Backport XSS security fixes to Eclipse 3.2 maintenance stream
diff --git a/org.eclipse.help.webapp/META-INF/MANIFEST.MF b/org.eclipse.help.webapp/META-INF/MANIFEST.MF
index 7a6711e..c5d9ff6 100644
--- a/org.eclipse.help.webapp/META-INF/MANIFEST.MF
+++ b/org.eclipse.help.webapp/META-INF/MANIFEST.MF
@@ -2,7 +2,7 @@
 Bundle-ManifestVersion: 2
 Bundle-Name: %help_webapp_plugin_name
 Bundle-SymbolicName: org.eclipse.help.webapp; singleton:=true
-Bundle-Version: 3.2.2.qualifier
+Bundle-Version: 3.2.3.qualifier
 Bundle-ClassPath: webapp.jar
 Bundle-Activator: org.eclipse.help.internal.webapp.HelpWebappPlugin
 Bundle-Vendor: %providerName
diff --git a/org.eclipse.help.webapp/advanced/confirm.jsp b/org.eclipse.help.webapp/advanced/confirm.jsp
index 5bdb3f1..9f191be 100644
--- a/org.eclipse.help.webapp/advanced/confirm.jsp
+++ b/org.eclipse.help.webapp/advanced/confirm.jsp
@@ -1,5 +1,5 @@
 <%--
- Copyright (c) 2000, 2006 IBM Corporation and others.
+ Copyright (c) 2000, 2010 IBM Corporation and others.
  All rights reserved. This program and the accompanying materials 
  are made available under the terms of the Eclipse Public License v1.0
  which accompanies this distribution, and is available at
@@ -75,7 +75,7 @@
 %>
 	sizeButtons();
 <%}%>
-	document.getElementById("<%=request.getParameter("initialFocus")%>").focus();
+	document.getElementById("<%=UrlUtil.JavaScriptEncode(request.getParameter("initialFocus"))%>").focus();
 }
 
 function sizeButtons() {
@@ -93,10 +93,10 @@
 	try{
 <% if ("true".equalsIgnoreCase(request.getParameter("dontaskagain")) ){ %>
 		if(document.getElementById("dontask").checked){
-			window.opener.<%=request.getParameter("dontaskagainCallback")%>;
+			window.opener.<%=UrlUtil.JavaScriptEncode(request.getParameter("dontaskagainCallback"))%>;
 		}
 <% } %>
-		window.opener.<%=request.getParameter("confirmCallback")%>;
+		window.opener.<%=UrlUtil.JavaScriptEncode(request.getParameter("confirmCallback"))%>;
 	} catch(e) {}
  	window.close();
 	return false;
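Review bot: The two callback parameters on the new `window.opener.<%=...%>;` lines are still emitted as JavaScript code rather than inside a quoted literal, so an encoder designed for string literals does not constrain what the request can place there. `UrlUtil.JavaScriptEncode` is not defined in this diff, so it is not possible to tell from here whether its output in this position is inert or simply a syntax error that breaks the dialog. The safer pattern is to compare `confirmCallback` and `dontaskagainCallback` server-side against the fixed set of callbacks the help UI actually passes and emit nothing when there is no match. The empty `catch(e) {}` just below would hide a callback that no longer runs, so both buttons are worth testing after this backport.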
diff --git a/org.eclipse.help.webapp/advanced/help.jsp b/org.eclipse.help.webapp/advanced/help.jsp
index 3090d20..ad3f62d 100644
--- a/org.eclipse.help.webapp/advanced/help.jsp
+++ b/org.eclipse.help.webapp/advanced/help.jsp
@@ -1,5 +1,5 @@
 <%--
- Copyright (c) 2000, 2004 IBM Corporation and others.
+ Copyright (c) 2000, 2010 IBM Corporation and others.
  All rights reserved. This program and the accompanying materials 
  are made available under the terms of the Eclipse Public License v1.0
  which accompanies this distribution, and is available at
@@ -134,13 +134,13 @@
 <%
 if (isRTL) {
 %>
-   	<frame name="ContentFrame" title="<%=ServletResources.getString("ignore", "ContentFrame", request)%>" class="content" src='<%="content.jsp"+data.getQuery()%>' marginwidth="0" marginheight="0" scrolling="no" frameborder="0" resize=yes>
-   	<frame class="nav" name="NavFrame" title="<%=ServletResources.getString("ignore", "NavFrame", request)%>" src='<%="nav.jsp"+data.getQuery()%>' marginwidth="0" marginheight="0" scrolling="no" frameborder="1" resize=yes>
+   	<frame name="ContentFrame" title="<%=ServletResources.getString("ignore", "ContentFrame", request)%>" class="content" src='<%="content.jsp"+UrlUtil.htmlEncode(data.getQuery())%>' marginwidth="0" marginheight="0" scrolling="no" frameborder="0" resize=yes>
+   	<frame class="nav" name="NavFrame" title="<%=ServletResources.getString("ignore", "NavFrame", request)%>" src='<%="nav.jsp"+UrlUtil.htmlEncode(data.getQuery())%>' marginwidth="0" marginheight="0" scrolling="no" frameborder="1" resize=yes>
 <%
 } else {
 %>
-   	<frame class="nav" name="NavFrame" title="<%=ServletResources.getString("ignore", "NavFrame", request)%>" src='<%="nav.jsp"+data.getQuery()%>' marginwidth="0" marginheight="0" scrolling="no" frameborder="1" resize=yes>
-   	<frame name="ContentFrame" title="<%=ServletResources.getString("ignore", "ContentFrame", request)%>" class="content" src='<%="content.jsp"+data.getQuery()%>' marginwidth="0" marginheight="0" scrolling="no" frameborder="0" resize=yes>
+   	<frame class="nav" name="NavFrame" title="<%=ServletResources.getString("ignore", "NavFrame", request)%>" src='<%="nav.jsp"+UrlUtil.htmlEncode(data.getQuery())%>' marginwidth="0" marginheight="0" scrolling="no" frameborder="1" resize=yes>
+   	<frame name="ContentFrame" title="<%=ServletResources.getString("ignore", "ContentFrame", request)%>" class="content" src='<%="content.jsp"+UrlUtil.htmlEncode(data.getQuery())%>' marginwidth="0" marginheight="0" scrolling="no" frameborder="0" resize=yes>
 <%
 }
 %>
diff --git a/org.eclipse.help.webapp/advanced/index.jsp b/org.eclipse.help.webapp/advanced/index.jsp
index 9bf393c..ac9b6c4 100644
--- a/org.eclipse.help.webapp/advanced/index.jsp
+++ b/org.eclipse.help.webapp/advanced/index.jsp
@@ -1,5 +1,5 @@
 <%--
- Copyright (c) 2000, 2004 IBM Corporation and others.
+ Copyright (c) 2000, 2009 IBM Corporation and others.
  All rights reserved. This program and the accompanying materials 
  are made available under the terms of the Eclipse Public License v1.0
  which accompanies this distribution, and is available at
@@ -69,8 +69,8 @@
 <%
 	}
 %>
-	<frame name="SearchFrame" title="<%=ServletResources.getString("helpToolbarFrame", request)%>" src='<%="advanced/search.jsp"+data.getQuery()%>' marginwidth="0" marginheight="0" scrolling="no" frameborder="0" noresize=0>
-	<frame name="HelpFrame" title="<%=ServletResources.getString("ignore", "HelpFrame", request)%>" src='<%="advanced/help.jsp"+data.getQuery()%>' marginwidth="0" marginheight="0" scrolling="no" frameborder="0" >
+	<frame name="SearchFrame" title="<%=ServletResources.getString("helpToolbarFrame", request)%>" src='<%="advanced/search.jsp"+UrlUtil.htmlEncode(data.getQuery())%>' marginwidth="0" marginheight="0" scrolling="no" frameborder="0" noresize=0>
+	<frame name="HelpFrame" title="<%=ServletResources.getString("ignore", "HelpFrame", request)%>" src='<%="advanced/help.jsp"+UrlUtil.htmlEncode(data.getQuery())%>' marginwidth="0" marginheight="0" scrolling="no" frameborder="0" >
 </frameset>
 
 </html>
diff --git a/org.eclipse.help.webapp/advanced/searchScoped.jsp b/org.eclipse.help.webapp/advanced/searchScoped.jsp
index f85a944..814aff4 100644
--- a/org.eclipse.help.webapp/advanced/searchScoped.jsp
+++ b/org.eclipse.help.webapp/advanced/searchScoped.jsp
@@ -1,5 +1,5 @@
 <%--
- Copyright (c) 2000, 2004 IBM Corporation and others.
+ Copyright (c) 2000, 2010 IBM Corporation and others.
  All rights reserved. This program and the accompanying materials 
  are made available under the terms of the Eclipse Public License v1.0
  which accompanies this distribution, and is available at
@@ -234,8 +234,8 @@
 					<a id="scopeLabel" href="javascript:openAdvanced();" title='<%=ServletResources.getString("ScopeTooltip", request)%>' alt='<%=ServletResources.getString("ScopeTooltip", request)%>' onmouseover="window.status='<%=ServletResources.getString("ScopeTooltip", request)%>'; return true;" onmouseout="window.status='';"><%=ServletResources.getLabel("Scope", request)%>:</a>
 				</td>
 				<td nowrap>
-					<input type="hidden" name="workingSet" value='<%=data.getScope()%>'>
-					<div id="scope" ><%=data.getScope()%></div>
+					<input type="hidden" name="workingSet" value='<%=UrlUtil.htmlEncode(data.getScope())%>'>
+					<div id="scope" ><%=UrlUtil.htmlEncode(data.getScope())%></div>
 				</td>
 			</tr>
 
diff --git a/org.eclipse.help.webapp/advanced/searchView.jsp b/org.eclipse.help.webapp/advanced/searchView.jsp
index 5ab85b4..10c323d 100644
--- a/org.eclipse.help.webapp/advanced/searchView.jsp
+++ b/org.eclipse.help.webapp/advanced/searchView.jsp
@@ -1,5 +1,5 @@
 <%--
- Copyright (c) 2000, 2006 IBM Corporation and others.
+ Copyright (c) 2000, 2010 IBM Corporation and others.
  All rights reserved. This program and the accompanying materials 
  are made available under the terms of the Eclipse Public License v1.0
  which accompanies this distribution, and is available at
@@ -39,7 +39,7 @@
 
 function refresh() 
 { 
-	window.location.replace("searchView.jsp?<%=request.getQueryString()%>");
+	window.location.replace("searchView.jsp?<%=UrlUtil.htmlEncode(request.getQueryString())%>");
 }
 </script>
 
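Review bot: `UrlUtil.htmlEncode` is the wrong encoder for the new `window.location.replace("searchView.jsp?...")` line, because the value lands inside a JavaScript string in a `<script>` block rather than in HTML markup. In an HTML (non-XHTML) page entities are not decoded there, so every `&` separator in the query reaches the browser as a literal `&amp;` and the refreshed URL no longer carries the same parameters. The mapping in UrlUtil.java also has no entry for backslash or line terminators, which a string-literal encoder needs. The commit already uses the matching encoder elsewhere, so this line could be `window.location.replace("searchView.jsp?<%=UrlUtil.JavaScriptEncode(request.getQueryString())%>");`. `getQueryString()` may also be null on a request without a query, and how either encoder treats null is not visible in this diff.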
diff --git a/org.eclipse.help.webapp/advanced/tabs.jsp b/org.eclipse.help.webapp/advanced/tabs.jsp
index 8592b38..c71ef14 100644
--- a/org.eclipse.help.webapp/advanced/tabs.jsp
+++ b/org.eclipse.help.webapp/advanced/tabs.jsp
@@ -1,5 +1,5 @@
 <%--
- Copyright (c) 2000, 2004 IBM Corporation and others.
+ Copyright (c) 2000, 2009 IBM Corporation and others.
  All rights reserved. This program and the accompanying materials 
  are made available under the terms of the Eclipse Public License v1.0
  which accompanies this distribution, and is available at
@@ -262,7 +262,7 @@
 <%
 		}
 %>
-	<td  title="<%=title%>" 
+	<td  title="<%=UrlUtil.htmlEncode(title)%>" 
 	     align="center"  
 	     valign="middle"
 	     class="tab" 
@@ -276,8 +276,8 @@
 	         onmouseout="window.status='';"
 	         id="link<%=views[i].getName()%>"
 	         <%=views[i].getKey()==View.NO_SHORTCUT?"":"ACCESSKEY=\""+views[i].getKey()+"\""%>>
-	         <img alt="<%=title%>" 
-	              title="<%=title%>" 
+	         <img alt="<%=UrlUtil.htmlEncode(title)%>" 
+	              title="<%=UrlUtil.htmlEncode(title)%>" 
 	              src="<%=views[i].getOnImage()%>"
 	              id="img<%=views[i].getName()%>"
 	              height="16"
diff --git a/org.eclipse.help.webapp/advanced/views.jsp b/org.eclipse.help.webapp/advanced/views.jsp
index f9c3b17..64c35df 100644
--- a/org.eclipse.help.webapp/advanced/views.jsp
+++ b/org.eclipse.help.webapp/advanced/views.jsp
@@ -1,5 +1,5 @@
 <%--
- Copyright (c) 2000, 2006 IBM Corporation and others.
+ Copyright (c) 2000, 2010 IBM Corporation and others.
  All rights reserved. This program and the accompanying materials 
  are made available under the terms of the Eclipse Public License v1.0
  which accompanies this distribution, and is available at
@@ -208,7 +208,7 @@
  		    name="<%=views[i].getName()%>"
  		    title="<%=ServletResources.getString("ignore", views[i].getName(), request)%>"
  		    id="<%=views[i].getName()%>" 
- 		    src='<%="view.jsp?view="+views[i].getName()+(request.getQueryString()==null?"":("&"+request.getQueryString()))%>'>
+ 		    src='<%="view.jsp?view="+views[i].getName()+(request.getQueryString()==null?"":("&"+UrlUtil.htmlEncode(request.getQueryString())))%>'>
  	</iframe> 
 <%
 	}
diff --git a/org.eclipse.help.webapp/advanced/workingSet.jsp b/org.eclipse.help.webapp/advanced/workingSet.jsp
index 2fdc77d..b5eee04 100644
--- a/org.eclipse.help.webapp/advanced/workingSet.jsp
+++ b/org.eclipse.help.webapp/advanced/workingSet.jsp
@@ -1,5 +1,5 @@
 <%--
- Copyright (c) 2000, 2004 IBM Corporation and others.
+ Copyright (c) 2000, 2010 IBM Corporation and others.
  All rights reserved. This program and the accompanying materials 
  are made available under the terms of the Eclipse Public License v1.0
  which accompanies this distribution, and is available at
@@ -129,7 +129,7 @@
 var plus = new Image();
 plus.src = "<%=prefs.getImagesDirectory()%>"+"/plus.gif";
 
-var oldName = '<%=data.isEditMode()?data.getWorkingSetName():""%>';
+var oldName = '<%=data.isEditMode()?UrlUtil.JavaScriptEncode(data.getWorkingSetName()):""%>';
 var altBookClosed = "<%=UrlUtil.JavaScriptEncode(ServletResources.getString("bookClosed", request))%>";
 var altBookOpen = "<%=UrlUtil.JavaScriptEncode(ServletResources.getString("bookOpen", request))%>";
 
@@ -169,7 +169,7 @@
 		if (!hrefs || hrefs == "")
 			return false;
 
-		var query = "operation="+'<%=data.getOperation()%>'+"&workingSet="+encodeURIComponent(workingSet)+ hrefs+"&oldName="+encodeURIComponent(oldName);
+		var query = "operation="+'<%=UrlUtil.JavaScriptEncode(data.getOperation())%>'+"&workingSet="+encodeURIComponent(workingSet)+ hrefs+"&oldName="+encodeURIComponent(oldName);
 		window.opener.location.replace("workingSetManager.jsp?"+query);
 		window.opener.focus();
 		window.close();
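Review bot: `operation` is the only value in the new `var query = ...` line that is concatenated into the URL without `encodeURIComponent`, so JavaScript-level escaping alone still lets characters such as `&` or `=` in it reshape the request sent to workingSetManager.jsp. Wrapping it like its neighbours closes that: `"operation="+encodeURIComponent('<%=UrlUtil.JavaScriptEncode(data.getOperation())%>')+"&workingSet="+...`. The literal is single-quoted here and on the `var oldName` line of the previous hunk, while the existing `altBookClosed`/`altBookOpen` lines use double quotes; `UrlUtil.JavaScriptEncode` is not shown in this diff, so confirm that it escapes `'` as well. The enclosing function starts and ends outside the hunk.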
@@ -349,7 +349,8 @@
 	<table id="wsTable" width="100%" cellspacing=0 cellpading=0 border=0 align=center >
 		<tr><td style="padding:5px 10px 0px 10px;"><label for="workingSet" accesskey="<%=ServletResources.getAccessKey("WorkingSetName", request)%>"><%=ServletResources.getLabel("WorkingSetName", request)%>:</label>
 		</td></tr>
-		<tr><td style="padding:0px 10px;"><input type="text" id="workingSet" name="workingSet" value='<%=data.isEditMode()?data.getWorkingSetName():""%>' maxlength=256 alt='<%=ServletResources.getString("WorkingSetName", request)%>' title='<%=ServletResources.getString("WorkingSetName", request)%>' onkeyup="enableOK();return true;">
+		<tr><td style="padding:0px 10px;"><input type="text" id="workingSet" name="workingSet" 
+		    value='<%=data.isEditMode()?UrlUtil.htmlEncode(data.getWorkingSetName()):""%>' maxlength=256 alt='<%=ServletResources.getString("WorkingSetName", request)%>' title='<%=ServletResources.getString("WorkingSetName", request)%>' onkeyup="enableOK();return true;">
         </td></tr>
          <tr><td><div id="selectBook" style="padding-top:5px; margin-<%=isRTL?"right":"left"%>:10px;"><%=ServletResources.getString("WorkingSetContent", request)%>:</div>
 		</td></tr>
diff --git a/org.eclipse.help.webapp/advanced/workingSetManager.jsp b/org.eclipse.help.webapp/advanced/workingSetManager.jsp
index cf6ecbc..a045496 100644
--- a/org.eclipse.help.webapp/advanced/workingSetManager.jsp
+++ b/org.eclipse.help.webapp/advanced/workingSetManager.jsp
@@ -1,5 +1,5 @@
 <%--
- Copyright (c) 2000, 2004 IBM Corporation and others.
+ Copyright (c) 2000, 2010 IBM Corporation and others.
  All rights reserved. This program and the accompanying materials 
  are made available under the terms of the Eclipse Public License v1.0
  which accompanies this distribution, and is available at
@@ -261,8 +261,8 @@
 		   href='#' 
 		   onclick="active=this;highlightHandler()"
    		   ondblclick="selectWorkingSet()"
-		   title="<%=wsets[i]%>">
-		   <%=wsets[i]%>
+		   title="<%=UrlUtil.htmlEncode(wsets[i])%>">
+		   <%=UrlUtil.htmlEncode(wsets[i])%>
 		 </a>
 	</td>
 </tr>
diff --git a/org.eclipse.help.webapp/basic/advanced.inc b/org.eclipse.help.webapp/basic/advanced.inc
index bcbddd6..91474ee 100644
--- a/org.eclipse.help.webapp/basic/advanced.inc
+++ b/org.eclipse.help.webapp/basic/advanced.inc
@@ -1,5 +1,5 @@
 <%--
- Copyright (c) 2000, 2004 IBM Corporation and others.
+ Copyright (c) 2000, 2009 IBM Corporation and others.
  All rights reserved. This program and the accompanying materials 
  are made available under the terms of the Eclipse Public License v1.0
  which accompanies this distribution, and is available at
@@ -18,7 +18,7 @@
 		</tr>
 		<tr>
 			<td nowrap>
-				<input type="text" name="searchWord" id="searchWord" value='<%=data.getSearchWord()%>' maxlength=256 alt='<%=ServletResources.getString("SearchExpression", request)%>' title='<%=ServletResources.getString("SearchExpression", request)%>'>
+				<input type="text" name="searchWord" id="searchWord" value='<%=UrlUtil.htmlEncode(data.getSearchWord())%>' maxlength=256 alt='<%=ServletResources.getString("SearchExpression", request)%>' title='<%=ServletResources.getString("SearchExpression", request)%>'>
           	  	<input type="hidden" name="maxHits" value="500" >
           	  	<input type="hidden" name="scopedSearch" value="true" >
 				<input type="submit" value='<%=ServletResources.getString("GO", request)%>' alt='<%=ServletResources.getString("GO", request)%>' title='<%=ServletResources.getString("GO", request)%>'>
diff --git a/org.eclipse.help.webapp/basic/searchView.jsp b/org.eclipse.help.webapp/basic/searchView.jsp
index b154f11..b31b69a 100644
--- a/org.eclipse.help.webapp/basic/searchView.jsp
+++ b/org.eclipse.help.webapp/basic/searchView.jsp
@@ -1,5 +1,5 @@
 <%--
- Copyright (c) 2000, 2006 IBM Corporation and others.
+ Copyright (c) 2000, 2009 IBM Corporation and others.
  All rights reserved. This program and the accompanying materials 
  are made available under the terms of the Eclipse Public License v1.0
  which accompanies this distribution, and is available at
@@ -24,7 +24,7 @@
 <%
 if (data.isProgressRequest()) {
 %>
- <meta HTTP-EQUIV="REFRESH" CONTENT="2;URL=<%="searchView.jsp?"+request.getQueryString()%>">
+ <meta HTTP-EQUIV="REFRESH" CONTENT="2;URL=<%="searchView.jsp?"+UrlUtil.htmlEncode(request.getQueryString())%>">
 <%
 }
 %>
@@ -83,9 +83,9 @@
 	<td align='<%=isRTL?"right":"left"%>' nowrap>
 		&nbsp;
 		<a <%=("a"+topic).equals(data.getSelectedTopicId())?" name=\"selectedItem\" ":""%>
-			href='<%=data.getTopicHref(topic)%>' 
-			title="<%=data.getTopicTocLabel(topic)%>">
-			<%=data.getTopicLabel(topic)%>
+			href='<%=UrlUtil.htmlEncode(data.getTopicHref(topic))%>' 
+			title="<%=UrlUtil.htmlEncode(data.getTopicTocLabel(topic))%>">
+			<%=UrlUtil.htmlEncode(data.getTopicLabel(topic))%>
 		</a>
 	</td>
 </tr>
diff --git a/org.eclipse.help.webapp/basic/tabs.jsp b/org.eclipse.help.webapp/basic/tabs.jsp
index a6f364c..40fa415 100644
--- a/org.eclipse.help.webapp/basic/tabs.jsp
+++ b/org.eclipse.help.webapp/basic/tabs.jsp
@@ -62,7 +62,7 @@
 		String viewHref="view.jsp?view="+views[i].getName();
 		// always pass query string to "links view"
 		if("links".equals(views[i].getName())){
-			viewHref=viewHref+(request.getQueryString()!=null?"&"+request.getQueryString():"");
+			viewHref=viewHref+(request.getQueryString()!=null?"&"+UrlUtil.htmlEncode(request.getQueryString()):"");
 		}
 		
 %>
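Review bot: The query string is HTML-encoded when `viewHref` is assembled in the scriptlet, not where the value is written to the page, and the output site is outside this hunk. If `viewHref` is later printed into anything other than an HTML attribute or text node, or is passed through an encoder again, the result will be the wrong escaping or a double-escaped `&amp;amp;`. Encoding at the expression that emits it, e.g. `<%=UrlUtil.htmlEncode(viewHref)%>`, keeps the encoder next to the context it protects and also covers the `views[i].getName()` part.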
diff --git a/org.eclipse.help.webapp/src_servlets/org/eclipse/help/internal/webapp/data/UrlUtil.java b/org.eclipse.help.webapp/src_servlets/org/eclipse/help/internal/webapp/data/UrlUtil.java
index fad14cc..826e70e 100644
--- a/org.eclipse.help.webapp/src_servlets/org/eclipse/help/internal/webapp/data/UrlUtil.java
+++ b/org.eclipse.help.webapp/src_servlets/org/eclipse/help/internal/webapp/data/UrlUtil.java
@@ -1,5 +1,5 @@
 /*******************************************************************************
- * Copyright (c) 2000, 2006 IBM Corporation and others.
+ * Copyright (c) 2000, 2010 IBM Corporation and others.
  * All rights reserved. This program and the accompanying materials
  * are made available under the terms of the Eclipse Public License v1.0
  * which accompanies this distribution, and is available at
@@ -22,9 +22,10 @@
 
 public class UrlUtil {
 	// XML escaped characters mapping
-	private static final String invalidXML[] = {"&", ">", "<", "\""}; //$NON-NLS-1$ //$NON-NLS-2$ //$NON-NLS-3$ //$NON-NLS-4$
+	private static final String invalidXML[] = {"&", ">", "<", "\"", "'"}; //$NON-NLS-1$ //$NON-NLS-2$ //$NON-NLS-3$ //$NON-NLS-4$ //$NON-NLS-5$
+	// Note that we have to use &#39; instead of &apos; because &apos; does not work in all versions of IE
 	private static final String escapedXML[] = {
-			"&amp;", "&gt;", "&lt;", "&quot;"}; //$NON-NLS-1$ //$NON-NLS-2$ //$NON-NLS-3$ //$NON-NLS-4$
+			"&amp;", "&gt;", "&lt;", "&quot;", "&#39;"}; //$NON-NLS-1$ //$NON-NLS-2$ //$NON-NLS-3$ //$NON-NLS-4$ //$NON-NLS-5$
 
 	// for Safari build 125.1 finds version 125
 	static final Pattern safariPatern = Pattern.compile(
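Review bot: The comment added between the arrays explains the choice of `&#39;` but not why the apostrophe is now escaped at all, which is the security-relevant part. Several JSPs changed in this commit (help.jsp, index.jsp, searchScoped.jsp, views.jsp, workingSet.jsp, advanced.inc, basic/searchView.jsp) place `htmlEncode` output inside single-quoted attributes. I would add above `invalidXML` something like `// Parallel to escapedXML (same index = same character). The apostrophe entry is required because many JSPs emit htmlEncode() output inside single-quoted attributes.` `htmlEncode` itself is outside the hunk, so whether the order of the entries matters (ampersand first) cannot be checked from here.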
diff --git a/org.eclipse.help.webapp/src_servlets/org/eclipse/help/internal/webapp/servlet/FramesetFilter.java b/org.eclipse.help.webapp/src_servlets/org/eclipse/help/internal/webapp/servlet/FramesetFilter.java
index 07a3755..b5c5ef2 100644
--- a/org.eclipse.help.webapp/src_servlets/org/eclipse/help/internal/webapp/servlet/FramesetFilter.java
+++ b/org.eclipse.help.webapp/src_servlets/org/eclipse/help/internal/webapp/servlet/FramesetFilter.java
@@ -1,5 +1,5 @@
 /*******************************************************************************
- * Copyright (c) 2000, 2006 IBM Corporation and others.
+ * Copyright (c) 2000, 2010 IBM Corporation and others.
  * All rights reserved. This program and the accompanying materials
  * are made available under the terms of the Eclipse Public License v1.0
  * which accompanies this distribution, and is available at
@@ -12,6 +12,7 @@
 package org.eclipse.help.internal.webapp.servlet;
 
 import java.io.*;
+import java.net.URLEncoder;
 
 import javax.servlet.http.*;
 
@@ -30,6 +31,8 @@
 	 */
 	public OutputStream filter(HttpServletRequest req, OutputStream out) {
 		String uri = req.getRequestURI();
+		String url = req.getPathInfo();
+
 		if (uri == null || !uri.endsWith("html") && !uri.endsWith("htm")) { //$NON-NLS-1$ //$NON-NLS-2$
 			return out;
 		}
@@ -54,7 +57,16 @@
 			script.append("../"); //$NON-NLS-1$
 		}
 		script.append("?topic="); //$NON-NLS-1$
-		script.append(req.getPathInfo());
+		
+
+		// Sanitize the url
+		try{
+			url = URLEncoder.encode(url, "UTF-8"); //$NON-NLS-1$
+			script.append(url);
+		} catch (UnsupportedEncodingException uee){
+			return out;
+		}
+
 		script.append(scriptPart3);
 		try {
 			return new FilterHTMLHeadOutputStream(out, script.toString()
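Review bot: `req.getPathInfo()` can return null, and the new `URLEncoder.encode(url, "UTF-8")` call will then throw a NullPointerException, where the old `script.append(req.getPathInfo())` presumably just appended the text `null`. Nothing visible in either hunk checks `url` between its declaration and this call. A guard before the `try`, `if (url == null) return out;`, matches how the method already treats a null `uri`. The `UnsupportedEncodingException` branch cannot fire for UTF-8 on a conforming JVM, so a one-line comment saying so would help. Note also that `URLEncoder` produces form encoding (`/` becomes `%2F`, space becomes `+`), so the page receiving `?topic=` has to decode it accordingly; the body of `filter` continues past the end of the hunk.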