Console: Fix escaping of plugin description on /configclients (ticket #1711)

2015-11-21 17:39:10 +00:00
parent 9efb3c8751
commit 9a9832cb77
3 changed files with 11 additions and 7 deletions
--- a/apps/routerconsole/java/src/net/i2p/router/web/ConfigClientsHelper.java
+++ b/apps/routerconsole/java/src/net/i2p/router/web/ConfigClientsHelper.java
@@ -151,7 +151,7 @@ public class ConfigClientsHelper extends HelperBase {
                       //"webConsole".equals(ca.clientName) || "Web console".equals(ca.clientName),
                       false, RouterConsoleRunner.class.getName().equals(ca.className),
                       // description
-                       ca.className + ((ca.args != null) ? " " + ca.args : ""),
+                       DataHelper.escapeHTML(ca.className + ((ca.args != null) ? " " + ca.args : "")),
                       // edit
                       allowEdit && (""+cur).equals(_edit),
                       // show edit button, show update button
@@ -212,7 +212,7 @@ public class ConfigClientsHelper extends HelperBase {
                boolean isRunning = WebAppStarter.isWebAppRunning(app);
                renderForm(buf, app, app, !"addressbook".equals(app),
                           "true".equals(val), RouterConsoleRunner.ROUTERCONSOLE.equals(app),
-                           RouterConsoleRunner.ROUTERCONSOLE.equals(app), app + ".war",
+                           RouterConsoleRunner.ROUTERCONSOLE.equals(app), DataHelper.escapeHTML(app + ".war"),
                           false, false, false, isRunning, false, !isRunning);
            }
        }
@@ -316,14 +316,15 @@ public class ConfigClientsHelper extends HelperBase {
    /**
     *  Misnamed, renders a single line in a table for a single client/webapp/plugin.
     *
-     *  ro trumps edit and showEditButton
+     *  @param name will be escaped here
+     *  @param ro trumps edit and showEditButton
+     *  @param escapedDesc description, must be HTML escaped, except for plugins
     */
    private void renderForm(StringBuilder buf, String index, String name, boolean urlify,
-                            boolean enabled, boolean ro, boolean preventDisable, String desc, boolean edit,
+                            boolean enabled, boolean ro, boolean preventDisable, String escapedDesc, boolean edit,
                            boolean showEditButton, boolean showUpdateButton, boolean showStopButton,
                            boolean showDeleteButton, boolean showStartButton) {
        String escapedName = DataHelper.escapeHTML(name);
-        String escapedDesc = DataHelper.escapeHTML(desc);
        buf.append("<tr><td class=\"mediumtags\" align=\"right\" width=\"25%\">");
        if (urlify && enabled) {
            String link = "/";
--- a/history.txt
+++ b/history.txt
@@ -1,3 +1,6 @@
+2015-11-21 zzz
+  * Console: Fix escaping of plugin description on /configclients (ticket #1711)
+
 * 2015-11-19 0.9.23 released

 2015-11-19 str4d
@@ -9,7 +12,7 @@
 * Translation updates

 2015-11-13 zab
- * Interrupt() when cancelling scheduled tasks
+ * Interrupt() when cancelling scheduled tasks (tickets #1694, #1705)

 2015-11-13 zzz
 * Console: Fix lifetime participating bandwidth display (ticket #1706)
--- a/router/java/src/net/i2p/router/RouterVersion.java
+++ b/router/java/src/net/i2p/router/RouterVersion.java
@@ -18,7 +18,7 @@ public class RouterVersion {
    /** deprecated */
    public final static String ID = "Monotone";
    public final static String VERSION = CoreVersion.VERSION;
-    public final static long BUILD = 0;
+    public final static long BUILD = 1;

    /** for example "-test" */
    public final static String EXTRA = "";