Commit ed3492a2 authored by Sven Tantau's avatar Sven Tantau

xss filter

parent 1e103cc3
......@@ -17,9 +17,10 @@
--%>
<%@ page import="org.jivesoftware.util.ParamUtils,
org.jivesoftware.openfire.XMPPServer,
org.jivesoftware.openfire.audit.AuditManager,
org.jivesoftware.openfire.XMPPServer,
org.jivesoftware.openfire.audit.AuditManager,
org.jivesoftware.openfire.user.UserNotFoundException,
org.jivesoftware.util.StringUtils,
org.xmpp.packet.JID,
java.io.File"
errorPage="error.jsp"
......@@ -226,7 +227,7 @@
</td>
<td width="99%">
<input type="text" size="50" maxlength="150" name="logDir"
value="<%= ((logDir != null) ? logDir : "") %>">
value="<%= ((logDir != null) ? StringUtils.escapeForXML(logDir) : "") %>">
<% if (errors.get("logDir") != null) { %>
......@@ -361,7 +362,7 @@
<fmt:message key="audit.policy.ignore" />
</td>
<td width="99%">
<textarea name="ignore" cols="40" rows="3" wrap="virtual"><%= ((ignore != null) ? ignore : "") %></textarea>
<textarea name="ignore" cols="40" rows="3" wrap="virtual"><%= ((ignore != null) ? StringUtils.escapeHTMLTags(ignore) : "") %></textarea>
<% if (errors.get("ignore") != null) { %>
<span class="jive-error-text">
......@@ -393,4 +394,4 @@
</body>
</html>
\ No newline at end of file
</html>
......@@ -15,7 +15,8 @@
<%@ page errorPage="error.jsp" import="org.jivesoftware.util.ByteFormat,
org.jivesoftware.util.Version,
org.jivesoftware.openfire.XMPPServer,
org.jivesoftware.openfire.container.Plugin"
org.jivesoftware.openfire.container.Plugin,
org.jivesoftware.util.StringUtils"
%>
<%@ page import="org.jivesoftware.openfire.container.PluginManager" %>
<%@ page import="org.jivesoftware.openfire.update.AvailablePlugin" %>
......@@ -284,38 +285,38 @@
<tr id="<%= plugin.hashCode()%>">
<td width="1%" class="line-bottom-border">
<% if (plugin.getIcon() != null) { %>
<img src="<%= plugin.getIcon() %>" width="16" height="16" alt="Plugin">
<img src="<%= StringUtils.escapeForXML(plugin.getIcon()) %>" width="16" height="16" alt="Plugin">
<% }
else { %>
<img src="images/plugin-16x16.gif" width="16" height="16" alt="Plugin">
<% } %>
</td>
<td width="20%" nowrap class="line-bottom-border">
<%= (pluginName != null ? pluginName : "") %> &nbsp;
<%= (pluginName != null ? StringUtils.escapeHTMLTags(pluginName) : "") %> &nbsp;
</td>
<td nowrap valign="top" class="line-bottom-border">
<% if (plugin.getReadme() != null) { %>
<a href="<%= plugin.getReadme() %>"
<a href="<%= StringUtils.escapeForXML(plugin.getReadme()) %>"
><img src="images/doc-readme-16x16.gif" width="16" height="16" border="0" alt="README"></a>
<% }
else { %> &nbsp; <% } %>
<% if (plugin.getChangelog() != null) { %>
<a href="<%= plugin.getChangelog() %>"
<a href="<%= StringUtils.escapeForXML(plugin.getChangelog()) %>"
><img src="images/doc-changelog-16x16.gif" width="16" height="16" border="0" alt="changelog"></a>
<% }
else { %> &nbsp; <% } %>
</td>
<td width="60%" class="line-bottom-border">
<%= pluginDescription != null ? pluginDescription : "" %>
<%= pluginDescription != null ? StringUtils.escapeHTMLTags(pluginDescription) : "" %>
</td>
<td width="5%" align="center" valign="top" class="line-bottom-border">
<%= pluginVersion != null ? pluginVersion : "" %>
<%= pluginVersion != null ? StringUtils.escapeHTMLTags(pluginVersion) : "" %>
</td>
<td width="15%" nowrap valign="top" class="line-bottom-border">
<%= pluginAuthor != null ? pluginAuthor : "" %> &nbsp;
<%= pluginAuthor != null ? StringUtils.escapeHTMLTags(pluginAuthor) : "" %> &nbsp;
</td>
<td width="15%" nowrap valign="top" class="line-bottom-border" align="right">
<%= fileSize %>
<%= StringUtils.escapeHTMLTags(fileSize) %>
</td>
<td width="1%" align="center" valign="top" class="line-bottom-border">
<%
......@@ -328,7 +329,7 @@
<%
%>
<a href="javascript:downloadPlugin('<%=updateURL%>', '<%= plugin.hashCode()%>')"><span id="<%= plugin.hashCode() %>-image"><img src="images/add-16x16.gif" width="16" height="16" border="0"
<a href="javascript:downloadPlugin('<%=StringUtils.escapeForXML(updateURL)%>', '<%= plugin.hashCode()%>')"><span id="<%= plugin.hashCode() %>-image"><img src="images/add-16x16.gif" width="16" height="16" border="0"
alt="<fmt:message key="plugin.available.download" />"></span></a>
<% } %>
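Review bot: `StringUtils.escapeForXML(updateURL)` is the wrong encoder for where the value lands, a single-quoted JavaScript string inside a `javascript:` href. The browser decodes character references in the attribute before the script is evaluated, so a quote or backslash in `updateURL` can still end the string literal; the same line appears in the `@@ -409,16 +410,16 @@` hunk. Carrying the URL in an attribute and reading it from the handler avoids the nested context, e.g. `data-url="<%= StringUtils.escapeForXML(updateURL) %>"` on the link. Where `updateURL` is assigned is outside the visible hunks, so how much of it a remote party controls needs confirming.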
......@@ -336,9 +337,9 @@
</tr>
<tr id="<%= plugin.hashCode()%>-row" style="display:none;background: #E7FBDE;">
<td width="1%" class="line-bottom-border">
<img src="<%= plugin.getIcon()%>" width="16" height="16" alt=""/>
<img src="<%= StringUtils.escapeForXML(plugin.getIcon())%>" width="16" height="16" alt=""/>
</td>
<td colspan="6" nowrap class="line-bottom-border"><%= plugin.getName()%> <fmt:message key="plugin.available.installation.success" /></td>
<td colspan="6" nowrap class="line-bottom-border"><%= StringUtils.escapeHTMLTags(plugin.getName())%> <fmt:message key="plugin.available.installation.success" /></td>
<td class="line-bottom-border" align="center">
<img src="images/success-16x16.gif" height="16" width="16" alt=""/>
</td>
......@@ -367,38 +368,38 @@
<tr id="<%= plugin.hashCode()%>">
<td width="1%" class="line-bottom-border">
<% if (plugin.getIcon() != null) { %>
<img src="<%= plugin.getIcon() %>" width="16" height="16" alt="Plugin">
<img src="<%= StringUtils.escapeForXML(plugin.getIcon()) %>" width="16" height="16" alt="Plugin">
<% }
else { %>
<img src="images/plugin-16x16.gif" width="16" height="16" alt="Plugin">
<% } %>
</td>
<td width="20%" nowrap class="line-bottom-border">
<%= (pluginName != null ? pluginName : "") %> &nbsp;
<%= (pluginName != null ? StringUtils.escapeHTMLTags(pluginName) : "") %> &nbsp;
</td>
<td nowrap valign="top" class="line-bottom-border">
<% if (plugin.getReadme() != null) { %>
<a href="<%= plugin.getReadme() %>"
<a href="<%= StringUtils.escapeForXML(plugin.getReadme()) %>"
><img src="images/doc-readme-16x16.gif" width="16" height="16" border="0" alt="README"></a>
<% }
else { %> &nbsp; <% } %>
<% if (plugin.getChangelog() != null) { %>
<a href="<%= plugin.getChangelog() %>"
<a href="<%= StringUtils.escapeForXML(plugin.getChangelog()) %>"
><img src="images/doc-changelog-16x16.gif" width="16" height="16" border="0" alt="changelog"></a>
<% }
else { %> &nbsp; <% } %>
</td>
<td width="60%" class="line-bottom-border">
<%= pluginDescription != null ? pluginDescription : "" %>
<%= pluginDescription != null ? StringUtils.escapeHTMLTags(pluginDescription) : "" %>
</td>
<td width="5%" align="center" valign="top" class="line-bottom-border">
<%= pluginVersion != null ? pluginVersion : "" %>
<%= pluginVersion != null ? StringUtils.escapeHTMLTags(pluginVersion) : "" %>
</td>
<td width="15%" nowrap valign="top" class="line-bottom-border">
<%= pluginAuthor != null ? pluginAuthor : "" %> &nbsp;
<%= pluginAuthor != null ? StringUtils.escapeHTMLTags(pluginAuthor) : "" %> &nbsp;
</td>
<td width="15%" nowrap valign="top" class="line-bottom-border">
<%= fileSize %>
<%= StringUtils.escapeHTMLTags(fileSize) %>
</td>
<td width="1%" align="center" valign="top" class="line-bottom-border">
<%
......@@ -409,16 +410,16 @@
<% }
else { %>
<span id="<%= plugin.hashCode() %>-image"><a href="javascript:downloadPlugin('<%=updateURL%>', '<%= plugin.hashCode()%>')"><img src="images/add-16x16.gif" width="16" height="16" border="0"
<span id="<%= plugin.hashCode() %>-image"><a href="javascript:downloadPlugin('<%=StringUtils.escapeForXML(updateURL) %>', '<%= plugin.hashCode() %>')"><img src="images/add-16x16.gif" width="16" height="16" border="0"
alt="<fmt:message key="plugin.available.download" />"></a></span>
<% } %>
</td>
</tr>
<tr id="<%= plugin.hashCode()%>-row" style="display:none;background: #E7FBDE;">
<td width="1%" class="line-bottom-border">
<img src="<%= plugin.getIcon()%>" width="16" height="16" alt=""/>
<img src="<%= StringUtils.escapeForXML(plugin.getIcon())%>" width="16" height="16" alt=""/>
</td>
<td colspan="6" nowrap class="line-bottom-border"><%= plugin.getName()%> <fmt:message key="plugin.available.installation.success" /></td>
<td colspan="6" nowrap class="line-bottom-border"><%= StringUtils.escapeHTMLTags(plugin.getName())%> <fmt:message key="plugin.available.installation.success" /></td>
<td class="line-bottom-border" align="center">
<img src="images/success-16x16.gif" height="16" width="16" alt=""/>
</td>
......@@ -493,13 +494,13 @@
else { %> &nbsp; <% } %></p>
</td>
<td class="line-bottom-border">
<%= pluginDescription %>
<%= StringUtils.escapeHTMLTags(pluginDescription) %>
</td>
<td class="line-bottom-border">
<%= pluginVersion%>
<%= StringUtils.escapeHTMLTags(pluginVersion) %>
</td>
<td class="line-bottom-border">
<%= pluginAuthor%>
<%= StringUtils.escapeHTMLTags(pluginAuthor) %>
</td>
</tr>
<% }%>
......@@ -529,4 +530,4 @@
<% } %>
</body>
</html>
\ No newline at end of file
</html>
......@@ -20,6 +20,7 @@
<%@ page import="org.jivesoftware.openfire.clearspace.ClearspaceManager" %>
<%@ page import="org.jivesoftware.openfire.session.ComponentSession" %>
<%@ page import="org.jivesoftware.util.JiveGlobals" %>
<%@ page import="org.jivesoftware.util.StringUtils" %>
<%@ page import="java.text.NumberFormat" %>
<%@ page import="java.util.Collection" %>
<%@ page import="java.util.Date" %>
......@@ -189,17 +190,17 @@
<fmt:message key="clearspace.status.connected.table.label.hostname" />
</td>
<td>
<%= cs.getHostAddress() %>
<%= StringUtils.escapeHTMLTags(cs.getHostAddress()) %>
/
<%= cs.getHostName() %>
<%= StringUtils.escapeHTMLTags(cs.getHostName()) %>
</td>
</tr>
<% } else { %>
<tr>
<td>
<%= cs.getHostAddress() %>
<%= StringUtils.escapeHTMLTags(cs.getHostAddress()) %>
/
<%= cs.getHostName() %>
<%= StringUtils.escapeHTMLTags(cs.getHostName()) %>
</td>
</tr>
<% } %>
......@@ -268,4 +269,4 @@
<% } %>
</body>
</html>
\ No newline at end of file
</html>
......@@ -21,6 +21,7 @@
<%@ page import="org.jivesoftware.openfire.SessionManager,
org.jivesoftware.openfire.session.ComponentSession,
org.jivesoftware.util.JiveGlobals,
org.jivesoftware.util.StringUtils,
org.jivesoftware.util.ParamUtils"
errorPage="error.jsp"
%>
......@@ -86,7 +87,7 @@
<fmt:message key="component.session.label.name" />
</td>
<td>
<%= componentSession.getExternalComponent().getName() %>
<%= StringUtils.escapeHTMLTags(componentSession.getExternalComponent().getName()) %>
</td>
</tr>
<tr>
......@@ -94,7 +95,7 @@
<fmt:message key="component.session.label.category" />:
</td>
<td>
<%= componentSession.getExternalComponent().getCategory() %>
<%= StringUtils.escapeHTMLTags(componentSession.getExternalComponent().getCategory()) %>
</td>
</tr>
<tr>
......@@ -117,7 +118,7 @@
<% }
}
%>
<%= componentSession.getExternalComponent().getType() %>
<%= StringUtils.escapeHTMLTags(componentSession.getExternalComponent().getType()) %>
</td>
</tr>
<tr>
......@@ -150,9 +151,9 @@
<fmt:message key="session.details.hostname" />
</td>
<td>
<%= componentSession.getHostAddress() %>
<%= StringUtils.escapeHTMLTags(componentSession.getHostAddress()) %>
/
<%= componentSession.getHostName() %>
<%= StringUtils.escapeHTMLTags(componentSession.getHostName()) %>
</td>
</tr>
</tbody>
......@@ -167,4 +168,4 @@
</form>
</body>
</html>
\ No newline at end of file
</html>
......@@ -22,6 +22,7 @@
org.jivesoftware.openfire.session.ComponentSession,
org.jivesoftware.openfire.session.Session,
org.jivesoftware.util.JiveGlobals,
org.jivesoftware.util.StringUtils,
org.jivesoftware.util.ParamUtils,
java.net.URLEncoder"
errorPage="error.jsp"
......@@ -187,10 +188,10 @@
<a href="component-session-details.jsp?jid=<%= URLEncoder.encode(componentSession.getAddress().toString(), "UTF-8") %>" title="<fmt:message key="session.row.cliked" />"><%= componentSession.getAddress() %></a>
</td>
<td align="center" width="15%" nowrap>
<%= componentSession.getExternalComponent().getName() %>
<%= StringUtils.escapeHTMLTags(componentSession.getExternalComponent().getName()) %>
</td>
<td align="center" width="10%" nowrap>
<%= componentSession.getExternalComponent().getCategory() %>
<%= StringUtils.escapeHTMLTags(componentSession.getExternalComponent().getCategory()) %>
</td>
<td align="center" width="10%" nowrap>
<table border="0">
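Review bot: The link text `<%= componentSession.getAddress() %>` on the first line of this hunk is still printed without escaping, while the name and category cells below it now go through `escapeHTMLTags`. The commit escapes other JIDs before display (for example `room.getJID().toBareJID()`), so for consistency this could become `<%= StringUtils.escapeHTMLTags(componentSession.getAddress().toString()) %>`. Whether a component address can carry markup characters is not visible here.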
......@@ -218,7 +219,7 @@
<% }
}
%>
<td><%= componentSession.getExternalComponent().getType() %></td>
<td><%= StringUtils.escapeHTMLTags(componentSession.getExternalComponent().getType()) %></td>
</tr></table>
</td>
<% Date creationDate = componentSession.getCreationDate();
......@@ -279,4 +280,4 @@
</p>
</body>
</html>
\ No newline at end of file
</html>
......@@ -7,6 +7,7 @@
<%@ page import="java.io.*,
org.jivesoftware.util.ParamUtils,
org.jivesoftware.util.JiveGlobals,
org.jivesoftware.util.StringUtils,
org.jivesoftware.openfire.auth.UnauthorizedException,
org.jivesoftware.openfire.user.UserNotFoundException,
org.jivesoftware.openfire.group.GroupNotFoundException"
......@@ -54,7 +55,7 @@
%>
<fmt:message key="error.exception" />
<pre>
<%= sout.toString() %>
<%= StringUtils.escapeHTMLTags(sout.toString()) %>
</pre>
<% } %>
\ No newline at end of file
<% } %>
......@@ -25,8 +25,10 @@
org.jivesoftware.openfire.component.ExternalComponentConfiguration,
org.jivesoftware.openfire.component.ExternalComponentManager,
org.jivesoftware.util.ModificationNotAllowedException,
org.jivesoftware.util.StringUtils,
org.jivesoftware.util.ParamUtils,
java.util.Collection"
java.util.Collection,
java.net.URLEncoder"
errorPage="error.jsp"
%>
<%@ page import="java.util.HashMap" %>
......@@ -243,7 +245,7 @@
<tr>
<td class="jive-icon"><img src="images/error-16x16.gif" width="16" height="16" border="0" alt=""/></td>
<td class="jive-icon-label">
<fmt:message key="component.settings.modification.denied" /> <%= operationFailedDetail != null ? operationFailedDetail : ""%>
<fmt:message key="component.settings.modification.denied" /> <%= operationFailedDetail != null ? StringUtils.escapeHTMLTags(operationFailedDetail) : ""%>
</td>
</tr>
</tbody>
......@@ -328,7 +330,7 @@
</td>
<td width="99%">
<input type="text" size="15" maxlength="70" name="defaultSecret"
value="<%= ((defaultSecret != null) ? defaultSecret : "") %>">
value="<%= ((defaultSecret != null) ? StringUtils.escapeForXML(defaultSecret) : "") %>">
</td>
</tr>
</table>
......@@ -408,13 +410,13 @@
<%= count %>
</td>
<td>
<%= configuration.getSubdomain() %>
<%= StringUtils.escapeHTMLTags(configuration.getSubdomain()) %>
</td>
<td>
<%= configuration.getSecret() %>
</td>
<td align="center" style="border-right:1px #ccc solid;">
<a href="#" onclick="if (confirm('<fmt:message key="component.settings.confirm_delete" />')) { location.replace('external-components-settings.jsp?deleteConf=<%= configuration.getSubdomain() %>'); } "
<a href="#" onclick="if (confirm('<fmt:message key="component.settings.confirm_delete" />')) { location.replace('external-components-settings.jsp?deleteConf=<%= URLEncoder.encode(configuration.getSubdomain(),"UTF-8") %>'); } "
title="<fmt:message key="global.click_delete" />"
><img src="images/delete-16x16.gif" width="16" height="16" border="0" alt=""></a>
</td>
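Review bot: `<%= configuration.getSecret() %>` in the cell after the subdomain is still emitted raw, so this row keeps one unescaped value next to the one just fixed. `<%= StringUtils.escapeHTMLTags(configuration.getSecret()) %>` would match the treatment of `getSubdomain()`. The `URLEncoder.encode(..., "UTF-8")` in the `onclick` is sound for its context, since percent-encoding leaves no quote characters to end the `location.replace('…')` string.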
......
......@@ -20,6 +20,7 @@
<%@ page import="org.jivesoftware.openfire.group.Group,
org.jivesoftware.openfire.group.GroupAlreadyExistsException,
org.jivesoftware.openfire.security.SecurityAuditManager,
org.jivesoftware.util.StringUtils,
org.jivesoftware.util.Log"
errorPage="error.jsp"
%>
......@@ -188,7 +189,7 @@
<form name="f" action="group-create.jsp" method="post">
<% if (groupName != null) { %>
<input type="hidden" name="group" value="<%= groupName %>" id="existingName">
<input type="hidden" name="group" value="<%= StringUtils.escapeForXML(groupName) %>" id="existingName">
<% } %>
<!-- BEGIN create group -->
......@@ -213,7 +214,7 @@
</td>
<td width="99%">
<input type="text" name="name" size="30" maxlength="75"
value="<%= ((name != null) ? name : "") %>" id="gname">
value="<%= ((name != null) ? StringUtils.escapeForXML(name) : "") %>" id="gname">
</td>
</tr>
......@@ -238,7 +239,7 @@
</td>
<td width="99%">
<textarea name="description" cols="30" rows="3" id="gdesc"
><%= ((description != null) ? description : "") %></textarea>
><%= ((description != null) ? StringUtils.escapeHTMLTags(description) : "") %></textarea>
</td>
</tr>
......@@ -298,4 +299,4 @@ for (i=0;i<limit;i++) {
<% } %>
</body>
</html>%>
\ No newline at end of file
</html>%>
......@@ -81,7 +81,7 @@
</p>
<form action="group-delete.jsp">
<input type="hidden" name="group" value="<%= groupName %>">
<input type="hidden" name="group" value="<%= StringUtils.escapeForXML(groupName) %>">
<input type="submit" name="delete" value="<fmt:message key="group.delete.delete" />">
<input type="submit" name="cancel" value="<fmt:message key="global.cancel" />">
</form>
......@@ -101,4 +101,4 @@
<% } %>
</body>
</html>
\ No newline at end of file
</html>
......@@ -314,7 +314,7 @@
<td class="jive-icon-label">
<% if(add) { %>
<fmt:message key="group.edit.not_update" />
<%= errorBuf %>
<%= StringUtils.escapeHTMLTags(errorBuf.toString()) %>
<% } %>
</td></tr>
</tbody>
......@@ -325,7 +325,7 @@
<div class="jive-horizontalRule"></div>
<form name="ff" action="group-edit.jsp">
<input type="hidden" name="group" value="<%= groupName %>"/>
<input type="hidden" name="group" value="<%= StringUtils.escapeForXML(groupName) %>"/>
<!-- BEGIN group name and description -->
......@@ -387,7 +387,7 @@
<div id="jive-roster" style="display: <%= !enableRosterGroups ? "none" : "block" %>;">
<b><fmt:message key="group.edit.share_display_name" /></b>
<input type="text" name="groupDisplayName" size="30" maxlength="100" value="<%= (groupDisplayName != null ? groupDisplayName : "") %>"><br>
<input type="text" name="groupDisplayName" size="30" maxlength="100" value="<%= (groupDisplayName != null ? StringUtils.escapeForXML(groupDisplayName) : "") %>"><br>
<% if (errors.get("groupDisplayName") != null) { %>
<span class="jive-error-text"><fmt:message key="group.edit.share_display_name" /></span><br/>
<% } %>
......@@ -489,7 +489,7 @@
</p>
<form action="group-edit.jsp" method="post" name="f">
<input type="hidden" name="group" value="<%= groupName %>">
<input type="hidden" name="group" value="<%= StringUtils.escapeForXML(groupName) %>">
<input type="hidden" name="add" value="Add"/>
<table cellpadding="3" cellspacing="1" border="0" style="margin: 0 0 8px 0;">
<tr>
......@@ -507,7 +507,7 @@
<% } %>
<form action="group-edit.jsp" method="post" name="main">
<input type="hidden" name="group" value="<%= groupName %>">
<input type="hidden" name="group" value="<%= StringUtils.escapeForXML(groupName) %>">
<table class="jive-table" cellpadding="3" cellspacing="0" border="0" width="435">
<tr>
<th>&nbsp;</th>
......@@ -581,7 +581,7 @@
</td>
<% if (user != null) { %>
<td><a href="user-properties.jsp?username=<%= URLEncoder.encode(user.getUsername(), "UTF-8") %>"><%= JID.unescapeNode(user.getUsername()) %></a><% if (!isLocal) { showRemoteJIDsWarning = true; %> <font color="red"><b>*</b></font><%}%></td>
<td><a href="user-properties.jsp?username=<%= URLEncoder.encode(user.getUsername(), "UTF-8") %>"><%= StringUtils.escapeHTMLTags(JID.unescapeNode(user.getUsername())) %></a><% if (!isLocal) { showRemoteJIDsWarning = true; %> <font color="red"><b>*</b></font><%}%></td>
<% } else { %>
<td><%= jid %><% showRemoteJIDsWarning = true; %> <font color="red"><b>*</b></font></td>
<% } %>
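Review bot: The `else` branch two lines below the changed cell still writes `<%= jid %>` unescaped; that branch runs when `user` is null. If `jid` can hold an address that was not resolved to a local account, it deserves the same treatment, e.g. `<%= StringUtils.escapeHTMLTags(String.valueOf(jid)) %>` (the declared type of `jid` is outside the hunk, hence `String.valueOf`).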
......@@ -672,4 +672,4 @@
}
return false;
}
%>
\ No newline at end of file
%>
......@@ -178,7 +178,7 @@ document.searchForm.search.focus();
<%= i %>
</td>
<td width="60%">
<a href="group-edit.jsp?group=<%= groupName %>"><%= StringUtils.escapeHTMLTags(group.getName()) %></a>
<a href="group-edit.jsp?group=<%= URLEncoder.encode(groupName,"UTF-8") %>"><%= StringUtils.escapeHTMLTags(group.getName()) %></a>
<% if (group.getDescription() != null) { %>
<br>
<span class="jive-description">
......@@ -195,12 +195,12 @@ document.searchForm.search.focus();
<% // Only show edit and delete options if the groups aren't read-only.
if (!webManager.getGroupManager().isReadOnly()) { %>
<td width="1%" align="center">
<a href="group-edit.jsp?group=<%= groupName %>"
<a href="group-edit.jsp?group=<%= URLEncoder.encode(groupName,"UTF-8") %>"
title=<fmt:message key="global.click_edit" />
><img src="images/edit-16x16.gif" width="16" height="16" border="0" alt=""></a>
</td>
<td width="1%" align="center" style="border-right:1px #ccc solid;">
<a href="group-delete.jsp?group=<%= groupName %>"
<a href="group-delete.jsp?group=<%= URLEncoder.encode(groupName,"UTF-8") %>"
title=<fmt:message key="global.click_delete" />
><img src="images/delete-16x16.gif" width="16" height="16" border="0" alt=""></a>
</td>
......@@ -234,4 +234,4 @@ document.searchForm.search.focus();
<% } %>
</body>
</html>
\ No newline at end of file
</html>
......@@ -17,6 +17,7 @@
- limitations under the License.
--%>
<%@ page import="org.jivesoftware.util.ParamUtils" %>
<%@ page import="org.jivesoftware.util.StringUtils" %>
<%@ page import="java.io.File" %>
<%@ page import="java.util.Map" %>
<%@ page import="java.util.HashMap" %>
......@@ -261,7 +262,7 @@
</tr>
<tr>
<td>
<input id="CORSDomains" type="text" size="80" name="CORSDomains" value="<%= serverManager.getCORSAllowOrigin() %>">
<input id="CORSDomains" type="text" size="80" name="CORSDomains" value="<%= StringUtils.escapeForXML(serverManager.getCORSAllowOrigin()) %>">
</td>
</tr>
</table>
......@@ -303,7 +304,7 @@
<label for="XFFHeader"><fmt:message key="httpbind.settings.xff.forwarded_for"/></label>
</td>
<td>
<input id="XFFHeader" type="text" size="40" name="XFFHeader" value="<%= xffHeader == null ? "" : xffHeader %>">
<input id="XFFHeader" type="text" size="40" name="XFFHeader" value="<%= xffHeader == null ? "" : StringUtils.escapeForXML(xffHeader) %>">
</td>
</tr>
<tr>
......@@ -311,7 +312,7 @@
<label for="XFFServerHeader"><fmt:message key="httpbind.settings.xff.forwarded_server"/></label>
</td>
<td>
<input id="XFFServerHeader" type="text" size="40" name="XFFServerHeader" value="<%= xffServerHeader == null ? "" : xffServerHeader %>">
<input id="XFFServerHeader" type="text" size="40" name="XFFServerHeader" value="<%= xffServerHeader == null ? "" : StringUtils.escapeForXML(xffServerHeader) %>">
</td>
</tr>
<tr>
......@@ -319,7 +320,7 @@
<label for="XFFHostHeader"><fmt:message key="httpbind.settings.xff.forwarded_host"/></label>
</td>
<td>
<input id="XFFHostHeader" type="text" size="40" name="XFFHostHeader" value="<%= xffHostHeader == null ? "" : xffHostHeader %>">
<input id="XFFHostHeader" type="text" size="40" name="XFFHostHeader" value="<%= xffHostHeader == null ? "" : StringUtils.escapeForXML(xffHostHeader) %>">
</td>
</tr>
<tr>
......@@ -327,7 +328,7 @@
<label for="XFFHostName"><fmt:message key="httpbind.settings.xff.host_name"/></label>
</td>
<td>
<input id="XFFHostName" type="text" size="40" name="XFFHostName" value="<%= xffHostName == null ? "" : xffHostName %>">
<input id="XFFHostName" type="text" size="40" name="XFFHostName" value="<%= xffHostName == null ? "" : StringUtils.escapeForXML(xffHostName) %>">
</td>
</tr>
</table>
......@@ -363,4 +364,4 @@
value="<fmt:message key="global.save_settings" />">
</form>
</body>
</html>
\ No newline at end of file
</html>
<%@ page import="org.jivesoftware.util.CertificateManager,
org.jivesoftware.util.ParamUtils,
org.jivesoftware.util.StringUtils,
org.jivesoftware.openfire.XMPPServer,
org.jivesoftware.openfire.net.SSLConfig,
java.io.ByteArrayInputStream,
......@@ -114,7 +115,7 @@
<td class="jive-icon-label">
<fmt:message key="ssl.import.certificate.error.import" />
<% if (e != null && e.getMessage() != null) { %>
<fmt:message key="ssl.certificates.error_messenge" />: <%= e.getMessage() %>
<fmt:message key="ssl.certificates.error_messenge" />: <%= StringUtils.escapeHTMLTags(e.getMessage()) %>
<% } %>
</td></tr>
</tbody>
......
......@@ -156,7 +156,7 @@
<html>
<head>
<title><%= log %></title>
<title><%= StringUtils.escapeHTMLTags(log) %></title>
<meta name="decorator" content="none"/>
<style type="text/css">
.log TABLE {
......@@ -239,4 +239,4 @@
</div>
</body>
</html>
\ No newline at end of file
</html>
......@@ -191,7 +191,7 @@
<% if (url != null) { try { %>
<input type="hidden" name="url" value="<%= url %>">
<input type="hidden" name="url" value="<%= StringUtils.escapeForXML(url) %>">
<% } catch (Exception e) { Log.error(e); } } %>
......
......@@ -21,6 +21,7 @@
<%@ page import="java.io.*,
org.jivesoftware.util.*,
java.text.*,
java.net.URLEncoder,
org.jivesoftware.util.JiveGlobals,
org.jivesoftware.openfire.user.*,
java.util.*"
......@@ -250,7 +251,7 @@ IFRAME {
</style>
<form action="logviewer.jsp" name="logViewer" method="get">
<input type="hidden" name="log" value="<%= log %>">
<input type="hidden" name="log" value="<%= StringUtils.escapeForXML(log) %>">
<div class="logviewer">
<table cellpadding="0" cellspacing="0" border="0" width="100%">
......@@ -309,7 +310,7 @@ IFRAME {
<table cellpadding="3" cellspacing="0" border="0" width="100%">
<tr>
<td nowrap><fmt:message key="logviewer.log" /></td>
<td nowrap><b><%= logFile.getName() %></b> (<%= byteFormatter.format(logFile.length()) %>)</td>
<td nowrap><b><%= StringUtils.escapeHTMLTags(logFile.getName()) %></b> (<%= byteFormatter.format(logFile.length()) %>)</td>
<td width="96%" rowspan="3">&nbsp;</td>
<td nowrap><fmt:message key="logviewer.order" /></td>
<td nowrap>
......@@ -446,7 +447,7 @@ IFRAME {
<br><br>
<iframe src="log.jsp?log=<%= log %>&mode=<%= mode %>&lines=<%= ("All".equals(numLinesParam) ? "All" : String.valueOf(numLines)) %>"
<iframe src="log.jsp?log=<%= URLEncoder.encode(log) %>&mode=<%= URLEncoder.encode(mode) %>&lines=<%= ("All".equals(numLinesParam) ? "All" : String.valueOf(numLines)) %>"
frameborder="0" height="400" width="100%" marginheight="0" marginwidth="0" scrolling="auto"></iframe>
</form>
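Review bot: `URLEncoder.encode(log)` and `URLEncoder.encode(mode)` use the deprecated one-argument overload, which encodes with the platform default charset instead of a fixed one. Every other call in this commit passes a charset, so `URLEncoder.encode(log, "UTF-8")` and `URLEncoder.encode(mode, "UTF-8")` would be consistent and give the same URL on every host. The four `URLEncoder.encode(user.toString())` calls in the `userJID=` links of the affiliation hunks (`@@ -250,10 +251,10 @@` through `@@ -348,10 +349,10 @@`) have the same issue.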
......@@ -454,4 +455,4 @@ IFRAME {
</div>
</body>
</html>
\ No newline at end of file
</html>
......@@ -23,6 +23,7 @@
<%@ taglib uri="http://java.sun.com/jstl/fmt_rt" prefix="fmt" %>
<%@ page import="org.jivesoftware.util.ParamUtils,
org.jivesoftware.util.StringUtils,
org.jivesoftware.openfire.XMPPServer,
org.jivesoftware.openfire.update.UpdateManager,
java.util.HashMap,
......@@ -233,7 +234,7 @@ else if (updateSucess) { %>
</td>
<td width="99%">
<input type="text" size="15" maxlength="70" name="proxyHost"
value="<%= ((proxyHost != null) ? proxyHost : "") %>">
value="<%= ((proxyHost != null) ? StringUtils.escapeForXML(proxyHost) : "") %>">
</td>
</tr>
<tr valign="top">
......
......@@ -20,6 +20,7 @@
<%@ page import="org.jivesoftware.util.JiveGlobals" %>
<%@ page import="org.jivesoftware.util.ParamUtils" %>
<%@ page import="org.jivesoftware.util.StringUtils" %>
<%@ page import="org.jivesoftware.openfire.XMPPServer" %>
<%@ page import="org.jivesoftware.openfire.mediaproxy.MediaProxyService" %>
<%@ page import="org.jivesoftware.openfire.mediaproxy.MediaProxySession" %>
......@@ -292,7 +293,7 @@
<%= i %>
</td>
<td width="10%" align="left" valign="middle">
<%=proxySession.getCreator()%>
<%= StringUtils.escapeHTMLTags(proxySession.getCreator())%>
</td>
<td width="15%" align="left" valign="middle">
<%=proxySession.getHostA()%>:<%=proxySession.getLocalPortA()%>
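Review bot: `<%=proxySession.getHostA()%>` in the cell right after the escaped creator is still printed raw. If the host string is taken from what a client supplies when negotiating the session (not visible in this hunk), it needs the same `StringUtils.escapeHTMLTags(...)` wrapper as `getCreator()`. The table row continues past the end of the hunk, so any further host cells there should be checked as well.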
......@@ -328,4 +329,4 @@
<% } // end enabled check %>
</body>
</html>
\ No newline at end of file
</html>
......@@ -121,7 +121,7 @@
<p>
<fmt:message key="muc.create.permission.info" />
<fmt:message key="groupchat.service.settings_affect" /> <b><a href="muc-service-edit-form.jsp?mucname=<%= URLEncoder.encode(mucname, "UTF-8") %>"><%= mucname %></a></b>
<fmt:message key="groupchat.service.settings_affect" /> <b><a href="muc-service-edit-form.jsp?mucname=<%= URLEncoder.encode(mucname, "UTF-8") %>"><%= StringUtils.escapeHTMLTags(mucname) %></a></b>
</p>
<% if (errors.size() > 0) { %>
......@@ -166,7 +166,7 @@
<!-- BEGIN 'Permission Policy' -->
<form action="muc-create-permission.jsp?save" method="post">
<input type="hidden" name="mucname" value="<%= mucname %>" />
<input type="hidden" name="mucname" value="<%= StringUtils.escapeForXML(mucname) %>" />
<div class="jive-contentBoxHeader">
<fmt:message key="muc.create.permission.policy" />
</div>
......@@ -205,7 +205,7 @@
<% if (mucService.isRoomCreationRestricted()) { %>
<!-- BEGIN 'Allowed Users' -->
<form action="muc-create-permission.jsp?add" method="post">
<input type="hidden" name="mucname" value="<%= mucname %>" />
<input type="hidden" name="mucname" value="<%= StringUtils.escapeForXML(mucname) %>" />
<div class="jive-contentBoxHeader">
<fmt:message key="muc.create.permission.allowed_users" />
</div>
......@@ -262,4 +262,4 @@
</body>
</html>
\ No newline at end of file
</html>
......@@ -149,7 +149,7 @@
<p>
<fmt:message key="muc.default.settings.info" />
<fmt:message key="groupchat.service.settings_affect" /> <b><a href="muc-service-edit-form.jsp?mucname=<%= URLEncoder.encode(mucname, "UTF-8") %>"><%= mucname %></a></b>
<fmt:message key="groupchat.service.settings_affect" /> <b><a href="muc-service-edit-form.jsp?mucname=<%= URLEncoder.encode(mucname, "UTF-8") %>"><%= StringUtils.escapeHTMLTags(mucname) %></a></b>
</p>
<% if (errors.size() > 0) { %>
......@@ -182,7 +182,7 @@
<!-- BEGIN 'Default Room Settings' -->
<form action="muc-default-settings.jsp?save" method="post">
<input type="hidden" name="mucname" value="<%= mucname %>" />
<input type="hidden" name="mucname" value="<%= StringUtils.escapeForXML(mucname) %>" />
<div class="jive-contentBoxHeader">
<fmt:message key="muc.default.settings.title" />
</div>
......
......@@ -115,7 +115,7 @@
<p>
<fmt:message key="groupchat.history.settings.introduction" />
<fmt:message key="groupchat.service.settings_affect" /> <b><a href="muc-service-edit-form.jsp?mucname=<%= URLEncoder.encode(mucname, "UTF-8") %>"><%= mucname %></a></b>
<fmt:message key="groupchat.service.settings_affect" /> <b><a href="muc-service-edit-form.jsp?mucname=<%= URLEncoder.encode(mucname, "UTF-8") %>"><%= StringUtils.escapeHTMLTags(mucname) %></a></b>
</p>
<% if ("true".equals(request.getParameter("success"))) { %>
......@@ -135,7 +135,7 @@
<!-- BEGIN 'History Settings' -->
<form action="muc-history-settings.jsp" method="post">
<input type="hidden" name="mucname" value="<%= mucname %>" />
<input type="hidden" name="mucname" value="<%= StringUtils.escapeForXML(mucname) %>" />
<div class="jive-contentBoxHeader">
<fmt:message key="groupchat.history.settings.legend" />
</div>
......@@ -187,4 +187,4 @@
</body>
</html>
\ No newline at end of file
</html>
......@@ -23,6 +23,7 @@
org.jivesoftware.openfire.muc.MUCRoom,
org.jivesoftware.openfire.muc.NotAllowedException,
org.jivesoftware.util.ParamUtils,
org.jivesoftware.util.StringUtils,
org.xmpp.packet.IQ"
errorPage="error.jsp"
%>
......@@ -250,10 +251,10 @@
<tr>
<td>&nbsp;</td>
<td>
<%= userDisplay %>
<%= StringUtils.escapeHTMLTags(userDisplay) %>
</td>
<td width="1%" align="center">
<a href="muc-room-affiliations.jsp?roomJID=<%= URLEncoder.encode(roomJID.toBareJID(), "UTF-8") %>&userJID=<%= user %>&delete=true&affiliation=owner"
<a href="muc-room-affiliations.jsp?roomJID=<%= URLEncoder.encode(roomJID.toBareJID(), "UTF-8") %>&userJID=<%= URLEncoder.encode(user.toString()) %>&delete=true&affiliation=owner"
title="<fmt:message key="global.click_delete" />"
onclick="return confirm('<fmt:message key="muc.room.affiliations.confirm_removed" />');"
><img src="images/delete-16x16.gif" width="16" height="16" border="0" alt=""></a>
......@@ -282,10 +283,10 @@
<tr>
<td>&nbsp;</td>
<td>
<%= userDisplay %>
<%= StringUtils.escapeHTMLTags(userDisplay) %>
</td>
<td width="1%" align="center">
<a href="muc-room-affiliations.jsp?roomJID=<%= URLEncoder.encode(roomJID.toBareJID(), "UTF-8") %>&userJID=<%= user %>&delete=true&affiliation=admin"
<a href="muc-room-affiliations.jsp?roomJID=<%= URLEncoder.encode(roomJID.toBareJID(), "UTF-8") %>&userJID=<%= URLEncoder.encode(user.toString()) %>&delete=true&affiliation=admin"
title="<fmt:message key="global.click_delete" />"
onclick="return confirm('<fmt:message key="muc.room.affiliations.confirm_removed" />');"
><img src="images/delete-16x16.gif" width="16" height="16" border="0" alt=""></a>
......@@ -316,10 +317,10 @@
<tr>
<td>&nbsp;</td>
<td>
<%= userDisplay %><%= nickname %>
<%= StringUtils.escapeHTMLTags(userDisplay) %><%= StringUtils.escapeHTMLTags(nickname) %>
</td>
<td width="1%" align="center">
<a href="muc-room-affiliations.jsp?roomJID=<%= URLEncoder.encode(roomJID.toBareJID(), "UTF-8") %>&userJID=<%= user %>&delete=true&affiliation=member"
<a href="muc-room-affiliations.jsp?roomJID=<%= URLEncoder.encode(roomJID.toBareJID(), "UTF-8") %>&userJID=<%= URLEncoder.encode(user.toString()) %>&delete=true&affiliation=member"
title="<fmt:message key="global.click_delete" />"
onclick="return confirm('<fmt:message key="muc.room.affiliations.confirm_removed" />');"
><img src="images/delete-16x16.gif" width="16" height="16" border="0" alt=""></a>
......@@ -348,10 +349,10 @@
<tr>
<td>&nbsp;</td>
<td>
<%= userDisplay %>
<%= StringUtils.escapeHTMLTags(userDisplay) %>
</td>
<td width="1%" align="center">
<a href="muc-room-affiliations.jsp?roomJID=<%= URLEncoder.encode(roomJID.toBareJID(), "UTF-8") %>&userJID=<%= user %>&delete=true&affiliation=outcast"
<a href="muc-room-affiliations.jsp?roomJID=<%= URLEncoder.encode(roomJID.toBareJID(), "UTF-8") %>&userJID=<%= URLEncoder.encode(user.toString()) %>&delete=true&affiliation=outcast"
title="<fmt:message key="global.click_delete" />"
onclick="return confirm('<fmt:message key="muc.room.affiliations.confirm_removed" />');"
><img src="images/delete-16x16.gif" width="16" height="16" border="0" alt=""></a>
......
......@@ -88,12 +88,12 @@
<p>
<fmt:message key="muc.room.delete.info" />
<b><a href="muc-room-edit-form.jsp?roomJID=<%= URLEncoder.encode(room.getJID().toBareJID(), "UTF-8") %>"><%= room.getJID().toBareJID() %></a></b>
<b><a href="muc-room-edit-form.jsp?roomJID=<%= URLEncoder.encode(room.getJID().toBareJID(), "UTF-8") %>"><%= StringUtils.escapeHTMLTags(room.getJID().toBareJID()) %></a></b>
<fmt:message key="muc.room.delete.detail" />
</p>
<form action="muc-room-delete.jsp">
<input type="hidden" name="roomJID" value="<%= roomJID.toBareJID() %>">
<input type="hidden" name="roomJID" value="<%= StringUtils.escapeForXML(roomJID.toBareJID()) %>">
<fieldset>
<legend><fmt:message key="muc.room.delete.destructon_title" /></legend>
......@@ -105,7 +105,7 @@
<fmt:message key="muc.room.delete.room_id" />
</td>
<td>
<%= room.getJID().toBareJID() %>
<%= StringUtils.escapeHTMLTags(room.getJID().toBareJID()) %>
</td>
</tr>
<tr>
......@@ -136,4 +136,4 @@
</form>
</body>
</html>
\ No newline at end of file
</html>
......@@ -18,6 +18,7 @@
--%>
<%@ page import="org.jivesoftware.util.ParamUtils,
org.jivesoftware.util.StringUtils,
java.text.DateFormat,
java.util.*,
org.jivesoftware.openfire.muc.MUCRoom,
......@@ -424,7 +425,7 @@
</thead>
<tbody>
<tr>
<td><%= room.getName() %></td>
<td><%= StringUtils.escapeHTMLTags(room.getName()) %></td>
<% if (room.getOccupantsCount() == 0) { %>
<td><%= room.getOccupantsCount() %> / <%= room.getMaxUsers() %></td>
<% } else { %>
......@@ -443,7 +444,7 @@
<% } %>
<form action="muc-room-edit-form.jsp">
<% if (!create) { %>
<input type="hidden" name="roomJID" value="<%= roomJID.toBareJID() %>">
<input type="hidden" name="roomJID" value="<%= StringUtils.escapeForXML(roomJID.toBareJID()) %>">
<% } %>
<input type="hidden" name="save" value="true">
<input type="hidden" name="create" value="<%= create %>">
......@@ -456,12 +457,12 @@
<% if (create) { %>
<tr>
<td><fmt:message key="muc.room.edit.form.room_id" />:</td>
<td><input type="text" name="roomName" value="<%= roomName %>">
<td><input type="text" name="roomName" value="<%= StringUtils.escapeForXML(roomName) %>">
<% if (webManager.getMultiUserChatManager().getMultiUserChatServicesCount() > 1) { %>
@<select name="mucName">
<% for (MultiUserChatService service : webManager.getMultiUserChatManager().getMultiUserChatServices()) { %>
<% if (service.isHidden()) continue; %>
<option value="<%= service.getServiceDomain() %>"<%= service.getServiceDomain().equals(mucName) ? " selected='selected'" : "" %>><%= service.getServiceDomain() %></option>
<option value="<%= StringUtils.escapeForXML(service.getServiceDomain()) %>"<%= service.getServiceDomain().equals(mucName) ? " selected='selected'" : "" %>><%= StringUtils.escapeHTMLTags(service.getServiceDomain()) %></option>
<% } %>
</select>
<% } else { %>
......@@ -472,7 +473,7 @@
// Private and hidden, skip it.
continue;
}
out.print("<input type='hidden' name='mucName' value='"+service.getServiceDomain()+"'/>"+service.getServiceDomain());
out.print("<input type='hidden' name='mucName' value='"+StringUtils.escapeForXML(service.getServiceDomain())+"'/>"+StringUtils.escapeHTMLTags(service.getServiceDomain()));
break;
}
%>
......@@ -482,22 +483,22 @@
<% } else { %>
<tr>
<td><fmt:message key="muc.room.edit.form.service" />:</td>
<td><%= roomJID.getDomain() %></td>
<td><%= StringUtils.escapeHTMLTags(roomJID.getDomain()) %></td>
</tr>
<% } %>
<tr>
<td><fmt:message key="muc.room.edit.form.room_name" />:</td>
<td><input type="text" name="roomconfig_roomname" value="<%= (naturalName == null ? "" : naturalName) %>">
<td><input type="text" name="roomconfig_roomname" value="<%= (naturalName == null ? "" : StringUtils.escapeForXML(naturalName)) %>">
</td>
</tr>
<tr>
<td><fmt:message key="muc.room.edit.form.description" />:</td>
<td><input name="roomconfig_roomdesc" value="<%= (description == null ? "" : description) %>" type="text" size="40">
<td><input name="roomconfig_roomdesc" value="<%= (description == null ? "" : StringUtils.escapeForXML(description)) %>" type="text" size="40">
</td>
</tr>
<tr>
<td><fmt:message key="muc.room.edit.form.topic" />:</td>
<td><input name="room_topic" value="<%= (roomSubject == null ? "" : roomSubject) %>" type="text" size="40">
<td><input name="room_topic" value="<%= (roomSubject == null ? "" : StringUtils.escapeForXML(roomSubject)) %>" type="text" size="40">
</td>
</tr>
<tr>
......
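Review bot: The `out.print(...)` fallback that writes the hidden `mucName` input builds a single-quoted attribute (`value='…'`), so the added `StringUtils.escapeForXML(service.getServiceDomain())` only protects it if that helper also encodes the apostrophe, which this page does not show. Every other input in this section uses double quotes, and doing the same here removes that dependency: `out.print("<input type='hidden' name='mucName' value=\"" + StringUtils.escapeForXML(service.getServiceDomain()) + "\"/>" + StringUtils.escapeHTMLTags(service.getServiceDomain()));`. The scriptlet and its loop start above the hunk, so the rest of the block is not visible here.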
......@@ -20,9 +20,9 @@
<%@ page import="org.jivesoftware.openfire.muc.MUCRole,
org.jivesoftware.openfire.muc.MUCRoom,
org.jivesoftware.util.ParamUtils,
org.jivesoftware.util.StringUtils,
java.net.URLEncoder,
java.text.DateFormat,
java.util.List"
java.text.DateFormat"
errorPage="error.jsp"
%>
<%@ page import="org.jivesoftware.openfire.XMPPServer" %>
......@@ -50,23 +50,19 @@
// Kick nick specified
if (kick != null) {
List<MUCRole> roles = room.getOccupantsByNickname(nickName);
if (roles != null && roles.size() > 0) {
MUCRole role = room.getOccupant(nickName);
if (role != null) {
try {
for (MUCRole role : roles) {
room.kickOccupant(role.getUserAddress(), XMPPServer.getInstance().createJID(webManager.getUser().getUsername(), null), "");
}
room.kickOccupant(role.getUserAddress(), XMPPServer.getInstance().createJID(webManager.getUser().getUsername(), null), "");
// Log the event
webManager.logEvent("kicked MUC occupant "+nickName+" from "+roomName, null);
// Done, so redirect
response.sendRedirect("muc-room-occupants.jsp?roomJID="+URLEncoder.encode(room.getJID().toBareJID(), "UTF-8")+
"&nickName="+URLEncoder.encode(nickName, "UTF-8")+"&deletesuccess=true");
response.sendRedirect("muc-room-occupants.jsp?roomJID="+URLEncoder.encode(room.getJID().toBareJID(), "UTF-8")+"&nickName="+URLEncoder.encode(role.getNickname(), "UTF-8")+"&deletesuccess=true");
return;
}
catch (NotAllowedException e) {
// Done, so redirect
response.sendRedirect("muc-room-occupants.jsp?roomJID="+URLEncoder.encode(room.getJID().toBareJID(), "UTF-8")+
"&nickName="+URLEncoder.encode(nickName, "UTF-8")+"&deletefailed=true");
response.sendRedirect("muc-room-occupants.jsp?roomJID="+URLEncoder.encode(room.getJID().toBareJID(), "UTF-8")+"&nickName="+URLEncoder.encode(role.getNickname(), "UTF-8")+"&deletefailed=true");
return;
}
}
......@@ -96,7 +92,7 @@
<tr><td class="jive-icon"><img src="images/success-16x16.gif" width="16" height="16" border="0" alt=""></td>
<td class="jive-icon-label">
<fmt:message key="muc.room.occupants.kicked">
<fmt:param value="<%= nickName %>"/>
<fmt:param value="<%= StringUtils.escapeForXML(nickName) %>"/>
</fmt:message>
</td></tr>
</tbody>
......@@ -113,7 +109,7 @@
<tr><td class="jive-icon"><img src="images/error-16x16.gif" width="16" height="16" border="0" alt=""></td>
<td class="jive-icon-label">
<fmt:message key="muc.room.occupants.kickfailed">
<fmt:param value="<%= nickName %>"/>
<fmt:param value="<%= StringUtils.escapeForXML(nickName) %>"/>
</fmt:message>
</td></tr>
</tbody>
......@@ -134,7 +130,7 @@
</thead>
<tbody>
<tr>
<td><%= room.getName() %></td>
<td><%= StringUtils.escapeHTMLTags(room.getName()) %></td>
<td><%= room.getOccupantsCount() %> / <%= room.getMaxUsers() %></td>
<td><%= dateFormatter.format(room.getCreationDate()) %></td>
<td><%= dateFormatter.format(room.getModificationDate()) %></td>
......@@ -162,10 +158,10 @@
<tbody>
<% for (MUCRole role : room.getOccupants()) { %>
<tr>
<td><%= role.getUserAddress() %></td>
<td><%= role.getNickname() %></td>
<td><%= role.getRole() %></td>
<td><%= role.getAffiliation() %></td>
<td><%= StringUtils.escapeHTMLTags(role.getUserAddress().toString()) %></td>
<td><%= StringUtils.escapeHTMLTags(role.getNickname().toString()) %></td>
<td><%= StringUtils.escapeHTMLTags(role.getRole().toString()) %></td>
<td><%= StringUtils.escapeHTMLTags(role.getAffiliation().toString()) %></td>
<td><a href="muc-room-occupants.jsp?roomJID=<%= URLEncoder.encode(room.getJID().toBareJID(), "UTF-8") %>&nickName=<%= URLEncoder.encode(role.getNickname(), "UTF-8") %>&kick=1" title="<fmt:message key="muc.room.occupants.kick"/>"><img src="images/delete-16x16.gif" alt="<fmt:message key="muc.room.occupants.kick"/>" border="0" width="16" height="16"/></a></td>
</tr>
<% } %>
......
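Review bot: The kick handler now calls `room.getOccupant(nickName)` and kicks that single `MUCRole`, where the removed code looped over `room.getOccupantsByNickname(nickName)`; that is a behaviour change unrelated to output escaping. If several occupants can hold one nickname, as the removed loop suggests, the others would stay in the room while the page still redirects with `deletesuccess=true`. I would keep the loop in this commit, or move the change to its own commit and document it with `// only the occupant returned by getOccupant() is kicked`. Separately, in the occupants table the added `role.getUserAddress().toString()` and its three siblings throw on a null value where the old expression printed it; `String.valueOf(role.getUserAddress())` keeps the old tolerance. The handler's enclosing `if` continues outside the hunk.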
......@@ -91,7 +91,7 @@
<p>
<fmt:message key="muc.room.summary.info" />
<a href="muc-service-edit-form.jsp?mucname=<%= URLEncoder.encode(mucService.getServiceName(), "UTF-8")%>"><%= mucService.getServiceDomain() %></a>
<a href="muc-service-edit-form.jsp?mucname=<%= URLEncoder.encode(mucService.getServiceName(), "UTF-8")%>"><%= StringUtils.escapeHTMLTags(mucService.getServiceDomain()) %></a>
<fmt:message key="muc.room.summary.info2" />
</p>
......@@ -128,7 +128,7 @@
continue;
}
%>
<option value="<%= service.getServiceName() %>"<%= mucService.getServiceName().equals(service.getServiceName()) ? " selected='selected'" : "" %>><%= service.getServiceDomain() %></option>
<option value="<%= StringUtils.escapeForXML(service.getServiceName()) %>"<%= mucService.getServiceName().equals(service.getServiceName()) ? " selected='selected'" : "" %>><%= StringUtils.escapeHTMLTags(service.getServiceDomain()) %></option>
<% } %>
</select>
<% } %>
......@@ -144,7 +144,7 @@
String sep = ((i+1)<numPages) ? " " : "";
boolean isCurrent = (i+1) == curPage;
%>
<a href="muc-room-summary.jsp?mucname=<%= mucname == null ? "" : mucname %>&start=<%= (i*range) %>"
<a href="muc-room-summary.jsp?mucname=<%= mucname == null ? "" : URLEncoder.encode(mucname) %>&start=<%= (i*range) %>"
class="<%= ((isCurrent) ? "jive-current" : "") %>"
><%= (i+1) %></a><%= sep %>
......@@ -248,7 +248,7 @@
String sep = ((i+1)<numPages) ? " " : "";
boolean isCurrent = (i+1) == curPage;
%>
<a href="muc-room-summary.jsp?mucname=<%= mucname == null ? "" : mucname %>&start=<%= (i*range) %>"
<a href="muc-room-summary.jsp?mucname=<%= mucname == null ? "" : URLEncoder.encode(mucname) %>&start=<%= (i*range) %>"
class="<%= ((isCurrent) ? "jive-current" : "") %>"
><%= (i+1) %></a><%= sep %>
......@@ -259,4 +259,4 @@
<% } %>
</body>
</html>
\ No newline at end of file
</html>
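Review bot: Both pagination links call the one-argument `URLEncoder.encode(mucname)`, which is deprecated and encodes with the platform default charset, while the service link earlier in this section passes `"UTF-8"`. A non-ASCII service name could then be encoded differently from the way the receiving page decodes it, depending on the JVM's default. Use `URLEncoder.encode(mucname, "UTF-8")` in both places. The same one-argument form is added later in this commit for `user.toString()`, the certificate alias `a`, `nodeID` and `user.getUsername()`.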
......@@ -73,12 +73,12 @@
<p>
<fmt:message key="muc.service.delete.info" />
<b><a href="muc-service-edit-form.jsp?mucname=<%= URLEncoder.encode(mucname, "UTF-8") %>"><%= mucname %></a></b>
<b><a href="muc-service-edit-form.jsp?mucname=<%= URLEncoder.encode(mucname, "UTF-8") %>"><%= StringUtils.escapeHTMLTags(mucname) %></a></b>
<fmt:message key="muc.service.delete.detail" />
</p>
<form action="muc-service-delete.jsp">
<input type="hidden" name="mucname" value="<%= mucname %>">
<input type="hidden" name="mucname" value="<%= StringUtils.escapeForXML(mucname) %>">
<fieldset>
<legend><fmt:message key="muc.service.delete.destructon_title" /></legend>
......@@ -90,7 +90,7 @@
<fmt:message key="muc.service.delete.service_name" />
</td>
<td>
<%= mucname %>
<%= StringUtils.escapeHTMLTags(mucname) %>
</td>
</tr>
<tr>
......@@ -113,4 +113,4 @@
</form>
</body>
</html>
\ No newline at end of file
</html>
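Review bot: This section adds three `StringUtils` calls, but none of its hunks touches the page's import directive, whereas other files in this commit gain `org.jivesoftware.util.StringUtils` explicitly. If the page does not already import that class or `org.jivesoftware.util.*`, the JSP will fail to compile, and unless the pages are precompiled that only shows up when an administrator opens it. Please confirm the import is present, or add `<%@ page import="org.jivesoftware.util.StringUtils" %>`. The same check applies to other sections that use `StringUtils` without a visible import change, for example the ones posting to `muc-sysadmins.jsp` and `muc-tasks.jsp` and the one linking to `ssl-certificates.jsp`.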
......@@ -17,7 +17,8 @@
- limitations under the License.
--%>
<%@ page import="org.jivesoftware.util.ParamUtils,
<%@ page import="org.jivesoftware.util.StringUtils,
org.jivesoftware.util.ParamUtils,
org.jivesoftware.util.AlreadyExistsException,
java.util.*"
errorPage="error.jsp"
......@@ -147,7 +148,7 @@
<form action="muc-service-edit-form.jsp" method="post">
<input type="hidden" name="save" value="true">
<% if (!create) { %>
<input type="hidden" name="mucname" value="<%= mucname %>">
<input type="hidden" name="mucname" value="<%= StringUtils.escapeForXML(mucname) %>">
<% } else { %>
<input type="hidden" name="create" value="true" />
<% } %>
......@@ -163,7 +164,7 @@
</td>
<td>
<% if (create) { %>
<input type="text" size="30" maxlength="150" name="mucname" value="<%= (mucname != null ? mucname : "") %>">
<input type="text" size="30" maxlength="150" name="mucname" value="<%= (mucname != null ? StringUtils.escapeForXML(mucname) : "") %>">
<% if (errors.get("mucname") != null) { %>
......@@ -173,7 +174,7 @@
<% } %>
<% } else { %>
<%= mucname %>
<%= StringUtils.escapeHTMLTags(mucname) %>
<% } %>
</td>
</tr>
......@@ -182,7 +183,7 @@
<fmt:message key="groupchat.service.properties.label_service_description" />
</td>
<td>
<input type="text" size="30" maxlength="150" name="mucdesc" value="<%= (mucdesc != null ? mucdesc : "") %>">
<input type="text" size="30" maxlength="150" name="mucdesc" value="<%= (mucdesc != null ? StringUtils.escapeForXML(mucdesc) : "") %>">
</td>
</tr>
</table>
......@@ -193,4 +194,4 @@
</body>
</html>
\ No newline at end of file
</html>
......@@ -19,7 +19,8 @@
--%>
<%@ page import="org.jivesoftware.util.LocaleUtils,
org.jivesoftware.util.ParamUtils"
org.jivesoftware.util.ParamUtils,
org.jivesoftware.util.StringUtils"
%><%@ page import="org.xmpp.packet.JID"%>
<%@ page import="java.net.URLEncoder" %>
<%@ page import="org.jivesoftware.openfire.muc.MultiUserChatService" %>
......@@ -196,7 +197,7 @@
<%= i %>
</td>
<td width="23%">
<a href="muc-service-edit-form.jsp?mucname=<%= URLEncoder.encode(service.getServiceName(), "UTF-8") %>"><%= JID.unescapeNode(service.getServiceName()) %></a>
<a href="muc-service-edit-form.jsp?mucname=<%= URLEncoder.encode(service.getServiceName(), "UTF-8") %>"><%= StringUtils.escapeHTMLTags(JID.unescapeNode(service.getServiceName())) %></a>
</td>
<td width="33%">
<%= service.getDescription() %> &nbsp;
......
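Review bot: `<%= service.getDescription() %>` in the next cell is still written to the page unescaped, although the service name beside it is now wrapped. The description is presumably the value entered in the `mucdesc` field of the service edit form, so any markup stored there would be rendered on this summary page as is. Wrap it the same way: `<%= StringUtils.escapeHTMLTags(service.getDescription()) %>`. The context lines `<%= event.getNode() %>` and `<%= nodeInfo.getHostName() %>` in later sections are left raw in the same way and deserve the same check. The table row continues outside the hunk.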
......@@ -88,7 +88,7 @@
<p>
<fmt:message key="groupchat.admins.introduction" />
<fmt:message key="groupchat.service.settings_affect" /> <b><a href="muc-service-edit-form.jsp?mucname=<%= URLEncoder.encode(mucname, "UTF-8") %>"><%= mucname %></a></b>
<fmt:message key="groupchat.service.settings_affect" /> <b><a href="muc-service-edit-form.jsp?mucname=<%= URLEncoder.encode(mucname, "UTF-8") %>"><%= StringUtils.escapeHTMLTags(mucname) %></a></b>
</p>
<% if ("true".equals(request.getParameter("deletesuccess"))) { %>
......@@ -135,13 +135,13 @@
<!-- BEGIN 'Administrators' -->
<form action="muc-sysadmins.jsp?add" method="post">
<input type="hidden" name="mucname" value="<%= mucname %>" />
<input type="hidden" name="mucname" value="<%= StringUtils.escapeForXML(mucname) %>" />
<div class="jive-contentBoxHeader">
<fmt:message key="groupchat.admins.legend" />
</div>
<div class="jive-contentBox">
<label for="userJIDtf"><fmt:message key="groupchat.admins.label_add_admin" /></label>
<input type="text" name="userJID" size="30" maxlength="100" value="<%= (userJID != null ? userJID : "") %>"
<input type="text" name="userJID" size="30" maxlength="100" value="<%= (userJID != null ? StringUtils.escapeForXML(userJID) : "") %>"
id="userJIDtf">
<input type="submit" value="<fmt:message key="groupchat.admins.add" />">
<br><br>
......@@ -171,10 +171,10 @@
%>
<tr>
<td width="99%">
<%= userDisplay %>
<%= StringUtils.escapeHTMLTags(userDisplay) %>
</td>
<td width="1%" align="center">
<a href="muc-sysadmins.jsp?userJID=<%= user.toString() %>&delete=true&mucname=<%= URLEncoder.encode(mucname, "UTF-8") %>"
<a href="muc-sysadmins.jsp?userJID=<%= URLEncoder.encode(user.toString()) %>&delete=true&mucname=<%= URLEncoder.encode(mucname, "UTF-8") %>"
title="<fmt:message key="groupchat.admins.dialog.title" />"
onclick="return confirm('<fmt:message key="groupchat.admins.dialog.text" />');"
><img src="images/delete-16x16.gif" width="16" height="16" border="0" alt=""></a>
......@@ -191,4 +191,4 @@
</body>
</html>
\ No newline at end of file
</html>
......@@ -137,7 +137,7 @@
<p>
<fmt:message key="muc.tasks.info" />
<fmt:message key="groupchat.service.settings_affect" /> <b><a href="muc-service-edit-form.jsp?mucname=<%= URLEncoder.encode(mucname, "UTF-8") %>"><%= mucname %></a></b>
<fmt:message key="groupchat.service.settings_affect" /> <b><a href="muc-service-edit-form.jsp?mucname=<%= URLEncoder.encode(mucname, "UTF-8") %>"><%= StringUtils.escapeHTMLTags(mucname) %></a></b>
</p>
<% if (kickSettingSuccess || logSettingSuccess) { %>
......@@ -187,7 +187,7 @@
<!-- BEGIN 'Idle User Settings' -->
<form action="muc-tasks.jsp?kickSettings" method="post">
<input type="hidden" name="mucname" value="<%= mucname %>" />
<input type="hidden" name="mucname" value="<%= StringUtils.escapeForXML(mucname) %>" />
<div class="jive-contentBoxHeader">
<fmt:message key="muc.tasks.user_setting" />
</div>
......@@ -228,7 +228,7 @@
<!-- BEGIN 'Conversation Logging' -->
<form action="muc-tasks.jsp?logSettings" method="post">
<input type="hidden" name="mucname" value="<%= mucname %>" />
<input type="hidden" name="mucname" value="<%= StringUtils.escapeForXML(mucname) %>" />
<div class="jive-contentBoxHeader">
<fmt:message key="muc.tasks.conversation.logging" />
</div>
......@@ -261,4 +261,4 @@
</body>
</html>
\ No newline at end of file
</html>
......@@ -116,7 +116,7 @@
</select>
&nbsp;&nbsp;
<strong><fmt:message key="security.audit.viewer.username" /></strong>:
<input type="text" size="30" maxlength="150" name="username" value="<%= username != null ? username : "" %>"/>
<input type="text" size="30" maxlength="150" name="username" value="<%= username != null ? StringUtils.escapeForXML(username) : "" %>"/>
<br/>
<strong><fmt:message key="security.audit.viewer.date_range"/></strong>:
<fmt:message key="security.audit.viewer.date_range.start"/>:
......@@ -164,7 +164,7 @@
<%= event.getMsgID() %>
</td>
<td width="10%">
<a href="user-properties.jsp?username=<%= URLEncoder.encode(event.getUsername(), "UTF-8") %>"><%= JID.unescapeNode(event.getUsername()) %></a>
<a href="user-properties.jsp?username=<%= URLEncoder.encode(event.getUsername(), "UTF-8") %>"><%= StringUtils.escapeHTMLTags(JID.unescapeNode(event.getUsername())) %></a>
</td>
<td width="15%">
<%= event.getNode() %>
......
......@@ -298,7 +298,7 @@ function dodelete(propName) {
<td>
<div class="hidebox" style="width:200px;">
<span title="<%= StringUtils.escapeHTMLTags(n) %>">
<span title="<%= StringUtils.escapeForXML(n) %>">
<%= StringUtils.escapeHTMLTags(n) %>
</span>
</div>
......@@ -368,12 +368,12 @@ function dodelete(propName) {
<td>
<% if (edit) { %>
<input type="hidden" name="propName" value="<%= StringUtils.escapeHTMLTags(propName) %>">
<input type="hidden" name="propName" value="<%= StringUtils.escapeForXML(propName) %>">
<%= StringUtils.escapeHTMLTags(propName) %>
<% } else { %>
<input type="text" name="propName" size="40" maxlength="100" value="<%= (propName != null ? StringUtils.escapeHTMLTags(propName) : "") %>">
<input type="text" name="propName" size="40" maxlength="100" value="<%= (propName != null ? StringUtils.escapeForXML(propName) : "") %>">
<% if (errors.containsKey("propName")) { %>
......@@ -432,4 +432,4 @@ function dodelete(propName) {
<br><br><br><br><br><br>
</body>
</html>
\ No newline at end of file
</html>
......@@ -5,6 +5,7 @@
<%@ page import="org.jivesoftware.openfire.session.IncomingServerSession,
org.jivesoftware.util.JiveGlobals,
org.jivesoftware.util.StringUtils,
java.net.URLEncoder,
java.util.Calendar,
java.util.Date"%>
......@@ -38,8 +39,8 @@
<td width="47%" nowrap>
<table cellpadding="0" cellspacing="0" border="0">
<tr>
<td width="1%" ><img src="getFavicon?host=<%=host%>" width="16" height="16" alt=""></td>
<td><a href="server-session-details.jsp?hostname=<%= URLEncoder.encode(host, "UTF-8") %>" title="<fmt:message key='session.row.cliked' />"><%= host %></a></td>
<td width="1%" ><img src="getFavicon?host=<%=URLEncoder.encode(host, "UTF-8")%>" width="16" height="16" alt=""></td>
<td><a href="server-session-details.jsp?hostname=<%= URLEncoder.encode(host, "UTF-8") %>" title="<fmt:message key='session.row.cliked' />"><%= StringUtils.escapeHTMLTags(host) %></a></td>
</tr>
</table>
</td>
......@@ -124,4 +125,4 @@
onclick="return confirm('<fmt:message key="session.row.confirm_close" />');"
><img src="images/delete-16x16.gif" width="16" height="16" border="0"></a>
</td>
</tr>
\ No newline at end of file
</tr>
......@@ -25,6 +25,7 @@
org.jivesoftware.openfire.user.UserManager,
org.jivesoftware.util.JiveGlobals,
org.jivesoftware.util.ParamUtils,
org.jivesoftware.util.StringUtils,
java.text.NumberFormat,
java.util.Collection"
errorPage="error.jsp"
......@@ -114,7 +115,7 @@
<fmt:message key="session.details.session_id" />
</td>
<td>
<%= StringUtils.escapeForXML(address.toString()) %>
<%= StringUtils.escapeHTMLTags(address.toString()) %>
</td>
</tr>
<tr>
......@@ -125,11 +126,11 @@
<% String n = address.getNode(); %>
<% if (isAnonymous) { %>
<i> <fmt:message key="session.details.anonymous" /> </i> - <%= address.getResource()==null?"":StringUtils.escapeForXML(address.getResource()) %>
<i> <fmt:message key="session.details.anonymous" /> </i> - <%= address.getResource()==null?"":StringUtils.escapeHTMLTags(address.getResource()) %>
<% } else { %>
<a href="user-properties.jsp?username=<%= URLEncoder.encode(n, "UTF-8") %>"><%= JID.unescapeNode(n) %></a>
<a href="user-properties.jsp?username=<%= URLEncoder.encode(n, "UTF-8") %>"><%= StringUtils.escapeHTMLTags(JID.unescapeNode(n)) %></a>
- <%= address.getResource()==null?"":StringUtils.escapeForXML(address.getResource()) %>
<% } %>
......@@ -190,7 +191,7 @@
Presence.Show show = currentSess.getPresence().getShow();
String statusTxt = currentSess.getPresence().getStatus();
if (statusTxt != null) {
statusTxt = " -- " + StringUtils.escapeForXML(statusTxt);
statusTxt = " -- " + StringUtils.escapeHTMLTags(statusTxt);
}
else {
statusTxt = "";
......@@ -360,4 +361,4 @@
</form>
</body>
</html>
\ No newline at end of file
</html>
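Review bot: In the username cell the anonymous branch now uses `StringUtils.escapeHTMLTags(address.getResource())`, but the resource printed after the user link in the `else` branch still goes through `StringUtils.escapeForXML`. Both are element content, so they should use the same helper, otherwise the two branches can render the same resource differently: `- <%= address.getResource()==null?"":StringUtils.escapeHTMLTags(address.getResource()) %>`. Whether the swap is lossless also depends on `escapeHTMLTags` encoding `&`, which is not visible here. If it does not, a resource or status text containing a literal `&lt;` would now be displayed as `<`.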
......@@ -39,7 +39,7 @@
><%= ((!sessionManager.isAnonymousRoute(sess.getUsername())) ? JID.unescapeNode(name): "<i>"+LocaleUtils.getLocalizedString("session.details.anonymous")+"</i>") %></a>
</td>
<td width="15%" nowrap>
<%= StringUtils.escapeForXML(sess.getAddress().getResource()) %>
<%= StringUtils.escapeHTMLTags(sess.getAddress().getResource()) %>
</td>
<td nowrap>
<% if (sess instanceof LocalClientSession) { %>
......@@ -94,7 +94,7 @@
<td width="46%">
<% if (_stat != null) { %>
<%= _stat %>
<%= StringUtils.escapeHTMLTags(_stat) %>
<% } else { %>
......@@ -120,7 +120,7 @@
<td width="46%">
<% if (_stat != null) { %>
<%= sess.getPresence().getStatus() %>
<%= StringUtils.escapeHTMLTags(sess.getPresence().getStatus()) %>
<% } else { %>
......@@ -146,7 +146,7 @@
<td width="46%">
<% if (_stat != null) { %>
<%= sess.getPresence().getStatus() %>
<%= StringUtils.escapeHTMLTags(sess.getPresence().getStatus()) %>
<% } else { %>
......@@ -177,4 +177,4 @@
onclick="return confirm('<fmt:message key="session.row.confirm_close" />');"
><img src="images/delete-16x16.gif" width="16" height="16" border="0" alt=""></a>
</td>
</tr>
\ No newline at end of file
</tr>
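Review bot: The link text on the first context line of this section still prints `JID.unescapeNode(name)` without escaping, while the same expression is wrapped in `StringUtils.escapeHTMLTags` elsewhere in this commit. `unescapeNode` turns escaped sequences in the node back into literal characters, so its result should be treated as untrusted text at this point. Because the other arm of the ternary deliberately emits `<i>…</i>`, escape only the name: replace `JID.unescapeNode(name)` with `StringUtils.escapeHTMLTags(JID.unescapeNode(name))`. The anchor element starts above the hunk.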
......@@ -290,4 +290,4 @@
</p>
</body>
</html>
\ No newline at end of file
</html>
......@@ -14,6 +14,7 @@
<%@ page import="java.util.HashMap" %>
<%@ page import="java.util.LinkedHashMap" %>
<%@ page import="java.util.Map" %>
<%@ page import="java.net.URLEncoder" %>
<%@ page import="org.jivesoftware.openfire.container.PluginManager" %>
<%@ page import="org.jivesoftware.openfire.container.AdminConsolePlugin" %>
<%@ page import="java.io.IOException" %>
......@@ -356,7 +357,7 @@
<tr valign="top">
<td id="rs<%=i%>" width="1" rowspan="1"><%= (i) %>.</td>
<td>
<%= identities.toString() %> (<%= a %>)
<%= StringUtils.escapeHTMLTags(identities.toString()) %> (<%= StringUtils.escapeHTMLTags(a) %>)
</td>
<td>
<% boolean expired = c.getNotAfter().before(new Date());
......@@ -388,7 +389,7 @@
<%= c.getPublicKey().getAlgorithm() %>
</td>
<td width="1" align="center">
<a href="ssl-certificates.jsp?alias=<%= a %>&type=server&delete=true"
<a href="ssl-certificates.jsp?alias=<%= URLEncoder.encode(a) %>&type=server&delete=true"
title="<fmt:message key="global.click_delete" />"
onclick="return confirm('<fmt:message key="ssl.certificates.confirm_delete" />');"
><img src="images/delete-16x16.gif" width="16" height="16" border="0" alt=""></a>
......@@ -397,7 +398,7 @@
<% if (isSigningPending) { %>
<form action="ssl-certificates.jsp" method="post">
<input name="importReply" type="hidden" value="true">
<input name="alias" type="hidden" value="<%= a%>">
<input name="alias" type="hidden" value="<%= StringUtils.escapeForXML(a)%>">
<tr id="pk<%=i%>">
<td colspan="6">
<span class="jive-description">
......
<%@ page import="org.jivesoftware.util.CertificateManager" %>
<%@ page import="org.jivesoftware.util.ParamUtils" %>
<%@ page import="org.jivesoftware.util.StringUtils" %>
<%@ page import="org.jivesoftware.openfire.XMPPServer" %>
<%@ page import="org.jivesoftware.openfire.net.SSLConfig" %>
<%@ page import="java.security.KeyStore" %>
......@@ -204,42 +205,42 @@
</td>
<td width="99%">
<input type="text" name="name" size="50" maxlength="75"
value="<%= ((name!=null) ? name : "") %>" id="namef">
value="<%= ((name!=null) ? StringUtils.escapeForXML(name) : "") %>" id="namef">
</td>
</tr>
<tr>
<td width="1%" nowrap>
<label for="ouf"><fmt:message key="ssl.signing-request.organizational_unit"/>:</label></td>
<td width="99%">
<input type="text" name="ou" size="50" maxlength="75" value="<%= ((organizationalUnit!=null) ? organizationalUnit : "") %>" id="ouf">
<input type="text" name="ou" size="50" maxlength="75" value="<%= ((organizationalUnit!=null) ? StringUtils.escapeForXML(organizationalUnit) : "") %>" id="ouf">
</td>
</tr>
<tr>
<td width="1%" nowrap>
<label for="of"><fmt:message key="ssl.signing-request.organization"/>:</label></td>
<td width="99%">
<input type="text" name="o" size="50" maxlength="75" value="<%= ((organization!=null) ? organization : "") %>" id="of">
<input type="text" name="o" size="50" maxlength="75" value="<%= ((organization!=null) ? StringUtils.escapeForXML(organization) : "") %>" id="of">
</td>
</tr>
<tr>
<td width="1%" nowrap>
<label for="cityf"><fmt:message key="ssl.signing-request.city"/>:</label></td>
<td width="99%">
<input type="text" name="city" size="50" maxlength="75" value="<%= ((city!=null) ? city : "") %>" id="cityf">
<input type="text" name="city" size="50" maxlength="75" value="<%= ((city!=null) ? StringUtils.escapeForXML(city) : "") %>" id="cityf">
</td>
</tr>
<tr>
<td width="1%" nowrap>
<label for="statef"><fmt:message key="ssl.signing-request.state"/>:</label></td>
<td width="99%">
<input type="text" name="state" size="30" maxlength="75" value="<%= ((state!=null) ? state : "") %>" id="statef">
<input type="text" name="state" size="30" maxlength="75" value="<%= ((state!=null) ? StringUtils.escapeForXML(state) : "") %>" id="statef">
</td>
</tr>
<tr>
<td width="1%" nowrap>
<label for="countryf"><fmt:message key="ssl.signing-request.country"/>:</label></td>
<td width="99%">
<input type="text" name="country" size="2" maxlength="2" value="<%= ((countryCode!=null) ? countryCode : "") %>" id="countryf">
<input type="text" name="country" size="2" maxlength="2" value="<%= ((countryCode!=null) ? StringUtils.escapeForXML(countryCode) : "") %>" id="countryf">
</td>
</tr>
<tr>
......@@ -254,4 +255,4 @@
</form>
<!-- END 'Issuer information form' -->
</body>
</html>
\ No newline at end of file
</html>
<%@ page import="org.jivesoftware.util.cache.Cache"%>
<%@ page import="org.jivesoftware.util.ParamUtils"%>
<%@ page import="org.jivesoftware.util.StringUtils"%>
<%@ page import="java.text.DecimalFormat"%>
<%--
- $RCSfile$
......@@ -193,7 +194,7 @@
<table cellpadding="0" cellspacing="0" border="0">
<tr>
<td class="icon"><img src="images/cache-16x16.gif" width="16" height="16" alt="" border="0"></td>
<td><%= cache.getName() %></td>
<td><%= StringUtils.escapeHTMLTags(cache.getName()) %></td>
</tr>
</table>
</td>
......
......@@ -37,6 +37,7 @@
<%@ page import="java.util.Collection" %>
<%@ page import="java.util.Date" %>
<%@ page import="java.util.Map" %>
<%@ page import="java.net.URLEncoder" %>
<%@ page import="org.jivesoftware.util.Base64" %>
<jsp:useBean id="webManager" class="org.jivesoftware.util.WebManager" />
......@@ -282,12 +283,12 @@
%>
<tr class="<%= (isLocalMember ? "local" : "") %>" valign="middle">
<td align="center" width="1%">
<a href="plugins/<%= CacheFactory.getPluginName() %>/system-clustering-node.jsp?UID=<%= nodeID %>"
<a href="plugins/<%= CacheFactory.getPluginName() %>/system-clustering-node.jsp?UID=<%= URLEncoder.encode(nodeID) %>"
title="Click for more details"
><img src="images/server-network-24x24.gif" width="24" height="24" border="0" alt=""></a>
</td>
<td class="jive-description" nowrap width="1%" valign="middle">
<a href="plugins/<%= CacheFactory.getPluginName() %>/system-clustering-node.jsp?UID=<%= nodeID %>">
<a href="plugins/<%= CacheFactory.getPluginName() %>/system-clustering-node.jsp?UID=<%= URLEncoder.encode(nodeID) %>">
<% if (isLocalMember) { %>
<b><%= nodeInfo.getHostName() %></b>
<% } else { %>
......
......@@ -156,7 +156,7 @@
<fmt:message key="system.email.mail_host" />:
</td>
<td nowrap>
<input type="text" name="host" value="<%= (host != null)?host:"" %>" size="40" maxlength="150">
<input type="text" name="host" value="<%= (host != null)? StringUtils.escapeForXML(host):"" %>" size="40" maxlength="150">
</td>
</tr>
......@@ -201,7 +201,7 @@
<fmt:message key="system.email.server_username" />:
</td>
<td nowrap>
<input type="text" name="server_username" value="<%= (username != null) ? username : "" %>" size="40" maxlength="150">
<input type="text" name="server_username" value="<%= (username != null) ? StringUtils.escapeForXML(username) : "" %>" size="40" maxlength="150">
</td>
</tr>
<tr>
......@@ -230,4 +230,4 @@
<!-- END SMTP settings -->
</body>
</html>
\ No newline at end of file
</html>
......@@ -17,6 +17,7 @@
<%@ page import="org.jivesoftware.util.*,
org.jivesoftware.openfire.user.*,
java.util.*,
java.net.URLEncoder,
javax.mail.*,
javax.mail.internet.*"
errorPage="error.jsp"
......@@ -199,7 +200,7 @@ function checkClick(el) {
<% if (mex instanceof AuthenticationFailedException) { %>
<fmt:message key="system.emailtest.failure_authentication" />
<% } else { %>
(Message: <%= mex.getMessage() %>)
(Message: <%= StringUtils.escapeHTMLTags(mex.getMessage()) %>)
<% } %>
<% } %>
</td></tr>
......@@ -229,7 +230,7 @@ function checkClick(el) {
<%
} else {
%>
<%= host %>:<%= JiveGlobals.getIntProperty("mail.smtp.port", 25) %>
<%= StringUtils.escapeHTMLTags(host) %>:<%= JiveGlobals.getIntProperty("mail.smtp.port", 25) %>
<% if (JiveGlobals.getBooleanProperty("mail.smtp.ssl", false)) { %>
......@@ -244,10 +245,10 @@ function checkClick(el) {
<fmt:message key="system.emailtest.from" />:
</td>
<td>
<input type="hidden" name="from" value="<%= from %>">
<input type="hidden" name="from" value="<%= StringUtils.escapeForXML(from) %>">
<%= StringUtils.escapeHTMLTags(from) %>
<span class="jive-description">
(<a href="user-edit-form.jsp?username=<%=user.getUsername()%>">Update Address</a>)
(<a href="user-edit-form.jsp?username=<%= URLEncoder.encode(user.getUsername())%>">Update Address</a>)
</span>
</td>
</tr>
......@@ -256,7 +257,7 @@ function checkClick(el) {
<fmt:message key="system.emailtest.to" />:
</td>
<td>
<input type="text" name="to" value="<%= ((to != null) ? to : "") %>"
<input type="text" name="to" value="<%= ((to != null) ? StringUtils.escapeForXML(to) : "") %>"
size="40" maxlength="100">
</td>
</tr>
......@@ -265,7 +266,7 @@ function checkClick(el) {
<fmt:message key="system.emailtest.subject" />:
</td>
<td>
<input type="text" name="subject" value="<%= ((subject != null) ? subject : "") %>"
<input type="text" name="subject" value="<%= ((subject != null) ? StringUtils.escapeForXML(subject) : "") %>"
size="40" maxlength="100">
</td>
</tr>
......@@ -274,7 +275,7 @@ function checkClick(el) {
<fmt:message key="system.emailtest.body" />:
</td>
<td>
<textarea name="body" cols="45" rows="5" wrap="virtual"><%= body %></textarea>
<textarea name="body" cols="45" rows="5" wrap="virtual"><%= StringUtils.escapeHTMLTags(body) %></textarea>
</td>
</tr>
<tr>
......@@ -290,4 +291,4 @@ function checkClick(el) {
</form>
</body>
</html>
\ No newline at end of file
</html>
......@@ -213,14 +213,14 @@
<tr>
<td width="1%" nowrap><label for="usernametf"><fmt:message key="user.create.username" />:</label> *</td>
<td width="99%">
<input type="text" name="username" size="30" maxlength="75" value="<%= ((username!=null) ? username : "") %>"
<input type="text" name="username" size="30" maxlength="75" value="<%= ((username!=null) ? StringUtils.escapeForXML(username) : "") %>"
id="usernametf" autocomplete="off">
</td>
</tr>
<tr>
<td width="1%" nowrap><label for="nametf"><fmt:message key="user.create.name" />:</label> <%= UserManager.getUserProvider().isNameRequired() ? "*" : "" %></td>
<td width="99%">
<input type="text" name="name" size="30" maxlength="75" value="<%= ((name!=null) ? name : "") %>"
<input type="text" name="name" size="30" maxlength="75" value="<%= ((name!=null) ? StringUtils.escapeForXML(name) : "") %>"
id="nametf">
</td>
</tr>
......@@ -228,7 +228,7 @@
<td width="1%" nowrap>
<label for="emailtf"><fmt:message key="user.create.email" />:</label> <%= UserManager.getUserProvider().isEmailRequired() ? "*" : "" %></td>
<td width="99%">
<input type="text" name="email" size="30" maxlength="75" value="<%= ((email!=null) ? email : "") %>"
<input type="text" name="email" size="30" maxlength="75" value="<%= ((email!=null) ? StringUtils.escapeForXML(email) : "") %>"
id="emailtf">
</td>
</tr>
......@@ -299,4 +299,4 @@ if (UserManager.getUserProvider().isReadOnly()) { %>
<% } %>
</body>
</html>
\ No newline at end of file
</html>
......@@ -24,6 +24,7 @@
%>
<%@ page import="org.jivesoftware.openfire.user.UserManager" %>
<%@ page import="org.jivesoftware.util.ParamUtils" %>
<%@ page import="org.jivesoftware.util.StringUtils" %>
<%@ page import="org.xmpp.packet.JID" %>
<%@ page import="org.xmpp.packet.StreamError" %>
<%@ page import="java.net.URLEncoder" %>
......@@ -95,7 +96,7 @@
<p>
<fmt:message key="user.delete.info" />
<b><a href="user-properties.jsp?username=<%= URLEncoder.encode(user.getUsername(), "UTF-8") %>"><%= JID.unescapeNode(user.getUsername()) %></a></b>
<b><a href="user-properties.jsp?username=<%= URLEncoder.encode(user.getUsername(), "UTF-8") %>"><%= StringUtils.escapeHTMLTags(JID.unescapeNode(user.getUsername())) %></a></b>
<fmt:message key="user.delete.info1" />
</p>
......@@ -106,7 +107,7 @@
</c:if>
<form action="user-delete.jsp">
<input type="hidden" name="username" value="<%= username %>">
<input type="hidden" name="username" value="<%= StringUtils.escapeForXML(username) %>">
<input type="submit" name="delete" value="<fmt:message key="user.delete.delete" />">
<input type="submit" name="cancel" value="<fmt:message key="global.cancel" />">
</form>
......
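Review bot: The delete form in the last hunk of this section (`<form action="user-delete.jsp">`) has no `method` attribute and no anti-CSRF token among its fields, so the deletion is sent as a GET request that another site can trigger through an authenticated administrator's browser. Escaping the hidden `username` value fixes the markup injection but does not address that. I would change the opening tag to `<form action="user-delete.jsp" method="post">` and add a per-session token field that the page verifies before acting; the handling scriptlet is outside the visible hunks, so whether it already rejects GET cannot be confirmed here. The forms that submit to user-edit-form.jsp, user-lockout.jsp, user-roster-delete.jsp, user-roster-edit.jsp and user-roster-add.jsp (explicit `method="get"`) in the later sections follow the same pattern.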
......@@ -18,6 +18,7 @@
--%>
<%@ page import="org.jivesoftware.util.ParamUtils,
org.jivesoftware.util.StringUtils,
org.jivesoftware.openfire.user.*,
java.net.URLEncoder"
errorPage="error.jsp"
......@@ -141,7 +142,7 @@
<form action="user-edit-form.jsp">
<input type="hidden" name="username" value="<%= username %>">
<input type="hidden" name="username" value="<%= StringUtils.escapeForXML(username) %>">
<input type="hidden" name="save" value="true">
<fieldset>
......@@ -154,7 +155,7 @@
<fmt:message key="user.create.username" />:
</td>
<td>
<%= JID.unescapeNode(user.getUsername()) %>
<%= StringUtils.escapeHTMLTags(JID.unescapeNode(user.getUsername())) %>
</td>
</tr>
<tr>
......@@ -163,7 +164,7 @@
</td>
<td>
<input type="text" size="30" maxlength="150" name="name"
value="<%= user.getName() %>">
value="<%= StringUtils.escapeForXML(user.getName()) %>">
</td>
</tr>
<tr>
......@@ -172,7 +173,7 @@
</td>
<td>
<input type="text" size="30" maxlength="150" name="email"
value="<%= ((user.getEmail()!=null) ? user.getEmail() : "") %>">
value="<%= ((user.getEmail()!=null) ? StringUtils.escapeForXML(user.getEmail()) : "") %>">
</td>
</tr>
<% if (!AdminManager.getAdminProvider().isReadOnly()) { %>
......
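Review bot: In the name field, `StringUtils.escapeForXML(user.getName())` is called without the null guard that the email field directly below it keeps. If `getName()` can return null, what the field shows depends on how the helper treats null (its body is not visible here), and the two fields behave differently. I would write it the same way as the email line: `value="<%= ((user.getName()!=null) ? StringUtils.escapeForXML(user.getName()) : "") %>"`.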
......@@ -24,6 +24,7 @@
<%@ page import="org.jivesoftware.openfire.security.SecurityAuditManager" %>
<%@ page import="org.jivesoftware.openfire.session.ClientSession" %>
<%@ page import="org.jivesoftware.util.ParamUtils" %>
<%@ page import="org.jivesoftware.util.StringUtils" %>
<%@ page import="org.xmpp.packet.JID" %>
<%@ page import="org.xmpp.packet.StreamError" %>
<%@ page import="java.net.URLEncoder" %>
......@@ -133,7 +134,7 @@
<p>
<fmt:message key="user.lockout.locked">
<fmt:param value="<%= "<b><a href='user-properties.jsp?username="+URLEncoder.encode(username, "UTF-8")+"'>"+JID.unescapeNode(username)+"</a></b>" %>"/>
<fmt:param value="<%= "<b><a href='user-properties.jsp?username="+URLEncoder.encode(username, "UTF-8")+"'>"+StringUtils.escapeHTMLTags(JID.unescapeNode(username))+"</a></b>" %>"/>
</fmt:message>
<% if (flag.getStartTime() != null) { %><fmt:message key="user.lockout.locked2"><fmt:param value="<%= flag.getStartTime().toString() %>"/></fmt:message> <% } %>
<% if (flag.getStartTime() != null && flag.getEndTime() != null) { %> <fmt:message key="user.lockout.lockedand" /> <% } %>
......@@ -141,7 +142,7 @@
</p>
<form action="user-lockout.jsp">
<input type="hidden" name="username" value="<%= username %>">
<input type="hidden" name="username" value="<%= StringUtils.escapeForXML(username) %>">
<input type="submit" name="unlock" value="<fmt:message key="user.lockout.unlock" />">
<input type="submit" name="cancel" value="<fmt:message key="global.cancel" />">
</form>
......@@ -154,7 +155,7 @@
<p>
<fmt:message key="user.lockout.info" />
<b><a href="user-properties.jsp?username=<%= URLEncoder.encode(username, "UTF-8") %>"><%= JID.unescapeNode(username) %></a></b>
<b><a href="user-properties.jsp?username=<%= URLEncoder.encode(username, "UTF-8") %>"><%= StringUtils.escapeHTMLTags(JID.unescapeNode(username)) %></a></b>
<fmt:message key="user.lockout.info1" />
</p>
......@@ -183,7 +184,7 @@
<input type="radio" name="duration" value="-2" /> <fmt:message key="user.lockout.time.for" /> <input type="text" size="5" maxlength="10" name="duration_custom" /> <fmt:message key="user.lockout.time.minutes"/><br />
<br />
<% } %>
<input type="hidden" name="username" value="<%= username %>">
<input type="hidden" name="username" value="<%= StringUtils.escapeForXML(username) %>">
<input type="submit" name="lock" value="<fmt:message key="user.lockout.lock" />">
<input type="submit" name="cancel" value="<fmt:message key="global.cancel" />">
</form>
......
......@@ -19,6 +19,7 @@
--%>
<%@ page import="org.jivesoftware.util.ParamUtils,
org.jivesoftware.util.StringUtils,
org.jivesoftware.openfire.SessionManager,
org.jivesoftware.openfire.session.ClientSession,
org.jivesoftware.openfire.user.User,
......@@ -169,7 +170,7 @@ function updateSelect(el) {
<form action="user-message.jsp" method="post" name="f">
<% if(username != null){ %>
<input type="hidden" name="username" value="<%= username %>">
<input type="hidden" name="username" value="<%= StringUtils.escapeForXML(username) %>">
<% } %>
<input type="hidden" name="tabs" value="<%= tabs %>">
<input type="hidden" name="send" value="true">
......@@ -276,4 +277,4 @@ document.f.message.focus();
</body>
</html>
\ No newline at end of file
</html>
......@@ -132,7 +132,7 @@
</p>
<form action="user-password.jsp" name="passform" method="post">
<input type="hidden" name="username" value="<%= username %>">
<input type="hidden" name="username" value="<%=StringUtils.escapeForXML(username) %>">
<fieldset>
<legend><fmt:message key="user.password.change" /></legend>
......@@ -144,7 +144,7 @@
<fmt:message key="user.create.username" />:
</td>
<td class="c2">
<%= JID.unescapeNode(user.getUsername()) %>
<%= StringUtils.escapeHTMLTags(JID.unescapeNode(user.getUsername())) %>
</td>
</tr>
<tr>
......
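Review bot: This section calls `StringUtils.escapeForXML` and `StringUtils.escapeHTMLTags` but, unlike the sections before it, shows no hunk adding `org.jivesoftware.util.StringUtils` to the page imports. If the file does not already import the class, the JSP will not compile and the escaping never takes effect. Confirm the import is present or add `<%@ page import="org.jivesoftware.util.StringUtils" %>`. The same check applies to the later sections whose forms submit to user-roster-add.jsp and user-roster-delete.jsp, and to the roster list, search and summary sections, none of which show an import hunk either.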
......@@ -28,6 +28,7 @@
<%@ page import="org.jivesoftware.util.JiveGlobals"%>
<%@ page import="org.jivesoftware.util.LocaleUtils"%>
<%@ page import="org.jivesoftware.util.ParamUtils"%>
<%@ page import="org.jivesoftware.util.StringUtils"%>
<%@ page import="org.xmpp.packet.JID"%><%@ page import="org.xmpp.packet.Presence"%>
<%@ page import="java.net.URLEncoder" %>
<%@ page import="java.util.Collection" %>
......@@ -185,7 +186,7 @@
<fmt:message key="user.create.username" />:
</td>
<td>
<%= JID.unescapeNode(user.getUsername()) %>
<%= StringUtils.escapeHTMLTags(JID.unescapeNode(user.getUsername())) %>
<% if (lockedOut) { %><img src="/images/forbidden-16x16.gif" align="top" height="16" width="16" alt="<fmt:message key='user.properties.locked'/>" title="<fmt:message key='user.properties.locked'/>"/><% } %>
<% if (pendingLockOut) { %><img src="/images/warning-16x16.gif" align="top" height="16" width="16" alt="<fmt:message key='user.properties.locked_set'/>" title="<fmt:message key='user.properties.locked_set'/>"/><% } %>
</td>
......@@ -241,7 +242,7 @@
</span>
<% } else { %>
<%= user.getName() %>
<%= StringUtils.escapeHTMLTags(user.getName()) %>
<% } %>
</td>
......@@ -257,7 +258,7 @@
</span>
<% } else { %>
<a href="mailto:<%= user.getEmail() %>"><%= user.getEmail() %></a>
<a href="mailto:<%= StringUtils.escapeForXML(user.getEmail()) %>"><%= StringUtils.escapeHTMLTags(user.getEmail()) %></a>
<% } %>
&nbsp;
......@@ -306,11 +307,11 @@
<% if (user != null && !UserManager.getUserProvider().isReadOnly()) { %>
<form action="user-edit-form.jsp">
<input type="hidden" name="username" value="<%= user.getUsername() %>">
<input type="hidden" name="username" value="<%= StringUtils.escapeForXML(user.getUsername()) %>">
<input type="submit" value="<fmt:message key="global.edit_properties" />">
</form>
<% } %>
</body>
</html>
\ No newline at end of file
</html>
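Review bot: The `mailto:` link escapes the address for the HTML attribute only, but the value is also parsed as a URL, where `?` and `&` introduce mailto header fields. A stored address containing those characters can no longer break out of the attribute, yet it would still produce a link that pre-fills fields the administrator did not expect. Whether addresses are validated when they are saved is not visible here, so I would record the assumption above the link: `<%-- href is HTML-escaped only; the address is assumed to be validated on write, mailto: header fields are not neutralised here --%>`.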
......@@ -107,7 +107,7 @@
<p>
<fmt:message key="user.roster.add.info">
<fmt:param value="<%= username %>"/>
<fmt:param value="<%= StringUtils.escapeForXML(username) %>"/>
</fmt:message>
</p>
......@@ -156,7 +156,7 @@
<form name="f" action="user-roster-add.jsp" method="get">
<input type="hidden" name="username" value="<%= username %>">
<input type="hidden" name="username" value="<%= StringUtils.escapeForXML(username) %>">
<div class="jive-contentBoxHeader">
<fmt:message key="user.roster.add.new_item" />
......@@ -167,7 +167,7 @@
<tr>
<td width="1%" nowrap><label for="jidtf"><fmt:message key="user.roster.jid" />:</label> *</td>
<td width="99%">
<input type="text" name="jid" size="30" maxlength="255" value="<%= ((jid!=null) ? jid : "") %>"
<input type="text" name="jid" size="30" maxlength="255" value="<%= ((jid!=null) ? StringUtils.escapeForXML(jid) : "") %>"
id="jidtf">
</td>
</tr>
......@@ -176,7 +176,7 @@
<label for="nicknametf"><fmt:message key="user.roster.nickname" />:</label>
</td>
<td width="99%">
<input type="text" name="nickname" size="30" maxlength="255" value="<%= ((nickname!=null) ? nickname : "") %>"
<input type="text" name="nickname" size="30" maxlength="255" value="<%= ((nickname!=null) ? StringUtils.escapeForXML(nickname) : "") %>"
id="nicknametf">
</td>
</tr>
......@@ -184,7 +184,7 @@
<td width="1%" nowrap>
<label for="groupstf"><fmt:message key="user.roster.groups" />:</label></td>
<td width="99%">
<input type="text" name="groups" size="30" maxlength="255" value="<%= ((groups!=null) ? groups : "") %>"
<input type="text" name="groups" size="30" maxlength="255" value="<%= ((groups!=null) ? StringUtils.escapeForXML(groups) : "") %>"
id="groupstf">
</td>
</tr>
......@@ -211,4 +211,4 @@
</script>
</body>
</html>
\ No newline at end of file
</html>
......@@ -67,14 +67,14 @@
<p>
<fmt:message key="user.roster.delete.info">
<fmt:param value="<%= "<b>"+jid+"</b>" %>" />
<fmt:param value="<%= "<b>"+username+"</b>" %>" />
<fmt:param value="<%= "<b>"+StringUtils.escapeForXML(jid)+"</b>" %>" />
<fmt:param value="<%= "<b>"+StringUtils.escapeForXML(username)+"</b>" %>" />
</fmt:message>
</p>
<form action="user-roster-delete.jsp">
<input type="hidden" name="username" value="<%= username %>">
<input type="hidden" name="jid" value="<%= jid %>">
<input type="hidden" name="username" value="<%= StringUtils.escapeForXML(username) %>">
<input type="hidden" name="jid" value="<%= StringUtils.escapeForXML(jid) %>">
<input type="submit" name="delete" value="<fmt:message key="user.roster.delete.delete" />">
<input type="submit" name="cancel" value="<fmt:message key="global.cancel" />">
</form>
......
......@@ -18,6 +18,7 @@
--%>
<%@ page import="org.jivesoftware.util.ParamUtils,
org.jivesoftware.util.StringUtils,
java.net.URLEncoder"
errorPage="error.jsp"
%><%@ page import="org.xmpp.packet.JID"%>
......@@ -85,14 +86,14 @@
<p>
<fmt:message key="user.roster.edit.info">
<fmt:param value="<%= username %>"/>
<fmt:param value="<%= StringUtils.escapeForXML(username) %>"/>
</fmt:message>
</p>
<form action="user-roster-edit.jsp">
<input type="hidden" name="username" value="<%= username %>">
<input type="hidden" name="jid" value="<%= jid %>">
<input type="hidden" name="username" value="<%= StringUtils.escapeForXML(username) %>">
<input type="hidden" name="jid" value="<%= StringUtils.escapeForXML(jid) %>">
<input type="hidden" name="save" value="true">
<fieldset>
......@@ -105,7 +106,7 @@
<fmt:message key="user.roster.jid" />:
</td>
<td>
<%= jid %>
<%= StringUtils.escapeHTMLTags(jid) %>
</td>
</tr>
<tr>
......@@ -114,7 +115,7 @@
</td>
<td>
<input type="text" size="30" maxlength="150" name="nickname"
value="<%= item.getNickname() %>">
value="<%= StringUtils.escapeForXML(item.getNickname()) %>">
</td>
</tr>
<tr>
......@@ -131,7 +132,7 @@
if (count != 0) {
out.print(",");
}
out.print(group);
out.print(StringUtils.escapeForXML(group));
count++;
}
}
......@@ -152,7 +153,7 @@
out.print(",");
}
out.print("<a href='group-edit.jsp?group="+URLEncoder.encode(group.getName(), "UTF-8")+"'>");
out.print(group.getName());
out.print(StringUtils.escapeForXML(group.getName()));
out.print("</a>");
count++;
}
......@@ -190,4 +191,4 @@
</form>
</body>
</html>
\ No newline at end of file
</html>
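Review bot: `StringUtils.escapeForXML(item.getNickname())` in the nickname input is called without a null check, although the roster list section of this same commit guards the value with `rosterItem.getNickname() != null`, which suggests a roster item can have no nickname. What the field shows for such an item then depends on the helper's null handling, which is not visible here. I would guard it the same way: `value="<%= (item.getNickname() != null ? StringUtils.escapeForXML(item.getNickname()) : "") %>">`. The read-only view section has the same unguarded call in `StringUtils.escapeHTMLTags(item.getNickname())`.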
......@@ -18,6 +18,7 @@
--%>
<%@ page import="org.jivesoftware.util.ParamUtils,
org.jivesoftware.util.StringUtils,
java.net.URLEncoder"
errorPage="error.jsp"
%><%@ page import="org.xmpp.packet.JID"%>
......@@ -84,7 +85,7 @@
<p>
<fmt:message key="user.roster.edit.info">
<fmt:param value="<%= username %>"/>
<fmt:param value="<%= StringUtils.escapeForXML(username) %>"/>
</fmt:message>
</p>
......@@ -98,7 +99,7 @@
<fmt:message key="user.roster.jid" />:
</td>
<td>
<%= jid %>
<%= StringUtils.escapeHTMLTags(jid) %>
</td>
</tr>
<tr>
......@@ -106,7 +107,7 @@
<fmt:message key="user.roster.nickname" />:
</td>
<td>
<%= item.getNickname() %>
<%= StringUtils.escapeHTMLTags(item.getNickname()) %>
</td>
</tr>
<tr>
......@@ -122,7 +123,7 @@
if (count != 0) {
out.print(",");
}
out.print(group);
out.print(StringUtils.escapeForXML(group));
count++;
}
}
......@@ -146,7 +147,7 @@
out.print(",");
}
out.print("<a href='group-edit.jsp?group="+URLEncoder.encode(group.getName(), "UTF-8")+"'>");
out.print(group.getName());
out.print(StringUtils.escapeForXML(group.getName()));
out.print("</a>");
count++;
}
......@@ -162,7 +163,7 @@
<fmt:message key="user.roster.subscription" />:
</td>
<td>
<%= item.getSubStatus().getName() %>
<%= StringUtils.escapeHTMLTags(item.getSubStatus().getName()) %>
</td>
</tr>
</tbody>
......@@ -173,18 +174,18 @@
<br><br>
<form style="display: inline" action="user-roster-edit.jsp">
<input type="hidden" name="jid" value="<%= jid %>">
<input type="hidden" name="username" value="<%= username %>">
<input type="hidden" name="jid" value="<%= StringUtils.escapeForXML(jid) %>">
<input type="hidden" name="username" value="<%= StringUtils.escapeForXML(username) %>">
<input type="submit" value="<fmt:message key="user.roster.edit" />">
</form>
<% if (sharedGroups.isEmpty()) { %>
<form style="display: inline" action="user-roster-delete.jsp">
<input type="hidden" name="jid" value="<%= jid %>">
<input type="hidden" name="username" value="<%= username %>">
<input type="hidden" name="jid" value="<%= StringUtils.escapeForXML(jid) %>">
<input type="hidden" name="username" value="<%= StringUtils.escapeForXML(username) %>">
<input type="submit" value="<fmt:message key="global.delete" />">
</form>
<% } %>
</body>
</html>
\ No newline at end of file
</html>
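Review bot: The group names in the two `out.print(...)` loops are encoded with `escapeForXML`, while the JID, nickname and subscription values in the neighbouring table cells use `escapeHTMLTags`. The markup around the loops is outside the hunks; if they do print into element text, using one helper per output context would make the page easier to audit: `out.print(StringUtils.escapeHTMLTags(group));` and `out.print(StringUtils.escapeHTMLTags(group.getName()));`. If the difference is intentional, a one-line comment stating which helper is for attribute values and which for element text would help the next reviewer.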
......@@ -149,7 +149,7 @@
<p>
<fmt:message key="user.roster.info">
<fmt:param value="<%= "<b>"+JID.unescapeNode(username)+"</b>" %>" />
<fmt:param value="<%= "<b>"+StringUtils.escapeForXML(JID.unescapeNode(username))+"</b>" %>" />
</fmt:message>
</p>
......@@ -298,7 +298,7 @@
><%= rosterItem.getJid() %></a>
</td>
<td>
<%= (rosterItem.getNickname() != null ? rosterItem.getNickname() : "<i>None</i>") %>
<%= (rosterItem.getNickname() != null ? StringUtils.escapeHTMLTags(rosterItem.getNickname()) : "<i>None</i>") %>
</td>
<td>
<%
......@@ -363,4 +363,4 @@
<br><br>
</body>
</html>
\ No newline at end of file
</html>
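Review bot: The link text `<%= rosterItem.getJid() %>` in the second hunk is still written to the page unescaped, three lines above the nickname that this commit now escapes. Other sections of this commit treat a roster JID as untrusted and wrap it in `escapeHTMLTags`, so this spot looks missed; the opening `<a ...>` tag is above the hunk and its `href` cannot be checked from here. I would change the line to `><%= StringUtils.escapeHTMLTags(rosterItem.getJid().toString()) %></a>`, assuming `getJid()` returns a JID object rather than a String.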
......@@ -65,7 +65,7 @@
<tr class="c1">
<td width="1%" nowrap><fmt:message key="user.create.username" />:</td>
<td class="c2">
<input type="text" name="username" value="<%= ((username!=null) ? username : "") %>" size="30" maxlength="75"/>
<input type="text" name="username" value="<%= ((username!=null) ? StringUtils.escapeForXML(username) : "") %>" size="30" maxlength="75"/>
</td>
</tr>
<tr><td colspan="2" nowrap><input type="submit" name="search" value="<fmt:message key="user.search.search" />"/><input type="submit" name="cancel" value="<fmt:message key="global.cancel" />"/></td>
......
......@@ -230,13 +230,13 @@
<% } %>
</td>
<td width="23%">
<a href="user-properties.jsp?username=<%= URLEncoder.encode(user.getUsername(), "UTF-8") %>"<%= lockedOut ? " style='text-decoration: line-through underline;'" : "" %>><%= JID.unescapeNode(user.getUsername()) %></a>
<a href="user-properties.jsp?username=<%= URLEncoder.encode(user.getUsername(), "UTF-8") %>"<%= lockedOut ? " style='text-decoration: line-through underline;'" : "" %>><%= StringUtils.escapeHTMLTags(JID.unescapeNode(user.getUsername())) %></a>
<% if (isAdmin) { %><img src="/images/star-16x16.gif" height="16" width="16" align="top" alt="<fmt:message key='user.properties.isadmin'/>" title="<fmt:message key='user.properties.isadmin'/>"/><% } %>
<% if (lockedOut) { %><img src="/images/forbidden-16x16.gif" height="16" width="16" align="top" alt="<fmt:message key='user.properties.locked'/>" title="<fmt:message key='user.properties.locked'/>"/><% } %>
<% if (pendingLockOut) { %><img src="/images/warning-16x16.gif" height="16" width="16" align="top" alt="<fmt:message key='user.properties.locked_set'/>" title="<fmt:message key='user.properties.locked_set'/>"/><% } %>
</td>
<td width="33%">
<%= user.getName() %> &nbsp;
<%= StringUtils.escapeHTMLTags(user.getName()) %> &nbsp;
</td>
<td width="15%">
<%= JiveGlobals.formatDate(user.getCreationDate()) %>
......