Merge pull request #399 from bhagyasakalanka/master-xss
Encode request parameters in registry profiles UI.
bhagyasakalanka committed Jul 12, 2022
2 parents c93f6bf + 5bba56a commit 9f967ab
Showing 6 changed files with 13 additions and 7 deletions.
Expand Up @@ -18,8 +18,9 @@
<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<%@ taglib prefix="fmt" uri="http://java.sun.com/jsp/jstl/fmt" %>
<%@ taglib prefix="carbon" uri="http://wso2.org/projects/carbon/taglibs/carbontags.jar" %>
<%@ page import="org.owasp.encoder.Encode" %>
<%
String parentPath = request.getParameter("parentPath");
String parentPath = Encode.forHtml(request.getParameter("parentPath"));
%>
<br/>
<fmt:bundle basename="org.wso2.carbon.registry.profiles.ui.i18n.Resources">
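Review bot: `parentPath` is HTML-encoded at the moment it is read rather than where it is written out, so the encoded value is what every later use of the variable sees; `Encode.forHtml` is correct only for an HTML text/attribute sink, and it also rewrites any legitimate path containing `&`, `<`, `>`, `'` or `"` before a registry lookup, URL or JavaScript string ever receives it. The safer shape is to keep the raw parameter for data use and apply the sink-specific encoder at each output point, e.g. `String parentPath = request.getParameter("parentPath");` here and `<%=Encode.forHtml(parentPath)%>` (or `forHtmlAttribute`, `forJavaScript`, `forUriComponent` as the context requires) where it is printed. The same read-time encoding is applied to `path`, `username` and `profile_menu` in the other five sections and this remark applies to each of them. The rest of this scriptlet lies outside the hunk, so the downstream uses are inferred, not visible.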
Expand Up @@ -17,6 +17,7 @@
-->
<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<%@ taglib prefix="fmt" uri="http://java.sun.com/jsp/jstl/fmt" %>
<%@ page import="org.owasp.encoder.Encode" %>
<%@ page import="org.wso2.carbon.ui.CarbonUIMessage"%>
<%@ page import="org.wso2.carbon.registry.profiles.ui.clients.ProfilesAdminServiceClient" %>
<%@ page import="org.wso2.carbon.registry.profiles.stub.beans.xsd.ProfilesBean" %>
Expand All @@ -29,7 +30,7 @@
<%@ page import="java.util.Set" %>

<%
String path =request.getParameter("path");
String path = Encode.forHtml(request.getParameter("path"));
Map<String, Map<String,String>> data = null;
Map<String,String> defaultprofile = null;
Iterator it = null;
Expand Up @@ -16,10 +16,11 @@
~ under the License.
-->
<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<%@ page import="org.owasp.encoder.Encode" %>
<%@ page import="org.wso2.carbon.registry.common.utils.RegistryUtil" %>
<%@ page import="org.wso2.carbon.registry.common.ui.UIException" %>
<%
String esPath = request.getParameter("path");
String esPath = Encode.forHtml(request.getParameter("path"));
String profilesMainPath = "profiles_main_ajaxprocessor.jsp?path=" + esPath;
%>
<jsp:forward page="<%=profilesMainPath%>"/>
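Review bot: `esPath` is HTML-encoded and then concatenated into a query string on the following line, which is a URL context, not an HTML one: a path containing `&` becomes `&amp;`, which the forwarded page will parse as an extra parameter, while URL-significant characters such as `=`, `%` and `#` are left untouched. Since the forwarded-to page appears to HTML-encode `path` itself in this same commit, encoding here is also double encoding. Use the URL encoder for this sink and keep the raw value otherwise, with a guard for a missing parameter: `<%@ page import="java.net.URLEncoder" %>`, `String esPath = request.getParameter("path");` and `String profilesMainPath = "profiles_main_ajaxprocessor.jsp?path=" + (esPath == null ? "" : URLEncoder.encode(esPath, "UTF-8"));`.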
Expand Up @@ -16,14 +16,15 @@
~ under the License.
-->
<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<%@ page import="org.owasp.encoder.Encode" %>
<%@ page import="org.wso2.carbon.registry.common.ui.UIException" %>
<%@ page import="org.wso2.carbon.registry.profiles.stub.beans.xsd.ProfilesBean" %>
<%@ page import="org.wso2.carbon.registry.core.RegistryConstants" %>
<%@ page import="org.wso2.carbon.registry.profiles.ui.clients.ProfilesAdminServiceClient" %>
<%@ page import="org.wso2.carbon.ui.CarbonUIMessage" %>
<%@ page import="org.wso2.carbon.ui.CarbonUIUtil" %>
<%
String username = request.getParameter("username");
String username = Encode.forHtml(request.getParameter("username"));
String error = "This profile is already stored in the registry or a profile does not exist for the given username or you don't have sufficient privileges to configure user profiles.";
// bean.setUserName(username);
if (username != null) {
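Review bot: The `if (username != null)` check on the last hunk line can no longer be reached with a null, because OWASP's `Encode.forHtml(null)` returns the literal string `"null"` (it mirrors `String.valueOf`), so a request without a `username` parameter now proceeds with the username "null" instead of taking the existing error path. The same applies to the `if (selectedProfile == null) { selectedProfile = "default"; }` fallback in the last section, which this change makes dead code. Read the raw parameter, keep the null check, and encode only at the output: `String username = request.getParameter("username");` with `<%=Encode.forHtml(username)%>` where it is rendered; or, at minimum, guard the call, `String rawUsername = request.getParameter("username"); String username = rawUsername == null ? null : Encode.forHtml(rawUsername);`. The body of the `if` continues outside the hunk.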
Expand Up @@ -17,6 +17,7 @@
-->
<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<%@ taglib prefix="fmt" uri="http://java.sun.com/jsp/jstl/fmt" %>
<%@ page import="org.owasp.encoder.Encode" %>
<%@ page import="org.wso2.carbon.ui.CarbonUIMessage"%>
<%@ page import="org.wso2.carbon.registry.profiles.ui.clients.ProfilesAdminServiceClient" %>
<%@ page import="org.wso2.carbon.registry.profiles.stub.beans.xsd.ProfilesBean" %>
Expand All @@ -28,7 +29,7 @@
<%@ page import="org.wso2.carbon.registry.profiles.ui.utils.GetProfileUtil" %>

<%
String path =request.getParameter("path");
String path = Encode.forHtml(request.getParameter("path"));
Map<String,String> defaultProfile = new HashMap();
Map<String, Map<String,String>> data = null;
try {
Expand Up @@ -17,6 +17,7 @@
-->
<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<%@ taglib prefix="fmt" uri="http://java.sun.com/jsp/jstl/fmt" %>
<%@ page import="org.owasp.encoder.Encode" %>
<%@ page import="org.wso2.carbon.ui.CarbonUIMessage"%>
<%@ page import="org.wso2.carbon.registry.profiles.ui.clients.ProfilesAdminServiceClient" %>
<%@ page import="org.wso2.carbon.registry.profiles.stub.beans.xsd.ProfilesBean" %>
Expand All @@ -29,8 +30,8 @@
<%@ page import="java.util.Set" %>

<%
String path =request.getParameter("path");
String selectedProfile = request.getParameter("profile_menu");
String path = Encode.forHtml(request.getParameter("path"));
String selectedProfile = Encode.forHtml(request.getParameter("profile_menu"));
if (selectedProfile == null) {
selectedProfile = "default";
}
