From: <di...@us...> - 2009-07-31 21:42:39
Revision: 9609 http://exist.svn.sourceforge.net/exist/?rev=9609&view=rev Author: dizzzz Date: 2009-07-31 21:42:23 +0000 (Fri, 31 Jul 2009) Log Message: ----------- [bugfix] escape xml/html chars in REST API exception - ID: 2830333 ; patch by mike sokolov ; test: http://localhost:8080/exist/rest/db/_query=< Modified Paths: -------------- trunk/eXist/src/org/exist/http/RESTServer.java Modified: trunk/eXist/src/org/exist/http/RESTServer.java ===================================================================
--- trunk/eXist/src/org/exist/http/RESTServer.java 2009-07-31 21:28:12 UTC (rev 9608)
+++ trunk/eXist/src/org/exist/http/RESTServer.java 2009-07-31 21:42:23 UTC (rev 9609)
@@ -49,6 +49,7 @@
 import javax.xml.transform.TransformerConfigurationException;
 import org.apache.log4j.Logger;
+
 import org.exist.EXistException;
 import org.exist.Namespaces;
 import org.exist.collections.Collection;
@@ -59,6 +60,7 @@
 import org.exist.dom.DocumentImpl;
 import org.exist.dom.DocumentMetadata;
 import org.exist.dom.MutableDocumentSet;
+import org.exist.dom.XMLUtil;
 import org.exist.http.servlets.HttpRequestWrapper;
 import org.exist.http.servlets.HttpResponseWrapper;
 import org.exist.http.servlets.ResponseWrapper;
@@ -1397,11 +1399,12 @@
 writer.write("</a></p>");
 writer.write("<p class=\"errmsg\">");
- writer.write( ( e.getMessage() == null ? e.toString() : e.getMessage() ) );
+ String message = e.getMessage() == null ? e.toString() : e.getMessage();
+ writer.write(XMLUtil.encodeAttrMarkup(message));
 writer.write("</p>");
 if (query != null) {
 writer.write("<p><span class=\"high\">Query</span>:</p><pre>");
- writer.write(query);
+ writer.write(XMLUtil.encodeAttrMarkup(query));
 writer.write("</pre>");
 }
 writer.write("</body></html>");
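Review bot: `XMLUtil.encodeAttrMarkup` is, going by its name, an attribute-value escaper, yet both new `writer.write(XMLUtil.encodeAttrMarkup(...))` calls in this hunk (and the matching pair in the `<message>`/`<query>` hunk below) place its output in element text content inside `<p>` and `<pre>`; the fix is only complete if the helper rewrites at least `&` and `<`, which is worth confirming against its implementation rather than its name, and recording with a comment such as `// escape exception text and the reflected query before emitting them as HTML`. The line `String message = e.getMessage() == null ? e.toString() : e.getMessage();` is duplicated verbatim in the later hunk; a small private helper returning the escaped message would keep the HTML and XML error renderers from drifting apart. The enclosing method starts before this hunk and its closing lines are not shown.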
@@ -1437,11 +1440,12 @@
 writer.write(path);
 writer.write("</path>");
 writer.write("<message>");
- writer.write( ( e.getMessage() == null ? e.toString() : e.getMessage() ) );
+ String message = e.getMessage() == null ? e.toString() : e.getMessage();
+ writer.write(XMLUtil.encodeAttrMarkup(message));
 writer.write("</message>");
 if (query != null) {
 writer.write("<query>");
- writer.write(query);
+ writer.write(XMLUtil.encodeAttrMarkup(query));
 writer.write("</query>");
 }
 writer.write("</exception>");
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
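Review bot: `writer.write(path);` on the first context line of this hunk still emits `path` unescaped into the `<path>` element, while the commit escapes `message` and `query` only a few lines below it; if `path` is derived from the request URI, as its name suggests, a value containing `<` or `&` still produces an ill-formed XML error document, leaving the same class of problem the commit sets out to fix. Applying the same treatment, `writer.write(XMLUtil.encodeAttrMarkup(path));`, closes that gap consistently for this renderer; the HTML renderer in the earlier hunk writes its link before the visible `</a></p>` line, so the equivalent write there is outside the hunk and should be checked too. The enclosing method starts before this hunk and its closing lines are not shown.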