From 2f9046d6b4cfbfd0cef624ca301c321a1dc7825a Mon Sep 17 00:00:00 2001
From: jvoisin <julien.voisin@dustri.org>
Date: Thu, 28 Mar 2019 23:38:37 +0100
Subject: [PATCH] Fix a xss and clean up some js

- Fix a stupid self-XSS. I doubt that there are ways to
  use it against other users, but well, better safe than sorry
- Replace the javascript-on-focus hacks with the `autofocus` attribute
---
 .../src/main/webapp/WEB-INF/jsp/avatarUploadResult.jsp        | 4 ++--
 airsonic-main/src/main/webapp/WEB-INF/jsp/login.jsp           | 4 ++--
 airsonic-main/src/main/webapp/WEB-INF/jsp/recover.jsp         | 4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/airsonic-main/src/main/webapp/WEB-INF/jsp/avatarUploadResult.jsp b/airsonic-main/src/main/webapp/WEB-INF/jsp/avatarUploadResult.jsp
index a9c6466a..4b1973b5 100644
--- a/airsonic-main/src/main/webapp/WEB-INF/jsp/avatarUploadResult.jsp
+++ b/airsonic-main/src/main/webapp/WEB-INF/jsp/avatarUploadResult.jsp
@@ -14,7 +14,7 @@
 <c:choose>
     <c:when test="${empty model.error}">
         <p>
-            <fmt:message key="avataruploadresult.success"><fmt:param value="${model.avatar.name}"/></fmt:message>
+            <fmt:message key="avataruploadresult.success"><fmt:param value="${fn:escapeXml(model.avatar.name)}"/></fmt:message>
             <sub:url value="avatar.view" var="avatarUrl">
                 <sub:param name="username" value="${model.username}"/>
                 <sub:param name="forceCustom" value="true"/>
@@ -33,4 +33,4 @@
 <div class="back"><a href="personalSettings.view?"><fmt:message key="common.back"/></a></div>
 
 </body>
-</html>
\ No newline at end of file
+</html>
diff --git a/airsonic-main/src/main/webapp/WEB-INF/jsp/login.jsp b/airsonic-main/src/main/webapp/WEB-INF/jsp/login.jsp
index 08b4d80e..4d74aa49 100644
--- a/airsonic-main/src/main/webapp/WEB-INF/jsp/login.jsp
+++ b/airsonic-main/src/main/webapp/WEB-INF/jsp/login.jsp
@@ -10,7 +10,7 @@
     </script>
 
 </head>
-<body style="min-width:550px" class="mainframe bgcolor1" onload="document.getElementById('j_username').focus()">
+<body style="min-width:550px" class="mainframe bgcolor1">
 
     <form action="<c:url value="/login"/>" method="POST">
         <sec:csrfInput />
@@ -21,7 +21,7 @@
 
             <div class="loginmessagetop"><sub:wiki text="${model.loginMessage}"/></div>
 
-            <input type="text" id="j_username" name="j_username" tabindex="1" placeholder="<fmt:message key="login.username"/>">
+            <input type="text" autofocus id="j_username" name="j_username" tabindex="1" placeholder="<fmt:message key="login.username"/>">
 
             <input type="password" name="j_password" tabindex="2" placeholder="<fmt:message key="login.password"/>">
 
diff --git a/airsonic-main/src/main/webapp/WEB-INF/jsp/recover.jsp b/airsonic-main/src/main/webapp/WEB-INF/jsp/recover.jsp
index ff26a610..4e2d92df 100644
--- a/airsonic-main/src/main/webapp/WEB-INF/jsp/recover.jsp
+++ b/airsonic-main/src/main/webapp/WEB-INF/jsp/recover.jsp
@@ -5,7 +5,7 @@
 <head>
     <%@ include file="head.jsp" %>
 </head>
-<body class="mainframe bgcolor1" onload="document.getElementById('usernameOrEmail').focus()">
+<body class="mainframe bgcolor1">
 
 <form action="recover.view" method="POST">
     <sec:csrfInput />
@@ -17,7 +17,7 @@
             <p style="padding-top: 1em; padding-bottom: 0.5em"><fmt:message key="recover.text"/></p>
 
             <c:if test="${empty model.sentTo}">
-                <input type="text" id="usernameOrEmail" name="usernameOrEmail" style="width:18em;margin-right: 1em">
+                <input type="text" id="usernameOrEmail" autofocus name="usernameOrEmail" style="width:18em;margin-right: 1em">
                 <input name="submit" type="submit" value="<fmt:message key="recover.send"/>">
             </c:if>