Commit 708ef85d authored by Dave Cridland

Merge pull request #446 from surevine/reflected-xss

Reflected XSS Issues in Admin Console
parents 8bb250ef c784a6f2
...@@ -15,6 +15,7 @@ ...@@ -15,6 +15,7 @@
<%@ taglib uri="admin" prefix="admin" %> <%@ taglib uri="admin" prefix="admin" %>
<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %> <%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
<%@ taglib uri="http://java.sun.com/jsp/jstl/fmt" prefix="fmt" %> <%@ taglib uri="http://java.sun.com/jsp/jstl/fmt" prefix="fmt" %>
<%@ taglib uri="http://java.sun.com/jsp/jstl/functions" prefix="fn" %>
<jsp:useBean id="webManager" class="org.jivesoftware.util.WebManager" /> <jsp:useBean id="webManager" class="org.jivesoftware.util.WebManager" />
<% webManager.init(request, response, session, application, out ); %> <% webManager.init(request, response, session, application, out ); %>
<% <%
...@@ -503,7 +504,7 @@ ...@@ -503,7 +504,7 @@
<tr valign="top"> <tr valign="top">
<td colspan="2"> <td colspan="2">
<label for="defaultSecret"><fmt:message key="component.settings.defaultSecret" /></label>&nbsp; <label for="defaultSecret"><fmt:message key="component.settings.defaultSecret" /></label>&nbsp;
<input type="text" size="15" maxlength="70" name="defaultSecret" id="defaultSecret" value="${defaultSecret}"/> <input type="text" size="15" maxlength="70" name="defaultSecret" id="defaultSecret" value="${fn:escapeXml(defaultSecret)}"/>
</td> </td>
</tr> </tr>
...@@ -574,13 +575,13 @@ ...@@ -574,13 +575,13 @@
<label for="componentAllowedSubdomain"><fmt:message key="component.settings.subdomain" /></label> <label for="componentAllowedSubdomain"><fmt:message key="component.settings.subdomain" /></label>
</td> </td>
<td> <td>
<input type="text" size="40" name="subdomain" id="componentAllowedSubdomain" value="${param.containsKey('componentAllowed') and not empty errors ? param[ 'subdomain' ] : ''}"/> <input type="text" size="40" name="subdomain" id="componentAllowedSubdomain" value="${fn:escapeXml(param.containsKey('componentAllowed') and not empty errors ? param[ 'subdomain' ] : '')}"/>
</td> </td>
<td nowrap width="1%"> <td nowrap width="1%">
<label for="componentAllowedSecret"><fmt:message key="component.settings.secret" /></label> <label for="componentAllowedSecret"><fmt:message key="component.settings.secret" /></label>
</td> </td>
<td> <td>
<input type="text" size="15" name="secret" id="componentAllowedSecret" value="${param.containsKey('componentAllowed') and not empty errors ? param[ 'secret' ] : ''}"/> <input type="text" size="15" name="secret" id="componentAllowedSecret" value="${fn:escapeXml(param.containsKey('componentAllowed') and not empty errors ? param[ 'secret' ] : '')}"/>
</td> </td>
</tr> </tr>
<tr align="center"> <tr align="center">
......
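Review bot: The `fn:escapeXml(...)` wrappers on the defaultSecret, subdomain and secret `value` attributes are sufficient for their context, because every one of those values sits inside a double-quoted attribute and JSTL's escapeXml encodes `<`, `>`, `&`, `'` and `"`. The more idiomatic JSTL form is `value="<c:out value="${defaultSecret}"/>"`, which escapes by default rather than relying on each author to remember the function call, but the explicit form used here is acceptable and the `fn` taglib added in the first hunk is the only declaration these calls need. Separately, the defaultSecret line still renders the shared secret on screen in an `<input type="text">`; `type="password" autocomplete="off"` would be the usual treatment for a secret that is echoed back into a form, which is outside what this commit set out to fix but is worth a follow-up.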
...@@ -525,11 +525,11 @@ ...@@ -525,11 +525,11 @@
</tr> </tr>
<tr> <tr>
<td><fmt:message key="muc.room.edit.form.required_password" />:</td> <td><fmt:message key="muc.room.edit.form.required_password" />:</td>
<td><input type="password" name="roomconfig_roomsecret" <% if(password != null) { %> value="<%= password %>" <% } %>></td> <td><input type="password" name="roomconfig_roomsecret" <% if(password != null) { %> value="<%= (password == null ? "" : StringUtils.escapeForXML(password)) %>" <% } %>></td>
</tr> </tr>
<tr> <tr>
<td><fmt:message key="muc.room.edit.form.confirm_password" />:</td> <td><fmt:message key="muc.room.edit.form.confirm_password" />:</td>
<td><input type="password" name="roomconfig_roomsecret2" <% if(confirmPassword != null) { %> value="<%= confirmPassword %>" <% } %>> <td><input type="password" name="roomconfig_roomsecret2" <% if(confirmPassword != null) { %> value="<%= (confirmPassword == null ? "" : StringUtils.escapeForXML(confirmPassword)) %>" <% } %>>
</td> </td>
</tr> </tr>
<tr> <tr>
......
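Review bot: The inner null check in `(password == null ? "" : StringUtils.escapeForXML(password))` is dead code, because the whole `value` attribute is only emitted inside `<% if(password != null) { %>`; the roomconfig_roomsecret2 line has the same redundant guard on confirmPassword. Simplifying both to the shape `value="<%= StringUtils.escapeForXML(password) %>"` keeps the escaping and removes a misleading double guard. Since the output is a double-quoted attribute, the fix depends on `escapeForXML` encoding `"` as well as `<`, `>` and `&` — worth confirming against the utility's implementation, because an unescaped quote would let the value break out of the attribute. The page's import of `StringUtils` is outside the hunk, so whether it is already in scope cannot be seen here.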