This is an automated email from the git hooks/post-receive script. New commit to branch develop in repository bow. See http://git.chorem.org/bow.git commit 5d624c342408b229057e4b6c04a9a2e717cc8ed5 Author: Benjamin POUSSIN <poussin@codelutin.com> Date: Tue Jul 21 16:34:51 2015 +0200 rewrite to prevent XSS rewrite to have correct URL --- bow-ui/src/main/webapp/WEB-INF/jsp/atom.jsp | 40 ++++++++++++++--------------- 1 file changed, 19 insertions(+), 21 deletions(-)
diff --git a/bow-ui/src/main/webapp/WEB-INF/jsp/atom.jsp b/bow-ui/src/main/webapp/WEB-INF/jsp/atom.jsp
index ebdd941..656593d 100644
--- a/bow-ui/src/main/webapp/WEB-INF/jsp/atom.jsp
+++ b/bow-ui/src/main/webapp/WEB-INF/jsp/atom.jsp
@@ -31,37 +31,38 @@ <title>Bow<s:if test="!tagLine.empty"> (${tagLine})</s:if><s:if test="!fullTextLine.empty"> (${fullTextLine})</s:if></title> <subtitle>tag='${tagLine}' filter='${fullTextLine}'</subtitle> - <s:url var="bowUrl" action="home" escapeAmp="true"> + <s:url var="bowUrl" value="%{#bowDomain + 'home.action'}" escapeAmp="true"> <s:param name="token" value="%{bowSession.permanentToken}" /> <s:param name="tagLine" value="%{tagLine}" /> <s:param name="fullTextLine" value="%{fullTextLine}" /> </s:url> - <s:url var="atomUrl" action="atom" escapeAmp="true"> + <s:url var="atomUrl" value="%{#bowDomain + 'atom.action'}" escapeAmp="true"> <s:param name="token" value="%{bowSession.permanentToken}" /> <s:param name="tagLine" value="%{tagLine}" /> <s:param name="fullTextLine" value="%{fullTextLine}" /> <s:param name="count" value="%{count}" /> </s:url> - <link rel="alternate" type="text/html" href="${bowDomain}${bowUrl}"/> - <link rel="self" type="application/atom+xml" href="${bowDomain}${atomUrl}"/> + <link rel="alternate" type="text/html" href="${bowUrl}"/> + <link rel="self" type="application/atom+xml" href="${atomUrl}"/> <updated><fmt:formatDate value="${date}" pattern="yyyy-MM-dd'T'HH:mm:ssXXX" /></updated> <author> <name>${bowSession.user.login}</name> </author> - <id>${bowDomain}${bowUrl}</id> - <s:url var="favicon" value="/img/favicon.png" /> - <icon>${bowDomain}${favicon}</icon> + <id>${bowUrl}</id> + <s:url var="favicon" value="%{#bowDomain + 'img/favicon.png'}" /> + <icon>${favicon}</icon> <s:iterator value="bookmarks" var="bookmark"> <s:set name="bookmark" value="bookmark"/> <entry> - <title>${bookmarkUtils.getTitle(bookmark, 100)}</title> - <s:url var="bookmarkUrl" action="home" escapeAmp="true"> + <s:set name="title" value="%{bookmarkUtils.getTitle(#bookmark, 100)}"/> + <title><s:property value="%{#title}" /></title> + <s:url var="bookmarkUrl" value="%{#bowDomain + 'home.action'}" escapeAmp="true"> <s:param name="token" 
value="%{bowSession.permanentToken}" /> <s:param name="listId" value="%{#bookmark.wikittyId}" /> </s:url> - <link rel="alternate" type="text/html" href="${bowDomain}${bookmarkUrl}"/> + <link rel="alternate" type="text/html" href="${bookmarkUrl}"/> <link rel="via" href="${bookmark.link}"/> <id>${bowDomain}${bookmark.wikittyId}</id> <updated><fmt:formatDate value="${bookmark.creationDate}" pattern="yyyy-MM-dd'T'HH:mm:ssXXX" /></updated> @@ -82,7 +83,7 @@ <span> <s:a href="%{config.aliasUrl + #bookmark.wikittyId}.action" title="%{#bookmark.link}" target="_blank"> - alias: ${bookmark.privateAlias} + alias: <s:property value="%{#bookmark.privateAlias}" /> </s:a> </span> </c:if> 
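Review bot: Several values in the first hunk still reach the feed as raw `${…}` EL, which JSP does not escape: `${tagLine}` and `${fullTextLine}` in `<title>`/`<subtitle>`, `${bowSession.user.login}` in `<name>`, and `href="${bookmark.link}"` on the `rel="via"` link. The commit already moves the entry title to `<s:property>`, so the same treatment fits here, e.g. `<link rel="via" href="<s:property value="%{#bookmark.link}"/>"/>` and `<name><s:property value="%{bowSession.user.login}"/></name>`. Whether these fields are attacker-influenced is not visible from the hunk, but tag and filter lines and bookmark links look like user-supplied input. Escaping also does not constrain the URL scheme of `bookmark.link`, so it is worth confirming that links are restricted to `http`/`https` when they are stored.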
@@ -90,31 +91,28 @@ <span> <s:a href="%{config.aliasUrl + #bookmark.publicAlias}.action" title="%{#bookmark.link}" target="_blank"> - alias public: ${bookmark.publicAlias} + alias public: <s:property value="%{#bookmark.publicAlias}" /> </s:a> </span> </c:if> </span> <div> - <p> - <s:a href="%{config.aliasUrl + #bookmark.wikittyId}.action">${bookmark.link}</s:a> - </p> + <p><s:a href="%{config.aliasUrl + #bookmark.wikittyId}.action"><s:property value="%{#bookmark.link}" /></s:a></p> + <h3><s:text name="bow.bookmark.description" /> :</h3> - <p> - ${bookmark.description} - </p> + <p><s:property value="%{#bookmark.description}"/></p> <p> <strong><s:text name="bow.bookmark.tags" /> :</strong> <s:iterator value="#bookmark.labels" var="tag"> - <s:url var="search" action="home" escapeAmp="true"> + <s:url var="search" value="%{#bowDomain + 'home.action'}" escapeAmp="true"> <s:param name="addTag" value="%{#tag}"/> <s:param name="tagLine" value="%{tagLine}"/> <s:param name="fullTextLine" value="%{fullTextLine}"/> - <s:param name="order" value="%{order}"/> + <s:param name="order" value="descDate"/> <%-- on ne met pas 'first', il faut repartir de 0 --%> </s:url> - <a href="${bowDomain}${search}"><s:property value="%{#tag}"/></a> + <a href="${search}"><s:property value="%{#tag}"/></a> </s:iterator> </p> </div> -- To stop receiving notification emails like this one, please contact chorem.org SCM administrator <admin+scm@chorem.org>.
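Review bot: The new `<s:param name="order" value="descDate"/>` in the tag-search URL passes `descDate` as an OGNL expression rather than a string literal, because `s:param` evaluates its `value` attribute against the value stack. Unless the action exposes a `descDate` property, this most likely resolves to null and the `order` parameter ends up missing or empty. A literal needs inner quotes: `<s:param name="order" value="'descDate'"/>`. The enclosing `<entry>` markup starts outside this hunk, so the effect on the generated links should be checked against a rendered feed.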