escape HTML in group name and description (#1155)
cbellone committed Dec 9, 2022
1 parent 21cb286 commit c1ae54a
Showing 4 changed files with 46 additions and 8 deletions.
6 changes: 4 additions & 2 deletions src/main/java/alfio/manager/GroupManager.java
Expand Up @@ -35,6 +35,7 @@
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.Validate;
import org.apache.commons.text.StringEscapeUtils;
import org.springframework.stereotype.Component;
import org.springframework.transaction.PlatformTransactionManager;
import org.springframework.transaction.TransactionDefinition;
Expand All @@ -49,6 +50,7 @@
import static alfio.model.group.LinkedGroup.MatchType.FULL;
import static alfio.model.group.LinkedGroup.Type.*;
import static java.util.Collections.singletonList;
import static org.apache.commons.text.StringEscapeUtils.escapeHtml4;

@Component
@Log4j2
Expand Down Expand Up @@ -81,7 +83,7 @@ public Result<Integer> createNew(GroupModification input) {
}

Group createNew(String name, String description, int organizationId) {
AffectedRowCountAndKey<Integer> insert = groupRepository.insert(name, description, organizationId);
AffectedRowCountAndKey<Integer> insert = groupRepository.insert(escapeHtml4(name), escapeHtml4(description), organizationId);
return groupRepository.getById(insert.getKey());
}

Expand Down Expand Up @@ -247,7 +249,7 @@ public Optional<GroupModification> update(int listId, GroupModification modifica
throw new DuplicateGroupItemException(error.getDescription());
}
}
groupRepository.update(listId, modification.getName(), modification.getDescription());
groupRepository.update(listId, escapeHtml4(modification.getName()), escapeHtml4(modification.getDescription()));
return loadComplete(listId);
}

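Review bot: Escaping at write time on L33 and L42 encodes the stored value for one consumer (HTML) while every other reader of the `group` row (JSON API, CSV export, mail templates) will now see the literal `&lt;` / `&gt;`; the same pattern is applied in GroupRepository.java's `insert()`. On the update path `escapeHtml4()` is applied to whatever the client submits, so if the admin UI ever sends the stored, already-escaped name back, each save turns `&gt;` into `&amp;gt;` — the added integration test resubmits the raw string, so this case is not exercised. Escaping at the rendering boundary (the `$sanitize` change in service.js goes in that direction) would avoid both issues; if write-time escaping is kept, the update path should at least be documented with a comment such as `// input is expected to be raw text; already-escaped input will be double-encoded`. The class import on L16 appears redundant next to the static import on L24 unless `StringEscapeUtils` is used elsewhere in the file, which this hunk does not show.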
6 changes: 5 additions & 1 deletion src/main/java/alfio/repository/GroupRepository.java
Expand Up @@ -28,6 +28,8 @@
import java.util.Optional;
import java.util.UUID;

import static org.apache.commons.text.StringEscapeUtils.escapeHtml4;

@QueryRepository
public interface GroupRepository {

Expand Down Expand Up @@ -66,7 +68,9 @@ AffectedRowCountAndKey<Integer> createConfiguration(@Bind("groupId") int groupId

default int[] insert(int groupId, List<GroupMemberModification> members) {
MapSqlParameterSource[] params = members.stream()
.map(i -> new MapSqlParameterSource("groupId", groupId).addValue("value", i.getValue().toLowerCase()).addValue("description", i.getDescription()))
.map(i -> new MapSqlParameterSource("groupId", groupId)
.addValue("value", i.getValue().toLowerCase())
.addValue("description", escapeHtml4(i.getDescription())))
.toArray(MapSqlParameterSource[]::new);

return getNamedParameterJdbcTemplate().batchUpdate("insert into group_member(a_group_id_fk, value, description) values(:groupId, :value, :description)", params);
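Review bot: Only `description` is escaped on L64; `value` on L63 is lowercased but stored as-is, so if member values are ever rendered into HTML they receive none of the protection the description now gets, and the asymmetry is not explained. Whether `value` is constrained to an e-mail or otherwise validated before reaching this method is not visible from the hunk, so a one-line comment stating the assumption, e.g. `// value is validated/lowercased upstream and not rendered as HTML; description is free text`, would make the choice deliberate. Placing `escapeHtml4` in a repository default method also moves presentation encoding into the persistence layer, which is where non-HTML consumers will start seeing entities.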
16 changes: 11 additions & 5 deletions src/main/webapp/resources/js/admin/service/service.js
Expand Up @@ -622,20 +622,26 @@
};
}]);

baseServices.service("NotificationHandler", ["growl", function (growl) {
baseServices.service("NotificationHandler", ["growl", "$sanitize", function (growl, $sanitize) {
var config = {ttl: 5000, disableCountDown: true};
var sanitize = function(message) {
var sanitized = $sanitize(message);
return sanitized.split(' ').map(function(part) {
return encodeURIComponent(part);
}).join(' ');
};
return {
showSuccess: function (message) {
return growl.success(message, config);
return growl.success(sanitize(message), config);
},
showWarning: function (message) {
return growl.warning(message, config);
return growl.warning(sanitize(message), config);
},
showInfo : function (message) {
return growl.info(message, config);
return growl.info(sanitize(message), config);
},
showError : function (message) {
return growl.error(message, config);
return growl.error(sanitize(message), config);
}
}

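Review bot: The `encodeURIComponent` pass on L79-81 applies URL encoding to a string that is about to be rendered as HTML, so any message containing `:`, `,`, `/`, `&` or the entities `$sanitize` itself emits (e.g. `&lt;`) is displayed with `%3A`, `%26lt%3B` and similar literal escapes. `$sanitize` already returns markup with unsafe elements and attributes removed and text entity-encoded, so the extra step adds no protection in an HTML context and corrupts legitimate messages. I would reduce the helper to `var sanitize = function(message) { return $sanitize(message); };`, or, if notifications are meant to be plain text rather than markup, HTML-escape the string instead of URL-encoding it. The NotificationHandler factory continues past the hunk; its closing `}]);` is not shown.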
26 changes: 26 additions & 0 deletions src/test/java/alfio/manager/GroupManagerIntegrationTest.java
Expand Up @@ -160,4 +160,30 @@ public void testDuplicates() {
assertEquals("value.duplicate", items.getFirstErrorOrNull().getCode());
assertEquals("test@test.ch", items.getFirstErrorOrNull().getDescription());
}

@Test
void testEscape() {
List<TicketCategoryModification> categories = Collections.singletonList(
new TicketCategoryModification(null, "default", TicketCategory.TicketAccessType.INHERIT, 10,
new DateTimeModification(LocalDate.now(ClockProvider.clock()).plusDays(1), LocalTime.now(ClockProvider.clock())),
new DateTimeModification(LocalDate.now(ClockProvider.clock()).plusDays(2), LocalTime.now(ClockProvider.clock())),
DESCRIPTION, BigDecimal.TEN, false, "", false, null, null, null, null, null, 0, null, null, AlfioMetadata.empty()));
Pair<Event, String> pair = initEvent(categories, organizationRepository, userManager, eventManager, eventRepository);
Event event = pair.getKey();
Group group = groupManager.createNew("test > 1", "This is a test < 1", event.getOrganizationId());
assertNotNull(group);
assertEquals("This is a test &lt; 1", group.getDescription());
assertEquals("test &gt; 1", group.getName());
LinkedGroupModification modification = new LinkedGroupModification(null, group.getId(), event.getId(), null, LinkedGroup.Type.ONCE_PER_VALUE, LinkedGroup.MatchType.FULL, null);
LinkedGroup configuration = groupManager.createLink(group.getId(), event.getId(), modification);
assertNotNull(configuration);
Result<Integer> items = groupManager.insertMembers(group.getId(), List.of(new GroupMemberModification(null,"test@test.ch", "description <>")));
assertTrue(items.isSuccess());
var persistedGroup = groupManager.loadComplete(group.getId()).orElseThrow();
assertEquals("description &lt;&gt;", persistedGroup.getItems().get(0).getDescription());
groupManager.update(group.getId(), new GroupModification(group.getId(), "test > 1", "This is a test < 1", event.getOrganizationId(), List.of(new GroupMemberModification(null,"test@test.ch", "description <>"))));
persistedGroup = groupManager.loadComplete(group.getId()).orElseThrow();
assertEquals("This is a test &lt; 1", persistedGroup.getDescription());
assertEquals("test &gt; 1", persistedGroup.getName());
}
}
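Review bot: `testEscape()` submits raw `<` / `>` on both the create (L118) and the update (L129) path, so it does not pin what happens when a client sends the already-stored value back — the case where applying `escapeHtml4` again would produce `&amp;gt;`. One additional `groupManager.update(...)` call with `"test &gt; 1"` followed by an assertion on the persisted name would document the intended behaviour either way. Quotes and `&` are also absent from the fixtures although `escapeHtml4` rewrites them too; a name such as `"a & \"b\""` would cover them. The new method is package-private while the existing `testDuplicates()` on L104 is `public`; if this suite still runs on JUnit 4 the non-public method would be ignored, so the file should pick one visibility.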
