Author: taylor Date: Wed Mar 10 01:42:57 2021 New Revision: 1887401 URL: http://svn.apache.org/viewvc?rev=1887401&view=rev Log: improve XXS url attack filter
Modified: portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/engine/servlet/XXSUrlAttackFilter.java
Modified: portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/engine/servlet/XXSUrlAttackFilter.java
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/engine/servlet/XXSUrlAttackFilter.java?rev=1887401&r1=1887400&r2=1887401&view=diff
==============================================================================
--- portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/engine/servlet/XXSUrlAttackFilter.java (original)
+++ portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/engine/servlet/XXSUrlAttackFilter.java Wed Mar 10 01:42:57 2021
@@ -99,7 +99,11 @@ public class XXSUrlAttackFilter implemen
 // catch 'jspage=/responsive/my-account2.psml%22;alert(/xss/);%22'
 String[] parts = value.split("&");
 for (String part : parts) {
- String queryValue = part.split("=")[1].replaceAll("%22", "\"");
+ String[] segments = part.split("=");
+ if (segments.length <= 1) {
+ continue;
+ }
+ String queryValue = segments[1].replaceAll("%22", "\"");
 if (queryValue.matches("^\"(.*)\"$")) {
 // properly quoted query value
 } else if (queryValue.indexOf('"') != -1) {
---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-dev-unsubscr...@portals.apache.org
For additional commands, e-mail: jetspeed-dev-h...@portals.apache.org
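Review bot: The new `segments[1]` still inspects only the text between the first and second `=`, because `part.split("=")` has no limit; a query value that itself contains `=` is cut at that point and the remainder after the second `=` is never passed through the quote check. Using `part.split("=", 2)` keeps the whole remainder of the pair in `segments[1]` while leaving the new length guard intact, and a short why-comment such as `// limit 2: an '=' inside the value must stay part of the value` would document the intent. The enclosing method starts and ends outside the hunk, so it cannot be confirmed here where `value` is taken from or whether it has already been URL-decoded; within the hunk `%22` is the only encoding the check decodes before matching, which is worth stating in the comment above the loop.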