Fixing problems around user notifications about the sanitation of dat…

…a coming from WEB browser.
Silverpeas · Feb 16, 2024 · 200651a · 200651a
1 parent 4642d0e
commit 200651a
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 4 deletions.
diff --git a/...ar/src/main/java/org/silverpeas/web/notificationuser/control/UserNotificationWrapper.java b/...ar/src/main/java/org/silverpeas/web/notificationuser/control/UserNotificationWrapper.java
@@ -1,6 +1,5 @@
 package org.silverpeas.web.notificationuser.control;
 
-import org.owasp.encoder.Encode;
 import org.silverpeas.core.admin.user.model.User;
 import org.silverpeas.core.notification.user.UserNotification;
 import org.silverpeas.core.notification.user.client.GroupRecipient;
@@ -58,7 +57,7 @@ public UserNotificationWrapper setTitle(final String title) {
       final boolean isSimpleContents = metaData.getTemplateContents().isEmpty();
       final Map<String, String> simpleContents = metaData.getSimpleContents();
       for (String lang : DisplayI18NHelper.getLanguages()) {
-        metaData.setTitle(Encode.forHtml(title), lang);
+        metaData.setTitle(title, lang);
         if (isSimpleContents && isNotDefined(simpleContents.get(lang))) {
           final LocalizationBundle bundle = getLocalizationBundle(
               "org.silverpeas.alertUserPeas.multilang.alertUserPeasBundle", lang);

diff --git a/...main/java/org/silverpeas/web/notificationuser/servlets/UserNotificationRequestRouter.java b/...main/java/org/silverpeas/web/notificationuser/servlets/UserNotificationRequestRouter.java
@@ -129,7 +129,14 @@ private NotificationContext getNotificationContext(final HttpRequest request) {
     final HtmlSanitizer htmlSanitizer = HtmlSanitizer.get();
     while (parameters.hasMoreElements()) {
       final String name = parameters.nextElement();
-      context.put(name, htmlSanitizer.sanitize(request.getParameter(name)));
+      final String value = request.getParameter(name);
+      boolean isBase64 = false;
+      try {
+        isBase64 = value != null && StringUtil.fromBase64(value).length > 0;
+      } catch (Exception ignore) {
+        // if not base64 encoded, value can be sanitized
+      }
+      context.put(name, isBase64 ? value : htmlSanitizer.sanitize(value));
     }
     return context;
   }

diff --git a/core-war/src/main/webapp/util/javaScript/silverpeas-user-notification.js b/core-war/src/main/webapp/util/javaScript/silverpeas-user-notification.js
@@ -27,6 +27,8 @@
 Silverpeas plugin which handles the behaviour about the user notification.
  */
 
+//# sourceURL=/util/javaScript/silverpeas-user-notification.js
+
 (function() {
 
   var $window = top.spLayout ? top.window : window;
@@ -232,7 +234,7 @@ Silverpeas plugin which handles the behaviour about the user notification.
         __notificationMonitor.newOne(userNotification);
         try {
           this.notifyOnDesktop(userNotification.sender, {
-            body : userNotification.subject,
+            body : userNotification.subject.unescapeHTML(),
             tag : userNotification.id,
             icon : DESKTOP_USER_NOTIFICATION_ICON_URL
           }, function(desktopNotification) {