Author: jmitchell
Date: Wed Jan 23 23:39:45 2008
New Revision: 614814

URL: http://svn.apache.org/viewvc?rev=614814&view=rev
Log:
WW-2414 - failsafe sanitization of querystring params

Modified:
    
struts/struts2/trunk/core/src/main/java/org/apache/struts2/views/util/UrlHelper.java

Modified: 
struts/struts2/trunk/core/src/main/java/org/apache/struts2/views/util/UrlHelper.java
URL: 
http://svn.apache.org/viewvc/struts/struts2/trunk/core/src/main/java/org/apache/struts2/views/util/UrlHelper.java?rev=614814&r1=614813&r2=614814&view=diff
==============================================================================
--- 
struts/struts2/trunk/core/src/main/java/org/apache/struts2/views/util/UrlHelper.java
 (original)
+++ 
struts/struts2/trunk/core/src/main/java/org/apache/struts2/views/util/UrlHelper.java
 Wed Jan 23 23:39:45 2008
@@ -174,10 +174,14 @@
             buildParametersString(params, link, "&");
         } 
 
-        String result;
-
+        String result = link.toString();
+        
+        if (result.indexOf("<script>") >= 0){
+               result = result.replaceAll("<script>", "script");
+        }
+        
         try {
-            result = encodeResult ? response.encodeURL(link.toString()) : 
link.toString();
+            result = encodeResult ? response.encodeURL(result) : result;
         } catch (Exception ex) {
             // Could not encode the URL for some reason
             // Use it unchanged
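Review bot: The added check on the new `result` only matches the exact lowercase literal `<script>`, so the "failsafe" is a narrow blacklist rather than sanitization: the same tag written with different casing or with attributes is left untouched, and the replacement runs on the whole assembled link rather than on the untrusted parameter values. The durable fix is to percent-encode each parameter name and value where they are appended (presumably in `buildParametersString`, which is outside this hunk), and to keep output encoding at the rendering site; if this literal replacement is to stay as a belt-and-braces measure, it should at least be case-insensitive, `result = result.replaceAll("(?i)<script>", "script");`, with a comment stating that it is not a substitute for encoding. The `indexOf` guard can be dropped, since `replaceAll` is already a no-op when there is no match. The enclosing method begins and ends outside the hunk, and the `catch (Exception ex)` it leads into swallows encoding failures silently, which is worth a log line at minimum.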

