Removed manual text escaping for the dmp and self-submission fields a…

…s this is now being handled by OWASP
redbox-mint · Jul 4, 2018 · d76590b · d76590b
1 parent dedab06
commit d76590b
Show file tree

Hide file tree

Showing 8 changed files with 55 additions and 40 deletions.
diff --git a/...ig/src/main/config/portal/dashboard/dashboard/display/package-dmpt/detail/preview/body.vm b/...ig/src/main/config/portal/dashboard/dashboard/display/package-dmpt/detail/preview/body.vm
@@ -9,7 +9,7 @@
     #set($v = $metadata.get("$key"))
     <dd>
     #if ($v)
-		$page.escapeHtml($!v)
+		$!v
     #else
 		#noInformation()
     </dd>

diff --git a/...onfig/portal/dashboard/dashboard/display/package-dmpt/detail/preview/sections/overview.vm b/...onfig/portal/dashboard/dashboard/display/package-dmpt/detail/preview/sections/overview.vm
@@ -18,16 +18,16 @@
     #if ($items && $items.size() > 0)
 		#set($i = 0)
 #foreach($item in $items)
-#if($i > 0),#else #set($i = 1) #end $page.escapeHtml($!item)#end
+#if($i > 0),#else #set($i = 1) #end $!item#end
     #else
 		#noInformation()
-	#end	
+	#end
 #end
 
 #macro(getSingleValue $key)
  #set($v = $metadata.get("$key"))
     #if ($v)
-		$page.escapeHtml($v)
+		$v
     #else
 		#noInformation()
     #end
@@ -49,12 +49,12 @@
           $!label
         #else
     	  #noInformation()
-      #end 
+      #end
     </td>
     </tr>
 #end
 
-## display a list in a row 
+## display a list in a row
 #macro(displayRowList $label $baseKey $subKey)
 <tr>
 <td>$label</td>
@@ -68,12 +68,12 @@
 #set($item = $forList.get($key))
 #if($i > 0), #else #set($i = 1) #end
 #set($subv = $item.get("$subKey"))
-$page.escapeHtml($!subv)#end#end
+$!subv#end#end
 </td>
 </tr>
 #end
 
-## Special treat for Grant Numbers 
+## Special treat for Grant Numbers
 #macro(displayGrantNumbers $label $baseKey)
 <tr>
 <td>$label</td>
@@ -88,7 +88,7 @@ $page.escapeHtml($!subv)#end#end
 #if($i > 0), #else #set($i = 1) #end
   #set($subv = $item.get("skos:prefLabel"))
 #if ("$!subv" != "")$!subv#else
-#set($subv = $item.get("redbox:grantNumber"))$page.escapeHtml($!subv)#end    
+#set($subv = $item.get("redbox:grantNumber"))$!subv#end    
 #end
 #end
 </td>
@@ -112,5 +112,5 @@ $page.escapeHtml($!subv)#end#end
         #displayRowList("#displayMessage('dmpt.field.label.dc-subject.dc-subject.anzsrc-seo')" "dc:subject.anzsrc:seo" "skos:prefLabel")
     </table>
     <h4>#displayMessage('dmpt.field.label.dc-description')</h4>
-	<p>#if($metadata.get('dc:description')) $page.escapeHtml($metadata.get('dc:description')) #else #noInformation() #end</p>
+	<p>#if($metadata.get('dc:description')) $metadata.get('dc:description')) #else #noInformation( #end</p>
 </section>
diff --git a/.../config/portal/dashboard/dashboard/display/package-dmpt/detail/preview/sections/people.vm b/.../config/portal/dashboard/dashboard/display/package-dmpt/detail/preview/sections/people.vm
@@ -11,8 +11,8 @@
 		#set($familyName = $metadata.get("$key:familyName"))
 		#set($email = $metadata.get("$key:email"))
     #if ($familyName || $givenName)
-    	$page.escapeHtml($!title) $page.escapeHtml($!givenName) $page.escapeHtml($!familyName)
-    	#if ( $!email != "") [ $page.escapeHtml($email) ] #end
+    	$!title $!givenName $!familyName
+    	#if ( $!email != "") [ $email ] #end
     #else
     ##if ($items && $items.size > 0)
 		##set($i = 0)
@@ -33,7 +33,7 @@
 #macro(displayKey $map $key $required)
 #set ($value = $map.get($key))
 #if ("$!value" != "")
-$page.escapeHtml($!value)
+$!value
 #else
     #if ($required)
 #missing($key)

diff --git a/.../config/portal/dashboard/dashboard/display/package-self-submission/detail/preview/body.vm b/.../config/portal/dashboard/dashboard/display/package-self-submission/detail/preview/body.vm
@@ -9,7 +9,7 @@
     #set($v = $metadata.get("$key"))
     <dd>
     #if ($v)
-		$page.escapeHtml($!v)
+		$!v
     #else
 		#noInformation()
     </dd>
@@ -27,7 +27,7 @@
 			<dd>
             #set($item = $forList.get($key))            
             #set($subv = $item.get("$subKey"))
-            $page.escapeHtml($!subv)
+            $!subv
 			</dd>
         #end
     #end
@@ -48,7 +48,7 @@
 #foreach($subKey in $subKeys)
 #if($i>0)$sep #end 
 #set($subv = $item.get("$subKey"))
-#set($i = $i+1)$page.escapeHtml($!subv)#end
+#set($i = $i+1)$!subv#end
 			</li>
 		#end
 		</ol>

diff --git a/...l/dashboard/dashboard/display/package-self-submission/detail/preview/sections/overview.vm b/...l/dashboard/dashboard/display/package-self-submission/detail/preview/sections/overview.vm
@@ -15,7 +15,7 @@
 #macro(getSingleValue $key)
     #set($v = $metadata.get("$key"))
     #if ($v && "$!v" != "")
-		$page.escapeHtml($v)
+		$v
     #else
 		#noInformation()
     #end
@@ -26,7 +26,7 @@
     #if ($items && $items.size() > 0)
 		#set($i = 0)
 #foreach($item in $items)
-#if($i > 0),#else #set($i = 1) #end	$page.escapeHtml($item)#end
+#if($i > 0),#else #set($i = 1) #end	$item#end
     #else
 		#noInformation()
 	#end	
@@ -66,7 +66,7 @@ $value
 	#set($i = 0)
 #foreach($key in $forList.keySet())
 #set($item = $forList.get($key))
-#if($i > 0), #else #set($i = 1) #end $page.escapeHtml($item.get("$subKey"))#end
+#if($i > 0), #else #set($i = 1) #end $item.get("$subKey")#end
 #end
 </td>
 </tr>

diff --git a/...tal/dashboard/dashboard/display/package-self-submission/detail/preview/sections/people.vm b/...tal/dashboard/dashboard/display/package-self-submission/detail/preview/sections/people.vm
@@ -1,8 +1,8 @@
-##    locrel:rth.foaf:Person.foaf:title 
-##    locrel:rth.foaf:Person.foaf:givenName 
-##    locrel:rth.foaf:Person.foaf:familyName 
-##    locrel:rth.foaf:Person.foaf:email    
-    
+##    locrel:rth.foaf:Person.foaf:title
+##    locrel:rth.foaf:Person.foaf:givenName
+##    locrel:rth.foaf:Person.foaf:familyName
+##    locrel:rth.foaf:Person.foaf:email
+
 #macro(displayPerson $key $name)
     <dt>$name</dt>
     <dd>
@@ -11,8 +11,8 @@
 		#set($familyName = $metadata.get("$key:familyName"))
 		#set($email = $metadata.get("$key:email"))
     #if ($familyName || $givenName)
-    	$page.escapeHtml($!title) $page.escapeHtml($!givenName) $page.escapeHtml($!familyName) $page.escapeHtml($!email)
-    #else	
+    	$!title $!givenName $!familyName $!email
+    #else
     ##if ($items && $items.size > 0)
 		##set($i = 0)
 		##foreach($item in $items)
@@ -32,7 +32,7 @@
 #macro(displayKey $map $key $required)
 #set ($value = $map.get($key))
 #if ("$!value" != "")
-$page.escapeHtml($value)
+$value
 #else
     #if ($required)
 #missing($key)
@@ -61,7 +61,7 @@ $page.escapeHtml($value)
 
 	#displayPerson("dc:creator.foaf:Person.foaf" "Principal investigator")
     #displayPerson("locrel:prc.foaf:Person.foaf" "Data manager")
-    
+
     <dt>Collaborators</dt>
     #set($personList = $self.getList("dc:contributor.locrel:clb"))
     #if ($personList.isEmpty())
@@ -88,6 +88,6 @@ $page.escapeHtml($value)
     #end
 
     #displayPerson("swrc:supervisor.foaf:Person.foaf" "Supervisor")
-        
+
     </dl>
 </div>
diff --git a/config/src/main/config/portal/dashboard/dashboard/home/dmpt/mydatasets.vm b/config/src/main/config/portal/dashboard/dashboard/home/dmpt/mydatasets.vm
@@ -45,9 +45,17 @@ function draftsMapFn(mod, rawdata) {
     data[i]["detailUrl"] = '$portalPath/detail/' + data[i].id;
   	data[i]["create_timestamp"] = formatDate(data[i]["date_object_created"]);
   	data[i]["last_modified"] = formatDate(data[i]["date_object_modified"]);
+    data[i]["dc_title"] = htmlDecode(data[i]["dc_title"]);
   	mod.rows.push(data[i]);
   }
 };
+
+htmlDecode = function(input)
+{
+  var doc = new DOMParser().parseFromString(input, "text/html");
+  return doc.documentElement.textContent;
+}
+
 var draftFuncFn = {};
 draftFuncFn['manageAccess'] = function(item) { manage_access(item.id); };
 </script>

diff --git a/config/src/main/config/portal/dashboard/dashboard/home/dmpt/myplans.vm b/config/src/main/config/portal/dashboard/dashboard/home/dmpt/myplans.vm
@@ -24,30 +24,37 @@
       	    <td data-bind=${q}text: create_timestamp${q}/>
       	    <td data-bind=${q}text: last_modified${q} />
               <td>
-              <a data-bind=${q}attr: {href:editUrl}${q}>					
+              <a data-bind=${q}attr: {href:editUrl}${q}>
   			<img title=${q}#displayMessage('researcher-dashboard.home.myplans.manage.edit')${q} alt=${q}#displayMessage('researcher-dashboard.home.myplans.manage.edit')'${q} src=${q}$portalPath/images/icons/workflow_edit.png${q}>
   		</a>
             <a data-bind=${q}if: planPdfUrl, attr:{href: planPdfUrl}${q} target=${q}_blank${q} title=${q}#displayMessage('researcher-dashboard.home.myplans.manage.pdf')${q}><img alt=${q}#displayMessage('researcher-dashboard.home.myplans.manage.pdf')${q} src=${q}$portalPath/images/icons/mimetype/application/pdf/icon.png${q}></a>
-  		<a data-bind=${q}if: currentUser!='admin', click:$parent.changeOwner${q} href=${q}#${q} title=${q}#displayMessage('researcher-dashboard.home.myplans.manage.delete')${q}><img alt=${q}#displayMessage('researcher-dashboard.home.myplans.manage.delete')${q} src=${q}$portalPath/images/icons/delete.png${q}></a> 
+  		<a data-bind=${q}if: currentUser!='admin', click:$parent.changeOwner${q} href=${q}#${q} title=${q}#displayMessage('researcher-dashboard.home.myplans.manage.delete')${q}><img alt=${q}#displayMessage('researcher-dashboard.home.myplans.manage.delete')${q} src=${q}$portalPath/images/icons/delete.png${q}></a>
   		<a href=${q}#${q} data-bind=${q}click: $parent.manageAccess${q} title=${q}#displayMessage('researcher-dashboard.home.myplans.manage.access')${q}><img alt=${q}#displayMessage('researcher-dashboard.home.myplans.manage.access')${q} src=${q}$portalPath/images/icons/application_key.png${q}></a>
   		</td>
-          </tr>				
-  </tbody>    
+          </tr>
+  </tbody>
 ")
 <script>
 var currentUser = "$currentUser";
 function plansMapFn(mod, rawdata) {
-  var data = rawdata.response.docs;  
+  var data = rawdata.response.docs;
   for(var i=0; i < data.length; i++) {
     data[i]["detailUrl"] = '$portalPath/detail/' + data[i].id;
   	data[i]["create_timestamp"] = formatDate(data[i]["date_object_created"]);
   	data[i]["last_modified"] = formatDate(data[i]["date_object_modified"]);
   	data[i]["editUrl"] = '$portalPath/workflow/' + data[i].id;
     data[i]["planPdfUrl"] = data[i].hasPlanPdf ? '$portalPath/download/'+ data[i].id + '/DataManagementPlan.pdf' : null;
-    data[i]["currentUser"] = currentUser; 
+    data[i]["currentUser"] = currentUser;
+    data[i]["dc_title"] = htmlDecode(data[i]["dc_title"]);
   	mod.rows.push(data[i]);
   }
 };
+htmlDecode = function(input)
+{
+  var doc = new DOMParser().parseFromString(input, "text/html");
+  return doc.documentElement.textContent;
+}
+
 var plansFuncFn = {};
 plansFuncFn['manageAccess'] = function(item) { manage_access(item.id); };
 plansFuncFn['changeOwner'] = function(item) { change_owner(item.id); };
@@ -76,24 +83,24 @@ plansFuncFn['changeOwner'] = function(item) { change_owner(item.id); };
             <th>#displayMessage('researcher-dashboard.home.myplans.table.pdf')</th>
         </tr>
     </thead>
-     <tbody data-bind=${q}foreach: rows${q}>          
+     <tbody data-bind=${q}foreach: rows${q}>
         <tr>
       		<td><a data-bind=${q}attr: {href: detailUrl}, text: dc_title${q}></a></td>
       	    <td data-bind=${q}text: create_timestamp${q}/>
       	    <td data-bind=${q}text: last_modified${q} />
             <td>
             <a data-bind=${q}if: planPdfUrl, attr:{href: planPdfUrl}${q} target=${q}_blank${q} title=${q}#displayMessage('researcher-dashboard.home.myplans.manage.pdf')${q}><img alt=${q}#displayMessage('researcher-dashboard.home.myplans.manage.pdf')${q} src=${q}$portalPath/images/icons/mimetype/application/pdf/icon.png${q}></a>
             </td>
-          </tr>				
-  </tbody>    
+          </tr>
+  </tbody>
 ")
 <script>
 function sharedPlansMapFn(mod, rawdata) {
-  var data = rawdata.response.docs;  
+  var data = rawdata.response.docs;
   for(var i=0; i < data.length; i++) {
     data[i]["detailUrl"] = '$portalPath/detail/' + data[i].id;
   	data[i]["create_timestamp"] = formatDate(data[i]["date_object_created"]);
-  	data[i]["last_modified"] = formatDate(data[i]["date_object_modified"]);  	
+  	data[i]["last_modified"] = formatDate(data[i]["date_object_modified"]);
     data[i]["planPdfUrl"] = data[i].hasPlanPdf ? '$portalPath/download/'+ data[i].id + '/DataManagementPlan.pdf' : null;
   	mod.rows.push(data[i]);
   }