From aaba76862af92fbf52e21e7597e60a5df779cc4c Mon Sep 17 00:00:00 2001
From: Stefan Weil
Date: Fri, 14 Oct 2016 07:13:02 +0200
Subject: [PATCH] WebInterface: Escape HTML code (XSS)

Coverity report:

CID 44688 (#1 of 1): Cross-site scripting (XSS)
CID 135806 (#1 of 1): Cross-site scripting (XSS)

Signed-off-by: Stefan Weil
---
 Goobi/src/org/goobi/production/cli/WebInterface.java | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/Goobi/src/org/goobi/production/cli/WebInterface.java b/Goobi/src/org/goobi/production/cli/WebInterface.java
index 5f52fc55658..2dbb40b5ffe 100644
--- a/Goobi/src/org/goobi/production/cli/WebInterface.java
+++ b/Goobi/src/org/goobi/production/cli/WebInterface.java
@@ -40,6 +40,7 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import org.apache.commons.lang.StringEscapeUtils;
 import org.apache.log4j.Logger;
 import org.goobi.production.enums.PluginType;
 import org.goobi.production.plugin.PluginLoader;
@@ -103,7 +104,9 @@ protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws Se
         List allowedCommands = WebInterfaceConfig.getCredentials(ip, password);
         if (!allowedCommands.contains(command)) {
             // error, no command found
-            generateAnswer(resp, 401, "command not allowed", "command " + command + " not allowed for your IP (" + ip + ")");
+            generateAnswer(resp, 401, "command not allowed",
+                    "command " + StringEscapeUtils.escapeHtml(command)
+                    + " not allowed for your IP (" + StringEscapeUtils.escapeHtml(ip) + ")");
             return;
         }
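Review bot: The escaping added in the second hunk covers only this one `generateAnswer` call in the disallowed-command branch, so any other `generateAnswer` call in `doGet` that reflects `command`, `ip` or another request-derived value (none are visible in the hunk, but a 401 branch is unlikely to be the only reflecting path) stays unescaped, and the next caller is likely to forget as well. If `generateAnswer` writes its third and fourth arguments into an HTML body, as the commit title and the Coverity XSS findings suggest, the encoding belongs inside that sink so every caller is covered, e.g. `out.print(StringEscapeUtils.escapeHtml(message));` once in `generateAnswer` instead of at each call site; leaving the call-site escaping in place then does no harm but is no longer load-bearing. Note also that commons-lang 2's `escapeHtml` encodes `"` but not `'`, so it is only adequate for element text, not for a single-quoted attribute or a script context; which of these applies depends on how `generateAnswer` renders the message, which is outside the hunk. `doGet` itself starts and ends outside the hunk, so where `ip` and `command` are read from the request (header vs. `getRemoteAddr()`) cannot be checked here.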