Security-related fix (OF-90)

git-svn-id: http://svn.igniterealtime.org/svn/repos/openfire/trunk@11513 b35dd754-fafc-0310-a699-88a17e54d16e

src/java/org/jivesoftware/util/StringUtils.java

@@ -1103,4 +1103,26 @@ public class StringUtils {
             return false;
         }
     }
+    
+    /**
+	 * Removes characters likely to enable Cross Site Scripting attacks from the
+	 * provided input string. The characters that are removed from the input
+	 * string, if present, are:
+	 * 
+	 * <pre>
+	 * &lt; &gt; &quot; ' % ; ) ( &amp; + -
+	 * </pre>
+	 * 
+	 * @param string
+	 *            input
+	 * @return Input without certain characters;
+	 */
+	public static String removeXSSCharacters(String input) {
+		final String[] xss = { "<", ">", "\"", "'", "%", ";", ")", "(", "&",
+				"+", "-" };
+		for (int i = 0; i < xss.length; i++) {
+			input = input.replace(xss[i], "");
+		}
+		return input;
+	}
 }
\ No newline at end of file

src/web/login.jsp

@@ -240,7 +240,7 @@
                             </tr>
                         <%  } %>
                         <tr>
-                            <td><input type="text" name="username" size="15" maxlength="50" id="u01" value="<%= (username != null ? username : "") %>"></td>
+                            <td><input type="text" name="username" size="15" maxlength="50" id="u01" value="<%= (username != null ? StringUtils.removeXSSCharacters(username) : "") %>"></td>
                             <td><input type="password" name="password" size="15" maxlength="50" id="p01"></td>
                             <td align="center"><input type="submit" value="&nbsp; <fmt:message key="login.login" /> &nbsp;"></td>
                         </tr>