*) Fixed another XSS vulnerability. By adding </textarea>[add nasty text/commands here] it was possible to mess up the edit and the preview page.

git-svn-id: https://svn.berlios.de/svnroot/repos/yacy/trunk@1756 6c8d7289-2bf4-0310-a012-ef5d649a1542
low012 19 years ago
parent f31b633b2e
commit 8f6627378a

@ -118,7 +118,7 @@ public class Wiki {
try { try {
prop.put("mode", 1); //edit prop.put("mode", 1); //edit
prop.put("mode_author", author); prop.put("mode_author", author);
prop.put("mode_page-code", new String(page.page(), "UTF-8")); prop.put("mode_page-code", new String(page.page(), "UTF-8").replaceAll("</textarea>","<&#047;textarea>"));
prop.put("mode_pagename", pagename); prop.put("mode_pagename", pagename);
} catch (UnsupportedEncodingException e) {} } catch (UnsupportedEncodingException e) {}
} }
@ -132,7 +132,7 @@ public class Wiki {
prop.put("mode_author", author); prop.put("mode_author", author);
prop.put("mode_date", dateString(new Date())); prop.put("mode_date", dateString(new Date()));
prop.put("mode_page", wikiTransformer.transform(post.get("content", ""))); prop.put("mode_page", wikiTransformer.transform(post.get("content", "")));
prop.put("mode_page-code", post.get("content", "")); prop.put("mode_page-code", post.get("content", "").replaceAll("</textarea>","<&#047;textarea>"));
} }
//end contrib of [MN] //end contrib of [MN]
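Review bot: The `replaceAll("</textarea>", ...)` added to the `mode_page-code` line in the first hunk matches only that exact lower-case spelling, but HTML tag names are case-insensitive and an end tag may carry whitespace before `>`, so the textarea can still be closed early by page content; the `post.get("content", "")` line in the second hunk has the same gap. Escaping the textarea body as a whole is the robust fix: replace `&`, `<` and `>` with `&amp;`, `&lt;` and `&gt;` — the browser decodes these back inside a textarea, so the editor still shows the raw wiki source. Since the expression now appears twice, a small helper such as `private static String escapeTextarea(String s) { return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;"); }` called from both sites would keep them consistent. Both hunks lie inside methods whose signatures are outside the shown lines.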
