fix xss in captcha-skip-param field

Author: jrivard@gmail.com

server/src/main/java/password/pwm/bean/LocalSessionStateBean.java

@@ -66,6 +66,7 @@ public class LocalSessionStateBean implements Serializable
 
     private boolean passwordModified;
     private boolean privateUrlAccessed;
+    private boolean captchaBypassedViaParameter;
 
     private final AtomicInteger intruderAttempts = new AtomicInteger( 0 );
     private final AtomicInteger requestCount = new AtomicInteger( 0 );

server/src/main/java/password/pwm/util/CaptchaUtility.java

@@ -331,13 +331,20 @@ public static void prepareCaptchaDisplay( final PwmRequest pwmRequest ) throws S
     private static boolean checkIfCaptchaParamPresent( final PwmRequest pwmRequest )
             throws PwmUnrecoverableException
     {
+        if ( pwmRequest.getPwmSession().getSessionStateBean().isCaptchaBypassedViaParameter() )
+        {
+            LOGGER.trace( pwmRequest, () -> "valid skipCaptcha value previously received in session, skipping captcha check" );
+            return true;
+        }
+
         final String skipCaptcha = pwmRequest.readParameterAsString( PwmConstants.PARAM_SKIP_CAPTCHA );
         if ( skipCaptcha != null && skipCaptcha.length() > 0 )
         {
             final String configValue = pwmRequest.getConfig().readSettingAsString( PwmSetting.CAPTCHA_SKIP_PARAM );
             if ( configValue != null && configValue.equals( skipCaptcha ) )
             {
                 LOGGER.trace( pwmRequest, () -> "valid skipCaptcha value in request, skipping captcha check for this session" );
+                pwmRequest.getPwmSession().getSessionStateBean().setCaptchaBypassedViaParameter( true );
                 return true;
             }
             else

webapp/src/main/webapp/WEB-INF/jsp/activateuser.jsp

@@ -50,7 +50,6 @@
                 <input type="hidden" name="processAction" value="activate"/>
                 <%@ include file="/WEB-INF/jsp/fragment/cancel-button.jsp" %>
                 <input type="hidden" name="pwmFormID" value="<pwm:FormID/>"/>
-                <input type="hidden" name="skipCaptcha" value="${param.skipCaptcha}"/>
             </div>
         </form>
     </div>

webapp/src/main/webapp/WEB-INF/jsp/forgottenpassword-search.jsp

@@ -58,7 +58,6 @@
                     </button>
                 </pwm:if>
                 <input type="hidden" name="pwmFormID" value="<pwm:FormID/>"/>
-                <input type="hidden" name="skipCaptcha" value="${param.skipCaptcha}"/>
             </div>
         </form>
     </div>

webapp/src/main/webapp/WEB-INF/jsp/forgottenusername-search.jsp

@@ -51,7 +51,6 @@
                 </button>
                 <%@ include file="/WEB-INF/jsp/fragment/cancel-button.jsp" %>
                 <input type="hidden" name="pwmFormID" value="<pwm:FormID/>"/>
-                <input type="hidden" name="skipCaptcha" value="${param.skipCaptcha}"/>
             </div>
         </form>
     </div>

webapp/src/main/webapp/WEB-INF/jsp/login.jsp

@@ -71,7 +71,6 @@
                         <%@ include file="/WEB-INF/jsp/fragment/cancel-button.jsp" %>
                     </pwm:if>
                     <input type="hidden" id="pwmFormID" name="pwmFormID" value="<pwm:FormID/>"/>
-                    <input type="hidden" name="skipCaptcha" value="${param.skipCaptcha}"/>
                 </div>
             </div>
         </form>

webapp/src/main/webapp/WEB-INF/jsp/newuser.jsp

@@ -54,7 +54,6 @@
                     <pwm:display key="Button_Continue"/>
                 </button>
                 <input type="hidden" name="pwmFormID" value="<pwm:FormID/>"/>
-                <input type="hidden" name="skipCaptcha" value="${param.skipCaptcha}"/>
 
                 <% if ((Boolean)JspUtility.getAttribute(pageContext, PwmRequestAttribute.NewUser_FormShowBackButton)) { %>
                 <button type="button" id="button-goBack" name="button-goBack" class="btn" >