From d6b0b1b93c1c917f5d0ee82f213bf8f6ff322909 Mon Sep 17 00:00:00 2001
From: zzz <zzz@mail.i2p>
Date: Sat, 26 Jul 2014 20:14:01 +0000
Subject: [PATCH] refresh tweaks another escape html

---
 .../java/src/net/i2p/router/web/EventLogHelper.java      | 1 +
 apps/routerconsole/jsp/summary.jsi                       | 9 +++++++--
 apps/routerconsole/jsp/summaryframe.jsp                  | 2 +-
 router/java/src/net/i2p/router/RouterVersion.java        | 2 +-
 4 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/apps/routerconsole/java/src/net/i2p/router/web/EventLogHelper.java b/apps/routerconsole/java/src/net/i2p/router/web/EventLogHelper.java
index 1b9e86fa2a..d6882f0a6d 100644
--- a/apps/routerconsole/java/src/net/i2p/router/web/EventLogHelper.java
+++ b/apps/routerconsole/java/src/net/i2p/router/web/EventLogHelper.java
@@ -160,6 +160,7 @@ public class EventLogHelper extends FormHandler {
         String xev = _xevents.get(_event);
         if (xev == null)
             xev = _event;
+        xev = DataHelper.escapeHTML(xev);
         if (events.isEmpty()) {
             if (isAll) {
                 if (_age == 0)
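Review bot: The added `xev = DataHelper.escapeHTML(xev);` has no comment saying why it is there, unlike the `// XSS` marker on the `stripHTML` call in summaryframe.jsp in this same patch. Because `xev` falls back to the raw `_event` when `_xevents` has no entry, and `_event` is presumably request-supplied, I would add `// _event may come from the request; escape before it is written into the page (XSS)` above the line. The escape also covers the string looked up from `_xevents`, so it is worth confirming those values are plain text and do not intentionally carry markup or entities, which would now be double-escaped. The enclosing method starts and ends outside the hunk.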
diff --git a/apps/routerconsole/jsp/summary.jsi b/apps/routerconsole/jsp/summary.jsi
index d38637d836..d9f62f247d 100644
--- a/apps/routerconsole/jsp/summary.jsi
+++ b/apps/routerconsole/jsp/summary.jsi
@@ -17,9 +17,14 @@
         if (d == null || "".equals(d))
             d = intl.getRefresh();
         else {
-            d = net.i2p.data.DataHelper.stripHTML(d);  // XSS
+            long delay;
+            try {
+                delay = Long.parseLong(d);
+            } catch (NumberFormatException nfe) {
+                delay = 60;
+            }
             // pass the new delay parameter to the iframe
-            newDelay = "?refresh=" + d;
+            newDelay = "?refresh=" + delay;
             // update disable boolean
             intl.setDisableRefresh(d);
         }
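Review bot: `intl.setDisableRefresh(d)` at the end of the else branch still receives the raw request string, which no longer goes through `stripHTML` and may differ from the value that was parsed. A non-numeric `d` sends `refresh=60` to the iframe but the original text to the helper. Passing the parsed value keeps the two in step: `intl.setDisableRefresh(Long.toString(delay));`. `Long.parseLong` also accepts negative numbers, and the fallback `60` is a literal rather than the `intl.getRefresh()` value used in the empty case, so a guard such as `if (delay < 0) delay = 60;` or reuse of the configured default would be tighter. How `setDisableRefresh` treats its argument is not visible in this diff.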
diff --git a/apps/routerconsole/jsp/summaryframe.jsp b/apps/routerconsole/jsp/summaryframe.jsp
index 8189635fc1..cb27feab22 100644
--- a/apps/routerconsole/jsp/summaryframe.jsp
+++ b/apps/routerconsole/jsp/summaryframe.jsp
@@ -23,7 +23,7 @@
     if (!shutdownSoon) {
         if (d == null || "".equals(d)) {
             // set below
-        } else {
+        } else if (intl.getNonce().equals(conNonceParam)) {
             d = net.i2p.data.DataHelper.stripHTML(d);  // XSS
             intl.setRefresh(d);
             intl.setDisableRefresh(d);
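Review bot: When `d` is non-empty and the nonce does not match, the new `else if` falls through with `d` still holding the raw request parameter, neither stripped nor replaced. If anything after this hunk writes `d` into the page before reassigning it, that path is unescaped. An explicit `else { d = null; }`, or a comment stating that `d` is overwritten below, would make the rejection path unambiguous. `intl.getNonce().equals(conNonceParam)` also throws if `getNonce()` returns null, which cannot be ruled out from the visible lines. The enclosing block continues outside the hunk.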
diff --git a/router/java/src/net/i2p/router/RouterVersion.java b/router/java/src/net/i2p/router/RouterVersion.java
index 33006bcb1f..285b64c36d 100644
--- a/router/java/src/net/i2p/router/RouterVersion.java
+++ b/router/java/src/net/i2p/router/RouterVersion.java
@@ -18,7 +18,7 @@ public class RouterVersion {
     /** deprecated */
     public final static String ID = "Monotone";
     public final static String VERSION = CoreVersion.VERSION;
-    public final static long BUILD = 27;
+    public final static long BUILD = 28;
 
     /** for example "-test" */
     public final static String EXTRA = "-rc";
-- 
GitLab