OF-1272 Close XSS in dbaccess plugin (#742)

Straightforward failure to escape in this debugging plugin.

OF-1272 Close XSS in dbaccess plugin (#742)
Straightforward failure to escape in this debugging plugin.
f4529cd2 · Dave Cridland · daryl herzmann · aabb2bf5 · f4529cd2
Commit f4529cd2 authored Apr 14, 2017 by Dave Cridland Committed by daryl herzmann Apr 14, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 1 deletion

db-access.jsp src/plugins/dbaccess/src/web/db-access.jsp +2 -1

No files found.
--- a/src/plugins/dbaccess/src/web/db-access.jsp
+++ b/src/plugins/dbaccess/src/web/db-access.jsp
 <%@ page import="org.jivesoftware.database.DbConnectionManager" %>
 <%@ page import="java.sql.*" %>
+<%@ page import="org.jivesoftware.util.StringUtils" %>
 <%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
 <%@ taglib uri="http://java.sun.com/jsp/jstl/fmt" prefix="fmt" %>

@@ -68,7 +69,7 @@
                    out.print("<tr>");
                    for (int i=1; i<=count; i++) {
                        out.print("<td>");
-                        out.print(rs.getString(i));
+                        out.print(StringUtils.escapeHTMLTags(rs.getString(i)));
                    }
                    out.println("</tr>");
                }