From 1603353ae85fa785ca1cb27e20b74c49bc1281fc Mon Sep 17 00:00:00 2001
From: zzz <zzz@mail.i2p>
Date: Sat, 26 Jul 2014 16:50:58 +0000
Subject: [PATCH] Susimail escaping from psi plus some more
---
.../src/src/i2p/susi/webmail/Mail.java | 6 +-
.../src/src/i2p/susi/webmail/WebMail.java | 80 +++++++++----------
.../src/i2p/susi/webmail/smtp/SMTPClient.java | 20 ++---
core/java/src/net/i2p/data/DataHelper.java | 4 +-
.../src/net/i2p/router/RouterVersion.java | 2 +-
5 files changed, 56 insertions(+), 56 deletions(-)
diff --git a/apps/susimail/src/src/i2p/susi/webmail/Mail.java b/apps/susimail/src/src/i2p/susi/webmail/Mail.java
index 462ee32742..95e0829bfe 100644
--- a/apps/susimail/src/src/i2p/susi/webmail/Mail.java
+++ b/apps/susimail/src/src/i2p/susi/webmail/Mail.java
@@ -283,14 +283,14 @@ class Mail {
Encoding html = EncodingFactory.getEncoding( "HTML" );
if( html == null ) {
- error += "HTML encoder not found.<br>";
+ error += "HTML encoder not found.\n";
ok = false;
}
Encoding hl = EncodingFactory.getEncoding( "HEADERLINE" );
if( hl == null ) {
- error += "Header line encoder not found.<br>";
+ error += "Header line encoder not found.\n";
ok = false;
}
@@ -369,7 +369,7 @@ class Mail {
}
}
catch( Exception e ) {
- error += "Error parsing mail header: " + e.getClass().getName() + "<br>";
+ error += "Error parsing mail header: " + e.getClass().getName() + '\n';
}
}
}
diff --git a/apps/susimail/src/src/i2p/susi/webmail/WebMail.java b/apps/susimail/src/src/i2p/susi/webmail/WebMail.java
index b67dbdfb80..3755c9fbd4 100644
--- a/apps/susimail/src/src/i2p/susi/webmail/WebMail.java
+++ b/apps/susimail/src/src/i2p/susi/webmail/WebMail.java
@@ -677,7 +677,7 @@ public class WebMail extends HttpServlet
static String quoteHTML( String line )
{
if( line != null )
- line = line.replace("&", "&").replace( "<", "<" ).replace( ">", ">" );
+ line = DataHelper.escapeHTML(line);
else
line = "";
return line;
@@ -710,52 +710,52 @@ public class WebMail extends HttpServlet
if (buttonPressed(request, LOGIN) || offline) {
if( user == null || user.length() == 0 ) {
- sessionObject.error += _("Need username for authentication.") + "<br>";
+ sessionObject.error += _("Need username for authentication.") + '\n';
doContinue = false;
}
if( pass == null || pass.length() == 0 ) {
- sessionObject.error += _("Need password for authentication.") + "<br>";
+ sessionObject.error += _("Need password for authentication.") + '\n';
doContinue = false;
}
if( host == null || host.length() == 0 ) {
- sessionObject.error += _("Need hostname for connect.") + "<br>";
+ sessionObject.error += _("Need hostname for connect.") + '\n';
doContinue = false;
}
int pop3PortNo = 0;
if( pop3Port == null || pop3Port.length() == 0 ) {
- sessionObject.error += _("Need port number for pop3 connect.") + "<br>";
+ sessionObject.error += _("Need port number for pop3 connect.") + '\n';
doContinue = false;
}
else {
try {
pop3PortNo = Integer.parseInt( pop3Port );
if( pop3PortNo < 0 || pop3PortNo > 65535 ) {
- sessionObject.error += _("POP3 port number is not in range 0..65535.") + "<br>";
+ sessionObject.error += _("POP3 port number is not in range 0..65535.") + '\n';
doContinue = false;
}
}
catch( NumberFormatException nfe )
{
- sessionObject.error += _("POP3 port number is invalid.") + "<br>";
+ sessionObject.error += _("POP3 port number is invalid.") + '\n';
doContinue = false;
}
}
int smtpPortNo = 0;
if( smtpPort == null || smtpPort.length() == 0 ) {
- sessionObject.error += _("Need port number for smtp connect.") + "<br>";
+ sessionObject.error += _("Need port number for smtp connect.") + '\n';
doContinue = false;
}
else {
try {
smtpPortNo = Integer.parseInt( smtpPort );
if( smtpPortNo < 0 || smtpPortNo > 65535 ) {
- sessionObject.error += _("SMTP port number is not in range 0..65535.") + "<br>";
+ sessionObject.error += _("SMTP port number is not in range 0..65535.") + '\n';
doContinue = false;
}
}
catch( NumberFormatException nfe )
{
- sessionObject.error += _("SMTP port number is invalid.") + "<br>";
+ sessionObject.error += _("SMTP port number is invalid.") + '\n';
doContinue = false;
}
}
@@ -829,10 +829,10 @@ public class WebMail extends HttpServlet
sessionObject.mailbox = null;
sessionObject.mailCache = null;
}
- sessionObject.info += _("User logged out.") + "<br>";
+ sessionObject.info += _("User logged out.") + '\n';
sessionObject.state = STATE_AUTH;
} else if( sessionObject.mailbox == null ) {
- sessionObject.error += _("Internal error, lost connection.") + "<br>";
+ sessionObject.error += _("Internal error, lost connection.") + '\n';
sessionObject.state = STATE_AUTH;
}
}
@@ -1065,7 +1065,7 @@ public class WebMail extends HttpServlet
sessionObject.state = STATE_NEW;
}
else {
- sessionObject.error += _("Could not fetch mail body.") + "<br>";
+ sessionObject.error += _("Could not fetch mail body.") + '\n';
}
}
}
@@ -1095,7 +1095,7 @@ public class WebMail extends HttpServlet
}
catch( NumberFormatException nfe )
{
- sessionObject.error += _("Message id not valid.") + "<br>";
+ sessionObject.error += _("Message id not valid.") + '\n';
}
}
}
@@ -1194,7 +1194,7 @@ public class WebMail extends HttpServlet
);
}
else {
- sessionObject.error += _("No Encoding found for {0}", encodeTo) + "<br>";
+ sessionObject.error += _("No Encoding found for {0}", encodeTo) + '\n';
}
}
catch (EncodingException e1) {
@@ -1203,7 +1203,7 @@ public class WebMail extends HttpServlet
}
}
catch (IOException e) {
- sessionObject.error += _("Error reading uploaded file: {0}", e.getMessage()) + "<br>";
+ sessionObject.error += _("Error reading uploaded file: {0}", e.getMessage()) + '\n';
}
}
}
@@ -1338,7 +1338,7 @@ public class WebMail extends HttpServlet
sessionObject.folder.setPageSize( pageSize );
}
catch( NumberFormatException nfe ) {
- sessionObject.error += _("Invalid pagesize number, resetting to default value.") + "<br>";
+ sessionObject.error += _("Invalid pagesize number, resetting to default value.") + '\n';
}
}
if( buttonPressed( request, PREVPAGE ) ) {
@@ -1362,7 +1362,7 @@ public class WebMail extends HttpServlet
if (m > 0)
sessionObject.reallyDelete = true;
else
- sessionObject.error += _("No messages marked for deletion.") + "<br>";
+ sessionObject.error += _("No messages marked for deletion.") + '\n';
}
else {
if( buttonPressed( request, REALLYDELETE ) ) {
@@ -1379,7 +1379,7 @@ public class WebMail extends HttpServlet
sessionObject.folder.removeElements(toDelete);
sessionObject.pageChanged = true;
sessionObject.info += ngettext("1 message deleted.", "{0} messages deleted.", numberDeleted);
- //sessionObject.error += _("Error deleting message: {0}", sessionObject.mailbox.lastError()) + "<br>";
+ //sessionObject.error += _("Error deleting message: {0}", sessionObject.mailbox.lastError()) + '\n';
}
}
sessionObject.reallyDelete = false;
@@ -1466,7 +1466,7 @@ public class WebMail extends HttpServlet
} catch (IOException ioe) {
sessionObject.error = ioe.toString();
} catch( NumberFormatException nfe ) {
- sessionObject.error += _("Invalid pagesize number, resetting to default value.") + "<br>";
+ sessionObject.error += _("Invalid pagesize number, resetting to default value.") + '\n';
}
} else if (buttonPressed(request, CANCEL)) {
sessionObject.state = (sessionObject.folder != null) ? STATE_LIST : STATE_AUTH;
@@ -1670,7 +1670,7 @@ public class WebMail extends HttpServlet
} else if( sessionObject.state == STATE_SHOW ) {
Mail mail = sessionObject.mailCache.getMail(sessionObject.showUIDL, MailCache.FetchMode.HEADER);
if (mail != null && mail.shortSubject != null)
- subtitle = mail.shortSubject;
+ subtitle = quoteHTML(mail.shortSubject);
else
subtitle = _("Show Message");
} else if( sessionObject.state == STATE_NEW ) {
@@ -1714,10 +1714,10 @@ public class WebMail extends HttpServlet
"<form method=\"POST\" enctype=\"multipart/form-data\" action=\"" + myself + "\" accept-charset=\"UTF-8\">" );
if( sessionObject.error != null && sessionObject.error.length() > 0 ) {
- out.println( "<p class=\"error\">" + sessionObject.error + "</p>" );
+ out.println( "<p class=\"error\">" + quoteHTML(sessionObject.error).replace("\n", "<br>") + "</p>" );
}
if( sessionObject.info != null && sessionObject.info.length() > 0 ) {
- out.println( "<p class=\"info\"><b>" + sessionObject.info + "</b></p>" );
+ out.println( "<p class=\"info\"><b>" + quoteHTML(sessionObject.info).replace("\n", "<br>") + "</b></p>" );
}
/*
* now write body
@@ -1762,7 +1762,7 @@ public class WebMail extends HttpServlet
content = part.decode(2);
}
catch (DecodingException e) {
- sessionObject.error += _("Error decoding content: {0}", e.getMessage()) + "<br>";
+ sessionObject.error += _("Error decoding content: {0}", e.getMessage()) + '\n';
content = null;
}
}
@@ -1839,13 +1839,13 @@ public class WebMail extends HttpServlet
if( from == null || !Mail.validateAddress( from ) ) {
ok = false;
- sessionObject.error += _("Found no valid sender address.") + "<br>";
+ sessionObject.error += _("Found no valid sender address.") + '\n';
}
else {
sender = Mail.getAddress( from );
if( sender == null || sender.length() == 0 ) {
ok = false;
- sessionObject.error += _("Found no valid address in \\''{0}\\''.", quoteHTML( from )) + "<br>";
+ sessionObject.error += _("Found no valid address in \\''{0}\\''.", quoteHTML( from )) + '\n';
}
}
@@ -1866,7 +1866,7 @@ public class WebMail extends HttpServlet
if( toList.isEmpty() ) {
ok = false;
- sessionObject.error += _("No recipients found.") + "<br>";
+ sessionObject.error += _("No recipients found.") + '\n';
}
Encoding qp = EncodingFactory.getEncoding( "quoted-printable" );
Encoding hl = EncodingFactory.getEncoding( "HEADERLINE" );
@@ -2018,12 +2018,12 @@ public class WebMail extends HttpServlet
out.println( "<table cellspacing=\"0\" cellpadding=\"5\">\n" +
"<tr><td colspan=\"2\" align=\"center\"><hr></td></tr>\n" +
- "<tr><td align=\"right\">" + _("From") + ":</td><td align=\"left\"><input type=\"text\" size=\"80\" name=\"" + NEW_FROM + "\" value=\"" + from + "\" " + ( fixed ? "disabled" : "" ) +"></td></tr>\n" +
- "<tr><td align=\"right\">" + _("To") + ":</td><td align=\"left\"><input type=\"text\" size=\"80\" name=\"" + NEW_TO + "\" value=\"" + to + "\"></td></tr>\n" +
- "<tr><td align=\"right\">" + _("Cc") + ":</td><td align=\"left\"><input type=\"text\" size=\"80\" name=\"" + NEW_CC + "\" value=\"" + cc + "\"></td></tr>\n" +
- "<tr><td align=\"right\">" + _("Bcc") + ":</td><td align=\"left\"><input type=\"text\" size=\"80\" name=\"" + NEW_BCC + "\" value=\"" + bcc + "\"></td></tr>\n" +
+ "<tr><td align=\"right\">" + _("From") + ":</td><td align=\"left\"><input type=\"text\" size=\"80\" name=\"" + NEW_FROM + "\" value=\"" + quoteHTML(from) + "\" " + ( fixed ? "disabled" : "" ) +"></td></tr>\n" +
+ "<tr><td align=\"right\">" + _("To") + ":</td><td align=\"left\"><input type=\"text\" size=\"80\" name=\"" + NEW_TO + "\" value=\"" + quoteHTML(to) + "\"></td></tr>\n" +
+ "<tr><td align=\"right\">" + _("Cc") + ":</td><td align=\"left\"><input type=\"text\" size=\"80\" name=\"" + NEW_CC + "\" value=\"" + quoteHTML(cc) + "\"></td></tr>\n" +
+ "<tr><td align=\"right\">" + _("Bcc") + ":</td><td align=\"left\"><input type=\"text\" size=\"80\" name=\"" + NEW_BCC + "\" value=\"" + quoteHTML(bcc) + "\"></td></tr>\n" +
"<tr><td align=\"right\">" + _("Bcc to self") + ": </td><td align=\"left\"><input type=\"checkbox\" class=\"optbox\" name=\"" + NEW_BCC_TO_SELF + "\" value=\"1\" " + (sessionObject.bccToSelf ? "checked" : "" ) + "></td></tr>\n" +
- "<tr><td align=\"right\">" + _("Subject") + ":</td><td align=\"left\"><input type=\"text\" size=\"80\" name=\"" + NEW_SUBJECT + "\" value=\"" + subject + "\"></td></tr>\n" +
+ "<tr><td align=\"right\">" + _("Subject") + ":</td><td align=\"left\"><input type=\"text\" size=\"80\" name=\"" + NEW_SUBJECT + "\" value=\"" + quoteHTML(subject) + "\"></td></tr>\n" +
"<tr><td colspan=\"2\" align=\"center\"><textarea cols=\"" + Config.getProperty( CONFIG_COMPOSER_COLS, 80 )+ "\" rows=\"" + Config.getProperty( CONFIG_COMPOSER_ROWS, 10 )+ "\" name=\"" + NEW_TEXT + "\">" + text + "</textarea>" +
"<tr class=\"bottombuttons\"><td colspan=\"2\" align=\"center\"><hr></td></tr>\n" +
"<tr class=\"bottombuttons\"><td align=\"right\">" + _("Add Attachment") + ":</td><td align=\"left\"><input type=\"file\" size=\"50%\" name=\"" + NEW_FILENAME + "\" value=\"\"></td></tr>" +
@@ -2039,7 +2039,7 @@ public class WebMail extends HttpServlet
} else {
out.println("<tr><td align=\"right\"> </td>");
}
- out.println("<td align=\"left\"><input type=\"checkbox\" class=\"optbox\" name=\"check" + attachment.hashCode() + "\" value=\"1\"> " + attachment.getFileName() + "</td></tr>");
+ out.println("<td align=\"left\"><input type=\"checkbox\" class=\"optbox\" name=\"check" + attachment.hashCode() + "\" value=\"1\"> " + quoteHTML(attachment.getFileName()) + "</td></tr>");
}
// TODO disable in JS if none selected
out.println("<tr class=\"bottombuttons\"><td> </td><td align=\"left\">" +
@@ -2068,9 +2068,9 @@ public class WebMail extends HttpServlet
//if (!fixed) {
if (true) {
out.println(
- "<tr><td align=\"right\" width=\"30%\">" + _("Host") + "</td><td width=\"40%\" align=\"left\"><input type=\"text\" size=\"32\" name=\"" + HOST +"\" value=\"" + host + "\"" + ( fixed ? " disabled" : "" ) + "></td></tr>\n" +
- "<tr><td align=\"right\" width=\"30%\">" + _("POP3 Port") + "</td><td width=\"40%\" align=\"left\"><input type=\"text\" style=\"text-align: right;\" size=\"5\" name=\"" + POP3 +"\" value=\"" + pop3 + "\"" + ( fixed ? " disabled" : "" ) + "></td></tr>\n" +
- "<tr><td align=\"right\" width=\"30%\">" + _("SMTP Port") + "</td><td width=\"40%\" align=\"left\"><input type=\"text\" style=\"text-align: right;\" size=\"5\" name=\"" + SMTP +"\" value=\"" + smtp + "\"" + ( fixed ? " disabled" : "" ) + "></td></tr>\n");
+ "<tr><td align=\"right\" width=\"30%\">" + _("Host") + "</td><td width=\"40%\" align=\"left\"><input type=\"text\" size=\"32\" name=\"" + HOST +"\" value=\"" + quoteHTML(host) + "\"" + ( fixed ? " disabled" : "" ) + "></td></tr>\n" +
+ "<tr><td align=\"right\" width=\"30%\">" + _("POP3 Port") + "</td><td width=\"40%\" align=\"left\"><input type=\"text\" style=\"text-align: right;\" size=\"5\" name=\"" + POP3 +"\" value=\"" + quoteHTML(pop3) + "\"" + ( fixed ? " disabled" : "" ) + "></td></tr>\n" +
+ "<tr><td align=\"right\" width=\"30%\">" + _("SMTP Port") + "</td><td width=\"40%\" align=\"left\"><input type=\"text\" style=\"text-align: right;\" size=\"5\" name=\"" + SMTP +"\" value=\"" + quoteHTML(smtp) + "\"" + ( fixed ? " disabled" : "" ) + "></td></tr>\n");
}
out.println(
"<tr><td colspan=\"2\"> </td></tr>\n" +
@@ -2164,9 +2164,9 @@ public class WebMail extends HttpServlet
" onclick=\"deleteboxclicked();\" " +
( idChecked ? "checked" : "" ) + ">" + "</td><td " + jslink + ">" +
(mail.isNew() ? "<img src=\"/susimail/icons/flag_green.png\" alt=\"\" title=\"" + _("Message is new") + "\">" : " ") + "</td><td " + jslink + ">" +
- link + mail.shortSender + "</a></td><td " + jslink + ">" +
+ link + quoteHTML(mail.shortSender) + "</a></td><td " + jslink + ">" +
(mail.hasAttachment() ? "<img src=\"/susimail/icons/attach.png\" alt=\"\" title=\"" + _("Message has an attachment") + "\">" : " ") + "</td><td " + jslink + ">" +
- link + mail.shortSubject + "</a></td><td " + jslink + ">" +
+ link + quoteHTML(mail.shortSubject) + "</a></td><td " + jslink + ">" +
(mail.isSpam() ? "<img src=\"/susimail/icons/flag_red.png\" alt=\"\" title=\"" + _("Message is spam") + "\">" : " ") + "</td><td " + jslink + ">" +
// don't let date get split across lines
mail.localFormattedDate.replace(" ", " ") + "</td><td " + jslink + "> </td><td align=\"right\" " + jslink + ">" +
@@ -2314,9 +2314,9 @@ public class WebMail extends HttpServlet
Properties config = Config.getProperties();
out.print(":</p><textarea cols=\"80\" rows=\"" + Math.max(8, config.size() + 2) + "\" spellcheck=\"false\" name=\"" + CONFIG_TEXT + "\">");
for (Map.Entry<Object, Object> e : config.entrySet()) {
- out.print(e.getKey());
+ out.print(quoteHTML(e.getKey().toString()));
out.print('=');
- out.println(e.getValue());
+ out.println(quoteHTML(e.getValue().toString()));
}
out.println("</textarea>");
out.println("<div id=\"bottombuttons\">");
diff --git a/apps/susimail/src/src/i2p/susi/webmail/smtp/SMTPClient.java b/apps/susimail/src/src/i2p/susi/webmail/smtp/SMTPClient.java
index 9cbc209bce..f3f7556985 100644
--- a/apps/susimail/src/src/i2p/susi/webmail/smtp/SMTPClient.java
+++ b/apps/susimail/src/src/i2p/susi/webmail/smtp/SMTPClient.java
@@ -89,7 +89,7 @@ public class SMTPClient {
socket.getOutputStream().flush();
return getResult();
} catch (IOException e) {
- error += "IOException occured.<br>";
+ error += "IOException occured.\n";
return 0;
}
}
@@ -193,7 +193,7 @@ public class SMTPClient {
buf.setLength(0);
}
} catch (IOException e) {
- error += "IOException occured.<br>";
+ error += "IOException occured.\n";
result = 0;
}
lastResponse = fullResponse.toString();
@@ -211,7 +211,7 @@ public class SMTPClient {
try {
socket = new Socket( host, port );
} catch (Exception e) {
- error += _("Cannot connect") + ": " + e.getMessage() + "<br>";
+ error += _("Cannot connect") + ": " + e.getMessage() + '\n';
ok = false;
}
try {
@@ -222,7 +222,7 @@ public class SMTPClient {
socket.setSoTimeout(120*1000);
int result = sendCmd(null);
if (result != 220) {
- error += _("Server refused connection") + " (" + result + ")<br>";
+ error += _("Server refused connection") + " (" + result + ")\n";
ok = false;
}
}
@@ -234,7 +234,7 @@ public class SMTPClient {
if (r.result == 250) {
supportsPipelining = r.recv.contains("PIPELINING");
} else {
- error += _("Server refused connection") + " (" + r.result + ")<br>";
+ error += _("Server refused connection") + " (" + r.result + ")\n";
ok = false;
}
}
@@ -246,7 +246,7 @@ public class SMTPClient {
cmds.add(new SendExpect(base64.encode(user), 334));
cmds.add(new SendExpect(base64.encode(pass), 235));
if (sendCmds(cmds) != 3) {
- error += _("Login failed") + "<br>";
+ error += _("Login failed") + '\n';
ok = false;
}
}
@@ -259,7 +259,7 @@ public class SMTPClient {
cmds.add(new SendExpect("DATA", 354));
if (sendCmds(cmds) != cmds.size()) {
// TODO which recipient?
- error += _("Mail rejected") + "<br>";
+ error += _("Mail rejected") + '\n';
ok = false;
}
}
@@ -273,10 +273,10 @@ public class SMTPClient {
if (result == 250)
mailSent = true;
else
- error += _("Error sending mail") + " (" + result + ")<br>";
+ error += _("Error sending mail") + " (" + result + ")\n";
}
} catch (IOException e) {
- error += _("Error sending mail") + ": " + e.getMessage() + "<br>";
+ error += _("Error sending mail") + ": " + e.getMessage() + '\n';
} catch (EncodingException e) {
error += e.getMessage();
@@ -284,7 +284,7 @@ public class SMTPClient {
if( !mailSent && lastResponse.length() > 0 ) {
String[] lines = lastResponse.split( "\r" );
for( int i = 0; i < lines.length; i++ )
- error += lines[i] + "<br>";
+ error += lines[i] + '\n';
}
sendCmd("QUIT", false);
if( socket != null ) {
diff --git a/core/java/src/net/i2p/data/DataHelper.java b/core/java/src/net/i2p/data/DataHelper.java
index 826de50eb7..e008f6c630 100644
--- a/core/java/src/net/i2p/data/DataHelper.java
+++ b/core/java/src/net/i2p/data/DataHelper.java
@@ -1628,8 +1628,8 @@ public class DataHelper {
return rv;
}
- private static final String escapeChars[] = {"&", "\"", "<", ">"};
- private static final String escapeCodes[] = {"&", """, "<", ">"};
+ private static final String escapeChars[] = {"&", "\"", "<", ">", "\"", "'"};
+ private static final String escapeCodes[] = {"&", """, "<", ">", """, "'"};
/**
* Escape a string for inclusion in HTML
diff --git a/router/java/src/net/i2p/router/RouterVersion.java b/router/java/src/net/i2p/router/RouterVersion.java
index f7d70ed0aa..3c775e75ad 100644
--- a/router/java/src/net/i2p/router/RouterVersion.java
+++ b/router/java/src/net/i2p/router/RouterVersion.java
@@ -18,7 +18,7 @@ public class RouterVersion {
/** deprecated */
public final static String ID = "Monotone";
public final static String VERSION = CoreVersion.VERSION;
- public final static long BUILD = 24;
+ public final static long BUILD = 25;
/** for example "-test" */
public final static String EXTRA = "-rc";
--
GitLab