From f25e5b26632b9af05df1c6779bda2a0b73acd76b Mon Sep 17 00:00:00 2001
From: Rainer Prosi
Date: Fri, 20 Feb 2026 12:25:09 +0100
Subject: [PATCH 1/2] remove idiotic dependency
---
 build.gradle | 5 ++---
 .../java/org/cip4/jdfutility/GetFileServlet.java | 13 ++++++-------
 2 files changed, 8 insertions(+), 10 deletions(-)
diff --git a/build.gradle b/build.gradle
index d96e77e..8cba6c0 100644
--- a/build.gradle
+++ b/build.gradle
@@ -151,11 +151,10 @@ dependencies {
 implementation 'org.eclipse.jetty.ee10:jetty-ee10-servlet:12.0.22'
 implementation("org.apache.commons:commons-lang3:3.20.0")
- implementation 'org.apache.commons:commons-text:1.11.0'
 implementation 'org.apache.commons:commons-fileupload2-jakarta-servlet6:2.+'
 implementation 'jakarta.servlet:jakarta.servlet-api:6.1.0'
 implementation 'com.sun.mail:jakarta.mail:2.0.1'
- implementation 'org.apache.commons:commons-lang3:3.18.0'
+ implementation 'org.apache.commons:commons-lang3:3.18.0'
 implementation 'org.apache.logging.log4j:log4j-core:2.25.2'
@@ -163,7 +162,7 @@ dependencies {
 testImplementation 'org.junit.jupiter:junit-jupiter-api:5.13.4'
 testRuntimeOnly 'org.junit.jupiter:junit-jupiter-engine:5.13.4'
-testRuntimeOnly 'org.junit.platform:junit-platform-launcher:1.13.4'
+ testRuntimeOnly 'org.junit.platform:junit-platform-launcher:1.13.4'
 testImplementation 'org.springframework:spring-test:6.2.+'
 testImplementation 'org.springframework:spring-web:6.2.+'
 testImplementation 'org.mockito:mockito-core:5.20.0'
diff --git a/src/main/java/org/cip4/jdfutility/GetFileServlet.java b/src/main/java/org/cip4/jdfutility/GetFileServlet.java
index 90e4259..45feb04 100755
--- a/src/main/java/org/cip4/jdfutility/GetFileServlet.java
+++ b/src/main/java/org/cip4/jdfutility/GetFileServlet.java
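Review bot: `commons-lang3` is declared twice in this dependency block, once as `implementation("org.apache.commons:commons-lang3:3.20.0")` and again as `implementation 'org.apache.commons:commons-lang3:3.18.0'`, and the first hunk only re-indents the second declaration instead of dropping it. Gradle's default conflict resolution should settle on the higher version, so the 3.18.0 line is dead configuration that misleads anyone auditing which version is actually on the classpath. Since this commit is already pruning the dependency list, I would delete the 3.18.0 line here rather than carrying both. The second hunk (`testRuntimeOnly` re-indent) is whitespace only.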
@@ -2,7 +2,7 @@
 * The CIP4 Software License, Version 1.0
 *
 *
- * Copyright (c) 2001-2022 The International Cooperation for the Integration of Processes in Prepress, Press and Postpress (CIP4). All rights reserved.
+ * Copyright (c) 2001-2026 The International Cooperation for the Integration of Processes in Prepress, Press and Postpress (CIP4). All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
 *
@@ -44,7 +44,6 @@
 import java.nio.file.InvalidPathException;
 import java.nio.file.Path;
-import org.apache.commons.text.StringEscapeUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.cip4.jdflib.util.StreamUtil;
@@ -92,8 +91,8 @@ public void destroy()
 /**
 * Handles the HTTP GET method.
- *
- * @param request servlet request
+ *
+ * @param request servlet request
 * @param response servlet response
 */
 @Override
@@ -104,8 +103,8 @@ protected void doGet(final HttpServletRequest request, final HttpServletResponse
 /**
 * Handles the HTTP POST method.
- *
- * @param request servlet request
+ *
+ * @param request servlet request
 * @param response servlet response
 */
 @Override
@@ -140,7 +139,7 @@ void processRequest(final HttpServletRequest request, final HttpServletResponse
 response.setContentType(UrlUtil.TEXT_HTML);
 response.setStatus(404);
 os.write("

Error


Cannot find file: ".getBytes());
- os.write(StringEscapeUtils.escapeHtml3(localName).getBytes());
+ os.write(localName.getBytes());
 os.write("".getBytes());
 }
 StreamUtil.close(os);
From cd378bf0fed34f8133a66b6c6cb429a56b073207 Mon Sep 17 00:00:00 2001
From: Rainer Prosi
Date: Fri, 20 Feb 2026 12:43:14 +0100
Subject: [PATCH 2/2] need some escape
---
 .../org/cip4/jdfutility/GetFileServlet.java | 3 +-
 .../cip4/jdfutility/GetFileServletTest.java | 44 +++++++++----------
 2 files changed, 24 insertions(+), 23 deletions(-)
diff --git a/src/main/java/org/cip4/jdfutility/GetFileServlet.java b/src/main/java/org/cip4/jdfutility/GetFileServlet.java
index 45feb04..ad89ea3 100755
--- a/src/main/java/org/cip4/jdfutility/GetFileServlet.java
+++ b/src/main/java/org/cip4/jdfutility/GetFileServlet.java
@@ -47,6 +47,7 @@
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.cip4.jdflib.util.StreamUtil;
+import org.cip4.jdflib.util.StringUtil;
 import org.cip4.jdflib.util.UrlUtil;
 import jakarta.servlet.ServletConfig;
@@ -139,7 +140,7 @@ void processRequest(final HttpServletRequest request, final HttpServletResponse
 response.setContentType(UrlUtil.TEXT_HTML);
 response.setStatus(404);
 os.write("
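Review bot: The new line `os.write(localName.getBytes());` writes the request-derived name into a `text/html` body with no escaping at all, so at this revision the 404 page reflects untrusted input verbatim; the follow-up commit restores an escape, but applying the series as-is leaves a bisectable commit with that regression, and the two patches should be squashed. Independently of escaping, the old and the new line both call `getBytes()` without a charset, so the emitted bytes depend on the JVM's default encoding while the response declares none; `localName.getBytes(StandardCharsets.UTF_8)` plus a `charset=UTF-8` on the content type would pin it, and the same applies to the rewritten line in the second patch. `processRequest` and the declaration of `localName` begin outside this hunk, so I am assuming `localName` is derived from the request path.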

Error


Cannot find file: ".getBytes());
- os.write(localName.getBytes());
+ os.write(StringUtil.replaceCharSet(localName, "<>", "_", 0).getBytes());
 os.write("".getBytes());
 }
 StreamUtil.close(os);
diff --git a/src/test/java/org/cip4/jdfutility/GetFileServletTest.java b/src/test/java/org/cip4/jdfutility/GetFileServletTest.java
index d009388..08986b5 100644
--- a/src/test/java/org/cip4/jdfutility/GetFileServletTest.java
+++ b/src/test/java/org/cip4/jdfutility/GetFileServletTest.java
@@ -2,7 +2,7 @@
 * The CIP4 Software License, Version 1.0
 *
 *
- * Copyright (c) 2001-2022 The International Cooperation for the Integration of Processes in Prepress, Press and Postpress (CIP4). All rights reserved.
+ * Copyright (c) 2001-2026 The International Cooperation for the Integration of Processes in Prepress, Press and Postpress (CIP4). All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
 *
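Review bot: `StringUtil.replaceCharSet(localName, "<>", "_", 0)` neutralises only `<` and `>`, which stops tag injection in element text but is not HTML encoding: `&` still reaches the browser raw (a name containing `&lt;` renders as `<`), quotes are untouched, and the line becomes unsafe the moment the surrounding markup is changed to place the name in an attribute or script context. It also alters what the user sees (`a<b` is shown as `a_b`) instead of rendering the name faithfully. I would escape rather than strip, either with commons-lang3's `StringEscapeUtils.escapeHtml4` (commons-lang3 stays on the classpath per build.gradle, though that class is deprecated in favour of the commons-text one the first patch removed, so confirm it is still shipped in the pinned version) or with a small local helper as below. `processRequest` starts outside this hunk.
```java
			os.write(escapeHtmlText(localName).getBytes());
// … unchanged: closing-tag write, StreamUtil.close and the rest of processRequest …

	/** Encodes the characters significant in HTML text and attribute content; '&' is replaced first so the entities added afterwards are not re-encoded. */
	private static String escapeHtmlText(final String s)
	{
		return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;").replace("\"", "&quot;").replace("'", "&#39;");
	}
```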
@@ -44,31 +44,31 @@
 import java.nio.file.Path;
 import java.nio.file.Paths;
-import jakarta.servlet.ServletException;
-
 import org.cip4.jdflib.core.JDFCoreConstants;
 import org.junit.jupiter.api.Test;
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.mock.web.MockHttpServletResponse;
 import org.springframework.mock.web.MockServletConfig;
+import jakarta.servlet.ServletException;
+
 public class GetFileServletTest
 {
 @Test
 public void processRequest() throws ServletException, URISyntaxException, IOException
 {
- Path file = Paths.get(GetFileServlet.class.getResource("/data/resourceInfo.jmf").toURI());
+ final Path file = Paths.get(GetFileServlet.class.getResource("/data/resourceInfo.jmf").toURI());
- MockServletConfig config = new MockServletConfig();
+ final MockServletConfig config = new MockServletConfig();
 config.addInitParameter("rootDir", file.getParent().toString());
- GetFileServlet servlet = new GetFileServlet();
+ final GetFileServlet servlet = new GetFileServlet();
 servlet.init(config);
- MockHttpServletRequest request = new MockHttpServletRequest();
+ final MockHttpServletRequest request = new MockHttpServletRequest();
 request.setPathInfo(file.getFileName().toString());
- MockHttpServletResponse response = new MockHttpServletResponse();
+ final MockHttpServletResponse response = new MockHttpServletResponse();
 servlet.processRequest(request, response);
@@ -80,17 +80,17 @@ public void processRequest() throws ServletException, URISyntaxException, IOExce
 @Test
 public void processRequestFileNotExists() throws ServletException, URISyntaxException, IOException
 {
- Path root = Paths.get(GetFileServlet.class.getResource("/data").toURI());
+ final Path root = Paths.get(GetFileServlet.class.getResource("/data").toURI());
- MockServletConfig config = new MockServletConfig();
+ final MockServletConfig config = new MockServletConfig();
 config.addInitParameter("rootDir", root.toString());
- GetFileServlet servlet = new GetFileServlet();
+ final GetFileServlet servlet = new GetFileServlet();
 servlet.init(config);
- MockHttpServletRequest request = new MockHttpServletRequest();
+ final MockHttpServletRequest request = new MockHttpServletRequest();
 request.setPathInfo("file_that_does_not_exist.txt");
- MockHttpServletResponse response = new MockHttpServletResponse();
+ final MockHttpServletResponse response = new MockHttpServletResponse();
 servlet.processRequest(request, response);
@@ -102,15 +102,15 @@ public void processRequestFileNotExists() throws ServletException, URISyntaxExce
 @Test
 public void processRequestPathTraversal() throws ServletException, IOException
 {
- MockServletConfig config = new MockServletConfig();
+ final MockServletConfig config = new MockServletConfig();
 config.addInitParameter("rootDir", "./");
- GetFileServlet servlet = new GetFileServlet();
+ final GetFileServlet servlet = new GetFileServlet();
 servlet.init(config);
- MockHttpServletRequest request = new MockHttpServletRequest();
+ final MockHttpServletRequest request = new MockHttpServletRequest();
 request.setPathInfo("../attack");
- MockHttpServletResponse response = new MockHttpServletResponse();
+ final MockHttpServletResponse response = new MockHttpServletResponse();
 servlet.processRequest(request, response);
@@ -122,20 +122,20 @@ public void processRequestPathTraversal() throws ServletException, IOException
 @Test
 public void processRequestInjection() throws ServletException, IOException
 {
- MockServletConfig config = new MockServletConfig();
+ final MockServletConfig config = new MockServletConfig();
 config.addInitParameter("rootDir", "./");
- GetFileServlet servlet = new GetFileServlet();
+ final GetFileServlet servlet = new GetFileServlet();
 servlet.init(config);
- MockHttpServletRequest request = new MockHttpServletRequest();
+ final MockHttpServletRequest request = new MockHttpServletRequest();
 request.setPathInfo("");
- MockHttpServletResponse response = new MockHttpServletResponse();
+ final MockHttpServletResponse response = new MockHttpServletResponse();
 servlet.processRequest(request, response);
 assertEquals(404, response.getStatus());
- assertEquals("

Error


Cannot find file: <script>attack</script>", response.getContentAsString());
+ assertEquals("

Error


Cannot find file: _script_attack_/script_", response.getContentAsString());
 assertEquals("text/html", response.getContentType());
 }
 }
\ No newline at end of file
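Review bot: The updated assertion pins `Cannot find file: _script_attack_/script_`, so the test now documents that `<` and `>` are replaced by underscores rather than encoded, and it will have to change again if the servlet moves to entity escaping; a second request whose path contains `&` and a quote, asserted to come back as text and never as markup, would state the intended contract instead of pinning one implementation. The `\ No newline at end of file` marker shows the file is still missing a trailing newline on at least one side, which this edit could have fixed while touching the last lines. `processRequestInjection` appears complete within the hunk.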