[mapguide-commits] r4744 - in trunk/MgDev/Web/src: mapviewerjava mapviewernet mapviewerphp

svn_mapguide at osgeo.org svn_mapguide at osgeo.org
Tue Apr 6 11:56:33 EDT 2010


Author: chrisclaydon
Date: 2010-04-06 11:56:33 -0400 (Tue, 06 Apr 2010)
New Revision: 4744

Modified:
   trunk/MgDev/Web/src/mapviewerjava/ajaxviewerabout.jsp
   trunk/MgDev/Web/src/mapviewerjava/buffer.jsp
   trunk/MgDev/Web/src/mapviewerjava/bufferui.jsp
   trunk/MgDev/Web/src/mapviewerjava/colorpicker.jsp
   trunk/MgDev/Web/src/mapviewerjava/common.jsp
   trunk/MgDev/Web/src/mapviewerjava/gettingstarted.jsp
   trunk/MgDev/Web/src/mapviewerjava/legend.jsp
   trunk/MgDev/Web/src/mapviewerjava/legendctrl.jsp
   trunk/MgDev/Web/src/mapviewerjava/legendui.jsp
   trunk/MgDev/Web/src/mapviewerjava/mainframe.jsp
   trunk/MgDev/Web/src/mapviewerjava/mapframe.jsp
   trunk/MgDev/Web/src/mapviewerjava/measure.jsp
   trunk/MgDev/Web/src/mapviewerjava/measureui.jsp
   trunk/MgDev/Web/src/mapviewerjava/printablepage.jsp
   trunk/MgDev/Web/src/mapviewerjava/printablepageui.jsp
   trunk/MgDev/Web/src/mapviewerjava/propertyctrl.jsp
   trunk/MgDev/Web/src/mapviewerjava/search.jsp
   trunk/MgDev/Web/src/mapviewerjava/searchprompt.jsp
   trunk/MgDev/Web/src/mapviewerjava/selectwithin.jsp
   trunk/MgDev/Web/src/mapviewerjava/selectwithinui.jsp
   trunk/MgDev/Web/src/mapviewerjava/setselection.jsp
   trunk/MgDev/Web/src/mapviewerjava/statusbar.jsp
   trunk/MgDev/Web/src/mapviewerjava/taskbar.jsp
   trunk/MgDev/Web/src/mapviewerjava/taskframe.jsp
   trunk/MgDev/Web/src/mapviewerjava/tasklist.jsp
   trunk/MgDev/Web/src/mapviewerjava/viewoptions.jsp
   trunk/MgDev/Web/src/mapviewernet/ajaxviewerabout.aspx
   trunk/MgDev/Web/src/mapviewernet/buffer.aspx
   trunk/MgDev/Web/src/mapviewernet/bufferui.aspx
   trunk/MgDev/Web/src/mapviewernet/colorpicker.aspx
   trunk/MgDev/Web/src/mapviewernet/common.aspx
   trunk/MgDev/Web/src/mapviewernet/formframe.aspx
   trunk/MgDev/Web/src/mapviewernet/gettingstarted.aspx
   trunk/MgDev/Web/src/mapviewernet/legend.aspx
   trunk/MgDev/Web/src/mapviewernet/legendctrl.aspx
   trunk/MgDev/Web/src/mapviewernet/legendui.aspx
   trunk/MgDev/Web/src/mapviewernet/mainframe.aspx
   trunk/MgDev/Web/src/mapviewernet/mapframe.aspx
   trunk/MgDev/Web/src/mapviewernet/measure.aspx
   trunk/MgDev/Web/src/mapviewernet/measureui.aspx
   trunk/MgDev/Web/src/mapviewernet/printablepage.aspx
   trunk/MgDev/Web/src/mapviewernet/printablepageui.aspx
   trunk/MgDev/Web/src/mapviewernet/propertyctrl.aspx
   trunk/MgDev/Web/src/mapviewernet/search.aspx
   trunk/MgDev/Web/src/mapviewernet/searchprompt.aspx
   trunk/MgDev/Web/src/mapviewernet/selectwithin.aspx
   trunk/MgDev/Web/src/mapviewernet/selectwithinui.aspx
   trunk/MgDev/Web/src/mapviewernet/setselection.aspx
   trunk/MgDev/Web/src/mapviewernet/statusbar.aspx
   trunk/MgDev/Web/src/mapviewernet/taskbar.aspx
   trunk/MgDev/Web/src/mapviewernet/taskframe.aspx
   trunk/MgDev/Web/src/mapviewernet/tasklist.aspx
   trunk/MgDev/Web/src/mapviewernet/viewoptions.aspx
   trunk/MgDev/Web/src/mapviewerphp/ajaxviewerabout.php
   trunk/MgDev/Web/src/mapviewerphp/buffer.php
   trunk/MgDev/Web/src/mapviewerphp/bufferui.php
   trunk/MgDev/Web/src/mapviewerphp/colorpicker.php
   trunk/MgDev/Web/src/mapviewerphp/common.php
   trunk/MgDev/Web/src/mapviewerphp/gettingstarted.php
   trunk/MgDev/Web/src/mapviewerphp/legend.php
   trunk/MgDev/Web/src/mapviewerphp/legendctrl.php
   trunk/MgDev/Web/src/mapviewerphp/legendui.php
   trunk/MgDev/Web/src/mapviewerphp/mainframe.php
   trunk/MgDev/Web/src/mapviewerphp/mapframe.php
   trunk/MgDev/Web/src/mapviewerphp/measure.php
   trunk/MgDev/Web/src/mapviewerphp/measureui.php
   trunk/MgDev/Web/src/mapviewerphp/printablepage.php
   trunk/MgDev/Web/src/mapviewerphp/printablepageui.php
   trunk/MgDev/Web/src/mapviewerphp/propertyctrl.php
   trunk/MgDev/Web/src/mapviewerphp/search.php
   trunk/MgDev/Web/src/mapviewerphp/searchprompt.php
   trunk/MgDev/Web/src/mapviewerphp/selectwithin.php
   trunk/MgDev/Web/src/mapviewerphp/selectwithinui.php
   trunk/MgDev/Web/src/mapviewerphp/setselection.php
   trunk/MgDev/Web/src/mapviewerphp/statusbar.php
   trunk/MgDev/Web/src/mapviewerphp/taskbar.php
   trunk/MgDev/Web/src/mapviewerphp/taskframe.php
   trunk/MgDev/Web/src/mapviewerphp/tasklist.php
   trunk/MgDev/Web/src/mapviewerphp/viewoptions.php
Log:
Re #1306 - Cross-site scripting security fix

Modified: trunk/MgDev/Web/src/mapviewerjava/ajaxviewerabout.jsp
===================================================================
--- trunk/MgDev/Web/src/mapviewerjava/ajaxviewerabout.jsp	2010-04-06 15:54:19 UTC (rev 4743)
+++ trunk/MgDev/Web/src/mapviewerjava/ajaxviewerabout.jsp	2010-04-06 15:56:33 UTC (rev 4744)
@@ -93,7 +93,7 @@
 <%!
 void GetRequestParameters(HttpServletRequest request)
 {
-    sessionId = GetParameter(request, "SESSION");
-    locale = GetParameter(request, "LOCALE");
+    sessionId = ValidateSessionId(GetParameter(request, "SESSION"));
+    locale = ValidateLocaleString(GetParameter(request, "LOCALE"));
 }
 %>

Modified: trunk/MgDev/Web/src/mapviewerjava/buffer.jsp
===================================================================
--- trunk/MgDev/Web/src/mapviewerjava/buffer.jsp	2010-04-06 15:54:19 UTC (rev 4743)
+++ trunk/MgDev/Web/src/mapviewerjava/buffer.jsp	2010-04-06 15:56:33 UTC (rev 4744)
@@ -38,9 +38,9 @@
 String units;
 String linestyle;
 String fillstyle;
-String thickness;
+double thickness;
 int merge;
-int foretrans;
+double foretrans;
 String selText;
 String srs;
 String featureName = "Buffer";
@@ -62,7 +62,7 @@
     units = "";
     linestyle = "";
     fillstyle = "";
-    thickness = "";
+    thickness = 0;
     merge = 0;
     foretrans = 50;
     selText = "";
@@ -387,30 +387,31 @@
 <%!
 void GetRequestParameters(HttpServletRequest request)
 {
-    mapName = GetParameter(request, "MAPNAME");
-    sessionId = GetParameter(request, "SESSION");
+    sessionId = ValidateSessionId(GetParameter(request, "SESSION"));
+    locale = ValidateLocaleString(GetParameter(request, "LOCALE"));
+    mapName = ValidateMapName(GetParameter(request, "MAPNAME"));
     popup = GetIntParameter(request, "POPUP");
+    lcolor = ValidateColorString(GetParameter(request, "LCOLOR"));
+    ffcolor = ValidateColorString(GetParameter(request, "FFCOLOR"));
+    fbcolor = ValidateColorString(GetParameter(request, "FBCOLOR"));
+    foretrans = GetDoubleParameter(request, "FORETRANS");
+    if(foretrans < 0 || foretrans > 100)
+    {
+        foretrans = 50;
+    }
+    transparent = GetIntParameter(request, "TRANSPARENT");
+    distance = GetLocalizedDoubleParameter(request, "DISTANCE", locale);
+    if(IsParameter(request, "MERGE"))
+         merge = 1;
+    
     bufferName = GetParameter(request, "BUFFER");
     layersParam = GetParameter(request, "LAYERS");
-    lcolor = GetParameter(request, "LCOLOR");
-    ffcolor = GetParameter(request, "FFCOLOR");
-    fbcolor = GetParameter(request, "FBCOLOR");
-    foretrans = GetIntParameter(request, "FORETRANS");
-    transparent = GetIntParameter(request, "TRANSPARENT");
-    locale = GetParameter(request, "LOCALE");
-    distance = GetLocalizedDoubleParameter(request, "DISTANCE", locale);
     units = GetParameter(request, "UNITS");
     linestyle = GetParameter(request, "LINESTYLE");
     fillstyle = GetParameter(request, "FILLSTYLE");
-    thickness = GetParameter(request, "THICKNESS");
+    thickness = GetDoubleParameter(request, "THICKNESS");
     selText = GetParameter(request, "SELECTION");
-    if(IsParameter(request, "MERGE"))
-         merge = 1;
 
-    if(foretrans < 0 || foretrans > 100)
-    {
-        foretrans = 50;
-    }
 }
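Review bot: `units`, `linestyle`, `fillstyle`, `bufferName`, `layersParam` and `selText` are still read with bare `GetParameter` in this hunk, and the hunk at 443 shows `linestyle` is substituted verbatim into the XML layer-definition template next to the now-validated colours. If those values can reach the template or the rendered page they deserve the same treatment as the colours; for `linestyle` an allowlist of the style names the template expects, or XML-escaping at substitution, would close the gap. Separately, `String.valueOf(thickness)` on the retyped `double` yields `"1.0"` where the old code passed the raw `"1"`, so confirm the template consumer accepts a decimal. The `foretrans`/`thickness` fields themselves are declared in the hunk at 38, outside this one.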
 
 
@@ -433,7 +434,7 @@
 MgByteReader BuildLayerDefinitionContent() throws MgException, Exception
 {
     String layerTempl = LoadTemplate("/viewerfiles/arealayerdef.templ");
-    String xtrans = String.format("%02x", new Object[]{new Integer(255 * foretrans / 100)});
+    String xtrans = String.format("%02x", new Object[]{new Integer((int)(255 * foretrans / 100))});
     String[] vals = {
                 dataSource,
                 featureName,
@@ -442,7 +443,7 @@
                 xtrans + ffcolor,
                 (0 != transparent? ("ff" + fbcolor): ("00" + fbcolor)),
                 linestyle,
-                thickness,
+                String.valueOf(thickness),
                 lcolor };
     layerTempl = Substitute(layerTempl, vals);
     byte[] bytes = layerTempl.getBytes("UTF-8");

Modified: trunk/MgDev/Web/src/mapviewerjava/bufferui.jsp
===================================================================
--- trunk/MgDev/Web/src/mapviewerjava/bufferui.jsp	2010-04-06 15:54:19 UTC (rev 4743)
+++ trunk/MgDev/Web/src/mapviewerjava/bufferui.jsp	2010-04-06 15:56:33 UTC (rev 4744)
@@ -61,10 +61,10 @@
 <%!
 void GetRequestParameters(HttpServletRequest request)
 {
-    mapName = GetParameter(request, "MAPNAME");
-    sessionId = GetParameter(request, "SESSION");
+    sessionId = ValidateSessionId(GetParameter(request, "SESSION"));
+    locale = ValidateLocaleString(GetParameter(request, "LOCALE"));
+    mapName = ValidateMapName(GetParameter(request, "MAPNAME"));
     popup = GetIntParameter(request, "POPUP");
     us = GetIntParameter(request, "US");
-    locale = GetParameter(request, "LOCALE");
 }
 %>

Modified: trunk/MgDev/Web/src/mapviewerjava/colorpicker.jsp
===================================================================
--- trunk/MgDev/Web/src/mapviewerjava/colorpicker.jsp	2010-04-06 15:54:19 UTC (rev 4743)
+++ trunk/MgDev/Web/src/mapviewerjava/colorpicker.jsp	2010-04-06 15:56:33 UTC (rev 4744)
@@ -53,9 +53,9 @@
 <%!
 void GetRequestParameters(HttpServletRequest request)
 {
-    clr = GetParameter(request, "CLR");
+    locale = ValidateLocaleString(GetParameter(request, "LOCALE"));
+    clr = ValidateColorString(GetParameter(request, "CLR"));
     allowTransparency = GetIntParameter(request, "ALLOWTRANS");
     transparent = GetIntParameter(request, "TRANS");
-    locale = GetParameter(request, "LOCALE");
 }
 %>

Modified: trunk/MgDev/Web/src/mapviewerjava/common.jsp
===================================================================
--- trunk/MgDev/Web/src/mapviewerjava/common.jsp	2010-04-06 15:54:19 UTC (rev 4743)
+++ trunk/MgDev/Web/src/mapviewerjava/common.jsp	2010-04-06 15:56:33 UTC (rev 4744)
@@ -17,6 +17,7 @@
 <%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" %>
 <%@ page import="org.osgeo.mapguide.*" %>
 <%@ page import="java.util.*" %>
+<%@ page import="java.util.regex.*" %>
 <%@ page import="java.io.*" %>
 <%@ page import="java.net.*" %>
 <%@ page import="javax.servlet.jsp.*" %>
@@ -194,4 +195,97 @@
     return "Ajax Viewer";
 }
 
+String ValidateSessionId(String proposedSessionId)
+{
+    // 00000000-0000-0000-0000-000000000000_aa_00000000000000000000
+    String validSessionId = "";
+    if(proposedSessionId != null && 
+        Pattern.matches("^[A-Fa-f0-9]{8}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{12}_[A-Za-z]{2}_[A-Fa-f0-9]{20}$", proposedSessionId))
+    {
+        validSessionId = proposedSessionId;
+    }
+    return validSessionId;
+}
+
+String ValidateLocaleString(String proposedLocaleString)
+{
+    // aa or aa-aa
+    String validLocaleString = GetDefaultLocale(); // Default
+    if(proposedLocaleString != null && 
+        (Pattern.matches("^[A-Za-z]{2}$", proposedLocaleString) || Pattern.matches("^[A-Za-z]{2}-[A-Za-z]{2}$", proposedLocaleString)))
+    {
+        validLocaleString = proposedLocaleString;
+    }
+    return validLocaleString;
+}
+
+String ValidateHyperlinkTargetValue(String proposedHyperlinkTarget)
+{
+    // 1, 2 or 3
+    String validHyperlinkTarget = "1"; // Default
+    if(proposedHyperlinkTarget != null && Pattern.matches("^[1-3]$", proposedHyperlinkTarget))
+    {
+        validHyperlinkTarget = proposedHyperlinkTarget;
+    }
+    return validHyperlinkTarget;
+}
+
+String ValidateFrameName(String proposedFrameName)
+{
+    // Allowing alphanumeric characters and underscores in the frame name
+    String validFrameName = "";
+    if(proposedFrameName != null && Pattern.matches("^[a-zA-Z0-9_]*$", proposedFrameName))
+    {
+        validFrameName = proposedFrameName;
+    }
+    return validFrameName;
+}
+
+String ValidateIntegerString(String proposedNumberString)
+{
+    // Allow numeric characters only
+    String validNumberString = "";
+    if(proposedNumberString != null && Pattern.matches("^[0-9]*$", proposedNumberString))
+    {
+        validNumberString = proposedNumberString;
+    }
+    return validNumberString;    
+}
+
+String ValidateResourceId(String proposedResourceId)
+{
+    String validResourceId = "";
+    try
+    {
+        MgResourceIdentifier resId = new MgResourceIdentifier(proposedResourceId);
+        validResourceId = resId.ToString();
+    }
+    catch(MgException e)
+    {
+        validResourceId = "";
+    }
+    return validResourceId;
+}
+
+String ValidateMapName(String proposedMapName)
+{
+    String validMapName = "";
+    if (proposedMapName != null && Pattern.matches("^[^\\*:|\\?<'&\">=]*$", proposedMapName))
+    {
+        validMapName = proposedMapName;
+    }
+    return validMapName;
+}
+
+String ValidateColorString(String proposedColorString)
+{
+    String validColorString = "000000";
+    if (proposedColorString != null && 
+        Pattern.matches("^[A-Fa-f0-9]{6}$", proposedColorString))
+    {
+        validColorString = proposedColorString;
+    }
+    return validColorString;
+}
+
 %>
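Review bot: `ValidateResourceId` is the only validator here that does not null-check its input before use — `new MgResourceIdentifier(proposedResourceId)` on a missing parameter fails with whatever the binding throws for null, and only `MgException` is caught; add `if (proposedResourceId == null) return "";` at the top to match the other helpers. `ValidateMapName` is a denylist (`^[^\*:|\?<'&\">=]*$`): it still admits line terminators, backslash, backtick, `;`, `(`, `)` and `/`, so a name that passes it is not safe to drop into a JavaScript string or an attribute without context escaping — callers should still escape at output, or the pattern should become an allowlist of the characters map names actually use. The hard-coded shape in `ValidateSessionId` (two letters between the underscores, 20 hex digits after) silently blanks any session id issued in a different format, which the mainframe.jsp hunk at 605 then treats as an anonymous request; a comment naming where that format is defined would help the next maintainer, e.g. `// must match the session-id format issued by the site server; keep in sync`.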

Modified: trunk/MgDev/Web/src/mapviewerjava/gettingstarted.jsp
===================================================================
--- trunk/MgDev/Web/src/mapviewerjava/gettingstarted.jsp	2010-04-06 15:54:19 UTC (rev 4743)
+++ trunk/MgDev/Web/src/mapviewerjava/gettingstarted.jsp	2010-04-06 15:56:33 UTC (rev 4744)
@@ -94,13 +94,11 @@
 <%!
 void GetRequestParameters(HttpServletRequest request)
 {
-    sessionId = GetParameter(request, "SESSION");
-    webLayout = GetParameter(request, "WEBLAYOUT");
+    sessionId = ValidateSessionId(GetParameter(request, "SESSION"));
+    locale = ValidateLocaleString(GetParameter(request, "LOCALE"));
+    webLayout = ValidateResourceId(GetParameter(request, "WEBLAYOUT"));
+    dwf = (GetIntParameter(request, "DWF") == 1);
     pageName = GetParameter(request, "PAGE");
-    dwf = GetParameter(request, "DWF").equals("1");
-    locale = GetParameter(request, "LOCALE");
-    if(locale.length() == 0)
-        locale = GetDefaultLocale();
 }
 
 String FixupPageReferences(String html, String webLayout, boolean dwf, String vpath) throws UnsupportedEncodingException {
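Review bot: `pageName = GetParameter(request, "PAGE")` is the one parameter in this hunk left without a validator; everything else in the function now goes through `ValidateSessionId`, `ValidateLocaleString` or `ValidateResourceId`. How `pageName` is consumed is outside the hunk, but if it selects a file or is echoed into the page, a shape check such as `pageName = ValidateFrameName(GetParameter(request, "PAGE"));` (alphanumerics and underscore) or a dedicated allowlist would keep it consistent with the rest of the change.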

Modified: trunk/MgDev/Web/src/mapviewerjava/legend.jsp
===================================================================
--- trunk/MgDev/Web/src/mapviewerjava/legend.jsp	2010-04-06 15:54:19 UTC (rev 4743)
+++ trunk/MgDev/Web/src/mapviewerjava/legend.jsp	2010-04-06 15:56:33 UTC (rev 4744)
@@ -64,7 +64,6 @@
 String sessionId = "";
 boolean summary = false;
 int layerCount = 0;
-String[] layerIds = null;
 int intermediateVar = 0;
 String output = "\nvar layerData = new Array();\n";
 
@@ -157,12 +156,9 @@
 <%!
 void GetRequestParameters(HttpServletRequest request)
 {
-    if(IsParameter(request, "MAPNAME"))
-        mapName = GetParameter(request, "MAPNAME");
+    sessionId = ValidateSessionId(GetParameter(request, "SESSION"));
+    mapName = ValidateMapName(GetParameter(request, "MAPNAME"));
 
-    if(IsParameter(request, "SESSION"))
-        sessionId = GetParameter(request, "SESSION");
-
     if(IsParameter(request, "SUMMARY"))
     {
         summary = true;
@@ -170,16 +166,7 @@
     else
     {
         summary = false;
-        if(IsParameter(request, "LC"))
-        {
-            layerCount = Integer.parseInt(GetParameter(request, "LC"));
-        }
-
-        if(layerCount > 0 && IsParameter(request, "LAYERS"))
-        {
-            String layers = GetParameter(request, "LAYERS");
-            layerIds = layers.split(",");
-        }
+        layerCount = GetIntParameter(request, "LC");
     }
 }
 %>

Modified: trunk/MgDev/Web/src/mapviewerjava/legendctrl.jsp
===================================================================
--- trunk/MgDev/Web/src/mapviewerjava/legendctrl.jsp	2010-04-06 15:54:19 UTC (rev 4743)
+++ trunk/MgDev/Web/src/mapviewerjava/legendctrl.jsp	2010-04-06 15:56:33 UTC (rev 4744)
@@ -72,12 +72,12 @@
 <%!
 void GetRequestParameters(HttpServletRequest request)
 {
-    mapName = GetParameter(request, "MAPNAME");
-    sessionId = GetParameter(request, "SESSION");
+    sessionId = ValidateSessionId(GetParameter(request, "SESSION"));
+    locale = ValidateLocaleString(GetParameter(request, "LOCALE"));
+    mapName = ValidateMapName(GetParameter(request, "MAPNAME"));
     if(IsParameter(request, "MAPFRAME"))
-        mapFrame = GetParameter(request, "MAPFRAME");
+        mapFrame = ValidateFrameName(GetParameter(request, "MAPFRAME"));
     else
         mapFrame = "parent";
-    locale = GetParameter(request, "LOCALE");
 }
 %>
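Review bot: When `MAPFRAME` is present but fails `ValidateFrameName`, `mapFrame` becomes `""` rather than falling back to `"parent"`, because the `else` only covers the absent case; an empty frame name is presumably emitted into the frame-targeting script and will not resolve. Collapse the branches so invalid and absent behave alike: `mapFrame = ValidateFrameName(GetParameter(request, "MAPFRAME")); if (mapFrame.length() == 0) mapFrame = "parent";`. The same pattern is in the propertyctrl.jsp hunk at 59.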

Modified: trunk/MgDev/Web/src/mapviewerjava/legendui.jsp
===================================================================
--- trunk/MgDev/Web/src/mapviewerjava/legendui.jsp	2010-04-06 15:54:19 UTC (rev 4743)
+++ trunk/MgDev/Web/src/mapviewerjava/legendui.jsp	2010-04-06 15:56:33 UTC (rev 4744)
@@ -56,6 +56,6 @@
 <%!
 void GetRequestParameters(HttpServletRequest request)
 {
-     locale = GetParameter(request, "LOCALE");
+     locale = ValidateLocaleString(GetParameter(request, "LOCALE"));
 }
 %>

Modified: trunk/MgDev/Web/src/mapviewerjava/mainframe.jsp
===================================================================
--- trunk/MgDev/Web/src/mapviewerjava/mainframe.jsp	2010-04-06 15:54:19 UTC (rev 4743)
+++ trunk/MgDev/Web/src/mapviewerjava/mainframe.jsp	2010-04-06 15:56:33 UTC (rev 4744)
@@ -147,7 +147,7 @@
     //
     String srcToolbar = showToolbar ? ( "src=\"" + vpath + "toolbar.jsp?LOCALE=" + locale + "\"" ) : "";
     String srcStatusbar = showStatusbar ? ( "src=\"" + vpath + "statusbar.jsp?LOCALE=" + locale + "\"" ) : "";
-    String srcTaskFrame = showTaskPane? ("src=\"" + vpath + "taskframe.jsp?TASK=" + taskPaneUrl + "&WEBLAYOUT=" + URLEncoder.encode(webLayoutDefinition, "UTF-8") + "&DWF=" + (forDwf!=0? "1": "0") + "&SESSION=" + (sessionId != ""? sessionId: "") + "&LOCALE=" + locale + "\"") : "";
+    String srcTaskFrame = showTaskPane? ("src=\"" + vpath + "taskframe.jsp?WEBLAYOUT=" + URLEncoder.encode(webLayoutDefinition, "UTF-8") + "&DWF=" + (forDwf!=0? "1": "0") + "&SESSION=" + (sessionId != ""? sessionId: "") + "&LOCALE=" + locale + "\"") : "";
     String srcTaskBar = "src=\"" + vpath + "taskbar.jsp?LOCALE=" + locale + "\"";
 
     //view center
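Review bot: The new `srcTaskFrame` line keeps `(sessionId != ""? sessionId: "")`, which compares string references in Java, not contents; it happens to be harmless because both branches yield the same text whenever `sessionId` is non-null, but it reads as a check that it is not. Since `ValidateSessionId` (common.jsp hunk) now guarantees a non-null value, the whole ternary can be replaced by `sessionId`. Dropping `TASK=` from the URL is the substantive change here and deserves a one-line comment at the call site, e.g. `// task-pane URL is taken from the web layout, never from the request`, so nobody re-adds it.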
@@ -605,31 +605,19 @@
 
 void GetRequestParameters(HttpServletRequest request)
 {
-    webLayoutDefinition = request.getParameter("WEBLAYOUT");
-    if (webLayoutDefinition == null)
-        webLayoutDefinition = "";
-
-    String localeParam = request.getParameter("LOCALE");
-    if (localeParam != null && localeParam.length() > 0)
-    {
-        locale = localeParam;
-    }
-    else
-    {
-        locale = GetDefaultLocale();
-    }
-    sessionId = request.getParameter("SESSION");
+    webLayoutDefinition = ValidateResourceId(GetParameter(request, "WEBLAYOUT"));
+    sessionId = ValidateSessionId(GetParameter(request, "SESSION"));
+    locale = ValidateLocaleString(GetParameter(request, "LOCALE"));
     if (sessionId != null && sessionId.length() > 0)
     {
-        sessionId = request.getParameter("SESSION");
         orgSessionId = sessionId;
     }
     else
     {
-        username = request.getParameter("USERNAME");
+        username = GetParameter(request, "USERNAME");
         if (username != null && username.length() > 0)
         {
-            password = request.getParameter( "PASSWORD");
+            password = GetParameter(request, "PASSWORD");
             if(password == null)
                 password = "";
             return;
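Review bot: In `if (sessionId != null && sessionId.length() > 0)` the null half is now dead, since `ValidateSessionId` in the common.jsp hunk returns `""` rather than null for a missing or malformed id; `if (sessionId.length() > 0)` says what is actually checked. That branch also deserves a comment because the fallthrough is security-relevant — a session id that fails the format check is treated exactly like no session id and the code proceeds to the `USERNAME`/`PASSWORD` path — e.g. `// a malformed SESSION is discarded by ValidateSessionId; the request then falls back to credential login`. The function continues past the end of the hunk.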

Modified: trunk/MgDev/Web/src/mapviewerjava/mapframe.jsp
===================================================================
--- trunk/MgDev/Web/src/mapviewerjava/mapframe.jsp	2010-04-06 15:54:19 UTC (rev 4743)
+++ trunk/MgDev/Web/src/mapviewerjava/mapframe.jsp	2010-04-06 15:56:33 UTC (rev 4744)
@@ -193,37 +193,15 @@
 <%!
 void GetRequestParameters(HttpServletRequest request)
 {
+    sessionId = ValidateSessionId(GetParameter(request, "SESSION"));
+    locale = ValidateLocaleString(GetParameter(request, "LOCALE"));
+    mapDefinition = ValidateResourceId(GetParameter(request, "MAPDEFINITION"));
+    hlTgt = ValidateHyperlinkTargetValue(GetParameter(request, "HLTGT"));
+    hlTgtName = ValidateFrameName(GetParameter(request, "HLTGTNAME"));
+    infoWidth = GetIntParameter(request, "INFOWIDTH");
+    showLegend = GetIntParameter(request, "SHOWLEGEND");
+    showProperties = GetIntParameter(request, "SHOWPROP");
+    showSlider = GetIntParameter(request, "SHOWSLIDER");
     type = GetParameter(request, "TYPE");
-
-    String localeParam = GetParameter(request, "LOCALE");
-    if(localeParam != null && localeParam.length() > 0)
-    {
-        locale = localeParam;
-    }
-    else
-    {
-        locale = GetDefaultLocale();
-    }
-
-    hlTgt = GetParameter(request, "HLTGT");
-    hlTgtName = GetParameter(request, "HLTGTNAME");
-
-    if(IsParameter(request, "INFOWIDTH"))
-        infoWidth = Integer.parseInt(GetParameter(request, "INFOWIDTH"));
-
-    if(IsParameter(request, "SHOWLEGEND"))
-        showLegend = Integer.parseInt(GetParameter(request, "SHOWLEGEND"));
-
-    if(IsParameter(request, "SHOWPROP"))
-        showProperties = Integer.parseInt(GetParameter(request, "SHOWPROP"));
-
-    if(IsParameter(request, "MAPDEFINITION"))
-        mapDefinition = GetParameter(request, "MAPDEFINITION");
-
-    if(IsParameter(request, "SESSION"))
-        sessionId = GetParameter(request, "SESSION");
-
-    if(IsParameter(request, "SHOWSLIDER"))
-        showSlider = Integer.parseInt(GetParameter(request, "SHOWSLIDER"));
 }
 %>
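Review bot: The rewrite drops the `IsParameter` guards, so `infoWidth`, `showLegend`, `showProperties` and `showSlider` are now assigned unconditionally from `GetIntParameter`; if that helper returns 0 for an absent parameter (its body is not in this diff), any non-zero initial values those fields had are lost when the viewer is opened without them, whereas before they were only overwritten when supplied. Either keep the guard for those four, or confirm their declared defaults are 0 and say so: `// absent -> 0 via GetIntParameter; matches the field defaults`. `type` is still read raw; if it is echoed into the page it should get the same treatment as `hlTgtName`.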

Modified: trunk/MgDev/Web/src/mapviewerjava/measure.jsp
===================================================================
--- trunk/MgDev/Web/src/mapviewerjava/measure.jsp	2010-04-06 15:54:19 UTC (rev 4743)
+++ trunk/MgDev/Web/src/mapviewerjava/measure.jsp	2010-04-06 15:56:33 UTC (rev 4744)
@@ -271,11 +271,11 @@
 <%!
 void GetRequestParameters(HttpServletRequest request)
 {
-    mapName = GetParameter(request, "MAPNAME");
-    sessionId = GetParameter(request, "SESSION");
+    sessionId = ValidateSessionId(GetParameter(request, "SESSION"));
+    locale = ValidateLocaleString(GetParameter(request, "LOCALE"));
+    mapName = ValidateMapName(GetParameter(request, "MAPNAME"));
     target = GetIntParameter(request, "TGT");
     popup = GetIntParameter(request, "POPUP");
-    locale = GetParameter(request, "LOCALE");
     if(IsParameter(request, "CLEAR"))
     {
         clear = true;

Modified: trunk/MgDev/Web/src/mapviewerjava/measureui.jsp
===================================================================
--- trunk/MgDev/Web/src/mapviewerjava/measureui.jsp	2010-04-06 15:54:19 UTC (rev 4743)
+++ trunk/MgDev/Web/src/mapviewerjava/measureui.jsp	2010-04-06 15:56:33 UTC (rev 4744)
@@ -63,20 +63,12 @@
 <%!
 void GetRequestParameters(HttpServletRequest request)
 {
-    String localeParam = GetParameter(request, "LOCALE");
-    if(localeParam != null && localeParam.length() > 0)
-    {
-        locale = localeParam;
-    }
-    else
-    {
-        locale = ""; // Default
-    }
+    sessionId = ValidateSessionId(GetParameter(request, "SESSION"));
+    locale = ValidateLocaleString(GetParameter(request, "LOCALE"));
     target = GetIntParameter(request, "TGT");
     popup = GetIntParameter(request, "POPUP");
     cmdIndex = GetIntParameter(request, "CMDINDEX");
-    mapName = GetParameter(request, "MAPNAME");
-    sessionId = GetParameter(request, "SESSION");
+    mapName = ValidateMapName(GetParameter(request, "MAPNAME"));
     total = GetDoubleParameter(request, "TOTAL");
 }
 %>

Modified: trunk/MgDev/Web/src/mapviewerjava/printablepage.jsp
===================================================================
--- trunk/MgDev/Web/src/mapviewerjava/printablepage.jsp	2010-04-06 15:54:19 UTC (rev 4743)
+++ trunk/MgDev/Web/src/mapviewerjava/printablepage.jsp	2010-04-06 15:56:33 UTC (rev 4744)
@@ -31,10 +31,10 @@
 int isLegend;
 int isArrow;
 String title;
-String scale;
-String centerX;
-String centerY;
-String dpi;
+double scale;
+double centerX;
+double centerY;
+int dpi;
 String templFile;
 String locale;
 %>
@@ -46,10 +46,10 @@
 isLegend = 0;
 isArrow = 0;
 title = "";
-scale = "";
-centerX = "";
-centerY = "";
-dpi = "";
+scale = 0;
+centerX = 0;
+centerY = 0;
+dpi = 0;
 templFile = "";
 locale = "";
 
@@ -67,16 +67,16 @@
     String agent = GetRootVirtualFolder(request) + "/mapagent/mapagent.fcgi";
     String vals[] = { mapName,
         agent,
-        scale,
-        centerX,
-        centerY,
-        dpi,
+        String.valueOf(scale),
+        String.valueOf(centerX),
+        String.valueOf(centerY),
+        String.valueOf(dpi),
         mapName,
         sessionId,
         String.valueOf(isTitle),
         String.valueOf(isLegend),
         String.valueOf(isArrow),
-        isTitle == 1 ? title : "",
+        isTitle == 1 ? EscapeForHtml(title) : "",
         agent,
         mapName,
         sessionId };
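Review bot: `String.valueOf(scale)` on a `double` uses `Double.toString`, which switches to scientific notation at 1e7 and below 1e-3 (a scale of 10000000 becomes `"1.0E7"`) and appends `.0` to whole values; the old code passed the request text through unchanged. Whether the template's consumer accepts that form is not visible here — a JavaScript literal or URL parsed as a float probably does, an integer parse does not — so either confirm it or format explicitly, e.g. `String.format(Locale.ROOT, "%.6f", scale)` for the three doubles, with the explicit `Locale` so the decimal separator is fixed. The same substitution appears in the printablepageui.jsp hunk at 54.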
@@ -98,36 +98,16 @@
 <%!
 void GetRequestParameters(HttpServletRequest request)
 {
-    if(IsParameter(request, "MAPNAME"))
-        mapName = GetParameter(request, "MAPNAME");
-
-    if(IsParameter(request, "SESSION"))
-        sessionId = GetParameter(request, "SESSION");
-
-    if(IsParameter(request, "ISTITLE"))
-        isTitle = Integer.parseInt(GetParameter(request, "ISTITLE"));
-
-    if(IsParameter(request, "ISLEGEND"))
-        isLegend = Integer.parseInt(GetParameter(request, "ISLEGEND"));
-
-    if(IsParameter(request, "ISARROW"))
-        isArrow = Integer.parseInt(GetParameter(request, "ISARROW"));
-
-    if(IsParameter(request, "TITLE"))
-        title = GetParameter(request, "TITLE");
-
-    if(IsParameter(request, "SCALE"))
-        scale = GetParameter(request, "SCALE");
-
-    if(IsParameter(request, "CENTERX"))
-        centerX = GetParameter(request, "CENTERX");
-
-    if(IsParameter(request, "CENTERY"))
-        centerY = GetParameter(request, "CENTERY");
-
-    if(IsParameter(request, "DPI"))
-        dpi = GetParameter(request, "DPI");
-
-    locale = GetParameter(request, "LOCALE");
+    sessionId = ValidateSessionId(GetParameter(request, "SESSION"));
+    locale = ValidateLocaleString(GetParameter(request, "LOCALE"));
+    mapName = ValidateMapName(GetParameter(request, "MAPNAME"));
+    isTitle = GetIntParameter(request, "ISTITLE");
+    isLegend = GetIntParameter(request, "ISLEGEND");
+    isArrow = GetIntParameter(request, "ISARROW");
+    dpi = GetIntParameter(request, "DPI");
+    scale = GetDoubleParameter(request, "SCALE");
+    centerX = GetDoubleParameter(request, "CENTERX");
+    centerY = GetDoubleParameter(request, "CENTERY");
+    title = GetParameter(request, "TITLE");
 }
 %>

Modified: trunk/MgDev/Web/src/mapviewerjava/printablepageui.jsp
===================================================================
--- trunk/MgDev/Web/src/mapviewerjava/printablepageui.jsp	2010-04-06 15:54:19 UTC (rev 4743)
+++ trunk/MgDev/Web/src/mapviewerjava/printablepageui.jsp	2010-04-06 15:56:33 UTC (rev 4744)
@@ -26,13 +26,13 @@
 
 <%!
 int popup;
-String clientWidth;
+int clientWidth;
 String mapName;
 String sessionId;
-String scale;
-String centerX;
-String centerY;
-String dpi;
+double scale;
+double centerX;
+double centerY;
+int dpi;
 String locale;
 %>
 
@@ -43,8 +43,10 @@
 try
 {
     popup = 0;
-    clientWidth = mapName = sessionId = scale = "";
-    centerX = centerY = dpi = "";
+    clientWidth = 0;
+    mapName = sessionId = "";
+    scale = centerX = centerY = 0;
+    dpi = 0;
 
     MgLocalizer.SetLocalizedFilesPath(getServletContext().getRealPath("/") + "localized/");
 
@@ -54,13 +56,13 @@
 
     String templ = MgLocalizer.Localize(LoadTemplate("/viewerfiles/printablepageui.templ"), locale, GetClientOS(request));
     String vals[] = { String.valueOf(popup),
-         clientWidth,
+         String.valueOf(clientWidth),
          sessionId,
          mapName,
-         scale,
-         centerX,
-         centerY,
-         dpi,
+         String.valueOf(scale),
+         String.valueOf(centerX),
+         String.valueOf(centerY),
+         String.valueOf(dpi),
          GetSurroundVirtualPath(request) + "printablepage.jsp"};
     response.getWriter().write(Substitute(templ, vals));
 }
@@ -79,30 +81,14 @@
 <%!
 void GetRequestParameters(HttpServletRequest request)
 {
-    if(IsParameter(request, "POPUP"))
-        popup = Integer.parseInt(GetParameter(request, "POPUP"));
-
-    if(IsParameter(request, "WIDTH"))
-        clientWidth = GetParameter(request, "WIDTH");
-
-    if(IsParameter(request, "MAPNAME"))
-        mapName = GetParameter(request, "MAPNAME");
-
-    if(IsParameter(request, "SESSION"))
-        sessionId = GetParameter(request, "SESSION");
-
-    if(IsParameter(request, "SCALE"))
-        scale = GetParameter(request, "SCALE");
-
-    if(IsParameter(request, "CENTERX"))
-        centerX = GetParameter(request, "CENTERX");
-
-    if(IsParameter(request, "CENTERY"))
-        centerY = GetParameter(request, "CENTERY");
-
-    if(IsParameter(request, "DPI"))
-        dpi = GetParameter(request, "DPI");
-
-    locale = GetParameter(request, "LOCALE");
+    sessionId = ValidateSessionId(GetParameter(request, "SESSION"));
+    locale = ValidateLocaleString(GetParameter(request, "LOCALE"));
+    mapName = ValidateMapName(GetParameter(request, "MAPNAME"));
+    popup = GetIntParameter(request, "POPUP");
+    clientWidth = GetIntParameter(request, "WIDTH");
+    dpi = GetIntParameter(request, "DPI");
+    scale = GetDoubleParameter(request, "SCALE");
+    centerX = GetDoubleParameter(request, "CENTERX");
+    centerY = GetDoubleParameter(request, "CENTERY");
 }
 %>

Modified: trunk/MgDev/Web/src/mapviewerjava/propertyctrl.jsp
===================================================================
--- trunk/MgDev/Web/src/mapviewerjava/propertyctrl.jsp	2010-04-06 15:54:19 UTC (rev 4743)
+++ trunk/MgDev/Web/src/mapviewerjava/propertyctrl.jsp	2010-04-06 15:56:33 UTC (rev 4744)
@@ -59,9 +59,9 @@
 <%!
 void GetRequestParameters(HttpServletRequest request)
 {
-     locale = GetParameter(request, "LOCALE");
+    locale = ValidateLocaleString(GetParameter(request, "LOCALE"));
     if(IsParameter(request, "MAPFRAME"))
-        mapFrame = GetParameter(request, "MAPFRAME");
+        mapFrame = ValidateFrameName(GetParameter(request, "MAPFRAME"));
     else
         mapFrame = "parent";
 }

Modified: trunk/MgDev/Web/src/mapviewerjava/search.jsp
===================================================================
--- trunk/MgDev/Web/src/mapviewerjava/search.jsp	2010-04-06 15:54:19 UTC (rev 4743)
+++ trunk/MgDev/Web/src/mapviewerjava/search.jsp	2010-04-06 15:56:33 UTC (rev 4744)
@@ -277,17 +277,13 @@
 <%!
 void GetRequestParameters(HttpServletRequest request)
 {
-    userInput = GetParameter(request, "USERINPUT");
+    sessionId = ValidateSessionId(GetParameter(request, "SESSION"));
+    locale = ValidateLocaleString(GetParameter(request, "LOCALE"));
+    mapName = ValidateMapName(GetParameter(request, "MAPNAME"));
     target = GetIntParameter(request, "TGT");
     popup = GetIntParameter(request, "POPUP");
-    layerName = GetParameter(request, "LAYER");
-    mapName = GetParameter(request, "MAPNAME");
-    sessionId = GetParameter(request, "SESSION");
-    filter = GetParameter(request, "FILTER");
     matchLimit = GetIntParameter(request, "MR");
     int colCount = GetIntParameter(request, "COLS");
-    locale = GetParameter(request, "LOCALE");
-
     if(colCount > 0)
     {
         for(int i = 0; i < colCount; i++)
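Review bot: `colCount` comes straight from the `COLS` parameter and bounds the `for` loop that follows with no upper limit, so a request with a very large value makes this function call `GetParameter` and grow `resProps` that many times before anything else rejects it; cap it to the number of columns the page can render, e.g. `int colCount = Math.min(GetIntParameter(request, "COLS"), MAX_COLS);` with `MAX_COLS` a named constant and a comment stating the bound. The loop body (`resProps.add(GetParameter(request, "CP" + i))`) is in the next hunk; its values, plus `userInput`, `layerName` and `filter`, remain unvalidated raw strings, which is acceptable only as long as every place that echoes them escapes for the target context.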
@@ -296,6 +292,9 @@
             resProps.add(GetParameter(request, "CP" + i));
         }
     }
+    userInput = GetParameter(request, "USERINPUT");
+    layerName = GetParameter(request, "LAYER");
+    filter = GetParameter(request, "FILTER");
 }
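Review bot: `userInput`, `layerName` and `filter` are still assigned raw from GetParameter while session, locale and map name now go through validators, and the `CP<i>` column names collected in the loop above are raw as well. If `filter` or `userInput` is spliced into a feature-query filter string or written back into the result page, it needs escaping at the point of use, which this hunk does not show; a one-line comment at these assignments, `// raw: must be escaped where used (query filter / HTML)`, would make that contract explicit. The same applies to SELECTION and LAYERS in the selectwithin.jsp hunk and SELECTION in the setselection.jsp hunk.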
 
 void OnError(String title, String msg, PrintWriter outStream, HttpServletRequest request) throws FileNotFoundException, IOException

Modified: trunk/MgDev/Web/src/mapviewerjava/searchprompt.jsp
===================================================================
--- trunk/MgDev/Web/src/mapviewerjava/searchprompt.jsp	2010-04-06 15:54:19 UTC (rev 4743)
+++ trunk/MgDev/Web/src/mapviewerjava/searchprompt.jsp	2010-04-06 15:56:33 UTC (rev 4744)
@@ -68,7 +68,7 @@
                     String.valueOf(cmdIndex),
                     String.valueOf(target),
                     String.valueOf(popup),
-                    layerId,
+                    EscapeForHtml(layerId),
                     mapName,
                     sessionId,
                     EscapeForHtml(filter),
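Review bot: `mapName` and `sessionId` on the two lines after the newly escaped `layerId` are still substituted without EscapeForHtml, which is safe only because GetRequestParameters (next hunk) now restricts them via ValidateMapName (rejects `<'&">`) and ValidateSessionId (strict pattern). That is a non-local invariant; a comment such as `// mapName/sessionId are safe unescaped: restricted by the validators in GetRequestParameters` at the array, or simply wrapping them in EscapeForHtml like the neighbouring values, keeps a later change to the validators from reopening this.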
@@ -81,15 +81,15 @@
 
 void GetRequestParameters(HttpServletRequest request)
 {
+    sessionId = ValidateSessionId(GetParameter(request, "SESSION"));
+    locale = ValidateLocaleString(GetParameter(request, "LOCALE"));
+    mapName = ValidateMapName(GetParameter(request, "MAPNAME"));
     cmdIndex = GetIntParameter(request, "CMDINDEX");
     target = GetIntParameter(request, "TGT");
     popup = GetIntParameter(request, "POPUP");
     clientWidth = GetIntParameter(request, "WIDTH");
+    matchLimit = GetIntParameter(request, "MR");
     layerId = GetParameter(request, "LAYER");
-    mapName = GetParameter(request, "MAPNAME");
-    sessionId = GetParameter(request, "SESSION");
     filter = GetParameter(request, "FILTER");
-    matchLimit = GetIntParameter(request, "MR");
-    locale = GetParameter(request, "LOCALE");
 }
 %>

Modified: trunk/MgDev/Web/src/mapviewerjava/selectwithin.jsp
===================================================================
--- trunk/MgDev/Web/src/mapviewerjava/selectwithin.jsp	2010-04-06 15:54:19 UTC (rev 4743)
+++ trunk/MgDev/Web/src/mapviewerjava/selectwithin.jsp	2010-04-06 15:56:33 UTC (rev 4744)
@@ -29,7 +29,6 @@
 String sessionId = "";
 String layers = "";
 String inputSel = "";
-String dwf = "";
 %>
 
 <%
@@ -169,10 +168,9 @@
 
 void GetRequestParameters(HttpServletRequest request)
 {
-    mapName = GetParameter(request, "MAPNAME");
-    sessionId = GetParameter(request, "SESSION");
+    sessionId = ValidateSessionId(GetParameter(request, "SESSION"));
+    mapName = ValidateMapName(GetParameter(request, "MAPNAME"));
     inputSel = GetParameter(request, "SELECTION");
     layers = GetParameter(request, "LAYERS");
-    dwf = GetParameter(request, "DWF");
 }
 %>

Modified: trunk/MgDev/Web/src/mapviewerjava/selectwithinui.jsp
===================================================================
--- trunk/MgDev/Web/src/mapviewerjava/selectwithinui.jsp	2010-04-06 15:54:19 UTC (rev 4743)
+++ trunk/MgDev/Web/src/mapviewerjava/selectwithinui.jsp	2010-04-06 15:56:33 UTC (rev 4744)
@@ -28,7 +28,7 @@
 int popup = 0;
 String mapName;
 String sessionId;
-String dwf;
+int dwf;
 String locale;
 %>
 
@@ -38,7 +38,7 @@
     popup = 0;
     mapName = "";
     sessionId = "";
-    dwf = "";
+    dwf = 0;
     locale = "";
 
     MgLocalizer.SetLocalizedFilesPath(getServletContext().getRealPath("/") + "localized/");
@@ -50,7 +50,7 @@
                     GetSurroundVirtualPath(request) + "selectwithin.jsp",
                     mapName,
                     sessionId,
-                    dwf
+                    String.valueOf(dwf)
                     };
     response.getWriter().write(Substitute(templ, vals));
 %>
@@ -58,10 +58,10 @@
 <%!
 void GetRequestParameters(HttpServletRequest request)
 {
+    sessionId = ValidateSessionId(GetParameter(request, "SESSION"));
+    locale = ValidateLocaleString(GetParameter(request, "LOCALE"));
+    mapName = ValidateMapName(GetParameter(request, "MAPNAME"));
     popup = GetIntParameter(request, "POPUP");
-    mapName = GetParameter(request, "MAPNAME");
-    sessionId = GetParameter(request, "SESSION");
-    dwf = GetParameter(request, "DWF");
-    locale = GetParameter(request, "LOCALE");
+    dwf = GetIntParameter(request, "DWF");
 }
 %>

Modified: trunk/MgDev/Web/src/mapviewerjava/setselection.jsp
===================================================================
--- trunk/MgDev/Web/src/mapviewerjava/setselection.jsp	2010-04-06 15:54:19 UTC (rev 4743)
+++ trunk/MgDev/Web/src/mapviewerjava/setselection.jsp	2010-04-06 15:56:33 UTC (rev 4744)
@@ -114,16 +114,9 @@
 <%!
 void GetRequestParameters(HttpServletRequest request)
 {
-    if(IsParameter(request, "MAPNAME"))
-        mapName = GetParameter(request, "MAPNAME");
-
-    if(IsParameter(request, "SESSION"))
-        sessionId = GetParameter(request, "SESSION");
-
-    if(IsParameter(request, "SELECTION"))
-        selText = GetParameter(request, "SELECTION");
-
-    if(IsParameter(request, "QUERYINFO"))
-        queryInfo = GetParameter(request, "QUERYINFO").equals("1");
+    sessionId = ValidateSessionId(GetParameter(request, "SESSION"));
+    mapName = ValidateMapName(GetParameter(request, "MAPNAME"));
+    queryInfo = (GetIntParameter(request, "QUERYINFO") == 1);
+    selText = GetParameter(request, "SELECTION");
 }
 %>

Modified: trunk/MgDev/Web/src/mapviewerjava/statusbar.jsp
===================================================================
--- trunk/MgDev/Web/src/mapviewerjava/statusbar.jsp	2010-04-06 15:54:19 UTC (rev 4743)
+++ trunk/MgDev/Web/src/mapviewerjava/statusbar.jsp	2010-04-06 15:56:33 UTC (rev 4744)
@@ -42,6 +42,6 @@
 <%!
 void GetRequestParameters(HttpServletRequest request)
 {
-    locale = GetParameter(request, "LOCALE");
+    locale = ValidateLocaleString(GetParameter(request, "LOCALE"));
 }
 %>

Modified: trunk/MgDev/Web/src/mapviewerjava/taskbar.jsp
===================================================================
--- trunk/MgDev/Web/src/mapviewerjava/taskbar.jsp	2010-04-06 15:54:19 UTC (rev 4743)
+++ trunk/MgDev/Web/src/mapviewerjava/taskbar.jsp	2010-04-06 15:56:33 UTC (rev 4744)
@@ -42,6 +42,6 @@
 <%!
 void GetRequestParameters(HttpServletRequest request)
 {
-    locale = GetParameter(request, "LOCALE");
+    locale = ValidateLocaleString(GetParameter(request, "LOCALE"));
 }
 %>

Modified: trunk/MgDev/Web/src/mapviewerjava/taskframe.jsp
===================================================================
--- trunk/MgDev/Web/src/mapviewerjava/taskframe.jsp	2010-04-06 15:54:19 UTC (rev 4743)
+++ trunk/MgDev/Web/src/mapviewerjava/taskframe.jsp	2010-04-06 15:56:33 UTC (rev 4744)
@@ -1,5 +1,5 @@
 <%--
-  -Copyright (C) 2004-2010 by Autodesk, Inc.
+  -Copyright (C) 2004-2009 by Autodesk, Inc.
   -This library is free software; you can redistribute it and/or
   -modify it under the terms of version 2.1 of the GNU Lesser
   -General Public License as published by the Free Software Foundation.
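Review bot: The copyright range moves backwards from 2004-2010 to 2004-2009 here, which looks like a stale working copy overwriting the header rather than an intended edit. Keep `  -Copyright (C) 2004-2010 by Autodesk, Inc.`.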
@@ -25,10 +25,9 @@
 <%@ page isThreadSafe="false" %>
 
 <%!
-String taskPane = "";
 String sessionId = "";
-String webLayout = "";
-String dwf = "";
+String webLayoutId = "";
+int dwf = 0;
 String locale = "";
 %>
 
@@ -37,37 +36,79 @@
     request.setCharacterEncoding("UTF-8");
     GetRequestParameters(request);
 
-    String url = URLDecoder.decode(taskPane, "UTF-8");
-    int index = url.indexOf("?");
-
-    if(index > 0)
+    try
     {
-        String path = url.substring(0, index);
-        String query = url.substring(index+1);
+        InitializeWebTier();
 
-        if(query.length() > 0)
-            url = String.format("%s?SESSION=%s&WEBLAYOUT=%s&DWF=%s&LOCALE=%s&%s", path, sessionId, URLEncoder.encode(webLayout, "UTF-8"), dwf, locale, query);
+        MgUserInformation cred = new MgUserInformation(sessionId);
+        cred.SetClientIp(GetClientIp(request));
+        cred.SetClientAgent(GetClientAgent());
+
+        //connect to the site and get a feature service and a resource service instances
+        MgSiteConnection site = new MgSiteConnection();
+        site.Open(cred);
+        
+        //Get the MgWebLayout object
+        MgResourceService resourceSrvc = (MgResourceService)site.CreateService(MgServiceType.ResourceService);
+        MgResourceIdentifier webLayoutResId = new MgResourceIdentifier(webLayoutId);
+        MgWebLayout webLayout = new MgWebLayout(resourceSrvc, webLayoutResId);
+        MgWebTaskPane taskPane = webLayout.GetTaskPane();
+        String taskPaneUrl = taskPane.GetInitialTaskUrl();
+        String vpath = GetSurroundVirtualPath(request);
+        if (taskPaneUrl == null || taskPaneUrl.length() == 0)
+        {
+            taskPaneUrl = "gettingstarted.jsp";
+        }
+
+        String url = URLDecoder.decode(taskPaneUrl, "UTF-8");
+        int index = url.indexOf("?");
+
+        if(index > 0)
+        {
+            String path = url.substring(0, index);
+            String query = url.substring(index+1);
+
+            if(query.length() > 0)
+                url = String.format("%s?SESSION=%s&WEBLAYOUT=%s&DWF=%s&LOCALE=%s&%s", path, sessionId, URLEncoder.encode(webLayoutId, "UTF-8"), dwf, locale, query);
+            else
+                url = String.format("%s?SESSION=%s&WEBLAYOUT=%s&DWF=%s&LOCALE=%s", path, sessionId, URLEncoder.encode(webLayoutId, "UTF-8"), dwf, locale);
+        }
         else
-            url = String.format("%s?SESSION=%s&WEBLAYOUT=%s&DWF=%s&LOCALE=%s", path, sessionId, URLEncoder.encode(webLayout, "UTF-8"), dwf, locale);
+        {
+            url = String.format("%s?SESSION=%s&WEBLAYOUT=%s&DWF=%s&LOCALE=%s", taskPaneUrl, sessionId, URLEncoder.encode(webLayoutId), dwf, locale);
+        }
+        String templ = LoadTemplate("/viewerfiles/taskframe.templ");
+        String[] vals = { vpath + "tasklist.jsp",
+                    locale,
+                    url };
+        response.getWriter().write(Substitute(templ, vals));
     }
-    else
+    catch (MgException exc)
     {
-        url = String.format("%s?SESSION=%s&WEBLAYOUT=%s&DWF=%s&LOCALE=%s", taskPane, sessionId, URLEncoder.encode(webLayout), dwf, locale);
+        OnError(MgLocalizer.GetString("TASKS", locale), exc.GetMessage(), response.getWriter(), request);
+        return;
     }
-    String templ = LoadTemplate("/viewerfiles/taskframe.templ");
-    String[] vals = { GetSurroundVirtualPath(request) + "tasklist.jsp",
-                    locale,
-                    url };
-    response.getWriter().write(Substitute(templ, vals));
+    catch (Exception ne)
+    {
+        OnError(MgLocalizer.GetString("TASKS", locale), ne.getMessage(), response.getWriter(), request);
+        return;
+    }
+
 %>
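Review bot: The else branch builds its URL with the single-argument `URLEncoder.encode(webLayoutId)`, which is deprecated and uses the platform default charset, while the two `String.format` calls above it use `URLEncoder.encode(webLayoutId, "UTF-8")`; change it to `URLEncoder.encode(webLayoutId, "UTF-8")` so all three URLs agree (the removed code had the same inconsistency). Resolving the initial task URL from the MgWebLayout on the server instead of accepting it as the TASK parameter is the substantive improvement in this hunk, since it removes the one untrusted value that used to reach the frame src. `sessionId` and `locale` are still concatenated unencoded into those URLs, which is only safe because GetRequestParameters now restricts them by pattern; a comment at the first `String.format` saying so would keep a later edit from loosening that. In the generic `catch (Exception ne)`, `ne.getMessage()` can be null and is then passed straight to OnError.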
 
 <%!
 void GetRequestParameters(HttpServletRequest request)
 {
-    taskPane = GetParameter(request, "TASK");
-    sessionId = GetParameter(request, "SESSION");
-    webLayout = GetParameter(request, "WEBLAYOUT");
-    dwf = GetParameter(request, "DWF");
-    locale = GetParameter(request, "LOCALE");
+    sessionId = ValidateSessionId(GetParameter(request, "SESSION"));
+    locale = ValidateLocaleString(GetParameter(request, "LOCALE"));
+    webLayoutId = ValidateResourceId(GetParameter(request, "WEBLAYOUT"));
+    dwf = GetIntParameter(request, "DWF");
 }
+
+void OnError(String title, String msg, PrintWriter outStream, HttpServletRequest request) throws FileNotFoundException, IOException
+{
+    String templ = MgLocalizer.Localize(LoadTemplate("/viewerfiles/errorpage.templ"), locale, GetClientOS(request));
+    String[] vals = {"0", title, msg };
+    outStream.write(Substitute(templ, vals));
+}
 %>
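Review bot: OnError substitutes `msg` into errorpage.templ as-is, and for the MgException path that message may echo the rejected WEBLAYOUT value back to the client; unless the template or Substitute escapes it (not visible here), it should be written as `String[] vals = {"0", title, EscapeForHtml(msg) };`, matching what searchprompt.jsp does for user-derived strings. Note also that `locale` is read from the page field here, so OnError must only be called after GetRequestParameters has run, which the page body above respects.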

Modified: trunk/MgDev/Web/src/mapviewerjava/tasklist.jsp
===================================================================
--- trunk/MgDev/Web/src/mapviewerjava/tasklist.jsp	2010-04-06 15:54:19 UTC (rev 4743)
+++ trunk/MgDev/Web/src/mapviewerjava/tasklist.jsp	2010-04-06 15:56:33 UTC (rev 4744)
@@ -40,6 +40,6 @@
 <%!
 void GetRequestParameters(HttpServletRequest request)
 {
-    locale = GetParameter(request, "LOCALE");
+    locale = ValidateLocaleString(GetParameter(request, "LOCALE"));
 }
 %>

Modified: trunk/MgDev/Web/src/mapviewerjava/viewoptions.jsp
===================================================================
--- trunk/MgDev/Web/src/mapviewerjava/viewoptions.jsp	2010-04-06 15:54:19 UTC (rev 4743)
+++ trunk/MgDev/Web/src/mapviewerjava/viewoptions.jsp	2010-04-06 15:56:33 UTC (rev 4744)
@@ -51,9 +51,9 @@
 <%!
 void GetRequestParameters(HttpServletRequest request)
 {
+    locale = ValidateLocaleString(GetParameter(request, "LOCALE"));
     target = GetIntParameter(request, "TGT");
     popup = GetIntParameter(request, "POPUP");
     dwf = GetIntParameter(request, "DWF");
-    locale = GetParameter(request, "LOCALE");
 }
 %>

Modified: trunk/MgDev/Web/src/mapviewernet/ajaxviewerabout.aspx
===================================================================
--- trunk/MgDev/Web/src/mapviewernet/ajaxviewerabout.aspx	2010-04-06 15:54:19 UTC (rev 4743)
+++ trunk/MgDev/Web/src/mapviewernet/ajaxviewerabout.aspx	2010-04-06 15:56:33 UTC (rev 4744)
@@ -94,8 +94,8 @@
 
 void GetParameters(NameValueCollection parameters)
 {
-    sessionId = GetParameter(parameters, "SESSION");
-    locale = GetParameter(parameters, "LOCALE");
+    sessionId = ValidateSessionId(GetParameter(parameters, "SESSION"));
+    locale = ValidateLocaleString(GetParameter(parameters, "LOCALE"));
 }
 
 </script>

Modified: trunk/MgDev/Web/src/mapviewernet/buffer.aspx
===================================================================
--- trunk/MgDev/Web/src/mapviewernet/buffer.aspx	2010-04-06 15:54:19 UTC (rev 4743)
+++ trunk/MgDev/Web/src/mapviewernet/buffer.aspx	2010-04-06 15:56:33 UTC (rev 4744)
@@ -38,9 +38,9 @@
 String units = "";
 String linestyle = "";
 String fillstyle = "";
-String thickness = "";
+double thickness = 0;
 int merge = 0;
-int foretrans = 50;
+double foretrans = 50;
 String selText = "";
 String srs = "";
 String featureName = "Buffer";
@@ -386,31 +386,29 @@
 
 void GetParameters(NameValueCollection parameters)
 {
-    mapName = GetParameter(parameters, "MAPNAME");
-    sessionId = GetParameter(parameters, "SESSION");
+    sessionId = ValidateSessionId(GetParameter(parameters, "SESSION"));
+    locale = ValidateLocaleString(GetParameter(parameters, "LOCALE"));
+    mapName = ValidateMapName(GetParameter(parameters, "MAPNAME"));
     popup = GetIntParameter(parameters, "POPUP");
-    bufferName = GetParameter(parameters, "BUFFER");
-    layersParam = GetParameter(parameters, "LAYERS");
-    lcolor = GetParameter(parameters, "LCOLOR");
-    ffcolor = GetParameter(parameters, "FFCOLOR");
-    fbcolor = GetParameter(parameters, "FBCOLOR");
-    foretrans = GetIntParameter(parameters, "FORETRANS");
+    foretrans = GetDoubleParameter(parameters, "FORETRANS");
+    if (foretrans < 0 || foretrans > 100)
+    {
+        foretrans = 50;
+    }
     transparent = GetIntParameter(parameters, "TRANSPARENT");
-    locale = GetParameter(parameters, "LOCALE");
     distance = GetLocalizedDoubleParameter(parameters, "DISTANCE", locale);
+    if(IsParameter(parameters, "MERGE"))
+        merge = 1;
+    lcolor = ValidateColorString(GetParameter(parameters, "LCOLOR"));
+    ffcolor = ValidateColorString(GetParameter(parameters, "FFCOLOR"));
+    fbcolor = ValidateColorString(GetParameter(parameters, "FBCOLOR"));
+    thickness = GetDoubleParameter(parameters, "THICKNESS");
+    bufferName = GetParameter(parameters, "BUFFER");
+    layersParam = GetParameter(parameters, "LAYERS");
     units = GetParameter(parameters, "UNITS");
     linestyle = GetParameter(parameters, "LINESTYLE");
     fillstyle = GetParameter(parameters, "FILLSTYLE");
-    thickness = GetParameter(parameters, "THICKNESS");
     selText = GetParameter(parameters, "SELECTION");
-    if(IsParameter(parameters, "MERGE"))
-        merge = 1;
-
-    if(foretrans < 0 || foretrans > 100)
-    {
-        foretrans = 50;
-    }
-
 }
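Review bot: `linestyle`, `fillstyle`, `units`, `bufferName` and `layersParam` are still read raw while the three colours and `thickness` beside them are now validated, and the vals array in the BuildLayerDefinitionContent hunk further down shows `linestyle` being substituted into arealayerdef.templ next to the validated colour strings. If that template is XML and Substitute does not escape, a crafted LINESTYLE or FILLSTYLE value alters the generated layer definition; an allow-list check of the kind ValidateFrameName applies, or a dedicated list of the style names the template expects, would close that. The reordering that reads `distance` only after `locale` is validated is correct for GetLocalizedDoubleParameter.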
 
 MgLayer FindLayer(MgLayerCollection layers, String layerName)
@@ -433,7 +431,7 @@
 MgByteReader BuildLayerDefinitionContent()
 {
     String layerTempl = LoadTemplate(Request, "../viewerfiles/arealayerdef.templ");
-    String xtrans = String.Format("{0:x2}", (255 * foretrans / 100));
+    String xtrans = String.Format("{0:x2}", ((int)(255 * foretrans / 100)));
     String[] vals = {
                     dataSource,
                     featureName,
@@ -442,7 +440,7 @@
                     xtrans + ffcolor,
                     (0!=transparent)? "ff" + fbcolor: "00" + fbcolor,
                     linestyle,
-                    thickness,
+                    thickness.ToString(NumberFormatInfo.InvariantInfo),
                     lcolor
                     };
     layerTempl = Substitute(layerTempl, vals);

Modified: trunk/MgDev/Web/src/mapviewernet/bufferui.aspx
===================================================================
--- trunk/MgDev/Web/src/mapviewernet/bufferui.aspx	2010-04-06 15:54:19 UTC (rev 4743)
+++ trunk/MgDev/Web/src/mapviewernet/bufferui.aspx	2010-04-06 15:56:33 UTC (rev 4744)
@@ -66,11 +66,11 @@
 
 void GetParameters(NameValueCollection parameters)
 {
-    mapName = GetParameter(parameters, "MAPNAME");
-    sessionId = GetParameter(parameters, "SESSION");
+    sessionId = ValidateSessionId(GetParameter(parameters, "SESSION"));
+    locale = ValidateLocaleString(GetParameter(parameters, "LOCALE"));
     popup = GetIntParameter(parameters, "POPUP");
     us = GetIntParameter(parameters, "US");
-    locale = GetParameter(parameters, "LOCALE");
+    mapName = ValidateMapName(GetParameter(parameters, "MAPNAME"));
 }
 
 </script>

Modified: trunk/MgDev/Web/src/mapviewernet/colorpicker.aspx
===================================================================
--- trunk/MgDev/Web/src/mapviewernet/colorpicker.aspx	2010-04-06 15:54:19 UTC (rev 4743)
+++ trunk/MgDev/Web/src/mapviewernet/colorpicker.aspx	2010-04-06 15:56:33 UTC (rev 4744)
@@ -56,10 +56,10 @@
 
 void GetParameters(NameValueCollection parameters)
 {
-    locale = GetParameter(parameters, "LOCALE");
-    clr = GetParameter(parameters, "CLR");
+    locale = ValidateLocaleString(GetParameter(parameters, "LOCALE"));
     allowTransparency = GetIntParameter(parameters, "ALLOWTRANS");
     transparent = GetIntParameter(parameters, "TRANS");
+    clr = ValidateColorString(GetParameter(parameters, "CLR"));
 }
 
 </script>

Modified: trunk/MgDev/Web/src/mapviewernet/common.aspx
===================================================================
--- trunk/MgDev/Web/src/mapviewernet/common.aspx	2010-04-06 15:54:19 UTC (rev 4743)
+++ trunk/MgDev/Web/src/mapviewernet/common.aspx	2010-04-06 15:56:33 UTC (rev 4744)
@@ -21,7 +21,7 @@
 <%@ Import Namespace="System.Globalization" %>
 <%@ Import Namespace="OSGeo.MapGuide" %>
 
-<script runat="server">
+<script language="C#" runat="server">
 
 void InitializeWebTier()
 {
@@ -186,4 +186,98 @@
 {
     return "Ajax Viewer";
 }
+
+String ValidateSessionId(String proposedSessionId)
+{
+    // 00000000-0000-0000-0000-000000000000_aa_00000000000000000000
+    String validSessionId = "";
+    if(proposedSessionId != null && System.Text.RegularExpressions.Regex.IsMatch(proposedSessionId, 
+        "^[A-Fa-f0-9]{8}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{12}_[A-Za-z]{2}_[A-Fa-f0-9]{20}$"))
+    {
+        validSessionId = proposedSessionId;
+    }
+    return validSessionId;
+}
+
+String ValidateLocaleString(String proposedLocaleString)
+{
+    // aa or aa-aa
+    String validLocaleString = GetDefaultLocale(); // Default
+    if(proposedLocaleString != null && (System.Text.RegularExpressions.Regex.IsMatch(proposedLocaleString, "^[A-Za-z]{2}$") || 
+        System.Text.RegularExpressions.Regex.IsMatch(proposedLocaleString, "^[A-Za-z]{2}-[A-Za-z]{2}$")))
+    {
+        validLocaleString = proposedLocaleString;
+    }
+    return validLocaleString;
+}
+
+String ValidateHyperlinkTargetValue(String proposedHyperlinkTarget)
+{
+    // 1, 2 or 3
+    String validHyperlinkTarget = "1"; // Default
+    if(proposedHyperlinkTarget != null && System.Text.RegularExpressions.Regex.IsMatch(proposedHyperlinkTarget, "^[1-3]$"))
+    {
+        validHyperlinkTarget = proposedHyperlinkTarget;
+    }
+    return validHyperlinkTarget;
+}
+
+String ValidateFrameName(String proposedFrameName)
+{
+    // Allowing alphanumeric characters and underscores in the frame name
+    String validFrameName = "";
+    if(proposedFrameName != null && System.Text.RegularExpressions.Regex.IsMatch(proposedFrameName, "^[a-zA-Z0-9_]*$"))
+    {
+        validFrameName = proposedFrameName;
+    }
+    return validFrameName;
+}
+
+String ValidateIntegerString(String proposedNumberString)
+{
+    // Allow numeric characters only
+    String validNumberString = "";
+    if(proposedNumberString != null && System.Text.RegularExpressions.Regex.IsMatch(proposedNumberString, "^[0-9]*$"))
+    {
+        validNumberString = proposedNumberString;
+    }
+    return validNumberString;    
+}
+
+String ValidateResourceId(String proposedResourceId)
+{
+    String validResourceId = "";
+    try
+    {
+        MgResourceIdentifier resId = new MgResourceIdentifier(proposedResourceId);
+        validResourceId = resId.ToString();
+    }
+    catch(MgException)
+    {
+        validResourceId = "";
+    }
+    return validResourceId;
+}
+
+String ValidateMapName(String proposedMapName)
+{
+    String validMapName = "";
+    if (proposedMapName.IndexOfAny("*:|?<'&\">=".ToCharArray()) < 0)
+    {
+        validMapName = proposedMapName;
+    }
+    return validMapName;
+}
+
+String ValidateColorString(String proposedColorString)
+{
+    String validColorString = "000000";
+    if (proposedColorString != null && 
+        System.Text.RegularExpressions.Regex.IsMatch(proposedColorString, "^[A-Fa-f0-9]{6}$"))
+    {
+        validColorString = proposedColorString;
+    }
+    return validColorString;
+}
+
 </script>
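Review bot: The `$` anchor in these Regex.IsMatch patterns matches before a trailing newline in .NET, so ValidateSessionId, ValidateLocaleString, ValidateHyperlinkTargetValue, ValidateFrameName, ValidateIntegerString and ValidateColorString all accept a value ending in `\n` (for example `"en\n"`), which then flows unencoded into the URLs and attributes mainframe.aspx builds by concatenation; ending each pattern with `\z` instead of `$` (`"^[A-Za-z]{2}\\z"`) closes that. ValidateMapName is the only validator that dereferences its argument without a null check, so a missing MAPNAME throws a NullReferenceException if GetParameter can return null, a case every other validator here guards against; `if (proposedMapName != null && proposedMapName.IndexOfAny("*:|?<'&\">=".ToCharArray()) < 0)` makes it consistent. It is also a deny-list, so `/`, `\`, `%`, whitespace and control characters pass; an allow-list would be safer, but the legal map-name alphabet is not visible on this page. ValidateFrameName and ValidateIntegerString use `*`, so an empty input is both a valid result and the rejection sentinel, which callers cannot tell apart. ValidateResourceId catches only MgException, so whether a null argument surfaces as a different exception from the MgResourceIdentifier constructor is worth confirming.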

Modified: trunk/MgDev/Web/src/mapviewernet/formframe.aspx
===================================================================
--- trunk/MgDev/Web/src/mapviewernet/formframe.aspx	2010-04-06 15:54:19 UTC (rev 4743)
+++ trunk/MgDev/Web/src/mapviewernet/formframe.aspx	2010-04-06 15:56:33 UTC (rev 4744)
@@ -24,10 +24,6 @@
 
 <!-- #Include File="common.aspx -->
 
-<script runat="server">
-String templFile = "";
-</script>
-
 <%
     try
     {

Modified: trunk/MgDev/Web/src/mapviewernet/gettingstarted.aspx
===================================================================
--- trunk/MgDev/Web/src/mapviewernet/gettingstarted.aspx	2010-04-06 15:54:19 UTC (rev 4743)
+++ trunk/MgDev/Web/src/mapviewernet/gettingstarted.aspx	2010-04-06 15:56:33 UTC (rev 4744)
@@ -100,13 +100,11 @@
 
 void GetParameters(NameValueCollection parameters)
 {
-    sessionId = GetParameter(parameters, "SESSION");
-    webLayout = GetParameter(parameters, "WEBLAYOUT");
+    sessionId = ValidateSessionId(GetParameter(parameters, "SESSION"));
+    locale = ValidateLocaleString(GetParameter(parameters, "LOCALE"));
+    dwf = GetIntParameter(parameters, "DWF") == 1;
+    webLayout = ValidateResourceId(GetParameter(parameters, "WEBLAYOUT"));
     pageName = GetParameter(parameters, "PAGE");
-    dwf = GetParameter(parameters, "DWF") == "1";
-    locale = GetParameter(parameters, "LOCALE");
-    if(locale == "")
-        locale = GetDefaultLocale();
 }
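Review bot: `pageName` (PAGE) is the one value in this function still assigned without validation, and the FixupPageReferences signature just below suggests the page's HTML is loaded by that name; if it is used to build a file path, it needs an allow-list check before any filesystem access, for instance `pageName = ValidateFrameName(GetParameter(parameters, "PAGE"));` restricting it to alphanumerics and underscore. That use is outside the hunk, so this is an inference to confirm against the page body.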
 
 String FixupPageReferences(String html, String webLayout, bool dwf, String vpath) {

Modified: trunk/MgDev/Web/src/mapviewernet/legend.aspx
===================================================================
--- trunk/MgDev/Web/src/mapviewernet/legend.aspx	2010-04-06 15:54:19 UTC (rev 4743)
+++ trunk/MgDev/Web/src/mapviewernet/legend.aspx	2010-04-06 15:56:33 UTC (rev 4744)
@@ -63,7 +63,6 @@
 String sessionId = "";
 bool summary = false;
 int layerCount = 0;
-String[] layerIds = null;
 int intermediateVar = 0;
 String output = "\nvar layerData = new Array();\n";
 </script>
@@ -153,31 +152,15 @@
 
 void GetParameters(NameValueCollection parameters)
 {
-    if (IsParameter(parameters, "MAPNAME"))
-    {
-        mapName = GetParameter(parameters, "MAPNAME");
-    }
-    if (IsParameter(parameters, "SESSION"))
-    {
-        sessionId = GetParameter(parameters, "SESSION");
-    }
+    sessionId = ValidateSessionId(GetParameter(parameters, "SESSION"));
+    mapName = ValidateMapName(GetParameter(parameters, "MAPNAME"));
     if (IsParameter(parameters, "SUMMARY"))
     {
         summary = true;
     }
     else
     {
-        if (IsParameter(parameters, "LC"))
-        {
-            layerCount = Convert.ToInt32(GetParameter(parameters, "LC"));
-        }
-        if (layerCount > 0 && IsParameter(parameters, "LAYERS"))
-        {
-            String layers = GetParameter(parameters, "LAYERS");
-
-            char[] delimiter = {','};
-            layerIds = layers.Split(delimiter);
-        }
+        layerCount = GetIntParameter(parameters, "LC");
     }
 }
 

Modified: trunk/MgDev/Web/src/mapviewernet/legendctrl.aspx
===================================================================
--- trunk/MgDev/Web/src/mapviewernet/legendctrl.aspx	2010-04-06 15:54:19 UTC (rev 4743)
+++ trunk/MgDev/Web/src/mapviewernet/legendctrl.aspx	2010-04-06 15:56:33 UTC (rev 4744)
@@ -76,13 +76,14 @@
 
 void GetParameters(NameValueCollection parameters)
 {
-    mapName = GetParameter(parameters, "MAPNAME");
-    sessionId = GetParameter(parameters, "SESSION");
+    sessionId = ValidateSessionId(GetParameter(parameters, "SESSION"));
+    locale = ValidateLocaleString(GetParameter(parameters, "LOCALE"));
+    mapName = ValidateMapName(GetParameter(parameters, "MAPNAME"));
+
     if(IsParameter(parameters, "MAPFRAME"))
-        mapFrame = GetParameter(parameters, "MAPFRAME");
+        mapFrame = ValidateFrameName(GetParameter(parameters, "MAPFRAME"));
     else
         mapFrame = "parent";
-    locale = GetParameter(parameters, "LOCALE");
 }
 
 </script>

Modified: trunk/MgDev/Web/src/mapviewernet/legendui.aspx
===================================================================
--- trunk/MgDev/Web/src/mapviewernet/legendui.aspx	2010-04-06 15:54:19 UTC (rev 4743)
+++ trunk/MgDev/Web/src/mapviewernet/legendui.aspx	2010-04-06 15:56:33 UTC (rev 4744)
@@ -58,7 +58,7 @@
 
 void GetParameters(NameValueCollection parameters)
 {
-    locale =  GetParameter(parameters, "LOCALE");
+    locale =  ValidateLocaleString(GetParameter(parameters, "LOCALE"));
 }
 
 </script>

Modified: trunk/MgDev/Web/src/mapviewernet/mainframe.aspx
===================================================================
--- trunk/MgDev/Web/src/mapviewernet/mainframe.aspx	2010-04-06 15:54:19 UTC (rev 4743)
+++ trunk/MgDev/Web/src/mapviewernet/mainframe.aspx	2010-04-06 15:56:33 UTC (rev 4744)
@@ -150,7 +150,7 @@
         //
         String srcToolbar = showToolbar ? ("src=\"" + vpath + "toolbar.aspx?LOCALE=" + locale + "\"") : "";
         String srcStatusbar = showStatusbar ? ("src=\"" + vpath + "statusbar.aspx?LOCALE=" + locale + "\"") : "";
-        String srcTaskFrame = showTaskPane ? ("src=\"" + vpath + "taskframe.aspx?TASK=" + taskPaneUrl + "&WEBLAYOUT=" + HttpUtility.UrlEncode(webLayoutDefinition) + "&DWF=" + (forDwf != 0 ? "1" : "0") + "&SESSION=" + (sessionId != "" ? sessionId : "") + "&LOCALE=" + locale + "\"") : "";
+        String srcTaskFrame = showTaskPane ? ("src=\"" + vpath + "taskframe.aspx?WEBLAYOUT=" + HttpUtility.UrlEncode(webLayoutDefinition) + "&DWF=" + (forDwf != 0 ? "1" : "0") + "&SESSION=" + (sessionId != "" ? sessionId : "") + "&LOCALE=" + locale + "\"") : "";
         String srcTaskBar = "src=\"" + vpath + "taskbar.aspx?LOCALE=" + locale + "\"";
 
         //view center
@@ -598,31 +598,19 @@
 
 void GetParameters(NameValueCollection parameters)
 {
-    webLayoutDefinition = parameters["WEBLAYOUT"];
-    if (webLayoutDefinition == null)
-        webLayoutDefinition = "";
-
-    String localeParam = parameters["LOCALE"];
-    if (localeParam != null && localeParam.Length > 0)
-    {
-        locale = localeParam;
-    }
-    else
-    {
-        locale = GetDefaultLocale();
-    }
-    sessionId = parameters["SESSION"];
+    locale = ValidateLocaleString(GetParameter(parameters, "LOCALE"));
+    sessionId = ValidateSessionId(GetParameter(parameters, "SESSION"));
+    webLayoutDefinition = ValidateResourceId(GetParameter(parameters, "WEBLAYOUT"));
     if (sessionId != null && sessionId.Length > 0)
     {
-        sessionId = parameters["SESSION"];
         orgSessionId = sessionId;
     }
     else
     {
-        username = parameters["USERNAME"];
+        username = GetParameter(parameters, "USERNAME");
         if (null != username && username.Length > 0)
         {
-            password = parameters["PASSWORD"];
+            password = GetParameter(parameters, "PASSWORD");
             if (null == password)
             {
                 password = "";

Modified: trunk/MgDev/Web/src/mapviewernet/mapframe.aspx
===================================================================
--- trunk/MgDev/Web/src/mapviewernet/mapframe.aspx	2010-04-06 15:54:19 UTC (rev 4743)
+++ trunk/MgDev/Web/src/mapviewernet/mapframe.aspx	2010-04-06 15:56:33 UTC (rev 4744)
@@ -214,40 +214,19 @@
 
 void GetParameters(NameValueCollection parameters)
 {
-    type = GetParameter(parameters, "TYPE");
+    type = GetParameter(parameters, "TYPE"); // "DWF" or other
+    sessionId = ValidateSessionId(GetParameter(parameters, "SESSION"));
+    locale = ValidateLocaleString(GetParameter(parameters, "LOCALE"));
+    hlTgt = ValidateHyperlinkTargetValue(GetParameter(parameters, "HLTGT"));
+    hlTgtName = ValidateFrameName(GetParameter(parameters, "HLTGTNAME"));
 
-    locale = GetParameter(parameters, "LOCALE");
-    if(locale == "")
-        locale = GetDefaultLocale();
+    infoWidth = GetIntParameter(parameters, "INFOWIDTH");
+    showLegend = GetIntParameter(parameters, "SHOWLEGEND");
+    showProperties = GetIntParameter(parameters, "SHOWPROP");
+    showSlider = GetIntParameter(parameters, "SHOWSLIDER");
 
-    hlTgt = GetParameter(parameters, "HLTGT");
-    hlTgtName = GetParameter(parameters, "HLTGTNAME");
-
-    if (IsParameter(parameters, "INFOWIDTH"))
-    {
-        infoWidth = Convert.ToInt32(GetParameter(parameters, "INFOWIDTH"));
+    mapDefinition = ValidateResourceId(GetParameter(parameters, "MAPDEFINITION"));
     }
-    if (IsParameter(parameters, "SHOWLEGEND"))
-    {
-        showLegend = Convert.ToInt32(GetParameter(parameters, "SHOWLEGEND"));
-    }
-    if (IsParameter(parameters, "SHOWPROP"))
-    {
-        showProperties = Convert.ToInt32(GetParameter(parameters, "SHOWPROP"));
-    }
-    if (IsParameter(parameters, "MAPDEFINITION"))
-    {
-        mapDefinition = GetParameter(parameters, "MAPDEFINITION");
-    }
-    if (IsParameter(parameters, "SESSION"))
-    {
-        sessionId = GetParameter(parameters, "SESSION");
-    }
-    if (IsParameter(parameters, "SHOWSLIDER"))
-    {
-        showSlider = Convert.ToInt32(GetParameter(parameters, "SHOWSLIDER"));
-    }
-}
 
 String IntToString(int number)
 {
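Review bot: The function's closing brace is now the indented `    }` on the line after the `mapDefinition` assignment, because the column-0 `}` was removed along with the old block; it compiles, but reads as if it closes an if-block, so move it to column 0. `type` remains the only raw string here and the added comment says it is `"DWF"` or other, which is fine if it is only compared, but if it is echoed into the page it needs the same treatment as the others — its use is outside the hunk. Replacing `Convert.ToInt32` with GetIntParameter also removes the FormatException a non-numeric INFOWIDTH, SHOWLEGEND, SHOWPROP or SHOWSLIDER used to raise, assuming GetIntParameter falls back to a default rather than throwing.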

Modified: trunk/MgDev/Web/src/mapviewernet/measure.aspx
===================================================================
--- trunk/MgDev/Web/src/mapviewernet/measure.aspx	2010-04-06 15:54:19 UTC (rev 4743)
+++ trunk/MgDev/Web/src/mapviewernet/measure.aspx	2010-04-06 15:56:33 UTC (rev 4744)
@@ -261,11 +261,11 @@
 
 void GetParameters(NameValueCollection parameters)
 {
-    mapName = GetParameter(parameters, "MAPNAME");
-    sessionId = GetParameter(parameters, "SESSION");
+    sessionId = ValidateSessionId(GetParameter(parameters, "SESSION"));
+    locale = ValidateLocaleString(GetParameter(parameters, "LOCALE"));
+    mapName = ValidateMapName(GetParameter(parameters, "MAPNAME"));
     target = GetIntParameter(parameters, "TGT");
     popup = GetIntParameter(parameters, "POPUP");
-    locale = GetParameter(parameters, "LOCALE");
     if(IsParameter(parameters, "CLEAR"))
         clear = true;
     else

Modified: trunk/MgDev/Web/src/mapviewernet/measureui.aspx
===================================================================
--- trunk/MgDev/Web/src/mapviewernet/measureui.aspx	2010-04-06 15:54:19 UTC (rev 4743)
+++ trunk/MgDev/Web/src/mapviewernet/measureui.aspx	2010-04-06 15:56:33 UTC (rev 4744)
@@ -70,12 +70,12 @@
 
 void GetParameters(NameValueCollection parameters)
 {
-    locale = GetParameter(parameters, "LOCALE");
+    sessionId = ValidateSessionId(GetParameter(parameters, "SESSION"));
+    locale = ValidateLocaleString(GetParameter(parameters, "LOCALE"));
+    mapName = ValidateMapName(GetParameter(parameters, "MAPNAME"));
     target = GetIntParameter(parameters, "TGT");
     popup = GetIntParameter(parameters, "POPUP");
     cmdIndex = GetIntParameter(parameters, "CMDINDEX");
-    mapName = GetParameter(parameters, "MAPNAME");
-    sessionId = GetParameter(parameters, "SESSION");
     total = GetDoubleParameter(parameters, "TOTAL");
 }
 

Modified: trunk/MgDev/Web/src/mapviewernet/printablepage.aspx
===================================================================
--- trunk/MgDev/Web/src/mapviewernet/printablepage.aspx	2010-04-06 15:54:19 UTC (rev 4743)
+++ trunk/MgDev/Web/src/mapviewernet/printablepage.aspx	2010-04-06 15:56:33 UTC (rev 4744)
@@ -31,11 +31,11 @@
 int isTitle = 0;
 int isLegend = 0;
 int isArrow = 0;
+int dpi = 0;
 String title = "";
-String scale = "";
-String centerX = "";
-String centerY = "";
-String dpi = "";
+double scale = 0;
+double centerX = 0;
+double centerY = 0;
 </script>
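Review bot: `int dpi = 0;` gives printablepage.aspx a different fallback from printablepageui.aspx, which this same commit initialises as `int dpi = 96;`. The .NET GetIntParameter is not in this chunk, but the PHP one added to common.php returns 0 for a missing or non-numeric value, so with an absent DPI the string "0" is what reaches the template in the next hunk. If anything downstream divides by or scales with dpi (not visible here), that zero will surface as an error or an empty print; consider `int dpi = 96;` here as well, or clamp after parsing with `if (dpi <= 0) dpi = 96;`.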
 
 <%
@@ -53,16 +53,16 @@
         String[] vals = {
             mapName,
             agent,
-            scale,
-            centerX,
-            centerY,
-            dpi,
+            scale.ToString(NumberFormatInfo.InvariantInfo),
+            centerX.ToString(NumberFormatInfo.InvariantInfo),
+            centerY.ToString(NumberFormatInfo.InvariantInfo),
+            dpi.ToString(NumberFormatInfo.InvariantInfo),
             mapName,
             sessionId,
             isTitle.ToString(NumberFormatInfo.InvariantInfo),
             isLegend.ToString(NumberFormatInfo.InvariantInfo),
             isArrow.ToString(NumberFormatInfo.InvariantInfo),
-            isTitle == 1 ? title : "",
+            isTitle == 1 ? EscapeForHtml(title) : "",
             agent,
             mapName,
             sessionId };
@@ -92,47 +92,18 @@
 
 void GetParameters(NameValueCollection parameters)
 {
-    locale =  GetParameter(parameters, "LOCALE");
-    if(IsParameter(parameters, "MAPNAME"))
-    {
-        mapName = GetParameter(parameters, "MAPNAME");
-    }
-    if(IsParameter(parameters, "SESSION"))
-    {
-        sessionId = GetParameter(parameters, "SESSION");
-    }
-    if(IsParameter(parameters, "ISTITLE"))
-    {
-        isTitle = Convert.ToInt32(GetParameter(parameters, "ISTITLE"));
-    }
-    if(IsParameter(parameters, "ISLEGEND"))
-    {
-        isLegend = Convert.ToInt32(GetParameter(parameters, "ISLEGEND"));
-    }
-    if(IsParameter(parameters, "ISARROW"))
-    {
-       isArrow = Convert.ToInt32(GetParameter(parameters, "ISARROW"));
-    }
-    if(IsParameter(parameters, "TITLE"))
-    {
-        title = GetParameter(parameters, "TITLE");
-    }
-    if(IsParameter(parameters, "SCALE"))
-    {
-        scale = GetParameter(parameters, "SCALE");
-    }
-    if(IsParameter(parameters, "CENTERX"))
-    {
-       centerX = GetParameter(parameters, "CENTERX");
-    }
-    if(IsParameter(parameters, "CENTERY"))
-    {
-        centerY = GetParameter(parameters, "CENTERY");
-    }
-    if(IsParameter(parameters, "DPI"))
-    {
-        dpi = GetParameter(parameters, "DPI");
-    }
+    sessionId = ValidateSessionId(GetParameter(parameters, "SESSION"));
+    locale = ValidateLocaleString(GetParameter(parameters, "LOCALE"));
+    isTitle = GetIntParameter(parameters, "ISTITLE");
+    isLegend = GetIntParameter(parameters, "ISLEGEND");
+    isArrow = GetIntParameter(parameters, "ISARROW");
+    dpi = GetIntParameter(parameters, "DPI");
+    mapName = ValidateMapName(GetParameter(parameters, "MAPNAME"));
+    scale = GetDoubleParameter(parameters, "SCALE");
+    centerX = GetDoubleParameter(parameters, "CENTERX");
+    centerY = GetDoubleParameter(parameters, "CENTERY");
+
+    title = GetParameter(parameters, "TITLE");
 }
 
 </script>

Modified: trunk/MgDev/Web/src/mapviewernet/printablepageui.aspx
===================================================================
--- trunk/MgDev/Web/src/mapviewernet/printablepageui.aspx	2010-04-06 15:54:19 UTC (rev 4743)
+++ trunk/MgDev/Web/src/mapviewernet/printablepageui.aspx	2010-04-06 15:56:33 UTC (rev 4744)
@@ -26,13 +26,13 @@
 
 <script runat="server">
 int popup = 0;
-String clientWidth = "";
+int clientWidth = 0;
+int dpi = 96;
 String mapName = "";
 String sessionId = "";
-String scale = "";
-String centerX = "";
-String centerY = "";
-String dpi = "";
+double scale = 0;
+double centerX = 0;
+double centerY = 0;
 String locale = "";
 </script>
 
@@ -50,13 +50,13 @@
 
         String[] vals = {
             popup.ToString(NumberFormatInfo.InvariantInfo),
-            clientWidth,
+            clientWidth.ToString(NumberFormatInfo.InvariantInfo),
             sessionId,
             mapName,
-            scale,
-            centerX,
-            centerY,
-            dpi,
+            scale.ToString(NumberFormatInfo.InvariantInfo),
+            centerX.ToString(NumberFormatInfo.InvariantInfo),
+            centerY.ToString(NumberFormatInfo.InvariantInfo),
+            dpi.ToString(NumberFormatInfo.InvariantInfo),
             GetSurroundVirtualPath(Request) + "printablepage.aspx"};
 
         Response.Write(Substitute(templ, vals));
@@ -84,39 +84,15 @@
 
 void GetParameters(NameValueCollection parameters)
 {
-    locale =  GetParameter(parameters, "LOCALE");
-    if(IsParameter(parameters, "POPUP"))
-    {
-        popup = Convert.ToInt32(GetParameter(parameters, "POPUP"));
-    }
-    if(IsParameter(parameters, "WIDTH"))
-    {
-        clientWidth = GetParameter(parameters, "WIDTH");
-    }
-    if(IsParameter(parameters, "MAPNAME"))
-    {
-        mapName = GetParameter(parameters, "MAPNAME");
-    }
-    if(IsParameter(parameters, "SESSION"))
-    {
-        sessionId = GetParameter(parameters, "SESSION");
-    }
-    if(IsParameter(parameters, "SCALE"))
-    {
-        scale = GetParameter(parameters, "SCALE");
-    }
-    if(IsParameter(parameters, "CENTERX"))
-    {
-       centerX = GetParameter(parameters, "CENTERX");
-    }
-    if(IsParameter(parameters, "CENTERY"))
-    {
-        centerY = GetParameter(parameters, "CENTERY");
-    }
-    if(IsParameter(parameters, "DPI"))
-    {
-        dpi = GetParameter(parameters, "DPI");
-    }
+    sessionId = ValidateSessionId(GetParameter(parameters, "SESSION"));
+    locale = ValidateLocaleString(GetParameter(parameters, "LOCALE"));
+    popup = GetIntParameter(parameters, "POPUP");
+    clientWidth = GetIntParameter(parameters, "WIDTH");
+    dpi = GetIntParameter(parameters, "DPI");
+    mapName = ValidateMapName(GetParameter(parameters, "MAPNAME"));
+    scale = GetDoubleParameter(parameters, "SCALE");
+    centerX = GetDoubleParameter(parameters, "CENTERX");
+    centerY = GetDoubleParameter(parameters, "CENTERY");
 }
 
 </script>

Modified: trunk/MgDev/Web/src/mapviewernet/propertyctrl.aspx
===================================================================
--- trunk/MgDev/Web/src/mapviewernet/propertyctrl.aspx	2010-04-06 15:54:19 UTC (rev 4743)
+++ trunk/MgDev/Web/src/mapviewernet/propertyctrl.aspx	2010-04-06 15:56:33 UTC (rev 4744)
@@ -49,9 +49,9 @@
 
 void GetParameters(NameValueCollection parameters)
 {
-    locale =  GetParameter(parameters, "LOCALE");
+    locale =  ValidateLocaleString(GetParameter(parameters, "LOCALE"));
     if(IsParameter(parameters, "MAPFRAME"))
-        mapFrame = GetParameter(parameters, "MAPFRAME");
+        mapFrame = ValidateFrameName(GetParameter(parameters, "MAPFRAME"));
     else
         mapFrame = "parent";
 }
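Review bot: When MAPFRAME is present but rejected, `mapFrame` now ends up as the empty string instead of `"parent"`: the `else` fallback only runs when the parameter is absent, and ValidateFrameName returns "" for a rejected name (the PHP version added in common.php does; the .NET one is presumably parallel). Preserving the old default needs the fallback applied to the validated value, e.g. `mapFrame = ValidateFrameName(GetParameter(parameters, "MAPFRAME")); if (mapFrame.Length == 0) mapFrame = "parent";`. The same pattern appears in legendctrl.php's GetParameters further down in this commit.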

Modified: trunk/MgDev/Web/src/mapviewernet/search.aspx
===================================================================
--- trunk/MgDev/Web/src/mapviewernet/search.aspx	2010-04-06 15:54:19 UTC (rev 4743)
+++ trunk/MgDev/Web/src/mapviewernet/search.aspx	2010-04-06 15:56:33 UTC (rev 4744)
@@ -280,17 +280,12 @@
 
 void GetParameters(NameValueCollection parameters)
 {
-    locale = GetParameter(parameters, "LOCALE");
-    userInput = GetParameter(parameters, "USERINPUT");
+    sessionId = ValidateSessionId(GetParameter(parameters, "SESSION"));
+    locale = ValidateLocaleString(GetParameter(parameters, "LOCALE"));
     target = GetIntParameter(parameters, "TGT");
     popup = GetIntParameter(parameters, "POPUP");
-    layerName = GetParameter(parameters, "LAYER");
-    mapName = GetParameter(parameters, "MAPNAME");
-    sessionId = GetParameter(parameters, "SESSION");
-    filter = GetParameter(parameters, "FILTER");
     matchLimit = GetIntParameter(parameters, "MR");
     int colCount = GetIntParameter(parameters, "COLS");
-
     if(colCount > 0)
     {
         for(int i = 0; i < colCount; i++)
@@ -299,6 +294,10 @@
             resProps.Add(parameters["CP" + i]);
         }
     }
+    mapName = ValidateMapName(GetParameter(parameters, "MAPNAME"));
+    layerName = GetParameter(parameters, "LAYER");
+    filter = GetParameter(parameters, "FILTER");
+    userInput = GetParameter(parameters, "USERINPUT");
 }
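Review bot: `layerName`, `filter` and `userInput` are still read raw with GetParameter while the identifier-style parameters gained validators; this hunk only moves those reads to the end. Their consumers are outside this chunk, but if FILTER or USERINPUT are spliced into a feature-query filter string or rendered back into the results page, they need escaping at the point of use or a validator of their own, as the commit does for TITLE and LAYER elsewhere. buffer.php's GetParameters in this commit leaves BUFFER, UNITS, LINESTYLE and FILLSTYLE raw in the same way.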
 
 void OnError(String title, String msg)

Modified: trunk/MgDev/Web/src/mapviewernet/searchprompt.aspx
===================================================================
--- trunk/MgDev/Web/src/mapviewernet/searchprompt.aspx	2010-04-06 15:54:19 UTC (rev 4743)
+++ trunk/MgDev/Web/src/mapviewernet/searchprompt.aspx	2010-04-06 15:56:33 UTC (rev 4744)
@@ -58,7 +58,7 @@
                     cmdIndex.ToString(NumberFormatInfo.InvariantInfo),
                     target.ToString(NumberFormatInfo.InvariantInfo),
                     popup.ToString(NumberFormatInfo.InvariantInfo),
-                    layerId,
+                    EscapeForHtml(layerId),
                     mapName,
                     sessionId,
                     EscapeForHtml(filter),
@@ -79,16 +79,17 @@
 
 void GetParameters(NameValueCollection parameters)
 {
-    locale =  GetParameter(parameters, "LOCALE");
+    sessionId = ValidateSessionId(GetParameter(parameters, "SESSION"));
+    locale = ValidateLocaleString(GetParameter(parameters, "LOCALE"));
     cmdIndex = GetIntParameter(parameters, "CMDINDEX");
     target = GetIntParameter(parameters, "TGT");
     popup = GetIntParameter(parameters, "POPUP");
     clientWidth = GetIntParameter(parameters, "WIDTH");
+    matchLimit = GetIntParameter(parameters, "MR");
+    mapName = ValidateMapName(GetParameter(parameters, "MAPNAME"));
+
     layerId = GetParameter(parameters, "LAYER");
-    mapName = GetParameter(parameters, "MAPNAME");
-    sessionId = GetParameter(parameters, "SESSION");
     filter = GetParameter(parameters, "FILTER");
-    matchLimit = GetIntParameter(parameters, "MR");
 }
 
 </script>

Modified: trunk/MgDev/Web/src/mapviewernet/selectwithin.aspx
===================================================================
--- trunk/MgDev/Web/src/mapviewernet/selectwithin.aspx	2010-04-06 15:54:19 UTC (rev 4743)
+++ trunk/MgDev/Web/src/mapviewernet/selectwithin.aspx	2010-04-06 15:56:33 UTC (rev 4744)
@@ -29,7 +29,6 @@
 String sessionId = "";
 String layers = "";
 String inputSel = "";
-String dwf = "";
 </script>
 
 <%
@@ -174,11 +173,10 @@
 
 void GetParameters(NameValueCollection parameters)
 {
-    mapName = GetParameter(parameters, "MAPNAME");
-    sessionId = GetParameter(parameters, "SESSION");
+    sessionId = ValidateSessionId(GetParameter(parameters, "SESSION"));
+    mapName = ValidateMapName(GetParameter(parameters, "MAPNAME"));
     inputSel = GetParameter(parameters, "SELECTION");
     layers = GetParameter(parameters, "LAYERS");
-    dwf = GetParameter(parameters, "DWF");
 }
 
 </script>

Modified: trunk/MgDev/Web/src/mapviewernet/selectwithinui.aspx
===================================================================
--- trunk/MgDev/Web/src/mapviewernet/selectwithinui.aspx	2010-04-06 15:54:19 UTC (rev 4743)
+++ trunk/MgDev/Web/src/mapviewernet/selectwithinui.aspx	2010-04-06 15:56:33 UTC (rev 4744)
@@ -24,9 +24,9 @@
 
 <script runat="server">
 int popup = 0;
+int dwf = 0;
 String mapName = "";
 String sessionId = "";
-String dwf = "";
 String locale = "";
 </script>
 
@@ -47,7 +47,7 @@
                     GetSurroundVirtualPath(Request) + "selectwithin.aspx",
                     mapName,
                     sessionId,
-                    dwf
+                    dwf.ToString(NumberFormatInfo.InvariantInfo)
                     };
     Response.Write(Substitute(templ, vals));
 %>
@@ -64,11 +64,11 @@
 
 void GetParameters(NameValueCollection parameters)
 {
-    locale =  GetParameter(parameters, "LOCALE");
+    sessionId = ValidateSessionId(GetParameter(parameters, "SESSION"));
+    locale = ValidateLocaleString(GetParameter(parameters, "LOCALE"));
+    dwf = GetIntParameter(parameters, "DWF");
     popup = GetIntParameter(parameters, "POPUP");
-    mapName = GetParameter(parameters, "MAPNAME");
-    sessionId = GetParameter(parameters, "SESSION");
-    dwf = GetParameter(parameters, "DWF");
+    mapName = ValidateMapName(GetParameter(parameters, "MAPNAME"));
 }
 
 </script>

Modified: trunk/MgDev/Web/src/mapviewernet/setselection.aspx
===================================================================
--- trunk/MgDev/Web/src/mapviewernet/setselection.aspx	2010-04-06 15:54:19 UTC (rev 4743)
+++ trunk/MgDev/Web/src/mapviewernet/setselection.aspx	2010-04-06 15:56:33 UTC (rev 4744)
@@ -117,11 +117,11 @@
 
 void GetParameters(NameValueCollection parameters)
 {
-    mapName = GetParameter(parameters, "MAPNAME");
-    sessionId = GetParameter(parameters, "SESSION");
+    sessionId = ValidateSessionId(GetParameter(parameters, "SESSION"));
+    mapName = ValidateMapName(GetParameter(parameters, "MAPNAME"));
+    if(IsParameter(parameters, "QUERYINFO"))
+        queryInfo = GetIntParameter(parameters, "QUERYINFO") == 1;
     selText = GetParameter(parameters, "SELECTION");
-    if(IsParameter(parameters, "QUERYINFO"))
-        queryInfo = GetParameter(parameters, "QUERYINFO") == "1";
 }
 
 </script>

Modified: trunk/MgDev/Web/src/mapviewernet/statusbar.aspx
===================================================================
--- trunk/MgDev/Web/src/mapviewernet/statusbar.aspx	2010-04-06 15:54:19 UTC (rev 4743)
+++ trunk/MgDev/Web/src/mapviewernet/statusbar.aspx	2010-04-06 15:56:33 UTC (rev 4744)
@@ -46,7 +46,7 @@
 
 void GetParameters(NameValueCollection parameters)
 {
-    locale = GetParameter(parameters, "LOCALE");
+    locale = ValidateLocaleString(GetParameter(parameters, "LOCALE"));
 }
 
 </script>

Modified: trunk/MgDev/Web/src/mapviewernet/taskbar.aspx
===================================================================
--- trunk/MgDev/Web/src/mapviewernet/taskbar.aspx	2010-04-06 15:54:19 UTC (rev 4743)
+++ trunk/MgDev/Web/src/mapviewernet/taskbar.aspx	2010-04-06 15:56:33 UTC (rev 4744)
@@ -46,7 +46,7 @@
 
 void GetParameters(NameValueCollection parameters)
 {
-    locale = GetParameter(parameters, "LOCALE");
+    locale = ValidateLocaleString(GetParameter(parameters, "LOCALE"));
 }
 
 </script>

Modified: trunk/MgDev/Web/src/mapviewernet/taskframe.aspx
===================================================================
--- trunk/MgDev/Web/src/mapviewernet/taskframe.aspx	2010-04-06 15:54:19 UTC (rev 4743)
+++ trunk/MgDev/Web/src/mapviewernet/taskframe.aspx	2010-04-06 15:56:33 UTC (rev 4744)
@@ -1,5 +1,5 @@
 <%--
-Copyright (C) 2004-2010 by Autodesk, Inc.
+Copyright (C) 2004-2009 by Autodesk, Inc.
 This library is free software; you can redistribute it and/or
 modify it under the terms of version 2.1 of the GNU Lesser
 General Public License as published by the Free Software Foundation.
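Review bot: The copyright line moves backwards from `2004-2010` to `2004-2009`, which reads like an accidental revert from an older working copy rather than an intended change; no other file in this chunk touches its header. Drop this hunk so the line stays `Copyright (C) 2004-2010 by Autodesk, Inc.`.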
@@ -24,44 +24,79 @@
 <!-- #Include File="common.aspx -->
 
 <script runat="server">
-String taskPane = "";
-String session = "";
-String webLayout = "";
-String dwf = "";
+String sessionId = "";
+String webLayoutId = "";
+int dwf = 0;
 String locale = "";
 </script>
 
 <%
     Response.Charset = "utf-8";
+    MgLocalizer.SetLocalizedFilesPath(Request.ServerVariables["APPL_PHYSICAL_PATH"] + "..\\localized\\");
 
     GetRequestParameters();
 
-    String url = HttpUtility.UrlDecode(taskPane);
-    int index = url.IndexOf("?");
-
-    if(index > 0)
+    try
     {
-        String path = url.Substring(0, index);
-        String query = url.Substring(index+1);
+        InitializeWebTier();
 
-        if(query.Length > 0)
-            url = String.Format("{0}?SESSION={1}&WEBLAYOUT={2}&DWF={3}&LOCALE={4}&{5}", path, session, HttpUtility.UrlEncode(webLayout), dwf, locale, query);
+        MgUserInformation cred = new MgUserInformation(sessionId);
+        cred.SetClientIp(GetClientIp(Request));
+        cred.SetClientAgent(GetClientAgent());
+
+        //connect to the site and get a feature service and a resource service instances
+        MgSiteConnection site = new MgSiteConnection();
+        site.Open(cred);
+        
+        //Get the MgWebLayout object
+        MgResourceService resourceSrvc = (MgResourceService)site.CreateService(MgServiceType.ResourceService);
+        MgResourceIdentifier webLayoutResId = new MgResourceIdentifier(webLayoutId);
+        MgWebLayout webLayout = new MgWebLayout(resourceSrvc, webLayoutResId);
+        MgWebTaskPane taskPane = webLayout.GetTaskPane();
+        String taskPaneUrl = taskPane.GetInitialTaskUrl();
+        String vpath = GetSurroundVirtualPath(Request);
+        if (taskPaneUrl == null || taskPaneUrl.Length == 0)
+        {
+            taskPaneUrl = "gettingstarted.aspx";
+        }
+
+        String url = HttpUtility.UrlDecode(taskPaneUrl);
+        int index = url.IndexOf("?");
+
+        if(index > 0)
+        {
+            String path = url.Substring(0, index);
+            String query = url.Substring(index+1);
+
+            if(query.Length > 0)
+                url = String.Format("{0}?SESSION={1}&WEBLAYOUT={2}&DWF={3}&LOCALE={4}&{5}", path, sessionId, HttpUtility.UrlEncode(webLayoutId), dwf, locale, query);
+            else
+                url = String.Format("{0}?SESSION={1}&WEBLAYOUT={2}&DWF={3}&LOCALE={4}", path, sessionId, HttpUtility.UrlEncode(webLayoutId), dwf, locale);
+
+        }
         else
-            url = String.Format("{0}?SESSION={1}&WEBLAYOUT={2}&DWF={3}&LOCALE={4}", path, session, HttpUtility.UrlEncode(webLayout), dwf, locale);
+        {
+            url = String.Format("{0}?SESSION={1}&WEBLAYOUT={2}&DWF={3}&LOCALE={4}", taskPaneUrl, sessionId, HttpUtility.UrlEncode(webLayoutId), dwf, locale);
+        }
+        String templ = LoadTemplate(Request, "../viewerfiles/taskframe.templ");
+        String[] vals = {
+                    vpath + "tasklist.aspx",
+                    locale,
+                    url
+                    };
 
+        Response.Write(Substitute(templ, vals));
     }
-    else
+    catch (MgException exc)
     {
-        url = String.Format("{0}?SESSION={1}&WEBLAYOUT={2}&DWF={3}&LOCALE={4}", taskPane, session, HttpUtility.UrlEncode(webLayout), dwf, locale);
+        OnError(MgLocalizer.GetString("TASKS", locale), exc.GetMessage());
+        return;
     }
-    String templ = LoadTemplate(Request, "../viewerfiles/taskframe.templ");
-    String[] vals = {
-                    GetSurroundVirtualPath(Request) + "tasklist.aspx",
-                    locale,
-                    url
-                    };
-
-    Response.Write(Substitute(templ, vals));
+    catch (Exception ne)
+    {
+        OnError(MgLocalizer.GetString("TASKS", locale), ne.Message);
+        return;
+    }
 %>
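Review bot: `catch (Exception ne)` at the end of the hunk forwards `ne.Message` to the browser through OnError, and the MgException branch does the same with `exc.GetMessage()`; exception text from the resource service or the runtime can carry server paths, resource ids and configuration detail. Prefer logging the exception server-side and rendering a fixed localized message, keeping the raw message out of the response. The move from a TASK request parameter to `taskPane.GetInitialTaskUrl()` read from the web layout is the hardening here; note that `path` and `query` derived from that URL are still placed into the template unencoded, which is acceptable only because they are layout-author rather than request controlled.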
 
 <script runat="server">
@@ -75,11 +110,17 @@
 
 void GetParameters(NameValueCollection parameters)
 {
-    taskPane = GetParameter(parameters, "TASK");
-    session = GetParameter(parameters, "SESSION");
-    webLayout = GetParameter(parameters, "WEBLAYOUT");
-    dwf = GetParameter(parameters, "DWF");
-    locale = GetParameter(parameters, "LOCALE");
+    sessionId = ValidateSessionId(GetParameter(parameters, "SESSION"));
+    locale = ValidateLocaleString(GetParameter(parameters, "LOCALE"));
+    webLayoutId = ValidateResourceId(GetParameter(parameters, "WEBLAYOUT"));
+    dwf = GetIntParameter(parameters, "DWF");
 }
 
+void OnError(String title, String msg)
+{
+    String templ = MgLocalizer.Localize(LoadTemplate(Request, "../viewerfiles/errorpage.templ"), locale, GetClientOS(Request));
+    String[] vals = { "0", title, msg };
+    Response.Write(Substitute(templ, vals));
+}
+
 </script>
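Review bot: OnError writes `title` and `msg` into errorpage.templ without EscapeForHtml, while this same commit escapes `title` in printablepage.aspx and `layerId` in searchprompt.aspx; the `msg` it receives is exception text that can echo request-supplied values such as the WEBLAYOUT id. Unless the template's placeholders are in a non-HTML context, use `String[] vals = { "0", EscapeForHtml(title), EscapeForHtml(msg) };`.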

Modified: trunk/MgDev/Web/src/mapviewernet/tasklist.aspx
===================================================================
--- trunk/MgDev/Web/src/mapviewernet/tasklist.aspx	2010-04-06 15:54:19 UTC (rev 4743)
+++ trunk/MgDev/Web/src/mapviewernet/tasklist.aspx	2010-04-06 15:56:33 UTC (rev 4744)
@@ -44,7 +44,7 @@
 
 void GetParameters(NameValueCollection parameters)
 {
-    locale = GetParameter(parameters, "LOCALE");
+    locale = ValidateLocaleString(GetParameter(parameters, "LOCALE"));
 }
 
 </script>

Modified: trunk/MgDev/Web/src/mapviewernet/viewoptions.aspx
===================================================================
--- trunk/MgDev/Web/src/mapviewernet/viewoptions.aspx	2010-04-06 15:54:19 UTC (rev 4743)
+++ trunk/MgDev/Web/src/mapviewernet/viewoptions.aspx	2010-04-06 15:56:33 UTC (rev 4744)
@@ -60,10 +60,10 @@
 
 void GetParameters(NameValueCollection parameters)
 {
+    locale = ValidateLocaleString(GetParameter(parameters, "LOCALE"));
     tgt = GetIntParameter(parameters, "TGT");
     popup = GetIntParameter(parameters, "POPUP");
     dwf = GetIntParameter(parameters, "DWF");
-    locale = GetParameter(parameters, "LOCALE");
 }
 
 </script>

Modified: trunk/MgDev/Web/src/mapviewerphp/ajaxviewerabout.php
===================================================================
--- trunk/MgDev/Web/src/mapviewerphp/ajaxviewerabout.php	2010-04-06 15:54:19 UTC (rev 4743)
+++ trunk/MgDev/Web/src/mapviewerphp/ajaxviewerabout.php	2010-04-06 15:56:33 UTC (rev 4744)
@@ -70,8 +70,8 @@
 {
     global $sessionId, $locale;
 
-    $sessionId = $params['SESSION'];
-    $locale = $params['LOCALE'];
+    $sessionId = ValidateSessionId(GetParameter($params, 'SESSION'));
+    $locale = ValidateLocaleString(GetParameter($params, 'LOCALE'));
 }
 
 function GetRequestParameters()

Modified: trunk/MgDev/Web/src/mapviewerphp/buffer.php
===================================================================
--- trunk/MgDev/Web/src/mapviewerphp/buffer.php	2010-04-06 15:54:19 UTC (rev 4743)
+++ trunk/MgDev/Web/src/mapviewerphp/buffer.php	2010-04-06 15:56:33 UTC (rev 4744)
@@ -29,12 +29,12 @@
     $lcolor = "";
     $ffcolor = "";
     $fbcolor = "";
-    $transparent = "";
+    $transparent = 0;
     $distance = 0;
     $units = "";
     $linestyle = "";
     $fillstyle = "";
-    $thickness = "";
+    $thickness = 0;
     $merge = 0;
     $foretrans = 50;
     $selText = "";
@@ -362,27 +362,27 @@
     global $mapName, $sessionId, $bufferName, $lcolor, $ffcolor, $fbcolor, $layersParam, $popup;
     global $transparent, $distance, $units, $linestyle, $fillstyle, $thickness, $merge, $foretrans;
 
-    if(isset($params['LOCALE']))
-        $locale = $params['LOCALE'];
+    $sessionId = ValidateSessionId(GetParameter($params, 'SESSION'));
+    $locale = ValidateLocaleString(GetParameter($params, 'LOCALE'));
+    $mapName = ValidateMapName(GetParameter($params, 'MAPNAME'));
 
-    $mapName = $params['MAPNAME'];
-    $sessionId = $params['SESSION'];
-    $popup = $params['POPUP'];
-    $bufferName = $params['BUFFER'];
-    $layersParam = $params['LAYERS'];
-    $lcolor = $params['LCOLOR'];
-    $ffcolor = $params['FFCOLOR'];
-    $fbcolor = $params['FBCOLOR'];
-    $foretrans = $params['FORETRANS'];
-    $transparent = $params['TRANSPARENT'];
-    $distance = GetDecimalFromLocalizedString($params['DISTANCE'], $locale);
-    $units = $params['UNITS'];
-    $linestyle = $params['LINESTYLE'];
-    $fillstyle = $params['FILLSTYLE'];
-    $thickness = $params['THICKNESS'];
+    $lcolor = ValidateColorString(GetParameter($params, 'LCOLOR'));
+    $ffcolor = ValidateColorString(GetParameter($params, 'FFCOLOR'));
+    $fbcolor = ValidateColorString(GetParameter($params, 'FBCOLOR'));
+    $popup = GetIntParameter($params, 'POPUP');
+    $transparent = GetIntParameter($params, 'TRANSPARENT');
+    $distance = GetDecimalFromLocalizedString(GetParameter($params, 'DISTANCE'), $locale);
     if(isset($params['MERGE']))
         $merge = 1;
-    $selText = $params['SELECTION'];
+    $foretrans = GetDoubleParameter($params, 'FORETRANS');
+    $thickness = GetDoubleParameter($params, 'THICKNESS');
+    $bufferName = GetParameter($params, 'BUFFER');
+    
+    $layersParam = GetParameter($params, 'LAYERS');
+    $units = GetParameter($params, 'UNITS');
+    $linestyle = GetParameter($params, 'LINESTYLE');
+    $fillstyle = GetParameter($params, 'FILLSTYLE');
+    $selText = GetParameter($params, 'SELECTION');
 
     //unescape strings
     //

Modified: trunk/MgDev/Web/src/mapviewerphp/bufferui.php
===================================================================
--- trunk/MgDev/Web/src/mapviewerphp/bufferui.php	2010-04-06 15:54:19 UTC (rev 4743)
+++ trunk/MgDev/Web/src/mapviewerphp/bufferui.php	2010-04-06 15:56:33 UTC (rev 4744)
@@ -48,11 +48,11 @@
 {
     global $target, $cmdIndex, $clientWidth, $mapName, $sessionId, $popup, $us, $locale;
 
-    $locale = $params['LOCALE'];
-    $mapName = $params['MAPNAME'];
-    $sessionId = $params['SESSION'];
-    $popup = $params['POPUP'];
-    $us = $params['US'];
+    $sessionId = ValidateSessionId(GetParameter($params, 'SESSION'));
+    $locale = ValidateLocaleString(GetParameter($params, 'LOCALE'));
+    $mapName = ValidateMapName(GetParameter($params, 'MAPNAME'));
+    $popup = GetIntParameter($params, 'POPUP');
+    $us = GetParameter($params, 'US');
 }
 
 function GetRequestParameters()

Modified: trunk/MgDev/Web/src/mapviewerphp/colorpicker.php
===================================================================
--- trunk/MgDev/Web/src/mapviewerphp/colorpicker.php	2010-04-06 15:54:19 UTC (rev 4743)
+++ trunk/MgDev/Web/src/mapviewerphp/colorpicker.php	2010-04-06 15:56:33 UTC (rev 4744)
@@ -22,26 +22,25 @@
 
     $locale = "";
     $clr = "000000";
-    $allowTransparency = 0;
-    $transparent = 0;
+    $allowTransparency = false;
+    $transparent = false;
 
     GetRequestParameters();
 
     $templ = file_get_contents("../viewerfiles/colorpicker.templ");
     SetLocalizedFilesPath(GetLocalizationPath());
     $templ = Localize($templ, $locale, GetClientOS());
-    print sprintf($templ, $clr, $allowTransparency? "true": "false", $transparent? "true": "false");
+    print sprintf($templ, $clr, $allowTransparency ? "true": "false", $transparent ? "true": "false");
 
 
 function GetParameters($params)
 {
     global $clr, $allowTransparency, $transparent, $locale;
 
-    if(isset($params['LOCALE']))
-        $locale = $params['LOCALE'];
-    $clr = $params['CLR'];
-    $allowTransparency = $params['ALLOWTRANS'];
-    $transparent = $params['TRANS'];
+    $locale = ValidateLocaleString(GetParameter($params, 'LOCALE'));
+    $clr = ValidateColorString(GetParameter($params, 'CLR'));
+    $allowTransparency = (GetIntParameter($params, 'ALLOWTRANS') == 1);
+    $transparent = (GetIntParameter($params, 'TRANS') == 1);
 }
 
 function GetRequestParameters()

Modified: trunk/MgDev/Web/src/mapviewerphp/common.php
===================================================================
--- trunk/MgDev/Web/src/mapviewerphp/common.php	2010-04-06 15:54:19 UTC (rev 4743)
+++ trunk/MgDev/Web/src/mapviewerphp/common.php	2010-04-06 15:56:33 UTC (rev 4744)
@@ -158,4 +158,127 @@
     return "Ajax Viewer";
 }
 
+function ValidateSessionId($proposedSessionId)
+{
+    // 00000000-0000-0000-0000-000000000000_aa_00000000000000000000
+    $validSessionId = "";
+    if($proposedSessionId != null &&
+        preg_match('/^[A-Fa-f0-9]{8}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{12}_[A-Za-z]{2}_[A-Fa-f0-9]{20}$/', $proposedSessionId))
+    {
+        $validSessionId = $proposedSessionId;
+    }
+    return $validSessionId;
+}
+
+function ValidateLocaleString($proposedLocaleString)
+{
+    // aa or aa-aa
+    $validLocaleString = GetDefaultLocale(); // Default
+    if($proposedLocaleString != null &&
+        (preg_match('/^[A-Za-z]{2}$/', $proposedLocaleString) || preg_match('/^[A-Za-z]{2}-[A-Za-z]{2}$/', $proposedLocaleString)))
+    {
+        $validLocaleString = $proposedLocaleString;
+    }
+    return $validLocaleString;
+}
+
+function ValidateHyperlinkTargetValue($proposedHyperlinkTarget)
+{
+    // 1, 2 or 3
+    $validHyperlinkTarget = "1"; // Default
+    if($proposedHyperlinkTarget != null && preg_match('/^[1-3]$/', $proposedHyperlinkTarget))
+    {
+        $validHyperlinkTarget = $proposedHyperlinkTarget;
+    }
+    return $validHyperlinkTarget;
+}
+
+function ValidateFrameName($proposedFrameName)
+{
+    // Allowing alphanumeric characters and underscores in the frame name
+    $validFrameName = "";
+    if($proposedFrameName != null && preg_match('/^[a-zA-Z0-9_]*$/', $proposedFrameName))
+    {
+        $validFrameName = $proposedFrameName;
+    }
+    return $validFrameName;
+}
+
+function ValidateIntegerString($proposedNumberString)
+{
+    // Allow numeric characters only
+    $validNumberString = "";
+    if($proposedNumberString != null && preg_match('/^[0-9]*$/', $proposedNumberString))
+    {
+        $validNumberString = $proposedNumberString;
+    }
+    return $validNumberString;
+}
+
+function ValidateResourceId($proposedResourceId)
+{
+    $validResourceId = "";
+    try
+    {
+        $resId = new MgResourceIdentifier($proposedResourceId);
+        $validResourceId = $resId->ToString();
+    }
+    catch(MgException $ex)
+    {
+        $validResourceId = "";
+    }
+    return $validResourceId;
+}
+
+function ValidateMapName($proposedMapName)
+{
+    $validMapName = "";
+    if (strcspn($proposedMapName, "*:|?<'&\">=") == strlen($proposedMapName))
+    {
+        $validMapName = $proposedMapName;
+    }
+    return $validMapName;
+}
+
+function ValidateColorString($proposedColorString)
+{
+    $validColorString = "000000";
+    if ($proposedColorString != null && preg_match('/^[A-Fa-f0-9]{6}$/', $proposedColorString))
+    {
+        $validColorString = $proposedColorString;
+    }
+    return $validColorString;
+}
+
+function GetParameter($params, $paramName)
+{
+	$paramValue = "";
+
+	if(isset($params[$paramName]))
+	{
+		$paramValue = $params[$paramName];
+	}
+	return $paramValue;
+}
+
+function GetIntParameter($params, $paramName)
+{
+	$paramValue = 0;
+	if(isset($params[$paramName]) && is_numeric($params[$paramName]))
+	{
+		$paramValue = intval($params[$paramName]);
+	}
+	return $paramValue;
+}
+
+function GetDoubleParameter($params, $paramName)
+{
+	$paramValue = 0.0;
+	if(isset($params[$paramName]) && is_numeric($params[$paramName]))
+	{
+		$paramValue = doubleval($params[$paramName]);
+	}
+	return $paramValue;
+}
+
 ?>
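Review bot: The anchored patterns in ValidateSessionId, ValidateLocaleString, ValidateHyperlinkTargetValue, ValidateFrameName, ValidateIntegerString and ValidateColorString end in `$`, which in PCRE also matches just before a final newline, so a value such as `"en\n"` or a session id with a trailing newline passes and is returned verbatim, newline included, to be written into URLs and templates. Terminate the patterns with `\z` or add the `D` modifier, e.g. `preg_match('/^[A-Fa-f0-9]{6}$/D', $proposedColorString)`; if the .NET validators use the same patterns with Regex, `$` behaves the same way there. ValidateMapName is the one denylist among allowlists: `/`, `\`, `;`, `%` and control characters still pass `strcspn`, so if map names are known to be limited to a character set, an allowlist regex in the style of ValidateFrameName would be consistent with the rest of the file. GetParameter, GetIntParameter and GetDoubleParameter are indented with tabs where the rest of common.php uses four spaces.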

Modified: trunk/MgDev/Web/src/mapviewerphp/gettingstarted.php
===================================================================
--- trunk/MgDev/Web/src/mapviewerphp/gettingstarted.php	2010-04-06 15:54:19 UTC (rev 4743)
+++ trunk/MgDev/Web/src/mapviewerphp/gettingstarted.php	2010-04-06 15:56:33 UTC (rev 4744)
@@ -91,15 +91,11 @@
 {
     global $sessionId, $webLayout, $pageName, $dwf, $locale;
 
-    $sessionId = $params['SESSION'];
-    $webLayout = $params['WEBLAYOUT'];
-    if(isset($params['PAGE']))
-        $pageName = $params['PAGE'];
-    $dwf = $params['DWF'] == "1";
-    if(isset($params['LOCALE']))
-        $locale = $params['LOCALE'];
-    else
-        $locale = GetDefaultLocale();
+    $sessionId = ValidateSessionId(GetParameter($params, 'SESSION'));
+    $locale = ValidateLocaleString(GetParameter($params, 'LOCALE'));
+    $webLayout = ValidateResourceId(GetParameter($params, 'WEBLAYOUT'));
+    $dwf = (GetIntParameter($params, 'DWF') == 1);
+    $pageName = GetParameter($params, 'PAGE');
 }
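Review bot: `$pageName = GetParameter($params, 'PAGE');` now assigns unconditionally, whereas the removed code only set `$pageName` when PAGE was present; if `$pageName` carries a non-empty initial value above this hunk, an absent PAGE now clears it to "". If that default matters, keep the guard: `if(isset($params['PAGE'])) $pageName = GetParameter($params, 'PAGE');`. Whether PAGE later selects a file or template is not visible here; if it does, it should go through an allowlist validator like ValidateFrameName rather than pass through raw.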
 
 function GetRequestParameters()

Modified: trunk/MgDev/Web/src/mapviewerphp/legend.php
===================================================================
--- trunk/MgDev/Web/src/mapviewerphp/legend.php	2010-04-06 15:54:19 UTC (rev 4743)
+++ trunk/MgDev/Web/src/mapviewerphp/legend.php	2010-04-06 15:56:33 UTC (rev 4744)
@@ -55,7 +55,6 @@
     $sessionId = "";
     $summary = false;
     $layerCount = 0;
-    $layerIds = array();
     $intermediateVar = 0;
 
     GetRequestParameters();
@@ -409,20 +408,15 @@
 
 function GetParameters($params)
 {
-    global $mapName, $sessionId, $summary, $layerCount, $layerIds;
+    global $mapName, $sessionId, $summary, $layerCount;
 
-    $mapName = $params['MAPNAME'];
-    $sessionId = $params['SESSION'];
+    $sessionId = ValidateSessionId(GetParameter($params, 'SESSION'));
+    $mapName = ValidateMapName(GetParameter($params, 'MAPNAME'));
     if(isset($params['SUMMARY']))
         $summary = true;
     else
     {
-        $layerCount = $params['LC'];
-        if($layerCount > 0)
-        {
-            $layers = $params['LAYERS'];
-            $layerIds = explode(",", $layers);
-        }
+        $layerCount = GetIntParameter($params, 'LC');
     }
 }
 

Modified: trunk/MgDev/Web/src/mapviewerphp/legendctrl.php
===================================================================
--- trunk/MgDev/Web/src/mapviewerphp/legendctrl.php	2010-04-06 15:54:19 UTC (rev 4743)
+++ trunk/MgDev/Web/src/mapviewerphp/legendctrl.php	2010-04-06 15:56:33 UTC (rev 4744)
@@ -41,13 +41,13 @@
 {
     global $mapName, $sessionId, $mapFrame, $locale;
 
-    $mapName = $params['MAPNAME'];
-    $sessionId = $params['SESSION'];
+    $sessionId = ValidateSessionId(GetParameter($params, 'SESSION'));
+    $locale = ValidateLocaleString(GetParameter($params, 'LOCALE'));
+    $mapName = ValidateMapName(GetParameter($params, 'MAPNAME'));
     if(isset($params['MAPFRAME']))
-        $mapFrame = $params['MAPFRAME'];
+        $mapFrame = ValidateFrameName(GetParameter($params, 'MAPFRAME'));
     else
         $mapFrame = "parent";
-    $locale = $params['LOCALE'];
 }
 
 function GetRequestParameters()
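Review bot: The `isset($params['MAPFRAME'])` guard means an explicitly empty `MAPFRAME=` reaches ValidateFrameName("") instead of falling back to "parent"; whether that validator tolerates an empty name is not visible in this diff. Consider `$mapFrame = GetParameter($params, 'MAPFRAME'); $mapFrame = ($mapFrame == "") ? "parent" : ValidateFrameName($mapFrame);`, which also removes the double lookup. The same guard pattern appears in propertyctrl.php's GetParameters in this commit.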

Modified: trunk/MgDev/Web/src/mapviewerphp/legendui.php
===================================================================
--- trunk/MgDev/Web/src/mapviewerphp/legendui.php	2010-04-06 15:54:19 UTC (rev 4743)
+++ trunk/MgDev/Web/src/mapviewerphp/legendui.php	2010-04-06 15:56:33 UTC (rev 4744)
@@ -32,7 +32,7 @@
 {
     global $locale;
 
-    $locale = $params['LOCALE'];
+    $locale = ValidateLocaleString(GetParameter($params, 'LOCALE'));
 }
 
 function GetRequestParameters()

Modified: trunk/MgDev/Web/src/mapviewerphp/mainframe.php
===================================================================
--- trunk/MgDev/Web/src/mapviewerphp/mainframe.php	2010-04-06 15:54:19 UTC (rev 4743)
+++ trunk/MgDev/Web/src/mapviewerphp/mainframe.php	2010-04-06 15:56:33 UTC (rev 4744)
@@ -168,7 +168,7 @@
         //
         $srcToolbar = $showToolbar? ('src="' . $vpath . 'toolbar.php?LOCALE=' . $locale . '"'): '';
         $srcStatusbar = $showStatusbar? ('src="' . $vpath . 'statusbar.php?LOCALE=' . $locale . '"') : "";
-        $srcTaskFrame = $showTaskPane? ('src="' . $vpath . 'taskframe.php?TASK=' . $taskPaneUrl . '&WEBLAYOUT=' . urlencode($webLayoutDefinition) . '&DWF=' . ($forDwf? "1": "0") . '&SESSION=' . ($sessionId != ""? $sessionId: "") . '&LOCALE=' . $locale . '"') : '';
+        $srcTaskFrame = $showTaskPane? ('src="' . $vpath . 'taskframe.php?WEBLAYOUT=' . urlencode($webLayoutDefinition) . '&DWF=' . ($forDwf? "1": "0") . '&SESSION=' . ($sessionId != ""? $sessionId: "") . '&LOCALE=' . $locale . '"') : '';
         $srcTaskBar = 'src="' . $vpath . 'taskbar.php?LOCALE=' . $locale . '"';
 
         //view center
@@ -581,25 +581,21 @@
     global $debug, $webLayoutDefinition;
     global $sessionId, $username, $password, $orgSessionId, $locale;
 
-    $webLayoutDefinition = $params['WEBLAYOUT'];
+	$sessionId = ValidateSessionId(GetParameter($params, 'SESSION'));
+    $locale = ValidateLocaleString(GetParameter($params, 'LOCALE'));
+    $webLayoutDefinition = ValidateResourceId(GetParameter($params, 'WEBLAYOUT'));
 
-    if(isset($params['LOCALE']))
-        $locale = $params['LOCALE'];
-    else
-        $locale = GetDefaultLocale();
-
     if(isset($params['SESSION']))
     {
-        $sessionId = $params['SESSION'];
         $orgSessionId = $sessionId;
     }
     else
     {
         if(isset($params['USERNAME']))
         {
-            $username = $params['USERNAME'];
+            $username = GetParameter($params, 'USERNAME');
             if(isset($params['PASSWORD']))
-                $password = $params['PASSWORD'];
+                $password = GetParameter($params, 'PASSWORD');
             return;
         }
 
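Review bot: `ValidateSessionId(GetParameter($params, 'SESSION'))` now runs before the `isset($params['SESSION'])` check, so on the username/password path the validator is called with ""; if it rejects or throws on an empty id the credential branch below becomes unreachable, and since the validator is not in this diff, confirm it tolerates "" or move the call inside the `if`. Separately, the new `$sessionId` line is indented with a tab while the rest of the block uses four spaces; the same tab slipped into mapframe.php (`$showLegend`), measureui.php (`$target`), printablepageui.php (`$popup`) and selectwithin.php (`$inputSel`), and the `$mapName` lines in measureui.php and printablepageui.php carry trailing spaces. The function's closing brace is outside the hunk.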

Modified: trunk/MgDev/Web/src/mapviewerphp/mapframe.php
===================================================================
--- trunk/MgDev/Web/src/mapviewerphp/mapframe.php	2010-04-06 15:54:19 UTC (rev 4743)
+++ trunk/MgDev/Web/src/mapviewerphp/mapframe.php	2010-04-06 15:56:33 UTC (rev 4744)
@@ -35,9 +35,6 @@
 
 GetRequestParameters();
 
-if($locale == "")
-    $locale = GetDefaultLocale();
-
 SetLocalizedFilesPath(GetLocalizationPath());
 
 if($type == "DWF")
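Review bot: Dropping the `GetDefaultLocale()` fallback makes an absent LOCALE depend entirely on ValidateLocaleString("") returning the default; that function is not in this diff, so confirm it does, otherwise `$locale` is still "" when `SetLocalizedFilesPath(GetLocalizationPath())` runs on the next line. gettingstarted.php and mainframe.php remove the same fallback in this commit without a visible replacement.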
@@ -170,30 +167,17 @@
     global $infoWidth, $showLegend, $showProperties, $sessionId;
     global $locale, $hlTgt, $hlTgtName, $showSlider;
 
-    $type = $params['TYPE'];
-    $hlTgt = $params['HLTGT'];
-    $hlTgtName = $params['HLTGTNAME'];
 
-    if(isset($params['LOCALE']))
-        $locale = $params['LOCALE'];
-
-    if(isset($params['INFOWIDTH']))
-        $infoWidth = $params['INFOWIDTH'];
-
-    if(isset($params['SHOWLEGEND']))
-        $showLegend = $params['SHOWLEGEND'];
-
-    if(isset($params['SHOWPROP']))
-        $showProperties = $params['SHOWPROP'];
-
-    if(isset($params['MAPDEFINITION']))
-        $mapDefinition = $params['MAPDEFINITION'];
-
-    if(isset($params['SESSION']))
-        $sessionId = $params['SESSION'];
-
-    if(isset($params['SHOWSLIDER']))
-        $showSlider = $params['SHOWSLIDER'] == "1";
+    $sessionId = ValidateSessionId(GetParameter($params, 'SESSION'));
+    $locale = ValidateLocaleString(GetParameter($params, 'LOCALE'));
+    $hlTgt = ValidateHyperlinkTargetValue(GetParameter($params, 'HLTGT'));
+    $hlTgtName = ValidateFrameName(GetParameter($params, 'HLTGTNAME'));
+    $mapDefinition = ValidateResourceId(GetParameter($params, 'MAPDEFINITION'));
+	$showLegend = (GetIntParameter($params, 'SHOWLEGEND') == 1);
+    $showProperties = (GetIntParameter($params, 'SHOWPROP') == 1);
+    $showSlider = (GetIntParameter($params, 'SHOWSLIDER') == 1);
+    $infoWidth = GetIntParameter($params, 'INFOWIDTH');
+    $type = GetParameter($params, 'TYPE');
 }
 
 function GetRequestParameters()
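Review bot: GetIntParameter returns 0 when the key is absent, so INFOWIDTH, SHOWLEGEND, SHOWPROP and SHOWSLIDER are now always assigned, whereas the removed code left each global's initial value alone when the key was missing; any non-zero default set before GetRequestParameters() is now silently replaced with 0 or false. If those defaults matter, keep an `isset` guard around those four assignments or give the getter an explicit default. The two consecutive blank lines now left at the top of the body could be collapsed to one.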

Modified: trunk/MgDev/Web/src/mapviewerphp/measure.php
===================================================================
--- trunk/MgDev/Web/src/mapviewerphp/measure.php	2010-04-06 15:54:19 UTC (rev 4743)
+++ trunk/MgDev/Web/src/mapviewerphp/measure.php	2010-04-06 15:56:33 UTC (rev 4744)
@@ -285,23 +285,23 @@
     global $mapName, $sessionId, $x1, $y1, $x2, $y2, $popup;
     global $total, $clear, $us, $segId, $target, $locale;
 
-    if(isset($params['LOCALE']))
-        $locale = $params['LOCALE'];
-    $mapName = $params['MAPNAME'];
-    $sessionId = $params['SESSION'];
-    $target = $params['TGT'];
-    $popup = $params['POPUP'];
+    $sessionId = ValidateSessionId(GetParameter($params, 'SESSION'));
+    $locale = ValidateLocaleString(GetParameter($params, 'LOCALE'));
+    $mapName = ValidateMapName(GetParameter($params, 'MAPNAME'));
+
+    $target = GetIntParameter($params, 'TGT');
+    $popup = GetIntParameter($params, 'POPUP');
     if(isset($params['CLEAR']))
         $clear = true;
     else
     {
-        $x1 = $params['X1'];
-        $y1 = $params['Y1'];
-        $x2 = $params['X2'];
-        $y2 = $params['Y2'];
-        $total = $params['TOTAL'];
-        $us = $params['US'];
-        $segId = $params['SEGID'];
+        $us = GetIntParameter($params, 'US');
+        $segId = GetIntParameter($params, 'SEGID');
+        $x1 = GetDoubleParameter($params, 'X1');
+        $y1 = GetDoubleParameter($params, 'Y1');
+        $x2 = GetDoubleParameter($params, 'X2');
+        $y2 = GetDoubleParameter($params, 'Y2');
+        $total = GetDoubleParameter($params, 'TOTAL');
     }
 }
 

Modified: trunk/MgDev/Web/src/mapviewerphp/measureui.php
===================================================================
--- trunk/MgDev/Web/src/mapviewerphp/measureui.php	2010-04-06 15:54:19 UTC (rev 4743)
+++ trunk/MgDev/Web/src/mapviewerphp/measureui.php	2010-04-06 15:56:33 UTC (rev 4744)
@@ -22,8 +22,8 @@
     $target = 0;
     $locale = "";
     $popup = 0;
-    $cmdIndex = "";
-    $clientWidth = "";
+    $cmdIndex = 0;
+    $clientWidth = 0;
     $mapName = "";
     $sessionId = "";
     $total = 0;
@@ -42,15 +42,14 @@
 {
     global $target, $cmdIndex, $clientWidth, $mapName, $sessionId, $total, $popup, $locale;
 
-    if(isset($params['LOCALE']))
-        $locale = $params['LOCALE'];
-    $target = $params['TGT'];
-    $popup = $params['POPUP'];
-    $cmdIndex = $params['CMDINDEX'];
-    $clientWidth = $params['WIDTH'];
-    $mapName = $params['MAPNAME'];
-    $sessionId = $params['SESSION'];
-    $total = $params['TOTAL'];
+    $sessionId = ValidateSessionId(GetParameter($params, 'SESSION'));
+    $locale = ValidateLocaleString(GetParameter($params, 'LOCALE'));
+    $mapName = ValidateMapName(GetParameter($params, 'MAPNAME'));    
+	$target = GetIntParameter($params, 'TGT');
+    $popup = GetIntParameter($params, 'POPUP');
+    $cmdIndex = GetIntParameter($params, 'CMDINDEX');
+    $clientWidth = GetIntParameter($params, 'WIDTH');
+    $total = GetDoubleParameter($params, 'TOTAL');
 }
 
 function GetRequestParameters()

Modified: trunk/MgDev/Web/src/mapviewerphp/printablepage.php
===================================================================
--- trunk/MgDev/Web/src/mapviewerphp/printablepage.php	2010-04-06 15:54:19 UTC (rev 4743)
+++ trunk/MgDev/Web/src/mapviewerphp/printablepage.php	2010-04-06 15:56:33 UTC (rev 4744)
@@ -23,14 +23,14 @@
     $locale = "";
     $mapName = "";
     $sessionId = "";
-    $isTitle = "";
-    $isLegend = "";
-    $isArrow = "";
+    $isTitle = 0;
+    $isLegend = 0;
+    $isArrow = 0;
     $title = "";
-    $scale = "";
-    $centerX = "";
-    $centerY = "";
-    $dpi = "";
+    $scale = 0;
+    $centerX = 0;
+    $centerY = 0;
+    $dpi = 0;
 
     GetRequestParameters();
 
@@ -50,7 +50,7 @@
                   $isTitle,
                   $isLegend,
                   $isArrow,
-                  $isTitle == "1"? $title: "",
+                  $isTitle == 1 ? EscapeForHtml($title) : "",
                   $agent,
                   $mapName,
                   $sessionId
@@ -62,18 +62,17 @@
     global $scale, $centerX, $centerY, $dpi;
     global $isTitle, $isLegend, $isArrow;
 
-    if(isset($params['LOCALE']))
-        $locale = $params['LOCALE'];
-    $mapName = $params['MAPNAME'];
-    $sessionId = $params['SESSION'];
-    $isTitle = $params['ISTITLE'];
-    $isLegend = $params['ISLEGEND'];
-    $isArrow = $params['ISARROW'];
-    $title = $params['TITLE'];
-    $scale = $params['SCALE'];
-    $centerX = $params['CENTERX'];
-    $centerY = $params['CENTERY'];
-    $dpi = $params['DPI'];
+    $sessionId = ValidateSessionId(GetParameter($params, 'SESSION'));
+    $locale = ValidateLocaleString(GetParameter($params, 'LOCALE'));
+    $mapName = ValidateMapName(GetParameter($params, 'MAPNAME'));
+    $isTitle = GetIntParameter($params, 'ISTITLE');
+    $isLegend = GetIntParameter($params, 'ISLEGEND');
+    $isArrow = GetIntParameter($params, 'ISARROW');
+    $dpi = GetIntParameter($params, 'DPI');
+    $scale = GetDoubleParameter($params, 'SCALE');
+    $centerX = GetDoubleParameter($params, 'CENTERX');
+    $centerY = GetDoubleParameter($params, 'CENTERY');
+    $title = GetParameter($params, 'TITLE');
 }
 
 function GetRequestParameters()

Modified: trunk/MgDev/Web/src/mapviewerphp/printablepageui.php
===================================================================
--- trunk/MgDev/Web/src/mapviewerphp/printablepageui.php	2010-04-06 15:54:19 UTC (rev 4743)
+++ trunk/MgDev/Web/src/mapviewerphp/printablepageui.php	2010-04-06 15:56:33 UTC (rev 4744)
@@ -22,14 +22,14 @@
 
     $locale = "";
     $popup = 0;
-    $clientWidth = "";
+    $clientWidth = 0;
     $layerId = "";
     $mapName = "";
     $sessionId = "";
     $scale = "";
     $centerX = "";
     $centerY = "";
-    $dpi = "";
+    $dpi = 0;
 
     GetRequestParameters();
 
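Review bot: `$scale`, `$centerX` and `$centerY` keep their `""` initialisers although GetParameters now assigns them through GetDoubleParameter, whose default is 0.0; printablepage.php in this same commit changed the matching initialisers to numeric values. Use `$scale = 0.0; $centerX = 0.0; $centerY = 0.0;` here so the pre-request and post-request types agree, matching the `$clientWidth`/`$dpi` change already made in this hunk.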
@@ -54,16 +54,15 @@
     global $mapName, $sessionId;
     global $scale, $centerX, $centerY, $dpi;
 
-    if(isset($params['LOCALE']))
-        $locale = $params['LOCALE'];
-    $popup = $params['POPUP'];
-    $clientWidth = $params['WIDTH'];
-    $mapName = $params['MAPNAME'];
-    $sessionId = $params['SESSION'];
-    $scale = $params['SCALE'];
-    $centerX = $params['CENTERX'];
-    $centerY = $params['CENTERY'];
-    $dpi = $params['DPI'];
+    $sessionId = ValidateSessionId(GetParameter($params, 'SESSION'));
+    $locale = ValidateLocaleString(GetParameter($params, 'LOCALE'));
+    $mapName = ValidateMapName(GetParameter($params, 'MAPNAME'));    
+	$popup = GetIntParameter($params, 'POPUP');
+    $clientWidth = GetIntParameter($params, 'WIDTH');
+    $dpi = GetIntParameter($params, 'DPI');
+    $scale = GetDoubleParameter($params, 'SCALE');
+    $centerX = GetDoubleParameter($params, 'CENTERX');
+    $centerY = GetDoubleParameter($params, 'CENTERY');
 }
 
 function GetRequestParameters()

Modified: trunk/MgDev/Web/src/mapviewerphp/propertyctrl.php
===================================================================
--- trunk/MgDev/Web/src/mapviewerphp/propertyctrl.php	2010-04-06 15:54:19 UTC (rev 4743)
+++ trunk/MgDev/Web/src/mapviewerphp/propertyctrl.php	2010-04-06 15:56:33 UTC (rev 4744)
@@ -34,10 +34,9 @@
 {
     global $locale, $mapFrame;
 
-    if(isset($params['LOCALE']))
-        $locale = $params['LOCALE'];
+    $locale = ValidateLocaleString(GetParameter($params, 'LOCALE'));
     if(isset($params['MAPFRAME']))
-        $mapFrame = $params['MAPFRAME'];
+        $mapFrame = ValidateFrameName(GetParameter($params, 'MAPFRAME'));
     else
         $mapFrame = "parent";
 }

Modified: trunk/MgDev/Web/src/mapviewerphp/search.php
===================================================================
--- trunk/MgDev/Web/src/mapviewerphp/search.php	2010-04-06 15:54:19 UTC (rev 4743)
+++ trunk/MgDev/Web/src/mapviewerphp/search.php	2010-04-06 15:56:33 UTC (rev 4744)
@@ -1,7 +1,7 @@
 <?php
 
 //
-//  Copyright (C) 2004-2010 by Autodesk, Inc.
+//  Copyright (C) 2004-2009 by Autodesk, Inc.
 //
 //  This library is free software; you can redistribute it and/or
 //  modify it under the terms of version 2.1 of the GNU Lesser
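Review bot: The copyright range regresses from 2004-2010 to 2004-2009, which looks like an accidental revert from a stale working copy rather than an intended change; taskframe.php's header has the same regression in this commit. Restore `//  Copyright (C) 2004-2010 by Autodesk, Inc.` in both files.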
@@ -34,7 +34,7 @@
 
     $locale = "";
     $userInput = "";
-    $target = "";
+    $target = 0;
     $popup = 0;
     $layerName = "";
     $mapName = "";
@@ -42,7 +42,7 @@
     $filter = "";
     $resNames = array();
     $resProps = array();
-    $matchLimit = "";
+    $matchLimit = 0;
 
     GetRequestParameters();
     SetLocalizedFilesPath(GetLocalizationPath());
@@ -273,25 +273,24 @@
     global $userInput, $target, $layerName, $popup, $locale;
     global $mapName, $sessionId, $filter, $resNames, $resProps, $matchLimit;
 
-    if(isset($params['LOCALE']))
-        $locale = $params['LOCALE'];
-    $userInput = $params['USERINPUT'];
-    $target = $params['TGT'];
-    $popup = $params['POPUP'];
-    $layerName = $params['LAYER'];
-    $mapName = $params['MAPNAME'];
-    $sessionId = $params['SESSION'];
-    $filter = $params['FILTER'];
-    $matchLimit = $params['MR'];
-    $colCount = $params['COLS'];
+    $sessionId = ValidateSessionId(GetParameter($params, 'SESSION'));
+    $locale = ValidateLocaleString(GetParameter($params, 'LOCALE'));
+    $mapName = ValidateMapName(GetParameter($params, 'MAPNAME'));
+    $target = GetIntParameter($params, 'TGT');
+    $popup = GetIntParameter($params, 'POPUP');
+    $matchLimit = GetIntParameter($params, 'MR');
+    $colCount = GetIntParameter($params, 'COLS');
     if($colCount > 0)
     {
         for($i = 0; $i < $colCount; $i++)
         {
-            array_push($resNames, $params['CN' . $i]);
-            array_push($resProps, $params['CP' . $i]);
+            array_push($resNames, GetParameter($params, 'CN' . $i));
+            array_push($resProps, GetParameter($params, 'CP' . $i));
         }
     }
+    $userInput = GetParameter($params, 'USERINPUT');
+    $layerName = GetParameter($params, 'LAYER');
+    $filter = GetParameter($params, 'FILTER');
 }
 
 function GetRequestParameters()
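Review bot: `$colCount` now comes straight from the request as an int with no upper bound, so the `for` loop beneath it iterates and calls array_push as many times as the client asks; clamp it, e.g. `$colCount = min(GetIntParameter($params, 'COLS'), 64); // constructed cap: replace with the real column limit`. `$userInput`, `$layerName`, `$filter` and the `CN`/`CP` values are the only request values left unvalidated in this function; if they feed a feature-service filter or page output, escape them at that point. The function's signature is outside the hunk.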

Modified: trunk/MgDev/Web/src/mapviewerphp/searchprompt.php
===================================================================
--- trunk/MgDev/Web/src/mapviewerphp/searchprompt.php	2010-04-06 15:54:19 UTC (rev 4743)
+++ trunk/MgDev/Web/src/mapviewerphp/searchprompt.php	2010-04-06 15:56:33 UTC (rev 4744)
@@ -21,15 +21,15 @@
     include 'constants.php';
 
     $locale = "";
-    $cmdIndex = "";
+    $cmdIndex = 0;
     $target = 0;
     $popup = 0;
-    $clientWidth = "";
+    $clientWidth = 0;
     $layerId = "";
     $mapName = "";
     $sessionId = "";
     $filter = "";
-    $matchLimit = "";
+    $matchLimit = 0;
 
     GetRequestParameters();
 
@@ -46,7 +46,7 @@
                   $cmdIndex,
                   $target,
                   $popup,
-                  $layerId,
+                  EscapeForHtml($layerId),
                   $mapName,
                   $sessionId,
                   EscapeForHtml($filter),
@@ -57,17 +57,16 @@
     global $cmdIndex, $target, $clientWidth, $layerId, $popup, $locale;
     global $mapName, $sessionId, $filter, $matchLimit;
 
-    if(isset($params['LOCALE']))
-        $locale = $params['LOCALE'];
-    $cmdIndex = $params['CMDINDEX'];
-    $target = $params['TGT'];
-    $popup = $params['POPUP'];
-    $clientWidth = $params['WIDTH'];
-    $layerId = $params['LAYER'];
-    $mapName = $params['MAPNAME'];
-    $sessionId = $params['SESSION'];
-    $filter = $params['FILTER'];
-    $matchLimit = $params['MR'];
+    $sessionId = ValidateSessionId(GetParameter($params, 'SESSION'));
+    $locale = ValidateLocaleString(GetParameter($params, 'LOCALE'));
+    $mapName = ValidateMapName(GetParameter($params, 'MAPNAME'));
+    $cmdIndex = GetIntParameter($params, 'CMDINDEX');
+    $target = GetIntParameter($params, 'TGT');
+    $popup = GetIntParameter($params, 'POPUP');
+    $clientWidth = GetIntParameter($params, 'WIDTH');
+    $matchLimit = GetIntParameter($params, 'MR');
+    $layerId = GetParameter($params, 'LAYER');
+    $filter = GetParameter($params, 'FILTER');
 }
 
 function GetRequestParameters()

Modified: trunk/MgDev/Web/src/mapviewerphp/selectwithin.php
===================================================================
--- trunk/MgDev/Web/src/mapviewerphp/selectwithin.php	2010-04-06 15:54:19 UTC (rev 4743)
+++ trunk/MgDev/Web/src/mapviewerphp/selectwithin.php	2010-04-06 15:56:33 UTC (rev 4744)
@@ -24,7 +24,7 @@
     $sessionId = "";
     $inputSel = "";
     $layers = null;
-    $dwf = "";
+    $dwf = 0;
 
     GetRequestParameters();
 
@@ -145,11 +145,12 @@
 {
     global $inputSel, $layers, $mapName, $sessionId, $dwf;
 
-    $mapName = $params['MAPNAME'];
-    $sessionId = $params['SESSION'];
-    $inputSel = UnescapeMagicQuotes($params['SELECTION']);
-    $layers = $params['LAYERS'];
-    $dwf = $params['DWF'];
+    $sessionId = ValidateSessionId(GetParameter($params, 'SESSION'));
+    $mapName = ValidateMapName(GetParameter($params, 'MAPNAME'));
+    $dwf = GetIntParameter($params, 'DWF');
+    
+	$inputSel = UnescapeMagicQuotes(GetParameter($params, 'SELECTION'));
+    $layers = GetParameter($params, 'LAYERS');
 }
 
 function UnescapeMagicQuotes($str)

Modified: trunk/MgDev/Web/src/mapviewerphp/selectwithinui.php
===================================================================
--- trunk/MgDev/Web/src/mapviewerphp/selectwithinui.php	2010-04-06 15:54:19 UTC (rev 4743)
+++ trunk/MgDev/Web/src/mapviewerphp/selectwithinui.php	2010-04-06 15:56:33 UTC (rev 4744)
@@ -24,7 +24,7 @@
     $popup = 0;
     $mapName = "";
     $sessionId = "";
-    $dwf = "";
+    $dwf = 0;
 
     GetRequestParameters();
 
@@ -38,12 +38,12 @@
 {
     global $mapName, $sessionId, $dwf, $locale;
 
-    if(isset($params['LOCALE']))
-        $locale = $params['LOCALE'];
-    $popup = $params['POPUP'];
-    $mapName = $params['MAPNAME'];
-    $sessionId = $params['SESSION'];
-    $dwf = $params['DWF'];
+    $sessionId = ValidateSessionId(GetParameter($params, 'SESSION'));
+    $locale = ValidateLocaleString(GetParameter($params, 'LOCALE'));
+    $mapName = ValidateMapName(GetParameter($params, 'MAPNAME'));
+
+    $popup = GetIntParameter($params, 'POPUP');
+    $dwf = GetIntParameter($params, 'DWF');
 }
 
 function GetRequestParameters()
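Review bot: `$popup` is assigned on the new `GetIntParameter($params, 'POPUP')` line but is missing from the `global` declaration at the top of the function, so the assignment creates a function-local and the file-level `$popup = 0` never receives the request value; the removed code had the same gap, and this rewrite keeps it. Change the declaration to `global $mapName, $sessionId, $dwf, $locale, $popup;`.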

Modified: trunk/MgDev/Web/src/mapviewerphp/setselection.php
===================================================================
--- trunk/MgDev/Web/src/mapviewerphp/setselection.php	2010-04-06 15:54:19 UTC (rev 4743)
+++ trunk/MgDev/Web/src/mapviewerphp/setselection.php	2010-04-06 15:56:33 UTC (rev 4744)
@@ -97,11 +97,12 @@
 {
     global $mapName, $sessionId, $selText, $queryInfo;
 
-    $mapName = $params['MAPNAME'];
-    $sessionId = $params['SESSION'];
-    $selText = UnescapeMagicQuotes($params['SELECTION']);
+    $sessionId = ValidateSessionId(GetParameter($params, 'SESSION'));
+    $mapName = ValidateMapName(GetParameter($params, 'MAPNAME'));
     if(isset($params['QUERYINFO']))
-        $queryInfo = $params['QUERYINFO'] == "1";
+        $queryInfo = (GetIntParameter($params, 'QUERYINFO') == 1);
+
+    $selText = UnescapeMagicQuotes(GetParameter($params, 'SELECTION'));
 }
 
 function UnescapeMagicQuotes($str)

Modified: trunk/MgDev/Web/src/mapviewerphp/statusbar.php
===================================================================
--- trunk/MgDev/Web/src/mapviewerphp/statusbar.php	2010-04-06 15:54:19 UTC (rev 4743)
+++ trunk/MgDev/Web/src/mapviewerphp/statusbar.php	2010-04-06 15:56:33 UTC (rev 4744)
@@ -40,8 +40,7 @@
 {
     global $locale;
 
-    if(isset($params['LOCALE']))
-        $locale = $params['LOCALE'];
+    $locale = ValidateLocaleString(GetParameter($params, 'LOCALE'));
 }
 
 function GetRequestParameters()

Modified: trunk/MgDev/Web/src/mapviewerphp/taskbar.php
===================================================================
--- trunk/MgDev/Web/src/mapviewerphp/taskbar.php	2010-04-06 15:54:19 UTC (rev 4743)
+++ trunk/MgDev/Web/src/mapviewerphp/taskbar.php	2010-04-06 15:56:33 UTC (rev 4744)
@@ -42,8 +42,7 @@
 {
     global $locale;
 
-    if(isset($params['LOCALE']))
-        $locale = $params['LOCALE'];
+    $locale = ValidateLocaleString(GetParameter($params, 'LOCALE'));
 }
 
 function GetRequestParameters()

Modified: trunk/MgDev/Web/src/mapviewerphp/taskframe.php
===================================================================
--- trunk/MgDev/Web/src/mapviewerphp/taskframe.php	2010-04-06 15:54:19 UTC (rev 4743)
+++ trunk/MgDev/Web/src/mapviewerphp/taskframe.php	2010-04-06 15:56:33 UTC (rev 4744)
@@ -1,7 +1,7 @@
 <?php
 
 //
-//  Copyright (C) 2004-2010 by Autodesk, Inc.
+//  Copyright (C) 2004-2009 by Autodesk, Inc.
 //
 //  This library is free software; you can redistribute it and/or
 //  modify it under the terms of version 2.1 of the GNU Lesser
@@ -18,36 +18,71 @@
 //
 
 include 'common.php';
+include 'constants.php';
 
-$taskPane = "";
-$session = "";
-$webLayout = "";
-$dwf = "";
+$sessionId = "";
+$webLayoutId = "";
+$dwf = 0;
 $locale = "";
 
 GetRequestParameters();
+SetLocalizedFilesPath(GetLocalizationPath());
 
-//If there is an initial url, it will be encoded, so parse the decoded url.
-$comp = parse_url(urldecode($taskPane));
+try
+{
+	InitializeWebTier();
 
-//If there is a query component to the initial url, append it to the end of the full url string
-if(!isset($comp["query"]) || strlen($comp["query"]) == 0)
-    $url = sprintf("%s?SESSION=%s&WEBLAYOUT=%s&DWF=%s&LOCALE=%s", $comp["path"], $session, urlencode($webLayout), $dwf, $locale);
-else
-    $url = sprintf("%s?SESSION=%s&WEBLAYOUT=%s&DWF=%s&LOCALE=%s&%s", $comp["path"], $session, urlencode($webLayout), $dwf, $locale, $comp["query"]);
+	$cred = new MgUserInformation($sessionId);
+	$cred->SetClientIp(GetClientIp());
+	$cred->SetClientAgent(GetClientAgent());
 
-$templ = file_get_contents("../viewerfiles/taskframe.templ");
-print sprintf($templ, GetSurroundVirtualPath()."tasklist.php", $locale, $url);
+	//Connect to the site
+	$site = new MgSiteConnection();
+	$site->Open($cred);
 
+	//Get the MgWebLayout object
+	$resourceSrvc = $site->CreateService(MgServiceType::ResourceService);
+	$webLayoutResId = new MgResourceIdentifier($webLayoutId);
+	$webLayout = new MgWebLayout($resourceSrvc, $webLayoutResId);
+	$taskPane = $webLayout->GetTaskPane();
+	$taskPaneUrl = $taskPane->GetInitialTaskUrl();
+	$vpath = GetSurroundVirtualPath();
+	if ($taskPaneUrl == null || strlen($taskPaneUrl) == 0)
+	{
+		$taskPaneUrl = "gettingstarted.php";
+	}
+
+    //If there is an initial url, it will be encoded, so parse the decoded url.
+    $comp = parse_url(urldecode($taskPaneUrl));
+
+    //If there is a query component to the initial url, append it to the end of the full url string
+    if(!isset($comp["query"]) || strlen($comp["query"]) == 0)
+        $url = sprintf("%s?SESSION=%s&WEBLAYOUT=%s&DWF=%s&LOCALE=%s", $comp["path"], $sessionId, urlencode($webLayoutId), $dwf, $locale);
+    else
+        $url = sprintf("%s?SESSION=%s&WEBLAYOUT=%s&DWF=%s&LOCALE=%s&%s", $comp["path"], $sessionId, urlencode($webLayoutId), $dwf, $locale, $comp["query"]);
+
+    $templ = file_get_contents("../viewerfiles/taskframe.templ");
+    print sprintf($templ, $vpath ."tasklist.php", $locale, $url);
+}
+catch(MgException $e)
+{
+    OnError(GetLocalizedString( "TASKS", $locale ), $e->GetDetails());
+    return;
+}
+catch(Exception $ne)
+{
+    OnError(GetLocalizedString( "TASKS", $locale ), $ne->getMessage());
+    return;
+}
+
 function GetParameters($params)
 {
-    global $taskPane, $session, $webLayout, $dwf, $locale;
+    global $taskPane, $sessionId, $webLayoutId, $dwf, $locale;
 
-    $taskPane = $params['TASK'];
-    $session = $params['SESSION'];
-    $webLayout = $params['WEBLAYOUT'];
-    $locale = $params['LOCALE'];
-    $dwf = $params['DWF'];
+    $sessionId = ValidateSessionId(GetParameter($params, 'SESSION'));
+    $locale = ValidateLocaleString(GetParameter($params, 'LOCALE'));
+    $webLayoutId = ValidateResourceId(GetParameter($params, 'WEBLAYOUT'));
+    $dwf = GetIntParameter($params, 'DWF');
 }
 
 function GetRequestParameters()
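Review bot: GetParameters still declares `global $taskPane` although the TASK request parameter is gone and `$taskPane` is now the task-pane object created inside the try block, so the declaration is dead and misleading; use `global $sessionId, $webLayoutId, $dwf, $locale;`. The try block mixes tab-indented lines (credentials through the gettingstarted.php fallback) with four-space-indented ones (parse_url onward); pick one. `$comp["path"]` is read without an `isset` check, so an initial task URL that parse_url cannot split produces a notice and an empty path; that was already true before the move, and the new fallback only covers the empty-string case.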
@@ -58,4 +93,11 @@
         GetParameters($_GET);
 }
 
+function OnError($title, $msg)
+{
+    global $target;
+    $templ = Localize(file_get_contents("../viewerfiles/errorpage.templ"), $locale, GetClientOS());
+    print sprintf($templ, "0", $title, $msg);
+}
+
 ?>
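Review bot: OnError reads `$locale` when calling Localize but declares `global $target;`, a variable the function never uses, so `$locale` is undefined inside the function and the error page is localized with a null locale; change the line to `global $locale;`. `$msg` is the raw `$e->GetDetails()` / `$ne->getMessage()` text from the catch blocks above, printed into errorpage.templ through sprintf; unless Localize or the template escapes it, pass it through EscapeForHtml as the other pages in this commit do for untrusted strings, and consider logging the details server-side rather than rendering them to the client.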

Modified: trunk/MgDev/Web/src/mapviewerphp/tasklist.php
===================================================================
--- trunk/MgDev/Web/src/mapviewerphp/tasklist.php	2010-04-06 15:54:19 UTC (rev 4743)
+++ trunk/MgDev/Web/src/mapviewerphp/tasklist.php	2010-04-06 15:56:33 UTC (rev 4744)
@@ -29,8 +29,7 @@
 {
     global $locale;
 
-    if(isset($params['LOCALE']))
-        $locale = $params['LOCALE'];
+    $locale = ValidateLocaleString(GetParameter($params, 'LOCALE'));
 }
 
 function GetRequestParameters()

Modified: trunk/MgDev/Web/src/mapviewerphp/viewoptions.php
===================================================================
--- trunk/MgDev/Web/src/mapviewerphp/viewoptions.php	2010-04-06 15:54:19 UTC (rev 4743)
+++ trunk/MgDev/Web/src/mapviewerphp/viewoptions.php	2010-04-06 15:56:33 UTC (rev 4744)
@@ -35,10 +35,10 @@
 {
     global $tgt, $popup, $dwf, $locale;
 
-    $tgt = $params['TGT'];
-    $popup = $params['POPUP'];
-    $dwf = $params['DWF'];
-    $locale = $params['LOCALE'];
+    $locale = ValidateLocaleString(GetParameter($params, 'LOCALE'));
+    $tgt = GetIntParameter($params, 'TGT');
+    $popup = GetIntParameter($params, 'POPUP');
+    $dwf = GetIntParameter($params, 'DWF');
 }
 
 function GetRequestParameters()


