From ff86cb683ffbbc19b407dcbf82a2505bc186306f Mon Sep 17 00:00:00 2001
From: orbiter
Date: Sat, 16 Nov 2013 20:34:31 +0100
Subject: [PATCH] fixed some XSS bugs reported by Marius from http://ctf365.com/

---
 htroot/User.java | 4 ++--
 htroot/ViewProfile.java | 2 +-
 source/net/yacy/server/http/HTTPDFileHandler.java | 3 ++-
 3 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/htroot/User.java b/htroot/User.java
index 6d2ae091d..85f99e42c 100644
--- a/htroot/User.java
+++ b/htroot/User.java
@@ -96,7 +96,7 @@ public class User{
 prop.putHTML("logged-in_returnto", post.get("returnto"));
 final String username=post.get("username");
 final String password=post.get("password");
- prop.put("logged-in_username", username);
+ prop.putHTML("logged-in_username", username);
 entry=sb.userDB.passwordAuth(username, password);
 final boolean staticAdmin = sb.getConfig(SwitchboardConstants.ADMIN_ACCOUNT_B64MD5, "").equals(
@@ -160,7 +160,7 @@ public class User{
 prop.authenticationRequired();
 }
 if(post.containsKey("returnto")){
- prop.put(serverObjects.ACTION_LOCATION, post.get("returnto"));
+ prop.putHTML(serverObjects.ACTION_LOCATION, post.get("returnto"));
 }
 }
 // return rewrite properties
diff --git a/htroot/ViewProfile.java b/htroot/ViewProfile.java
index 1ccec60b9..716c0d32f 100644
--- a/htroot/ViewProfile.java
+++ b/htroot/ViewProfile.java
@@ -69,7 +69,7 @@ public class ViewProfile {
 prop.put("success", "0");
 return prop;
 }
- prop.put("hash", hash);
+ prop.putHTML("hash", hash);
 // get the profile
 Map profile = null;
diff --git a/source/net/yacy/server/http/HTTPDFileHandler.java b/source/net/yacy/server/http/HTTPDFileHandler.java
index 86179c8e2..b2d39b1e6 100644
--- a/source/net/yacy/server/http/HTTPDFileHandler.java
+++ b/source/net/yacy/server/http/HTTPDFileHandler.java
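Review bot: `putHTML` is the wrong encoder for `serverObjects.ACTION_LOCATION` in the second User.java hunk: if that property is emitted as the redirect target (a Location header, as the constant's name suggests), HTML entity encoding does nothing against an attacker-supplied absolute URL in `returnto`, and it turns `&` in a query string into `&amp;`, so legitimate multi-parameter return paths break. An open redirect is closed by validation, not escaping: accept `returnto` only when it is a local relative path and otherwise drop it, e.g. `final String returnto = post.get("returnto");` followed by `if (returnto.startsWith("/") && !returnto.startsWith("//") && returnto.indexOf('\r') < 0 && returnto.indexOf('\n') < 0) prop.put(serverObjects.ACTION_LOCATION, returnto);`. The `putHTML` on `logged-in_returnto` and `logged-in_username` in the first hunk is the right encoder, since those values are rendered into the page body. The enclosing method begins and ends outside both hunks, so I cannot see whether `returnto` is already validated earlier.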
@@ -109,6 +109,7 @@ import net.yacy.cora.util.ConcurrentLog;
 import net.yacy.cora.util.NumberTools;
 import net.yacy.data.UserDB;
 import net.yacy.document.parser.htmlParser;
+import net.yacy.document.parser.html.CharacterCoding;
 import net.yacy.document.parser.html.ContentScraper;
 import net.yacy.document.parser.html.ScraperInputStream;
 import net.yacy.kelondro.util.FileUtils;
@@ -484,7 +485,7 @@ public final class HTTPDFileHandler {
 //no defaultfile, send a dirlisting
 if (targetFile == null || !targetFile.exists() || (targetFile.exists() && targetFile.isDirectory())) {
 final StringBuilder aBuffer = new StringBuilder();
- aBuffer.append("\n\n\n\n

Index of " + path + "

\n