return false;
}
-
+
+ /**
+ * Filter the specified message string for characters that are sensitive
+ * in HTML. This avoids potential attacks caused by including JavaScript
+ * codes in the request URL that is often reported in error messages.
+ *
+ * @param message The message string to be filtered
+ */
+ public static String filter(String message) {
+
+ if (message == null)
+ return (null);
+
+ char content[] = new char[message.length()];
+ message.getChars(0, message.length(), content, 0);
+ StringBuffer result = new StringBuffer(content.length + 50);
+ for (int i = 0; i < content.length; i++) {
+ switch (content[i]) {
+ case '<':
+ result.append("<");
+ break;
+ case '>':
+ result.append(">");
+ break;
+ case '&':
+ result.append("&");
+ break;
+ case '"':
+ result.append(""");
+ break;
+ default:
+ result.append(content[i]);
+ }
+ }
+ return (result.toString());
+
+ }
+
}
import org.apache.jasper.Options;
import org.apache.jasper.compiler.JspRuntimeContext;
import org.apache.jasper.compiler.Localizer;
+import org.apache.jasper.security.SecurityUtil;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;
if (includeRequestUri != null) {
// This file was included. Throw an exception as
// a response.sendError() will be ignored
- throw new ServletException(Localizer.getMessage(
- "jsp.error.file.not.found",jspUri));
+ String msg = Localizer.getMessage(
+ "jsp.error.file.not.found",jspUri);
+ // Strictly, filtering this is an application
+ // responsibility but just in case...
+ throw new ServletException(
+ SecurityUtil.filter(msg));
} else {
try {
response.sendError(
projects / tomcat7.0 / commitdiff