
Re: [Pki-devel] [pki-devel[PATCH] 0035-Fix-XSS-attacks-on-the-dogtag-administration-page-13.patch



Resubmitting based on a couple of things.

1. Informal feedback stating that I left out one of the minor original packages.

2. Refactoring of a few confusing copied methods was necessary in my opinion. Discussed below:

   1. Too many copies of escapeJavaScriptString all over the place. Consolidated down to the two related functions "escapeJavaScriptString" and "escapeJavaScriptStringHTML" methods in the CMSTemplate class to be called everywhere. Removed the duplicated methods in other classes.

   2. There were some places where "escapeJavaScriptString" was called, when we really wanted "escapeJavaScriptStringHTML". Fixed that everywhere. One reason for this is a copied version of "escapeJavaScriptString" actually was identical to CMSTemplate.escapeJavaScriptString, which has been removed.


All major test cases from the various bugs retested to work fine.


----- Original Message -----
From: "John Magne" <jmagne redhat com>
To: "pki-devel" <pki-devel redhat com>
Sent: Tuesday, May 12, 2015 2:02:01 PM
Subject: [pki-devel[PATCH] 0034-Fix-XSS-attacks-on-the-dogtag-administration-page-13.patch

Fix XSS attacks on the dogtag administration page #1373.

Porting this set of fixes over from last downstream release upstream.
From 2610c40e66222c44614ec6cfa47aa75815d954a5 Mon Sep 17 00:00:00 2001
From: Jack Magne <jmagne localhost localdomain>
Date: Tue, 12 May 2015 13:49:00 -0700
Subject: [PATCH] Fix XSS attacks on the dogtag administration page #1373.

Porting this set of fixes over from last downstream release upstream.

Upon further review, decided to fix a few missing things pointed out by the code review and a few other things:

1. Too many copies of escapeJavaScriptString all over the place. Consolidated the two related functions "escapeJavaScriptString" and "escapeJavaScriptStringHTML" methods in the CMSTemplate class to be called everywhere. Removed the duplicated methods in other classes.

2. There were some places where "escapeJavaScriptString" was called, when we really wanted "escapeJavaScriptStringHTML". Fixed that everywhere. One reason for this is a copied version of "escapeJavaScriptString" actually was identical to CMSTemplate.escapeJavaScriptString, which has been removed.

XSS fixes.
---
 .../com/netscape/cms/servlet/cert/DisplayCRL.java  |   2 +-
 .../cms/servlet/cert/EnrollmentProcessor.java      |   9 +-
 .../cms/servlet/cert/GetCertFromRequest.java       |   5 +-
 .../cms/servlet/cert/RenewalProcessor.java         |  15 +--
 .../netscape/cms/servlet/common/CMSTemplate.java   | 113 ++++++++++++++++-----
 .../cms/servlet/profile/ProfileApproveServlet.java |   5 +-
 .../cms/servlet/profile/ProfileProcessServlet.java |   5 +-
 .../cms/servlet/profile/ProfileReviewServlet.java  |   7 +-
 .../cms/servlet/profile/ProfileSelectServlet.java  |   3 +-
 .../cms/servlet/profile/ProfileServlet.java        |  93 +----------------
 .../servlet/profile/ProfileSubmitCMCServlet.java   |   5 +-
 .../netscape/cms/servlet/request/CheckRequest.java |   6 +-
 12 files changed, 127 insertions(+), 141 deletions(-)

diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/DisplayCRL.java b/base/server/cms/src/com/netscape/cms/servlet/cert/DisplayCRL.java
index 3c9d577..e42deee 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/cert/DisplayCRL.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/DisplayCRL.java
@@ -231,7 +231,7 @@ public class DisplayCRL extends CMSServlet {
         }
         if (crlIssuingPointId == null) {
             header.addStringValue("error",
-                    "Request to unspecified or non-existing CRL issuing point: " + ipId);
+                    "Request to unspecified or non-existing CRL issuing point: " + CMSTemplate.escapeJavaScriptStringHTML(ipId));
             return;
         }
 
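Review bot: the value escaped at the changed line (ipId) is stored via header.addStringValue, and CMSTemplate wraps string header values with escapeJavaScriptString when it renders them (see the CMSTemplate hunk at -319 in this patch), so this string goes through both escapers; that is only harmless because the new `&`-scanning code passes an `&lt;`-style run through unchanged. Add a comment at the call site saying the entity encoding is intentional for the HTML template, and wrap the line, which is well past the file's usual line length.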
diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollmentProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollmentProcessor.java
index ee56f01..8d9d05c 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollmentProcessor.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollmentProcessor.java
@@ -38,6 +38,7 @@ import com.netscape.certsrv.profile.ProfileAttribute;
 import com.netscape.certsrv.profile.ProfileInput;
 import com.netscape.certsrv.request.IRequest;
 import com.netscape.cms.servlet.common.CMSRequest;
+import com.netscape.cms.servlet.common.CMSTemplate;
 import com.netscape.cms.servlet.profile.SSLClientCertProvider;
 import com.netscape.cmsutil.ldap.LDAPUtil;
 
@@ -92,8 +93,8 @@ public class EnrollmentProcessor extends CertProcessor {
         IProfile profile = ps.getProfile(profileId);
 
         if (profile == null) {
-            CMS.debug(CMS.getUserMessage(locale, "CMS_PROFILE_NOT_FOUND", profileId));
-            throw new BadRequestDataException(CMS.getUserMessage(locale, "CMS_PROFILE_NOT_FOUND", profileId));
+            CMS.debug(CMS.getUserMessage(locale, "CMS_PROFILE_NOT_FOUND", CMSTemplate.escapeJavaScriptStringHTML(profileId)));
+            throw new BadRequestDataException(CMS.getUserMessage(locale, "CMS_PROFILE_NOT_FOUND",CMSTemplate.escapeJavaScriptStringHTML(profileId)));
         }
 
         CertEnrollmentRequest data = CertEnrollmentRequestFactory.create(cmsReq, profile, locale);
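Review bot: missing space after the comma before CMSTemplate.escapeJavaScriptStringHTML on the `throw` line, and the CMS.debug line now records the entity-encoded profileId rather than what the client actually sent; escape only the user-facing message and keep the raw value in the debug log so the log reflects the real request.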
@@ -136,8 +137,8 @@ public class EnrollmentProcessor extends CertProcessor {
 
             IProfile profile = ps.getProfile(profileId);
             if (profile == null) {
-                CMS.debug(CMS.getUserMessage(locale, "CMS_PROFILE_NOT_FOUND", profileId));
-                throw new BadRequestDataException(CMS.getUserMessage(locale, "CMS_PROFILE_NOT_FOUND", profileId));
+                CMS.debug(CMS.getUserMessage(locale, "CMS_PROFILE_NOT_FOUND", CMSTemplate.escapeJavaScriptStringHTML(profileId)));
+                throw new BadRequestDataException(CMS.getUserMessage(locale, "CMS_PROFILE_NOT_FOUND", CMSTemplate.escapeJavaScriptStringHTML(profileId)));
             }
             if (!ps.isProfileEnable(profileId)) {
                 CMS.debug("EnrollmentSubmitter: Profile " + profileId + " not enabled");
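Review bot: this is the same debug-then-throw pair as the earlier hunk in this file, and it is repeated again twice in RenewalProcessor; a small helper (hypothetically, a profileNotFound(locale, profileId) that logs the raw id and returns the exception built from the escaped one) would keep the four copies in step. The unchanged debug line at the end of the hunk still concatenates profileId raw, which is fine for a log but shows that escaping is applied inconsistently within the same method.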
diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/GetCertFromRequest.java b/base/server/cms/src/com/netscape/cms/servlet/cert/GetCertFromRequest.java
index af8b3cc..afba866 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/cert/GetCertFromRequest.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/GetCertFromRequest.java
@@ -18,8 +18,8 @@
 package com.netscape.cms.servlet.cert;
 
 import java.io.IOException;
-import java.util.Locale;
 import java.math.BigInteger;
+import java.util.Locale;
 
 import javax.servlet.ServletConfig;
 import javax.servlet.ServletException;
@@ -49,6 +49,7 @@ import com.netscape.certsrv.request.RequestId;
 import com.netscape.certsrv.request.RequestStatus;
 import com.netscape.cms.servlet.base.CMSServlet;
 import com.netscape.cms.servlet.common.CMSRequest;
+import com.netscape.cms.servlet.common.CMSTemplate;
 import com.netscape.cms.servlet.common.CMSTemplateParams;
 import com.netscape.cms.servlet.common.ECMSGWException;
 import com.netscape.cms.servlet.common.ICMSTemplateFiller;
@@ -175,7 +176,7 @@ public class GetCertFromRequest extends CMSServlet {
         } catch (NumberFormatException e) {
             log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_INVALID_REQ_ID_FORMAT", requestId));
             throw new EBaseException(
-                    CMS.getUserMessage(getLocale(httpReq), "CMS_BASE_INVALID_NUMBER_FORMAT_1", requestId));
+                    CMS.getUserMessage(getLocale(httpReq), "CMS_BASE_INVALID_NUMBER_FORMAT_1", CMSTemplate.escapeJavaScriptStringHTML(requestId)));
         }
 
         IRequest r = mQueue.findRequest(new RequestId(requestId));
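Review bot: the EBaseException thrown here now carries an entity-encoded requestId in its message; that is correct if the only consumer renders it into the HTML template, but any caller that logs or re-wraps the exception will see `&lt;`-style text. The log message two lines above correctly keeps the raw value; add a comment stating that the exception message is HTML-ready so the asymmetry is not "fixed" later.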
diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/RenewalProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/RenewalProcessor.java
index 7daad6c..efd1d7b 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/cert/RenewalProcessor.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/RenewalProcessor.java
@@ -46,6 +46,7 @@ import com.netscape.certsrv.profile.IProfileContext;
 import com.netscape.certsrv.profile.IProfileInput;
 import com.netscape.certsrv.request.IRequest;
 import com.netscape.cms.servlet.common.CMSRequest;
+import com.netscape.cms.servlet.common.CMSTemplate;
 import com.netscape.cms.servlet.profile.SSLClientCertProvider;
 
 public class RenewalProcessor extends CertProcessor {
@@ -59,7 +60,8 @@ public class RenewalProcessor extends CertProcessor {
         String profileId = (this.profileID == null) ? req.getParameter("profileId") : this.profileID;
         IProfile profile = ps.getProfile(profileId);
         if (profile == null) {
-            throw new BadRequestDataException(CMS.getUserMessage(locale, "CMS_PROFILE_NOT_FOUND", profileId));
+            throw new BadRequestDataException(CMS.getUserMessage(locale, "CMS_PROFILE_NOT_FOUND",
+                    CMSTemplate.escapeJavaScriptStringHTML(profileId)));
         }
 
         CertEnrollmentRequest data = CertEnrollmentRequestFactory.create(cmsReq, profile, locale);
@@ -83,7 +85,7 @@ public class RenewalProcessor extends CertProcessor {
             throws EBaseException {
         try {
             if (CMS.debugOn()) {
-                HashMap<String,String> params = data.toParams();
+                HashMap<String, String> params = data.toParams();
                 printParameterValues(params);
             }
             CMS.debug("RenewalSubmitter: isRenewal true");
@@ -98,8 +100,9 @@ public class RenewalProcessor extends CertProcessor {
 
             IProfile renewProfile = ps.getProfile(renewProfileId);
             if (renewProfile == null) {
-                CMS.debug(CMS.getUserMessage(locale, "CMS_PROFILE_NOT_FOUND", renewProfileId));
-                throw new BadRequestDataException(CMS.getUserMessage(locale, "CMS_PROFILE_NOT_FOUND", renewProfileId));
+                CMS.debug(CMS.getUserMessage(locale, "CMS_PROFILE_NOT_FOUND",
+                        CMSTemplate.escapeJavaScriptStringHTML(renewProfileId)));
+                throw new BadRequestDataException(CMS.getUserMessage(locale, "CMS_PROFILE_NOT_FOUND",CMSTemplate.escapeJavaScriptStringHTML(renewProfileId)));
             }
             if (!ps.isProfileEnable(renewProfileId)) {
                 CMS.debug("RenewalSubmitter: Profile " + renewProfileId + " not enabled");
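Review bot: inconsistent formatting within the hunk: the CMS.debug call is wrapped onto a second line while the `throw` line directly below it is left on one overlong line with no space after the comma; format both the same way.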
@@ -171,8 +174,8 @@ public class RenewalProcessor extends CertProcessor {
             Integer origSeqNum = origReq.getExtDataInInteger(IEnrollProfile.REQUEST_SEQ_NUM);
             IProfile profile = ps.getProfile(profileId);
             if (profile == null) {
-                CMS.debug(CMS.getUserMessage(locale, "CMS_PROFILE_NOT_FOUND", profileId));
-                throw new EBaseException(CMS.getUserMessage(locale, "CMS_PROFILE_NOT_FOUND", profileId));
+                CMS.debug(CMS.getUserMessage(locale, "CMS_PROFILE_NOT_FOUND",CMSTemplate.escapeJavaScriptStringHTML(profileId)));
+                throw new EBaseException(CMS.getUserMessage(locale, "CMS_PROFILE_NOT_FOUND", CMSTemplate.escapeJavaScriptStringHTML(profileId)));
             }
             if (!ps.isProfileEnable(profileId)) {
                 CMS.debug("RenewalSubmitter: Profile " + profileId + " not enabled");
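Review bot: missing space after the comma in the CMS.debug call on the first changed line; the `throw` line below it has the space, so match it.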
diff --git a/base/server/cms/src/com/netscape/cms/servlet/common/CMSTemplate.java b/base/server/cms/src/com/netscape/cms/servlet/common/CMSTemplate.java
index dc8cef6..ba4e840 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/common/CMSTemplate.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/common/CMSTemplate.java
@@ -145,7 +145,7 @@ public class CMSTemplate extends CMSFile {
         CMSTemplateParams data = input;
 
         try (HTTPOutputStreamWriter http_out = (mCharset == null ?
-                new HTTPOutputStreamWriter(rout): new HTTPOutputStreamWriter(rout, mCharset))) {
+                new HTTPOutputStreamWriter(rout) : new HTTPOutputStreamWriter(rout, mCharset))) {
             templateLine out = new templateLine();
 
             // Output the prolog
@@ -319,7 +319,7 @@ public class CMSTemplate extends CMSFile {
             if (v.equals(""))
                 s = "null";
             else
-                s = "\"" + escapeJavaScriptString((String) v) + "\"";
+                s = "\"" + CMSTemplate.escapeJavaScriptString((String) v) + "\"";
         } else if (v instanceof Integer) {
             s = ((Integer) v).toString();
         } else if (v instanceof Boolean) {
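Review bot: the `CMSTemplate.` qualifier on escapeJavaScriptString is redundant here, since this code is inside CMSTemplate itself; either drop it or, if the intent is to make it obvious that the static method is being called, say so in a comment rather than leaving a change that looks accidental.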
@@ -347,6 +347,7 @@ public class CMSTemplate extends CMSFile {
      * portion of an HTML document.
      * stevep - performance improvements - about 4 times faster than before.
      */
+
     public static String escapeJavaScriptString(String v) {
         int l = v.length();
         char in[] = new char[l];
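Review bot: the blank line inserted between the Javadoc block and `public static String escapeJavaScriptString` visually detaches the comment from the method; drop it. The Javadoc itself should be updated in this patch, because the method now also turns `&` into `&amp;` and passes existing `&...;` runs through, which is HTML handling the comment does not mention.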
@@ -358,28 +359,55 @@ public class CMSTemplate extends CMSFile {
         for (int i = 0; i < l; i++) {
             char c = in[i];
 
-            if ((c > 0x23) && (c != 0x5c) && (c != 0x3c) && (c != 0x3e)) {
+            if ((c > 0x23) && (c != 0x5c) && (c != 0x3c) && (c != 0x3e) && (c != 0x3b)) {
                 out[j++] = c;
                 continue;
             }
 
-            if ((c == 0x5c) && ((i + 1) < l) && (in[i + 1] == 'n' ||
-                    in[i + 1] == 'r' || in[i + 1] == 'f' || in[i + 1] == 't' ||
-                    in[i + 1] == '<' || in[i + 1] == '>' ||
-                    in[i + 1] == '\"' || in[i + 1] == '\'' || in[i + 1] == '\\')) {
-                if (in[i + 1] == 'x' && ((i + 3) < l) && in[i + 2] == '3' &&
-                        (in[i + 3] == 'c' || in[i + 3] == 'e')) {
+            /* some inputs are coming in as '\' and 'n' */
+            /* see BZ 500736 for details */
+            if ((c == 0x5c) && ((i+1)<l) && (in[i+1] == 'n' ||
+                 in[i+1] == 'r' || in[i+1] == 'f' || in[i+1] == 't' ||
+                 in[i+1] == '<' || in[i+1] == '>' ||
+                 in[i+1] == 'x' || in[i+1] == ';' ||
+                 in[i+1] == '\"' || in[i+1] == '\'' || in[i+1] == '\\')) {
+                if (in[i+1] == 'x' && ((i+3)<l) && in[i+2] == '3' &&
+                    (in[i+3] == 'c' || in[i+3] == 'e')) {
                     out[j++] = '\\';
-                    out[j++] = in[i + 1];
-                    out[j++] = in[i + 2];
-                    out[j++] = in[i + 3];
+                    out[j++] = in[i+1];
+                    out[j++] = in[i+2];
+                    out[j++] = in[i+3];
                     i += 3;
+                    continue;
+                } else if (in[i+1] == '<' || in[i+1] == '>') {
+                    c = in[i+1];
+                    i++;
+                } else if (in[i+1] == ';') {
+                    out[j++] = in[i+1];
+                    i++;
+                    continue;
                 } else {
                     out[j++] = '\\';
-                    out[j++] = in[i + 1];
+                    out[j++] = in[i+1];
                     i++;
+                    continue;
+                }
+            }
+            if (c == '&') {
+                int k;
+                for (k = 0; k < 8 && (i+k) < l; k++) {
+                    out[j+k] = in[i+k];
+                    if (in[i+k] == ';') break;
+                    if (in[i+k] == '<' || in[i+k] == '>') {
+                        k = 8;
+                        break;
+                    }
+                }
+                if (k < 8) {
+                    i += k;
+                    j += k + 1;
+                    continue;
                 }
-                continue;
             }
 
             switch (c) {
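Review bot: off-by-one in the `&` scanner when the input ends before a `;`: the loop exits with k equal to the number of characters copied, but `j += k + 1` advances past one slot that was never written, so an input ending in something like `&ab` emits a stray NUL character into the output. Only advance by k + 1 when the loop actually broke on `;`. Two further points: `&amp;` is five output characters per input character, and unlike escapeJavaScriptStringHTML (whose buffer this patch grows to `l * 8`) no buffer change is visible for this method, so confirm its `out` array is not still `l * 4` or an input of repeated `&` will overrun it; and adding `(c != 0x3b)` to the fast path sends every `;` through the full check, yet no `case ';'` exists in the switch, so it lands in `default` unchanged and the exclusion appears to do nothing.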
@@ -427,6 +455,14 @@ public class CMSTemplate extends CMSFile {
                 out[j++] = 'e';
                 break;
 
+            case '&':
+                out[j++] = '&';
+                out[j++] = 'a';
+                out[j++] = 'm';
+                out[j++] = 'p';
+                out[j++] = ';';
+                break;
+
             default:
                 out[j++] = c;
             }
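Review bot: adding `case '&'` producing `&amp;` changes escapeJavaScriptString from a pure JavaScript-string escaper (the doc comment above it describes it as escaping for the JavaScript portion of an HTML document) into a partial HTML encoder, while `<` and `>` in the same method remain `\x3c`/`\x3e`. Mixing the two encodings in one method makes its contract hard to state; either keep this method JS-only and leave `&` to escapeJavaScriptStringHTML, or document precisely which output sinks each method is safe for.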
@@ -438,10 +474,11 @@ public class CMSTemplate extends CMSFile {
      * Like escapeJavaScriptString(String s) but also escape '[' for
      * HTML processing.
      */
+
     public static String escapeJavaScriptStringHTML(String v) {
         int l = v.length();
         char in[] = new char[l];
-        char out[] = new char[l * 4];
+        char out[] = new char[l * 8];
         int j = 0;
 
         v.getChars(0, l, in, 0);
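Review bot: `l * 8` is sized for the new five-character `&amp;` expansion, which deserves a comment next to the array so the next person does not shrink it back; also drop the blank line between the Javadoc and the method, and update the Javadoc, which still says only that `[` is additionally escaped while the method now emits HTML entities for `<`, `>` and `&`.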
@@ -457,6 +494,7 @@ public class CMSTemplate extends CMSFile {
             if ((c == 0x5c) && ((i + 1) < l) && (in[i + 1] == 'n' ||
                     in[i + 1] == 'r' || in[i + 1] == 'f' || in[i + 1] == 't' ||
                     in[i + 1] == '<' || in[i + 1] == '>' ||
+                    in[i + 1] == 'x' || in[i + 1] == ';' ||
                     in[i + 1] == '\"' || in[i + 1] == '\'' || in[i + 1] == '\\')) {
                 if (in[i + 1] == 'x' && ((i + 3) < l) && in[i + 2] == '3' &&
                         (in[i + 3] == 'c' || in[i + 3] == 'e')) {
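Review bot: adding `'x'` to the set of characters that may follow a backslash widens what is passed through: a `\x3c` or `\x3e` sequence is preserved by the inner branch, but any other `\xNN` now reaches the `else` branch, which emits the backslash and the `x` unchanged, whereas before this patch the backslash would have been doubled by the switch. Pre-existing `\x` escapes in input therefore survive into the JavaScript string literal; if only the two `\x3c`/`\x3e` cases are meant to be preserved, check `in[i + 2] == '3'` in the outer condition as well, and document the intent.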
@@ -465,12 +503,38 @@ public class CMSTemplate extends CMSFile {
                     out[j++] = in[i + 2];
                     out[j++] = in[i + 3];
                     i += 3;
+
+                    continue;
+                } else if (in[i + 1] == '<' || in[i + 1] == '>') {
+                    c = in[i + 1];
+                    i++;
+                } else if (in[i + 1] == ';') {
+                    out[j++] = in[i + 1];
+                    i++;
+                    continue;
                 } else {
                     out[j++] = '\\';
                     out[j++] = in[i + 1];
                     i++;
+                    continue;
+                }
+            }
+            if (c == '&') {
+                int k;
+                for (k = 0; k < 8 && (i + k) < l; k++) {
+                    out[j + k] = in[i + k];
+                    if (in[i + k] == ';')
+                        break;
+                    if (in[i + k] == '<' || in[i + k] == '>') {
+                        k = 8;
+                        break;
+                    }
+                }
+                if (k < 8) {
+                    i += k;
+                    j += k + 1;
+                    continue;
                 }
-                continue;
             }
 
             switch (c) {
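Review bot: this `&`-scanning block and the `<`/`>`/`;` branches are a verbatim copy of the ones added to escapeJavaScriptString in the same file, which runs against the commit message's stated goal of removing duplicated escaping code; extract the scanner into a private static helper used by both methods. That also gives a single place to fix the end-of-input case, where the loop exits with k characters copied but `j += k + 1` advances one slot further, leaving an unwritten char in the output. Note too that any `&...;` run of up to eight characters, including numeric character references, is copied through unescaped, so the method is not a complete HTML encoder; that trade-off (avoiding double encoding of already-escaped input) belongs in the Javadoc.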
@@ -505,16 +569,17 @@ public class CMSTemplate extends CMSFile {
                 break;
 
             case '<':
-                out[j++] = '\\';
-                out[j++] = 'x';
-                out[j++] = '3';
-                out[j++] = 'c';
+                out[j++] = '&';
+                out[j++] = 'l';
+                out[j++] = 't';
+                out[j++] = ';';
                 break;
+
             case '>':
-                out[j++] = '\\';
-                out[j++] = 'x';
-                out[j++] = '3';
-                out[j++] = 'e';
+                out[j++] = '&';
+                out[j++] = 'g';
+                out[j++] = 't';
+                out[j++] = ';';
                 break;
 
             default:
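Review bot: `<` and `>` now become `&lt;`/`&gt;` here, but the earlier branch in this same method still passes a pre-existing `\x3c`/`\x3e` through unchanged, so the method emits two different encodings of the same character depending on its input. More importantly, this output is only safe in a sink that HTML-decodes it: ProfileServlet.outputArgString (changed in this patch) writes the result inside a JavaScript string literal, where `&lt;` stays literal text unless the page later inserts the value through an HTML-interpreting API. Document which sinks this variant targets, or pick one encoding and apply it consistently.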
diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileApproveServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileApproveServlet.java
index 7b53430..7ae623f 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileApproveServlet.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileApproveServlet.java
@@ -44,6 +44,7 @@ import com.netscape.certsrv.request.IRequestQueue;
 import com.netscape.certsrv.template.ArgList;
 import com.netscape.certsrv.template.ArgSet;
 import com.netscape.cms.servlet.common.CMSRequest;
+import com.netscape.cms.servlet.common.CMSTemplate;
 
 /**
  * Toggle the approval state of a profile
@@ -359,14 +360,14 @@ public class ProfileApproveServlet extends ProfileServlet {
             args.set(ARG_ERROR_CODE, "1");
             args.set(ARG_ERROR_REASON, e.toString());
             args.set(ARG_ERROR_REASON, CMS.getUserMessage(locale,
-                    "CMS_PROFILE_NOT_FOUND", profileId));
+                    "CMS_PROFILE_NOT_FOUND", CMSTemplate.escapeJavaScriptStringHTML(profileId)));
             outputTemplate(request, response, args);
             return;
         }
         if (profile == null) {
             args.set(ARG_ERROR_CODE, "1");
             args.set(ARG_ERROR_REASON, CMS.getUserMessage(locale,
-                    "CMS_PROFILE_NOT_FOUND", profileId));
+                    "CMS_PROFILE_NOT_FOUND", CMSTemplate.escapeJavaScriptStringHTML(profileId)));
             outputTemplate(request, response, args);
             return;
         }
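Review bot: the first changed block keeps `args.set(ARG_ERROR_REASON, e.toString());` immediately followed by a second `args.set(ARG_ERROR_REASON, ...)` that overwrites it; the first call is dead code and, if it were ever the one that survived, `e.toString()` is not escaped. Remove the dead line while touching this block.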
diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileProcessServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileProcessServlet.java
index 82b168e..33de8ff 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileProcessServlet.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileProcessServlet.java
@@ -45,6 +45,7 @@ import com.netscape.certsrv.template.ArgSet;
 import com.netscape.certsrv.template.ArgString;
 import com.netscape.cms.servlet.cert.RequestProcessor;
 import com.netscape.cms.servlet.common.CMSRequest;
+import com.netscape.cms.servlet.common.CMSTemplate;
 
 /**
  * This servlet approves profile-based request.
@@ -89,14 +90,14 @@ public class ProfileProcessServlet extends ProfileServlet {
 
         IRequest req = processor.getRequest(requestId);
         if (req == null) {
-            setError(args, CMS.getUserMessage(locale, "CMS_REQUEST_NOT_FOUND", requestId), request, response);
+            setError(args, CMS.getUserMessage(locale, "CMS_REQUEST_NOT_FOUND", CMSTemplate.escapeJavaScriptStringHTML(requestId)), request, response);
             return;
         }
 
         String profileId = req.getExtDataInString("profileId");
         if (profileId == null || profileId.equals("")) {
             CMS.debug("ProfileProcessServlet: Profile Id not found");
-            setError(args, CMS.getUserMessage(locale, "CMS_PROFILE_ID_NOT_FOUND"), request, response);
+            setError(args, CMS.getUserMessage(locale, "CMS_PROFILE_ID_NOT_FOUND",CMSTemplate.escapeJavaScriptStringHTML(profileId)), request, response);
             return;
         }
         CMS.debug("ProfileProcessServlet: profileId=" + profileId);
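Review bot: NullPointerException on the second changed line: the enclosing `if` is `profileId == null || profileId.equals("")`, so when profileId is null the new call `CMSTemplate.escapeJavaScriptStringHTML(profileId)` dereferences null (`v.length()` is the first statement of that method). Beyond that, `CMS_PROFILE_ID_NOT_FOUND` was previously called with no argument, so passing an escaped empty string adds nothing; revert this line to the original call. Also missing space after the comma.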
diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileReviewServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileReviewServlet.java
index 2b3ef83..3cbf0f9 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileReviewServlet.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileReviewServlet.java
@@ -51,6 +51,7 @@ import com.netscape.certsrv.request.RequestId;
 import com.netscape.certsrv.template.ArgList;
 import com.netscape.certsrv.template.ArgSet;
 import com.netscape.cms.servlet.common.CMSRequest;
+import com.netscape.cms.servlet.common.CMSTemplate;
 
 /**
  * This servlet allows reviewing of profile-based request.
@@ -201,7 +202,7 @@ public class ProfileReviewServlet extends ProfileServlet {
         if (req == null) {
             args.set(ARG_ERROR_CODE, "1");
             args.set(ARG_ERROR_REASON, CMS.getUserMessage(locale,
-                    "CMS_REQUEST_NOT_FOUND", requestId));
+                    "CMS_REQUEST_NOT_FOUND", CMSTemplate.escapeJavaScriptStringHTML(requestId)));
             outputTemplate(request, response, args);
             return;
         }
@@ -222,7 +223,7 @@ public class ProfileReviewServlet extends ProfileServlet {
         if (profile == null) {
             args.set(ARG_ERROR_CODE, "1");
             args.set(ARG_ERROR_REASON, CMS.getUserMessage(locale,
-                    "CMS_PROFILE_NOT_FOUND", profileId));
+                    "CMS_PROFILE_NOT_FOUND",CMSTemplate.escapeJavaScriptStringHTML(profileId)));
             outputTemplate(request, response, args);
             return;
         }
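Review bot: missing space after the comma before CMSTemplate.escapeJavaScriptStringHTML; the identical call in the previous hunk of this file is formatted correctly, so match it.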
@@ -287,7 +288,7 @@ public class ProfileReviewServlet extends ProfileServlet {
             args.set(ARG_REQUEST_NOTES, "");
         } else {
             args.set(ARG_REQUEST_NOTES,
-                    req.getExtDataInString("requestNotes"));
+                    CMSTemplate.escapeJavaScriptStringHTML(req.getExtDataInString("requestNotes")));
         }
 
         args.set(ARG_RECORD, list);
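Review bot: requestNotes is entity-encoded here when placed into ARG_REQUEST_NOTES, and if that arg is written through ProfileServlet.outputArgString (which this patch also changes to call escapeJavaScriptStringHTML) it is escaped a second time on output. The result is idempotent only because the `&...;` pass-through skips already-encoded runs, which is fragile; pick one layer (preferably the output side) and escape there once, with a comment on the other side saying the value is stored raw.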
diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSelectServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSelectServlet.java
index 10013c8..4b24679 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSelectServlet.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSelectServlet.java
@@ -46,6 +46,7 @@ import com.netscape.certsrv.request.IRequestQueue;
 import com.netscape.certsrv.template.ArgList;
 import com.netscape.certsrv.template.ArgSet;
 import com.netscape.cms.servlet.common.CMSRequest;
+import com.netscape.cms.servlet.common.CMSTemplate;
 
 /**
  * Retrieve detailed information of a particular profile.
@@ -183,7 +184,7 @@ public class ProfileSelectServlet extends ProfileServlet {
         if (profile == null) {
             args.set(ARG_ERROR_CODE, "1");
             args.set(ARG_ERROR_REASON, CMS.getUserMessage(locale,
-                    "CMS_PROFILE_NOT_FOUND", profileId));
+                    "CMS_PROFILE_NOT_FOUND", CMSTemplate.escapeJavaScriptStringHTML(profileId)));
             outputTemplate(request, response, args);
             return;
         }
diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileServlet.java
index be331d6..6145651 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileServlet.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileServlet.java
@@ -44,6 +44,7 @@ import com.netscape.certsrv.util.IStatsSubsystem;
 import com.netscape.cms.servlet.base.CMSServlet;
 import com.netscape.cms.servlet.base.UserInfo;
 import com.netscape.cms.servlet.common.CMSRequest;
+import com.netscape.cms.servlet.common.CMSTemplate;
 import com.netscape.cms.servlet.common.ServletUtils;
 
 /**
@@ -390,103 +391,13 @@ public class ProfileServlet extends CMSServlet {
         statEvents.remove(event);
     }
 
-    protected String escapeJavaScriptString(String v) {
-        int l = v.length();
-        char in[] = new char[l];
-        char out[] = new char[l * 4];
-        int j = 0;
-
-        v.getChars(0, l, in, 0);
-
-        for (int i = 0; i < l; i++) {
-            char c = in[i];
-
-            /* presumably this gives better performance */
-            if ((c > 0x23) && (c != 0x5c) && (c != 0x3c) && (c != 0x3e)) {
-                out[j++] = c;
-                continue;
-            }
-
-            /* some inputs are coming in as '\' and 'n' */
-            /* see BZ 500736 for details */
-            if ((c == 0x5c) && ((i + 1) < l) && (in[i + 1] == 'n' ||
-                    in[i + 1] == 'r' || in[i + 1] == 'f' || in[i + 1] == 't' ||
-                    in[i + 1] == '<' || in[i + 1] == '>' ||
-                    in[i + 1] == '\"' || in[i + 1] == '\'' || in[i + 1] == '\\')) {
-                if (in[i + 1] == 'x' && ((i + 3) < l) && in[i + 2] == '3' &&
-                        (in[i + 3] == 'c' || in[i + 3] == 'e')) {
-                    out[j++] = '\\';
-                    out[j++] = in[i + 1];
-                    out[j++] = in[i + 2];
-                    out[j++] = in[i + 3];
-                    i += 3;
-                } else {
-                    out[j++] = '\\';
-                    out[j++] = in[i + 1];
-                    i++;
-                }
-                continue;
-            }
-
-            switch (c) {
-            case '\n':
-                out[j++] = '\\';
-                out[j++] = 'n';
-                break;
-
-            case '\\':
-                out[j++] = '\\';
-                out[j++] = '\\';
-                break;
-
-            case '\"':
-                out[j++] = '\\';
-                out[j++] = '\"';
-                break;
-
-            case '\r':
-                out[j++] = '\\';
-                out[j++] = 'r';
-                break;
-
-            case '\f':
-                out[j++] = '\\';
-                out[j++] = 'f';
-                break;
-
-            case '\t':
-                out[j++] = '\\';
-                out[j++] = 't';
-                break;
-
-            case '<':
-                out[j++] = '\\';
-                out[j++] = 'x';
-                out[j++] = '3';
-                out[j++] = 'c';
-                break;
-
-            case '>':
-                out[j++] = '\\';
-                out[j++] = 'x';
-                out[j++] = '3';
-                out[j++] = 'e';
-                break;
-
-            default:
-                out[j++] = c;
-            }
-        }
-        return new String(out, 0, j);
-    }
-
     protected void outputArgString(PrintWriter writer, String name, ArgString str)
             throws IOException {
         String s = str.getValue();
 
         // sub \n with "\n"
         if (s != null) {
-            s = escapeJavaScriptString(s);
+            s = CMSTemplate.escapeJavaScriptStringHTML(s);
         }
         writer.println(name + "=\"" + s + "\";");
     }
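Review bot: the removed local escapeJavaScriptString was the JS-only variant, but outputArgString is switched to escapeJavaScriptStringHTML, so every ArgString value written as `name="...";` now carries HTML entities inside a JavaScript string literal; the comment `// sub \n with "\n"` above it is now stale and should describe the actual encoding. Confirm that every consumer of these generated assignments inserts the value via an HTML-interpreting sink, otherwise `&lt;` will be displayed literally.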
diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
index 1ee527c..f3adc5e 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
@@ -62,6 +62,7 @@ import com.netscape.certsrv.request.RequestStatus;
 import com.netscape.cms.servlet.common.AuthCredentials;
 import com.netscape.cms.servlet.common.CMCOutputTemplate;
 import com.netscape.cms.servlet.common.CMSRequest;
+import com.netscape.cms.servlet.common.CMSTemplate;
 import com.netscape.cmsutil.util.Utils;
 
 /**
@@ -331,7 +332,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
             seq.addElement(new INTEGER(0));
             UTF8String s = null;
             try {
-                s = new UTF8String(CMS.getUserMessage(locale, "CMS_PROFILE_NOT_FOUND", profileId));
+                s = new UTF8String(CMS.getUserMessage(locale, "CMS_PROFILE_NOT_FOUND",CMSTemplate.escapeJavaScriptStringHTML(profileId)));
             } catch (Exception ee) {
             }
             template.createFullResponseWithFailedStatus(response, seq,
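Review bot: this message goes into a UTF8String inside a CMC response, not into an HTML page, so HTML-entity encoding of profileId is the wrong context: a CMC client will receive `&lt;`-style text in the status string. Escape at the HTML output sink instead and leave the CMC error text raw. The empty `catch (Exception ee)` that swallows a UTF8String construction failure is pre-existing, but worth at least a debug log while here.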
@@ -347,7 +348,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
             seq.addElement(new INTEGER(0));
             UTF8String s = null;
             try {
-                s = new UTF8String(CMS.getUserMessage(locale, "CMS_PROFILE_NOT_FOUND", profileId));
+                s = new UTF8String(CMS.getUserMessage(locale, "CMS_PROFILE_NOT_FOUND",CMSTemplate.escapeJavaScriptStringHTML(profileId)));
             } catch (Exception ee) {
             }
             template.createFullResponseWithFailedStatus(response, seq,
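Review bot: same CMC-context concern as the previous hunk, and the two hunks build an identical UTF8String status for the same message key; factor the construction into one helper so the encoding decision for CMC status strings is made in one place. Also missing space after the comma.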
diff --git a/base/server/cms/src/com/netscape/cms/servlet/request/CheckRequest.java b/base/server/cms/src/com/netscape/cms/servlet/request/CheckRequest.java
index 246cefd..cba79c3 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/request/CheckRequest.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/request/CheckRequest.java
@@ -279,9 +279,9 @@ public class CheckRequest extends CMSServlet {
         try {
             new BigInteger(requestId);
         } catch (NumberFormatException e) {
-            log(ILogger.LL_FAILURE, CMS.getLogMessage("BASE_INVALID_NUMBER_FORMAT_1", requestId));
+            log(ILogger.LL_FAILURE, CMS.getLogMessage("BASE_INVALID_NUMBER_FORMAT_1",  requestId));
             throw new EBaseException(
-                    CMS.getUserMessage(getLocale(req), "CMS_BASE_INVALID_NUMBER_FORMAT_1", requestId));
+                    CMS.getUserMessage(getLocale(req), "CMS_BASE_INVALID_NUMBER_FORMAT_1",CMSTemplate.escapeJavaScriptStringHTML( requestId)));
         }
 
         IRequest r = mQueue.findRequest(new RequestId(requestId));
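Review bot: no import hunk for CMSTemplate appears in this file, unlike every other file in the patch, so confirm CheckRequest already imports com.netscape.cms.servlet.common.CMSTemplate or this will not compile. The change to the log line is whitespace-only (it introduces a double space before requestId) and should be dropped, and `escapeJavaScriptStringHTML( requestId)` has a stray space after the parenthesis and none after the preceding comma.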
@@ -321,7 +321,7 @@ public class CheckRequest extends CMSServlet {
         header.addLongValue(CREATE_ON, r.getCreationTime().getTime() / 1000);
         header.addLongValue(UPDATE_ON, r.getModificationTime().getTime() / 1000);
         if (note != null && note.length() > 0)
-            header.addStringValue("requestNotes", note);
+            header.addStringValue("requestNotes",CMSTemplate.escapeJavaScriptStringHTML(note));
 
         String type = r.getRequestType();
         Integer result = r.getExtDataInInteger(IRequest.RESULT);
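Review bot: note is entity-encoded before `header.addStringValue`, and CMSTemplate wraps string header values with escapeJavaScriptString when rendering (see the CMSTemplate hunk at -319), so the value passes through both escapers; add a comment that the entity encoding is intentional for the HTML template, and a space after the comma.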
-- 
2.1.0

