authorAndreas Fitzek <andreas.fitzek@iaik.tugraz.at>2015-11-19 08:38:53 +0100
committerAndreas Fitzek <andreas.fitzek@iaik.tugraz.at>2015-11-19 09:04:05 +0100
commit32bf02fbf25c5a9ab0133e7edba5d5edea914d30 (patch)
tree959d28d1fbc1207ba1307be554d1b9f0e5f24db1
parent2a93094bb440c354d5b9dda20890bc537d305ba2 (diff)
XSS Fix invoke-app-url-target, invoke-app-error-url
-rw-r--r--pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/ErrorPage.java14
-rw-r--r--pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/ProvidePDFServlet.java14
2 files changed, 23 insertions, 5 deletions
diff --git a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/ErrorPage.java b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/ErrorPage.java
index 670756de..72128a9c 100644
--- a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/ErrorPage.java
+++ b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/ErrorPage.java
@@ -32,6 +32,7 @@ import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
+import org.apache.commons.lang3.StringEscapeUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -113,9 +114,16 @@ public class ErrorPage extends HttpServlet {
if (errorURL != null
&& WebConfiguration.isProvidePdfURLinWhitelist(errorURL)) {
String template = PdfAsHelper.getErrorRedirectTemplateSL();
- template = template.replace("##ERROR_URL##", errorURL);
-
+
URL url = new URL(errorURL);
+ String errorURLProcessed = url.getProtocol() + "://" + // "http" + "://
+ url.getHost() + // "myhost"
+ ":" + // ":"
+ url.getPort() + // "8080"
+ url.getPath();
+
+ template = template.replace("##ERROR_URL##", errorURLProcessed);
+
String extraParams = UrlParameterExtractor
.buildParameterFormString(url);
template = template.replace("##ADD_PARAMS##", extraParams);
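Review bot: `url.getPort()` on the new line `":" + url.getPort()` returns -1 whenever the whitelisted errorURL has no explicit port, so the rebuilt string becomes `http://myhost:-1/path` and the redirect breaks for the most common shape of URL; the same construction is repeated in ProvidePDFServlet in the `invokeUrlProcessed` hunk. Also, `url.getHost()` and `url.getPath()` still come from the request-supplied URL and are spliced into the HTML template without the `StringEscapeUtils.escapeHtml4` treatment this commit gives `##TARGET##`; `java.net.URL` is lenient about the characters it accepts in a path, so whether the original problem is fully closed presumably depends on how strict `isProvidePdfURLinWhitelist` is. I would omit the port when it is -1, escape the rebuilt URL before substitution, and move the reconstruction into one shared helper so both servlets stay in sync. The enclosing method begins and ends outside the hunk.
```java
URL url = new URL(errorURL);
int port = url.getPort();
String errorURLProcessed = url.getProtocol() + "://" + url.getHost()
        + (port == -1 ? "" : ":" + port)   // -1 means "no explicit port": keep the scheme default
        + url.getPath();
template = template.replace("##ERROR_URL##", StringEscapeUtils.escapeHtml4(errorURLProcessed));
// … unchanged: extraParams / ##ADD_PARAMS## substitution …
```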
@@ -126,7 +134,7 @@ public class ErrorPage extends HttpServlet {
target = "_self";
}
- template = template.replace("##TARGET##", target);
+ template = template.replace("##TARGET##", StringEscapeUtils.escapeHtml4(target));
if (e != null && WebConfiguration.isShowErrorDetails()) {
template = template.replace("##CAUSE##",
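Review bot: `StringEscapeUtils.escapeHtml4(target)` neutralises `target` only if the template places `##TARGET##` inside a quoted HTML attribute value; the template is not visible here, and if the placeholder sits in an unquoted attribute or inside a script block the escaping does not match that context. A comment next to the call would pin the assumption for the next maintainer, e.g. `// escapeHtml4 assumes ##TARGET## is a quoted attribute value in the redirect template`, or the template should be checked once and the note dropped. The identical replacement in ProvidePDFServlet's `##TARGET##` hunk carries the same dependency. The enclosing method continues outside the hunk.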
diff --git a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/ProvidePDFServlet.java b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/ProvidePDFServlet.java
index 7909e926..6ff6ccf7 100644
--- a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/ProvidePDFServlet.java
+++ b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/ProvidePDFServlet.java
@@ -31,7 +31,10 @@ import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
+import javax.swing.text.html.HTML;
+import org.apache.commons.lang3.StringEscapeUtils;
+import org.codehaus.stax2.io.EscapingWriterFactory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
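Review bot: `javax.swing.text.html.HTML` and `org.codehaus.stax2.io.EscapingWriterFactory` are added here but nothing in the visible hunks of this file references them (only `StringEscapeUtils` is used below), so they look like IDE auto-import leftovers. A Swing import in a servlet and a compile-time dependency on a StAX2 implementation class are both worth removing; keep only `import org.apache.commons.lang3.StringEscapeUtils;`.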
@@ -96,9 +99,16 @@ public class ProvidePDFServlet extends HttpServlet {
} else {
// Redirect Browser
String template = PdfAsHelper.getInvokeRedirectTemplateSL();
- template = template.replace("##INVOKE_URL##", invokeURL);
URL url = new URL(invokeURL);
+ String invokeUrlProcessed = url.getProtocol() + "://" + // "http" + "://
+ url.getHost() + // "myhost"
+ ":" + // ":"
+ url.getPort() + // "8080"
+ url.getPath();
+
+ template = template.replace("##INVOKE_URL##", invokeUrlProcessed);
+
String extraParams = UrlParameterExtractor.buildParameterFormString(url);
template = template.replace("##ADD_PARAMS##", extraParams);
@@ -116,7 +126,7 @@ public class ProvidePDFServlet extends HttpServlet {
target = "_self";
}
- template = template.replace("##TARGET##", target);
+ template = template.replace("##TARGET##", StringEscapeUtils.escapeHtml4(target));
template = template.replace("##PDFURL##",
URLEncoder.encode(PdfAsHelper.generatePdfURL(request, response),