Fixes issue 40524: Escapes values printed to servlet response
authorNono Carballo <nonofce@gmail.com>
Wed, 24 Apr 2019 17:10:51 -0400
changeset 36068 668fa40104f5
parent 36053 1fbbfb4e42f7
Fixes issue 40524: Escapes values printed to servlet response

HTML-escapes the ledger and currency identifiers before printing them to the servlet response.
src/org/openbravo/erpCommon/ad_reports/GeneralAccountingReports.java
src/org/openbravo/erpCommon/ad_reports/ReportGeneralLedger.java
src/org/openbravo/erpCommon/ad_reports/ReportGeneralLedgerJournal.java
src/org/openbravo/erpCommon/ad_reports/ReportInvoiceCustomerDimensionalAnalysesJR.java
src/org/openbravo/erpCommon/ad_reports/ReportMaterialDimensionalAnalysesJR.java
src/org/openbravo/erpCommon/ad_reports/ReportSalesDimensionalAnalyzeJR.java
src/org/openbravo/erpCommon/ad_reports/ReportShipmentDimensionalAnalyzeJR.java
src/org/openbravo/erpCommon/ad_reports/ReportTrialBalance.java
--- a/src/org/openbravo/erpCommon/ad_reports/GeneralAccountingReports.java	Wed Apr 24 13:21:07 2019 +0200
+++ b/src/org/openbravo/erpCommon/ad_reports/GeneralAccountingReports.java	Wed Apr 24 17:10:51 2019 -0400
@@ -11,7 +11,7 @@
  * under the License. 
  * The Original Code is Openbravo ERP. 
  * The Initial Developer of the Original Code is Openbravo SLU 
- * All portions are Copyright (C) 2001-2018 Openbravo SLU 
+ * All portions are Copyright (C) 2001-2019 Openbravo SLU 
  * All Rights Reserved. 
  * Contributor(s):  ______________________________________.
  ************************************************************************
@@ -33,6 +33,7 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.apache.commons.lang.StringEscapeUtils;
 import org.apache.commons.lang.StringUtils;
 import org.codehaus.jettison.json.JSONArray;
 import org.codehaus.jettison.json.JSONException;
@@ -152,7 +153,7 @@
       String strcAcctSchemaId = OBLedgerUtils.getOrgLedger(strOrg);
       response.setContentType("text/html; charset=UTF-8");
       PrintWriter out = response.getWriter();
-      out.print(strcAcctSchemaId);
+      out.print(StringEscapeUtils.escapeHtml(strcAcctSchemaId));
       out.close();
     } else if (vars.commandIn("CMBORG")) {
       String strAccSchema = vars.getStringParameter("inpcAcctSchemaId");
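Review bot: The escaped ID is still served as `text/html` (the `setContentType` call two lines above the change), so the browser is told to treat the body as markup and the escape has to be the only barrier; for a bare identifier `response.setContentType("text/plain; charset=UTF-8");` stops the browser from interpreting it at all and turns the escape into defence-in-depth. Note also that commons-lang 2's `escapeHtml` does not encode single quotes, so if the client script places this response inside an attribute or a JavaScript string the escaping alone is not enough — how the client consumes it is not visible here. The branch containing this code, and the service method around it, begin above the hunk.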
--- a/src/org/openbravo/erpCommon/ad_reports/ReportGeneralLedger.java	Wed Apr 24 13:21:07 2019 +0200
+++ b/src/org/openbravo/erpCommon/ad_reports/ReportGeneralLedger.java	Wed Apr 24 17:10:51 2019 -0400
@@ -11,7 +11,7 @@
  * under the License.
  * The Original Code is Openbravo ERP.
  * The Initial Developer of the Original Code is Openbravo SLU
- * All portions are Copyright (C) 2001-2017 Openbravo SLU
+ * All portions are Copyright (C) 2001-2019 Openbravo SLU
  * All Rights Reserved.
  * Contributor(s):  ______________________________________.
  ************************************************************************
@@ -28,6 +28,7 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.apache.commons.lang.StringEscapeUtils;
 import org.apache.commons.lang.StringUtils;
 import org.openbravo.base.filter.IsIDFilter;
 import org.openbravo.base.secureApp.HttpSecureAppServlet;
@@ -225,7 +226,7 @@
       String strcAcctSchemaId = OBLedgerUtils.getOrgLedger(strOrg);
       response.setContentType("text/html; charset=UTF-8");
       PrintWriter out = response.getWriter();
-      out.print(strcAcctSchemaId);
+      out.print(StringEscapeUtils.escapeHtml(strcAcctSchemaId));
       out.close();
     }
 
--- a/src/org/openbravo/erpCommon/ad_reports/ReportGeneralLedgerJournal.java	Wed Apr 24 13:21:07 2019 +0200
+++ b/src/org/openbravo/erpCommon/ad_reports/ReportGeneralLedgerJournal.java	Wed Apr 24 17:10:51 2019 -0400
@@ -475,7 +475,7 @@
       String strcAcctSchemaId = OBLedgerUtils.getOrgLedger(strOrg);
       response.setContentType("text/html; charset=UTF-8");
       PrintWriter out = response.getWriter();
-      out.print(strcAcctSchemaId);
+      out.print(StringEscapeUtils.escapeHtml(strcAcctSchemaId));
       out.close();
     } else {
       pageError(response);
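Review bot: This hunk introduces `StringEscapeUtils.escapeHtml` into ReportGeneralLedgerJournal.java but, unlike the other seven files in the changeset, there is no accompanying hunk adding `import org.apache.commons.lang.StringEscapeUtils;` — presumably the file already imports it, but that should be confirmed, since otherwise the changeset does not compile. The `else` on the line after the change shows this is the tail of a larger conditional whose start lies outside the hunk.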
--- a/src/org/openbravo/erpCommon/ad_reports/ReportInvoiceCustomerDimensionalAnalysesJR.java	Wed Apr 24 13:21:07 2019 +0200
+++ b/src/org/openbravo/erpCommon/ad_reports/ReportInvoiceCustomerDimensionalAnalysesJR.java	Wed Apr 24 17:10:51 2019 -0400
@@ -11,7 +11,7 @@
  * under the License. 
  * The Original Code is Openbravo ERP. 
  * The Initial Developer of the Original Code is Openbravo SLU 
- * All portions are Copyright (C) 2001-2018 Openbravo SLU 
+ * All portions are Copyright (C) 2001-2019 Openbravo SLU 
  * All Rights Reserved.
  * Contributor(s):  ______________________________________.
  ************************************************************************
@@ -27,6 +27,7 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.apache.commons.lang.StringEscapeUtils;
 import org.apache.commons.lang.StringUtils;
 import org.openbravo.base.filter.IsIDFilter;
 import org.openbravo.base.filter.IsPositiveIntFilter;
@@ -310,7 +311,7 @@
       }
       response.setContentType("text/html; charset=UTF-8");
       PrintWriter out = response.getWriter();
-      out.print(strOrgCurrencyId);
+      out.print(StringEscapeUtils.escapeHtml(strOrgCurrencyId));
       out.close();
     } else {
       pageErrorPopUp(response);
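Review bot: The same four statements (set `text/html`, get the writer, escape-and-print, close) are now copy-pasted into eight servlets, so the next servlet that prints a lookup result has nothing forcing it to escape. A single protected helper on whatever shared base class these report servlets extend, e.g. `protected void printEscaped(HttpServletResponse response, String value) throws IOException`, would keep the content type and the escape in one place and let this hunk shrink to one call. The base class is not visible in this hunk, so where it lives is for the author to confirm; the method enclosing this code starts above the hunk.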
--- a/src/org/openbravo/erpCommon/ad_reports/ReportMaterialDimensionalAnalysesJR.java	Wed Apr 24 13:21:07 2019 +0200
+++ b/src/org/openbravo/erpCommon/ad_reports/ReportMaterialDimensionalAnalysesJR.java	Wed Apr 24 17:10:51 2019 -0400
@@ -11,7 +11,7 @@
  * under the License. 
  * The Original Code is Openbravo ERP. 
  * The Initial Developer of the Original Code is Openbravo SLU 
- * All portions are Copyright (C) 2001-2017 Openbravo SLU 
+ * All portions are Copyright (C) 2001-2019 Openbravo SLU 
  * All Rights Reserved.
  * Contributor(s):  ______________________________________.
  ************************************************************************
@@ -27,6 +27,7 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.apache.commons.lang.StringEscapeUtils;
 import org.apache.commons.lang.StringUtils;
 import org.openbravo.base.filter.IsIDFilter;
 import org.openbravo.base.filter.IsPositiveIntFilter;
@@ -177,7 +178,7 @@
       }
       response.setContentType("text/html; charset=UTF-8");
       PrintWriter out = response.getWriter();
-      out.print(strOrgCurrencyId);
+      out.print(StringEscapeUtils.escapeHtml(strOrgCurrencyId));
       out.close();
     } else {
       pageErrorPopUp(response);
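Review bot: Escaping treats `strOrgCurrencyId` as free text, but this file already imports `IsIDFilter` (line 129 above), which is the tighter check: a value that is not a well-formed ID should never reach `out.print` at all, escaped or not. Rejecting anything the filter does not accept and falling through to the existing `pageErrorPopUp(response)` would make the escape defence-in-depth rather than the only safeguard; the exact call depends on the filter's API, which is not in the hunk. Where `strOrgCurrencyId` is computed lies above the hunk (it opens on a closing brace), so the method cannot be reviewed as a whole here.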
--- a/src/org/openbravo/erpCommon/ad_reports/ReportSalesDimensionalAnalyzeJR.java	Wed Apr 24 13:21:07 2019 +0200
+++ b/src/org/openbravo/erpCommon/ad_reports/ReportSalesDimensionalAnalyzeJR.java	Wed Apr 24 17:10:51 2019 -0400
@@ -11,7 +11,7 @@
  * under the License. 
  * The Original Code is Openbravo ERP. 
  * The Initial Developer of the Original Code is Openbravo SLU 
- * All portions are Copyright (C) 2001-2017 Openbravo SLU 
+ * All portions are Copyright (C) 2001-2019 Openbravo SLU 
  * All Rights Reserved. 
  * Contributor(s):  ______________________________________.
  ************************************************************************
@@ -28,6 +28,7 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.apache.commons.lang.StringEscapeUtils;
 import org.apache.commons.lang.StringUtils;
 import org.openbravo.base.filter.IsIDFilter;
 import org.openbravo.base.filter.IsPositiveIntFilter;
@@ -196,7 +197,7 @@
       }
       response.setContentType("text/html; charset=UTF-8");
       PrintWriter out = response.getWriter();
-      out.print(strOrgCurrencyId);
+      out.print(StringEscapeUtils.escapeHtml(strOrgCurrencyId));
       out.close();
     } else {
       pageErrorPopUp(response);
--- a/src/org/openbravo/erpCommon/ad_reports/ReportShipmentDimensionalAnalyzeJR.java	Wed Apr 24 13:21:07 2019 +0200
+++ b/src/org/openbravo/erpCommon/ad_reports/ReportShipmentDimensionalAnalyzeJR.java	Wed Apr 24 17:10:51 2019 -0400
@@ -11,7 +11,7 @@
  * under the License. 
  * The Original Code is Openbravo ERP. 
  * The Initial Developer of the Original Code is Openbravo SLU 
- * All portions are Copyright (C) 2001-2017 Openbravo SLU 
+ * All portions are Copyright (C) 2001-2019 Openbravo SLU 
  * All Rights Reserved. 
  * Contributor(s):  ______________________________________.
  ************************************************************************
@@ -27,6 +27,7 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.apache.commons.lang.StringEscapeUtils;
 import org.apache.commons.lang.StringUtils;
 import org.openbravo.base.filter.IsIDFilter;
 import org.openbravo.base.filter.IsPositiveIntFilter;
@@ -204,7 +205,7 @@
       }
       response.setContentType("text/html; charset=UTF-8");
       PrintWriter out = response.getWriter();
-      out.print(strOrgCurrencyId);
+      out.print(StringEscapeUtils.escapeHtml(strOrgCurrencyId));
       out.close();
     } else {
       pageErrorPopUp(response);
--- a/src/org/openbravo/erpCommon/ad_reports/ReportTrialBalance.java	Wed Apr 24 13:21:07 2019 +0200
+++ b/src/org/openbravo/erpCommon/ad_reports/ReportTrialBalance.java	Wed Apr 24 17:10:51 2019 -0400
@@ -11,7 +11,7 @@
  * under the License. 
  * The Original Code is Openbravo ERP. 
  * The Initial Developer of the Original Code is Openbravo SLU 
- * All portions are Copyright (C) 2001-2018 Openbravo SLU 
+ * All portions are Copyright (C) 2001-2019 Openbravo SLU 
  * All Rights Reserved.
  * Contributor(s):  ______________________________________.
  ************************************************************************
@@ -33,6 +33,7 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.apache.commons.lang.StringEscapeUtils;
 import org.apache.commons.lang.StringUtils;
 import org.codehaus.jettison.json.JSONArray;
 import org.codehaus.jettison.json.JSONException;
@@ -229,7 +230,7 @@
       String strcAcctSchemaId = OBLedgerUtils.getOrgLedger(strOrg);
       response.setContentType("text/html; charset=UTF-8");
       PrintWriter out = response.getWriter();
-      out.print(strcAcctSchemaId);
+      out.print(StringEscapeUtils.escapeHtml(strcAcctSchemaId));
       out.close();
     } else {
       pageError(response);
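Review bot: commons-lang 2's `escapeHtml(null)` returns null, and `PrintWriter.print(String)` then writes the literal text `null`, so a lookup in `getOrgLedger` that yields no ledger is still reported to the client as the string "null" after this change. That is pre-existing behaviour, but if the client does not expect it a guard such as `out.print(StringEscapeUtils.escapeHtml(StringUtils.defaultString(strcAcctSchemaId)));` (StringUtils is already imported at line 212) would send an empty body instead — whether callers rely on the literal is not visible here. The enclosing branch begins above the hunk.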