Fixed potential XSS vulnerability in the module not found error message. Patch by: jat Review by: tobyr (desk review) git-svn-id: https://google-web-toolkit.googlecode.com/svn/trunk@1443 8db76d5a-ed1c-0410-87a9-c151d255dfc7
diff --git a/dev/core/src/com/google/gwt/dev/shell/GWTShellServlet.java b/dev/core/src/com/google/gwt/dev/shell/GWTShellServlet.java
index 08798a6..afd57bc 100644
--- a/dev/core/src/com/google/gwt/dev/shell/GWTShellServlet.java
+++ b/dev/core/src/com/google/gwt/dev/shell/GWTShellServlet.java
@@ -21,6 +21,7 @@
 import com.google.gwt.dev.cfg.ModuleDefLoader;
 import com.google.gwt.dev.util.HttpHeaders;
 import com.google.gwt.dev.util.SelectionScriptGenerator;
+import com.google.gwt.dev.util.Util;
 import com.google.gwt.dev.util.log.ServletContextTreeLogger;
 import java.io.File;
@@ -324,7 +325,7 @@
 getModuleDef(logger, parts.moduleName);
 } catch (UnableToCompleteException e) {
 sendErrorResponse(response, HttpServletResponse.SC_NOT_FOUND,
- "Unable to find/load module '" + parts.moduleName
+ "Unable to find/load module '" + Util.escapeXml(parts.moduleName)
 + "' (see server log for details)");
 return;
 }
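Review bot: Escaping `parts.moduleName` only at this call in the `catch (UnableToCompleteException e)` branch makes the fix depend on every other caller of `sendErrorResponse` doing the same. The helper's body is outside this hunk, so this is an assumption, but if it writes the message into an HTML response, escaping inside the helper (or sending the error as `text/plain`) would cover any other message built from request-derived values. At minimum I would add a comment on the changed line such as `// escape: moduleName is echoed into the error page (XSS)` so the call is not simplified back later. The enclosing method starts and ends outside the hunk.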
diff --git a/dev/core/src/com/google/gwt/dev/util/Util.java b/dev/core/src/com/google/gwt/dev/util/Util.java
index b325312..9d4c7a1 100644
--- a/dev/core/src/com/google/gwt/dev/util/Util.java
+++ b/dev/core/src/com/google/gwt/dev/util/Util.java
@@ -991,7 +991,7 @@
 /**
 * Escapes '&', '<', '>', '"', and '\'' to their XML entity equivalents.
 */
- private static String escapeXml(String unescaped) {
+ public static String escapeXml(String unescaped) {
 String escaped = unescaped.replaceAll("\\&", "&");
 escaped = escaped.replaceAll("\\<", "<");
 escaped = escaped.replaceAll("\\>", ">");
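Review bot: Making `escapeXml` public turns it into a shared XSS defence, but the Javadoc still says only which characters are replaced; it should also say where the result is safe to use, e.g. `Suitable for element content and quoted attribute values only; not for script, URL or unquoted-attribute contexts.` The first statement calls `unescaped.replaceAll(...)`, so a null argument throws; a `@param unescaped text to escape, must not be null` line would make that contract explicit for the new callers. If the apostrophe is mapped to `&apos;` (that line is outside the hunk), note that HTML 4 does not define that entity, so `&#39;` is the safer choice for HTML error pages. The method body continues past the end of the hunk.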