Port r1443 to the 1.4 release branch. Original log message:
Fixed potential XSS vulnerability in the module not found error message.
Patch by: jat
Review by: tobyr (desk review)
git-svn-id: https://google-web-toolkit.googlecode.com/svn/releases/1.4@1498 8db76d5a-ed1c-0410-87a9-c151d255dfc7
diff --git a/dev/core/src/com/google/gwt/dev/shell/GWTShellServlet.java b/dev/core/src/com/google/gwt/dev/shell/GWTShellServlet.java
index 960c4ba..0b970f0 100644
--- a/dev/core/src/com/google/gwt/dev/shell/GWTShellServlet.java
+++ b/dev/core/src/com/google/gwt/dev/shell/GWTShellServlet.java
@@ -21,6 +21,7 @@
import com.google.gwt.dev.cfg.ModuleDefLoader;
import com.google.gwt.dev.util.HttpHeaders;
import com.google.gwt.dev.util.SelectionScriptGenerator;
+import com.google.gwt.dev.util.Util;
import com.google.gwt.dev.util.log.ServletContextTreeLogger;
import java.io.File;
@@ -322,7 +323,7 @@
getModuleDef(logger, parts.moduleName);
} catch (UnableToCompleteException e) {
sendErrorResponse(response, HttpServletResponse.SC_NOT_FOUND,
- "Unable to find/load module '" + parts.moduleName
+ "Unable to find/load module '" + Util.escapeXml(parts.moduleName)
+ "' (see server log for details)");
return;
}
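Review bot: The escaping on the added line depends on Util.escapeXml actually emitting entities, and as its hunk in Util.java appears on this page the replacements read as identity replacements (`replaceAll("\\&", "&")`, `replaceAll("\\<", "<")`, `replaceAll("\\>", ">")`), which is presumably an artifact of entity rendering in this view (`&amp;`, `&lt;`, `&gt;`) but is worth confirming in the actual source before relying on it for the fix. Whether escaping the five characters named in that method's Javadoc is sufficient also depends on the content type sendErrorResponse sets and where the message lands, neither of which is visible here; for text content in an HTML body it is adequate, while an attribute or script context would need a different encoder. Since the method's name suggests XML rather than HTML escaping, a comment at the call site would record the intent for future readers, e.g. `// moduleName comes from the request path; escape it before reflecting it into the error body`. The enclosing method starts and ends outside the hunk.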
diff --git a/dev/core/src/com/google/gwt/dev/util/Util.java b/dev/core/src/com/google/gwt/dev/util/Util.java
index eec15fb..b1f4661 100644
--- a/dev/core/src/com/google/gwt/dev/util/Util.java
+++ b/dev/core/src/com/google/gwt/dev/util/Util.java
@@ -988,7 +988,7 @@
/**
* Escapes '&', '<', '>', '"', and '\'' to their XML entity equivalents.
*/
- private static String escapeXml(String unescaped) {
+ public static String escapeXml(String unescaped) {
String escaped = unescaped.replaceAll("\\&", "&");
escaped = escaped.replaceAll("\\<", "<");
escaped = escaped.replaceAll("\\>", ">");