
XML escaping and unescaping not properly handled

Open · cinlloc opened this issue 8 years ago · 1 comment

Problem discovered by attempting XSS injection on UploadAction:

  • [SERVER SIDE, UploadAction.java] When creating XML error message, XML entities are not escaped:
postResponse = "<" + TAG_ERROR + ">" + error + "</" + TAG_ERROR + ">";
  • [CLIENT SIDE, Uploader.java] When receiving the XML error message from the server, strange and incomplete unescaping is done:
serverRawResponse = serverRawResponse.replace(TAG_MSG_LT, "<").replace(TAG_MSG_GT, ">").replace("&lt;", "<").replaceAll("&gt;", ">").replaceAll("&nbsp;", " ");

Suggestions:

  • There should be a proper StringEscapeUtils.escapeXml in the first place.
  • serverRawResponse shouldn't be unescaped, because serverRawResponse will be parsed as XML.
  • Text extracted from the parsed serverRawResponse should be unescaped only if needed (i.e. if used in a javascript popup). For example, msg should be unescaped here (BaseUploadStatus.java):
  /* (non-Javadoc)
   * @see gwtupload.client.IUploadStatus#setError(java.lang.String)
   */
  public void setError(String msg) {
    setStatus(Status.ERROR);
    Window.alert(msg.replaceAll("\\\\n", "\\n"));
  }

cinlloc avatar May 09 '16 13:05 cinlloc
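The two halves of the report above (unescaped concatenation on the server, textual unescaping before parsing on the client) are easy to see side by side in a small model. The following is an added example, not gwtupload's own code: it is written in Python rather than Java so the behaviour can be checked standalone, and it assumes TAG_ERROR is the string "error". The TAG_MSG_LT/TAG_MSG_GT constants from Uploader.java are project constants whose values the issue does not show, so only the &lt;/&gt;/&nbsp; replacements are modelled.

```python
# Added example (not gwtupload's own code): escape-before-embed on the server and
# parse-then-use on the client, with the reported pattern beside the fixed one.
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

TAG_ERROR = "error"  # assumed value of gwtupload's TAG_ERROR constant


def build_response_unescaped(error: str) -> str:
    """Server side as reported in the issue: raw concatenation, the error text
    is never escaped, so attacker-controlled text becomes part of the markup."""
    return "<" + TAG_ERROR + ">" + error + "</" + TAG_ERROR + ">"


def build_response_escaped(error: str) -> str:
    """Server side fixed: '&', '<' and '>' are escaped before the text is embedded
    (the Python counterpart of StringEscapeUtils.escapeXml for element content)."""
    return "<" + TAG_ERROR + ">" + escape(error) + "</" + TAG_ERROR + ">"


def parse_error(doc: str):
    """Parse a response as XML and return (text, child_tags).

    text is the character data of <error>, or None if the document is not
    well-formed; child_tags lists every element that ended up *inside* <error>,
    which is exactly what an injected payload produces when the text was not
    escaped (a legitimate error message has no child elements)."""
    try:
        root = ET.fromstring(doc)
    except ET.ParseError:
        return None, []
    if root.tag != TAG_ERROR:
        return None, []
    return root.text or "", [child.tag for child in root]


def client_extract_reported(raw: str):
    """Client side as reported: &lt; and &gt; are turned back into real brackets
    *before* parsing, so whatever the server escaped becomes markup again."""
    pre = raw.replace("&lt;", "<").replace("&gt;", ">").replace("&nbsp;", " ")
    return parse_error(pre)


def client_extract_fixed(raw: str):
    """Client side fixed: parse first. The XML parser already decodes entities
    into plain text, which can then be handed to Window.alert (or escaped again
    if it is ever inserted into HTML)."""
    return parse_error(raw)


# Constructed sample messages: one honest error and two attacker-controlled ones.
SAMPLES = {
    "plain": "Upload failed: quota & limits exceeded",
    "markup": "<script>alert(1)</script>",
    "breakout": 'x</error><error attr="y">',
}


def demo():
    for name, msg in SAMPLES.items():
        print(f"--- {name}: {msg!r}")
        for builder in (build_response_unescaped, build_response_escaped):
            raw = builder(msg)
            print(f"  {builder.__name__:26} -> {raw!r}")
            print(f"    client reported : {client_extract_reported(raw)}")
            print(f"    client fixed    : {client_extract_fixed(raw)}")


if __name__ == "__main__":
    demo()
```

Running demo() shows the three outcomes the issue describes: without server-side escaping a bare "&" makes the response unparseable and a "<script>" message becomes a real child element of <error>; with escaping the fixed client gets the message back as plain text; and the reported client undoes that escaping before parsing, so the "<script>" element reappears even though the server did everything right.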

Can be closed

csware avatar Feb 14 '21 16:02 csware