From lukaszlen...@apache.org
Subject svn commit: r1076372 - /struts/struts2/trunk/xwork-core/src/main/java/com/opensymphony/xwork2/DefaultActionProxy.java
Date Wed, 02 Mar 2011 21:01:01 GMT
Author: lukaszlenart
Date: Wed Mar  2 21:01:01 2011
New Revision: 1076372

URL: http://svn.apache.org/viewvc?rev=1076372&view=rev
Log:
Solves WW-3579 - escapes actionName and methodName to prevent XSS vulnerability

Modified:
    struts/struts2/trunk/xwork-core/src/main/java/com/opensymphony/xwork2/DefaultActionProxy.java

Modified: struts/struts2/trunk/xwork-core/src/main/java/com/opensymphony/xwork2/DefaultActionProxy.java
URL: http://svn.apache.org/viewvc/struts/struts2/trunk/xwork-core/src/main/java/com/opensymphony/xwork2/DefaultActionProxy.java?rev=1076372&r1=1076371&r2=1076372&view=diff
==============================================================================
--- struts/struts2/trunk/xwork-core/src/main/java/com/opensymphony/xwork2/DefaultActionProxy.java
(original)
+++ struts/struts2/trunk/xwork-core/src/main/java/com/opensymphony/xwork2/DefaultActionProxy.java
Wed Mar  2 21:01:01 2011
@@ -23,12 +23,12 @@ import com.opensymphony.xwork2.util.Loca
 import com.opensymphony.xwork2.util.logging.Logger;
 import com.opensymphony.xwork2.util.logging.LoggerFactory;
 import com.opensymphony.xwork2.util.profiling.UtilTimerStack;
+import org.apache.commons.lang.StringEscapeUtils;
+import org.apache.commons.lang.StringUtils;
 
 import java.io.Serializable;
 import java.util.Locale;
 
-import org.apache.commons.lang.StringUtils;
-
 
 /**
  * The Default ActionProxy implementation
@@ -74,10 +74,10 @@ public class DefaultActionProxy implemen
 			LOG.debug("Creating an DefaultActionProxy for namespace " + namespace + " and action name
" + actionName);
 		}
 
-		this.actionName = actionName;
-		this.namespace = namespace;
-		this.executeResult = executeResult;
-        this.method = methodName;
+        this.actionName = StringEscapeUtils.escapeHtml(actionName);
+        this.namespace = namespace;
+        this.executeResult = executeResult;
+        this.method = StringEscapeUtils.escapeJavaScript(StringEscapeUtils.escapeHtml(methodName));
     }
     
     @Inject
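Review bot: The four new assignments at the bottom of the hunk store output-encoded values in the fields DefaultActionProxy later hands to dispatch, so HTML/JavaScript encoding is applied where the name is stored rather than where it is rendered, and encoding is not validation: a method name built only from characters the encoders leave untouched still reaches the method lookup unchanged. Wrapping `escapeJavaScript` around `escapeHtml` also produces a string that is correct for neither context, since after `escapeHtml` no quote characters remain and the outer call mainly inserts backslashes before `/` and non-ASCII characters into the stored method name. A safer shape is to keep the raw names in these fields, reject anything outside the identifier characters a method name legitimately needs, e.g. `if (methodName != null && !methodName.matches("[A-Za-z0-9_]+")) { throw new IllegalArgumentException("Invalid method name"); }`, and leave HTML escaping to the view or error page that prints the name (presumably what this commit is guarding). Minor: the debug statement at the top of the hunk still logs the raw `actionName` so the logged and stored forms now diverge, and the new lines switch from the tabs used by the removed lines to spaces. The constructor this hunk modifies begins before the hunk, so how a null `methodName` is defaulted is not visible here.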


