Fixes Issue #1421. HistoryImplIE6 did a $doc.write of the unsanitized historyToken, exposing an XSS vulnerability. This fix adds html entity escaping to the token before it is written. Found by: akimpton Review by: scottb, jgw git-svn-id: https://google-web-toolkit.googlecode.com/svn/trunk@1257 8db76d5a-ed1c-0410-87a9-c151d255dfc7
diff --git a/user/src/com/google/gwt/user/client/impl/HistoryImplIE6.java b/user/src/com/google/gwt/user/client/impl/HistoryImplIE6.java
index e56e037..c032343 100644
--- a/user/src/com/google/gwt/user/client/impl/HistoryImplIE6.java
+++ b/user/src/com/google/gwt/user/client/impl/HistoryImplIE6.java
@@ -15,6 +15,7 @@
 */
 package com.google.gwt.user.client.impl;
+import com.google.gwt.user.client.DOM;
 import com.google.gwt.user.client.Element;
 /**
@@ -22,7 +23,20 @@
 * {@link com.google.gwt.user.client.impl.HistoryImplFrame}.
 */
 class HistoryImplIE6 extends HistoryImplFrame {
-
+
+ /**
+ * Sanitizes an untrusted string to be used in an HTML context. NOTE: This
+ * method of escaping strings should only be used on Internet Explorer.
+ *
+ * @param maybeHtml untrusted string that may contain html
+ * @return sanitized string
+ */
+ private static String escapeHtml(String maybeHtml) {
+ final Element div = DOM.createDiv();
+ DOM.setInnerText(div, maybeHtml);
+ return DOM.getInnerHTML(div);
+ }
+
 private static native void initUrlCheckTimer() /*-{
 // This is the URL check timer. It detects when an unexpected change
 // occurs in the document's URL (e.g. when the user enters one manually
@@ -95,8 +109,7 @@
 }-*/;
 protected native void newItemImpl(Element historyFrame, String historyToken, boolean forceAdd) /*-{
- historyToken = historyToken || "";
-
+ historyToken = @com.google.gwt.user.client.impl.HistoryImplIE6::escapeHtml(Ljava/lang/String;)(historyToken || "");
 if (forceAdd || ($wnd.__gwt_historyToken != historyToken)) {
 var doc = historyFrame.contentWindow.document;
 doc.open();
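Review bot: The Javadoc on escapeHtml should say which HTML context its output is safe in, because the innerText-to-innerHTML round trip only escapes what the serializer escapes in text nodes (`&`, `<`, `>`) and leaves `"` and `'` untouched, so the result is safe as element content but not as an attribute value or inside script. Suggest replacing the first sentence with `Escapes an untrusted string so that it can be used as element text content (not as an attribute value or inside script) on Internet Explorer, where the innerText/innerHTML round trip performs the escaping.` The word "Sanitizes" also suggests tag stripping, which this method does not do; "Escapes" describes it accurately. Whether IE preserves line breaks unchanged through innerText is not visible here, so a small test feeding `<`, `&`, `"` and a newline through the method would pin the behaviour the caller relies on.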
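Review bot: The escaped token is now also the value compared against `$wnd.__gwt_historyToken` on the following line, so that check only behaves as before if the global is stored in escaped form everywhere it is assigned, which is outside this hunk; if it holds the raw token (for example read back from the frame), any token containing `&` or `<` will never compare equal and will be re-added on every call. Keeping the raw token for the comparison and escaping only the value that gets written avoids the question: `historyToken = historyToken || "";`, then inside the `if` add `var safeToken = @com.google.gwt.user.client.impl.HistoryImplIE6::escapeHtml(Ljava/lang/String;)(historyToken);` and interpolate `safeToken` in the `doc.write` call. That call and the rest of newItemImpl lie past the end of this hunk, so where the token is interpolated (element text versus an attribute) should be checked against what escapeHtml actually guarantees.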