From: markt <markt@13f79535-47bb-0310-9956-ffa450edef68>
Date: Sun, 8 Jun 2008 11:30:44 +0000 (+0000)
Subject: Add an additional layer of protection in case app fails to protect against an XSS.
X-Git-Url: https://git.internetallee.de/?a=commitdiff_plain;h=a7f92b847d9a8c5d1b7d4123c7f75336884eb9e7;p=tomcat7.0

Add an additional layer of protection in case app fails to protect against an XSS.
Copied filter code to jasper module so no new dependency is created.

git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@664483 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/java/org/apache/jasper/security/SecurityUtil.java b/java/org/apache/jasper/security/SecurityUtil.java
index 657a87208..22d0668e4 100644
--- a/java/org/apache/jasper/security/SecurityUtil.java
+++ b/java/org/apache/jasper/security/SecurityUtil.java
@@ -40,5 +40,42 @@ public final class SecurityUtil{
         return false;
     }
     
-    
+
+    /**
+     * Filter the specified message string for characters that are sensitive
+     * in HTML.  This avoids potential attacks caused by including JavaScript
+     * codes in the request URL that is often reported in error messages.
+     *
+     * @param message The message string to be filtered
+     */
+    public static String filter(String message) {
+
+        if (message == null)
+            return (null);
+
+        char content[] = new char[message.length()];
+        message.getChars(0, message.length(), content, 0);
+        StringBuffer result = new StringBuffer(content.length + 50);
+        for (int i = 0; i < content.length; i++) {
+            switch (content[i]) {
+            case '<':
+                result.append("&lt;");
+                break;
+            case '>':
+                result.append("&gt;");
+                break;
+            case '&':
+                result.append("&amp;");
+                break;
+            case '"':
+                result.append("&quot;");
+                break;
+            default:
+                result.append(content[i]);
+            }
+        }
+        return (result.toString());
+
+    }
+
 }
diff --git a/java/org/apache/jasper/servlet/JspServlet.java b/java/org/apache/jasper/servlet/JspServlet.java
index c345d8ea1..1c1200358 100644
--- a/java/org/apache/jasper/servlet/JspServlet.java
+++ b/java/org/apache/jasper/servlet/JspServlet.java
@@ -35,6 +35,7 @@ import org.apache.jasper.EmbeddedServletOptions;
 import org.apache.jasper.Options;
 import org.apache.jasper.compiler.JspRuntimeContext;
 import org.apache.jasper.compiler.Localizer;
+import org.apache.jasper.security.SecurityUtil;
 import org.apache.juli.logging.Log;
 import org.apache.juli.logging.LogFactory;
 
@@ -311,8 +312,12 @@ public class JspServlet extends HttpServlet implements PeriodicEventListener {
                         if (includeRequestUri != null) {
                             // This file was included. Throw an exception as
                             // a response.sendError() will be ignored
-                            throw new ServletException(Localizer.getMessage(
-                                    "jsp.error.file.not.found",jspUri));
+                            String msg = Localizer.getMessage(
+                                    "jsp.error.file.not.found",jspUri);
+                            // Strictly, filtering this is an application
+                            // responsibility but just in case...
+                            throw new ServletException(
+                                    SecurityUtil.filter(msg));
                         } else {
                             try {
                                 response.sendError(