From cc09b52b5cb1c93543d8b4353dfc59b8192e79af Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Sun, 26 Nov 2017 21:04:51 +0100 Subject: add String escaping on same methods --- .../id/auth/modules/ssotransfer/servlet/SSOTransferServlet.java | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) (limited to 'id/server/modules/moa-id-module-ssoTransfer/src/main') diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferServlet.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferServlet.java index 7d1bfd7b9..a37beac70 100644 --- a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferServlet.java +++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferServlet.java @@ -50,6 +50,7 @@ import javax.security.cert.X509Certificate; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import org.apache.commons.lang.StringEscapeUtils; import org.bouncycastle.asn1.x500.X500Name; import org.bouncycastle.asn1.x509.BasicConstraints; import org.bouncycastle.asn1.x509.Extension; @@ -186,7 +187,7 @@ public class SSOTransferServlet{ Logger.debug("Receive " + this.getClass().getName() + " request"); Object tokenObj = req.getParameter(SSOTransferConstants.REQ_PARAM_TOKEN); if (tokenObj != null && tokenObj instanceof String) { - String token = (String)tokenObj; + String token = StringEscapeUtils.escapeHtml((String)tokenObj); try { Logger.debug("Load token:" + token + " from storage."); SSOTransferContainer container = transactionStorage.get(token, SSOTransferContainer.class, transmisionTimeOut * 1000); 
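Review bot: In the hunk at -186 the request token is HTML-escaped as it is read, and that escaped string is then used as the key in `transactionStorage.get(token, ...)`, so any token containing `&`, `<`, `>`, `"` or non-ASCII characters no longer matches the value that was stored. `escapeHtml` is an output encoding for HTML sinks and it leaves CR/LF untouched, so `Logger.debug("Load token:" + token + " from storage.")` can still receive line breaks from the request parameter. I would keep `String token = (String)tokenObj;` for the lookup, reject values that do not match the expected token format before use (the format is not visible here), and encode only where the value is written out, e.g. a log-safe copy via `token.replaceAll("[\\r\\n]", "_")`. The same applies to the identical change in the hunk at -285. The enclosing method starts and ends outside the hunk.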
@@ -285,7 +286,7 @@ public class SSOTransferServlet{ Object tokenObj = req.getParameter(SSOTransferConstants.REQ_PARAM_TOKEN); if (tokenObj != null && tokenObj instanceof String) { - String token = (String)tokenObj; + String token = StringEscapeUtils.escapeHtml((String)tokenObj); try { SSOTransferContainer container = transactionStorage.get(token, SSOTransferContainer.class, transmisionTimeOut); if (container != null) { @@ -402,8 +403,6 @@ public class SSOTransferServlet{ null); if (ssomanager.isValidSSOSession(ssoid, null)) { - //Object createQRObj = req.getParameter(SSOTransferConstants.REQ_PARAM_GENERATE_QR); - //create first step of SSO Transfer GUI IAuthenticationSession authSession = authenticationSessionStorage.getInternalMOASessionWithSSOID(ssoid); -- cgit v1.2.3
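Review bot: The `transactionStorage.get` call in the hunk at -285 passes `transmisionTimeOut` unscaled, while the otherwise identical lookup in the hunk at -186 passes `transmisionTimeOut * 1000`. If the third argument is a timeout in milliseconds (the storage API is not visible here), the token validity window enforced on this path differs from the other path by a factor of 1000. It is worth confirming the unit and making both calls agree, e.g. `transactionStorage.get(token, SSOTransferContainer.class, transmisionTimeOut * 1000)`, or adding a comment such as `// timeout intentionally in seconds here because ...` if the difference is deliberate. The enclosing method starts and ends outside the hunk.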