#58990 #1. SQL インジェクションの影響を受ける可能性がある

#58991 #2. XSS（反射型）の影響を受ける可能性がある

src/main/java/jp/agentec/sinaburocast/service/MemberService.java

@@ -9,6 +9,7 @@ import javax.mail.MessagingException;
 import org.apache.commons.collections.CollectionUtils;
 import org.apache.commons.lang.RandomStringUtils;
 import org.seasar.extension.jdbc.AutoSelect;
+import org.seasar.extension.jdbc.where.ComplexWhere;
 import org.seasar.extension.jdbc.where.SimpleWhere;
 import org.seasar.framework.beans.util.BeanMap;
 import org.seasar.framework.beans.util.Beans;
@@ -93,10 +94,15 @@ public class MemberService extends AbstractService<Member> {
 	 */
 	public List<Member> findByEmail(String email) {
 		//入力されたemailでsub_pc_email,main_pc_emailともに検索する。
-		return jdbcManager.from(Member.class).where(" '"+email+"' in (sub_pc_email,main_pc_email) and del_flg = ? and valid_flg = ? "
-			,Integer.parseInt(SinaburoConstant.DelFlg.NOT_DEL)
-			,SinaburoConstant.ValidFlg.VALID
-			).getResultList();
+//		return jdbcManager.from(Member.class).where(" '"+email+"' in (sub_pc_email,main_pc_email) and del_flg = ? and valid_flg = ? "
+//			,Integer.parseInt(SinaburoConstant.DelFlg.NOT_DEL)
+//			,SinaburoConstant.ValidFlg.VALID
+//			).getResultList();
+		// 脆弱性対応
+		return select().where(new SimpleWhere().eq("delFlg", SinaburoConstant.DelFlg.NOT_DEL).eq("validFlg", SinaburoConstant.ValidFlg.VALID),
+							  new ComplexWhere().eq("mainPcEmail", email)
+												.or()
+												.eq("subPcEmail", email)).getResultList();
 	}
 
 

src/main/webapp/WEB-INF/view/admin/member/memberConfirm.html

@@ -111,10 +111,11 @@
 	<tr>
 		<td>生年月日</td>
 		<td>
-		#if($!memberEditForm.birthdayY+$!memberEditForm.birthdayM+$!memberEditForm.birthdayD.length() != 0)
-			$!memberEditForm.birthdayY年$!memberEditForm.birthdayM月$!memberEditForm.birthdayD日
-		#else 未選択
-		#end
+			#set($yyyymmdd = $!memberEditForm.birthdayY + $!memberEditForm.birthdayM + $!memberEditForm.birthdayD)
+			#if($yyyymmdd.length() != 0)
+				#he($!memberEditForm.birthdayY)年#he($!memberEditForm.birthdayM)月#he($!memberEditForm.birthdayD)日
+			#else 未選択
+			#end
 		</td>
 	</tr>
 	<tr>
@@ -123,12 +124,12 @@
 	</tr>
 	<tr>
 		<td>ポイント</td>
-		<td>$!escape.html($!memberEditForm.point)
+		<td>#he($!memberEditForm.point)
 		</td>
 	</tr>
 	<tr style="vertical-align:top">
 		<td style="vertical-align:top" >メモ</td>
-		<td>$!escape.html($!memberEditForm.memo)
+		<td>#he($!memberEditForm.memo)
 		</td>
 	</tr>
 
@@ -140,9 +141,9 @@
 </div>
 ##</div>
 #makeToken()
-<input type="hidden" name="loginIdBefore" value="$!memberEditForm.loginIdBefore">
-<input type="hidden" name="mainPcEmailBefore" value="$!memberEditForm.mainPcEmailBefore">
-<input type="hidden" name="subPcEmailBefore" value="$!memberEditForm.subPcEmailBefore">
+<input type="hidden" name="loginIdBefore" value='#he("$!{memberEditForm.loginIdBefore}")'>
+<input type="hidden" name="mainPcEmailBefore" value='#he("$!{memberEditForm.mainPcEmailBefore}")'>
+<input type="hidden" name="subPcEmailBefore" value='#he("$!{memberEditForm.subPcEmailBefore}")'>
 </form>
 </div>
 </div>

src/main/webapp/WEB-INF/view/admin/member/memberEdit.html

@@ -242,14 +242,14 @@
 	</tr>
 	<tr>
 		<td>ポイント<font class="listpoint">*</font></td>
-		<td><input name="point" type="text" / class="w250" value="$!escape.html($!memberEditForm.point)">
+		<td><input name="point" type="text" / class="w250" value='#he("$!{memberEditForm.point}")'>
 		<BR>$!tools.getMsg("point")
 		</td>
 	</tr>
 	<tr>
 		<td style="vertical-align:top" >メモ</td>
 		<td>
- 		<textarea name="memo" cols="35"  rows="5" class="w180 mgt5">$!memberEditForm.memo</textarea>
+ 		<textarea name="memo" cols="35"  rows="5" class="w180 mgt5">#he($!memberEditForm.memo)</textarea>
 		<BR>$!tools.getMsg("memo")
 		</td>
 	</tr>
@@ -267,11 +267,11 @@
 </div>
 ##</div>
 #makeToken()
-<input type="hidden" name="loginIdBefore" value="$!memberEditForm.loginIdBefore">
-<input type="hidden" name="mainPcEmailBefore" value="$!memberEditForm.mainPcEmailBefore">
-<input type="hidden" name="subPcEmailBefore" value="$!memberEditForm.subPcEmailBefore">
-<input type="hidden" name="memberId" value="$!memberEditForm.memberId">
-<input type="hidden" name="withDrawFlgBefore" value="$!memberEditForm.withDrawFlgBefore">
+<input type="hidden" name="loginIdBefore" value='#he("$!{memberEditForm.loginIdBefore}")'>
+<input type="hidden" name="mainPcEmailBefore" value='#he("$!{memberEditForm.mainPcEmailBefore}")'>
+<input type="hidden" name="subPcEmailBefore" value='#he("$!{memberEditForm.subPcEmailBefore}")'>
+<input type="hidden" name="memberId" value='#he("$!{memberEditForm.memberId}")'>
+<input type="hidden" name="withDrawFlgBefore" value='#he("$!{memberEditForm.withDrawFlgBefore}")'>
 </form>
 
 </div>

src/main/webapp/WEB-INF/view/admin/member/memberInput.html

@@ -220,14 +220,14 @@
 ##	</tr>
 	<tr>
 		<td>ポイント<font class="listpoint">*</font></td>
-		<td><input name="point" type="text" / class="w250" value="$!escape.html($!memberEditForm.point)">
+		<td><input name="point" type="text" / class="w250" value='#he("$!{memberEditForm.point}")'>
 		<BR>$!tools.getMsg("point")
 		</td>
 	</tr>
 	<tr>
 		<td style="vertical-align:top" >メモ</td>
 		<td>
-	 		<textarea name="memo" cols="35"  rows="5" class="w180 mgt5">$!memberEditForm.memo</textarea>
+	 		<textarea name="memo" cols="35"  rows="5" class="w180 mgt5">#he($!memberEditForm.memo)</textarea>
 			<BR>$!tools.getMsg("memo")
 		</td>
 	</tr>
@@ -242,10 +242,10 @@
 		<button class="button" onclick="send_check(); return false;">入力情報確認</button>
 </div>
 ##</div>
-<input type="hidden" name="loginIdBefore" value="$!memberEditForm.loginIdBefore">
-<input type="hidden" name="mainPcEmailBefore" value="$!memberEditForm.mainPcEmailBefore">
-<input type="hidden" name="subPcEmailBefore" value="$!memberEditForm.subPcEmailBefore">
-<input type="hidden" name="memberId" value="$!memberEditForm.memberId">
+<input type="hidden" name="loginIdBefore" value='#he("$!{memberEditForm.loginIdBefore}")'>
+<input type="hidden" name="mainPcEmailBefore" value='#he("$!{memberEditForm.mainPcEmailBefore}")'>
+<input type="hidden" name="subPcEmailBefore" value='#he("$!{memberEditForm.subPcEmailBefore}")'>
+<input type="hidden" name="memberId" value='#he("$!{memberEditForm.memberId}")'>
 </form>
 
 </div>

src/main/webapp/WEB-INF/view/admin/member/memberInputConfirm.html

@@ -106,8 +106,9 @@
 	<tr>
 		<td style="vertical-align:top">生年月日</td>
 		<td>
-			#if($!memberEditForm.birthdayY+$!memberEditForm.birthdayM+$!memberEditForm.birthdayD.length() != 0)
-				$!memberEditForm.birthdayY年$!memberEditForm.birthdayM月$!memberEditForm.birthdayD日
+			#set($yyyymmdd = $!memberEditForm.birthdayY + $!memberEditForm.birthdayM + $!memberEditForm.birthdayD)
+			#if($yyyymmdd.length() != 0)
+				#he($!memberEditForm.birthdayY)年#he($!memberEditForm.birthdayM)月#he($!memberEditForm.birthdayD)日
 			#else 未選択
 			#end
 		</td>
@@ -119,12 +120,12 @@
 ##	</tr>
 	<tr>
 		<td>ポイント</td>
-		<td>$!escape.html($!memberEditForm.point)
+		<td>#he($!memberEditForm.point)
 		</td>
 	</tr>
 	<tr>
 		<td style="vertical-align:top" >メモ</td>
-		<td>$!escape.html($!memberEditForm.memo)
+		<td>#he($!memberEditForm.memo)
 		</td>
 	</tr>
 
@@ -136,9 +137,9 @@
 </div>
 ##</div>
 #makeToken()
-<input type="hidden" name="loginIdBefore" value="$!memberEditForm.loginIdBefore">
-<input type="hidden" name="mainPcEmailBefore" value="$!memberEditForm.mainPcEmailBefore">
-<input type="hidden" name="subPcEmailBefore" value="$!memberEditForm.subPcEmailBefore">
+<input type="hidden" name="loginIdBefore" value='#he("$!{memberEditForm.loginIdBefore}")'>
+<input type="hidden" name="mainPcEmailBefore" value='#he("$!{memberEditForm.mainPcEmailBefore}")'>
+<input type="hidden" name="subPcEmailBefore" value='#he("$!{memberEditForm.subPcEmailBefore}")'>
 </form>
 </div>
 </div>

src/main/webapp/WEB-INF/view/admin/member/memberSearch.html

@@ -88,7 +88,7 @@ function formClear(form_obj){
 	<tr>
 		<td class="w100">電話</td>
 		<td><input name="telNo" type="text" class="w180 mgl10" value="$!escape.html($!memberSearchForm.telNo)">&nbsp;を含む</td>
-		<td  class="w100">性別$!memberSearchForm.genderCd</td>
+		<td  class="w100">性別#he($!memberSearchForm.genderCd)</td>
 		<td>
 			<select name="genderCd" id="genderCd"  class="w100 mgl10">
 				<option value=""></option>

src/main/webapp/WEB-INF/view/admin/setting/adminRegist.html

@@ -38,19 +38,19 @@
 #end
 <h3 class="table_title">管理者情報 </h3>
 <form method="POST" action="#q('/admin/setting/adminRegist/confirm/')" >
-<input type="hidden" name="clickedLoginId" id="clickedLoginId" value="$!clickedLoginId"/>
+<input type="hidden" name="clickedLoginId" id="clickedLoginId" value='#he("$!{clickedLoginId}")'/>
 #if($adminUserIndex)
 	#set($adminUser = $adminRegistForm.adminUserList.get($adminUserIndex))
 #end
-<input type="hidden" name="updateFlag" id="updateFlag" value="$!adminRegistForm.updateFlag"/>
-<input type="hidden" name="pageNo" id="pageNo" value="${pageNo}"/>
+<input type="hidden" name="updateFlag" id="updateFlag" value='#he("$!{adminRegistForm.updateFlag}")'/>
+<input type="hidden" name="pageNo" id="pageNo" value='#he("$!{pageNo}")'/>
 
 <table border="0" cellpadding="0" cellspacing="0" class="stripe2 mgb10 w840">
 		<tr>
 			<td class="w240  t_center">ログインID<font class="listpoint">*</font></td>
 			<td class="w600  t_left" colspan="2"><input name="loginId" type="text" class="w230" value="$!escape.html($!{adminRegistForm.loginId})"/><BR>$tools.getMsg("loginId") $tools.getMsg("repetLoginId")
-			<input name="adminUserId" type="hidden" value="$!{adminUserId}"/>
-			<input name="delFlg" type="hidden" value="$!{delFlg}"/>
+			<input name="adminUserId" type="hidden" value='#he("$!{adminUserId}")'/>
+			<input name="delFlg" type="hidden" value='#he("$!{delFlg}")'/>
 			</td>
 		</tr>
 		<tr>

src/main/webapp/WEB-INF/view/admin/setting/adminRegistConfirm.html

@@ -39,10 +39,10 @@
 <div id="right_contents">
 <h3 class="table_title">管理者#if($!adminRegistForm.updateFlag=="update")編集#else登録#end確認</h3>
 <form method="POST" action="#q('/admin/setting/adminRegist/regist/')" >
-<input type="hidden" name="loginIdFromList" id="loginIdFromList" value="$!loginIdFromList"/>
-<input type="hidden" name="clickedLoginId" id="clickedLoginId" value="$!clickedLoginId"/>
-<input type="hidden" name="updateFlag" id="updateFlag" value="$!adminRegistForm.updateFlag"/>
-<input type="hidden" name="pageNo" id="pageNo" value="${pageNo}"/>
+<input type="hidden" name="loginIdFromList" id="loginIdFromList" value='#he("$!{loginIdFromList}")'/>
+<input type="hidden" name="clickedLoginId" id="clickedLoginId" value='#he("$!{clickedLoginId}")'/>
+<input type="hidden" name="updateFlag" id="updateFlag" value='#he("$!{adminRegistForm.updateFlag}")'/>
+<input type="hidden" name="pageNo" id="pageNo" value='#he("$!{pageNo}")'/>
 
 
 <table border="0" cellpadding="0" cellspacing="0" class="stripe2 mgb30 w850">
@@ -65,12 +65,12 @@
 		</tr>
 		##<tr>
 			##<td class="w840  t_center" colspan="2">
-##			    <input type="hidden" name="adminUserId" value="$!{adminRegistForm.adminUserId}"/>
-##				<input type="hidden" name="loginId" value="$!{adminRegistForm.loginId}"/>
-##				<input type="hidden" name="password" value="$!{adminRegistForm.password}"/>
-##				<input type="hidden" name="adminUserName" value="$!{adminRegistForm.adminUserName}"/>
-##				<input type="hidden" name="email" value="$!{adminRegistForm.email}"/>
-				<input type="hidden" name="delFlg" value="$!{adminRegistForm.delFlg}"/>
+##			    <input type="hidden" name="adminUserId" value='#he("$!{adminUserId}")'/>
+##				<input type="hidden" name="loginId" value='#he("$!{adminRegistForm.loginId}")'/>
+##				<input type="hidden" name="password" value='#he("$!{adminRegistForm.password}")'/>
+##				<input type="hidden" name="adminUserName" value='#he("$!{adminRegistForm.adminUserName}")'/>
+##				<input type="hidden" name="email" value='#he("$!{adminRegistForm.email}")'/>
+				<input type="hidden" name="delFlg" value='#he("$!{adminRegistForm.delFlg}")'/>
 
 				##<input type="button" class="button" onclick="back();" value="戻る"/>&nbsp;&nbsp;<input type="submit" class="button"  value="登録"/>
 			##</td>