roller-commits mailing list archives

From snoopd...@apache.org
Subject svn commit: r520056 - in /incubator/roller: branches/roller_2.3/ branches/roller_2.3/src/org/apache/roller/presentation/weblog/formbeans/ branches/roller_2.3/web/WEB-INF/classes/ branches/roller_2.3/web/weblog/ branches/roller_3.0/ branches/roller_3.0/...
Date Mon, 19 Mar 2007 19:26:01 GMT
Author: snoopdave
Date: Mon Mar 19 12:25:59 2007
New Revision: 520056

URL: http://svn.apache.org/viewvc?view=rev&rev=520056
Log:
Fixing XSS vulnerability by stripping HTML from incoming comment fields and escaping HTML
when fields are displayed in Roller 2.3, Roller 3.0, Roller 3.1 and trunk

Removed:
    incubator/roller/branches/roller_3.0/src/org/apache/roller/ui/authoring/struts/formbeans/CommentFormEx.java
    incubator/roller/branches/roller_3.1/src/org/apache/roller/ui/authoring/struts/formbeans/CommentFormEx.java
    incubator/roller/trunk/src/org/apache/roller/ui/authoring/struts/formbeans/CommentFormEx.java
Modified:
    incubator/roller/branches/roller_2.3/CHANGES.txt
    incubator/roller/branches/roller_2.3/src/org/apache/roller/presentation/weblog/formbeans/CommentFormEx.java
    incubator/roller/branches/roller_2.3/web/WEB-INF/classes/comments.vm
    incubator/roller/branches/roller_2.3/web/weblog/CommentManagement.jsp
    incubator/roller/branches/roller_3.0/CHANGES.txt
    incubator/roller/branches/roller_3.0/src/org/apache/roller/ui/rendering/util/WeblogCommentRequest.java
    incubator/roller/branches/roller_3.0/web/WEB-INF/jsps/authoring/CommentManagement.jsp
    incubator/roller/branches/roller_3.0/web/WEB-INF/velocity/weblog.vm
    incubator/roller/branches/roller_3.1/src/org/apache/roller/ui/rendering/util/WeblogCommentRequest.java
    incubator/roller/branches/roller_3.1/web/WEB-INF/jsps/authoring/CommentManagement.jsp
    incubator/roller/branches/roller_3.1/web/WEB-INF/velocity/weblog.vm
    incubator/roller/trunk/src/org/apache/roller/ui/rendering/util/WeblogCommentRequest.java
    incubator/roller/trunk/web/WEB-INF/jsps/authoring/CommentManagement.jsp
    incubator/roller/trunk/web/WEB-INF/velocity/weblog.vm

Modified: incubator/roller/branches/roller_2.3/CHANGES.txt
URL: http://svn.apache.org/viewvc/incubator/roller/branches/roller_2.3/CHANGES.txt?view=diff&rev=520056&r1=520055&r2=520056
==============================================================================
--- incubator/roller/branches/roller_2.3/CHANGES.txt (original)
+++ incubator/roller/branches/roller_2.3/CHANGES.txt Mon Mar 19 12:25:59 2007
@@ -6,13 +6,24 @@
 
 *** Security risk in comment form
 
-Allowing commenters to leave HTML in comments is a potential security risk because it allows
commenters can add malicious Javascipt code. You can disable HTML in comments via the Roller
admin interface, but in Roller 2.3 and earlier versions of Roller, attackers could still add
malicious HTML to the name, email and URL fields. 
+Allowing commenters to leave HTML in comments is a potential security risk 
+because it allows commenters can add malicious Javascipt code. You can 
+disable HTML in comments via the Roller admin interface, but in Roller 2.3 and 
+earlier versions of Roller, attackers could still add malicious HTML to the 
+name, email and URL fields. 
 
-We fixed the problem in Roller 2.3.1 and all subsequent versions of Roller by stripping all
HTML from name, email and comment fields at comment post time. 
+We fixed the problem in Roller 2.3.1 and all subsequent versions of 
+Roller by stripping all HTML from name, email and comment fields at 
+comment post time. Also, we do HTML escaping whenever we display the
+suspect fields.
 
 *** Licensing issue with JavaMail and Activation jars  
 
-The JavaMail and Activation jars (mail.jar and activation.jar) included in Roller 2.3 were
licensed under Sun's Binary Code License, which is incompatible with Apache licensing policy.
So these jars have been removed from the release and instructions have been added to the Installation
Guide that explain how to get them and add them to Roller.
+The JavaMail and Activation jars (mail.jar and activation.jar) included in 
+Roller 2.3 were licensed under Sun's Binary Code License, which is incompatible 
+with Apache licensing policy. So these jars have been removed from the release 
+and instructions have been added to the Installation Guide that explain 
+how to get them and add them to Roller.
 
 
 Roller 2.3: improvements and bug fixes, no major new features
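Review bot: the new paragraph says HTML is stripped from the "name, email and comment fields", but the code in this commit strips the name, email and URL parameters (plus remoteHost in the 2.3 form bean) and leaves the comment body alone, handling it at render time via commentEscapeHtml; the release note should say "name, email and URL fields" so it matches what shipped. The sentence "because it allows commenters can add malicious Javascipt code" also needs to read "because it allows commenters to add malicious JavaScript code".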

Modified: incubator/roller/branches/roller_2.3/src/org/apache/roller/presentation/weblog/formbeans/CommentFormEx.java
URL: http://svn.apache.org/viewvc/incubator/roller/branches/roller_2.3/src/org/apache/roller/presentation/weblog/formbeans/CommentFormEx.java?view=diff&rev=520056&r1=520055&r2=520056
==============================================================================
--- incubator/roller/branches/roller_2.3/src/org/apache/roller/presentation/weblog/formbeans/CommentFormEx.java
(original)
+++ incubator/roller/branches/roller_2.3/src/org/apache/roller/presentation/weblog/formbeans/CommentFormEx.java
Mon Mar 19 12:25:59 2007
@@ -114,6 +114,8 @@
     public void copyTo(org.apache.roller.pojos.CommentData dataHolder, Locale locale) 
         throws RollerException
     {
+        super.copyTo(dataHolder, locale);
+        
         if (!StringUtils.isEmpty(name)) {
             name = Utilities.removeHTML(name);
         }
@@ -123,7 +125,9 @@
         if (!StringUtils.isEmpty(email)) {
             email = Utilities.removeHTML(email);
         }
-        super.copyTo(dataHolder, locale);
+        if (!StringUtils.isEmpty(remoteHost)) {
+            remoteHost = Utilities.removeHTML(remoteHost);
+        }
         if (getSpam() == null) dataHolder.setSpam(Boolean.FALSE);
         if (getNotify() == null) dataHolder.setNotify(Boolean.FALSE);
     }
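Review bot: moving `super.copyTo(dataHolder, locale)` to the top of the method reverses the order the old code relied on: the copy into dataHolder now runs before `name`, `email` and `remoteHost` are passed through `Utilities.removeHTML`, so unless the superclass copies lazily through the bean's getters (not visible in this hunk) dataHolder receives the unstripped values and the stripping only changes the form bean after the fact. Keep the removeHTML calls first and call `super.copyTo` after them, as the removed line did, or set the stripped values on dataHolder explicitly.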

Modified: incubator/roller/branches/roller_2.3/web/WEB-INF/classes/comments.vm
URL: http://svn.apache.org/viewvc/incubator/roller/branches/roller_2.3/web/WEB-INF/classes/comments.vm?view=diff&rev=520056&r1=520055&r2=520056
==============================================================================
--- incubator/roller/branches/roller_2.3/web/WEB-INF/classes/comments.vm (original)
+++ incubator/roller/branches/roller_2.3/web/WEB-INF/classes/comments.vm Mon Mar 19 12:25:59
2007
@@ -61,15 +61,15 @@
     <p class="comment-details">
     $text.get("macro.weblog.postedby")
     #if (!$stringUtils.isEmpty($comment.name) && !$stringUtils.isEmpty($comment.remoteHost))
-        <b>$comment.name</b> ($comment.remoteHost)
+        <b>$utilities.escapeHTML($comment.name)</b> ($utilities.escapeHTML($comment.remoteHost))
     #elseif (!$stringUtils.isEmpty($comment.name))
-        <b>$comment.name</b>
+        <b>$utilities.escapeHTML($comment.name)</b>
     #elseif (!$stringUtils.isEmpty($comment.remoteHost))
-        <b>$comment.remoteHost</b>
+        <b>$utilities.escapeHTML($comment.remoteHost)</b>
     #end
     $text.get("macro.weblog.on") $dateFormatter.format($comment.postTime)
     #if( $stringUtils.isNotEmpty($comment.url) )
-        $text.get( "macro.weblog.postedbywebsite", [$comment.url, $comment.url] )
+        $text.get( "macro.weblog.postedbywebsite", [$utilities.escapeHTML($comment.url),
$utilities.escapeHTML($comment.url)] )
     #end
     #if( $showPermalink )
     <a href="${ctxPath}${entry.permaLink}#comment${velocityCount}"
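Review bot: passing `$utilities.escapeHTML($comment.url)` to the "macro.weblog.postedbywebsite" message is the right encoding if the message places it in an href, but HTML escaping does not reject a `javascript:` or `data:` scheme, and neither does the post-time tag stripper, because such a URL contains no angle brackets; validate at post time that the URL starts with `http://` or `https://` and fall back to plain text when it does not.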
@@ -199,15 +199,15 @@
 
         <table cellspacing="0" cellpadding="1" border="0" width="95%">
         <tr><th>$text.get( "macro.weblog.name" )</th>
-            <td><input type="text" name="name" value="$commentForm.name" size="50"
maxlength="255" /></td>
+            <td><input type="text" name="name" value="$utilities.escapeHTML($commentForm.name)"
size="50" maxlength="255" /></td>
         </tr>
 
         <tr><th>$text.get( "macro.weblog.email" )</th>
-            <td><input type="text" name="email" value="$commentForm.email" size="50"
maxlength="255" /></td>
+            <td><input type="text" name="email" value="$utilities.escapeHTML($commentForm.email)"
size="50" maxlength="255" /></td>
         </tr>
 
         <tr><th>$text.get( "macro.weblog.url" )</th>
-            <td><input type="text" name="url" value="$commentForm.url" size="50"
maxlength="255" /></td>
+            <td><input type="text" name="url" value="$utilities.escapeHTML($commentForm.url)"
size="50" maxlength="255" /></td>
         </tr>
         #if ($pageModel.emailComments)
         <tr>
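Review bot: the three `value="$utilities.escapeHTML($commentForm.name)"` style attributes will show the reference text literally if `escapeHTML` returns null for a null form field, which is the normal case on the first visit to the form; use the quiet form `$!utilities.escapeHTML($commentForm.name)` (as the 3.0 weblog.vm change in this commit does with `$!content`) or guard each with `#if`.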

Modified: incubator/roller/branches/roller_2.3/web/weblog/CommentManagement.jsp
URL: http://svn.apache.org/viewvc/incubator/roller/branches/roller_2.3/web/weblog/CommentManagement.jsp?view=diff&rev=520056&r1=520055&r2=520056
==============================================================================
--- incubator/roller/branches/roller_2.3/web/weblog/CommentManagement.jsp (original)
+++ incubator/roller/branches/roller_2.3/web/weblog/CommentManagement.jsp Mon Mar 19 12:25:59
2007
@@ -303,27 +303,27 @@
                             <c:choose>
                                 <c:when test="${!empty comment.email && !empty
comment.name}">
                                     <fmt:message key="commentManagement.commentByBoth"
>
-                                        <fmt:param value="${comment.name}" />
-                                        <fmt:param value="${comment.email}" />
+                                        <fmt:param><c:out value="${comment.name}"
/></fmt:param>
+                                        <fmt:param><c:out value="${comment.email}"
/></fmt:param>
                                         <fmt:param value="mailto" />
-                                        <fmt:param value="${comment.remoteHost}" />
+                                        <fmt:param><c:out value="${comment.remoteHost}"
/></fmt:param>
                                      </fmt:message>
                                 </c:when>
                                 <c:when test="${!empty comment.name}">
                                     <fmt:message key="commentManagement.commentByName"
>
-                                        <fmt:param value="${comment.name}" />
-                                        <fmt:param value="${comment.remoteHost}" />
+                                        <fmt:param><c:out value="${comment.name}"
/></fmt:param>
+                                        <fmt:param><c:out value="${comment.remoteHost}"
/></fmt:param>
                                      </fmt:message>
                                 </c:when>
                                 <c:when test="${!empty comment.email}">
                                     <fmt:message key="commentManagement.commentByName"
>
-                                        <fmt:param value="${comment.email}" />
-                                        <fmt:param value="${comment.remoteHost}" />
+                                        <fmt:param><c:out value="${comment.name}"
/></fmt:param>
+                                        <fmt:param><c:out value="${comment.remoteHost}"
/></fmt:param>
                                      </fmt:message>
                                 </c:when>
                                 <c:otherwise>
                                     <fmt:message key="commentManagement.commentByIP" >
-                                        <fmt:param value="${comment.remoteHost}" />
+                                        <fmt:param><c:out value="${comment.remoteHost}"
/></fmt:param>
                                      </fmt:message>
                                 </c:otherwise>
                             </c:choose>
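Review bot: in the `${!empty comment.email}` branch the replacement passes `${comment.name}` where the original passed `${comment.email}`, so a comment left with an email address but no name now renders an empty first parameter instead of the address; that line should read `<fmt:param><c:out value="${comment.email}" /></fmt:param>`. The other three branches are converted correctly, and wrapping the parameters in `<c:out>` is the right fix since `<fmt:param value>` does not escape.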

Modified: incubator/roller/branches/roller_3.0/CHANGES.txt
URL: http://svn.apache.org/viewvc/incubator/roller/branches/roller_3.0/CHANGES.txt?view=diff&rev=520056&r1=520055&r2=520056
==============================================================================
--- incubator/roller/branches/roller_3.0/CHANGES.txt (original)
+++ incubator/roller/branches/roller_3.0/CHANGES.txt Mon Mar 19 12:25:59 2007
@@ -2,6 +2,22 @@
 ROLLER CHANGE LOG
 -----------------
 
+Roller 3.0.1: minor release to fix comment form XSS security risk
+
+Allowing commenters to leave HTML in comments is a potential security risk 
+because it allows commenters can add malicious Javascipt code. You can 
+disable HTML in comments via the Roller admin interface, but in Roller 2.3 and 
+earlier versions of Roller, attackers could still add malicious HTML to the 
+name, email and URL fields. 
+
+We fixed the problem in Roller 2.3.1 and all subsequent versions of 
+Roller by stripping all HTML from name, email and comment fields at 
+comment post time. Also, we do HTML escaping whenever we display the
+suspect fields.
+
+
+-------------------------------------------------------------------------------
+
 Roller 3.0: major release with new URL structure and new template syste
 
 Please refer to the What's New page for an overview of the changes:
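Review bot: this entry sits in the 3.0 branch changelog under a "Roller 3.0.1" heading, but the body still says the affected versions are "Roller 2.3 and earlier" and that the fix arrived in "Roller 2.3.1"; for this branch it should state that 3.0 is affected and 3.0.1 carries the fix, and it needs the same wording fixes as the 2.3 copy ("allows commenters to add malicious JavaScript code", "name, email and URL fields").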

Modified: incubator/roller/branches/roller_3.0/src/org/apache/roller/ui/rendering/util/WeblogCommentRequest.java
URL: http://svn.apache.org/viewvc/incubator/roller/branches/roller_3.0/src/org/apache/roller/ui/rendering/util/WeblogCommentRequest.java?view=diff&rev=520056&r1=520055&r2=520056
==============================================================================
--- incubator/roller/branches/roller_3.0/src/org/apache/roller/ui/rendering/util/WeblogCommentRequest.java
(original)
+++ incubator/roller/branches/roller_3.0/src/org/apache/roller/ui/rendering/util/WeblogCommentRequest.java
Mon Mar 19 12:25:59 2007
@@ -27,6 +27,7 @@
 import org.apache.roller.model.RollerFactory;
 import org.apache.roller.model.WeblogManager;
 import org.apache.roller.pojos.WeblogEntryData;
+import org.apache.roller.util.Utilities;
 
 
 /**
@@ -121,15 +122,15 @@
          *   notify - if commenter wants to receive notifications
          */
         if(request.getParameter("name") != null) {
-            this.name = request.getParameter("name");
+            this.name = Utilities.removeHTML(request.getParameter("name"));
         }
         
         if(request.getParameter("email") != null) {
-            this.email = request.getParameter("email");
+            this.email = Utilities.removeHTML(request.getParameter("email"));
         }
         
         if(request.getParameter("url") != null) {
-            this.url = request.getParameter("url");
+            this.url = Utilities.removeHTML(request.getParameter("url"));
         }
         
         if(request.getParameter("content") != null) {
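Review bot: `Utilities.removeHTML` on `url` strips tags but does not constrain the scheme, so a `javascript:` URL with no angle brackets passes through this parser and is later emitted as an href by weblog.vm; reject anything that does not start with `http://` or `https://` here, where the parameter is read, instead of relying on the tag stripper. Leaving `content` untouched is consistent with the weblog.vm change, which escapes or reduces it to the HTML subset at render time according to commentEscapeHtml.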

Modified: incubator/roller/branches/roller_3.0/web/WEB-INF/jsps/authoring/CommentManagement.jsp
URL: http://svn.apache.org/viewvc/incubator/roller/branches/roller_3.0/web/WEB-INF/jsps/authoring/CommentManagement.jsp?view=diff&rev=520056&r1=520055&r2=520056
==============================================================================
--- incubator/roller/branches/roller_3.0/web/WEB-INF/jsps/authoring/CommentManagement.jsp
(original)
+++ incubator/roller/branches/roller_3.0/web/WEB-INF/jsps/authoring/CommentManagement.jsp
Mon Mar 19 12:25:59 2007
@@ -308,27 +308,27 @@
                             <c:choose>
                                 <c:when test="${!empty comment.email && !empty
comment.name}">
                                     <fmt:message key="commentManagement.commentByBoth"
>
-                                        <fmt:param value="${comment.name}" />
-                                        <fmt:param value="${comment.email}" />
+                                        <fmt:param><c:out value="${comment.name}"
/></fmt:param>
+                                        <fmt:param><c:out value="${comment.email}"
/></fmt:param>
                                         <fmt:param value="mailto" />
-                                        <fmt:param value="${comment.remoteHost}" />
+                                        <fmt:param><c:out value="${comment.remoteHost}"
/></fmt:param>
                                      </fmt:message>
                                 </c:when>
                                 <c:when test="${!empty comment.name}">
                                     <fmt:message key="commentManagement.commentByName"
>
-                                        <fmt:param value="${comment.name}" />
-                                        <fmt:param value="${comment.remoteHost}" />
+                                        <fmt:param><c:out value="${comment.name}"
/></fmt:param>
+                                        <fmt:param><c:out value="${comment.remoteHost}"
/></fmt:param>
                                      </fmt:message>
                                 </c:when>
                                 <c:when test="${!empty comment.email}">
                                     <fmt:message key="commentManagement.commentByName"
>
-                                        <fmt:param value="${comment.email}" />
-                                        <fmt:param value="${comment.remoteHost}" />
+                                        <fmt:param><c:out value="${comment.name}"
/></fmt:param>
+                                        <fmt:param><c:out value="${comment.remoteHost}"
/></fmt:param>
                                      </fmt:message>
                                 </c:when>
                                 <c:otherwise>
                                     <fmt:message key="commentManagement.commentByIP" >
-                                        <fmt:param value="${comment.remoteHost}" />
+                                        <fmt:param><c:out value="${comment.remoteHost}"
/></fmt:param>
                                      </fmt:message>
                                 </c:otherwise>
                             </c:choose>
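Review bot: same copy-and-paste slip as in the 2.3 CommentManagement.jsp: the `${!empty comment.email}` branch now outputs `${comment.name}` instead of `${comment.email}`, so email-only comments lose the address in the listing; change that `<c:out>` to `value="${comment.email}"`.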

Modified: incubator/roller/branches/roller_3.0/web/WEB-INF/velocity/weblog.vm
URL: http://svn.apache.org/viewvc/incubator/roller/branches/roller_3.0/web/WEB-INF/velocity/weblog.vm?view=diff&rev=520056&r1=520055&r2=520056
==============================================================================
--- incubator/roller/branches/roller_3.0/web/WEB-INF/velocity/weblog.vm (original)
+++ incubator/roller/branches/roller_3.0/web/WEB-INF/velocity/weblog.vm Mon Mar 19 12:25:59
2007
@@ -160,11 +160,10 @@
     <br/>
     #foreach( $comment in $comments )
         #if($comment.approved || $model.commentForm.preview)
-            #set($content = $utils.encodeEmail($comment.content))
             #if($config.commentEscapeHtml)
-                #set($content = $utils.escapeHTML($content))
+                #set($content = $utils.escapeHTML($comment.content))
             #else 
-                #set($content = $utils.transformToHTMLSubset($utils.escapeHTML($content)))
+                #set($content = $utils.transformToHTMLSubset($utils.escapeHTML($comment.content)))
             #end
             #if($config.commentAutoFormat)
                 #set($content = $utils.autoformat($content))
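Review bot: the `#set($content = $utils.encodeEmail($comment.content))` line is removed outright, so email addresses inside comment bodies are no longer encoded on display, and neither the commit message nor CHANGES.txt mentions this behaviour change; either document it or, if the call was dropped only because it ran before the escaping step, reapply it afterwards as `#set($content = $utils.encodeEmail($content))`.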
@@ -177,11 +176,11 @@
                 <p class="comment-details">
                 $text.get("macro.weblog.postedby")
                 #if (!$utils.isEmpty($comment.name) && !$utils.isEmpty($comment.url))
-                    <a rel="nofollow" href="$comment.url"><b>$comment.name</b></a>
+                    <a rel="nofollow" href="$comment.url"><b>$utils.escapeHTML($comment.name)</b></a>
                 #elseif (!$utils.isEmpty($comment.name))
-                    <b>$comment.name</b>
+                    <b>$utils.escapeHTML($comment.name)</b>
                 #else
-                    <b>$comment.remoteHost</b>
+                    <b>$utils.escapeHTML($comment.remoteHost)</b>
                 #end
 
                 $text.get("macro.weblog.on") $utils.formatDate($comment.postTime, $text.get(
"macro.weblog.datepattern" ))
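Review bot: `href="$comment.url"` is still emitted unescaped while the name beside it is now escaped; the post-time `removeHTML` removes tags, but a URL such as `http://x/" onmouseover="...` contains no tag and, unless removeHTML also encodes quotes, closes the attribute and injects a handler. Write `href="$utils.escapeHTML($comment.url)"` here and validate the scheme where the parameter is parsed.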
@@ -222,16 +221,16 @@
         <ul>
             <li>
                 <label class="desc">$text.get( "macro.weblog.name" )</label>
-                <input type="text" name="name" class="text large" value="$cform.name"
size="50" maxlength="255" />
+                <input type="text" name="name" class="text large" value="$utilities.escapeHTML($cform.name)"
size="50" maxlength="255" />
             </li>
 
 
             <li><label class="desc">$text.get( "macro.weblog.email" )</label>
-                <input type="text" name="email" class="text large" value="$cform.email"
size="50" maxlength="255" />
+                <input type="text" name="email" class="text large" value="$utilities.escapeHTML($cform.email)"
size="50" maxlength="255" />
             </li>
 
             <li><label class="desc">$text.get( "macro.weblog.url" )</label>
-                <input type="text" name="url" class="text large" value="$cform.url" size="50"
maxlength="255" />
+                <input type="text" name="url" class="text large" value="$utilities.escapeHTML($cform.url)"
size="50" maxlength="255" />
             </li>
 
         #if ($config.commentEmailNotify)
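Review bot: these three lines call `$utilities.escapeHTML(...)` while every other reference in this file, including the `$utils.escapeHTML($comment.name)` lines just above, uses `$utils`; if `$utilities` is not in this template's context Velocity prints the reference text literally into the `value` attribute, which happens to suppress the raw value but leaves the form broken rather than fixed. Use `$!utils.escapeHTML($cform.name)`, `$!utils.escapeHTML($cform.email)` and `$!utils.escapeHTML($cform.url)`, with the quiet `$!` so an empty field renders empty.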
@@ -245,7 +244,12 @@
             </li>
             <li>
                 <label class="desc">$text.get( "macro.weblog.yourcomment" )</label>
-                <textarea name="content" class="textarea large" cols="" rows="">$cform.content</textarea>
+                #if($config.commentEscapeHtml)
+                    #set($content = $utils.escapeHTML($cform.content))
+                #else 
+                    #set($content = $utils.transformToHTMLSubset($utils.escapeHTML($cform.content)))
+                #end
+                <textarea name="content" class="textarea large" cols="" rows="">$!content</textarea>
             </li>
             <li class="info">
                 <span class="comments-syntax-indicator">
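Review bot: for a textarea the re-populated value should be the commenter's source text HTML-escaped, i.e. `$!utils.escapeHTML($cform.content)` in both branches; routing the `#else` branch through `transformToHTMLSubset` alters what the user typed before they have submitted it, and that transformation belongs in the display block earlier in this file, not in the form. The `$!content` quiet reference is correct for a first visit with no content and should be kept.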

Modified: incubator/roller/branches/roller_3.1/src/org/apache/roller/ui/rendering/util/WeblogCommentRequest.java
URL: http://svn.apache.org/viewvc/incubator/roller/branches/roller_3.1/src/org/apache/roller/ui/rendering/util/WeblogCommentRequest.java?view=diff&rev=520056&r1=520055&r2=520056
==============================================================================
--- incubator/roller/branches/roller_3.1/src/org/apache/roller/ui/rendering/util/WeblogCommentRequest.java
(original)
+++ incubator/roller/branches/roller_3.1/src/org/apache/roller/ui/rendering/util/WeblogCommentRequest.java
Mon Mar 19 12:25:59 2007
@@ -27,6 +27,7 @@
 import org.apache.roller.business.RollerFactory;
 import org.apache.roller.business.WeblogManager;
 import org.apache.roller.pojos.WeblogEntryData;
+import org.apache.roller.util.Utilities;
 
 
 /**
@@ -121,15 +122,15 @@
          *   notify - if commenter wants to receive notifications
          */
         if(request.getParameter("name") != null) {
-            this.name = request.getParameter("name");
+            this.name = Utilities.removeHTML(request.getParameter("name"));
         }
         
         if(request.getParameter("email") != null) {
-            this.email = request.getParameter("email");
+            this.email = Utilities.removeHTML(request.getParameter("email"));
         }
         
         if(request.getParameter("url") != null) {
-            this.url = request.getParameter("url");
+            this.url = Utilities.removeHTML(request.getParameter("url"));
         }
         
         if(request.getParameter("content") != null) {
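Review bot: as in the 3.0 copy of this file, stripping tags from `url` does not stop a `javascript:` URL, which contains no tags and is rendered as an href by weblog.vm; add a scheme check (`http://` or `https://`) alongside the `removeHTML` call.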

Modified: incubator/roller/branches/roller_3.1/web/WEB-INF/jsps/authoring/CommentManagement.jsp
URL: http://svn.apache.org/viewvc/incubator/roller/branches/roller_3.1/web/WEB-INF/jsps/authoring/CommentManagement.jsp?view=diff&rev=520056&r1=520055&r2=520056
==============================================================================
--- incubator/roller/branches/roller_3.1/web/WEB-INF/jsps/authoring/CommentManagement.jsp
(original)
+++ incubator/roller/branches/roller_3.1/web/WEB-INF/jsps/authoring/CommentManagement.jsp
Mon Mar 19 12:25:59 2007
@@ -329,27 +329,27 @@
                             <c:choose>
                                 <c:when test="${!empty comment.email && !empty
comment.name}">
                                     <fmt:message key="commentManagement.commentByBoth"
>
-                                        <fmt:param value="${comment.name}" />
-                                        <fmt:param value="${comment.email}" />
+                                        <fmt:param><c:out value="${comment.name}"
/></fmt:param>
+                                        <fmt:param><c:out value="${comment.email}"
/></fmt:param>
                                         <fmt:param value="mailto" />
-                                        <fmt:param value="${comment.remoteHost}" />
+                                        <fmt:param><c:out value="${comment.remoteHost}"
/></fmt:param>
                                      </fmt:message>
                                 </c:when>
                                 <c:when test="${!empty comment.name}">
                                     <fmt:message key="commentManagement.commentByName"
>
-                                        <fmt:param value="${comment.name}" />
-                                        <fmt:param value="${comment.remoteHost}" />
+                                        <fmt:param><c:out value="${comment.name}"
/></fmt:param>
+                                        <fmt:param><c:out value="${comment.remoteHost}"
/></fmt:param>
                                      </fmt:message>
                                 </c:when>
                                 <c:when test="${!empty comment.email}">
                                     <fmt:message key="commentManagement.commentByName"
>
-                                        <fmt:param value="${comment.email}" />
-                                        <fmt:param value="${comment.remoteHost}" />
+                                        <fmt:param><c:out value="${comment.name}"
/></fmt:param>
+                                        <fmt:param><c:out value="${comment.remoteHost}"
/></fmt:param>
                                      </fmt:message>
                                 </c:when>
                                 <c:otherwise>
                                     <fmt:message key="commentManagement.commentByIP" >
-                                        <fmt:param value="${comment.remoteHost}" />
+                                        <fmt:param><c:out value="${comment.remoteHost}"
/></fmt:param>
                                      </fmt:message>
                                 </c:otherwise>
                             </c:choose>
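Review bot: the `${!empty comment.email}` branch repeats the swap seen in the 2.3 and 3.0 copies: `${comment.name}` replaces the original `${comment.email}`, so the address is no longer shown for email-only comments; use `value="${comment.email}"` in that `<c:out>`.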

Modified: incubator/roller/branches/roller_3.1/web/WEB-INF/velocity/weblog.vm
URL: http://svn.apache.org/viewvc/incubator/roller/branches/roller_3.1/web/WEB-INF/velocity/weblog.vm?view=diff&rev=520056&r1=520055&r2=520056
==============================================================================
--- incubator/roller/branches/roller_3.1/web/WEB-INF/velocity/weblog.vm (original)
+++ incubator/roller/branches/roller_3.1/web/WEB-INF/velocity/weblog.vm Mon Mar 19 12:25:59
2007
@@ -160,11 +160,10 @@
     <br/>
     #foreach( $comment in $comments )
         #if($comment.approved || $model.commentForm.preview)
-            #set($content = $utils.encodeEmail($comment.content))
             #if($config.commentEscapeHtml)
-                #set($content = $utils.escapeHTML($content))
+                #set($content = $utils.escapeHTML($comment.content))
             #else 
-                #set($content = $utils.transformToHTMLSubset($utils.escapeHTML($content)))
+                #set($content = $utils.transformToHTMLSubset($utils.escapeHTML($comment.content)))
             #end
             #if($config.commentAutoFormat)
                 #set($content = $utils.autoformat($content))
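Review bot: same as the 3.0 weblog.vm: removing `$utils.encodeEmail($comment.content)` silently drops email encoding in displayed comment bodies; document the change or reapply `encodeEmail` to `$content` after the escaping step.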
@@ -177,11 +176,11 @@
                 <p class="comment-details">
                 $text.get("macro.weblog.postedby")
                 #if (!$utils.isEmpty($comment.name) && !$utils.isEmpty($comment.url))
-                    <a rel="nofollow" href="$comment.url"><b>$comment.name</b></a>
+                    <a rel="nofollow" href="$comment.url"><b>$utils.escapeHTML($comment.name)</b></a>
                 #elseif (!$utils.isEmpty($comment.name))
-                    <b>$comment.name</b>
+                    <b>$utils.escapeHTML($comment.name)</b>
                 #elseif ($comment.remoteHost)
-                    <b>$comment.remoteHost</b>
+                    <b>$utils.escapeHTML($comment.remoteHost)</b>
                 #else
                     <b>$text.get("macro.weblog.comment.unknown")</b>
                 #end
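Review bot: `href="$comment.url"` remains unescaped in the first branch here too; since post-time `removeHTML` targets tags rather than quote characters, emit `href="$utils.escapeHTML($comment.url)"` so a `"` in the URL cannot terminate the attribute.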
@@ -247,7 +246,12 @@
             </li>
             <li>
                 <label class="desc">$text.get( "macro.weblog.yourcomment" )</label>
-                <textarea name="content" class="textarea large" cols="40" rows="10">$utils.escapeHTML($cform.content)</textarea>
+                #if($config.commentEscapeHtml)
+                    #set($content = $utils.escapeHTML($cform.content))
+                #else 
+                    #set($content = $utils.transformToHTMLSubset($utils.escapeHTML($cform.content)))
+                #end
+                <textarea name="content" class="textarea large" cols="" rows="">$content</textarea>
             </li>
             <li class="info">
                 <span class="comments-syntax-indicator">
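Review bot: the replaced line already escaped the textarea contents (`$utils.escapeHTML($cform.content)`), and the new block drops `cols="40" rows="10"` for `cols="" rows=""` and uses `$content` rather than the `$!content` used in the 3.0 copy, so an empty form now prints the literal text `$content` into the textarea; restore the cols and rows values, use `$!content`, and keep plain escapeHTML in both branches since the textarea shows source, not rendered HTML.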

Modified: incubator/roller/trunk/src/org/apache/roller/ui/rendering/util/WeblogCommentRequest.java
URL: http://svn.apache.org/viewvc/incubator/roller/trunk/src/org/apache/roller/ui/rendering/util/WeblogCommentRequest.java?view=diff&rev=520056&r1=520055&r2=520056
==============================================================================
--- incubator/roller/trunk/src/org/apache/roller/ui/rendering/util/WeblogCommentRequest.java
(original)
+++ incubator/roller/trunk/src/org/apache/roller/ui/rendering/util/WeblogCommentRequest.java
Mon Mar 19 12:25:59 2007
@@ -27,6 +27,7 @@
 import org.apache.roller.business.RollerFactory;
 import org.apache.roller.business.WeblogManager;
 import org.apache.roller.pojos.WeblogEntryData;
+import org.apache.roller.util.Utilities;
 
 
 /**
@@ -121,15 +122,15 @@
          *   notify - if commenter wants to receive notifications
          */
         if(request.getParameter("name") != null) {
-            this.name = request.getParameter("name");
+            this.name = Utilities.removeHTML(request.getParameter("name"));
         }
         
         if(request.getParameter("email") != null) {
-            this.email = request.getParameter("email");
+            this.email = Utilities.removeHTML(request.getParameter("email"));
         }
         
         if(request.getParameter("url") != null) {
-            this.url = request.getParameter("url");
+            this.url = Utilities.removeHTML(request.getParameter("url"));
         }
         
         if(request.getParameter("content") != null) {
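Review bot: same point as the 3.0 and 3.1 copies: `Utilities.removeHTML` on `url` leaves a `javascript:` scheme intact because it contains no tags, and the value is used as an href downstream; validate the scheme here as well.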

Modified: incubator/roller/trunk/web/WEB-INF/jsps/authoring/CommentManagement.jsp
URL: http://svn.apache.org/viewvc/incubator/roller/trunk/web/WEB-INF/jsps/authoring/CommentManagement.jsp?view=diff&rev=520056&r1=520055&r2=520056
==============================================================================
--- incubator/roller/trunk/web/WEB-INF/jsps/authoring/CommentManagement.jsp (original)
+++ incubator/roller/trunk/web/WEB-INF/jsps/authoring/CommentManagement.jsp Mon Mar 19 12:25:59
2007
@@ -364,27 +364,27 @@
                             <c:choose>
                                 <c:when test="${!empty comment.email && !empty
comment.name}">
                                     <fmt:message key="commentManagement.commentByBoth"
>
-                                        <fmt:param value="${comment.name}" />
-                                        <fmt:param value="${comment.email}" />
+                                        <fmt:param><c:out value="${comment.name}"
/></fmt:param>
+                                        <fmt:param><c:out value="${comment.email}"
/></fmt:param>
                                         <fmt:param value="mailto" />
-                                        <fmt:param value="${comment.remoteHost}" />
+                                        <fmt:param><c:out value="${comment.remoteHost}"
/></fmt:param>
                                      </fmt:message>
                                 </c:when>
                                 <c:when test="${!empty comment.name}">
                                     <fmt:message key="commentManagement.commentByName"
>
-                                        <fmt:param value="${comment.name}" />
-                                        <fmt:param value="${comment.remoteHost}" />
+                                        <fmt:param><c:out value="${comment.name}"
/></fmt:param>
+                                        <fmt:param><c:out value="${comment.remoteHost}"
/></fmt:param>
                                      </fmt:message>
                                 </c:when>
                                 <c:when test="${!empty comment.email}">
                                     <fmt:message key="commentManagement.commentByName"
>
-                                        <fmt:param value="${comment.email}" />
-                                        <fmt:param value="${comment.remoteHost}" />
+                                        <fmt:param><c:out value="${comment.name}"
/></fmt:param>
+                                        <fmt:param><c:out value="${comment.remoteHost}"
/></fmt:param>
                                      </fmt:message>
                                 </c:when>
                                 <c:otherwise>
                                     <fmt:message key="commentManagement.commentByIP" >
-                                        <fmt:param value="${comment.remoteHost}" />
+                                        <fmt:param><c:out value="${comment.remoteHost}"
/></fmt:param>
                                      </fmt:message>
                                 </c:otherwise>
                             </c:choose>
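Review bot: the `${!empty comment.email}` branch now passes `comment.name` to the first fmt:param where the removed line passed `${comment.email}`; in that branch name is empty, so the message renders with a blank commenter. It should read `<fmt:param><c:out value="${comment.email}" /></fmt:param>`. The reuse of the `commentManagement.commentByName` key in that same branch is pre-existing and not introduced here.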

Modified: incubator/roller/trunk/web/WEB-INF/velocity/weblog.vm
URL: http://svn.apache.org/viewvc/incubator/roller/trunk/web/WEB-INF/velocity/weblog.vm?view=diff&rev=520056&r1=520055&r2=520056
==============================================================================
--- incubator/roller/trunk/web/WEB-INF/velocity/weblog.vm (original)
+++ incubator/roller/trunk/web/WEB-INF/velocity/weblog.vm Mon Mar 19 12:25:59 2007
@@ -179,11 +179,10 @@
     <br/>
     #foreach( $comment in $comments )
         #if($comment.approved || $model.commentForm.preview)
-            #set($content = $utils.encodeEmail($comment.content))
             #if($config.commentEscapeHtml)
-                #set($content = $utils.escapeHTML($content))
+                #set($content = $utils.escapeHTML($comment.content))
             #else 
-                #set($content = $utils.transformToHTMLSubset($utils.escapeHTML($content)))
+                #set($content = $utils.transformToHTMLSubset($utils.escapeHTML($comment.content)))
             #end
             #if($config.commentAutoFormat)
                 #set($content = $utils.autoformat($content))
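Review bot: dropping `#set($content = $utils.encodeEmail($comment.content))` is a behaviour change beyond the XSS fix: e-mail addresses inside comment bodies are no longer obfuscated. If it was removed because escapeHTML would mangle encodeEmail's output, say so in the commit log and CHANGES.txt; otherwise keep encodeEmail and apply it after the escape so its output is not escaped a second time.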
@@ -197,11 +196,11 @@
                 <p class="comment-details">
                 $text.get("macro.weblog.postedby")
                 #if (!$utils.isEmpty($comment.name) && !$utils.isEmpty($comment.url))
-                    <a rel="nofollow" href="$comment.url"><b>$comment.name</b></a>
+                    <a rel="nofollow" href="$comment.url"><b>$utils.escapeHTML($comment.name)</b></a>
                 #elseif (!$utils.isEmpty($comment.name))
-                    <b>$comment.name</b>
+                    <b>$utils.escapeHTML($comment.name)</b>
                 #elseif ($comment.remoteHost)
-                    <b>$comment.remoteHost</b>
+                    <b>$utils.escapeHTML($comment.remoteHost)</b>
                 #else
                     <b>$text.get("macro.weblog.comment.unknown")</b>
                 #end
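Review bot: `href="$comment.url"` is still emitted unescaped on the first changed line while `$comment.name` on the same line is now wrapped in escapeHTML; a double quote in the stored url still closes the attribute, and server-side removeHTML does not prevent that. Wrap it as `href="$utils.escapeHTML($comment.url)"` for consistency with the other fields in this hunk.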
@@ -245,16 +244,15 @@
         <ul>
             <li>
                 <label class="desc">$text.get( "macro.weblog.name" )</label>
-                <input type="text" name="name" class="text large" value="$cform.name"
size="50" maxlength="255" />
+                <input type="text" name="name" class="text large" value="$utils.escapeHTML($cform.name)"
size="50" maxlength="255" />
             </li>
 
-
             <li><label class="desc">$text.get( "macro.weblog.email" )</label>
-                <input type="text" name="email" class="text large" value="$cform.email"
size="50" maxlength="255" />
+                <input type="text" name="email" class="text large" value="$utils.escapeHTML($cform.email)"
size="50" maxlength="255" />
             </li>
 
             <li><label class="desc">$text.get( "macro.weblog.url" )</label>
-                <input type="text" name="url" class="text large" value="$cform.url" size="50"
maxlength="255" />
+                <input type="text" name="url" class="text large" value="$utils.escapeHTML($cform.url)"
size="50" maxlength="255" />
             </li>
 
         #if ($config.commentEmailNotify)
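Review bot: the three `value="$utils.escapeHTML(...)"` attributes in this hunk are only safe if escapeHTML also encodes the double-quote character, not just `<`, `>` and `&`; this diff does not show Utilities.escapeHTML, so please confirm it does (or use an attribute-specific escape), otherwise an attribute breakout remains. The stray `-` removing a blank line above the email `<li>` is unrelated whitespace noise in a security fix.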
@@ -268,7 +266,14 @@
             </li>
             <li>
                 <label class="desc">$text.get( "macro.weblog.yourcomment" )</label>
-                <textarea name="content" class="textarea large" cols="40" rows="10">$utils.escapeHTML($cform.content)</textarea>
+
+            #if($config.commentEscapeHtml)
+                #set($content = $utils.escapeHTML($cform.content))
+            #else 
+                #set($content = $utils.transformToHTMLSubset($utils.escapeHTML($cform.content)))
+            #end               
+            <textarea name="content" class="textarea large" cols="40" rows="10">$utils.escapeHTML($content)</textarea>
+
             </li>
             <li class="info">
                 <span class="comments-syntax-indicator">
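Review bot: the textarea now double-escapes in the `commentEscapeHtml` branch: `$content` is already the result of escapeHTML, and the textarea line escapes it again, so a previewed comment containing `<` comes back as the literal text `&lt;` in the edit box and is resubmitted that way; in the else branch the same happens to any tag transformToHTMLSubset does not allow. A textarea needs exactly one escapeHTML of the raw `$cform.content`, which is what the removed line did; the transformToHTMLSubset processing belongs in the preview rendering, not the form field. There is also trailing whitespace after `#end`.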


