Escape @@value@@ in validation messages to prevent potential xss

attacks.

Frameworks/Ajax/ERDivaLook/Resources/English.lproj/ValidationTemplate.strings

@@ -1,10 +1,10 @@
 {
-	"IllegalCharacterInNumberException" = "Please check the value @@value@@ you supplied for the field @@displayNameForProperty@@.";
-	"InvalidDateFormatException" = "Please check @@displayNameForProperty@@ as @@value@@ is not a valid date";
+	"IllegalCharacterInNumberException" = "Please check the value @@escapedValue@@ you supplied for the field @@displayNameForProperty@@.";
+	"InvalidDateFormatException" = "Please check @@displayNameForProperty@@ as @@escapedValue@@ is not a valid date";
 	"InvalidNumberException" = "The value is an invalid number.";
 	"MandatoryToManyRelationshipException" = "A @@displayNameForEntity@@ must have a least one @@displayNameForDestinationEntity@@.";
 	"MandatoryToOneRelationshipException" = "A @@displayNameForEntity@@ must have a @@displayNameForProperty@@.";
-	"NotANumberException" = "Sorry, I could not read this number @@value@@ ";
+	"NotANumberException" = "Sorry, I could not read this number @@escapedValue@@ ";
 	"NullPropertyException" = "Please provide a @@displayNameForProperty@@.";
 	"ObjectCannotBeDeletedException" = "Cannot delete this @@displayNameForEntity@@ because either this @@displayNameForEntity@@ or any object related to this @@displayNameForEntity@@ cannot be deleted.";
 	"ObjectRemovalException" = "Cannot delete this @@displayNameForEntity@@. You should first delete the item in its @@displayNameForProperty@@.";

Frameworks/Core/ERDirectToWeb/Resources/Dutch.lproj/ValidationTemplate.strings

@@ -1,10 +1,10 @@
 {
-	"IllegalCharacterInNumberException" = "De waarde <b>@@value@@</b> in <b>@@displayNameForProperty@@</b> is niet toegestaan.";
-	"InvalidDateFormatException" = "De waarde <b>@@value@@</b> in <b>@@displayNameForProperty@@</b> is geen geldige datum.";
+	"IllegalCharacterInNumberException" = "De waarde <b>@@escapedValue@@</b> in <b>@@displayNameForProperty@@</b> is niet toegestaan.";
+	"InvalidDateFormatException" = "De waarde <b>@@escapedValue@@</b> in <b>@@displayNameForProperty@@</b> is geen geldige datum.";
 	"InvalidNumberException" = "Deze waarde is geen getal.";
 	"MandatoryToManyRelationshipException" = "@@displayNameForProperty@@ moet ingevuld zijn.";
 	"MandatoryToOneRelationshipException" = "@@displayNameForProperty@@ moet ingevuld zijn.";
-	"NotANumberException" = "De waarde <b>@@value@@</b> is geen getal.";
+	"NotANumberException" = "De waarde <b>@@escapedValue@@</b> is geen getal.";
 	"NullPropertyException" = "Vul het veld <b>@@displayNameForProperty@@</b> in.";
 	"ObjectCannotBeDeletedException" = "Deze <b>@@displayNameForEntity@@</b> kan niet verwijderd worden, omdat u geen rechten hebt deze <b>@@displayNameForEntity@@</b> direct of een van de verwante objecten van <b>@@displayNameForEntity@@</b> te verwijderen.";
 	"ObjectRemovalException" = "<b>@@displayNameForEntity@@</b> kan niet verwijderd worden als <b>@@displayNameForProperty@@</b> nog bestaat.";

Frameworks/Core/ERDirectToWeb/Resources/English.lproj/ValidationTemplate.strings

@@ -1,10 +1,10 @@
 {
-	"IllegalCharacterInNumberException" = "Please check the value <b>@@value@@</b> you supplied for the field <b>@@displayNameForProperty@@</b>.";
-	"InvalidDateFormatException" = "Please check <b>@@displayNameForProperty@@</b> as <b>@@value@@</b> is not a valid date";
+	"IllegalCharacterInNumberException" = "Please check the value <b>@@escapedValue@@</b> you supplied for the field <b>@@displayNameForProperty@@</b>.";
+	"InvalidDateFormatException" = "Please check <b>@@displayNameForProperty@@</b> as <b>@@escapedValue@@</b> is not a valid date";
 	"InvalidNumberException" = "The value is an invalid number.";
 	"MandatoryToManyRelationshipException" = "A <b>@@displayNameForEntity@@</b> must have a least one <b>@@displayNameForDestinationEntity@@</b>.";
 	"MandatoryToOneRelationshipException" = "A <b>@@displayNameForEntity@@</b> must have a <b>@@displayNameForProperty@@</b>.";
-	"NotANumberException" = "Sorry, I could not read this number <b>@@value@@</b> ";
+	"NotANumberException" = "Sorry, I could not read this number <b>@@escapedValue@@</b> ";
 	"NullPropertyException" = "Please provide @@indefiniteArticleForProperty@@ <b>@@displayNameForProperty@@</b>.";
 	"ObjectCannotBeDeletedException" = "Cannot delete this <b>@@displayNameForEntity@@</b> because either this <b>@@displayNameForEntity@@</b> or any object related to this <b>@@displayNameForEntity@@</b> cannot be deleted.";
 	"ObjectRemovalException" = "Cannot delete this <b>@@displayNameForEntity@@</b>. You should first delete the item in its <b>@@displayNameForProperty@@</b>.";

Frameworks/Core/ERDirectToWeb/Resources/German.lproj/ValidationTemplate.strings

@@ -1,10 +1,10 @@
 {
-	"IllegalCharacterInNumberException" = "Bitte \U00fcberpr\U00fcfen Sie den Wert <b>@@value@@</b> in <b>@@displayNameForProperty@@</b>.";
-	"InvalidDateFormatException" = "Der Wert <b>@@value@@</b> in <b>@@displayNameForProperty@@</b> ist kein g\U00fcltiges Datum.";
+	"IllegalCharacterInNumberException" = "Bitte \U00fcberpr\U00fcfen Sie den Wert <b>@@escapedValue@@</b> in <b>@@displayNameForProperty@@</b>.";
+	"InvalidDateFormatException" = "Der Wert <b>@@escapedValue@@</b> in <b>@@displayNameForProperty@@</b> ist kein g\U00fcltiges Datum.";
 	"InvalidNumberException" = "Dieser Wert ist keine Zahl.";
 	"MandatoryToManyRelationshipException" = "@@displayNameForProperty@@ m\U00fcssen gesetzt sein.";
 	"MandatoryToOneRelationshipException" = "@@displayNameForProperty@@ muss gesetzt sein.";
-	"NotANumberException" = "Der Wert <b>@@value@@</b> ist keine Zahl.";
+	"NotANumberException" = "Der Wert <b>@@escapedValue@@</b> ist keine Zahl.";
 	"NullPropertyException" = "Bitte f\U00fcllen Sie das Feld <b>@@displayNameForProperty@@</b> aus.";
 	"ObjectCannotBeDeletedException" = "Diese <b>@@displayNameForEntity@@</b> kann nicht gel\U00f6scht werden, weil Sie keine Rechte haben, diese <b>@@displayNameForEntity@@</b> direkt oder eines der verkn\U00fcpften Objekte dieser <b>@@displayNameForEntity@@</b> zu l\U00f6schen.";
 	"ObjectRemovalException" = "<b>@@displayNameForEntity@@</b> kann nicht gel\U00f6scht werden l\U00f6schen, solange noch <b>@@displayNameForProperty@@</b> gesetzt sind.";

Frameworks/Core/ERExtensions/Resources/Dutch.lproj/ValidationTemplate.strings

@@ -1,7 +1,7 @@
 {
 	"EOObjectNotAvailableException" = "Dit gegeven is niet gevonden in de database. Het gegeven is  vermoedelijk verwijderd door iemand anders.";
 	"ExceedsMaximumLengthException" = "De waarde in <b>@@displayNameForProperty@@</b> is langer dan de maximale lengte van <b>@@attribute.width@@</b> tekens.";
-	"InvalidNumberException" = "Controleer <b>** KEY_MARKER **</b> aangezien @@value@@ een ongeldig getal is.";
+	"InvalidNumberException" = "Controleer <b>** KEY_MARKER **</b> aangezien @@escapedValue@@ een ongeldig getal is.";
 	"MandatoryToManyRelationshipException" = "<b>@@object.entityName@@</b> heeft een verplichte verbinding welke niet ingevuld is.";
 	"MandatoryToOneRelationshipException" = "Een <b>@@displayNameForEntity@@</b> moet een <b>@@displayNameForProperty@@</b> hebben.";
 	"NullPropertyException" = "Vul <b>** KEY_MARKER **</b> in.";

Frameworks/Core/ERExtensions/Resources/German.lproj/ValidationTemplate.strings

@@ -1,7 +1,7 @@
 {
 	"EOObjectNotAvailableException" = "This object was not found in the database. It was probably deleted by someone else.";
 	"ExceedsMaximumLengthException" = "The value entered for <b>@@displayNameForProperty@@</b> exceeds the length of <b>@@attribute.width@@</b>.";
-	"InvalidNumberException" = "Please check <b>@@displayNameForProperty@@</b> as @@value@@ is an invalid number.";
+	"InvalidNumberException" = "Please check <b>@@displayNameForProperty@@</b> as @@escapedValue@@ is an invalid number.";
 	"MandatoryToManyRelationshipException" = "The <b>@@object.entityName@@</b> must has a mandatory relationship which is not being satisfied.";
 	"MandatoryToOneRelationshipException" = "A <b>@@displayNameForEntity@@</b> must have a <b>@@displayNameForProperty@@</b>.";
 	"NullPropertyException" = "Please provide a <b>@@displayNameForProperty@@</b>.";

Frameworks/Core/ERExtensions/Sources/er/extensions/validation/ERXValidationException.java

@@ -8,6 +8,7 @@
 
 import org.apache.log4j.Logger;
 
+import com.webobjects.appserver.WOMessage;
 import com.webobjects.eoaccess.EOAttribute;
 import com.webobjects.eoaccess.EOEntity;
 import com.webobjects.eoaccess.EOUtilities;
@@ -272,6 +273,16 @@ public EOAttribute attribute() {
      * @return failed validation value.
      */
     public Object value() { return value; }
+
+    /**
+     * Provides an escaped value to use in validation template string.
+     */
+    public String escapedValue() {
+    	if(value() != null) {
+    		return WOMessage.stringByEscapingHTMLString(value().toString());
+    	}
+    	return null;
+    }
 
     /**
      * Sets the value that failed validation.

Frameworks/Misc/ERDivaliteLook/Resources/English.lproj/ValidationTemplate.strings

@@ -1,10 +1,10 @@
 {
-	"IllegalCharacterInNumberException" = "Please check the value @@value@@ you supplied for the field @@displayNameForProperty@@.";
-	"InvalidDateFormatException" = "Please check @@displayNameForProperty@@ as @@value@@ is not a valid date";
+	"IllegalCharacterInNumberException" = "Please check the value @@escapedValue@@ you supplied for the field @@displayNameForProperty@@.";
+	"InvalidDateFormatException" = "Please check @@displayNameForProperty@@ as @@escapedValue@@ is not a valid date";
 	"InvalidNumberException" = "The value is an invalid number.";
 	"MandatoryToManyRelationshipException" = "A @@displayNameForEntity@@ must have a least one @@displayNameForDestinationEntity@@.";
 	"MandatoryToOneRelationshipException" = "A @@displayNameForEntity@@ must have a @@displayNameForProperty@@.";
-	"NotANumberException" = "Sorry, I could not read this number @@value@@ ";
+	"NotANumberException" = "Sorry, I could not read this number @@escapedValue@@ ";
 	"NullPropertyException" = "Please provide a @@displayNameForProperty@@.";
 	"ObjectCannotBeDeletedException" = "Cannot delete this @@displayNameForEntity@@ because either this @@displayNameForEntity@@ or any object related to this @@displayNameForEntity@@ cannot be deleted.";
 	"ObjectRemovalException" = "Cannot delete this @@displayNameForEntity@@. You should first delete the item in its @@displayNameForProperty@@.";