Fixed 9578: Use proper validation for list-style request parameters.
authorStefan Hühner <stefan.huehner@openbravo.com>
Mon, 22 Jun 2009 12:21:08 +0200
changeset 4050 18bbfdbf067f
parent 4049 d8c293b8cc2c
child 4051 fabc8fbe0b1b
Fixed 9578: Use proper validation for list-style request parameters.
This avoids the deprecation warning that comes up when using the old method without validation.
src/org/openbravo/erpCommon/ad_reports/ReportAccountingCountDimensionalAnalyses.java
--- a/src/org/openbravo/erpCommon/ad_reports/ReportAccountingCountDimensionalAnalyses.java	Mon Jun 22 11:05:32 2009 +0200
+++ b/src/org/openbravo/erpCommon/ad_reports/ReportAccountingCountDimensionalAnalyses.java	Mon Jun 22 12:21:08 2009 +0200
@@ -28,6 +28,7 @@
 import javax.servlet.http.HttpServletResponse;
 
 import org.openbravo.base.filter.IsIDFilter;
+import org.openbravo.base.filter.RequestFilter;
 import org.openbravo.base.secureApp.HttpSecureAppServlet;
 import org.openbravo.base.secureApp.VariablesSecureApp;
 import org.openbravo.erpCommon.ad_combos.OrganizationComboData;
@@ -47,6 +48,19 @@
 public class ReportAccountingCountDimensionalAnalyses extends HttpSecureAppServlet {
   private static final long serialVersionUID = 1L;
 
+  private static final RequestFilter columnNameFilter = new RequestFilter() {
+    @Override
+    public boolean accept(String value) {
+      for (int i = 0; i < value.length(); i++) {
+        int c = value.codePointAt(i);
+        if (Character.isLetter(c) || Character.isDigit(c) || value.charAt(i) == '_') {
+          return true;
+        }
+      }
+      return false;
+    }
+  };
+
   public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException,
       ServletException {
     VariablesSecureApp vars = new VariablesSecureApp(request);
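Review bot: The accept() loop in columnNameFilter is inverted — it returns true on the first character that is a letter, digit or '_', so any value containing at least one such character passes, and only values made entirely of other characters are rejected; the validation this commit introduces for "inpShown" (hunks at -69,7 and -104,7 rely on it) therefore rejects almost nothing. If strShown is spliced into generated SQL, as the filter name suggests, the filter should reject on the first disallowed character instead: change the condition to `if (!(Character.isLetter(c) || Character.isDigit(c) || c == '_')) {`, the inner `return true;` to `return false;`, and the trailing `return false;` to `return true;`. Note that with the corrected loop an empty value is accepted (the original rejects it), so decide explicitly whether "" is a valid column name here, and that value.codePointAt(i) paired with a per-char index still steps into the low surrogate of supplementary characters — harmless for acceptance since a lone surrogate is neither letter nor digit, but worth a short comment. The enclosing class and doPost continue outside the hunk.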
@@ -69,7 +83,7 @@
       String strmProductId = vars.getInGlobalVariable("inpmProductId_IN",
           "ReportAccountingCountDimensionalAnalyses|mProductId", "", IsIDFilter.instance);
       String strShown = vars.getInGlobalVariable("inpShown",
-          "ReportAccountingCountDimensionalAnalyses|shown", "");
+          "ReportAccountingCountDimensionalAnalyses|shown", "", columnNameFilter);
       String strOrg = vars.getGlobalVariable("inpOrg",
           "ReportAccountingCountDimensionalAnalyses|org", "0");
       String strcProjectId = vars.getGlobalVariable("inpcProjectId",
@@ -104,7 +118,7 @@
       String strmProductId = vars.getRequestInGlobalVariable("inpmProductId_IN",
           "ReportAccountingCountDimensionalAnalyses|mProductId", IsIDFilter.instance);
       String strShown = vars.getRequestInGlobalVariable("inpShown",
-          "ReportAccountingCountDimensionalAnalyses|shown");
+          "ReportAccountingCountDimensionalAnalyses|shown", columnNameFilter);
       String strOrg = vars.getGlobalVariable("inpOrg",
           "ReportAccountingCountDimensionalAnalyses|org", "0");
       String strcProjectId = vars.getRequestGlobalVariable("inpcProjectId",