Index: examples/test-webapp/src/main/java/com/acme/Dump.java
===================================================================
--- examples/test-webapp/src/main/java/com/acme/Dump.java (revision 2164)
+++ examples/test-webapp/src/main/java/com/acme/Dump.java (working copy)
@@ -63,6 +63,12 @@
/* ------------------------------------------------------------ */
public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException
{
+ if(request.getPathInfo().toLowerCase().indexOf("script")!=-1)
+ {
+ response.sendRedirect(getServletContext().getContextPath() + "/dump/info");
+ return;
+ }
+
request.setCharacterEncoding("UTF-8");
if (request.getParameter("empty")!=null)
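Review bot: The new guard dereferences `request.getPathInfo()` without a null check, so a request that reaches doGet with no extra path (the servlet mapping's bare prefix) throws a NullPointerException and the servlet answers 500 instead of dumping. Store the value first and test it: `String path = request.getPathInfo();` then `if (path != null && path.toLowerCase().indexOf("script") != -1)`. Separately, this is a denylist on one substring; an injected path that later lands in the HTML without the word "script" (attribute or event-handler payloads) passes it, so the redirect is at best a stop-gap and the real fix is escaping wherever the path is echoed, which presumably happens further down in doGet — the method continues outside this hunk. A comment saying so, e.g. `// Denylist only; output escaping below is what actually prevents XSS`, would keep a later maintainer from treating this check as the protection.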
@@ -411,13 +417,13 @@
{
name= (String)h.nextElement();
pout.write("
\n");
- pout.write("| "+name+": | ");
- pout.write(""+request.getParameter(name)+" | ");
+ pout.write(""+name.toLowerCase().replaceAll("script", "textarea")+": | ");
+ pout.write(""+request.getParameter(name).toLowerCase().replaceAll("script", "textarea")+" | ");
String[] values= request.getParameterValues(name);
if (values == null)
{
pout.write("
\n");
- pout.write("| "+name+" Values: | ");
+ pout.write(""+name.toLowerCase().replaceAll("script", "textarea")+" Values: | ");
pout.write(""+"NULL!"+" | ");
}
else if (values.length > 1)
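Review bot: The replaced lines write the parameter name and value into the page after only lowercasing them and swapping the literal `script` for `textarea`; that does not neutralise `<`, `>`, `"` or `&`, so a value such as `<img src=x onerror=alert(1)>` or `<svg onload=...>` is still reflected as live markup and the cross-site scripting this hunk is meant to close remains. Lowercasing also changes what the dump shows, which defeats the point of a debug servlet. Escape the four HTML-significant characters instead and leave the text otherwise intact; the helper below preserves the original `"null"` rendering of a missing parameter, so it can replace the `""+` concatenations one for one. The enclosing loop starts before this hunk.
```java
/** HTML-escapes s for insertion as element text; a null value prints as "null", as the original concatenation did. */
private static String escapeHtml(String s)
{
    if (s == null)
        return "null";
    StringBuffer buf = new StringBuffer(s.length());
    for (int i = 0; i < s.length(); i++)
    {
        char c = s.charAt(i);
        switch (c)
        {
            case '<': buf.append("&lt;"); break;
            case '>': buf.append("&gt;"); break;
            case '&': buf.append("&amp;"); break;
            case '"': buf.append("&quot;"); break;
            case '\'': buf.append("&#39;"); break;
            default: buf.append(c);
        }
    }
    return buf.toString();
}
// … unchanged: row markup around the name/value cells …
pout.write("" + escapeHtml(name) + ": | ");
pout.write("" + escapeHtml(request.getParameter(name)) + " | ");
// … unchanged: values == null branch, with escapeHtml(name) in the "Values:" cell …
```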
@@ -425,8 +431,8 @@
for (int i= 0; i < values.length; i++)
{
pout.write("
\n");
- pout.write("| "+name+"["+i+"]: | ");
- pout.write(""+values[i]+" | ");
+ pout.write(""+name.toLowerCase().replaceAll("script", "textarea")+"["+i+"]: | ");
+ pout.write(""+values[i].toLowerCase().replaceAll("script", "textarea")+" | ");
}
}
}
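Review bot: The multi-value rows still emit `values[i]` and `name` raw apart from the `script`→`textarea` substitution, so any payload that avoids that substring (`<img src=x onerror=...>`, an unquoted attribute break) is reflected unescaped here exactly as in the single-value rows. The two writes should go through a real HTML escaper that converts `<`, `>`, `&` and `"` to entities rather than a substring denylist: `pout.write(""+escapeHtml(name)+"["+i+"]: | ");` and `pout.write(""+escapeHtml(values[i])+" | ");`, with `escapeHtml` a private static helper on the servlet. Dropping the `toLowerCase()` call also restores the original case of the dumped values, which a debugging servlet should show as received. The enclosing method continues past this hunk.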
Index: examples/test-webapp/src/main/webapp/snoop.jsp
===================================================================
--- examples/test-webapp/src/main/webapp/snoop.jsp (revision 2164)
+++ examples/test-webapp/src/main/webapp/snoop.jsp (working copy)
@@ -38,9 +38,9 @@
Path translated: |
<%= request.getPathTranslated() %> |
-
+
k.toLowerCase().replaceAll("script", "textarea")
| Query string: |
- <%= request.getQueryString() %> |
+ <%= request.getQueryString().toLowerCase().replaceAll("script", "textarea") %> |
| Content length: |
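Review bot: `request.getQueryString()` returns null when the URL carries no query string, so the new expression `request.getQueryString().toLowerCase()...` throws a NullPointerException and snoop.jsp now fails for the most common request shape, a plain GET with no parameters. Guard it before calling methods on it, e.g. `<%= request.getQueryString() == null ? "" : escapeHtml(request.getQueryString()) %>`, where `escapeHtml` is a page-scoped helper declared in a `<%! %>` block that entity-encodes `<`, `>`, `&` and `"`. The substring replacement used here is not an escaper: a query string containing `<img src=x onerror=alert(1)>` has no `script` in it and is written to the page unchanged.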
@@ -122,13 +122,13 @@
String vals[] = request.getParameterValues(k);
%>
- | <%= k %> |
- <%= val %> |
+ <%= k.toLowerCase().replaceAll("script", "textarea") %> |
+ <%= val.toLowerCase().replaceAll("script", "textarea") %> |
<%
for(int i = 0; i < vals.length; i++) {
if(i > 0)
out.print(" ");
- out.print(vals[i]);
+ out.print(vals[i].toLowerCase().replaceAll("script", "textarea"));
}
%> |
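Review bot: The parameter name `k`, the single value `val` and each `vals[i]` are written into the response after a lowercase-and-replace of the word `script`, which leaves `<`, `>`, `"` and `&` intact and therefore still allows reflected XSS through tag or attribute payloads that never contain that word. The page should entity-encode those characters instead; a helper declared once in a `<%! %>` block and used in all three expressions does that without a taglib dependency, and it keeps the original case of the values, which the current code discards. `val` is assigned before this hunk, so its null-safety cannot be judged from here; the helper below tolerates null by printing `null` as the raw concatenation would have. The surrounding scriptlet loop begins above the hunk.
```jsp
<%!
    /* Entity-encodes s for insertion as HTML text; null prints as "null" so existing output is unchanged. */
    private static String escapeHtml(String s) {
        if (s == null) return "null";
        StringBuffer buf = new StringBuffer(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c == '<') buf.append("&lt;");
            else if (c == '>') buf.append("&gt;");
            else if (c == '&') buf.append("&amp;");
            else if (c == '"') buf.append("&quot;");
            else buf.append(c);
        }
        return buf.toString();
    }
%>
<%-- … unchanged: table rows up to the parameter loop … --%>
<%= escapeHtml(k) %> |
<%= escapeHtml(val) %> |
<%-- … unchanged: loop header … --%>
out.print(escapeHtml(vals[i]));
```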
@@ -157,8 +157,8 @@
Object val = request.getAttribute(k);
%>
- | <%= k %> |
- <%= val %> |
+ <%= k.toLowerCase().replaceAll("script", "textarea") %> |
+ <%= val.toString().toLowerCase().replaceAll("script", "textarea") %> |
<%
}
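Review bot: The attribute dump applies the same `script`→`textarea` substitution to `k` and `val.toString()`, which still leaves `<`, `>`, `&` and `"` in the output; attribute values are server-side objects, so the exposure is lower than for request parameters, but anything that copies user input into an attribute (an error message, a forwarded path) would be reflected unescaped here. Replace both expressions with a call to a page-level entity-encoding helper, `<%= escapeHtml(k) %>` and `<%= escapeHtml(String.valueOf(val)) %>`; `String.valueOf` also avoids a NullPointerException should an attribute ever be enumerated with a null value, which cannot be ruled out from this hunk. The loop that assigns `val` starts above the hunk.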
Index: VERSION.txt
===================================================================
--- VERSION.txt (revision 2164)
+++ VERSION.txt (working copy)
@@ -1,6 +1,7 @@
jetty-SNAPSHOT
+ + CERT VU#237888 Dump Servlet - prevent cross site scripting
+ CERT VU#38616 handle single quotes in cookie names.
+ Improved JSON parsing from Readers
+ Moved some impl classes from jsp-api-2.1 to jsp-2.1