1 files changed, 22 insertions, 2 deletions

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/StartAuthenticationServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/StartAuthenticationServlet.java
index 2430095b2..10b4041df 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/StartAuthenticationServlet.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/StartAuthenticationServlet.java
@@ -17,12 +17,16 @@ package at.gv.egovernment.moa.id.auth.servlet;
 
 import java.io.IOException;
 import java.io.PrintWriter;
+import java.io.Reader;
+import java.io.StringReader;
 
 import javax.servlet.ServletConfig;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.apache.commons.lang.StringEscapeUtils;
+
 import at.gv.egovernment.moa.id.MOAIDException;
 import at.gv.egovernment.moa.id.auth.AuthenticationServer;
 import at.gv.egovernment.moa.id.auth.MOAIDAuthInitializer;
@@ -64,16 +68,27 @@ public class StartAuthenticationServlet extends AuthServlet {
     authURL = authURL.concat(req.getContextPath() + "/");
 
     String target = req.getParameter(PARAM_TARGET);
-	 String oaURL = req.getParameter(PARAM_OA);
+    String oaURL = req.getParameter(PARAM_OA);
     String bkuURL = req.getParameter(PARAM_BKU);
     String templateURL = req.getParameter(PARAM_TEMPLATE);
     String sessionID = req.getParameter(PARAM_SESSIONID);
+    String useMandate = req.getParameter(PARAM_USEMANDATE);
+    
     
+    // escape parameter strings
+    target = StringEscapeUtils.escapeHtml(target);
+    oaURL = StringEscapeUtils.escapeHtml(oaURL);
+    bkuURL = StringEscapeUtils.escapeHtml(bkuURL);
+    templateURL = StringEscapeUtils.escapeHtml(templateURL);
+    sessionID = StringEscapeUtils.escapeHtml(sessionID);
+    useMandate = StringEscapeUtils.escapeHtml(useMandate);
+       
     resp.setHeader(HEADER_EXPIRES,HEADER_VALUE_EXPIRES);
     resp.setHeader(HEADER_PRAGMA,HEADER_VALUE_PRAGMA);
     resp.setHeader(HEADER_CACHE_CONTROL,HEADER_VALUE_CACHE_CONTROL);
     resp.addHeader(HEADER_CACHE_CONTROL,HEADER_VALUE_CACHE_CONTROL_IE);
     
+    //System.out.println("useMandate: " + useMandate);
     
     	try {
 		      // check parameter
@@ -83,10 +98,14 @@ public class StartAuthenticationServlet extends AuthServlet {
              throw new WrongParametersException("StartAuthentication", PARAM_OA, "auth.12");
 		    if (!ParamValidatorUtils.isValidBKUURI(bkuURL))
 		       throw new WrongParametersException("StartAuthentication", PARAM_BKU, "auth.12");
-		    if (!ParamValidatorUtils.isValidTemplate(templateURL))
+		    if (!ParamValidatorUtils.isValidTemplate(req, templateURL))
 		       throw new WrongParametersException("StartAuthentication", PARAM_TEMPLATE, "auth.12");
 		    if (!ParamValidatorUtils.isValidSessionID(sessionID))
              throw new WrongParametersException("StartAuthentication", PARAM_SESSIONID, "auth.12");
+		    if (!ParamValidatorUtils.isValidUseMandate(useMandate))
+	             throw new WrongParametersException("StartAuthentication", PARAM_USEMANDATE, "auth.12");
+		    
+		    
 		    
 		    
 			String getIdentityLinkForm =
@@ -97,6 +116,7 @@ public class StartAuthenticationServlet extends AuthServlet {
 			out.print(getIdentityLinkForm);
 			out.flush();
 			Logger.debug("Finished GET StartAuthentication");
+		
 		}
     catch (WrongParametersException ex) {
       handleWrongParameters(ex, req, resp);