fixes #6200
authorMatti Tahvonen <matti.tahvonen@itmill.com>
Tue, 28 Dec 2010 13:32:55 +0000 (13:32 +0000)
committerMatti Tahvonen <matti.tahvonen@itmill.com>
Tue, 28 Dec 2010 13:32:55 +0000 (13:32 +0000)
svn changeset:16698/svn branch:6.5

src/com/vaadin/terminal/gwt/server/AbstractApplicationServlet.java

index 5b422b226da38832a60eb0436cb3a67643467cf7..ec75ebfc4a47cb2a2172144367a2a1c6e1e26438 100644 (file)
@@ -989,6 +989,10 @@ public abstract class AbstractApplicationServlet extends HttpServlet implements
                 themeName = getDefaultTheme();
             }
         }
+
+        // XSS preventation, theme names shouldn't contain special chars anyway
+        themeName = JsonPaintTarget.escapeJSON(themeName);
+
         return themeName;
     }
 
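Review bot: Applying JsonPaintTarget.escapeJSON to themeName at the return of this method (the added line before `return themeName;`) encodes for a JSON string context at the point where the value is produced, not where it is emitted, so every caller now receives a JSON-escaped name whether it writes JSON, HTML or a resource path; which callers exist is not visible in this hunk, but a name containing a backslash or quote would come out wrong anywhere other than a JSON string. The comment's own premise that theme names shouldn't contain special characters is an allowlist, so validating here (for example `if (!themeName.matches("[A-Za-z0-9_\\-]+")) { themeName = getDefaultTheme(); }`, null handling to be confirmed against the lines above the hunk) and escaping at the write site would keep the encoding matched to its context. The comment also reads `preventation`; `// XSS prevention: theme names shouldn't contain special chars anyway` is the corrected wording. The enclosing method starts outside the hunk.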
@@ -1796,9 +1800,11 @@ public abstract class AbstractApplicationServlet extends HttpServlet implements
         String pathInfo = getRequestPathInfo(request);
         if (pathInfo == null) {
             pathInfo = "/";
+        } else {
+            pathInfo = JsonPaintTarget.escapeJSON(pathInfo);
         }
 
-        page.write("pathInfo: '" + pathInfo + "', ");
+        page.write("pathInfo: \"" + pathInfo + "\", ");
         if (window != application.getMainWindow()) {
             page.write("windowName: '" + window.getName() + "', ");
         }
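Review bot: The window name written on the line following the change, `page.write("windowName: '" + window.getName() + "', ");`, is still emitted unescaped inside single quotes, while pathInfo on the preceding line now goes through JsonPaintTarget.escapeJSON inside double quotes; whether window.getName() can carry request-derived text is not visible here, but two adjacent literals in the same inline object should be treated the same way, e.g. `page.write("windowName: \"" + JsonPaintTarget.escapeJSON(window.getName()) + "\", ");`. Separately, escapeJSON encodes for a JSON string literal, and if this page is an inline HTML script block that alone does not guarantee the `</` sequence or the U+2028/U+2029 line separators are neutralized; confirm what escapeJSON covers before relying on it for HTML-embedded output. The enclosing method starts before and continues past the hunk.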