
Improve the XSS fix in user notification and web messages #876


Merged
merged 1 commit into from
Dec 10, 2024
Merged
@@ -24,6 +24,7 @@

package org.silverpeas.components.blog.notification;

import org.owasp.encoder.Encode;
import org.silverpeas.components.blog.model.Category;
import org.silverpeas.components.blog.model.PostDetail;
import org.silverpeas.core.admin.user.model.User;
@@ -54,7 +55,7 @@ protected void performTemplateData(final String language, final PostDetail resou
defaultStringIfNotDefined(getTitle(language), getTitle()),
"");
template.setAttribute("blog", resource);
template.setAttribute("blogName", resource.getPublication().getName(language));
template.setAttribute("blogName", Encode.forHtml(resource.getPublication().getName(language)));
template.setAttribute("blogDate", DateUtil.getOutputDate(resource.getDateEvent(), language));
final Category categorie = resource.getCategory();
String categorieName = null;
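Review bot: Encoding only `blogName` leaves the unencoded `PostDetail` still exposed to the template as `blog` on the line above it, so a template that reads the publication name (or any other text field) through the `blog` object instead of through `blogName` bypasses the fix; the template itself is not on this page, so this is something to check rather than assume. The same shape recurs with `comment` in the blog comment notification and with `classified` in the classifieds notification further down this page. If the templates only read the encoded attributes, a short comment at the `setAttribute("blog", resource)` line would keep the next change from reintroducing a raw read, e.g. `// raw object kept for ids/dates only; user-authored text goes through the Encode.forHtml attributes below`. performTemplateData starts before this hunk.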
@@ -23,6 +23,7 @@
*/
package org.silverpeas.components.blog.notification;

import org.owasp.encoder.Encode;
import org.silverpeas.components.blog.model.PostDetail;
import org.silverpeas.core.admin.user.model.UserDetail;
import org.silverpeas.core.comment.model.Comment;
@@ -89,16 +90,11 @@ protected void performTemplateData(final String language, final PostDetail resou
template.setAttribute("comment", comment);
String commentMessage = null;
if (comment != null) {
commentMessage = comment.getMessage();
commentMessage = Encode.forHtml(comment.getMessage());
}
template.setAttribute("commentMessage", commentMessage);
}

@Override
protected boolean stopWhenNoUserToNotify() {
return true;
}

@Override
protected NotifAction getAction() {
return action;
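Review bot: `Encode.forHtml(comment.getMessage())` turns a null message into the literal string `"null"`, because the OWASP encoder handles a null argument like `String.valueOf` does (worth confirming against the encoder version in use), whereas the old assignment propagated the null so the template could treat it as absent. Whether `getMessage()` can return null is not visible here, but the same encode-a-possibly-null pattern appears in the classifieds refusal, delegated-news denial and forms-online validation notifications below, and ForumsMessageValidationUserNotification on this page demonstrably passes `null` as refusalMotive from its two-argument constructor. A guard keeps the absent case absent: `final String raw = comment.getMessage();` followed by `commentMessage = raw == null ? null : Encode.forHtml(raw);` (or `StringUtil.isDefined`, which that forums class already imports statically). The enclosing performTemplateData starts before this hunk.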
@@ -23,6 +23,7 @@
*/
package org.silverpeas.components.classifieds.notification;

import org.owasp.encoder.Encode;
import org.silverpeas.components.classifieds.ClassifiedUtil;
import org.silverpeas.components.classifieds.model.ClassifiedDetail;
import org.silverpeas.core.admin.user.model.User;
@@ -55,7 +56,7 @@ protected void performTemplateData(final String language, final ClassifiedDetail
final SilverpeasTemplate template) {
getNotificationMetaData().addLanguage(language, getTitle(), "");
template.setAttribute("classified", resource);
template.setAttribute("classifiedName", resource.getTitle());
template.setAttribute("classifiedName", Encode.forHtml(resource.getTitle()));
template.setAttribute("senderName", User.getById(getSender()).getDisplayedName());
}

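Review bot: `senderName` on the line after the encoded `classifiedName` is still passed raw, although a user's displayed name is user-editable profile data rendered by the same template; unless the template escapes on output it needs the same treatment, `template.setAttribute("senderName", Encode.forHtml(User.getById(getSender()).getDisplayedName()));`. The delegated-news notification further down this page sets `senderName` the same way. If the template does escape that attribute itself, a one-line comment saying so would explain why one attribute is encoded here and the other is not.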
@@ -26,6 +26,7 @@
import java.util.Collection;
import java.util.Collections;

import org.owasp.encoder.Encode;
import org.silverpeas.components.classifieds.model.ClassifiedDetail;
import org.silverpeas.core.template.SilverpeasTemplate;
import org.silverpeas.core.notification.user.client.constant.NotifAction;
@@ -78,7 +79,7 @@ protected void perform(final ClassifiedDetail resource) {
protected void performTemplateData(final String language, final ClassifiedDetail resource,
final SilverpeasTemplate template) {
super.performTemplateData(language, resource, template);
template.setAttribute("refusalMotive", refusalMotive);
template.setAttribute("refusalMotive", Encode.forHtml(refusalMotive));
}

@Override
@@ -311,7 +311,7 @@ private String getSpaceName(final CommunityOfUsers community) {
*/
private void successMessage(String messageKey, Object... params) {
final String userLanguage = getUserLanguage();
getMessager().addSuccess(getMessagesIn(userLanguage).getStringWithParams(messageKey, params));
getMessager().addSuccess(getMessagesIn(userLanguage).getString(messageKey), params);
}

private String getUserLanguage() {
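Review bot: The message text is now assembled by `getMessager().addSuccess(pattern, params)` instead of by the bundle, so the result depends on the messager applying the same placeholder substitution that `getStringWithParams` did and on it escaping each parameter before substitution; neither implementation is visible on this page, so the intent should be recorded at the call site, e.g. `// parameters are substituted and escaped by the messager, never formatted into the bundle string`. The same rewrite is applied to the four subscribe/unsubscribe helpers in ForumActionHelper at the end of this page. If the messager does not format, the bundle string would reach the user with its raw placeholders, which is a regression a simple test of one keyed message with a parameter would catch. The Javadoc that ends just above `successMessage` is outside the hunk and may also need its wording updated to match the new contract.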
@@ -24,6 +24,7 @@

package org.silverpeas.components.delegatednews.notification;

import org.owasp.encoder.Encode;
import org.silverpeas.components.delegatednews.model.DelegatedNews;
import org.silverpeas.core.admin.user.model.User;
import org.silverpeas.core.contribution.publication.model.PublicationDetail;
@@ -55,7 +56,7 @@ protected void performTemplateData(final String language, final DelegatedNews re
final String title = defaultStringIfNotDefined(getTitle(language), getTitle());
getNotificationMetaData().addLanguage(language, title, "");
template.setAttribute("publicationId", publication.getId());
template.setAttribute("publicationName", publication.getName(language));
template.setAttribute("publicationName", Encode.forHtml(publication.getName(language)));
template.setAttribute("senderName", (user != null ? user.getDisplayedName() : ""));
}

@@ -23,14 +23,15 @@
*/
package org.silverpeas.components.delegatednews.notification;

import org.owasp.encoder.Encode;
import org.silverpeas.components.delegatednews.model.DelegatedNews;
import org.silverpeas.core.admin.user.model.User;
import org.silverpeas.core.notification.user.client.constant.NotifAction;
import org.silverpeas.core.template.SilverpeasTemplate;

public class DelegatedNewsDeniedNotification extends AbstractDelegatedNewsUserNotification {

private String reasonForRefusal;
private final String reasonForRefusal;

public DelegatedNewsDeniedNotification(final DelegatedNews delegatedNews, final User user,
String reasonForRefusal) {
@@ -63,6 +64,6 @@ protected void perform(final DelegatedNews resource) {
protected void performTemplateData(final String language, final DelegatedNews resource,
final SilverpeasTemplate template) {
super.performTemplateData(language, resource, template);
template.setAttribute("refusalMotive", reasonForRefusal);
template.setAttribute("refusalMotive", Encode.forHtml(reasonForRefusal));
}
}
@@ -23,6 +23,7 @@
*/
package org.silverpeas.components.formsonline.notification;

import org.owasp.encoder.Encode;
import org.silverpeas.components.formsonline.model.FormInstance;
import org.silverpeas.core.notification.user.client.constant.NotifAction;
import org.silverpeas.core.template.SilverpeasTemplate;
@@ -79,7 +80,7 @@ protected void performTemplateData(final String language, final FormInstance res
final SilverpeasTemplate template) {
super.performTemplateData(language, resource, template);
getResource().getValidations().getLatestValidation()
.ifPresent(v -> template.setAttribute("comment", v.getComment()));
.ifPresent(v -> template.setAttribute("comment", Encode.forHtml(v.getComment())));
}

@Override
@@ -23,6 +23,7 @@
*/
package org.silverpeas.components.forums.notification;

import org.owasp.encoder.Encode;
import org.silverpeas.components.forums.model.ForumDetail;
import org.silverpeas.core.notification.user.client.constant.NotifAction;
import org.silverpeas.core.notification.user.model.NotificationResourceData;
@@ -32,18 +33,14 @@
import java.util.MissingResourceException;

/**
* User: Yohann Chastagnier
* @author Yohann Chastagnier
* Date: 10/06/13
*/
public abstract class AbstractForumsForumUserNotification
extends AbstractForumsUserNotification<ForumDetail> {

private NotifAction action = null;
private final NotifAction action;

/**
* Default constructor.
* @param resource
*/
public AbstractForumsForumUserNotification(final ForumDetail resource, final NotifAction action) {
super(resource);
this.action = action;
@@ -66,7 +63,7 @@ protected void performTemplateData(final String language, final ForumDetail reso
title = getTitle();
}
getNotificationMetaData().addLanguage(language, title, "");
template.setAttribute("title", resource.getName());
template.setAttribute("title", Encode.forHtml(resource.getName()));
}

@Override
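Review bot: The public constructor `AbstractForumsForumUserNotification(final ForumDetail resource, final NotifAction action)` loses its Javadoc entirely, and with `action` now a final field that parameter is the one thing worth documenting; the removed block only carried an empty `@param resource`, so replacing it beats dropping it, e.g. `/** Creates the notification about {@code action} performed on the given forum. */` with `@param` lines for both arguments. The constructor body and the rest of the class continue outside the hunk, so whether any other constructor previously relied on the old `= null` default is not visible here. The `@author` tag replacing the free-text `User:` line is the right Javadoc form; the remaining `Date: 10/06/13` line could become `@since` or go with it.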
@@ -23,6 +23,7 @@
*/
package org.silverpeas.components.forums.notification;

import org.owasp.encoder.Encode;
import org.silverpeas.components.forums.model.Message;
import org.silverpeas.core.notification.user.client.constant.NotifAction;
import org.silverpeas.core.notification.user.model.NotificationResourceData;
@@ -35,25 +36,18 @@
import java.util.MissingResourceException;

/**
* User: Yohann Chastagnier
* @author Yohann Chastagnier
* Date: 10/06/13
*/
public abstract class AbstractForumsMessageUserNotification
extends AbstractForumsUserNotification<Message> {

private NotifAction action = null;

/**
* @param resource
*/
public AbstractForumsMessageUserNotification(final Message resource) {
super(resource);
}

/**
* @param resource
* @param action
*/
public AbstractForumsMessageUserNotification(final Message resource, final NotifAction action) {
super(resource);
this.action = action;
@@ -71,8 +65,8 @@ protected void performTemplateData(final String language, final Message resource
}
getNotificationMetaData().addLanguage(language, title, "");
template.setAttribute("isSubject", resource.isSubject());
template.setAttribute("title", resource.getTitle());
template.setAttribute("text", resource.getText());
template.setAttribute("title", Encode.forHtml(resource.getTitle()));
template.setAttribute("text", Encode.forHtml(resource.getText()));
template.setAttribute("originTitle", getForumsService()
.getMessageTitle(getForumsService().getMessageParentId(getResource().getId())));
}
@@ -82,7 +76,7 @@ protected void performNotificationResource(final String language, final Message
final NotificationResourceData notificationResourceData) {
notificationResourceData.setFeminineGender(false);
notificationResourceData.setResourceId(resource.getId());
notificationResourceData.setResourceType(resource.getResourceType());
notificationResourceData.setResourceType(Message.getResourceType());
notificationResourceData.setResourceName(resource.getTitle());
}

@@ -107,7 +101,7 @@ protected String getResourceURL(final Message resource) {

/**
* Gets the bundle key prefix according to the resource if it is a subject or a message.
* @return
* @return the bundle key prefix
*/
protected String getNotificationBundleKeyPrefix() {
StringBuilder bundleKeyPrefix = new StringBuilder("forums.");
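Review bot: `originTitle` on the two lines after the encoded `title`/`text` is still set from `getMessageTitle(...)` without `Encode.forHtml`, although it is the title of another user-authored forum message rendered by the same template; unless the template escapes on output it should be wrapped the same way, `template.setAttribute("originTitle", Encode.forHtml(getForumsService().getMessageTitle(getForumsService().getMessageParentId(getResource().getId()))));`. The `setResourceName(resource.getTitle())` in the following hunk also stays raw, which is fine if NotificationResourceData is consumed as plain text, but that is not visible from here and a comment at that line stating which it is would settle it. Switching to the static `Message.getResourceType()` is a behaviour-neutral cleanup as far as this page shows. performTemplateData starts before its hunk.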
@@ -23,6 +23,7 @@
*/
package org.silverpeas.components.forums.notification;

import org.owasp.encoder.Encode;
import org.silverpeas.core.template.SilverpeasTemplate;
import org.silverpeas.core.notification.user.client.constant.NotifAction;
import org.silverpeas.components.forums.model.Message;
@@ -33,29 +34,18 @@
import static org.silverpeas.kernel.util.StringUtil.isDefined;

/**
* User: Yohann Chastagnier
* @author Yohann Chastagnier
* Date: 10/06/13
*/
public class ForumsMessageValidationUserNotification extends AbstractForumsMessageUserNotification {

private final String moderatorId;
private final String refusalMotive;

/**
* Default constructor.
* @param resource
* @param moderatorId
*/
public ForumsMessageValidationUserNotification(final Message resource, final String moderatorId) {
this(resource, moderatorId, null);
}

/**
* Default constructor.
* @param resource
* @param moderatorId
* @param refusalMotive
*/
public ForumsMessageValidationUserNotification(final Message resource, final String moderatorId,
final String refusalMotive) {
super(resource);
@@ -92,7 +82,7 @@ protected void perform(final Message resource) {
protected void performTemplateData(final String language, final Message resource,
final SilverpeasTemplate template) {
super.performTemplateData(language, resource, template);
template.setAttribute("refusalMotive", refusalMotive);
template.setAttribute("refusalMotive", Encode.forHtml(refusalMotive));
}

@Override
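Review bot: Both public constructors lose their Javadoc, and the removed text was wrong anyway (both were labelled "Default constructor"), so this is the moment to replace it rather than drop it: a one-liner on the two-argument constructor saying that it delegates with no refusal motive, and on the three-argument one `@param refusalMotive the moderator's reason for refusing the message, or null when there is none`, with the accepted/refused meaning hedged because only the `this(resource, moderatorId, null)` delegation is visible here. That delegation is also the evidence that `refusalMotive` is nullable by design, so the `Encode.forHtml(refusalMotive)` in the last hunk receives null for every notification built through the shorter constructor; the `isDefined` helper already statically imported at the top of this file is the natural guard, `isDefined(refusalMotive) ? Encode.forHtml(refusalMotive) : refusalMotive`. performTemplateData starts before its hunk.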
@@ -26,12 +26,11 @@
import org.silverpeas.components.forums.control.ForumsSessionController;
import org.silverpeas.components.forums.model.Forum;
import org.silverpeas.components.forums.model.Message;
import org.silverpeas.components.forums.service.ForumsException;
import org.silverpeas.core.notification.message.MessageNotifier;
import org.silverpeas.core.web.http.HttpRequest;
import org.silverpeas.kernel.bundle.LocalizationBundle;
import org.silverpeas.kernel.util.StringUtil;
import org.silverpeas.kernel.logging.SilverLogger;
import org.silverpeas.core.web.http.HttpRequest;
import org.silverpeas.kernel.util.StringUtil;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.jsp.JspWriter;
@@ -68,40 +67,18 @@ public class ForumActionHelper {
private ForumActionHelper() {
}

/**
* Handles the invocation of the create or update forum action
* @param request
* @param fsc
* @throws ForumsException
*/
public static void createForumAction(HttpServletRequest request, ForumsSessionController fsc) {
Invoker invoker = new Invoker(fsc.getUserId(), fsc.isAdmin(), true);
actionManagement(CREATE_FORUM, -1, (HttpRequest) request, invoker, fsc.getMultilang(), null,
fsc);
}

/**
* Handles the invocation of the create or update forum action
* @param request
* @param fsc
* @throws ForumsException
*/
public static void updateForumAction(HttpServletRequest request, ForumsSessionController fsc) {
Invoker invoker = new Invoker(fsc.getUserId(), fsc.isAdmin(), true);
actionManagement(UPDATE_FORUM, -1, (HttpRequest) request, invoker, fsc.getMultilang(), null,
fsc);
}

/**
* Method invoked from JSP (yes, this is bad ... this has to change)
* @param request
* @param isAdmin
* @param isModerator
* @param userId
* @param resource
* @param out
* @param fsc
*/
public static void actionManagement(HttpServletRequest request, boolean isAdmin,
boolean isModerator, String userId, LocalizationBundle resource, JspWriter out,
ForumsSessionController fsc) {
@@ -224,29 +201,29 @@ private static void subscribeThread(final int params, final LocalizationBundle r
Message message = fsc.subscribeMessage(params);
String bundleKey = message.isSubject() ? "forums.subject.subscribe.success" :
"forums.message.subscribe.success";
MessageNotifier.addSuccess(resource.getStringWithParams(bundleKey, message.getTitle()));
MessageNotifier.addSuccess(resource.getString(bundleKey), message.getTitle());
}

private static void unsubscribeThread(final int params, final LocalizationBundle resource,
final ForumsSessionController fsc) {
Message message = fsc.unsubscribeMessage(params);
String bundleKey = message.isSubject() ? "forums.subject.unsubscribe.success" :
"forums.message.unsubscribe.success";
MessageNotifier.addSuccess(resource.getStringWithParams(bundleKey, message.getTitle()));
MessageNotifier.addSuccess(resource.getString(bundleKey), message.getTitle());
}

private static void subscribeForum(final int params, final LocalizationBundle resource,
final ForumsSessionController fsc) {
Forum forum = fsc.subscribeForum(params);
MessageNotifier.addSuccess(
resource.getStringWithParams("forums.forum.subscribe.success", forum.getName()));
resource.getString("forums.forum.subscribe.success"), forum.getName());
}

private static void unsubscribeForum(final int params, final LocalizationBundle resource,
final ForumsSessionController fsc) {
Forum forum = fsc.unsubscribeForum(params);
MessageNotifier.addSuccess(
resource.getStringWithParams("forums.forum.unsubscribe.success", forum.getName()));
resource.getString("forums.forum.unsubscribe.success"), forum.getName());
}

private static void printOutScript(final LocalizationBundle resource, final JspWriter out)
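Review bot: The three public entry points `createForumAction`, `updateForumAction` and `actionManagement` lose their Javadoc entirely, including the "Method invoked from JSP (yes, this is bad ... this has to change)" warning, which was the one useful piece of context in those blocks; the empty `@param` tags deserved deleting, but a one-line summary per method should stay, e.g. `/** Entry point still called directly from JSP pages; new code should go through the controller actions instead. */` on actionManagement. The removed `@throws ForumsException` tags were stale in any case, since neither signature declares a checked exception and the first hunk appears to drop the `ForumsException` import altogether. The import reordering in that hunk is cosmetic and fine.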