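/**
 * Replaces the current parameter map and drops the cached unqualified-to-qualified name lookup.
 *
 * <p>Parameter names come from the request and are treated as untrusted. If any key contains a
 * character that {@link UrlUtil#isNeedsSanitization(String)} flags, every key is passed through
 * {@link UrlUtil#sanitizeUrlPart(String)} so that a name echoed back into a response cannot
 * carry markup. Values are stored as-is; only the keys are rewritten.
 *
 * <p>Two distinct raw keys can sanitize to the same string (for example one containing a raw
 * {@code <} and another its encoded form). The default {@code Collectors.toMap} would throw an
 * {@code IllegalStateException} on such a collision, turning a crafted request into a server
 * error, so colliding keys are merged by concatenating their value arrays instead.
 *
 * @param theParams the raw request parameters; must not be {@code null}
 */
public void setParameters(Map<String, String[]> theParams) {
	myParameters = theParams;
	myUnqualifiedToQualifiedNames = null;

	// Scan first so the common, clean case does not copy the map at all.
	boolean needsSanitization = false;
	for (String nextKey : theParams.keySet()) {
		if (UrlUtil.isNeedsSanitization(nextKey)) {
			needsSanitization = true;
			break;
		}
	}
	if (!needsSanitization) {
		return;
	}

	myParameters = theParams.entrySet().stream()
			.collect(Collectors.toMap(
					entry -> UrlUtil.sanitizeUrlPart(entry.getKey()),
					Map.Entry::getValue,
					// Keys that collide after encoding keep every value rather than failing.
					(first, second) -> {
						String[] merged = java.util.Arrays.copyOf(first, first.length + second.length);
						System.arraycopy(second, 0, merged, first.length, second.length);
						return merged;
					},
					// Keep the caller's iteration order stable across the rewrite.
					java.util.LinkedHashMap::new));
}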
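/**
 * HTML-encodes the characters {@code "} and {@code <} in the given string so that it can be
 * placed in an HTML context (for example a parameter name echoed back into a response) without
 * opening a tag or breaking out of a double-quoted attribute value.
 *
 * <p>Only those two characters are encoded: {@code "} becomes {@code &quot;} and {@code <}
 * becomes {@code &lt;}. Everything else, including {@code &}, {@code >} and {@code '}, passes
 * through unchanged. This is a narrow, targeted defence rather than a general-purpose HTML
 * encoder; callers that emit the result into another context (JavaScript, a URL, a
 * single-quoted attribute) need context-appropriate encoding of their own. Because {@code &}
 * is left alone, input that already contains the text {@code &lt;} is indistinguishable from
 * the encoded form of {@code <} after this call.
 *
 * @param theString the text to encode, may be {@code null}
 * @return the encoded text, the same instance when nothing needed encoding, or {@code null}
 *         when the input was {@code null}
 */
public static String sanitizeUrlPart(String theString) {
	if (theString == null) {
		return null;
	}
	// Cheap scan first so the common case (nothing to encode) allocates nothing.
	if (!isNeedsSanitization(theString)) {
		return theString;
	}
	// Each encoded character grows by up to five bytes; a little headroom avoids most regrowth.
	StringBuilder buffer = new StringBuilder(theString.length() + 10);
	for (int j = 0; j < theString.length(); j++) {
		char nextChar = theString.charAt(j);
		switch (nextChar) {
			case '"':
				buffer.append("&quot;");
				break;
			case '<':
				// Emitting the entity, not the raw character, is the whole point of this method.
				buffer.append("&lt;");
				break;
			default:
				buffer.append(nextChar);
				break;
		}
	}
	return buffer.toString();
}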
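/**
 * Replaces the current parameter map and drops the cached unqualified-to-qualified name lookup.
 *
 * <p>Parameter names come from the request and are treated as untrusted. If any key contains a
 * character that {@link UrlUtil#isNeedsSanitization(String)} flags, every key is passed through
 * {@link UrlUtil#sanitizeUrlPart(String)} so that a name echoed back into a response cannot
 * carry markup. Values are stored as-is; only the keys are rewritten.
 *
 * <p>Two distinct raw keys can sanitize to the same string (for example one containing a raw
 * {@code <} and another its encoded form). The default {@code Collectors.toMap} would throw an
 * {@code IllegalStateException} on such a collision, turning a crafted request into a server
 * error, so colliding keys are merged by concatenating their value arrays instead.
 *
 * @param theParams the raw request parameters; must not be {@code null}
 */
public void setParameters(Map<String, String[]> theParams) {
	myParameters = theParams;
	myUnqualifiedToQualifiedNames = null;

	// Scan first so the common, clean case does not copy the map at all.
	boolean needsSanitization = false;
	for (String nextKey : theParams.keySet()) {
		if (UrlUtil.isNeedsSanitization(nextKey)) {
			needsSanitization = true;
			break;
		}
	}
	if (!needsSanitization) {
		return;
	}

	myParameters = theParams.entrySet().stream()
			.collect(Collectors.toMap(
					entry -> UrlUtil.sanitizeUrlPart(entry.getKey()),
					Map.Entry::getValue,
					// Keys that collide after encoding keep every value rather than failing.
					(first, second) -> {
						String[] merged = java.util.Arrays.copyOf(first, first.length + second.length);
						System.arraycopy(second, 0, merged, first.length, second.length);
						return merged;
					},
					// Keep the caller's iteration order stable across the rewrite.
					java.util.LinkedHashMap::new));
}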
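/**
 * HTML-encodes the characters {@code "} and {@code <} in the given string so that it can be
 * placed in an HTML context (for example a parameter name echoed back into a response) without
 * opening a tag or breaking out of a double-quoted attribute value.
 *
 * <p>Only those two characters are encoded: {@code "} becomes {@code &quot;} and {@code <}
 * becomes {@code &lt;}. Everything else, including {@code &}, {@code >} and {@code '}, passes
 * through unchanged. This is a narrow, targeted defence rather than a general-purpose HTML
 * encoder; callers that emit the result into another context (JavaScript, a URL, a
 * single-quoted attribute) need context-appropriate encoding of their own. Because {@code &}
 * is left alone, input that already contains the text {@code &lt;} is indistinguishable from
 * the encoded form of {@code <} after this call.
 *
 * @param theString the text to encode, may be {@code null}
 * @return the encoded text, the same instance when nothing needed encoding, or {@code null}
 *         when the input was {@code null}
 */
public static String sanitizeUrlPart(String theString) {
	if (theString == null) {
		return null;
	}
	// Cheap scan first so the common case (nothing to encode) allocates nothing.
	if (!isNeedsSanitization(theString)) {
		return theString;
	}
	// Each encoded character grows by up to five bytes; a little headroom avoids most regrowth.
	StringBuilder buffer = new StringBuilder(theString.length() + 10);
	for (int j = 0; j < theString.length(); j++) {
		char nextChar = theString.charAt(j);
		switch (nextChar) {
			case '"':
				buffer.append("&quot;");
				break;
			case '<':
				// Emitting the entity, not the raw character, is the whole point of this method.
				buffer.append("&lt;");
				break;
			default:
				buffer.append(nextChar);
				break;
		}
	}
	return buffer.toString();
}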