diff --git a/apps/routerconsole/java/src/net/i2p/router/web/NetDbHelper.java b/apps/routerconsole/java/src/net/i2p/router/web/NetDbHelper.java
index ef61f0663..2e97b957e 100644
--- a/apps/routerconsole/java/src/net/i2p/router/web/NetDbHelper.java
+++ b/apps/routerconsole/java/src/net/i2p/router/web/NetDbHelper.java
@@ -4,6 +4,7 @@ import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.io.OutputStreamWriter;
+import net.i2p.data.DataHelper;
 public class NetDbHelper extends HelperBase {
     private String _routerPrefix;
@@ -12,7 +13,10 @@ public class NetDbHelper extends HelperBase {
     public NetDbHelper() {}
-    public void setRouter(String r) { _routerPrefix = r; }
+    public void setRouter(String r) {
+        _routerPrefix = DataHelper.stripHTML(r); // XSS
+    }
+
     public void setFull(String f) {
         try {
             _full = Integer.parseInt(f);
diff --git a/apps/routerconsole/jsp/configpeer.jsp b/apps/routerconsole/jsp/configpeer.jsp
index 8b61f274d..bd5390108 100644
--- a/apps/routerconsole/jsp/configpeer.jsp
+++ b/apps/routerconsole/jsp/configpeer.jsp
@@ -24,7 +24,7 @@
 <%
     String peer = "";
     if (request.getParameter("peer") != null)
-        peer = request.getParameter("peer");
+        peer = net.i2p.data.DataHelper.stripHTML(request.getParameter("peer")); // XSS
 %>
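Review bot: The strip in setRouter sanitizes on input, but the XSS sink is wherever _routerPrefix is later written into the page, so HTML-encoding at that output point is the robust fix and this input-side strip should only be defence in depth; what stripHTML() actually removes, and whether it tolerates a null argument, is not visible in this hunk. Given the name, _routerPrefix is presumably only ever matched against router hashes, so a positive allow-list that rejects rather than mutates would be tighter: `_routerPrefix = (r != null && r.matches("[A-Za-z0-9~=-]*")) ? r : null; // allow only Base64 hash chars`. The surrounding setFull body continues past the end of the hunk.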
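Review bot: The configpeer.jsp scriptlet accepts any string for `peer` and only strips HTML from it, while the value is presumably echoed back into the form farther down the page (outside this hunk); as with the bean setters, the reliable guard is HTML-encoding where `peer` is written out, with this strip as a second line of defence. Since a peer is identified by a Base64 hash, validating the parameter against that alphabet instead of rewriting it is stricter and avoids silently submitting a mangled value: `String p = request.getParameter("peer"); if (p != null && p.matches("[A-Za-z0-9~=-]+")) peer = p;`. Minor style point: the fully qualified `net.i2p.data.DataHelper` inline would read better as a page-level import.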
diff --git a/apps/routerconsole/jsp/i2ptunnel/index.jsp b/apps/routerconsole/jsp/i2ptunnel/index.jsp
index 8c7eefc2e..f3cceda0d 100644
--- a/apps/routerconsole/jsp/i2ptunnel/index.jsp
+++ b/apps/routerconsole/jsp/i2ptunnel/index.jsp
@@ -3,5 +3,5 @@
-The I2P Tunnel Manager is not currently running. Please visit theClient Configuration page to start it.
+The I2P Tunnel Manager is not currently running. Please visit the Client Configuration page to start it.
diff --git a/apps/susidns/src/java/src/i2p/susi/dns/AddressbookBean.java b/apps/susidns/src/java/src/i2p/susi/dns/AddressbookBean.java
index a5dcf86cf..4036462bd 100644
--- a/apps/susidns/src/java/src/i2p/susi/dns/AddressbookBean.java
+++ b/apps/susidns/src/java/src/i2p/susi/dns/AddressbookBean.java
@@ -35,6 +35,8 @@ import java.util.Iterator;
 import java.util.LinkedList;
 import java.util.Properties;
+import net.i2p.data.DataHelper;
+
 public class AddressbookBean
 {
     private String book, action, serial, lastSerial, filter, search, hostname, destination;
@@ -140,7 +142,7 @@ public class AddressbookBean
         return book;
     }
     public void setBook(String book) {
-        this.book = book;
+        this.book = DataHelper.stripHTML(book); // XSS
     }
     public String getSerial() {
         lastSerial = "" + Math.random();
@@ -326,7 +328,7 @@ public class AddressbookBean
         return destination;
     }
     public void setDestination(String destination) {
-        this.destination = destination;
+        this.destination = DataHelper.stripHTML(destination); // XSS
     }
     public String getHostname() {
         return hostname;
@@ -338,7 +340,7 @@ public class AddressbookBean
         deletionMarks.addLast( name );
     }
     public void setHostname(String hostname) {
-        this.hostname = hostname;
+        this.hostname = DataHelper.stripHTML(hostname); // XSS
     }
     private int getBeginInt() {
         return Math.max(0, Math.min(entries.length - 1, beginIndex));
diff --git a/history.txt b/history.txt
index 62af66cba..ce9463465 100644
--- a/history.txt
+++ b/history.txt
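Review bot: `book` in setBook selects which address book the bean operates on, and if that name is later used to build a file path or a properties key (not visible in this hunk) stripHTML() gives no protection against traversal or unexpected names; the value should be compared against the fixed set of book names the bean already recognises and reset to the default otherwise, with stripping left as a fallback for the display path. Separately, the visible `lastSerial = "" + Math.random();` in getSerial produces a predictable value; if serial is used as a form-replay or CSRF token, it should come from `SecureRandom` instead. The getSerial body continues past the end of the hunk.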
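Review bot: stripHTML() in setHostname (and likewise setDestination in the hunk above) silently rewrites the submitted value instead of rejecting it, so an entry such as `foo<b>bar` would be stored under a mutated name with no error shown to the user. Neither a hostname nor a Base64 destination legitimately contains markup characters, so the add path should validate the string (hostname against a DNS-label pattern, destination against the Base64 alphabet and expected length) and surface a failure, keeping the strip only as defence in depth; the sink that renders these fields still needs HTML-encoding regardless. Whether stripHTML() accepts a null argument is not visible here; if these setters can be invoked with null, guard for it.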
@@ -1,3 +1,8 @@
+2009-12-04 zzz
+    * Console: Close up some possible XSS (thanks Pragmatk)
+    * i2psnark: Config cleanup, more HTML transitional fixes
+    * readme*.html: Point to translated pages on www.i2p2.i2p
+
 2009-11-29 zzz
     * config.jsp: Comment out unused stuff better
     * profiles.jsp: Hide non-ff from ff table
diff --git a/router/java/src/net/i2p/router/RouterVersion.java b/router/java/src/net/i2p/router/RouterVersion.java
index 458d45df4..b2865c3c1 100644
--- a/router/java/src/net/i2p/router/RouterVersion.java
+++ b/router/java/src/net/i2p/router/RouterVersion.java
@@ -18,7 +18,7 @@ public class RouterVersion {
     /** deprecated */
     public final static String ID = "Monotone";
     public final static String VERSION = CoreVersion.VERSION;
-    public final static long BUILD = 24;
+    public final static long BUILD = 25;
     /** for example "-test" */
     public final static String EXTRA = "";
     public final static String FULL_VERSION = VERSION + "-" + BUILD + EXTRA;