openo-beta · yingbull · May 12, 2025 · May 9, 2025 · May 12, 2025 · May 12, 2025
diff --git a/src/main/webapp/admin/adminbackupdownload.jsp b/src/main/webapp/admin/adminbackupdownload.jsp
@@ -25,97 +25,141 @@
 
 --%>
 
+<%@ page contentType="text/html; charset=UTF-8" errorPage="/errorpage.jsp" %>
+<%@ page import="
+      java.util.*,
+      java.io.*,
+      java.net.*,
+      org.apache.commons.io.FileUtils,
+      org.apache.commons.text.StringEscapeUtils,
+      oscar.OscarProperties,
+      oscar.util.FileSortByDate
+" %>
+
 <%@ taglib uri="/WEB-INF/security.tld" prefix="security" %>
+<%@ taglib uri="http://java.sun.com/jsp/jstl/core"   prefix="c"   %>
+<%@ taglib uri="http://java.sun.com/jsp/jstl/fmt"    prefix="fmt" %>
+
 <%
-    String roleName$ = (String) session.getAttribute("userrole") + "," + (String) session.getAttribute("user");
+    // 1) Null-safe session check
+    String userRoleAttr = (String) session.getAttribute("userrole");
+    String userNameAttr = (String) session.getAttribute("user");
+    if (userRoleAttr == null || userNameAttr == null) {
+        // no session info → bounce to login
+        response.sendRedirect(request.getContextPath() + "/login.jsp");
+        return;
+    }
+    String roleName$ = userRoleAttr + "," + userNameAttr;
     boolean authed = true;
 %>
-<security:oscarSec roleName="<%=roleName$%>"
-                   objectName="_admin,_admin.backup" rights="r" reverse="<%=true%>">
-    <%authed = false; %>
-    <%response.sendRedirect("../securityError.jsp?type=_admin&type=_admin.backup");%>
+<security:oscarSec
+    roleName="<%= roleName$ %>"
+    objectName="_admin,_admin.backup"
+    rights="r"
+    reverse="true">
+  <%
+    authed = false;
+    response.sendRedirect("../securityError.jsp?type=_admin&type=_admin.backup");
+  %>
 </security:oscarSec>
 <%
     if (!authed) {
         return;
     }
 %>
-<%
-    boolean bodd = false;
-%>
-
-<%@ taglib uri="http://java.sun.com/jsp/jstl/fmt" prefix="fmt" %>
-<%@ page import="java.util.*,oscar.*,java.io.*,java.net.*,oscar.util.*,org.apache.commons.io.FileUtils"
-         errorPage="/errorpage.jsp" %>
-<% java.util.Properties oscarVariables = OscarProperties.getInstance(); %>
-
-<html>
-<head>
-
-    <title>ADMIN PAGE</title>
-
-    <link href="<%=request.getContextPath() %>/css/bootstrap.min.css" rel="stylesheet">
-    <link rel="stylesheet" href="<%=request.getContextPath() %>/css/font-awesome.min.css">
-</head>
-<body>
-
-<h3><fmt:setBundle basename="oscarResources"/><fmt:message key="admin.admin.btnAdminBackupDownload"/></h3>
 
 <%
-    String backuppath = oscarVariables.getProperty("backup_path");
+    // Load backup_path
+    Properties oscarVars = OscarProperties.getInstance();
+    String backuppath = oscarVars.getProperty("backup_path");
+    session.setAttribute("backupfilepath", backuppath);
 
     File dir = new File(backuppath);
     boolean exists = dir.exists();
-
-    if (exists) {
 %>
-<div class="well">
-    <table class="table table-striped  table-condensed">
-        <thead>
-        <tr>
-            <th>File Name</th>
-            <th>Size</th>
-        </tr>
-        </thead>
-
-        <tbody>
-        <%
-
-            if (backuppath == null || backuppath.equals("")) {
-                Exception e = new Exception("Unable to find the key backup_path in the properties file.  Please check the value of this key or add it if it is missing.");
-                throw e;
-            }
-            session.setAttribute("backupfilepath", backuppath);
-
-            File f = new File(backuppath);
-            File[] contents = f.listFiles();
-
-            Arrays.sort(contents, new FileSortByDate());
-            if (contents == null) {
-                Exception e = new Exception("Unable to find any files in the directory " + backuppath + ".  (If this is the incorrect directory, please modify the value of backup_path in your properties file to reflect the correct directory).");
-                throw e;
-            }
-            for (int i = 0; i < contents.length; i++) {
-                bodd = bodd ? false : true;
-                if (contents[i].isDirectory() || contents[i].getName().equals("BackupClient.class") || contents[i].getName().startsWith("."))
-                    continue;
-                out.println("<tr><td><a href="<%= request.getContextPath() %>/servlet/BackupDownload?filename=" + URLEncoder.encode(contents[i].getName()) + "'>" + contents[i].getName() + "</a></td>");
-                long bytes = contents[i].length();
-                String display = FileUtils.byteCountToDisplaySize(bytes);
-
-                out.println("<td align='right' title=\"" + bytes + " by\">" + display + "</td></tr>"); //+System.getProperty("file.separator")
-            }
-        %>
-        </tbody>
-    </table>
-</div>
-<%} else {%>
-
-<div class="alert alert-error">
-    <strong>Warning!</strong> It appears that your backup directory does not exist or there is a problem with the path.
-    Please check <i>backup_path</i> in your properties file.
-</div>
-
-<%}%>
-</body>
+
+<c:set var="calendarLangKey">
+  <fmt:message key="global.javascript.calendar"/>
+</c:set>
+<c:url value="/share/calendar/lang/${calendarLangKey}" var="calendarLangUrl"/>
+
+<html>
+  <head>
+    <title>Admin Backup Download</title>
+    <link href="<%= request.getContextPath() %>/css/bootstrap.min.css" rel="stylesheet"/>
+    <link href="<%= request.getContextPath() %>/css/font-awesome.min.css" rel="stylesheet"/>
+    <script type="text/javascript"
+            src="${pageContext.request.contextPath}${calendarLangUrl}">
+    </script>
+  </head>
+  <body>
+    <h3>
+      <fmt:setBundle basename="oscarResources"/>
+      <fmt:message key="admin.admin.btnAdminBackupDownload"/>
+    </h3>
+
+    <% if (exists) { %>
+      <div class="well">
+        <table class="table table-striped table-condensed">
+          <thead>
+            <tr><th>File Name</th><th>Size</th></tr>
+          </thead>
+          <tbody>
+          <%
+              // missing or empty path → forward to error
+              if (backuppath == null || backuppath.isEmpty()) {
+                  request.setAttribute("errorMessage",
+                    "backup_path missing in properties; please configure.");
+                  request.getRequestDispatcher("/error.jsp")
+                         .forward(request, response);
+                  return;
+              }
+
+              File[] contents = dir.listFiles();
+              if (contents == null || contents.length == 0) {
+                  throw new Exception(
+                    "No files found in " + backuppath +
+                    ". Please correct backup_path."
+                  );
+              }
+              Arrays.sort(contents, new FileSortByDate());
+
+              for (File f : contents) {
+                  String name = f.getName();
+                  if (f.isDirectory() ||
+                      name.equals("BackupClient.class") ||
+                      name.startsWith(".")) {
+                      continue;
+                  }
+
+                  // 2) XSS-safe name
+                  String safeName = StringEscapeUtils.escapeHtml4(name);
+
+                  String encoded = URLEncoder.encode(name, "UTF-8");
+                  long bytes = f.length();
+                  String displaySize = FileUtils.byteCountToDisplaySize(bytes);
+
+                  out.println(
+                    "<tr>" +
+                      "<td><a href=\"" + request.getContextPath() +
+                        "/servlet/BackupDownload?filename=" + encoded + "\">" +
+                        safeName +
+                      "</a></td>" +
+                      "<td align=\"right\" title=\"" + bytes + " bytes\">" +
+                        displaySize +
+                      "</td>" +
+                    "</tr>"
+                  );
+              }
+          %>
+          </tbody>
+        </table>
+      </div>
+    <% } else { %>
+      <div class="alert alert-error">
+        <strong>Warning!</strong>
+        Backup directory not found—check <i>backup_path</i> in your properties.
+      </div>
+    <% } %>
+  </body>
 </html>
diff --git a/src/main/webapp/documentManager/MultiPageDocDisplay.jsp b/src/main/webapp/documentManager/MultiPageDocDisplay.jsp
@@ -118,7 +118,7 @@
     <script type="text/javascript" src="<%= request.getContextPath() %>/share/calendar/calendar.js"></script>
     <!-- language for the calendar -->
     <script type="text/javascript"
-            src="<%= request.getContextPath() %>/share/calendar/lang/<fmt:setBundle basename="oscarResources'/><fmt:message key='global.javascript.calendar'/>"></script>
+            src="<%= request.getContextPath() %>/share/calendar/lang/<fmt:message key='global.javascript.calendar'/>"></script>
     <!-- the following script defines the Calendar.setup helper function, which makes
            adding a calendar a matter of 1 or 2 lines of code. -->
     <script type="text/javascript" src="<%= request.getContextPath() %>/share/calendar/calendar-setup.js"></script>

diff --git a/src/main/webapp/oscarRx/ChooseAllergy2.jsp b/src/main/webapp/oscarRx/ChooseAllergy2.jsp
@@ -266,7 +266,7 @@
                                                             <c:if test="${not empty allergyResults[type]}">
                                                                 <div class="DivContentSectionHead">
                                                                     <a href="javascript:void(0)" onclick="toggleSection('${type}');return false;">
-                                                                        <img border="0" id="${type}_img" src="<%= request.getContextPath() %>/images/${type == 8 || type == 10 || type == 13 || type == 14 ? "collapser' : 'expander'}.png"/>
+                                                                        <img border="0" id="${type}_img" src="<%= request.getContextPath() %>/images/${type == 8 || type == 10 || type == 13 || type == 14 ? 'collapser' : 'expander'}.png"/>
                                                                     </a>
                                                                         ${type == 8 ? 'ATC Class' : type == 10 ? 'AHFS Class' : type == 13 ? 'Brand Name' : type == 11 ? 'Generic Name' : type == 12 ? 'Compound' : 'Ingredient'}
                                                                 </div>
@@ -327,4 +327,4 @@
 
     </body>
 
-</html>
+</html>