litvinovg/vitro
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Update to escape html search input

Browse source
This commit is contained in:
hjkhjk54 2011-09-14 19:20:21 +00:00
parent 32186e4351
commit ff05d69b69
1 changed files with 4 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

5
webapp/src/edu/cornell/mannlib/vitro/webapp/search/controller/PagedSearchController.java
View file

@ -18,6 +18,7 @@ import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang.StringEscapeUtils;
import org.apache.commons.lang.StringUtils; import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log; import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory; import org.apache.commons.logging.LogFactory;
@ -148,7 +149,9 @@ public class PagedSearchController extends FreemarkerHttpServlet {
int startIndex = getStartIndex(vreq); int startIndex = getStartIndex(vreq);
int hitsPerPage = getHitsPerPage( vreq ); int hitsPerPage = getHitsPerPage( vreq );
String qtxt = vreq.getParameter(VitroQuery.QUERY_PARAMETER_NAME); String qtxt = vreq.getParameter(VitroQuery.QUERY_PARAMETER_NAME);
//Clean text to prevent cross-scripting errors
qtxt = StringEscapeUtils.escapeHtml(qtxt);
log.debug("Query text is \""+ qtxt + "\""); log.debug("Query text is \""+ qtxt + "\"");
String badQueryMsg = badQueryText( qtxt ); String badQueryMsg = badQueryText( qtxt );