fixed some XSS bugs reported by Marius from http://ctf365.com/
This commit is contained in:
parent
da33ee0d77
commit
ff86cb683f
@ -96,7 +96,7 @@ public class User{
prop.putHTML("logged-in_returnto", post.get("returnto"));
final String username=post.get("username");
final String password=post.get("password");
prop.put("logged-in_username", username);
prop.putHTML("logged-in_username", username);
entry=sb.userDB.passwordAuth(username, password);
final boolean staticAdmin = sb.getConfig(SwitchboardConstants.ADMIN_ACCOUNT_B64MD5, "").equals(
@ -160,7 +160,7 @@ public class User{
prop.authenticationRequired();
}
if(post.containsKey("returnto")){
prop.put(serverObjects.ACTION_LOCATION, post.get("returnto"));
prop.putHTML(serverObjects.ACTION_LOCATION, post.get("returnto"));
}
}
// return rewrite properties
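Review bot: HTML-escaping the `returnto` value in the second User hunk does not make it safe as the ACTION_LOCATION redirect target; it closes the HTML-injection vector but still accepts any absolute URL, so an open redirect after login remains. Restrict the value to a site-relative path before setting the location, e.g. `final String returnto = post.get("returnto"); if (returnto != null && returnto.startsWith("/") && !returnto.startsWith("//")) prop.putHTML(serverObjects.ACTION_LOCATION, returnto);`. Whether serverObjects already strips CR/LF from values that end up in response headers cannot be seen from this hunk; if it does not, a newline check belongs in the same guard. The first hunk's `putHTML` on the username is the right fix for that reflected value.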
@ -69,7 +69,7 @@ public class ViewProfile {
prop.put("success", "0");
return prop;
}
prop.put("hash", hash);
prop.putHTML("hash", hash);
// get the profile
Map<String, String> profile = null;
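Review bot: `prop.putHTML("hash", hash)` encodes for an HTML text context only; if the ViewProfile template places `hash` inside an attribute value or a URL (for example a link back to the profile), that encoding is not sufficient and attribute/URL encoding is needed at that point — the template is outside this hunk, so please confirm. Since `hash` is also used as a lookup key before it is echoed, rejecting values that do not match the expected identifier format up front (the `success` = `"0"` early return just above looks like the natural place) would cover both uses; I cannot tell from the hunk whether such a check already exists. The enclosing ViewProfile method starts and ends outside the hunk.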
@ -109,6 +109,7 @@ import net.yacy.cora.util.ConcurrentLog;
import net.yacy.cora.util.NumberTools;
import net.yacy.data.UserDB;
import net.yacy.document.parser.htmlParser;
import net.yacy.document.parser.html.CharacterCoding;
import net.yacy.document.parser.html.ContentScraper;
import net.yacy.document.parser.html.ScraperInputStream;
import net.yacy.kelondro.util.FileUtils;
@ -484,7 +485,7 @@ public final class HTTPDFileHandler {
//no defaultfile, send a dirlisting
if (targetFile == null || !targetFile.exists() || (targetFile.exists() && targetFile.isDirectory())) {
final StringBuilder aBuffer = new StringBuilder();
aBuffer.append("<html>\n<head>\n</head>\n<body>\n<h1>Index of " + path + "</h1>\n <ul>\n");
aBuffer.append("<html>\n<head>\n</head>\n<body>\n<h1>Index of " + CharacterCoding.unicode2html(path, true) + "</h1>\n <ul>\n");
String[] list = targetFile.list();
if (list == null) list = new String[0]; // should not occur!
File f;
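Review bot: Encoding `path` in the directory-listing heading covers only the first line of the generated page; the entries that follow come from `targetFile.list()` (declared at the end of the hunk) and, if they are appended raw into the `<li>`/`<a href>` markup in the loop that continues past the hunk, they need the same `CharacterCoding.unicode2html` treatment plus URL-encoding for the href. That loop is not visible here, so please verify. The heading is also built by string concatenation inside a single `aBuffer.append(...)`; chaining the appends instead, `aBuffer.append("<html>\n<head>\n</head>\n<body>\n<h1>Index of ").append(CharacterCoding.unicode2html(path, true)).append("</h1>\n <ul>\n");`, avoids the temporary String and makes the encoded insertion point stand out. The new `CharacterCoding` import in the first hunk of this file is grouped correctly with the other `net.yacy.document.parser.html` imports.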