NMS-13123: Prevent HTML markup in notification wizard
christianpape committed Mar 12, 2021
1 parent 607151e commit 66c1f62
Showing 3 changed files with 33 additions and 18 deletions.
Expand Up @@ -36,6 +36,7 @@
%>
<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c"%>
<%@ taglib uri="http://java.sun.com/jsp/jstl/functions" prefix="fn"%>
<%@ taglib uri="https://www.owasp.org/index.php/OWASP_Java_Encoder_Project" prefix="e"%>

<jsp:include page="/includes/bootstrap.jsp" flush="false" >
<jsp:param name="title" value="Event Notifications" />
Expand Down Expand Up @@ -109,31 +110,31 @@
<c:forEach items="${notifications}" var="notification">
<tr>
<td>
<input type="button" class="btn btn-secondary" value="Edit" onclick="javascript:editNotice('${notification.escapedName}')"/>
<input type="button" class="btn btn-secondary" value="Edit" onclick="javascript:editNotice('${e:forJavaScript(notification.escapedName)}')"/>
</td>
<td>
<input type="button" class="btn btn-secondary" value="Delete" onclick="javascript:deleteNotice('${notification.escapedName}')"/>
<input type="button" class="btn btn-secondary" value="Delete" onclick="javascript:deleteNotice('${e:forJavaScript(notification.escapedName)}')"/>
</td>
<td>
<c:choose>
<c:when test="${notification.isOn}">
<input type="radio" value="Off" onclick="javascript:setStatus('${notification.escapedName}','off')"/>Off
<input type="radio" value="On" CHECKED onclick="javascript:setStatus('${notification.escapedName}','on')"/>On
<input type="radio" value="Off" onclick="javascript:setStatus('${e:forJavaScript(notification.escapedName)}','off')"/>Off
<input type="radio" value="On" CHECKED onclick="javascript:setStatus('${e:forJavaScript(notification.escapedName)}','on')"/>On
</c:when>
<c:otherwise>
<input type="radio" value="Off" CHECKED onclick="javascript:setStatus('${notification.escapedName}','off')"/>Off
<input type="radio" value="On" onclick="javascript:setStatus('${notification.escapedName}','on')"/>On
<input type="radio" value="Off" CHECKED onclick="javascript:setStatus('${e:forJavaScript(notification.escapedName)}','off')"/>Off
<input type="radio" value="On" onclick="javascript:setStatus('${e:forJavaScript(notification.escapedName)}','on')"/>On
</c:otherwise>
</c:choose>
</td>
<td>
${notification.name}
${fn:escapeXml(notification.name)}
</td>
<td>
${notification.eventLabel}
${fn:escapeXml(notification.eventLabel)}
</td>
<td>
${notification.displayUei}
${fn:escapeXml(notification.displayUei)}
</td>
</tr>
</c:forEach>
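Review bot: The Edit and Delete buttons and the four status radios in this hunk now apply `e:forJavaScript` on top of `notification.escapedName`, a value whose name suggests it has already been escaped once; if that earlier step is HTML-entity encoding, a notification name containing `&`, `<` or a quote reaches editNotice/deleteNotice/setStatus double-encoded and may no longer match the name stored on the server. It is worth confirming what `escapedName` produces and, if it is HTML-escaped, encoding the raw name here instead, e.g. `onclick="javascript:editNotice('${e:forJavaScript(notification.name)}')"`. The three text cells use `fn:escapeXml` while the page now also declares the OWASP encoder taglib; `${e:forHtml(notification.name)}` would keep a single encoder for the whole page, though `fn:escapeXml` is adequate for element content as it stands. The surrounding c:forEach is complete within the hunk.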
Expand Up @@ -39,6 +39,10 @@
org.opennms.netmgt.config.*
"
%>
<%@ page import="org.opennms.core.utils.WebSecurityUtils" %>

<%@ taglib uri="http://java.sun.com/jsp/jstl/functions" prefix="fn"%>


<%!
public void init() throws ServletException {
Expand Down Expand Up @@ -116,7 +120,7 @@
</script>

<h2><%=(newNotice.getName()!=null ? "Editing notice: " + newNotice.getName() + "<br/>" : "")%></h2>
<h2><%=(newNotice.getName()!=null ? "Editing notice: " + WebSecurityUtils.sanitizeString(newNotice.getName()) + "<br/>" : "")%></h2>

<form method="post" name="info"
action="admin/notification/noticeWizard/notificationWizard">
Expand All @@ -135,15 +139,15 @@
<label>Name:</label>
</td>
<td valign="top" align="left">
<input type="text" class="form-control" name="name" value='<%=(newNotice.getName()!=null ? newNotice.getName() : "")%>'/>
<input type="text" class="form-control" name="name" value='<%=(newNotice.getName()!=null ? WebSecurityUtils.sanitizeString(newNotice.getName()) : "")%>'/>
</td>
</tr>
<tr>
<td width="10%" valign="top" align="left">
<label>Description:</label>
</td>
<td valign="top" align="left">
<input type="text" class="form-control" name="description" value='<%=newNotice.getDescription().orElse("")%>'/>
<input type="text" class="form-control" name="description" value='<%=WebSecurityUtils.sanitizeString(newNotice.getDescription().orElse(""))%>'/>
</td>
</tr>
<tr>
Expand All @@ -153,10 +157,10 @@
<td valign="top" align="left">
<div class="row">
<div class="col-md-6">
<label>Name:</label> <input type="text" class="form-control" size="30" name="varbindName" value='<%=varbindName%>'/>
<label>Name:</label> <input type="text" class="form-control" size="30" name="varbindName" value='<%=WebSecurityUtils.sanitizeString(varbindName)%>'/>
</div>
<div class="col-md-6">
<label>Value:</label> <input class="form-control" type="text" size="30" name="varbindValue" value='<%=varbindValue%>'/>
<label>Value:</label> <input class="form-control" type="text" size="30" name="varbindValue" value='<%=WebSecurityUtils.sanitizeString(varbindValue)%>'/>
</div>
</div>
</td>
Expand All @@ -174,23 +178,23 @@
<label>Text Message:</label>
</td>
<td valign="top" align="left">
<textarea rows="3" class="form-control" name="textMsg"><%=(newNotice.getTextMessage()!=null ? newNotice.getTextMessage() : "")%></textarea>
<textarea rows="3" class="form-control" name="textMsg"><%=(newNotice.getTextMessage()!=null ? WebSecurityUtils.sanitizeString(newNotice.getTextMessage()) : "")%></textarea>
</td>
</tr>
<tr>
<td width="10%" valign="top" align="left">
<label>Short Message:</label>
</td>
<td valign="top" align="left">
<textarea rows="1" class="form-control" name="numMsg"><%=newNotice.getNumericMessage().orElse("")%></textarea>
<textarea rows="1" class="form-control" name="numMsg"><%=WebSecurityUtils.sanitizeString(newNotice.getNumericMessage().orElse(""))%></textarea>
</td>
</tr>
<tr>
<td width="10%" valign="top" align="left">
<label>Email Subject:</label>
</td>
<td valign="top" align="left">
<input type="text" class="form-control" name="subject" value='<%=newNotice.getSubject().orElse("")%>'/>
<input type="text" class="form-control" name="subject" value='<%=WebSecurityUtils.sanitizeString(newNotice.getSubject().orElse(""))%>'/>
</td>
</tr>
<tr>
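Review bot: Every rewritten input in the Name, Description, varbind Name/Value and Email Subject rows places `WebSecurityUtils.sanitizeString(...)` inside a single-quoted attribute (`value='<%=...%>'`), so the fix is only complete if sanitizeString encodes the apostrophe; HTML escapers commonly leave `'` untouched, in which case a value containing an apostrophe still terminates the attribute. If sanitizeString cannot be confirmed to encode `'`, use a context-specific attribute encoder here, e.g. `value="<%=Encode.forHtmlAttribute(newNotice.getSubject().orElse(""))%>"` with a `<%@ page import="org.owasp.encoder.Encode" %>` directive, since the notification list page in this commit already depends on the OWASP encoder; at minimum switch those attributes to double quotes and verify `"` is encoded. The textarea bodies and the h2 are element content, where an entity-encoding sanitizer is the right context, but `sanitizeString(varbindName)` and `sanitizeString(varbindValue)` replace a bare `<%=varbindName%>` that tolerated null, so confirm sanitizeString is null-safe or guard those two calls. The `fn` taglib added near the top of this file is not referenced by any visible changed line and may be an unused leftover unless a collapsed region uses it.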
Expand Up @@ -29,15 +29,26 @@
package org.opennms.smoketest;

import static org.junit.Assert.assertEquals;
import static org.openqa.selenium.support.ui.ExpectedConditions.visibilityOfElementLocated;

import java.time.Duration;
import java.time.temporal.ChronoUnit;

import org.junit.Before;
import org.junit.FixMethodOrder;
import org.junit.Test;
import org.junit.runners.MethodSorters;
import org.openqa.selenium.Alert;
import org.openqa.selenium.By;
import org.openqa.selenium.support.ui.ExpectedConditions;
import org.openqa.selenium.support.ui.Select;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@FixMethodOrder(MethodSorters.NAME_ASCENDING)
public class NotificationsPageIT extends OpenNMSSeleniumIT {
private static final Logger LOG = LoggerFactory.getLogger(NotificationsPageIT.class);

@Before
public void setUp() throws Exception {
notificationsPage();
Expand Down Expand Up @@ -86,5 +97,4 @@ public void testAllLinks() {
findElementByLink("Respond Time");
assertElementDoesNotHaveText(By.xpath("//span[@class='label label-default']"), "admin was notified [-]");
}

}
