Fix potential XSS holes

apps/routerconsole/java/src/net/i2p/router/web/NetDbHelper.java

@@ -4,6 +4,7 @@ import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.io.OutputStreamWriter;
 
+import net.i2p.data.DataHelper;
 
 public class NetDbHelper extends HelperBase {
     private String _routerPrefix;
@@ -12,7 +13,10 @@ public class NetDbHelper extends HelperBase {
     
     public NetDbHelper() {}
     
-    public void setRouter(String r) { _routerPrefix = r; }
+    public void setRouter(String r) {
+        _routerPrefix = DataHelper.stripHTML(r);  // XSS
+    }
+
     public void setFull(String f) {
         try {
             _full = Integer.parseInt(f);

apps/routerconsole/jsp/configpeer.jsp

@@ -24,7 +24,7 @@
 
  <% String peer = "";
     if (request.getParameter("peer") != null)
-        peer = request.getParameter("peer");
+        peer = net.i2p.data.DataHelper.stripHTML(request.getParameter("peer"));  // XSS
  %>
  <div class="configure">
  <form action="configpeer.jsp" method="POST">

apps/susidns/src/java/src/i2p/susi/dns/AddressbookBean.java

@@ -35,6 +35,8 @@ import java.util.Iterator;
 import java.util.LinkedList;
 import java.util.Properties;
 
+import net.i2p.data.DataHelper;
+
 public class AddressbookBean
 {
 	private String book, action, serial, lastSerial, filter, search, hostname, destination;
@@ -140,7 +142,7 @@ public class AddressbookBean
 		return book;
 	}
 	public void setBook(String book) {
-		this.book = book;
+		this.book = DataHelper.stripHTML(book);  // XSS
 	}
 	public String getSerial() {
 		lastSerial = "" + Math.random();
@@ -326,7 +328,7 @@ public class AddressbookBean
 		return destination;
 	}
 	public void setDestination(String destination) {
-		this.destination = destination;
+		this.destination = DataHelper.stripHTML(destination);  // XSS
 	}
 	public String getHostname() {
 		return hostname;
@@ -338,7 +340,7 @@ public class AddressbookBean
 		deletionMarks.addLast( name );
 	}
 	public void setHostname(String hostname) {
-		this.hostname = hostname;
+		this.hostname = DataHelper.stripHTML(hostname);  // XSS
 	}
 	private int getBeginInt() {
 		return Math.max(0, Math.min(entries.length - 1, beginIndex));

history.txt

@@ -1,3 +1,8 @@
+2009-12-04 zzz
+    * Console: Close up some possible XSS (thanks Pragmatk)
+    * i2psnark: Config cleanup, more HTML transitional fixes
+    * readme*.html: Point to translated pages on www.i2p2.i2p
+
 2009-11-29 zzz
     * config.jsp: Comment out unused stuff better
     * profiles.jsp: Hide non-ff from ff table

router/java/src/net/i2p/router/RouterVersion.java

@@ -18,7 +18,7 @@ public class RouterVersion {
     /** deprecated */
     public final static String ID = "Monotone";
     public final static String VERSION = CoreVersion.VERSION;
-    public final static long BUILD = 24;
+    public final static long BUILD = 25;
     /** for example "-test" */
     public final static String EXTRA = "";
     public final static String FULL_VERSION = VERSION + "-" + BUILD + EXTRA;