From 95cb32d86dd9ad6aae8f8ab64328b00f2372f2af Mon Sep 17 00:00:00 2001
From: Mic <misvy@vmware.com>
Date: Sat, 19 Jan 2013 03:02:12 +0800
Subject: [PATCH] used tag c:out for EL to prevent HTML injection

---
 .../webapp/WEB-INF/jsp/owners/ownerDetails.jsp | 14 +++++++-------
 src/main/webapp/WEB-INF/jsp/owners/ownersList.jsp | 10 +++++-----
 .../WEB-INF/jsp/pets/createOrUpdateVisitForm.jsp | 8 ++++----
 3 files changed, 16 insertions(+), 16 deletions(-)

diff --git a/src/main/webapp/WEB-INF/jsp/owners/ownerDetails.jsp b/src/main/webapp/WEB-INF/jsp/owners/ownerDetails.jsp
index 0f59f5d..00e40d5 100644
--- a/src/main/webapp/WEB-INF/jsp/owners/ownerDetails.jsp
+++ b/src/main/webapp/WEB-INF/jsp/owners/ownerDetails.jsp
@@ -17,19 +17,19 @@
  <table class="table table-striped" style="width:600px;">
  <tr>
  <th>Name</th>
- <td><b>${owner.firstName} ${owner.lastName}</b></td>
+ <td><b><c:out value="${owner.firstName} ${owner.lastName}"/></b></td>
  </tr>
  <tr>
  <th>Address</th>
- <td>${owner.address}</td>
+ <td><c:out value="${owner.address}"/></td>
  </tr>
  <tr>
  <th>City</th>
- <td>${owner.city}</td>
+ <td><c:out value="${owner.city}"/></td>
  </tr>
  <tr>
  <th>Telephone </th>
- <td>${owner.telephone}</td>
+ <td><c:out value="${owner.telephone}"/></td>
  </tr>
  </table>
  <table class="table-buttons">
@@ -57,11 +57,11 @@
  <td valign="top" style="width: 120px;">
  <dl class="dl-horizontal">
  <dt>Name</dt>
- <dd>${pet.name}</dd>
+ <dd><c:out value="${pet.name}"/></dd>
  <dt>Birth Date</dt>
  <dd><joda:format value="${pet.birthDate}" pattern="yyyy-MM-dd" /></dd>
  <dt>Type</dt>
- <dd>${pet.type.name}</dd>
+ <dd><c:out value="${pet.type.name}"/></dd>
  </dl>
  </td>
  <td valign="top">
@@ -75,7 +75,7 @@
  <c:forEach var="visit" items="${pet.visits}">
  <tr>
  <td><joda:format value="${visit.date}" pattern="yyyy-MM-dd"/></td>
- <td>${visit.description}</td>
+ <td><c:out value="${visit.description}"/></td>
  </tr>
  </c:forEach>
  </table>
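Review bot: The `<c:out>` wrapping on the four owner fields in the first hunk (and on `pet.name`, `pet.type.name` and `visit.description` in the second and third hunks of this file) escapes element content only; it does not cover EL that is rendered inside an attribute value, a URL or a `<script>` block, so any such occurrence elsewhere in this page still needs context-specific encoding (the `fn:escapeXml(ownerUrl)` already used on the `href` in ownersList.jsp is the attribute-context equivalent). The `joda:format` outputs in the second and third hunks stay unwrapped, which is acceptable because that tag emits a formatted date rather than user-supplied text. A view-level regression test that renders an owner whose name contains `<` and asserts the response contains `&lt;` would keep this fix from being silently undone by a later template edit.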
diff --git a/src/main/webapp/WEB-INF/jsp/owners/ownersList.jsp b/src/main/webapp/WEB-INF/jsp/owners/ownersList.jsp
index 99bf63c..53145ec 100644
--- a/src/main/webapp/WEB-INF/jsp/owners/ownersList.jsp
+++ b/src/main/webapp/WEB-INF/jsp/owners/ownersList.jsp
@@ -29,14 +29,14 @@
  <spring:url value="owners/{ownerId}.html" var="ownerUrl">
  <spring:param name="ownerId" value="${owner.id}"/>
  </spring:url>
- <a href="${fn:escapeXml(ownerUrl)}">${owner.firstName} ${owner.lastName}</a>
+ <a href="${fn:escapeXml(ownerUrl)}"><c:out value="${owner.firstName} ${owner.lastName}" /></a>
  </td>
- <td>${owner.address}</td>
- <td>${owner.city}</td>
- <td>${owner.telephone}</td>
+ <td><c:out value="${owner.address}"/></td>
+ <td><c:out value="${owner.city}"/></td>
+ <td><c:out value="${owner.telephone}"/></td>
  <td>
  <c:forEach var="pet" items="${owner.pets}">
- ${pet.name}
+ <c:out value="${pet.name}"/>
  </c:forEach>
  </td>
  </tr>
diff --git a/src/main/webapp/WEB-INF/jsp/pets/createOrUpdateVisitForm.jsp b/src/main/webapp/WEB-INF/jsp/pets/createOrUpdateVisitForm.jsp
index 11f5016..c3f8b9c 100644
--- a/src/main/webapp/WEB-INF/jsp/pets/createOrUpdateVisitForm.jsp
+++ b/src/main/webapp/WEB-INF/jsp/pets/createOrUpdateVisitForm.jsp
@@ -25,10 +25,10 @@
  </tr>
  </thead>
  <tr>
- <td>${visit.pet.name}</td>
+ <td><c:out value="${visit.pet.name}" /></td>
  <td><joda:format value="${visit.pet.birthDate}" pattern="yyyy-MM-dd"/></td>
- <td>${visit.pet.type.name}</td>
- <td>${visit.pet.owner.firstName} ${visit.pet.owner.lastName}</td>
+ <td><c:out value="${visit.pet.type.name}" /></td>
+ <td><c:out value="${visit.pet.owner.firstName} ${visit.pet.owner.lastName}" /></td>
  </tr>
  </table>
 
@@ -71,7 +71,7 @@
  <c:if test="${!visit['new']}">
  <tr>
  <td><joda:format value="${visit.date}" pattern="yyyy-MM-dd"/></td>
- <td>${visit.description}</td>
+ <td><c:out value="${visit.description}" /></td>
  </tr>
  </c:if>
  </c:forEach>
-- 
GitLab
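Review bot: The self-closing form is inconsistent within the ownersList.jsp hunk: the anchor line writes `<c:out value="…" />` while the three `<td>` lines and the `pet.name` line write `<c:out value="…"/>`, and ownerDetails.jsp uses the latter throughout while createOrUpdateVisitForm.jsp uses the former. Pick one spelling and apply it across the three files so the escaping calls stay easy to grep for. The `fn:escapeXml(ownerUrl)` on the `href` and the new `<c:out>` on the link text serve different contexts (attribute value versus element content), so both are needed and neither should later be folded into the other.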
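Review bot: The two createOrUpdateVisitForm.jsp hunks escape the read-only pet, owner and past-visit cells, but the part of the form between them (old lines 35–70, outside this patch) is where the editable `description` is presumably echoed back through Spring form tags, and that path is not touched here. Whether those tags escape the echoed value depends on their `htmlEscape` attribute or the `defaultHtmlEscape` context parameter rather than on `<c:out>`, so it is worth confirming that setting in web.xml alongside this change. The enclosing `<c:forEach>` of the second hunk starts outside the hunk.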