add String escaping on same methods

author: Thomas Lenz <thomas.lenz@egiz.gv.at> 2017-11-26 21:04:51 +0100
committer: Thomas Lenz <thomas.lenz@egiz.gv.at> 2017-11-26 21:04:51 +0100
commit: cc09b52b5cb1c93543d8b4353dfc59b8192e79af (patch)
tree: c66cabed572557945ff66da64d3babe8df11143d /id/server/modules/moa-id-module-ssoTransfer
parent: 7cba2dfc31076ac4ec9f4a46bc4901e7dd082121 (diff)
download: moa-id-spss-cc09b52b5cb1c93543d8b4353dfc59b8192e79af.tar.gz
moa-id-spss-cc09b52b5cb1c93543d8b4353dfc59b8192e79af.tar.bz2
moa-id-spss-cc09b52b5cb1c93543d8b4353dfc59b8192e79af.zip
1 files changed, 3 insertions, 4 deletions
diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferServlet.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferServlet.java
index 7d1bfd7b9..a37beac70 100644
--- a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferServlet.java
+++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferServlet.java
@@ -50,6 +50,7 @@ import javax.security.cert.X509Certificate;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.apache.commons.lang.StringEscapeUtils;
 import org.bouncycastle.asn1.x500.X500Name;
 import org.bouncycastle.asn1.x509.BasicConstraints;
 import org.bouncycastle.asn1.x509.Extension;
@@ -186,7 +187,7 @@ public class SSOTransferServlet{
 		Logger.debug("Receive " + this.getClass().getName() + " request");
 		Object tokenObj = req.getParameter(SSOTransferConstants.REQ_PARAM_TOKEN);		
 		if (tokenObj != null && tokenObj instanceof String) {
-			String token = (String)tokenObj;
+			String token = StringEscapeUtils.escapeHtml((String)tokenObj);
 			try {
 				Logger.debug("Load token:" + token + " from storage.");
 				SSOTransferContainer container = transactionStorage.get(token, SSOTransferContainer.class, transmisionTimeOut * 1000);
@@ -285,7 +286,7 @@ public class SSOTransferServlet{
 		
 		Object tokenObj = req.getParameter(SSOTransferConstants.REQ_PARAM_TOKEN);		
 		if (tokenObj != null && tokenObj instanceof String) {
-			String token = (String)tokenObj;
+			String token = StringEscapeUtils.escapeHtml((String)tokenObj);
 			try {								
 				SSOTransferContainer container = transactionStorage.get(token, SSOTransferContainer.class, transmisionTimeOut);
 				if (container != null) {				
@@ -402,8 +403,6 @@ public class SSOTransferServlet{
 					null);
 			
 			if (ssomanager.isValidSSOSession(ssoid, null)) {
-				//Object createQRObj = req.getParameter(SSOTransferConstants.REQ_PARAM_GENERATE_QR);		
-				
 				//create first step of SSO Transfer GUI
 								
 				IAuthenticationSession authSession = authenticationSessionStorage.getInternalMOASessionWithSSOID(ssoid);
author	Thomas Lenz <thomas.lenz@egiz.gv.at>	2017-11-26 21:04:51 +0100
committer	Thomas Lenz <thomas.lenz@egiz.gv.at>	2017-11-26 21:04:51 +0100
commit	cc09b52b5cb1c93543d8b4353dfc59b8192e79af (patch)
tree	c66cabed572557945ff66da64d3babe8df11143d /id/server/modules/moa-id-module-ssoTransfer
parent	7cba2dfc31076ac4ec9f4a46bc4901e7dd082121 (diff)
download	moa-id-spss-cc09b52b5cb1c93543d8b4353dfc59b8192e79af.tar.gz moa-id-spss-cc09b52b5cb1c93543d8b4353dfc59b8192e79af.tar.bz2 moa-id-spss-cc09b52b5cb1c93543d8b4353dfc59b8192e79af.zip