# HG changeset patch
# User tatsuki
# Date 1406726243 -32400
# Node ID ac7d1070f44947470f6f28fbe38f48b763d724ab
# Parent  066f58e93a14a8d6cc52005d72194adf82f00820
sanitizing

diff -r 066f58e93a14 -r ac7d1070f449 src/main/java/app/bbs/NetworkJungleBulletinBoard.java
--- a/src/main/java/app/bbs/NetworkJungleBulletinBoard.java	Wed Jul 30 17:57:18 2014 +0900
+++ b/src/main/java/app/bbs/NetworkJungleBulletinBoard.java	Wed Jul 30 22:17:23 2014 +0900
@@ -456,6 +456,7 @@
 						path = path.add(Integer.parseInt(_path.substring(count,	count + 1)));
 				}
 			} catch (Exception _e) {
+				System.out.println("屑");
 			}
 			
 			JungleTreeEditor editor = tree.getTreeEditor();
@@ -631,6 +632,18 @@
 		}
 
 	}
+	
+	public String sanitize( String str ) {
+	    if(str==null) {
+	        return str;
+	    }
+	    str = str.replaceAll("&" , "&" );
+	    str = str.replaceAll("<" , "&lt;"  );
+	    str = str.replaceAll(">" , "&gt;"  );
+	    str = str.replaceAll("\"", "&quot;");
+	    str = str.replaceAll("'" , "&#39;" );
+	    return str;
+	 }
 
 
 }
diff -r 066f58e93a14 -r ac7d1070f449 src/main/java/app/bbs/ShowMessageWithTimeStampServlet.java
--- a/src/main/java/app/bbs/ShowMessageWithTimeStampServlet.java	Wed Jul 30 17:57:18 2014 +0900
+++ b/src/main/java/app/bbs/ShowMessageWithTimeStampServlet.java	Wed Jul 30 22:17:23 2014 +0900
@@ -44,25 +44,24 @@
 
 	private void printBoard(String _bname, PrintWriter _pw) throws Exception {
 		_pw.write("<html><body>\n");
-		_pw.write("<h1>" + _bname + "</h1>\n");
+		_pw.write("<h1>" + bbs.sanitize(_bname) + "</h1>\n");
 		_pw.write("<p>Latest renew time : " + bbs.getRenewTime(_bname)
 				+ "</p>\n");
 		;
 
 		_pw.write("<form action='" + createBoardMessagePath + "' method='POST'\n");
-		_pw.write("<p>Author : <input type='text' name='author'/> <input type='hidden' name='bname' value='" + _bname + "'/> EditKey : <input type='text' name='key'/></p>\n");
+		_pw.write("<p>Author : <input type='text' name='author'/> <input type='hidden' name='bname' value='" +bbs.sanitize( _bname) + "'/> EditKey : <input type='textarea' name='key'/></p>\n");
 		_pw.write("<p>Message<br/> <input type='textarea' name='msg'/> </p>\n");
 		_pw.write("<p><input type='submit' value='submit'/></p>\n");
-		_pw.write("<small><a href=" + showMatrixPath + "?bname=" + _bname + "&uuid= >MatrixMode"+"</a></small><br>");
+		_pw.write("<small><a href=" + showMatrixPath + "?bname=" + bbs.sanitize(_bname) + "&uuid= >MatrixMode"+"</a></small><br>");
 		
 		for (BoardMessage msg : bbs.getMessages(_bname)) {//フォルダの表示
 			_pw.write("<hr/>");
-			_pw.write("<p> Author <b>" + msg.getAuthor() + "</b></p>");
-			_pw.write("<small><a href=" + editMessagePath + "?bname=" + _bname
-					+ "&uuid=" + msg.getUUID() + ">"+ msg.getMessage() +"</a></small><br>");
+			_pw.write("<p> Author <b>" + bbs.sanitize(msg.getAuthor()) + "</b></p>");
+			_pw.write("<small><a href=" + editMessagePath + "?bname=" + bbs.sanitize(_bname)
+					+ "&uuid=" + msg.getUUID() + ">"+ bbs.sanitize(msg.getMessage()) +"</a></small><br>");
 		}
 
-		//forコメントの表示
 		_pw.write("</body></html>");
 		_pw.flush();
 	}
diff -r 066f58e93a14 -r ac7d1070f449 src/main/java/app/bbs/thinks/EditAttributeServlet.java
--- a/src/main/java/app/bbs/thinks/EditAttributeServlet.java	Wed Jul 30 17:57:18 2014 +0900
+++ b/src/main/java/app/bbs/thinks/EditAttributeServlet.java	Wed Jul 30 22:17:23 2014 +0900
@@ -15,7 +15,7 @@
 {
 	private final NetworkBulletinBoard bbs;
 	private static final String PARAM_BOARD_NAME = "bname";
-	private static final String PARAM_NODE_PATH = "uuid";
+	private static final String PARAM_NODE_PATH = "path";
 	private static final String PARAM_BOARD_MESSAGE= "msg";
 	private static final String PARAM_BOARD_EDITKEY = "key";
 	private static final String PARAM_NODE_ID = "id";
@@ -29,7 +29,7 @@
 	public void doGet(HttpServletRequest _req,HttpServletResponse _res)
 	{
 		String bname = (_req.getParameter(PARAM_BOARD_NAME));
-		String path = (_req.getParameter(PARAM_NODE_ID));
+		String path = (_req.getParameter(PARAM_NODE_PATH));
 		String id = (_req.getParameter(PARAM_NODE_ID));
 		
 		
@@ -54,7 +54,7 @@
 	{
 		String boardName = (_req.getParameter(PARAM_BOARD_NAME));
 		String msg = (_req.getParameter(PARAM_BOARD_MESSAGE));
-		String path = (_req.getParameter(PARAM_NODE_ID));
+		String path = (_req.getParameter(PARAM_NODE_PATH));
 		String id = (_req.getParameter(PARAM_NODE_ID));
 		
 		try{
diff -r 066f58e93a14 -r ac7d1070f449 src/main/java/app/bbs/thinks/ShowMatrix.java
--- a/src/main/java/app/bbs/thinks/ShowMatrix.java	Wed Jul 30 17:57:18 2014 +0900
+++ b/src/main/java/app/bbs/thinks/ShowMatrix.java	Wed Jul 30 22:17:23 2014 +0900
@@ -63,11 +63,11 @@
 		if (nodeName == null)
 			nodeName = "rootNode";
 
-		_pw.write("<h1>" + nodeName + " Path = " + path + "</h1>\n");
+		_pw.write("<h1>" + bbs.sanitize(nodeName) + " Path = " + path + "</h1>\n");
 
 		_pw.write("<form action='" + createBoardMessagePath
 				+ "' method='POST'>\n");
-		_pw.write("<p><input type='hidden' name='bname' value='" + _bname
+		_pw.write("<p><input type='hidden' name='bname' value='" + bbs.sanitize(_bname)
 				+ "'/> </p>\n");
 		_pw.write("<p>Folder Name<br/> <input type='textarea' name='name'/> </p>\n");
 		_pw.write("<input type='hidden' name='path' value='" + path + "'/>");
@@ -76,7 +76,7 @@
 
 		_pw.write("<p><br>add Attribute</p>");
 		_pw.write("<form action='" + createAttributePath + "' method='POST'\n");
-		_pw.write("<p><input type='hidden' name='bname' value='" + _bname
+		_pw.write("<p><input type='hidden' name='bname' value='" + bbs.sanitize(_bname)
 				+ "'</p>\n");
 		_pw.write("<p>attributeName<br/> <input type='textarea' name='msg'/> </p>\n");
 		_pw.write("<input type='hidden' name='path' value='" + path + "'/>");
@@ -86,16 +86,16 @@
 		_pw.write("<p>Folder</p>");
 
 		for (BoardMessage msg : bbs.getFolder(_bname, path)) {
-			_pw.write("<small><a href=" + showMatrixPath + "?bname=" + _bname
+			_pw.write("<small><a href=" + showMatrixPath + "?bname=" + bbs.sanitize(_bname)
 					+ "&uuid=" + path + "/" + msg.getUUID() + "&nodeName="
-					+ msg.getMessage() + ">" + msg.getMessage()
+					+ bbs.sanitize(msg.getMessage()) + ">" + bbs.sanitize(msg.getMessage())
 					+ "</a></small>");
 			_pw.write("   ");
-			_pw.write("<small><a href='" + editNodePath + "?bname=" + _bname
+			_pw.write("<small><a href='" + editNodePath + "?bname=" + bbs.sanitize(_bname)
 					+ "&path=" + path + "/" + msg.getUUID()
 					+ "'>edit</a></small>");
 			_pw.write("   ");
-			_pw.write("<small><a href='" + deleteNodePath + "?bname=" + _bname
+			_pw.write("<small><a href='" + deleteNodePath + "?bname=" + bbs.sanitize(_bname)
 					+ "&path=" + path + "&id=" + msg.getUUID()
 					+ "'>delete</a><br><br></small>");
 		}
@@ -104,10 +104,10 @@
 		getAttributeImp attribute = (bbs.getAttribute(_bname, path));
 		for (int count = 0; attribute.getMessage(count) != null; count++) {
 			_pw.write("<p><b>" + count + " :  </b>");
-			_pw.write("<a href='" + editAttributePath + "?bname=" + _bname
+			_pw.write("<a href='" + editAttributePath + "?bname=" + bbs.sanitize(_bname)
 					+ "&path=" + path + "&id=" + count + "'>"
-					+ attribute.getMessage(count) + "</a>");
-			_pw.write("<a href='" + deleteAttributePath + "?bname=" + _bname
+					+ bbs.sanitize(attribute.getMessage(count)) + "</a>");
+			_pw.write("<a href='" + deleteAttributePath + "?bname=" + bbs.sanitize(_bname)
 					+ "&path=" + path + "&id=" + count + "'>" + "   delete"
 					+ "</a></p>");
 		}
diff -r 066f58e93a14 -r ac7d1070f449 src/main/java/app/bbs/thinks/deleteAttributeServlet.java
--- a/src/main/java/app/bbs/thinks/deleteAttributeServlet.java	Wed Jul 30 17:57:18 2014 +0900
+++ b/src/main/java/app/bbs/thinks/deleteAttributeServlet.java	Wed Jul 30 22:17:23 2014 +0900
@@ -15,7 +15,7 @@
 {
 	private final NetworkBulletinBoard bbs;
 	private static final String PARAM_BOARD_NAME = "bname";
-	private static final String PARAM_NODE_PATH = "uuid";
+	private static final String PARAM_NODE_PATH = "path";
 	private static final String PARAM_BOARD_MESSAGE= "msg";
 	private static final String PARAM_BOARD_EDITKEY = "key";
 	private static final String PARAM_NODE_ID = "id";
@@ -29,7 +29,7 @@
 	public void doGet(HttpServletRequest _req,HttpServletResponse _res)
 	{
 		String bname = (_req.getParameter(PARAM_BOARD_NAME));
-		String path = (_req.getParameter(PARAM_NODE_ID));
+		String path = (_req.getParameter(PARAM_NODE_PATH));
 		String id = (_req.getParameter(PARAM_NODE_ID));
 		
 		
@@ -52,7 +52,7 @@
 	public void doPost(HttpServletRequest _req,HttpServletResponse _res)
 	{
 		String boardName = (_req.getParameter(PARAM_BOARD_NAME));
-		String path = (_req.getParameter(PARAM_NODE_ID));
+		String path = (_req.getParameter(PARAM_NODE_PATH));
 		String id = (_req.getParameter(PARAM_NODE_ID));
 		
 		try{