1 files changed, 23 insertions, 4 deletions

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/SelectBKUServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/SelectBKUServlet.java
index 09b3ae15f..6e285a2c0 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/SelectBKUServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/SelectBKUServlet.java
@@ -24,7 +24,10 @@ import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.apache.commons.lang.StringEscapeUtils;
+
 import at.gv.egovernment.moa.id.auth.AuthenticationServer;
+import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
 import at.gv.egovernment.moa.id.auth.MOAIDAuthInitializer;
 import at.gv.egovernment.moa.id.auth.WrongParametersException;
 import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
@@ -70,6 +73,12 @@ public class SelectBKUServlet extends AuthServlet {
     throws ServletException, IOException {
 
     Logger.debug("GET SelectBKU");
+    
+    resp.setHeader(MOAIDAuthConstants.HEADER_EXPIRES,MOAIDAuthConstants.HEADER_VALUE_EXPIRES);
+    resp.setHeader(MOAIDAuthConstants.HEADER_PRAGMA,MOAIDAuthConstants.HEADER_VALUE_PRAGMA);
+	resp.setHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL,MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL);
+	resp.addHeader(MOAIDAuthConstants.HEADER_CACHE_CONTROL,MOAIDAuthConstants.HEADER_VALUE_CACHE_CONTROL_IE);
+    
     String authURL = req.getScheme() + "://" + req.getServerName();
     if ((req.getScheme().equalsIgnoreCase("https") && req.getServerPort()!=443) || (req.getScheme().equalsIgnoreCase("http") && req.getServerPort()!=80)) { 
       authURL = authURL.concat(":" + req.getServerPort());
@@ -80,6 +89,14 @@ public class SelectBKUServlet extends AuthServlet {
     String oaURL = req.getParameter(PARAM_OA);
     String bkuSelectionTemplateURL = req.getParameter(PARAM_BKUTEMPLATE);
     String templateURL = req.getParameter(PARAM_TEMPLATE);
+    
+    // escape parameter strings
+    target = StringEscapeUtils.escapeHtml(target);
+    oaURL = StringEscapeUtils.escapeHtml(oaURL);    
+    templateURL = StringEscapeUtils.escapeHtml(templateURL);
+    bkuSelectionTemplateURL = StringEscapeUtils.escapeHtml(bkuSelectionTemplateURL);
+    
+    
     resp.setHeader(HEADER_EXPIRES,HEADER_VALUE_EXPIRES);
     resp.setHeader(HEADER_PRAGMA,HEADER_VALUE_PRAGMA);
     resp.setHeader(HEADER_CACHE_CONTROL,HEADER_VALUE_CACHE_CONTROL);
@@ -89,11 +106,13 @@ public class SelectBKUServlet extends AuthServlet {
        
        // check parameter
        if (!ParamValidatorUtils.isValidTarget(target))
-          throw new WrongParametersException("StartAuthentication", PARAM_TARGET, "auth.12");
+          throw new WrongParametersException("SelectBKU", PARAM_TARGET, "auth.12");
        if (!ParamValidatorUtils.isValidOA(oaURL))
-          throw new WrongParametersException("StartAuthentication", PARAM_OA, "auth.12");
-       if (!ParamValidatorUtils.isValidTemplate(templateURL))
-          throw new WrongParametersException("StartAuthentication", PARAM_TEMPLATE, "auth.12");
+          throw new WrongParametersException("SelectBKU", PARAM_OA, "auth.12");
+       if (!ParamValidatorUtils.isValidTemplate(req, templateURL))
+          throw new WrongParametersException("SelectBKU", PARAM_TEMPLATE, "auth.12");
+       if (!ParamValidatorUtils.isValidTemplate(req, bkuSelectionTemplateURL))
+           throw new WrongParametersException("SelectBKU", PARAM_TEMPLATE, "auth.12");
 
        
       String returnValue = AuthenticationServer.getInstance().selectBKU(