Fix XSS issue in Manager and Host Manager. This is CVE-2007-2450.

git-svn-id: https://svn.apache.org/repos/asf/tomcat/tc6.0.x/trunk@547077 13f79535-47bb-0310-9956-ffa450edef68

Author: markt-asf

java/org/apache/catalina/manager/HTMLManagerServlet.java

@@ -130,8 +130,7 @@ public void doGet(HttpServletRequest request,
             message = stop(path);
         } else {
             message =
-                sm.getString("managerServlet.unknownCommand",
-                             RequestUtil.filter(command));
+                sm.getString("managerServlet.unknownCommand", command);
         }
 
         list(request, response, message);
@@ -305,7 +304,11 @@ public void list(HttpServletRequest request,
         // Message Section
         args = new Object[3];
         args[0] = sm.getString("htmlManagerServlet.messageLabel");
-        args[1] = (message == null || message.length() == 0) ? "OK" : message;
+        if (message == null || message.length() == 0) {
+            args[1] = "OK";
+        } else {
+            args[1] = RequestUtil.filter(message);
+        }
         writer.print(MessageFormat.format(Constants.MESSAGE_SECTION, args));
 
         // Manager Section

java/org/apache/catalina/manager/host/HTMLHostManagerServlet.java

@@ -32,6 +32,7 @@
 
 import org.apache.catalina.Container;
 import org.apache.catalina.Host;
+import org.apache.catalina.util.RequestUtil;
 import org.apache.catalina.util.ServerInfo;
 
 /**
@@ -195,7 +196,11 @@ public void list(HttpServletRequest request,
         // Message Section
         args = new Object[3];
         args[0] = sm.getString("htmlHostManagerServlet.messageLabel");
-        args[1] = (message == null || message.length() == 0) ? "OK" : message;
+        if (message == null || message.length() == 0) {
+            args[1] = "OK";
+        } else {
+            args[1] = RequestUtil.filter(message);
+        }
         writer.print(MessageFormat.format(Constants.MESSAGE_SECTION, args));
 
         // Manager Section