3 files changed, 22 insertions, 23 deletions

diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/ParepUtils.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/ParepUtils.java
index 09c64c267..7bb07df74 100644
--- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/ParepUtils.java
+++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/ParepUtils.java
@@ -94,24 +94,24 @@ public class ParepUtils {
     return str == null || "".equals(str);
   }
 
-  /**
-   * Reads a XML document from an input stream (namespace-aware).
-   * 
-   * @param is
-   *          the input stream to read from.
-   * @return the read XML document.
-   * @throws SZRGWClientException
-   *           if an error occurs reading the document from the input stream.
-   */
-  public static Document readDocFromIs(InputStream is) throws SZRGWClientException {
-    try {
-      DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
-      f.setNamespaceAware(true);
-      return f.newDocumentBuilder().parse(is);
-    } catch (Exception e) {
-      throw new SZRGWClientException(e);
-    }
-  }
+//  /**
+//   * Reads a XML document from an input stream (namespace-aware).
+//   * 
+//   * @param is
+//   *          the input stream to read from.
+//   * @return the read XML document.
+//   * @throws SZRGWClientException
+//   *           if an error occurs reading the document from the input stream.
+//   */
+//  public static Document readDocFromIs(InputStream is) throws SZRGWClientException {
+//    try {
+//      DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
+//      f.setNamespaceAware(true);
+//      return f.newDocumentBuilder().parse(is);
+//    } catch (Exception e) {
+//      throw new SZRGWClientException(e);
+//    }
+//  }
 
 //  /*
 //   * 
diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java
index b2522ea33..b7c54203f 100644
--- a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java
+++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java
@@ -71,7 +71,7 @@ class OAuth20AuthAction implements IAction {
 		
 		revisionsLogger.logEvent(req, MOAIDEventConstants.AUTHPROTOCOL_OPENIDCONNECT_AUTHREQUEST);
 		
-		String code = Random.nextRandom();		
+		String code = Random.nextHexRandom32();		
 				
 		try {
 			
diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferServlet.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferServlet.java
index 7d1bfd7b9..a37beac70 100644
--- a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferServlet.java
+++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferServlet.java
@@ -50,6 +50,7 @@ import javax.security.cert.X509Certificate;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.apache.commons.lang.StringEscapeUtils;
 import org.bouncycastle.asn1.x500.X500Name;
 import org.bouncycastle.asn1.x509.BasicConstraints;
 import org.bouncycastle.asn1.x509.Extension;
@@ -186,7 +187,7 @@ public class SSOTransferServlet{
 		Logger.debug("Receive " + this.getClass().getName() + " request");
 		Object tokenObj = req.getParameter(SSOTransferConstants.REQ_PARAM_TOKEN);		
 		if (tokenObj != null && tokenObj instanceof String) {
-			String token = (String)tokenObj;
+			String token = StringEscapeUtils.escapeHtml((String)tokenObj);
 			try {
 				Logger.debug("Load token:" + token + " from storage.");
 				SSOTransferContainer container = transactionStorage.get(token, SSOTransferContainer.class, transmisionTimeOut * 1000);
@@ -285,7 +286,7 @@ public class SSOTransferServlet{
 		
 		Object tokenObj = req.getParameter(SSOTransferConstants.REQ_PARAM_TOKEN);		
 		if (tokenObj != null && tokenObj instanceof String) {
-			String token = (String)tokenObj;
+			String token = StringEscapeUtils.escapeHtml((String)tokenObj);
 			try {								
 				SSOTransferContainer container = transactionStorage.get(token, SSOTransferContainer.class, transmisionTimeOut);
 				if (container != null) {				
@@ -402,8 +403,6 @@ public class SSOTransferServlet{
 					null);
 			
 			if (ssomanager.isValidSSOSession(ssoid, null)) {
-				//Object createQRObj = req.getParameter(SSOTransferConstants.REQ_PARAM_GENERATE_QR);		
-				
 				//create first step of SSO Transfer GUI
 								
 				IAuthenticationSession authSession = authenticationSessionStorage.getInternalMOASessionWithSSOID(ssoid);