Merge pull request #9 from googleglass/moved-sign-out

Upgraded client lib, fixed potential XSS, fixed some other tiny bugs

pom.xml

@@ -37,16 +37,15 @@ limitations under the License.
     <dependency>
       <groupId>com.google.apis</groupId>
       <artifactId>google-api-services-mirror</artifactId>
-      <version>v1-rev11-1.15.0-rc</version>
+      <version>v1-rev18-1.16.0-rc</version>
     </dependency>
     <dependency>
       <groupId>com.google.http-client</groupId>
       <artifactId>google-http-client-jackson2</artifactId>
-      <version>1.15.0-rc</version>
+      <version>1.16.0-rc</version>
     </dependency>
 
-
-      <!-- Jetty plugin dependencies -->
+    <!-- Jetty plugin dependencies -->
     <dependency>
       <groupId>org.mortbay.jetty</groupId>
       <artifactId>jetty</artifactId>
@@ -74,6 +73,11 @@ limitations under the License.
     </dependency>
 
     <!-- everything else -->
+    <dependency>
+      <groupId>org.apache.commons</groupId>
+      <artifactId>commons-lang3</artifactId>
+      <version>3.1</version>
+    </dependency>
     <dependency>
       <groupId>org.codehaus.jackson</groupId>
       <artifactId>jackson-core-asl</artifactId>

src/main/webapp/WEB-INF/web.xml

@@ -77,16 +77,6 @@ limitations under the License.
     <url-pattern>/attachmentproxy</url-pattern>
   </servlet-mapping>
 
-  <servlet>
-    <servlet-name>signout</servlet-name>
-    <servlet-class>com.google.glassware.SignOutServlet</servlet-class>
-  </servlet>
-  <servlet-mapping>
-    <servlet-name>signout</servlet-name>
-    <url-pattern>/signout</url-pattern>
-  </servlet-mapping>
-
-
   <welcome-file-list>
     <welcome-file>index.jsp</welcome-file>
   </welcome-file-list>

src/main/webapp/index.jsp

@@ -23,6 +23,7 @@ limitations under the License.
 <%@ page import="com.google.api.services.mirror.model.Subscription" %>
 <%@ page import="com.google.api.services.mirror.model.Attachment" %>
 <%@ page import="com.google.glassware.MainServlet" %>
+<%@ page import="org.apache.commons.lang3.StringEscapeUtils" %>
 
 <%@ page contentType="text/html;charset=UTF-8" language="java" %>
 
@@ -94,7 +95,7 @@ limitations under the License.
     <h1>Your Recent Timeline</h1>
     <% String flash = WebUtil.getClearFlash(request);
       if (flash != null) { %>
-    <span class="label label-warning">Message: <%= flash %> </span>
+    <span class="label label-warning">Message: <%= StringEscapeUtils.escapeHtml4(flash) %> </span>
     <% } %>
 
     <div style="margin-top: 5px;">
@@ -105,10 +106,10 @@ limitations under the License.
         <li><strong>ID: </strong> <%= timelineItem.getId() %>
         </li>
         <li>
-          <strong>Text: </strong> <%= timelineItem.getText() %>
+          <strong>Text: </strong> <%= StringEscapeUtils.escapeHtml4(timelineItem.getText()) %>
         </li>
         <li>
-          <strong>HTML: </strong> <%= timelineItem.getHtml() %>
+          <strong>HTML: </strong> <%= StringEscapeUtils.escapeHtml4(timelineItem.getHtml()) %>
         </li>
         <li>
           <strong>Attachments: </strong>
@@ -126,10 +127,10 @@ limitations under the License.
           } %>
         </li>
         <li>
-          <form action="/" method="post">
+          <form action="<%= WebUtil.buildUrl(request, "/main") %>" method="post">
             <input type="hidden" name="itemId" value="<%= timelineItem.getId() %>">
             <input type="hidden" name="operation" value="deleteTimelineItem">
-            <button class="btn" type="submit">Delete Item</button>
+            <button class="btn" type="submit">Delete</button>
           </form>
         </li>