From 1bc355b8fdef94bfe52d6c8ee50f7ba3d6af6506 Mon Sep 17 00:00:00 2001
From: zzz <zzz@mail.i2p>
Date: Sat, 23 Aug 2014 13:19:44 +0000
Subject: [PATCH] i2psnark escape fixes

---
 .../java/src/org/klomp/snark/Snark.java | 1 +
 .../java/src/org/klomp/snark/TrackerInfo.java | 3 +++
 .../src/org/klomp/snark/UpdateRunner.java | 8 +++++---
 .../org/klomp/snark/web/I2PSnarkServlet.java | 19 ++++++++++++-------
 4 files changed, 21 insertions(+), 10 deletions(-)

diff --git a/apps/i2psnark/java/src/org/klomp/snark/Snark.java b/apps/i2psnark/java/src/org/klomp/snark/Snark.java
index e9d0937e65..9358623b79 100644
--- a/apps/i2psnark/java/src/org/klomp/snark/Snark.java
+++ b/apps/i2psnark/java/src/org/klomp/snark/Snark.java
@@ -797,6 +797,7 @@ public class Snark
     }
 
     /**
+     * Not HTML escaped.
      * @return String returned from tracker, or null if no error
      * @since 0.8.4
      */
diff --git a/apps/i2psnark/java/src/org/klomp/snark/TrackerInfo.java b/apps/i2psnark/java/src/org/klomp/snark/TrackerInfo.java
index 0de45da06e..9c39fa4d66 100644
--- a/apps/i2psnark/java/src/org/klomp/snark/TrackerInfo.java
+++ b/apps/i2psnark/java/src/org/klomp/snark/TrackerInfo.java
@@ -196,6 +196,9 @@ class TrackerInfo
         return complete;
     }
 
+    /**
+     * Not HTML escaped.
+     */
     public String getFailureReason() {
         return failure_reason;
diff --git a/apps/i2psnark/java/src/org/klomp/snark/UpdateRunner.java b/apps/i2psnark/java/src/org/klomp/snark/UpdateRunner.java
index 28fe34ef91..db35a6910f 100644
--- a/apps/i2psnark/java/src/org/klomp/snark/UpdateRunner.java
+++ b/apps/i2psnark/java/src/org/klomp/snark/UpdateRunner.java
@@ -6,6 +6,7 @@ import java.util.List;
 
 import net.i2p.I2PAppContext;
 import net.i2p.crypto.TrustedUpdate;
+import net.i2p.data.DataHelper;
 import net.i2p.update.*;
 import net.i2p.util.Log;
 import net.i2p.util.SimpleTimer2;
@@ -297,9 +298,10 @@ class UpdateRunner implements UpdateTask, CompleteListener {
     //////// end CompleteListener methods
 
     private static String linkify(String url) {
-        String durl = url.length() <= 28 ? url :
-                      url.substring(0, 25) + "…";
-        return "<a target=\"_blank\" href=\"" + url + "\"/>" + durl + "</a>";
+        String durl = url.length() <= 28 ? DataHelper.escapeHTML(url) :
+                      DataHelper.escapeHTML(url.substring(0, 25)) + "…";
+        // TODO urlEncode instead
+        return "<a target=\"_blank\" href=\"" + DataHelper.escapeHTML(url) + "\"/>" + durl + "</a>";
     }
 
     private void updateStatus(String s) {
diff --git a/apps/i2psnark/java/src/org/klomp/snark/web/I2PSnarkServlet.java b/apps/i2psnark/java/src/org/klomp/snark/web/I2PSnarkServlet.java
index 3296ea0f41..8ff57e4307 100644
--- a/apps/i2psnark/java/src/org/klomp/snark/web/I2PSnarkServlet.java
+++ b/apps/i2psnark/java/src/org/klomp/snark/web/I2PSnarkServlet.java
@@ -60,6 +60,7 @@ public class I2PSnarkServlet extends BasicServlet {
     private static final String DEFAULT_NAME = "i2psnark";
     public static final String PROP_CONFIG_FILE = "i2psnark.configFile";
     private static final String WARBASE = "/.icons/";
+    private static final char HELLIP = '\u2026';
 
     public I2PSnarkServlet() {
         super();
@@ -1256,7 +1257,7 @@ public class I2PSnarkServlet extends BasicServlet {
                 String start = basename.substring(0, MAX_DISPLAYED_FILENAME_LENGTH);
                 if (start.indexOf(" ") < 0 && start.indexOf("-") < 0) {
                     // browser has nowhere to break it
-                    basename = start + "…";
+                    basename = start + HELLIP;
                 }
             }
             // includes skipped files, -1 for magnet mode
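Review bot: The rewritten return line of linkify still closes the opening tag with `\"/>`, so the output is `<a target="_blank" href="..."/>text</a>`; a self-closing `<a>` is not valid HTML and browsers only recover by ignoring the slash, so the literal should be `"\">"`. Escaping the href value with DataHelper.escapeHTML keeps the attribute boundary intact only if that helper also escapes double quotes, which this page does not show; the TODO already records that percent-encoding is the right treatment for a URL value. Where url comes from is outside the hunk; if it can be influenced by a remote feed, neither escaping nor URL-encoding restricts the scheme, so a guard such as `if (!url.startsWith("http://")) return DataHelper.escapeHTML(url);` would be the defensive complement.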
@@ -1307,7 +1308,9 @@ public class I2PSnarkServlet extends BasicServlet {
                 ngettext("1 peer", "{0} peers", knownPeers);
             else {
                 if (err.length() > MAX_DISPLAYED_ERROR_LENGTH)
-                    err = err.substring(0, MAX_DISPLAYED_ERROR_LENGTH) + "…";
+                    err = DataHelper.escapeHTML(err.substring(0, MAX_DISPLAYED_ERROR_LENGTH)) + "…";
+                else
+                    err = DataHelper.escapeHTML(err);
                 statusString = "<img alt=\"\" border=\"0\" src=\"" + _imgPath + "trackererror.png\" title=\"" + err + "\"></td>" +
                                "<td class=\"snarkTorrentStatus\">" + _("Tracker Error");
             }
@@ -1729,8 +1732,8 @@ public class I2PSnarkServlet extends BasicServlet {
                     (announce.startsWith("http://lnQ6yoBT") && aURL.startsWith("http://tracker2.postman.i2p/")) ||
                     (announce.startsWith("http://ahsplxkbhemefwvvml7qovzl5a2b5xo5i7lyai7ntdunvcyfdtna.b32.i2p/") && aURL.startsWith("http://tracker2.postman.i2p/"))))
                     continue;
-                String baseURL = t.baseURL;
-                String name = t.name;
+                String baseURL = urlEncode(t.baseURL);
+                String name = DataHelper.escapeHTML(t.name);
                 StringBuilder buf = new StringBuilder(128);
                 buf.append("<a href=\"").append(baseURL).append("details.php?dllist=1&filelist=1&info_hash=")
                    .append(TrackerClient.urlencode(infohash))
@@ -1774,9 +1777,11 @@ public class I2PSnarkServlet extends BasicServlet {
             if (trackerLinkUrl != null)
                 buf.append(trackerLinkUrl);
             else
-                buf.append("<a href=\"http://").append(announce).append("/\">");
+                // TODO encode
+                buf.append("<a href=\"http://").append(urlEncode(announce)).append("/\">");
             if (announce.length() > 67)
-                announce = announce.substring(0, 40) + "…" + announce.substring(announce.length() - 8);
+                announce = DataHelper.escapeHTML(announce.substring(0, 40)) + "…" +
+                           DataHelper.escapeHTML(announce.substring(announce.length() - 8));
             buf.append(announce);
             buf.append("</a>");
             return buf.toString();
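Review bot: The truncation suffix on the added line is still the string literal `"…"` while the @@ -1256 hunk of this same file introduced the `HELLIP` char constant for exactly this purpose, so the file now spells the ellipsis two ways; `err = DataHelper.escapeHTML(err.substring(0, MAX_DISPLAYED_ERROR_LENGTH)) + HELLIP;` keeps the two sites consistent, assuming the response is emitted as UTF-8 as the basename change already assumes. The escaped value is then placed inside a double-quoted `title` attribute, which is only safe if DataHelper.escapeHTML escapes `"` — that helper is not on this page, so worth confirming. The enclosing method starts and ends outside the hunk.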
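Review bot: `urlEncode(t.baseURL)` does not protect the attribute boundary it is appended into: the urlEncode shown in the @@ -2274 hunk rewrites `;`, `&`, space, `<`, `>`, `[` and `]` but leaves `"` (and `'`) untouched, so a double quote in a configured tracker base URL still terminates the `href="` attribute built on the next line. The same gap applies to `urlEncode(announce)` in the following @@ -1774 hunk, where announce presumably originates from the torrent file rather than local configuration. The fix belongs in urlEncode itself, adding `.replace("\"", "%22")` to the existing chain, rather than at each call site. Separately, the literal `details.php?dllist=1&filelist=1&info_hash=` is appended raw, so its ampersands are not entity-escaped the way those in baseURL now are; browsers tolerate it, but the attribute is then half-escaped.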
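Review bot: The link text is only escaped on the truncation path: when `announce.length() <= 67` the unmodified string reaches `buf.append(announce)` and is written into the page unescaped, unless it was escaped before the hunk begins, which the raw `announce.startsWith("http://...")` comparisons in the @@ -1729 hunk suggest it was not. Mirror the @@ -1307 hunk with `else announce = DataHelper.escapeHTML(announce);` directly after the `if`. The added `// TODO encode` comment now sits between `else` and the single statement it governs and describes work that line already does via urlEncode, so it should be dropped or moved above the `else`. The enclosing method begins outside the hunk.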
@@ -2274,7 +2279,7 @@ public class I2PSnarkServlet extends BasicServlet {
      */
     private static String urlEncode(String s) {
         return s.replace(";", "%3B").replace("&", "&").replace(" ", "%20")
-                .replace("<", "<").replace(">", ">")
+                .replace("<", "%3C").replace(">", "%3E")
                 .replace("[", "%5B").replace("]", "%5D");
     }
 
-- 
GitLab
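Review bot: urlEncode's contract is narrower than its name suggests and the javadoc (its opening is outside the hunk) should say so: it percent-encodes only `;`, space, `<`, `>`, `[`, `]`, entity-escapes `&` (the `.replace("&", "&")` printed here reads as a no-op, presumably because the page rendering decoded an entity literal), and leaves `%` alone, so it assumes an already percent-encoded URL that is about to be placed in a quoted HTML attribute. A summary such as `Makes an already percent-encoded URL safe to embed in a quoted HTML attribute; encodes a few reserved characters and entity-escapes &, but does not re-encode % or handle quotes.` would stop callers treating it as a general encoder. The missing handling of `"` is raised at the @@ -1729 hunk.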