Author: dejanb
Date: Thu Oct 18 10:57:52 2012
New Revision: 1399577
URL: http://svn.apache.org/viewvc?rev=1399577&view=rev
Log:
https://issues.apache.org/jira/browse/AMQ-4115 - xss in web demos
Modified:
activemq/trunk/activemq-web-demo/src/main/webapp/websocket/chat.js
activemq/trunk/activemq-web/src/main/java/org/apache/activemq/web/PortfolioPublishServlet.java
Modified: activemq/trunk/activemq-web-demo/src/main/webapp/websocket/chat.js
URL:
http://svn.apache.org/viewvc/activemq/trunk/activemq-web-demo/src/main/webapp/websocket/chat.js?rev=1399577&r1=1399576&r2=1399577&view=diff
==============================================================================
--- activemq/trunk/activemq-web-demo/src/main/webapp/websocket/chat.js
(original)
+++ activemq/trunk/activemq-web-demo/src/main/webapp/websocket/chat.js Thu Oct
18 10:57:52 2012
@@ -29,7 +29,7 @@ $(document).ready(function(){
// this allows to display debug logs directly on the web page
client.debug = function(str) {
- $("#debug").append(str + "\n");
+ $("#debug").append(document.createTextNode(str + "\n"));
};
// the client is notified when it is connected to the server.
var onconnect = function(frame) {
@@ -39,7 +39,7 @@ $(document).ready(function(){
$('#send_form_input').removeAttr('disabled');
client.subscribe(destination, function(message) {
- $("#messages").append("<p>" + message.body + "</p>\n");
+ $("#messages").append(document.createTextNode("<p>" + message.body +
"</p>\n"));
});
};
client.connect(login, passcode, onconnect);
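Review bot: The new `$("#messages").append(document.createTextNode("<p>" + message.body + "</p>\n"))` now renders the `<p>` and `</p>` markup as literal text, so every chat message shows the angle-bracket tags on screen instead of being wrapped in a paragraph element. Create the element and set the body through jQuery's text setter instead: `$("#messages").append($("<p/>").text(message.body));` — `.text()` goes through a text node, so `message.body` is still never parsed as HTML. The body arrives from other subscribers over the STOMP destination, so it should keep being treated as untrusted even though it is the demo's own client that publishes it. The enclosing `onconnect` handler and the `$(document).ready` callback continue outside the hunk.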
Modified:
activemq/trunk/activemq-web/src/main/java/org/apache/activemq/web/PortfolioPublishServlet.java
URL:
http://svn.apache.org/viewvc/activemq/trunk/activemq-web/src/main/java/org/apache/activemq/web/PortfolioPublishServlet.java?rev=1399577&r1=1399576&r2=1399577&view=diff
==============================================================================
---
activemq/trunk/activemq-web/src/main/java/org/apache/activemq/web/PortfolioPublishServlet.java
(original)
+++
activemq/trunk/activemq-web/src/main/java/org/apache/activemq/web/PortfolioPublishServlet.java
Thu Oct 18 10:57:52 2012
@@ -70,7 +70,8 @@ public class PortfolioPublishServlet ext
}
out.print(refreshRate);
out.println("'/></head>");
- out.println("<body>Published <b>" + count + "</b> of " + total
+ " price messages. Refresh = " + refreshRate + "s");
+ out.println("<body>Published <b>" +
escape(Integer.toString(count)) + "</b> of " + escape(Integer.toString(total))
+ + " price messages. Refresh = " + escape(refreshRate)
+ "s");
out.println("</body></html>");
} catch (JMSException e) {
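Review bot: `out.print(refreshRate);` on the context line just above the changed output is still written unescaped into the quoted `content='…'` attribute closed by `out.println("'/></head>");`, while the same value is escaped two lines later in the body text; if `refreshRate` is taken from a request parameter (its assignment is outside this hunk) a value containing a single quote can still break out of that attribute, so the injection this commit targets would remain reachable in the head. Escape it at both sites, `out.print(escape(refreshRate));`, or better, parse it once as an integer and print only the number, which also removes the need to escape it in the body. Note that `escape` here is `URLEncoder.encode`, so a legitimate value with a space is rendered as `+` in the body text rather than being HTML-entity-escaped. The enclosing `doGet` method starts and ends outside the hunk.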
@@ -129,4 +130,8 @@ public class PortfolioPublishServlet ext
}
return 1;
}
+
+ protected String escape(String text) throws IOException {
+ return java.net.URLEncoder.encode(text, "UTF-8");
+ }
}
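Review bot: The new `escape` helper delegates to `java.net.URLEncoder.encode`, which is percent-encoding for URL query strings, not HTML escaping: it happens to keep `<` and `>` out of the parser, but it also rewrites spaces as `+` and every other non-alphanumeric character as `%xx` in the rendered page, and it is the wrong primitive if the helper is later reused for attribute values or other HTML contexts. Replace the body with a small HTML entity escaper for `& < > " '` (below), which is safe both in element content and inside quoted attributes, and keep the name and signature so the call sites in `doGet` and any subclass override stay valid; a null argument is rendered as an empty string rather than throwing. If the project already depends on a library with an HTML escaper that is preferable, but the visible file does not show one.
```java
    /**
     * Escapes the characters that are significant in HTML so {@code text} can be
     * written into element content or a quoted attribute without being parsed as markup.
     *
     * @param text the untrusted text to escape; {@code null} yields an empty string
     * @return the escaped text
     */
    protected String escape(String text) throws IOException {
        if (text == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(text.length());
        for (int i = 0; i < text.length(); i++) {
            char c = text.charAt(i);
            switch (c) {
                case '&': sb.append("&amp;"); break;
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '"': sb.append("&quot;"); break;
                case '\'': sb.append("&#39;"); break;  // &apos; is not an HTML 4 entity
                default: sb.append(c);
            }
        }
        return sb.toString();
    }
```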