diff --git a/src/main/java/gov/nasa/pds/search/servlet/RegistryLegacyServlet.java b/src/main/java/gov/nasa/pds/search/servlet/RegistryLegacyServlet.java
index bfb03d3..b499eb8 100644
--- a/src/main/java/gov/nasa/pds/search/servlet/RegistryLegacyServlet.java
+++ b/src/main/java/gov/nasa/pds/search/servlet/RegistryLegacyServlet.java
@@ -3,7 +3,6 @@
 import java.io.IOException;
 import java.io.UnsupportedEncodingException;
 import java.net.URI;
-import java.net.URLDecoder;
 import java.net.URLEncoder;
 import java.net.http.HttpClient;
 import java.net.http.HttpRequest;
@@ -20,6 +19,7 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import org.apache.http.HttpHeaders;
+import gov.nasa.pds.search.util.XssUtils;
 
 public class RegistryLegacyServlet extends HttpServlet {
 
@@ -179,8 +179,9 @@ private String appendQueryParameters(String key, String[] parameterValues)
     String value = "";
     String queryString = "";
     for (String v : Arrays.asList(parameterValues)) {
-      value = URLDecoder.decode(v, "UTF-8");
-      queryString += String.format("%s=%s&", key, URLEncoder.encode(value, "UTF-8"));
+      value = XssUtils.clean(v);
+      queryString +=
+          String.format("%s=%s&", key, URLEncoder.encode(value, "UTF-8"));
     }
     return queryString;
   }
diff --git a/src/main/java/gov/nasa/pds/search/util/XssUtils.java b/src/main/java/gov/nasa/pds/search/util/XssUtils.java
index c79dae1..9acbd89 100644
--- a/src/main/java/gov/nasa/pds/search/util/XssUtils.java
+++ b/src/main/java/gov/nasa/pds/search/util/XssUtils.java
@@ -1,5 +1,6 @@
 package gov.nasa.pds.search.util;
 
+import java.io.UnsupportedEncodingException;
 import java.net.URLDecoder;
 import java.util.regex.Pattern;
 
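Review bot: On the `+      value = XssUtils.clean(v);` line a value that `clean` rejects comes back as `""` (the `value = "";` branch visible in the XssUtils.java hunks), and the loop then emits `key=&` with no log entry, so a query containing `,`, `'` or `"` is dropped from the forwarded request without any trace; a debug log when `value.isEmpty() && !v.isEmpty()` would make that visible. The removed `URLDecoder.decode(v, "UTF-8")` also changes what is forwarded: if `parameterValues` comes from the container's parameter map (already URL-decoded) the removal correctly avoids a second decode, but if it is raw query text the output is now encoded twice (`a%20b` becomes `a%2520b`, constructed example), and either way `clean` inspects a once-more-decoded copy rather than the string actually forwarded, so a round-trip test of `appendQueryParameters` with a percent-encoded input would pin the intended behaviour. `URLEncoder.encode(value, StandardCharsets.UTF_8)` (Java 10+, and this file already uses `java.net.http`) would additionally drop the checked `UnsupportedEncodingException` for a charset constant that can never be missing. The method's signature and throws clause lie outside the hunk.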
@@ -34,11 +35,13 @@ private XssUtils() {
       Pattern.compile("alert\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL)
   };
   /**
-   * This method makes up a simple anti cross-site scripting (XSS) filter written
-   * for Java web applications. What it basically does is remove all suspicious
-   * strings from request parameters before returning them to the application.
-   */
-  public static String clean(String value) {
+   * This method makes up a simple anti cross-site scripting (XSS) filter written for Java web
+   * applications. What it basically does is remove all suspicious strings from request parameters
+   * before returning them to the application.
+   *
+   * @throws UnsupportedEncodingException
+   */
+  public static String clean(String value) throws UnsupportedEncodingException {
     if (value != null) {
       // Avoid null characters
       value = value.replaceAll("\0", "");
@@ -55,7 +58,7 @@ public static String clean(String value) {
       char badChars[] = { '|', ';', '$', '@', '\'', '"', '<', '>', ',', '\\', /* CR */ '\r', /* LF */ '\n', /* Backspace */ '\b' };
       try {
-        String decodedStr = URLDecoder.decode(value);
+        String decodedStr = URLDecoder.decode(value, "UTF-8");
         for (int i = 0; i < badChars.length; i++) {
           if (decodedStr.indexOf(badChars[i]) >= 0) {
             value = "";
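Review bot: The new `throws UnsupportedEncodingException` on `clean` pushes a checked exception onto every caller for a charset name that is a compile-time constant and can never be absent; `URLDecoder.decode(value, StandardCharsets.UTF_8)` (Java 10+, and the servlet in this commit already uses `java.net.http`) keeps the explicit-charset fix made in the later hunk of this file without changing the method's signature, so the `@throws` tag and the new import could go as well. As written, the `@throws UnsupportedEncodingException` tag has no description; if the clause stays it should say under what condition it is thrown. The Javadoc also omits the contract a caller has to know: a value containing any character from the bad-character list is returned as an empty string rather than cleaned, and `null` is presumably passed through unchanged given the `if (value != null)` guard (the return is outside the hunk); suggest adding `@param value the raw request parameter, may be null` and `@return the filtered value, or "" if a forbidden character is found after URL-decoding`, and noting that a deny-list filter of this kind is defense in depth rather than a substitute for encoding at the point of output. The body of `clean` continues beyond this hunk.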