

xss filter
sventantau committed Apr 15, 2014
1 parent 1e103cc commit ed3492a
Showing 57 changed files with 293 additions and 265 deletions.
11 changes: 6 additions & 5 deletions src/web/audit-policy.jsp
Expand Up @@ -17,9 +17,10 @@
--%>

<%@ page import="org.jivesoftware.util.ParamUtils,
org.jivesoftware.openfire.XMPPServer,
org.jivesoftware.openfire.audit.AuditManager,
org.jivesoftware.openfire.XMPPServer,
org.jivesoftware.openfire.audit.AuditManager,
org.jivesoftware.openfire.user.UserNotFoundException,
org.jivesoftware.util.StringUtils,
org.xmpp.packet.JID,
java.io.File"
errorPage="error.jsp"
Expand Down Expand Up @@ -226,7 +227,7 @@
</td>
<td width="99%">
<input type="text" size="50" maxlength="150" name="logDir"
value="<%= ((logDir != null) ? logDir : "") %>">
value="<%= ((logDir != null) ? StringUtils.escapeForXML(logDir) : "") %>">

<% if (errors.get("logDir") != null) { %>

Expand Down Expand Up @@ -361,7 +362,7 @@
<fmt:message key="audit.policy.ignore" />
</td>
<td width="99%">
<textarea name="ignore" cols="40" rows="3" wrap="virtual"><%= ((ignore != null) ? ignore : "") %></textarea>
<textarea name="ignore" cols="40" rows="3" wrap="virtual"><%= ((ignore != null) ? StringUtils.escapeHTMLTags(ignore) : "") %></textarea>
<% if (errors.get("ignore") != null) { %>

<span class="jive-error-text">
Expand Down Expand Up @@ -393,4 +394,4 @@


</body>
</html>
</html>
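Review bot: The textarea body on line 42 is escaped with escapeHTMLTags while the attribute on line 33 uses escapeForXML; if escapeHTMLTags only rewrites angle brackets (its coverage is not visible from this hunk), an `ignore` value containing `&` is re-parsed as an entity when the form is redisplayed, so the round-tripped value differs from what was saved. Using the same encoder for both sites avoids that: `<textarea name="ignore" cols="40" rows="3" wrap="virtual"><%= ((ignore != null) ? StringUtils.escapeForXML(ignore) : "") %></textarea>`. The same escapeHTMLTags/escapeForXML split recurs in available-plugins.jsp, clearspace-status.jsp, component-session-details.jsp, component-session-summary.jsp, error.jsp and external-components-settings.jsp, so it is worth settling on one text-node encoder once rather than per page.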
55 changes: 28 additions & 27 deletions src/web/available-plugins.jsp
Expand Up @@ -15,7 +15,8 @@
<%@ page errorPage="error.jsp" import="org.jivesoftware.util.ByteFormat,
org.jivesoftware.util.Version,
org.jivesoftware.openfire.XMPPServer,
org.jivesoftware.openfire.container.Plugin"
org.jivesoftware.openfire.container.Plugin,
org.jivesoftware.util.StringUtils"
%>
<%@ page import="org.jivesoftware.openfire.container.PluginManager" %>
<%@ page import="org.jivesoftware.openfire.update.AvailablePlugin" %>
Expand Down Expand Up @@ -284,38 +285,38 @@
<tr id="<%= plugin.hashCode()%>">
<td width="1%" class="line-bottom-border">
<% if (plugin.getIcon() != null) { %>
<img src="<%= plugin.getIcon() %>" width="16" height="16" alt="Plugin">
<img src="<%= StringUtils.escapeForXML(plugin.getIcon()) %>" width="16" height="16" alt="Plugin">
<% }
else { %>
<img src="images/plugin-16x16.gif" width="16" height="16" alt="Plugin">
<% } %>
</td>
<td width="20%" nowrap class="line-bottom-border">
<%= (pluginName != null ? pluginName : "") %> &nbsp;
<%= (pluginName != null ? StringUtils.escapeHTMLTags(pluginName) : "") %> &nbsp;
</td>
<td nowrap valign="top" class="line-bottom-border">
<% if (plugin.getReadme() != null) { %>
<a href="<%= plugin.getReadme() %>"
<a href="<%= StringUtils.escapeForXML(plugin.getReadme()) %>"
><img src="images/doc-readme-16x16.gif" width="16" height="16" border="0" alt="README"></a>
<% }
else { %> &nbsp; <% } %>
<% if (plugin.getChangelog() != null) { %>
<a href="<%= plugin.getChangelog() %>"
<a href="<%= StringUtils.escapeForXML(plugin.getChangelog()) %>"
><img src="images/doc-changelog-16x16.gif" width="16" height="16" border="0" alt="changelog"></a>
<% }
else { %> &nbsp; <% } %>
</td>
<td width="60%" class="line-bottom-border">
<%= pluginDescription != null ? pluginDescription : "" %>
<%= pluginDescription != null ? StringUtils.escapeHTMLTags(pluginDescription) : "" %>
</td>
<td width="5%" align="center" valign="top" class="line-bottom-border">
<%= pluginVersion != null ? pluginVersion : "" %>
<%= pluginVersion != null ? StringUtils.escapeHTMLTags(pluginVersion) : "" %>
</td>
<td width="15%" nowrap valign="top" class="line-bottom-border">
<%= pluginAuthor != null ? pluginAuthor : "" %> &nbsp;
<%= pluginAuthor != null ? StringUtils.escapeHTMLTags(pluginAuthor) : "" %> &nbsp;
</td>
<td width="15%" nowrap valign="top" class="line-bottom-border" align="right">
<%= fileSize %>
<%= StringUtils.escapeHTMLTags(fileSize) %>
</td>
<td width="1%" align="center" valign="top" class="line-bottom-border">
<%
Expand All @@ -328,17 +329,17 @@
<%
%>
<a href="javascript:downloadPlugin('<%=updateURL%>', '<%= plugin.hashCode()%>')"><span id="<%= plugin.hashCode() %>-image"><img src="images/add-16x16.gif" width="16" height="16" border="0"
<a href="javascript:downloadPlugin('<%=StringUtils.escapeForXML(updateURL)%>', '<%= plugin.hashCode()%>')"><span id="<%= plugin.hashCode() %>-image"><img src="images/add-16x16.gif" width="16" height="16" border="0"
alt="<fmt:message key="plugin.available.download" />"></span></a>

<% } %>
</td>
</tr>
<tr id="<%= plugin.hashCode()%>-row" style="display:none;background: #E7FBDE;">
<td width="1%" class="line-bottom-border">
<img src="<%= plugin.getIcon()%>" width="16" height="16" alt=""/>
<img src="<%= StringUtils.escapeForXML(plugin.getIcon())%>" width="16" height="16" alt=""/>
</td>
<td colspan="6" nowrap class="line-bottom-border"><%= plugin.getName()%> <fmt:message key="plugin.available.installation.success" /></td>
<td colspan="6" nowrap class="line-bottom-border"><%= StringUtils.escapeHTMLTags(plugin.getName())%> <fmt:message key="plugin.available.installation.success" /></td>
<td class="line-bottom-border" align="center">
<img src="images/success-16x16.gif" height="16" width="16" alt=""/>
</td>
Expand Down Expand Up @@ -367,38 +368,38 @@
<tr id="<%= plugin.hashCode()%>">
<td width="1%" class="line-bottom-border">
<% if (plugin.getIcon() != null) { %>
<img src="<%= plugin.getIcon() %>" width="16" height="16" alt="Plugin">
<img src="<%= StringUtils.escapeForXML(plugin.getIcon()) %>" width="16" height="16" alt="Plugin">
<% }
else { %>
<img src="images/plugin-16x16.gif" width="16" height="16" alt="Plugin">
<% } %>
</td>
<td width="20%" nowrap class="line-bottom-border">
<%= (pluginName != null ? pluginName : "") %> &nbsp;
<%= (pluginName != null ? StringUtils.escapeHTMLTags(pluginName) : "") %> &nbsp;
</td>
<td nowrap valign="top" class="line-bottom-border">
<% if (plugin.getReadme() != null) { %>
<a href="<%= plugin.getReadme() %>"
<a href="<%= StringUtils.escapeForXML(plugin.getReadme()) %>"
><img src="images/doc-readme-16x16.gif" width="16" height="16" border="0" alt="README"></a>
<% }
else { %> &nbsp; <% } %>
<% if (plugin.getChangelog() != null) { %>
<a href="<%= plugin.getChangelog() %>"
<a href="<%= StringUtils.escapeForXML(plugin.getChangelog()) %>"
><img src="images/doc-changelog-16x16.gif" width="16" height="16" border="0" alt="changelog"></a>
<% }
else { %> &nbsp; <% } %>
</td>
<td width="60%" class="line-bottom-border">
<%= pluginDescription != null ? pluginDescription : "" %>
<%= pluginDescription != null ? StringUtils.escapeHTMLTags(pluginDescription) : "" %>
</td>
<td width="5%" align="center" valign="top" class="line-bottom-border">
<%= pluginVersion != null ? pluginVersion : "" %>
<%= pluginVersion != null ? StringUtils.escapeHTMLTags(pluginVersion) : "" %>
</td>
<td width="15%" nowrap valign="top" class="line-bottom-border">
<%= pluginAuthor != null ? pluginAuthor : "" %> &nbsp;
<%= pluginAuthor != null ? StringUtils.escapeHTMLTags(pluginAuthor) : "" %> &nbsp;
</td>
<td width="15%" nowrap valign="top" class="line-bottom-border">
<%= fileSize %>
<%= StringUtils.escapeHTMLTags(fileSize) %>
</td>
<td width="1%" align="center" valign="top" class="line-bottom-border">
<%
Expand All @@ -409,16 +410,16 @@
<% }
else { %>

<span id="<%= plugin.hashCode() %>-image"><a href="javascript:downloadPlugin('<%=updateURL%>', '<%= plugin.hashCode()%>')"><img src="images/add-16x16.gif" width="16" height="16" border="0"
<span id="<%= plugin.hashCode() %>-image"><a href="javascript:downloadPlugin('<%=StringUtils.escapeForXML(updateURL) %>', '<%= plugin.hashCode() %>')"><img src="images/add-16x16.gif" width="16" height="16" border="0"
alt="<fmt:message key="plugin.available.download" />"></a></span>
<% } %>
</td>
</tr>
<tr id="<%= plugin.hashCode()%>-row" style="display:none;background: #E7FBDE;">
<td width="1%" class="line-bottom-border">
<img src="<%= plugin.getIcon()%>" width="16" height="16" alt=""/>
<img src="<%= StringUtils.escapeForXML(plugin.getIcon())%>" width="16" height="16" alt=""/>
</td>
<td colspan="6" nowrap class="line-bottom-border"><%= plugin.getName()%> <fmt:message key="plugin.available.installation.success" /></td>
<td colspan="6" nowrap class="line-bottom-border"><%= StringUtils.escapeHTMLTags(plugin.getName())%> <fmt:message key="plugin.available.installation.success" /></td>
<td class="line-bottom-border" align="center">
<img src="images/success-16x16.gif" height="16" width="16" alt=""/>
</td>
Expand Down Expand Up @@ -493,13 +494,13 @@
else { %> &nbsp; <% } %></p>
</td>
<td class="line-bottom-border">
<%= pluginDescription %>
<%= StringUtils.escapeHTMLTags(pluginDescription) %>
</td>
<td class="line-bottom-border">
<%= pluginVersion%>
<%= StringUtils.escapeHTMLTags(pluginVersion) %>
</td>
<td class="line-bottom-border">
<%= pluginAuthor%>
<%= StringUtils.escapeHTMLTags(pluginAuthor) %>
</td>
</tr>
<% }%>
Expand Down Expand Up @@ -529,4 +530,4 @@
<% } %>

</body>
</html>
</html>
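Review bot: The encoder on lines 114 and 182 does not match its context: `updateURL` is interpolated into a JavaScript string literal inside a `javascript:` href, and the browser decodes the attribute's entities before the script runs, so escapeForXML leaves a single quote in the URL able to terminate that literal. A JavaScript-string encoder would be the minimal fix for those two spots; carrying the URL in a `data-*` attribute and binding the click handler in script is the cleaner one and also removes the `javascript:` href. Lines 68, 81, 87 and 123 (repeated at 135, 148, 154 and 190) escape the icon/readme/changelog URLs for the attribute but do not constrain the scheme, so a non-http value in plugin metadata would still be honoured by the src/href; checking that these start with `http://` or `https://` before rendering would close that. Where the plugin metadata originates is not visible in this hunk, so treat its trust level as unconfirmed.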
11 changes: 6 additions & 5 deletions src/web/clearspace-status.jsp
Expand Up @@ -20,6 +20,7 @@
<%@ page import="org.jivesoftware.openfire.clearspace.ClearspaceManager" %>
<%@ page import="org.jivesoftware.openfire.session.ComponentSession" %>
<%@ page import="org.jivesoftware.util.JiveGlobals" %>
<%@ page import="org.jivesoftware.util.StringUtils" %>
<%@ page import="java.text.NumberFormat" %>
<%@ page import="java.util.Collection" %>
<%@ page import="java.util.Date" %>
Expand Down Expand Up @@ -189,17 +190,17 @@
<fmt:message key="clearspace.status.connected.table.label.hostname" />
</td>
<td>
<%= cs.getHostAddress() %>
<%= StringUtils.escapeHTMLTags(cs.getHostAddress()) %>
/
<%= cs.getHostName() %>
<%= StringUtils.escapeHTMLTags(cs.getHostName()) %>
</td>
</tr>
<% } else { %>
<tr>
<td>
<%= cs.getHostAddress() %>
<%= StringUtils.escapeHTMLTags(cs.getHostAddress()) %>
/
<%= cs.getHostName() %>
<%= StringUtils.escapeHTMLTags(cs.getHostName()) %>
</td>
</tr>
<% } %>
Expand Down Expand Up @@ -268,4 +269,4 @@
<% } %>

</body>
</html>
</html>
13 changes: 7 additions & 6 deletions src/web/component-session-details.jsp
Expand Up @@ -21,6 +21,7 @@
<%@ page import="org.jivesoftware.openfire.SessionManager,
org.jivesoftware.openfire.session.ComponentSession,
org.jivesoftware.util.JiveGlobals,
org.jivesoftware.util.StringUtils,
org.jivesoftware.util.ParamUtils"
errorPage="error.jsp"
%>
Expand Down Expand Up @@ -86,15 +87,15 @@
<fmt:message key="component.session.label.name" />
</td>
<td>
<%= componentSession.getExternalComponent().getName() %>
<%= StringUtils.escapeHTMLTags(componentSession.getExternalComponent().getName()) %>
</td>
</tr>
<tr>
<td class="c1">
<fmt:message key="component.session.label.category" />:
</td>
<td>
<%= componentSession.getExternalComponent().getCategory() %>
<%= StringUtils.escapeHTMLTags(componentSession.getExternalComponent().getCategory()) %>
</td>
</tr>
<tr>
Expand All @@ -117,7 +118,7 @@
<% }
}
%>
<%= componentSession.getExternalComponent().getType() %>
<%= StringUtils.escapeHTMLTags(componentSession.getExternalComponent().getType()) %>
</td>
</tr>
<tr>
Expand Down Expand Up @@ -150,9 +151,9 @@
<fmt:message key="session.details.hostname" />
</td>
<td>
<%= componentSession.getHostAddress() %>
<%= StringUtils.escapeHTMLTags(componentSession.getHostAddress()) %>
/
<%= componentSession.getHostName() %>
<%= StringUtils.escapeHTMLTags(componentSession.getHostName()) %>
</td>
</tr>
</tbody>
Expand All @@ -167,4 +168,4 @@
</form>

</body>
</html>
</html>
9 changes: 5 additions & 4 deletions src/web/component-session-summary.jsp
Expand Up @@ -22,6 +22,7 @@
org.jivesoftware.openfire.session.ComponentSession,
org.jivesoftware.openfire.session.Session,
org.jivesoftware.util.JiveGlobals,
org.jivesoftware.util.StringUtils,
org.jivesoftware.util.ParamUtils,
java.net.URLEncoder"
errorPage="error.jsp"
Expand Down Expand Up @@ -187,10 +188,10 @@
<a href="component-session-details.jsp?jid=<%= URLEncoder.encode(componentSession.getAddress().toString(), "UTF-8") %>" title="<fmt:message key="session.row.cliked" />"><%= componentSession.getAddress() %></a>
</td>
<td align="center" width="15%" nowrap>
<%= componentSession.getExternalComponent().getName() %>
<%= StringUtils.escapeHTMLTags(componentSession.getExternalComponent().getName()) %>
</td>
<td align="center" width="10%" nowrap>
<%= componentSession.getExternalComponent().getCategory() %>
<%= StringUtils.escapeHTMLTags(componentSession.getExternalComponent().getCategory()) %>
</td>
<td align="center" width="10%" nowrap>
<table border="0">
Expand Down Expand Up @@ -218,7 +219,7 @@
<% }
}
%>
<td><%= componentSession.getExternalComponent().getType() %></td>
<td><%= StringUtils.escapeHTMLTags(componentSession.getExternalComponent().getType()) %></td>
</tr></table>
</td>
<% Date creationDate = componentSession.getCreationDate();
Expand Down Expand Up @@ -279,4 +280,4 @@
</p>

</body>
</html>
</html>
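Review bot: Line 321 still writes `componentSession.getAddress()` raw as the link text while the neighbouring cells on lines 325 and 329 are now escaped; the address of an external component comes from the remote side, so it is the same class of output this commit is fixing. Change the link text to `<%= StringUtils.escapeHTMLTags(componentSession.getAddress().toString()) %>`; the href on the same line is already URL-encoded and needs no change. The loop that renders this row starts before the hunk.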
5 changes: 3 additions & 2 deletions src/web/error.jsp
Expand Up @@ -7,6 +7,7 @@
<%@ page import="java.io.*,
org.jivesoftware.util.ParamUtils,
org.jivesoftware.util.JiveGlobals,
org.jivesoftware.util.StringUtils,
org.jivesoftware.openfire.auth.UnauthorizedException,
org.jivesoftware.openfire.user.UserNotFoundException,
org.jivesoftware.openfire.group.GroupNotFoundException"
Expand Down Expand Up @@ -54,7 +55,7 @@
%>
<fmt:message key="error.exception" />
<pre>
<%= sout.toString() %>
<%= StringUtils.escapeHTMLTags(sout.toString()) %>
</pre>

<% } %>
<% } %>
12 changes: 7 additions & 5 deletions src/web/external-components-settings.jsp
Expand Up @@ -25,8 +25,10 @@
org.jivesoftware.openfire.component.ExternalComponentConfiguration,
org.jivesoftware.openfire.component.ExternalComponentManager,
org.jivesoftware.util.ModificationNotAllowedException,
org.jivesoftware.util.StringUtils,
org.jivesoftware.util.ParamUtils,
java.util.Collection"
java.util.Collection,
java.net.URLEncoder"
errorPage="error.jsp"
%>
<%@ page import="java.util.HashMap" %>
Expand Down Expand Up @@ -243,7 +245,7 @@
<tr>
<td class="jive-icon"><img src="images/error-16x16.gif" width="16" height="16" border="0" alt=""/></td>
<td class="jive-icon-label">
<fmt:message key="component.settings.modification.denied" /> <%= operationFailedDetail != null ? operationFailedDetail : ""%>
<fmt:message key="component.settings.modification.denied" /> <%= operationFailedDetail != null ? StringUtils.escapeHTMLTags(operationFailedDetail) : ""%>
</td>
</tr>
</tbody>
Expand Down Expand Up @@ -328,7 +330,7 @@
</td>
<td width="99%">
<input type="text" size="15" maxlength="70" name="defaultSecret"
value="<%= ((defaultSecret != null) ? defaultSecret : "") %>">
value="<%= ((defaultSecret != null) ? StringUtils.escapeForXML(defaultSecret) : "") %>">
</td>
</tr>
</table>
Expand Down Expand Up @@ -408,13 +410,13 @@
<%= count %>
</td>
<td>
<%= configuration.getSubdomain() %>
<%= StringUtils.escapeHTMLTags(configuration.getSubdomain()) %>
</td>
<td>
<%= configuration.getSecret() %>
</td>
<td align="center" style="border-right:1px #ccc solid;">
<a href="#" onclick="if (confirm('<fmt:message key="component.settings.confirm_delete" />')) { location.replace('external-components-settings.jsp?deleteConf=<%= configuration.getSubdomain() %>'); } "
<a href="#" onclick="if (confirm('<fmt:message key="component.settings.confirm_delete" />')) { location.replace('external-components-settings.jsp?deleteConf=<%= URLEncoder.encode(configuration.getSubdomain(),"UTF-8") %>'); } "
title="<fmt:message key="global.click_delete" />"
><img src="images/delete-16x16.gif" width="16" height="16" border="0" alt=""></a>
</td>
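Review bot: Line 406 still emits `configuration.getSecret()` unescaped right beside the subdomain that line 403 now escapes; the secret is operator-configured rather than remote input, but it lands in a text node and the omission reads as accidental, so `<%= StringUtils.escapeHTMLTags(configuration.getSecret()) %>` keeps the table consistent with the rest of the commit. The URL-encoding added on line 410 is the right encoder for that spot: its output contains neither quotes nor angle brackets, so it survives both the JavaScript string and the enclosing attribute. The delete itself remains a GET issued from an `href="#"` link with no request token visible here; whether the handler verifies one is outside this hunk, so I flag it as something to confirm rather than as a defect.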
