Patched: "/tmp/tmpy_92zrla/WebContent/header.jspf"

patched-codes · Mar 15, 2024 · 0f43bb7 · 0f43bb7
1 parent 6c45d00
commit 0f43bb7
Showing 1 changed file with 11 additions and 9 deletions.
diff --git a/WebContent/header.jspf b/WebContent/header.jspf
@@ -1,4 +1,5 @@
 <%@page import="com.ibm.security.appscan.altoromutual.util.ServletUtil"%>
+<%@page import="org.apache.commons.text.StringEscapeUtils"%>
 <%
 /**
  This application is for demonstration use only. It contains known application security
@@ -29,35 +30,36 @@ IBM AltoroJ
 <head>
 	<title>Altoro Mutual</title>
   <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
-  <link href="<%=request.getContextPath()%>/style.css" rel="stylesheet" type="text/css" />
+  <link href="<%=StringEscapeUtils.escapeHtml4(request.getContextPath())%>/style.css" rel="stylesheet" type="text/css" />
 </head>
 <body style="margin-top:5px;">
 
 <div id="header" style="margin-bottom:5px; width: 99%;">
-  <form id="frmSearch" method="get" action="<%=request.getContextPath()%>/search.jsp">
+  <form id="frmSearch" method="get" action="<%=StringEscapeUtils.escapeHtml4(request.getContextPath())%>/search.jsp">
 	  <table width="100%" border="0" cellpadding="0" cellspacing="0">
 		  <tr>
-		      <td rowspan="2"><a id="HyperLink1" href="<%=request.getContextPath()%>/index.jsp"><img src="<%=request.getContextPath()%>/images/logo.gif" width=283 height=80/></a></td>
+		      <td rowspan="2"><a id="HyperLink1" href="<%=StringEscapeUtils.escapeHtml4(request.getContextPath())%>/index.jsp"><img src="<%=StringEscapeUtils.escapeHtml4(request.getContextPath())%>/images/logo.gif" width=283 height=80/></a></td>
 			  <td align="right" valign="top">
-  			  <a id="LoginLink" href="<%=(!loggedIn)?request.getContextPath()+"/login.jsp":request.getContextPath()+"/logout.jsp"%>"><font style="font-weight: bold; color: red;"><%=(!loggedIn)?"Sign In":"Sign Off"%></font></a> | <a id="HyperLink3" href="<%=request.getContextPath()%>/index.jsp?content=inside_contact.htm">Contact Us</a> | <a id="HyperLink4" href="<%=request.getContextPath()%>/feedback.jsp">Feedback</a> | <label for="txtSearch">Search</label>
+  			  <a id="LoginLink" href="<%=StringEscapeUtils.escapeHtml4((!loggedIn)?request.getContextPath()+"/login.jsp":request.getContextPath()+"/logout.jsp")%>"><font style="font-weight: bold; color: red;"><%=(!loggedIn)?"Sign In":"Sign Off"%></font></a> | <a id="HyperLink3" href="<%=StringEscapeUtils.escapeHtml4(request.getContextPath())%>/index.jsp?content=inside_contact.htm">Contact Us</a> | <a id="HyperLink4" href="<%=StringEscapeUtils.escapeHtml4(request.getContextPath())%>/feedback.jsp">Feedback</a> | <label for="txtSearch">Search</label>
           <input type="text" name="query" id="query" accesskey="S" />
           <input type="submit" value="Go" />
 			  </td>
 		  </tr>
 		  <tr>
-			  <td align="right" style="background-image:url('<%=request.getContextPath()%>/images/gradient.jpg');padding:0px;margin:0px;"><img src="<%=request.getContextPath()%>/images/header_pic.jpg" alt="" width=354 height=60/></td>
+			  <td align="right" style="background-image:url('<%=StringEscapeUtils.escapeHtml4(request.getContextPath())%>/images/gradient.jpg');padding:0px;margin:0px;"><img src="<%=StringEscapeUtils.escapeHtml4(request.getContextPath())%>/images/header_pic.jpg" alt="" width=354 height=60/></td>
 		  </tr>
 	  </table>
 	</form>
 </div>
 
 <table cellspacing="0" width="100%">
   <tr>
-    <td width="25%" class="bt br bb"><div id="Header1"><img id="Image1" src="<%=request.getContextPath()%>/images/pf_lock.gif" width=12 height=14 style="vertical-align: bottom;" alt="Secure Login"/> &nbsp; <a id="AccountLink" href="<%=(loggedIn)?request.getContextPath()+"/bank/main.jsp":request.getContextPath()+"/login.jsp"%>" class="focus" ><%=(loggedIn)?"MY ACCOUNT":"ONLINE BANKING LOGIN"%></a></div></td>
-    <td width="25%" class="cc bt br bb"><div id="Header2"><a id="LinkHeader2" class="focus" href="<%=request.getContextPath()%>/index.jsp?content=personal.htm" >PERSONAL</a></div></td>
-    <td width="25%" class="cc bt br bb"><div id="Header3"><a id="LinkHeader3" class="focus" href="<%=request.getContextPath()%>/index.jsp?content=business.htm" >SMALL BUSINESS</a></div></td>
-    <td width="25%" class="cc bt bb"><div id="Header4"><a id="LinkHeader4" class="focus" href="<%=request.getContextPath()%>/index.jsp?content=inside.htm">INSIDE ALTORO MUTUAL</a></div></td>
+    <td width="25%" class="bt br bb"><div id="Header1"><img id="Image1" src="<%=StringEscapeUtils.escapeHtml4(request.getContextPath())%>/images/pf_lock.gif" width=12 height=14 style="vertical-align: bottom;" alt="Secure Login"/> &nbsp; <a id="AccountLink" href="<%=StringEscapeUtils.escapeHtml4((loggedIn)?request.getContextPath()+"/bank/main.jsp":request.getContextPath()+"/login.jsp")%>" class="focus" ><%=(loggedIn)?"MY ACCOUNT":"ONLINE BANKING LOGIN"%></a></div></td>
+    <td width="25%" class="cc bt br bb"><div id="Header2"><a id="LinkHeader2" class="focus" href="<%=StringEscapeUtils.escapeHtml4(request.getContextPath())%>/index.jsp?content=personal.htm" >PERSONAL</a></div></td>
+    <td width="25%" class="cc bt br bb"><div id="Header3"><a id="LinkHeader3" class="focus" href="<%=StringEscapeUtils.escapeHtml4(request.getContextPath())%>/index.jsp?content=business.htm" >SMALL BUSINESS</a></div></td>
+    <td width="25%" class="cc bt bb"><div id="Header4"><a id="LinkHeader4" class="focus" href="<%=StringEscapeUtils.escapeHtml4(request.getContextPath())%>/index.jsp?content=inside.htm">INSIDE ALTORO MUTUAL</a></div></td>
   </tr>
   <tr>
 
   <!-- END HEADER -->
+