author | mcentner <mcentner@8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4> | 2010-01-19 10:56:18 +0000 |
committer | mcentner <mcentner@8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4> | 2010-01-19 10:56:18 +0000 |
commit | 92171e3cf2f3803ddfd0d92e7884b8ca1983adce (patch) | |
tree | fb88c8e3ef1456a3a42c992f931ced3222f90ccb /BKUOnline/src/main/webapp | |
parent | 32ecfb52f91cf17f42a24ed2a566a832b409f157 (diff) | |
download | mocca-92171e3cf2f3803ddfd0d92e7884b8ca1983adce.tar.gz mocca-92171e3cf2f3803ddfd0d92e7884b8ca1983adce.tar.bz2 mocca-92171e3cf2f3803ddfd0d92e7884b8ca1983adce.zip |
Fixed XSS vulnerability.
git-svn-id: https://joinup.ec.europa.eu/svn/mocca/trunk@579 8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4
Diffstat (limited to 'BKUOnline/src/main/webapp')
-rw-r--r-- | BKUOnline/src/main/webapp/applet.jsp | 89 |
1 files changed, 44 insertions, 45 deletions
diff --git a/BKUOnline/src/main/webapp/applet.jsp b/BKUOnline/src/main/webapp/applet.jsp
index cd0a4d1b..582bee7e 100644
--- a/BKUOnline/src/main/webapp/applet.jsp
+++ b/BKUOnline/src/main/webapp/applet.jsp
@@ -16,7 +16,7 @@ --> <%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" - import="at.gv.egiz.bku.online.webapp.AppletDispatcher, org.apache.commons.lang.RandomStringUtils" %> + import="at.gv.egiz.bku.online.webapp.AppletDispatcher, org.apache.commons.lang.RandomStringUtils, org.apache.commons.lang.StringEscapeUtils" %> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> 
@@ -32,23 +32,30 @@ <META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE"> </head> <% + String locale = StringEscapeUtils.escapeJavaScript( + (String) session.getAttribute("locale")); + int width = session.getAttribute("appletWidth") == null ? 190 : (Integer) session.getAttribute("appletWidth"); int height = session.getAttribute("appletHeight") == null ? 130 : (Integer) session.getAttribute("appletHeight"); - String backgroundImg = session.getAttribute("appletBackground") == null + String backgroundImg = StringEscapeUtils.escapeJavaScript( + session.getAttribute("appletBackground") == null ? "../img/chip32.png" - : (String) session.getAttribute("appletBackground"); - String backgroundColor = (String) session.getAttribute("appletBackgroundColor"); - String guiStyle = (String) session.getAttribute("appletGuiStyle"); - String locale = (String) session.getAttribute("locale"); - String extension = (String) session.getAttribute("extension"); - + : (String) session.getAttribute("appletBackground")); + String backgroundColor = StringEscapeUtils.escapeJavaScript( + (String) session.getAttribute("appletBackgroundColor")); + String guiStyle = StringEscapeUtils.escapeJavaScript( + (String) session.getAttribute("appletGuiStyle")); + + String sessionId = StringEscapeUtils.escapeJavaScript(session.getId()); + + String extension = (String) session.getAttribute("appletExtension"); String appletClass, appletArchive; - if ("activation".equals(extension)) { + if ("activation".equalsIgnoreCase(extension)) { appletArchive = "BKUAppletExt"; appletClass = "at.gv.egiz.bku.online.applet.ActivationApplet.class"; - } else if ("pin".equals(extension)) { + } else if ("pin".equalsIgnoreCase(extension)) { appletArchive = "BKUAppletExt"; appletClass = "at.gv.egiz.bku.online.applet.PINManagementApplet.class"; } else { 
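Review bot: Besides the escaping, this hunk renames the session attribute read for the applet extension from `"extension"` to `"appletExtension"` and switches both comparisons to `equalsIgnoreCase`, a functional change the commit message ("Fixed XSS vulerability") does not mention; the code that stores that attribute is outside this diff, so it is worth confirming it was renamed in the same commit, otherwise the `activation`/`pin` branches become unreachable. The escaping itself fits the context: each escaped value is emitted inside a single-quoted JavaScript string literal in the `<script>` block later in the file, and `escapeJavaScript` also escapes `/`, which prevents a `</script>` sequence from closing the element. Note that `escapeJavaScript(null)` returns null, so an unset attribute still renders as the text `null` inside the quotes; that is unchanged from before, but a default like the one `backgroundImg` already has would be cleaner. A one-line comment above the `String locale` line would record the intent for future edits, e.g. `// Session values are written into JavaScript string literals below; escape them for that context.`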
@@ -73,40 +80,32 @@
 %>
 <body id="appletpage" style="width:<%=width%>px">
 <script type="text/javascript">
-
- // avoid selection of applet before it is completely loaded
- var allowSelectionByJS = false;
-
- if (!deployJava.versionCheck('1.6.0_04+')) {
- document.write('<p>Diese Anwendung benötigt Version 6 Update 4 oder höher der <a href="" onclick="deployJava.installLatestJRE();">Java™ Laufzeitumgebung</a>.</p>');
- } else {
- // to enable applet caching, remove AppletDispatcher servlet,
- // change codebase to 'applet',
- // remove random suffix for appletArchive
- // and remove '../' for all URL applet parameters
- var attributes = {
- codebase :'<%=codebase %>',
- code : '<%=appletClass%>',
- archive : '<%=appletArchive +".jar, commons-logging.jar, iaik_jce_me4se.jar"%>',
- width : <%=width%>,
- height :<%=height%>,
- name : 'moccaapplet',
- id : 'moccaapplet'
- };
- var parameters = {
- GuiStyle : '<%=guiStyle%>',
- Locale : '<%=locale%>',
- Background : '<%=backgroundImg%>',
- BackgroundColor : '<%=backgroundColor%>',
- WSDL_URL :'../stal;jsessionid=<%=session.getId()%>?wsdl',
- HelpURL : '../help/',
- SessionID : '<%=session.getId()%>',
- RedirectURL : '../bkuResult',
- RedirectTarget: '_parent'
- };
- deployJava.runApplet(attributes, parameters, '1.6.0_04');
- }
- </script>
-
+ if (!deployJava.versionCheck('1.6.0_04+')) {
+ document.write('<p>Diese Anwendung benötigt Version 6 Update 4 oder höher der <a href="" onclick="deployJava.installLatestJRE();">Java™ Laufzeitumgebung</a>.</p>');
+ } else {
+ var attributes = {
+ codebase :'<%=codebase%>',
+ code : '<%=appletClass%>',
+ archive : '<%=appletArchive +".jar, commons-logging.jar, iaik_jce_me4se.jar"%>',
+ width : <%=width%>,
+ height :<%=height%>,
+ name : 'moccaapplet',
+ id : 'moccaapplet'
+ };
+ var parameters = {
+ GuiStyle : '<%=guiStyle%>',
+ Locale : '<%=locale%>',
+ Background : '<%=backgroundImg%>',
+ BackgroundColor : '<%=backgroundColor%>',
+ WSDL_URL : '../stal;jsessionid=<%=sessionId%>?wsdl',
+ HelpURL : '../help/',
+ SessionID : '<%=sessionId%>',
+ RedirectURL : '../bkuResult',
+ RedirectTarget: '_parent',
+ EnforceRecommendedPINLength: 'true'
+ };
+ deployJava.runApplet(attributes, parameters, '1.6.0_04');
+ }
+ </script>
 </body>
 </html>
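Review bot: `codebase` in `codebase :'<%=codebase%>'` is the one value interpolated into a JavaScript string literal here whose definition lies between the two hunks and outside this diff, so the commit does not show whether it receives the same `StringEscapeUtils.escapeJavaScript` treatment as the session attributes; if it is assembled from request data rather than a constant, it needs it too. `appletClass` and `appletArchive` are fixed literals chosen in the if/else chain of the previous hunk, so emitting them unescaped is fine. The new `EnforceRecommendedPINLength: 'true'` parameter changes applet behaviour independently of the XSS fix and is absent from the commit message; a separate commit, or at least a mention, would make the history easier to audit. The Java scriptlet closed by the leading `%>` starts outside the hunk.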