refresh tweaks

another escape html

apps/routerconsole/java/src/net/i2p/router/web/EventLogHelper.java

@@ -160,6 +160,7 @@ public class EventLogHelper extends FormHandler {
         String xev = _xevents.get(_event);
         if (xev == null)
             xev = _event;
+        xev = DataHelper.escapeHTML(xev);
         if (events.isEmpty()) {
             if (isAll) {
                 if (_age == 0)

apps/routerconsole/jsp/summary.jsi

@@ -17,9 +17,14 @@
         if (d == null || "".equals(d))
             d = intl.getRefresh();
         else {
-            d = net.i2p.data.DataHelper.stripHTML(d);  // XSS
+            long delay;
+            try {
+                delay = Long.parseLong(d);
+            } catch (NumberFormatException nfe) {
+                delay = 60;
+            }
             // pass the new delay parameter to the iframe
-            newDelay = "?refresh=" + d;
+            newDelay = "?refresh=" + delay;
             // update disable boolean
             intl.setDisableRefresh(d);
         }

apps/routerconsole/jsp/summaryframe.jsp

@@ -23,7 +23,7 @@
     if (!shutdownSoon) {
         if (d == null || "".equals(d)) {
             // set below
-        } else {
+        } else if (intl.getNonce().equals(conNonceParam)) {
             d = net.i2p.data.DataHelper.stripHTML(d);  // XSS
             intl.setRefresh(d);
             intl.setDisableRefresh(d);

router/java/src/net/i2p/router/RouterVersion.java

@@ -18,7 +18,7 @@ public class RouterVersion {
     /** deprecated */
     public final static String ID = "Monotone";
     public final static String VERSION = CoreVersion.VERSION;
-    public final static long BUILD = 27;
+    public final static long BUILD = 28;
 
     /** for example "-test" */
     public final static String EXTRA = "-rc";