Skip to content

Commit c6e8b8c

Browse files
vladakvladak
committed
sanitize pagination query in history view
1 parent 1d5764a commit c6e8b8c

File tree

2 files changed

+14
-1
lines changed

2 files changed

+14
-1
lines changed

opengrok-indexer/src/main/java/org/opengrok/indexer/web/Laundromat.java

Lines changed: 12 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -19,6 +19,7 @@
1919

2020
/*
2121
* Copyright (c) 2020, Chris Fraire <[email protected]>.
22+
* Copyright (c) 2025, Oracle and/or its affiliates. All rights reserved.
2223
*/
2324
package org.opengrok.indexer.web;
2425

@@ -72,6 +73,17 @@ public static String launderRevision(String value) {
7273
return replaceAll(value, "[^a-zA-Z0-9:]", "");
7374
}
7475

76+
/**
77+
* Sanitize {@code value} where it will be used in subsequent OpenGrok
78+
* (non-logging) processing. The value is assumed to represent a pagination query string,
79+
* e.g. {@code n=25&start=25}
80+
* @return {@code null} if null or else {@code value} with anything besides
81+
* alphanumeric or {@code &}, {@code =} characters removed.
82+
*/
83+
public static String launderPaginationQueryString(String value) {
84+
return replaceAll(value, "[^a-zA-Z0-9=&]", "");
85+
}
86+
7587
/**
7688
* Sanitize {@code value} where it will be used in subsequent OpenGrok
7789
* (non-logging) processing. The value is assumed to represent URI path,

opengrok-web/src/main/webapp/history.jsp

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -48,6 +48,7 @@ org.opengrok.indexer.web.Util"
4848
<%@ page import="jakarta.servlet.http.HttpServletResponse" %>
4949
<%@ page import="org.opengrok.indexer.web.SortOrder" %>
5050
<%@ page import="java.util.Optional" %>
51+
<%@ page import="org.opengrok.indexer.web.Laundromat" %>
5152
<%/* ---------------------- history.jsp start --------------------- */
5253
{
5354
final Logger LOGGER = LoggerFactory.getLogger(getClass());
@@ -291,7 +292,7 @@ document.domReady.push(function() {domReadyHistory();});
291292
if (entry.isActive()) {
292293
StringBuffer urlBuffer = new StringBuffer(context + Prefix.HIST_L + uriEncodedName);
293294
if (request.getQueryString() != null) {
294-
urlBuffer.append('?').append(request.getQueryString());
295+
urlBuffer.append('?').append(Laundromat.launderPaginationQueryString(request.getQueryString()));
295296
}
296297
urlBuffer.append('#').append(Util.uriEncode(rev));
297298
%>

0 commit comments

Comments
 (0)