add escaping on some places

author: Thomas Lenz <tlenz@iaik.tugraz.at> 2017-11-27 12:11:45 +0100
committer: Thomas Lenz <tlenz@iaik.tugraz.at> 2017-11-27 15:45:21 +0100
commit: 366c463274f3ca06d500c59c0839feb225b4e0b5 (patch)
tree: 8130bfea98bf99a36f172f4aa89c8a1ff843c52d /id/server/idserverlib/src
parent: 868d6e587cb262683a658fdbd56bb752913638b4 (diff)
download: moa-id-spss-366c463274f3ca06d500c59c0839feb225b4e0b5.tar.gz
moa-id-spss-366c463274f3ca06d500c59c0839feb225b4e0b5.tar.bz2
moa-id-spss-366c463274f3ca06d500c59c0839feb225b4e0b5.zip
2 files changed, 4 insertions, 3 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java
index 67611dd72..dcf337213 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java
@@ -91,7 +91,7 @@ public abstract class AbstractController extends MOAIDAuthConstants {
 		resp.setContentType(MediaType.HTML_UTF_8.toString());
 		resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Internal Server Error!" +
 				"(Errorcode=9199"
-				+" | Description="+ exception.getMessage() + ")");
+				+" | Description="+ StringEscapeUtils.escapeHtml(exception.getMessage()) + ")");
 		return;
 		
 	}
@@ -318,7 +318,7 @@ public abstract class AbstractController extends MOAIDAuthConstants {
 		if (e instanceof ProtocolNotActiveException) {
 			resp.getWriter().write(e.getMessage());
 			resp.setContentType(MediaType.HTML_UTF_8.toString());
-			resp.sendError(HttpServletResponse.SC_FORBIDDEN, e.getMessage());
+			resp.sendError(HttpServletResponse.SC_FORBIDDEN, StringEscapeUtils.escapeHtml(e.getMessage()));
 		
 		} else if (e instanceof AuthnRequestValidatorException) {
 			AuthnRequestValidatorException ex = (AuthnRequestValidatorException)e;
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/interceptor/WebFrontEndSecurityInterceptor.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/interceptor/WebFrontEndSecurityInterceptor.java
index 2976dc420..c8c6c1fb5 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/interceptor/WebFrontEndSecurityInterceptor.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/interceptor/WebFrontEndSecurityInterceptor.java
@@ -25,6 +25,7 @@ package at.gv.egovernment.moa.id.auth.servlet.interceptor;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.apache.commons.lang.StringEscapeUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.web.servlet.HandlerInterceptor;
 import org.springframework.web.servlet.ModelAndView;
@@ -76,7 +77,7 @@ public class WebFrontEndSecurityInterceptor implements HandlerInterceptor {
 			Logger.info(errorMsg);
 			response.sendError(
 					HttpServletResponse.SC_FORBIDDEN, 
-					errorMsg);
+					StringEscapeUtils.escapeHtml(errorMsg));
 						
 			return false;
 		} else {
author	Thomas Lenz <tlenz@iaik.tugraz.at>	2017-11-27 12:11:45 +0100
committer	Thomas Lenz <tlenz@iaik.tugraz.at>	2017-11-27 15:45:21 +0100
commit	366c463274f3ca06d500c59c0839feb225b4e0b5 (patch)
tree	8130bfea98bf99a36f172f4aa89c8a1ff843c52d /id/server/idserverlib/src
parent	868d6e587cb262683a658fdbd56bb752913638b4 (diff)
download	moa-id-spss-366c463274f3ca06d500c59c0839feb225b4e0b5.tar.gz moa-id-spss-366c463274f3ca06d500c59c0839feb225b4e0b5.tar.bz2 moa-id-spss-366c463274f3ca06d500c59c0839feb225b4e0b5.zip