From 410ed3001d51c689cf59085b7417466caa2ded7b Mon Sep 17 00:00:00 2001
From: Kohsuke Kawaguchi
Date: Tue, 1 Nov 2011 22:27:09 -0700
Subject: [PATCH] escape error messages which are supposed be plain text and not markup
---
 src/java/winstone/ErrorServlet.java | 2 +-
 src/java/winstone/URIUtil.java | 17 +++++++++++++++++
 src/java/winstone/WinstoneResponse.java | 2 +-
 3 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/src/java/winstone/ErrorServlet.java b/src/java/winstone/ErrorServlet.java
index 1854f8d6..35c95ca3 100644
--- a/src/java/winstone/ErrorServlet.java
+++ b/src/java/winstone/ErrorServlet.java
@@ -42,7 +42,7 @@ public void service(ServletRequest request, ServletResponse response) throws Ser
 // If we are here there was no error servlet, so show the default error page
 String output = Launcher.RESOURCES.getString("WinstoneResponse.ErrorPage",
- new String[] { sc + "", (msg == null ? "" : msg), sw.toString(),
+ new String[] { sc + "", URIUtil.htmlEscape(msg == null ? "" : msg), URIUtil.htmlEscape(sw.toString()),
 Launcher.RESOURCES.getString("ServerVersion"), "" + new Date() });
 response.setContentLength(output.getBytes(response.getCharacterEncoding()).length);
diff --git a/src/java/winstone/URIUtil.java b/src/java/winstone/URIUtil.java
index a2fba88a..97d7fdcf 100644
--- a/src/java/winstone/URIUtil.java
+++ b/src/java/winstone/URIUtil.java
@@ -50,4 +50,21 @@ static String canonicalPath(String path) {
 return buf.toString();
 }
+ /**
+ * Performs necessary escaping to render arbitrary plain text as plain text without any markup.
+ */
+ public static String htmlEscape(String text) {
+ StringBuilder buf = new StringBuilder(text.length()+64);
+ for( int i=0; i
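Review bot: The two `URIUtil.htmlEscape` calls on the rewritten `new String[] { ... }` line are only as good as the escaper's coverage, and its body is cut off in this patch, so confirm it rewrites at least `&`, `<`, `>` and `"` (and `'` if any placeholder of the `WinstoneResponse.ErrorPage` template sits inside a single-quoted attribute); the template itself is not visible here. Escaping `sw.toString()` makes the stack trace safe to render, but the default error page still sends full exception traces, class names and paths to every client, an information-disclosure point the commit does not address; consider logging the trace server-side and including it in the page only behind a debug setting. The added line is also well over the usual width: putting `URIUtil.htmlEscape(msg == null ? "" : msg),` and `URIUtil.htmlEscape(sw.toString()),` on separate lines would keep it readable. `service` starts and ends outside the hunk.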