Changeset 33720 for main/trunk/greenstone3/src/java/org

Timestamp:

2019-11-25T20:08:31+13:00 (5 years ago)

Author:

ak19

Message:

Implemented Dr Bainbridge's suggestions based on Kathy's solution to preventing script elements in queries (like a close script tag, open script tag, alert(1), close script tag) from ending up live when a search is performed.

File:

• main/trunk/greenstone3/src/java/org/greenstone/gsdl3/util/XSLTUtil.java (modified) (2 diffs)

main/trunk/greenstone3/src/java/org/greenstone/gsdl3/util/XSLTUtil.java

@@ -752 +752 @@
         return str.replace("\"", "\\\"");
     }
-
+        public static String escapeAngleBrackets(String str)
+    {
+        if (str == null || str.length() < 1)
+        {
+            return null;
+        }
+        return str.replace("<", "&lt;").replace(">", "&gt;");
+    }
+    
     public static String escapeNewLinesAndQuotes(String str)
     {
@@ -761 +769 @@
         return escapeNewLines(escapeQuotes(str));
     }
-
+    
+    public static String escapeNewLinesQuotesAngleBracketsForJSString(String str)
+    {
+        // The \n and " becomes \\\n and \\\"
+        // but the <> are escaped/encoded for html, i.e. &gt; and &lt;  
+        if (str == null || str.length() < 1)
+        {
+            return null;
+        }
+        return escapeAngleBrackets(escapeNewLines(escapeQuotes(str)));
+    }
     public static String getGlobalProperty(String name)
     {