From 9bc56a9edc0f7057c12a9af123670a243a02ad11 Mon Sep 17 00:00:00 2001
From: lotus
Date: Wed, 7 May 2008 16:37:13 +0000
Subject: [PATCH] xss protection

git-svn-id: https://svn.berlios.de/svnroot/repos/yacy/trunk@4772 6c8d7289-2bf4-0310-a012-ef5d649a1542
---
htroot/Connections_p.java | 2 +-
htroot/IndexTransfer_p.java | 2 +-
htroot/xml/feed.java | 10 +++++-----
htroot/yacy/user/sidebar_navigation.java | 4 ++--
htroot/yacysearch.java | 4 ++--
htroot/yacysearchitem.java | 3 ++-
source/de/anomic/http/httpdFileHandler.java | 2 +-
source/de/anomic/plasma/plasmaSearchQuery.java | 9 +++++++--
8 files changed, 21 insertions(+), 15 deletions(-)

diff --git a/htroot/Connections_p.java b/htroot/Connections_p.java
index bbbbd6a6e..b90bfb584 100644
--- a/htroot/Connections_p.java
+++ b/htroot/Connections_p.java
@@ -208,7 +208,7 @@ public final class Connections_p {
 prop.putNum("list_" + idx + "_ms_duration", sessionTime);
 }
 prop.putHTML("list_" + idx + "_source",(seed!=null)?seed.getName()+".yacy":userAddress.getHostAddress()+":"+userPort);
- prop.put("list_" + idx + "_dest",(dest==null)?"-":dest);
+ prop.putHTML("list_" + idx + "_dest",(dest==null)?"-":dest);
 if (blockingRequest) {
 prop.put("list_" + idx + "_running", "0");
 prop.putNum("list_" + idx + "_running_reqNr", commandCount+1);
diff --git a/htroot/IndexTransfer_p.java b/htroot/IndexTransfer_p.java
index a550ce360..440f9bc98 100644
--- a/htroot/IndexTransfer_p.java
+++ b/htroot/IndexTransfer_p.java
@@ -142,7 +142,7 @@ public final class IndexTransfer_p {
 try {
 while ((hostName = (String) hostList.firstKey()) != null) {
 prop.put("running_hosts_" + hc + "_hosthash", hostList.get(hostName));
- prop.put("running_hosts_" + hc + "_hostname", /*seed.hash + " " +*/ hostName);
+ prop.putHTML("running_hosts_" + hc + "_hostname", /*seed.hash + " " +*/ hostName);
 hc++;
 hostList.remove(hostName);
 }
diff --git a/htroot/xml/feed.java b/htroot/xml/feed.java
index 3eecc4758..854be72aa 100755
--- a/htroot/xml/feed.java
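Review bot: The `_hosthash` value written on the line just above the changed one is still emitted with plain `prop.put`, so only one of the two per-host fields produced by this loop is HTML-encoded. If `hostList.get(hostName)` can hold a string that arrived from a remote peer rather than a locally generated identifier, it deserves the same treatment, `prop.putHTML("running_hosts_" + hc + "_hosthash", ...)` (with a `String` conversion if the map value is not already one); if it is known to be a locally produced hash, a short comment on that line saying so would explain why the two lines differ. The try block and the loop begin inside the hunk, but the surrounding method continues outside it.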
+++ b/htroot/xml/feed.java
@@ -66,8 +66,8 @@ public class feed {
 RSSMessage message = feed.getChannel();
 if (message != null) {
- prop.put("channel_title", message.getTitle());
- prop.put("channel_description", message.getDescription());
+ prop.putHTML("channel_title", message.getTitle(), true);
+ prop.putHTML("channel_description", message.getDescription(), true);
 prop.put("channel_pubDate", message.getPubDate());
 }
 while ((messageMaxCount > 0) && (feed.size() > 0)) {
@@ -75,9 +75,9 @@ public class feed {
 if (message == null) continue;
 // create RSS entry
- prop.putHTML("item_" + messageCount + "_title", channels[channelIndex] + ": " + message.getTitle());
- prop.putHTML("item_" + messageCount + "_description", message.getDescription());
- prop.putHTML("item_" + messageCount + "_link", message.getLink());
+ prop.putHTML("item_" + messageCount + "_title", channels[channelIndex] + ": " + message.getTitle(), true);
+ prop.putHTML("item_" + messageCount + "_description", message.getDescription(), true);
+ prop.putHTML("item_" + messageCount + "_link", message.getLink(), true);
 prop.put("item_" + messageCount + "_pubDate", message.getPubDate());
 prop.put("item_" + messageCount + "_guid", message.getGuid());
 messageCount++;
diff --git a/htroot/yacy/user/sidebar_navigation.java b/htroot/yacy/user/sidebar_navigation.java
index 2ffc96188..bf5f0a997 100644
--- a/htroot/yacy/user/sidebar_navigation.java
+++ b/htroot/yacy/user/sidebar_navigation.java
@@ -179,7 +179,7 @@ public class sidebar_navigation {
 private static String navurla(int page, plasmaSearchQuery theQuery) {
 return
- "";
+ "&former=" + theQuery.queryString(true) + "\">";
 }
 private static void domzone(serverObjects prop, String zonename, int zonecount, plasmaSearchQuery theQuery) {
diff --git a/htroot/yacysearch.java b/htroot/yacysearch.java
index 2401fd135..b1e255d14 100644
--- a/htroot/yacysearch.java
+++ b/htroot/yacysearch.java
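Review bot: `message.getPubDate()` in the first feed.java hunk and `message.getPubDate()` / `message.getGuid()` in the second are still written with plain `prop.put`, while the title, description and link of the same `RSSMessage` now go through `putHTML(..., true)`. All of these fields come from the same parsed message, so if that message was read from a fetched remote feed the guid and date strings are just as attacker-influenced as the title and can break or inject markup into the generated XML; unless they are validated before reaching this point they should use the same call, e.g. `prop.putHTML("item_" + messageCount + "_guid", message.getGuid(), true);` and likewise for the two `pubDate` keys. The third `true` argument is presumably what makes the encoding safe for XML output rather than HTML; a one-line comment at its first use naming what it selects would spare the next reader a lookup. The while loop of the second hunk continues outside the hunk.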
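Review bot: `theQuery.queryString(true)` HTML-encodes the query before it is concatenated into the `former=` parameter of an href, but that value is a URL query component, and HTML entity encoding leaves `#`, `%`, `+`, `?` and spaces untouched, so a query containing them can be cut off or re-parsed differently on the next request; entity encoding alone is the wrong layer for a URL. The usual order is to URL-encode the raw string first and then HTML-encode the result for the attribute, e.g. `"&former=" + htmlTools.encodeUnicode2html(URLEncoder.encode(theQuery.queryString(false), "UTF-8"), true) + "\">"` (importing `de.anomic.data.htmlTools` as the plasmaSearchQuery hunk does; `URLEncoder.encode` declares `UnsupportedEncodingException`, which needs handling or a small helper). The same applies to the `navurla` hunk in yacysearch.java. In this copy of the patch the removed line and the start of the href string appear truncated, so the exact surrounding concatenation could not be checked.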
@@ -416,7 +416,7 @@ public class yacysearch {
 private static String navurla(int page, int display, plasmaSearchQuery theQuery) {
 return "";
+ "&former=" + theQuery.queryString(true) + "\">";
 }
 }
diff --git a/htroot/yacysearchitem.java b/htroot/yacysearchitem.java
index b2e39bcdf..77846b2d7 100644
--- a/htroot/yacysearchitem.java
+++ b/htroot/yacysearchitem.java
@@ -224,7 +224,8 @@ public class yacysearchitem {
 ((yacyURL.probablyRootURL(result.hash())) ? ", probablyRootURL" : "") + (((wordURL = yacyURL.probablyWordURL(result.hash(), query[0])) != null) ? ", probablyWordURL=" + wordURL.toNormalform(false, true) : ""));
 plasmaSnippetCache.TextSnippet snippet = result.textSnippet();
- prop.putHTML("content_snippet", (snippet == null) ? "(snippet not found)" : snippet.getLineMarked(theQuery.queryHashes));
+ // TODO: check if tags are correctly stripped from snippet
+ prop.put("content_snippet", (snippet == null) ? "(snippet not found)" : snippet.getLineMarked(theQuery.queryHashes));
 serverProfiling.update("SEARCH", new plasmaProfiling.searchEvent(theQuery.id(true), plasmaSearchEvent.FINALIZATION + "-" + item, 0, 0));
 return prop;
diff --git a/source/de/anomic/http/httpdFileHandler.java b/source/de/anomic/http/httpdFileHandler.java
index 05d3cf288..64c3157de 100644
--- a/source/de/anomic/http/httpdFileHandler.java
+++ b/source/de/anomic/http/httpdFileHandler.java
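Review bot: Switching `content_snippet` from `putHTML` to `put` removes the only encoding applied to text that originates from crawled remote pages, and the new `// TODO: check if tags are correctly stripped from snippet` comment records that the replacement protection is unverified, so this hunk weakens exactly what the commit title promises. Presumably `getLineMarked` returns the snippet with its own markup around the matched words, which is why encoding the whole string was unwanted; the robust fix is to entity-encode the snippet text before the marking tags are inserted (inside `getLineMarked`, or by marking an already-encoded line) rather than to trust an upstream tag strip. Until that is in place the line should stay `prop.putHTML("content_snippet", ...)` even at the cost of visible marking tags, or the TODO should be turned into a test that feeds a snippet containing a `<script>` element through `getLineMarked` and asserts it comes out encoded. The enclosing method starts and ends outside the hunk.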
@@ -662,7 +662,7 @@ public final class httpdFileHandler {
 // add the application version, the uptime and the client name to every rewrite table
 tp.put(servletProperties.PEER_STAT_VERSION, switchboard.getConfig("version", ""));
 tp.put(servletProperties.PEER_STAT_UPTIME, ((System.currentTimeMillis() - serverCore.startupTime) / 1000) / 60); // uptime in minutes
- tp.put(servletProperties.PEER_STAT_CLIENTNAME, switchboard.getConfig("peerName", "anomic"));
+ tp.putHTML(servletProperties.PEER_STAT_CLIENTNAME, switchboard.getConfig("peerName", "anomic"));
 tp.put(servletProperties.PEER_STAT_MYTIME, serverDate.formatShortSecond());
 //System.out.println("respond props: " + ((tp == null) ? "null" : tp.toString())); // debug
 } catch (InvocationTargetException e) {
diff --git a/source/de/anomic/plasma/plasmaSearchQuery.java b/source/de/anomic/plasma/plasmaSearchQuery.java
index 4f1c74aea..c21e5f28b 100644
--- a/source/de/anomic/plasma/plasmaSearchQuery.java
+++ b/source/de/anomic/plasma/plasmaSearchQuery.java
@@ -46,6 +46,7 @@ import java.util.Iterator;
 import java.util.Set;
 import java.util.TreeSet;
+import de.anomic.data.htmlTools;
 import de.anomic.htmlFilter.htmlFilterAbstractScraper;
 import de.anomic.index.indexWord;
 import de.anomic.kelondro.kelondroBase64Order;
@@ -276,8 +277,12 @@ public final class plasmaSearchQuery {
 return new TreeSet[]{query, exclude};
 }
- public String queryString() {
- return this.queryString;
+ public String queryString(boolean encodeHTML) {
+ if(encodeHTML){
+ return htmlTools.encodeUnicode2html(this.queryString, true);
+ } else {
+ return this.queryString;
+ }
 }
 public TreeSet[] queryWords() {
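Review bot: The two-argument `tp.putHTML` on the changed line feeds the peer name into every rewrite table, as the comment above it says, which includes templates that produce XML or RSS rather than HTML; the feed.java hunks in this same commit pass a third `true` argument to `putHTML` for exactly those outputs, so if that flag selects XML-safe numeric entities, the call here may emit named entities that are invalid in an XML document built from the same properties. Worth confirming what the two-argument overload produces and recording the decision on the line, e.g. `// peerName is admin-configured but rendered into every template, so encode it`. The `version` value two lines above is still written with plain `put`; it is presumably not user-editable, but a short comment saying so would justify the asymmetry. The enclosing try block starts outside the hunk.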
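Review bot: The new `queryString(boolean encodeHTML)` carries no Javadoc, and its name no longer tells a caller that the returned string may be entity-encoded; that matters because HTML encoding is only correct for HTML body or attribute context, and the callers changed in this commit (`navurla` in sidebar_navigation.java and yacysearch.java) pass `true` while assembling a URL. A Javadoc block stating that `true` returns the query passed through `htmlTools.encodeUnicode2html` for direct insertion into HTML output, that `false` returns the raw user input, and what the second `true` argument to `encodeUnicode2html` selects, would make the contract explicit. Style: the body is a one-line conditional, `return encodeHTML ? htmlTools.encodeUnicode2html(this.queryString, true) : this.queryString;`, and `if(encodeHTML){` lacks the usual spacing (`if (encodeHTML) {`). Replacing the no-argument `queryString()` rather than overloading it also forces every caller in the tree to change; keeping `public String queryString() { return queryString(false); }` would preserve source compatibility for callers not touched by this patch.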