oblac · pixeebot · Apr 15, 2024
diff --git a/jodd-htmlstapler/src/main/java/jodd/htmlstapler/HtmlStaplerFilter.java b/jodd-htmlstapler/src/main/java/jodd/htmlstapler/HtmlStaplerFilter.java
@@ -25,6 +25,7 @@
 
 package jodd.htmlstapler;
 
+import io.github.pixee.security.Newlines;
 import jodd.bean.BeanUtil;
 import jodd.io.IOUtil;
 import jodd.lagarto.TagVisitor;
@@ -202,11 +203,11 @@ protected boolean processActionPath(final HttpServletRequest servletRequest, fin
 			throw new IOException("bundle not found: " + bundleId);
 		}
 
-		servletResponse.setHeader("Content-Length", String.valueOf(file.length()));
-		servletResponse.setHeader("Last-Modified", TimeUtil.formatHttpDate(file.lastModified()));
+		servletResponse.setHeader("Content-Length", Newlines.stripAll(String.valueOf(file.length())));
+		servletResponse.setHeader("Last-Modified", Newlines.stripAll(TimeUtil.formatHttpDate(file.lastModified())));
 
 		if (cacheMaxAge > 0) {
-			servletResponse.setHeader("Cache-Control", "max-age=" + cacheMaxAge);
+			servletResponse.setHeader("Cache-Control", Newlines.stripAll("max-age=" + cacheMaxAge));
 		}
 
 		sendBundleFile(servletResponse, file);

diff --git a/jodd-madvoc/src/main/java/jodd/madvoc/scope/HeaderScope.java b/jodd-madvoc/src/main/java/jodd/madvoc/scope/HeaderScope.java
@@ -25,6 +25,7 @@
 
 package jodd.madvoc.scope;
 
+import io.github.pixee.security.Newlines;
 import jodd.madvoc.ActionRequest;
 import jodd.madvoc.config.Targets;
 
@@ -81,7 +82,7 @@ public void outject(final ActionRequest actionRequest, final Targets targets) {
 		targets.forEachTargetAndOut(this, (target, out) -> {
 			final String value = (String) target.readValue(out);
 			if (value != null) {
-				servletResponse.setHeader(out.name(), value);
+				servletResponse.setHeader(out.name(), Newlines.stripAll(value));
 			}
 		});
 	}

diff --git a/jodd-servlet/src/main/java/jodd/servlet/DispatcherUtil.java b/jodd-servlet/src/main/java/jodd/servlet/DispatcherUtil.java
@@ -25,6 +25,7 @@
 
 package jodd.servlet;
 
+import io.github.pixee.security.Newlines;
 import jodd.util.StringPool;
 
 import javax.servlet.RequestDispatcher;
@@ -170,7 +171,7 @@ public static void redirectPermanent(final HttpServletRequest request, final Htt
 			url = ServletUtil.getContextPath(request) + url;
 		}
 		response.setStatus(HttpServletResponse.SC_MOVED_PERMANENTLY);
-		response.setHeader("Location", url);
+		response.setHeader("Location", Newlines.stripAll(url));
 	}
 
 

diff --git a/jodd-servlet/src/main/java/jodd/servlet/ServletUtil.java b/jodd-servlet/src/main/java/jodd/servlet/ServletUtil.java
@@ -25,6 +25,7 @@
 
 package jodd.servlet;
 
+import io.github.pixee.security.Newlines;
 import jodd.core.JoddCore;
 import jodd.http.upload.FileUpload;
 import jodd.io.FileNameUtil;
@@ -145,7 +146,7 @@ public static String resolveAuthBearerToken(final HttpServletRequest request) {
 	 * Sends correct headers to require basic authentication for the given realm.
 	 */
 	public static void requireAuthentication(final HttpServletResponse resp, final String realm) throws IOException {
-		resp.setHeader(WWW_AUTHENTICATE, "Basic realm=\"" + realm + '\"');
+		resp.setHeader(WWW_AUTHENTICATE, Newlines.stripAll("Basic realm=\"" + realm + '\"'));
 		resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
 	}
 
@@ -200,7 +201,7 @@ public static void prepareResponse(final HttpServletResponse response, final Str
 			final String encodedFileName = URLCoder.encode(name);
 
 			response.setHeader(CONTENT_DISPOSITION,
-				"attachment;filename=\"" + name + "\";filename*=utf8''" + encodedFileName);
+				Newlines.stripAll("attachment;filename=\"" + name + "\";filename*=utf8''" + encodedFileName));
 		}
 	}