Revision 7677

escape special XML characters when constructing a pathquery from user input (&). https://projects.ecoinformatics.org/ecoinfo/issues/3017


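--- a/src/edu/ucsb/nceas/metacat/DBQuery.java
+++ b/src/edu/ucsb/nceas/metacat/DBQuery.java
@@ -60,6 +60,7 @@
 import javax.servlet.ServletOutputStream;
 import javax.servlet.http.HttpServletResponse;
 
+import org.apache.commons.lang.StringEscapeUtils;
 import org.apache.log4j.Logger;
 
 import edu.ucsb.nceas.metacat.database.DBConnection;
@@ -1746,7 +1747,8 @@
                 if (anyfield[i] != null && !anyfield[i].equals("")) {
                     query.append("<queryterm casesensitive=\"" + casesensitive
                             + "\" " + "searchmode=\"" + searchmode
-                            + "\"><value>" + anyfield[i]
+                            + "\"><value>" 
+                            + StringEscapeUtils.escapeXml(anyfield[i])
                             + "</value></queryterm>");
                 }
             }
@@ -1795,7 +1797,7 @@
                                 + casesensitive + "\" " + "searchmode=\""
                                 + searchmode + "\">" + "<value>" +
                                 //add the query value
-                                ((String[]) nextelement)[i]
+                                StringEscapeUtils.escapeXml(((String[]) nextelement)[i])
                                 + "</value><pathexpr>" +
                                 //add the path to query by
                                 nextkey.toString() + "</pathexpr></queryterm>");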
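Review bot: The `<pathexpr>` content on the last line, `nextkey.toString()`, is still concatenated into the XML unescaped inside the same append that now escapes the `<value>` text; if the keys of that map come from the same request parameters as the values (the commit message says the pathquery is built from user input), the special-character problem this commit fixes remains there. The `casesensitive` and `searchmode` attribute values in both hunks are likewise inserted raw, and if they are request-derived they need the same treatment (escapeXml also escapes `"`, so it is safe inside attribute values). I would change the last line to `StringEscapeUtils.escapeXml(nextkey.toString()) + "</pathexpr></queryterm>");`. The enclosing method starts and ends outside these hunks, so where nextkey and the attribute values originate is not visible here.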
