From 57ffbe830705003caa2af2e12f7e38c38d3a2ff8 Mon Sep 17 00:00:00 2001
From: Andreas Fitzek
Date: Wed, 30 Nov 2016 10:53:50 +0100
Subject: fixed XSS for locale parameter

---
 .../java/at/gv/egiz/pdfas/web/helper/PdfAsParameterExtractor.java | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

(limited to 'pdf-as-web/src/main/java/at/gv')

diff --git a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/helper/PdfAsParameterExtractor.java b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/helper/PdfAsParameterExtractor.java
index 1c515efa..8a58d364 100644
--- a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/helper/PdfAsParameterExtractor.java
+++ b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/helper/PdfAsParameterExtractor.java
@@ -181,7 +181,13 @@ public class PdfAsParameterExtractor {
 }
 
 public static String getLocale(HttpServletRequest request) {
- return (String)request.getAttribute(PARAM_LOCALE);
+ String locale = (String)request.getAttribute(PARAM_LOCALE);
+ if(locale != null) {
+ if ("DE".equalsIgnoreCase(locale) || "EN".equalsIgnoreCase(locale)) {
+ return locale;
+ }
+ }
+ return null;
 }
 
 public static String getNumBytes(HttpServletRequest request) {
-- 
cgit v1.2.3
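Review bot: The allow-list in getLocale still returns the caller-supplied string (`return locale;`) rather than the matched constant, so any of "de", "De", "dE" … leaves this method in its original casing; returning the literal instead makes the method's output set exactly {"DE", "EN", null} and spares downstream code a second normalisation: `if ("DE".equalsIgnoreCase(locale)) return "DE";` / `if ("EN".equalsIgnoreCase(locale)) return "EN";` / `return null;`. The outer `if(locale != null)` is redundant, since `"DE".equalsIgnoreCase(null)` is already false. The unchecked `(String)` cast predates this commit but is still here: if the attribute is ever populated with a non-String, the method throws ClassCastException instead of returning null — reading it as `Object` and comparing via `String.valueOf` or an `instanceof String` check would close that. Callers that previously received any locale value now get null for unsupported ones; presumably they already fall back to a default, but that is worth confirming where getLocale is consumed.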