From 366c463274f3ca06d500c59c0839feb225b4e0b5 Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Mon, 27 Nov 2017 12:11:45 +0100
Subject: add escaping on some places

---
 .../at/gv/egovernment/moa/id/auth/servlet/AbstractController.java     | 4 ++--
 .../id/auth/servlet/interceptor/WebFrontEndSecurityInterceptor.java   | 3 ++-
 2 files changed, 4 insertions(+), 3 deletions(-)

(limited to 'id/server/idserverlib/src/main/java/at/gv/egovernment/moa')

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java
index 67611dd72..dcf337213 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java
@@ -91,7 +91,7 @@ public abstract class AbstractController extends MOAIDAuthConstants {
 		resp.setContentType(MediaType.HTML_UTF_8.toString());
 		resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Internal Server Error!" +
 				"(Errorcode=9199"
-				+" | Description="+ exception.getMessage() + ")");
+				+" | Description="+ StringEscapeUtils.escapeHtml(exception.getMessage()) + ")");
 		return;
 		
 	}
@@ -318,7 +318,7 @@ public abstract class AbstractController extends MOAIDAuthConstants {
 		if (e instanceof ProtocolNotActiveException) {
 			resp.getWriter().write(e.getMessage());
 			resp.setContentType(MediaType.HTML_UTF_8.toString());
-			resp.sendError(HttpServletResponse.SC_FORBIDDEN, e.getMessage());
+			resp.sendError(HttpServletResponse.SC_FORBIDDEN, StringEscapeUtils.escapeHtml(e.getMessage()));
 		
 		} else if (e instanceof AuthnRequestValidatorException) {
 			AuthnRequestValidatorException ex = (AuthnRequestValidatorException)e;
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/interceptor/WebFrontEndSecurityInterceptor.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/interceptor/WebFrontEndSecurityInterceptor.java
index 2976dc420..c8c6c1fb5 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/interceptor/WebFrontEndSecurityInterceptor.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/interceptor/WebFrontEndSecurityInterceptor.java
@@ -25,6 +25,7 @@ package at.gv.egovernment.moa.id.auth.servlet.interceptor;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.apache.commons.lang.StringEscapeUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.web.servlet.HandlerInterceptor;
 import org.springframework.web.servlet.ModelAndView;
@@ -76,7 +77,7 @@ public class WebFrontEndSecurityInterceptor implements HandlerInterceptor {
 			Logger.info(errorMsg);
 			response.sendError(
 					HttpServletResponse.SC_FORBIDDEN, 
-					errorMsg);
+					StringEscapeUtils.escapeHtml(errorMsg));
 						
 			return false;
 		} else {		
-- 
cgit v1.2.3