xss protection

git-svn-id: https://svn.berlios.de/svnroot/repos/yacy/trunk@4772 6c8d7289-2bf4-0310-a012-ef5d649a1542
pull/1/head
lotus 17 years ago
parent b32736762c
commit 9bc56a9edc

@ -208,7 +208,7 @@ public final class Connections_p {
prop.putNum("list_" + idx + "_ms_duration", sessionTime);
}
prop.putHTML("list_" + idx + "_source",(seed!=null)?seed.getName()+".yacy":userAddress.getHostAddress()+":"+userPort);
prop.put("list_" + idx + "_dest",(dest==null)?"-":dest);
prop.putHTML("list_" + idx + "_dest",(dest==null)?"-":dest);
if (blockingRequest) {
prop.put("list_" + idx + "_running", "0");
prop.putNum("list_" + idx + "_running_reqNr", commandCount+1);

@ -142,7 +142,7 @@ public final class IndexTransfer_p {
try {
while ((hostName = (String) hostList.firstKey()) != null) {
prop.put("running_hosts_" + hc + "_hosthash", hostList.get(hostName));
prop.put("running_hosts_" + hc + "_hostname", /*seed.hash + " " +*/ hostName);
prop.putHTML("running_hosts_" + hc + "_hostname", /*seed.hash + " " +*/ hostName);
hc++;
hostList.remove(hostName);
}

@ -66,8 +66,8 @@ public class feed {
RSSMessage message = feed.getChannel();
if (message != null) {
prop.put("channel_title", message.getTitle());
prop.put("channel_description", message.getDescription());
prop.putHTML("channel_title", message.getTitle(), true);
prop.putHTML("channel_description", message.getDescription(), true);
prop.put("channel_pubDate", message.getPubDate());
}
while ((messageMaxCount > 0) && (feed.size() > 0)) {
@ -75,9 +75,9 @@ public class feed {
if (message == null) continue;
// create RSS entry
prop.putHTML("item_" + messageCount + "_title", channels[channelIndex] + ": " + message.getTitle());
prop.putHTML("item_" + messageCount + "_description", message.getDescription());
prop.putHTML("item_" + messageCount + "_link", message.getLink());
prop.putHTML("item_" + messageCount + "_title", channels[channelIndex] + ": " + message.getTitle(), true);
prop.putHTML("item_" + messageCount + "_description", message.getDescription(), true);
prop.putHTML("item_" + messageCount + "_link", message.getLink(), true);
prop.put("item_" + messageCount + "_pubDate", message.getPubDate());
prop.put("item_" + messageCount + "_guid", message.getGuid());
messageCount++;

@ -179,7 +179,7 @@ public class sidebar_navigation {
private static String navurla(int page, plasmaSearchQuery theQuery) {
return
"<a href=\"ysearch.html?search=" + theQuery.queryString() +
"<a href=\"ysearch.html?search=" + theQuery.queryString(true) +
"&amp;count="+ theQuery.displayResults() +
"&amp;offset=" + (page * theQuery.displayResults()) +
"&amp;resource=" + ((theQuery.isLocal()) ? "local" : "global") +
@ -187,7 +187,7 @@ public class sidebar_navigation {
"&amp;prefermaskfilter=" + theQuery.prefer +
"&amp;cat=href&amp;constraint=" + ((theQuery.constraint == null) ? "" : theQuery.constraint.exportB64()) +
"&amp;contentdom=" + theQuery.contentdom() +
"&amp;former=" + theQuery.queryString() + "\">";
"&amp;former=" + theQuery.queryString(true) + "\">";
}
private static void domzone(serverObjects prop, String zonename, int zonecount, plasmaSearchQuery theQuery) {

@ -416,7 +416,7 @@ public class yacysearch {
private static String navurla(int page, int display, plasmaSearchQuery theQuery) {
return
"<a href=\"yacysearch.html?display=" + display +
"&amp;search=" + theQuery.queryString() +
"&amp;search=" + theQuery.queryString(true) +
"&amp;count="+ theQuery.displayResults() +
"&amp;offset=" + (page * theQuery.displayResults()) +
"&amp;resource=" + ((theQuery.isLocal()) ? "local" : "global") +
@ -424,6 +424,6 @@ public class yacysearch {
"&amp;prefermaskfilter=" + theQuery.prefer +
"&amp;cat=href&amp;constraint=" + ((theQuery.constraint == null) ? "" : theQuery.constraint.exportB64()) +
"&amp;contentdom=" + theQuery.contentdom() +
"&amp;former=" + theQuery.queryString() + "\">";
"&amp;former=" + theQuery.queryString(true) + "\">";
}
}

@ -224,7 +224,8 @@ public class yacysearchitem {
((yacyURL.probablyRootURL(result.hash())) ? ", probablyRootURL" : "") +
(((wordURL = yacyURL.probablyWordURL(result.hash(), query[0])) != null) ? ", probablyWordURL=" + wordURL.toNormalform(false, true) : ""));
plasmaSnippetCache.TextSnippet snippet = result.textSnippet();
prop.putHTML("content_snippet", (snippet == null) ? "(snippet not found)" : snippet.getLineMarked(theQuery.queryHashes));
// TODO: check if tags are correctly stripped from snippet
prop.put("content_snippet", (snippet == null) ? "(snippet not found)" : snippet.getLineMarked(theQuery.queryHashes));
serverProfiling.update("SEARCH", new plasmaProfiling.searchEvent(theQuery.id(true), plasmaSearchEvent.FINALIZATION + "-" + item, 0, 0));
return prop;

@ -662,7 +662,7 @@ public final class httpdFileHandler {
// add the application version, the uptime and the client name to every rewrite table
tp.put(servletProperties.PEER_STAT_VERSION, switchboard.getConfig("version", ""));
tp.put(servletProperties.PEER_STAT_UPTIME, ((System.currentTimeMillis() - serverCore.startupTime) / 1000) / 60); // uptime in minutes
tp.put(servletProperties.PEER_STAT_CLIENTNAME, switchboard.getConfig("peerName", "anomic"));
tp.putHTML(servletProperties.PEER_STAT_CLIENTNAME, switchboard.getConfig("peerName", "anomic"));
tp.put(servletProperties.PEER_STAT_MYTIME, serverDate.formatShortSecond());
//System.out.println("respond props: " + ((tp == null) ? "null" : tp.toString())); // debug
} catch (InvocationTargetException e) {

@ -46,6 +46,7 @@ import java.util.Iterator;
import java.util.Set;
import java.util.TreeSet;
import de.anomic.data.htmlTools;
import de.anomic.htmlFilter.htmlFilterAbstractScraper;
import de.anomic.index.indexWord;
import de.anomic.kelondro.kelondroBase64Order;
@ -276,8 +277,12 @@ public final class plasmaSearchQuery {
return new TreeSet[]{query, exclude};
}
public String queryString() {
return this.queryString;
public String queryString(boolean encodeHTML) {
if(encodeHTML){
return htmlTools.encodeUnicode2html(this.queryString, true);
} else {
return this.queryString;
}
}
public TreeSet<String>[] queryWords() {

Loading…
Cancel
Save