FELIX-6757 : Properly encode bundle information

cziegeler · cziegeler · commit 2d37b3ca3250 · 2025-03-09T11:14:47.000+01:00
diff --git a/webconsole/src/main/java/org/apache/felix/webconsole/internal/core/BundlesServlet.java b/webconsole/src/main/java/org/apache/felix/webconsole/internal/core/BundlesServlet.java
@@ -77,6 +77,7 @@
 import org.osgi.service.packageadmin.PackageAdmin;
 import org.osgi.util.tracker.ServiceTracker;
 import org.osgi.util.tracker.ServiceTrackerCustomizer;
+import org.owasp.encoder.Encode;
 
 import jakarta.servlet.ServletException;
 import jakarta.servlet.http.HttpServletRequest;
@@ -137,14 +138,14 @@ public class BundlesServlet extends AbstractOsgiManagerPlugin implements Invento
     private ServiceRegistration<BundleInfoProvider> bipCapabilitiesRequired;
 
     /**
-     * Default constructor 
+     * Default constructor
      * @throws IOException If template can't be read
      */
     public BundlesServlet() throws IOException {
         // load templates
         TEMPLATE_MAIN = readTemplateFile( "/templates/bundles.html" );
     }
-    
+
     @Override
     protected String getCategory() {
         return CATEGORY_OSGI;
@@ -170,24 +171,24 @@ public void activate( BundleContext bundleContext ) {
         super.activate( bundleContext );
 
         bundleInfoTracker = new ServiceTracker<>( bundleContext, BundleInfoProvider.class, new ServiceTrackerCustomizer<BundleInfoProvider,BundleInfoProvider>() {
-                
+
                 @Override
                 public BundleInfoProvider addingService(ServiceReference<BundleInfoProvider> reference) {
                     return bundleContext.getService(reference);
                 }
-    
+
                 @Override
                 public void modifiedService(ServiceReference<BundleInfoProvider> reference, BundleInfoProvider service) {
                     // nothing to do
                 }
-    
+
                 @Override
                 public void removedService(ServiceReference<BundleInfoProvider> reference, BundleInfoProvider service) {
                     try {
                         bundleContext.ungetService(reference);
                     } catch ( final IllegalStateException ise) {
                         // might happen on shutdown, ignore
-                    } 
+                    }
                 }
         });
         bundleInfoTracker.open();
@@ -762,7 +763,11 @@ private void keyVal(final List<Map<String, Object>> props, final String key, fin
         {
             final Map<String, Object> obj = new LinkedHashMap<String, Object>();
             obj.put("key", key);
-            obj.put("value", val);
+            if ( val instanceof String ) {
+                obj.put("value", Encode.forJavaScript((String)val));
+            } else {
+                obj.put("value", val);
+            }
             props.add(obj);
         }
     }
