Index: scripting.jsp
===================================================================
--- scripting.jsp (revisión: 7735)
+++ scripting.jsp (revisión: 8207)
@@ -1,7 +1,11 @@
 <%@ page import="com.openkm.servlet.admin.BaseServlet" %>
+<%@ page import="com.openkm.util.UserActivity"%>
+<%@ page import="com.openkm.util.SecureStore"%>
+<%@ page import="com.openkm.util.WebUtils"%>
 <%@ page import="bsh.Interpreter"%>
 <%@ page import="java.io.ByteArrayOutputStream"%>
 <%@ page import="java.io.PrintStream"%>
+<%@ page import="java.util.UUID"%>
 <%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
@@ -41,33 +45,45 @@ <% if (BaseServlet.isMultipleInstancesAdmin(request)) { request.setCharacterEncoding("UTF-8"); - String script = request.getParameter("script"); + String script = WebUtils.getString(request, "script"); + String reqCsrft = (String) session.getAttribute("csrft"); StringBuffer scriptOutput = new StringBuffer(); Object scriptResult = null; Exception scriptError = null; - if (script != null) { - script = new String(script.getBytes("ISO-8859-1"), "UTF-8"); - ByteArrayOutputStream baos = new ByteArrayOutputStream(); - PrintStream pout = new PrintStream(baos); - Interpreter bsh = new Interpreter(null, pout, pout, false); - - // set up interpreter - bsh.set("bsh.httpServletRequest", request); - bsh.set("bsh.httpServletResponse", response); - - try { - scriptResult = bsh.eval(script); - } catch (Exception e) { - scriptError = e; + if (!script.equals("")) { + if (WebUtils.getString(request, "csrft").equals(reqCsrft)) { + ByteArrayOutputStream baos = new ByteArrayOutputStream(); + PrintStream pout = new PrintStream(baos); + Interpreter bsh = new Interpreter(null, pout, pout, false); + + // set up interpreter + bsh.set("bsh.httpServletRequest", request); + bsh.set("bsh.httpServletResponse", response); + + try { + scriptResult = bsh.eval(script); + } catch (Exception e) { + scriptError = e; + } + + pout.flush(); + scriptOutput.append(baos.toString()); + + // Activity log + UserActivity.log(request.getRemoteUser(), "SCRIPTING", null, request.getRemoteHost() + ", " + script); + } else { + out.println("

Security risk detected

"); + + // Activity log + UserActivity.log(request.getRemoteUser(), "SECURITY_RISK", null, request.getRemoteHost() + ", " + script); } - - pout.flush(); - scriptOutput.append(baos.toString()); } else { script = "print(\"Hola, mundo!\");"; } + String genCsrft = SecureStore.md5Encode(UUID.randomUUID().toString().getBytes()); + session.setAttribute("csrft", genCsrft); out.println("

Scripting

"); out.println("

Results

"); out.println(""); @@ -77,6 +93,7 @@ out.println("
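Review bot: The token check on the `if (WebUtils.getString(request, "csrft").equals(reqCsrft))` line is paired with an unconditional `session.setAttribute("csrft", genCsrft)` on every render, so a second admin tab, a reload or the back button submits a stale token and is recorded as `SECURITY_RISK` together with the full script text; either rotate only when the session has no token, `if (session.getAttribute("csrft") == null) { session.setAttribute("csrft", genCsrft); }`, or add a comment stating that one-shot tokens are intended and such log entries are expected. `String.equals` short-circuits on the first differing character; `MessageDigest.isEqual` on the UTF-8 bytes, with a null guard for `reqCsrft`, is the conventional form for comparing a secret token. `UUID.randomUUID().toString().getBytes()` uses the platform default charset; passing `StandardCharsets.UTF_8` makes the digest input identical across JVMs. Both `UserActivity.log` calls write the raw `script` parameter, so unless `UserActivity.log` strips line breaks a multi-line submission can split an activity record — worth confirming against its implementation. The enclosing `if (BaseServlet.isMultipleInstancesAdmin(request))` block closes outside this hunk.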
"); out.println("
"); out.println("
"); + out.println(""); out.println(""); out.println(""); out.println("");