Uwe,

On 12/20/11 9:07 AM, uwe.hellm...@t-systems.com wrote:
> It is a webformular.
>
> The java code should this fragment.
>
> final String username = req.getParameter("username");
> String uParam = "";
> if (StringUtils.isBlank(username) == false) {
>     uParam = "&u=".concat(username);
> }
> logonFilter.setLoginFailedUrl("/action?login_error=1".concat(uParam));

Ignoring the unnecessary concatenation when no parameter will be added, and the unnecessary comparison against "false", this looks fairly straightforward.

Note that you have an XSS vulnerability in the above code.

I notice that the "final String username" has different indentation. Does that come from another part of the code?

I also notice that your URL from your original message is "/login.action" but this URL above is simply "/action". Is that due to inconsistent obfuscation of your code, or is this incorrect?

If you are using Struts 2 (judging from the ".action" you are), where does the object that runs the above code go into the value stack?

-chris
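The XSS point Chris raises comes from concatenating the raw "username" request parameter into the login-failed URL. The following is an added example, not code from Uwe's application or from this thread: it places the quoted fragment's raw concatenation next to a hardened variant that percent-encodes the value with java.net.URLEncoder, so the parameter cannot inject extra query keys or markup into the URL. The class and method names are hypothetical, and the commons-lang StringUtils.isBlank check is replaced by an equivalent null/trim test so the example compiles stand-alone.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;

// Hypothetical helper (added example, not the project's code) that builds the
// login-failed URL the way the quoted fragment does, then the safe way.
public final class LoginFailedUrl {

    private static final String BASE = "/action?login_error=1";

    // Mirrors the quoted fragment: the request parameter is appended verbatim,
    // so characters such as '&', '<', '>' or quotes end up in the URL untouched.
    static String unsafeUrl(String username) {
        String uParam = "";
        if (username != null && !username.trim().isEmpty()) {   // stands in for StringUtils.isBlank
            uParam = "&u=".concat(username);
        }
        return BASE.concat(uParam);
    }

    // Hardened variant: the value is encoded as application/x-www-form-urlencoded,
    // so it is carried as data inside the single "u" parameter and nothing else.
    static String safeUrl(String username) {
        if (username == null || username.trim().isEmpty()) {
            return BASE;
        }
        try {
            return BASE + "&u=" + URLEncoder.encode(username, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException("UTF-8 is always available in a JVM", e);
        }
    }

    public static void main(String[] args) {
        // Constructed sample value containing characters that are significant in a URL and in HTML.
        String sample = "o'neil <b>&u=x";
        System.out.println("unsafe: " + unsafeUrl(sample));
        System.out.println("safe:   " + safeUrl(sample));
    }
}
```

Whatever later renders the "u" parameter into an HTML page still has to HTML-escape it on output; URL-encoding only keeps the value intact inside the redirect URL.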