From c66b16c5001b2f2c128025e9e0097d67ed68a4a8 Mon Sep 17 00:00:00 2001
From: "mayhew64@gmail.com"
Date: Fri, 27 Apr 2012 14:14:24 +0000
Subject: [PATCH] Changed the field1.replaceAll to field1 = field1.replaceAll. The first case does not clean the taint

git-svn-id: http://webgoat.googlecode.com/svn/trunk/webgoat@474 4033779f-a91e-0410-96ef-6bf7bf53c507
---
 src/main/webapp/lessons/Ajax/eval.jsp | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/src/main/webapp/lessons/Ajax/eval.jsp b/src/main/webapp/lessons/Ajax/eval.jsp
index d0c083ab3..f288f7637 100644
--- a/src/main/webapp/lessons/Ajax/eval.jsp
+++ b/src/main/webapp/lessons/Ajax/eval.jsp
@@ -12,10 +12,11 @@ if(field1 == null) field1 = "123";
 if(field2 == null) field2 = "-1";
 /** For security reasons, we remove all '<' and '>' characters to prevent XSS **/
-field1.replaceAll("<", "");
-field1.replaceAll(">", "");
-field2.replaceAll("<", "");
-field2.replaceAll(">", "");
+// Thank you Victor Bucutea for noticing replaceAll only cleans taint to the return value.
+field1 = field1.replaceAll("<", "");
+field1 = field1.replaceAll(">", "");
+field2 = field2.replaceAll("<", "");
+field2 = field2.replaceAll(">", "");
 if("Purchase".equals(action)) {
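Review bot: Removing only `<` and `>` on the four new `replaceAll` lines is a denylist, and the context comment above them (`/** For security reasons, we remove all '<' and '>' characters to prevent XSS **/`) promises more than this achieves: a value that is later placed in a script or attribute context can still break out with quotes, parentheses or semicolons, which the file name (eval.jsp) hints at, although how field1/field2 are used is outside the hunk. Since both defaults (`"123"`, `"-1"`) are numeric, an allow-list check such as `if (!field1.matches("-?\\d+")) field1 = "123";` (and the same for field2) would be a stronger control than character stripping; if this lesson is meant to stay exploitable, state that in the comment, e.g. `// NOTE: deliberately weak filter for the lesson; stripping '<'/'>' does not protect JS or attribute contexts.` The four calls could also collapse to `field1 = field1.replaceAll("[<>]", "");` and `field2 = field2.replaceAll("[<>]", "");`. The enclosing JSP scriptlet starts and ends outside the hunk.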