WebInterface: Escape HTML code (XSS)

Coverity report: CID 44688 (#1 of 1): Cross-site scripting (XSS) CID 135806 (#1 of 1): Cross-site scripting (XSS) Signed-off-by: Stefan Weil <[email protected]>
UB-Mannheim · Oct 14, 2016 · aaba768 · aaba768
1 parent 9a1bcf4
commit aaba768
Showing 1 changed file with 4 additions and 1 deletion.
diff --git a/Goobi/src/org/goobi/production/cli/WebInterface.java b/Goobi/src/org/goobi/production/cli/WebInterface.java
@@ -40,6 +40,7 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.apache.commons.lang.StringEscapeUtils;
 import org.apache.log4j.Logger;
 import org.goobi.production.enums.PluginType;
 import org.goobi.production.plugin.PluginLoader;
@@ -103,7 +104,9 @@ protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws Se
 			List<String> allowedCommands = WebInterfaceConfig.getCredentials(ip, password);
 			if (!allowedCommands.contains(command)) {
 				// error, no command found
-				generateAnswer(resp, 401, "command not allowed", "command " + command + " not allowed for your IP (" + ip + ")");
+				generateAnswer(resp, 401, "command not allowed",
+					"command " + StringEscapeUtils.escapeHtml(command) +
+					" not allowed for your IP (" + StringEscapeUtils.escapeHtml(ip) + ")");
 				return;
 			}