From fe2a02ec2afcbe2d7b9d59a9969d05923813ffdf Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Mon, 13 Nov 2017 09:38:00 +0100
Subject: fix some open CrossSiteScripting paths

---
 .../gv/egovernment/moa/id/auth/servlet/MonitoringController.java   | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

(limited to 'id/server/modules')

diff --git a/id/server/modules/module-monitoring/src/main/java/at/gv/egovernment/moa/id/auth/servlet/MonitoringController.java b/id/server/modules/module-monitoring/src/main/java/at/gv/egovernment/moa/id/auth/servlet/MonitoringController.java
index b232b9512..fdc1c9cc1 100644
--- a/id/server/modules/module-monitoring/src/main/java/at/gv/egovernment/moa/id/auth/servlet/MonitoringController.java
+++ b/id/server/modules/module-monitoring/src/main/java/at/gv/egovernment/moa/id/auth/servlet/MonitoringController.java
@@ -30,6 +30,7 @@ import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.apache.commons.lang.StringEscapeUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -58,11 +59,9 @@ public class MonitoringController {
 			    throws ServletException, IOException{
 		  
 		  if (authConfig.isMonitoringActive()) {
-			Logger.debug("Monitoring Servlet received request");
-
-			
+			Logger.debug("Monitoring Servlet received request");					
+			String modulename = StringEscapeUtils.escapeHtml(req.getParameter(REQUEST_ATTR_MODULE));
 			
-			String modulename = req.getParameter(REQUEST_ATTR_MODULE);
 			if (MiscUtil.isEmpty(modulename)) {
 			
 				List<String> error = tests.executeTests();
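Review bot: Escaping `modulename` on the added `String modulename = StringEscapeUtils.escapeHtml(req.getParameter(REQUEST_ATTR_MODULE));` line ties the XSS defence to where the value is read, not to where it is written out, and that sink is not visible in this hunk. Any later use of `modulename` as a lookup key (presumably selecting a single test module further down the method, which continues outside the hunk) now sees the entity-encoded form. The commons-lang `escapeHtml` also leaves the single quote untouched, so it would not be sufficient if the value ends up in a single-quoted attribute or a script context. I would keep the raw parameter, `String modulename = req.getParameter(REQUEST_ATTR_MODULE);`, check it against the set of known module names, and apply the context-appropriate encoding at the point where it is echoed into the response. A short comment such as `// modulename is request-controlled; encode on output` would help the next maintainer.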
-- 
cgit v1.2.3