Console: Fix URLs caught in XSS filter on /confighome (ticket #1569)

Fix name and URL escaping Truncate long URLs in display

Console: Fix URLs caught in XSS filter on /confighome (ticket #1569)
081f1865 · zzz · 0e17c560 · 081f1865 · 081f1865
Commit 081f1865 authored 9 years ago by zzz
--- a/apps/routerconsole/java/src/net/i2p/router/web/ConfigHomeHandler.java
+++ b/apps/routerconsole/java/src/net/i2p/router/web/ConfigHomeHandler.java
@@ -58,18 +58,21 @@ public class ConfigHomeHandler extends FormHandler {
            else
                apps = HomeHelper.buildApps(_context, config);
            if (adding) {
-                String name = getJettyString("name");
+                String name = getJettyString("nofilter_name");
                if (name == null || name.length() <= 0) {
                    addFormError(_("No name entered"));
                    return;
                }
-                String url = getJettyString("url");
+                String url = getJettyString("nofilter_url");
                if (url == null || url.length() <= 0) {
                    addFormError(_("No URL entered"));
                    return;
                }
-                name = DataHelper.escapeHTML(name).replace(",", "&#44;");   // HomeHelper.S
+                // these would get double-escaped so we can't do it this way...
-                url = DataHelper.escapeHTML(url).replace(",", "&#44;");
+                //name = DataHelper.escapeHTML(name).replace(",", "&#44;");
+                //url = DataHelper.escapeHTML(url).replace(",", "&#44;");
+                name = name.replace(",", ".");
+                url = url.replace(",", "."); // fail
                HomeHelper.App app = null;
                if ("1".equals(group))
                    app = new HomeHelper.App(name, "", url, "/themes/console/images/eepsite.png");

--- a/apps/routerconsole/java/src/net/i2p/router/web/HomeHelper.java
+++ b/apps/routerconsole/java/src/net/i2p/router/web/HomeHelper.java
@@ -7,6 +7,7 @@ import java.util.List;
 import java.util.Set;
 import java.util.TreeSet;
+import net.i2p.data.DataHelper;
 import net.i2p.router.RouterContext;
 import net.i2p.util.PortMapper;
@@ -209,17 +210,22 @@ public class HomeHelper extends HelperBase {
                buf.append("<img height=\"16\" alt=\"\" src=\"").append(app.icon).append("\">");
            }
            buf.append("</td><td align=\"left\">")
-               .append(app.name)
+               .append(DataHelper.escapeHTML(app.name))
-               .append("</td><td align=\"left\"><a href=\"")
+               .append("</td><td align=\"left\"><a href=\"");
-               .append(app.url.replace("&", "&amp;"))
+            String url = DataHelper.escapeHTML(app.url);
-               .append("\">")
+            buf.append(url)
-               .append(app.url.replace("&", "&amp;"))
+               .append("\">");
-               .append("</a></td></tr>\n");
+            // truncate before escaping
+            if (app.url.length() > 50)
+                buf.append(DataHelper.escapeHTML(app.url.substring(0, 48))).append("&hellip;");
+            else
+                buf.append(url);
+            buf.append("</a></td></tr>\n");
        }
        buf.append("<tr><td colspan=\"2\" align=\"center\"><b>")
           .append(_("Add")).append(":</b>" +
-                   "</td><td align=\"left\"><input type=\"text\" name=\"name\"></td>" +
+                   "</td><td align=\"left\"><input type=\"text\" name=\"nofilter_name\"></td>" +
-                   "<td align=\"left\"><input type=\"text\" size=\"40\" name=\"url\"></td></tr>");
+                   "<td align=\"left\"><input type=\"text\" size=\"40\" name=\"nofilter_url\"></td></tr>");
        buf.append("</table>\n");
        return buf.toString();
    }