authormcentner <mcentner@8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4>2010-01-19 10:56:18 +0000
committermcentner <mcentner@8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4>2010-01-19 10:56:18 +0000
commit92171e3cf2f3803ddfd0d92e7884b8ca1983adce (patch)
treefb88c8e3ef1456a3a42c992f931ced3222f90ccb /BKUOnline/src
parent32ecfb52f91cf17f42a24ed2a566a832b409f157 (diff)
Fixed XSS vulnerability.
git-svn-id: https://joinup.ec.europa.eu/svn/mocca/trunk@579 8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4
Diffstat (limited to 'BKUOnline/src')
-rw-r--r--BKUOnline/src/main/webapp/applet.jsp89
1 files changed, 44 insertions, 45 deletions
diff --git a/BKUOnline/src/main/webapp/applet.jsp b/BKUOnline/src/main/webapp/applet.jsp
index cd0a4d1b..582bee7e 100644
--- a/BKUOnline/src/main/webapp/applet.jsp
+++ b/BKUOnline/src/main/webapp/applet.jsp
@@ -16,7 +16,7 @@
-->
<%@ page language="java" contentType="text/html; charset=UTF-8"
pageEncoding="UTF-8"
- import="at.gv.egiz.bku.online.webapp.AppletDispatcher, org.apache.commons.lang.RandomStringUtils" %>
+ import="at.gv.egiz.bku.online.webapp.AppletDispatcher, org.apache.commons.lang.RandomStringUtils, org.apache.commons.lang.StringEscapeUtils" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
@@ -32,23 +32,30 @@
<META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">
</head>
<%
+ String locale = StringEscapeUtils.escapeJavaScript(
+ (String) session.getAttribute("locale"));
+
int width = session.getAttribute("appletWidth") == null ? 190
: (Integer) session.getAttribute("appletWidth");
int height = session.getAttribute("appletHeight") == null ? 130
: (Integer) session.getAttribute("appletHeight");
- String backgroundImg = session.getAttribute("appletBackground") == null
+ String backgroundImg = StringEscapeUtils.escapeJavaScript(
+ session.getAttribute("appletBackground") == null
? "../img/chip32.png"
- : (String) session.getAttribute("appletBackground");
- String backgroundColor = (String) session.getAttribute("appletBackgroundColor");
- String guiStyle = (String) session.getAttribute("appletGuiStyle");
- String locale = (String) session.getAttribute("locale");
- String extension = (String) session.getAttribute("extension");
-
+ : (String) session.getAttribute("appletBackground"));
+ String backgroundColor = StringEscapeUtils.escapeJavaScript(
+ (String) session.getAttribute("appletBackgroundColor"));
+ String guiStyle = StringEscapeUtils.escapeJavaScript(
+ (String) session.getAttribute("appletGuiStyle"));
+
+ String sessionId = StringEscapeUtils.escapeJavaScript(session.getId());
+
+ String extension = (String) session.getAttribute("appletExtension");
String appletClass, appletArchive;
- if ("activation".equals(extension)) {
+ if ("activation".equalsIgnoreCase(extension)) {
appletArchive = "BKUAppletExt";
appletClass = "at.gv.egiz.bku.online.applet.ActivationApplet.class";
- } else if ("pin".equals(extension)) {
+ } else if ("pin".equalsIgnoreCase(extension)) {
appletArchive = "BKUAppletExt";
appletClass = "at.gv.egiz.bku.online.applet.PINManagementApplet.class";
} else {
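Review bot: `StringEscapeUtils.escapeJavaScript` returns null for a null input, so when `locale`, `appletBackgroundColor` or `appletGuiStyle` is absent from the session the later `<%=…%>` expressions emit the literal text `null` inside the JavaScript string literals passed to the applet; this predates the commit, but the wrappers added here are the natural place to supply a default, e.g. `String locale = StringEscapeUtils.escapeJavaScript(StringUtils.defaultString((String) session.getAttribute("locale")));` with `org.apache.commons.lang.StringUtils` added to the page import list. Separately, the attribute key read for the extension changes from `"extension"` to `"appletExtension"` and the comparison from `equals` to `equalsIgnoreCase`, which is a functional change unrelated to the XSS fix named in the commit message; the code that sets that session attribute is not part of this diff, so whether it was updated to match cannot be confirmed here. The `if`/`else` chain continues past the end of the hunk.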
@@ -73,40 +80,32 @@
%>
<body id="appletpage" style="width:<%=width%>px">
<script type="text/javascript">
-
- // avoid selection of applet before it is completely loaded
- var allowSelectionByJS = false;
-
- if (!deployJava.versionCheck('1.6.0_04+')) {
- document.write('<p>Diese Anwendung benötigt Version 6 Update 4 oder höher der <a href="" onclick="deployJava.installLatestJRE();">Java&trade; Laufzeitumgebung</a>.</p>');
- } else {
- // to enable applet caching, remove AppletDispatcher servlet,
- // change codebase to 'applet',
- // remove random suffix for appletArchive
- // and remove '../' for all URL applet parameters
- var attributes = {
- codebase :'<%=codebase %>',
- code : '<%=appletClass%>',
- archive : '<%=appletArchive +".jar, commons-logging.jar, iaik_jce_me4se.jar"%>',
- width : <%=width%>,
- height :<%=height%>,
- name : 'moccaapplet',
- id : 'moccaapplet'
- };
- var parameters = {
- GuiStyle : '<%=guiStyle%>',
- Locale : '<%=locale%>',
- Background : '<%=backgroundImg%>',
- BackgroundColor : '<%=backgroundColor%>',
- WSDL_URL :'../stal;jsessionid=<%=session.getId()%>?wsdl',
- HelpURL : '../help/',
- SessionID : '<%=session.getId()%>',
- RedirectURL : '../bkuResult',
- RedirectTarget: '_parent'
- };
- deployJava.runApplet(attributes, parameters, '1.6.0_04');
- }
- </script>
-
+ if (!deployJava.versionCheck('1.6.0_04+')) {
+ document.write('<p>Diese Anwendung benötigt Version 6 Update 4 oder höher der <a href="" onclick="deployJava.installLatestJRE();">Java&trade; Laufzeitumgebung</a>.</p>');
+ } else {
+ var attributes = {
+ codebase :'<%=codebase%>',
+ code : '<%=appletClass%>',
+ archive : '<%=appletArchive +".jar, commons-logging.jar, iaik_jce_me4se.jar"%>',
+ width : <%=width%>,
+ height :<%=height%>,
+ name : 'moccaapplet',
+ id : 'moccaapplet'
+ };
+ var parameters = {
+ GuiStyle : '<%=guiStyle%>',
+ Locale : '<%=locale%>',
+ Background : '<%=backgroundImg%>',
+ BackgroundColor : '<%=backgroundColor%>',
+ WSDL_URL : '../stal;jsessionid=<%=sessionId%>?wsdl',
+ HelpURL : '../help/',
+ SessionID : '<%=sessionId%>',
+ RedirectURL : '../bkuResult',
+ RedirectTarget: '_parent',
+ EnforceRecommendedPINLength: 'true'
+ };
+ deployJava.runApplet(attributes, parameters, '1.6.0_04');
+ }
+ </script>
</body>
</html>
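Review bot: `codebase` in `codebase :'<%=codebase%>'` is now the only value interpolated into a JavaScript string literal in this script that does not pass through `StringEscapeUtils.escapeJavaScript`; it is assigned outside the hunk, so if it is derived from the request (path, context or parameters) rather than a fixed string it needs the same treatment, e.g. `codebase : '<%=StringEscapeUtils.escapeJavaScript(codebase)%>'`. The removal of `var allowSelectionByJS = false;` is not mentioned in the commit message; if any other script on the page references that variable it is now undefined, which is worth confirming. The added `EnforceRecommendedPINLength: 'true'` applet parameter is likewise a functional change unrelated to the XSS fix and would be clearer in its own commit or at least in the commit message.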