From 92fac5c576b15990b04f6f0f855d373b56e0b511 Mon Sep 17 00:00:00 2001
From: Rowland
Date: Sun, 1 May 2022 02:34:43 +0200
Subject: [PATCH] Fixed Vulnerbuility
---
 .../main/java/org/nanohttpd/router/RouterNanoHTTPD.java | 8 ++++++--
 pom.xml | 5 +++++
 2 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/nanolets/src/main/java/org/nanohttpd/router/RouterNanoHTTPD.java b/nanolets/src/main/java/org/nanohttpd/router/RouterNanoHTTPD.java
index de949b0a..69c663cf 100644
--- a/nanolets/src/main/java/org/nanohttpd/router/RouterNanoHTTPD.java
+++ b/nanolets/src/main/java/org/nanohttpd/router/RouterNanoHTTPD.java
@@ -162,8 +162,8 @@ public Response get(UriResource uriResource, Map urlParams, IHTT
 Map queryParams = session.getParms();
 if (queryParams.size() > 0) {
 for (Map.Entry entry : queryParams.entrySet()) {
- String key = entry.getKey();
- String value = entry.getValue();
+ String key = sanitise(entry.getKey());
+ String value = sanitise(entry.getValue());
 text.append("

Param '");
 text.append(key);
 text.append("' = ");
@@ -175,6 +175,10 @@ public Response get(UriResource uriResource, Map urlParams, IHTT
 }
 return Response.newFixedLengthResponse(getStatus(), getMimeType(), text.toString());
 }
+
+ private String sanitise(String possibleCode) {
+ return org.apache.commons.text.StringEscapeUtils.escapeHtml4(possibleCode);
+ }
 }
 /**
diff --git a/pom.xml b/pom.xml
index 34f03e60..d8895c21 100644
--- a/pom.xml
+++ b/pom.xml
@@ -348,6 +348,11 @@
+ + org.apache.commons + commons-text + 1.9 + junit junit
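Review bot: The two added `sanitise(...)` lines escape only the query-parameter key and value, while `text` is a buffer assembled before this loop (the enclosing `get(...)` starts outside the hunk and the response is built from `text.toString()` in the second hunk), so anything else echoed into it — the request URI, for instance, if it is appended earlier — would still reach the HTML response unescaped; that part of the method should be checked with the same lens. Escaping at the point of output, `text.append(sanitise(key));` and `text.append(sanitise(value));`, rather than at assignment would make the coverage visible in the loop itself and harder to miss when a further value is appended later. `escapeHtml4` is the right tool for the place these values land (HTML text content between `Param '` and `' = `); it is not sufficient on its own for attribute, URL or script contexts, which matters if this handler is extended.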
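Review bot: The new `sanitise` helper carries no comment stating what it guarantees, and its parameter name `possibleCode` describes an attacker's intent rather than the value; a Javadoc such as `/** Escapes untrusted text for inclusion as HTML body content (not sufficient for attribute, URL or JavaScript contexts). */` together with renaming the method to `escapeHtml(String text)` would tell the next caller exactly where it may and may not be used. Spelling out `org.apache.commons.text.StringEscapeUtils` inline is harder to read than an `import org.apache.commons.text.StringEscapeUtils;` at the top of the file (outside this hunk) with `return StringEscapeUtils.escapeHtml4(text);` in the body. If this module is consumed as a library, pulling in commons-text for a single `escapeHtml4` call also adds a third-party artifact to every downstream consumer's supply chain; a small local loop replacing `&`, `<`, `>`, `"` and `'` would give the same protection for this use without the new dependency.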