add escaping on some places

author: Thomas Lenz <tlenz@iaik.tugraz.at> 2017-11-27 12:11:45 +0100
committer: Thomas Lenz <tlenz@iaik.tugraz.at> 2017-11-27 12:11:45 +0100
commit: 5f2ad9d48b83d5979b1a147190f5177e3327744a (patch)
tree: 81cfcaae779036292c0fbe2213d22d7bab2fa0d1 /id/server/idserverlib/src/main/java
parent: aca73741002d4285492d2b95f88779a14171b4e7 (diff)
download: moa-id-spss-5f2ad9d48b83d5979b1a147190f5177e3327744a.tar.gz
moa-id-spss-5f2ad9d48b83d5979b1a147190f5177e3327744a.tar.bz2
moa-id-spss-5f2ad9d48b83d5979b1a147190f5177e3327744a.zip
2 files changed, 4 insertions, 3 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java
index 5f74d8fdd..e396433e4 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java
@@ -91,7 +91,7 @@ public abstract class AbstractController extends MOAIDAuthConstants {
 		resp.setContentType(MediaType.HTML_UTF_8.toString());
 		resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Internal Server Error!" +
 				"(Errorcode=9199"
-				+" | Description="+ exception.getMessage() + ")");
+				+" | Description="+ StringEscapeUtils.escapeHtml(exception.getMessage()) + ")");
 		return;
 		
 	}
@@ -317,7 +317,7 @@ public abstract class AbstractController extends MOAIDAuthConstants {
 		if (e instanceof ProtocolNotActiveException) {
 			resp.getWriter().write(e.getMessage());
 			resp.setContentType(MediaType.HTML_UTF_8.toString());
-			resp.sendError(HttpServletResponse.SC_FORBIDDEN, e.getMessage());
+			resp.sendError(HttpServletResponse.SC_FORBIDDEN, StringEscapeUtils.escapeHtml(e.getMessage()));
 		
 		} else if (e instanceof AuthnRequestValidatorException) {
 			AuthnRequestValidatorException ex = (AuthnRequestValidatorException)e;
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/interceptor/WebFrontEndSecurityInterceptor.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/interceptor/WebFrontEndSecurityInterceptor.java
index 2976dc420..c8c6c1fb5 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/interceptor/WebFrontEndSecurityInterceptor.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/interceptor/WebFrontEndSecurityInterceptor.java
@@ -25,6 +25,7 @@ package at.gv.egovernment.moa.id.auth.servlet.interceptor;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.apache.commons.lang.StringEscapeUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.web.servlet.HandlerInterceptor;
 import org.springframework.web.servlet.ModelAndView;
@@ -76,7 +77,7 @@ public class WebFrontEndSecurityInterceptor implements HandlerInterceptor {
 			Logger.info(errorMsg);
 			response.sendError(
 					HttpServletResponse.SC_FORBIDDEN, 
-					errorMsg);
+					StringEscapeUtils.escapeHtml(errorMsg));
 						
 			return false;
 		} else {
author	Thomas Lenz <tlenz@iaik.tugraz.at>	2017-11-27 12:11:45 +0100
committer	Thomas Lenz <tlenz@iaik.tugraz.at>	2017-11-27 12:11:45 +0100
commit	5f2ad9d48b83d5979b1a147190f5177e3327744a (patch)
tree	81cfcaae779036292c0fbe2213d22d7bab2fa0d1 /id/server/idserverlib/src/main/java
parent	aca73741002d4285492d2b95f88779a14171b4e7 (diff)
download	moa-id-spss-5f2ad9d48b83d5979b1a147190f5177e3327744a.tar.gz moa-id-spss-5f2ad9d48b83d5979b1a147190f5177e3327744a.tar.bz2 moa-id-spss-5f2ad9d48b83d5979b1a147190f5177e3327744a.zip