From 95cb32d86dd9ad6aae8f8ab64328b00f2372f2af Mon Sep 17 00:00:00 2001
From: Mic <misvy@vmware.com>
Date: Sat, 19 Jan 2013 03:02:12 +0800
Subject: [PATCH] used tag c:out for EL to prevent HTML injection

---
 .../webapp/WEB-INF/jsp/owners/ownerDetails.jsp     | 14 +++++++-------
 src/main/webapp/WEB-INF/jsp/owners/ownersList.jsp  | 10 +++++-----
 .../WEB-INF/jsp/pets/createOrUpdateVisitForm.jsp   |  8 ++++----
 3 files changed, 16 insertions(+), 16 deletions(-)
diff --git a/src/main/webapp/WEB-INF/jsp/owners/ownerDetails.jsp b/src/main/webapp/WEB-INF/jsp/owners/ownerDetails.jsp
index 0f59f5dcb..00e40d50f 100644
--- a/src/main/webapp/WEB-INF/jsp/owners/ownerDetails.jsp
+++ b/src/main/webapp/WEB-INF/jsp/owners/ownerDetails.jsp
@@ -17,19 +17,19 @@
 	  <table class="table table-striped"  style="width:600px;">
 	    <tr>
 	      <th>Name</th>
-	      <td><b>${owner.firstName} ${owner.lastName}</b></td>
+	      <td><b><c:out value="${owner.firstName} ${owner.lastName}"/></b></td>
 	    </tr>
 	    <tr>
 	      <th>Address</th>
-	      <td>${owner.address}</td>
+	      <td><c:out value="${owner.address}"/></td>
 	    </tr>
 	    <tr>
 	      <th>City</th>
-	      <td>${owner.city}</td>
+	      <td><c:out value="${owner.city}"/></td>
 	    </tr>
 	    <tr>
 	      <th>Telephone </th>
-	      <td>${owner.telephone}</td>
+	      <td><c:out value="${owner.telephone}"/></td>
 	    </tr>
 	  </table>
 	  <table class="table-buttons">
@@ -57,11 +57,11 @@
 	        <td valign="top" style="width: 120px;">
 	            <dl class="dl-horizontal">
 			    	<dt>Name</dt>
-			    	<dd>${pet.name}</dd>
+			    	<dd><c:out value="${pet.name}"/></dd>
 			    	<dt>Birth Date</dt>
 			    	<dd><joda:format value="${pet.birthDate}" pattern="yyyy-MM-dd" /></dd>
 			    	<dt>Type</dt>
-			    	<dd>${pet.type.name}</dd>
+			    	<dd><c:out value="${pet.type.name}"/></dd>
 			    </dl>
 	        </td>
 	        <td valign="top">
@@ -75,7 +75,7 @@
 	            <c:forEach var="visit" items="${pet.visits}">
 	              <tr>
 	                <td><joda:format value="${visit.date}" pattern="yyyy-MM-dd"/></td>
-	                <td>${visit.description}</td>
+	                <td><c:out value="${visit.description}"/></td>
 	              </tr>
 	            </c:forEach>
 	          </table>
diff --git a/src/main/webapp/WEB-INF/jsp/owners/ownersList.jsp b/src/main/webapp/WEB-INF/jsp/owners/ownersList.jsp
index 99bf63c49..53145ecc3 100644
--- a/src/main/webapp/WEB-INF/jsp/owners/ownersList.jsp
+++ b/src/main/webapp/WEB-INF/jsp/owners/ownersList.jsp
@@ -29,14 +29,14 @@
 		          <spring:url value="owners/{ownerId}.html" var="ownerUrl">
 		              <spring:param name="ownerId" value="${owner.id}"/>
 		          </spring:url>
-		          <a href="${fn:escapeXml(ownerUrl)}">${owner.firstName} ${owner.lastName}</a>
+		          <a href="${fn:escapeXml(ownerUrl)}"><c:out value="${owner.firstName} ${owner.lastName}" /></a>
 		      </td>
-		      <td>${owner.address}</td>
-		      <td>${owner.city}</td>
-		      <td>${owner.telephone}</td>
+		      <td><c:out value="${owner.address}"/></td>
+		      <td><c:out value="${owner.city}"/></td>
+		      <td><c:out value="${owner.telephone}"/></td>
 		      <td>
 		        <c:forEach var="pet" items="${owner.pets}">
-		          ${pet.name} &nbsp;
+		          <c:out value="${pet.name}"/>
 		        </c:forEach>
 		      </td>
 		    </tr>
diff --git a/src/main/webapp/WEB-INF/jsp/pets/createOrUpdateVisitForm.jsp b/src/main/webapp/WEB-INF/jsp/pets/createOrUpdateVisitForm.jsp
index 11f5016db..c3f8b9cf4 100644
--- a/src/main/webapp/WEB-INF/jsp/pets/createOrUpdateVisitForm.jsp
+++ b/src/main/webapp/WEB-INF/jsp/pets/createOrUpdateVisitForm.jsp
@@ -25,10 +25,10 @@
 		      	</tr>
 		    </thead>
 		    <tr>
-		      <td>${visit.pet.name}</td>
+		      <td><c:out value="${visit.pet.name}" /></td>
 		      <td><joda:format value="${visit.pet.birthDate}" pattern="yyyy-MM-dd"/></td>
-		      <td>${visit.pet.type.name}</td>
-		      <td>${visit.pet.owner.firstName} ${visit.pet.owner.lastName}</td>
+		      <td><c:out value="${visit.pet.type.name}" /></td>
+		      <td><c:out value="${visit.pet.owner.firstName} ${visit.pet.owner.lastName}" /></td>
 		    </tr>
 		  </table>
 		
@@ -71,7 +71,7 @@
 		    <c:if test="${!visit['new']}">
 		      <tr>
 		        <td><joda:format value="${visit.date}" pattern="yyyy-MM-dd"/></td>
-		        <td>${visit.description}</td>
+		        <td><c:out value="${visit.description}" /></td>
 		      </tr>
 		    </c:if>
 		  </c:forEach>

Name	${owner.firstName} ${owner.lastName}
Address	${owner.address}
City	${owner.city}
Telephone	${owner.telephone}
Name - ${pet.name} + Birth Date Type - ${pet.type.name} +	@@ -75,7 +75,7 @@
	${visit.description}