fixed XSS for locale parameter

author: Andreas Fitzek <andreas.fitzek@iaik.tugraz.at> 2016-11-30 10:53:50 +0100
committer: Andreas Fitzek <andreas.fitzek@iaik.tugraz.at> 2016-11-30 10:53:50 +0100
commit: 57ffbe830705003caa2af2e12f7e38c38d3a2ff8 (patch)
tree: d6ffa9214b73096b592b2a4a3468aadbaaacc880
parent: 6f198db080646dc7fd9708fe30cbe7ed9565909d (diff)
download: pdf-as-4-57ffbe830705003caa2af2e12f7e38c38d3a2ff8.tar.gz
pdf-as-4-57ffbe830705003caa2af2e12f7e38c38d3a2ff8.tar.bz2
pdf-as-4-57ffbe830705003caa2af2e12f7e38c38d3a2ff8.zip
1 files changed, 7 insertions, 1 deletions
diff --git a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/helper/PdfAsParameterExtractor.java b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/helper/PdfAsParameterExtractor.java
index 1c515efa..8a58d364 100644
--- a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/helper/PdfAsParameterExtractor.java
+++ b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/helper/PdfAsParameterExtractor.java
@@ -181,7 +181,13 @@ public class PdfAsParameterExtractor {
 	}
 	
 	public static String getLocale(HttpServletRequest request) {
-		return (String)request.getAttribute(PARAM_LOCALE);
+		String locale = (String)request.getAttribute(PARAM_LOCALE);
+		if(locale != null) {
+			if ("DE".equalsIgnoreCase(locale) || "EN".equalsIgnoreCase(locale)) {
+				return locale;
+			}
+		}
+		return null;
 	}
 	
 	public static String getNumBytes(HttpServletRequest request) {
author	Andreas Fitzek <andreas.fitzek@iaik.tugraz.at>	2016-11-30 10:53:50 +0100
committer	Andreas Fitzek <andreas.fitzek@iaik.tugraz.at>	2016-11-30 10:53:50 +0100
commit	57ffbe830705003caa2af2e12f7e38c38d3a2ff8 (patch)
tree	d6ffa9214b73096b592b2a4a3468aadbaaacc880
parent	6f198db080646dc7fd9708fe30cbe7ed9565909d (diff)
download	pdf-as-4-57ffbe830705003caa2af2e12f7e38c38d3a2ff8.tar.gz pdf-as-4-57ffbe830705003caa2af2e12f7e38c38d3a2ff8.tar.bz2 pdf-as-4-57ffbe830705003caa2af2e12f7e38c38d3a2ff8.zip