RHPAM-4723: Creating a branch via BC UI can lead to XSS (#3815)

kie-wb-common-services/kie-wb-common-services-backend/src/main/java/org/kie/workbench/common/services/backend/validation/ValidationServiceImpl.java

@@ -39,6 +39,8 @@
 import org.uberfire.backend.vfs.Path;
 import org.uberfire.ext.editor.commons.backend.validation.ValidationUtils;
 
+import static org.guvnor.structure.backend.InputEscapeUtils.escapeHtmlInput;
+
 /**
  * Implementation of validation Service for file names
  */
@@ -107,7 +109,7 @@ public boolean isFileNameValid(String fileName) {
     @Override
     public boolean isBranchNameValid(final String branchName) {
         final Matcher branchNameMatcher = branchNameValidator.matcher(branchName);
-        return branchNameMatcher.matches();
+        return branchNameMatcher.matches() && branchName.equals(escapeHtmlInput(branchName));
     }
 
     @Override

kie-wb-common-services/kie-wb-common-services-backend/src/test/java/org/kie/workbench/common/services/backend/validation/ValidationServiceImplTest.java

@@ -138,7 +138,7 @@ public void testValidateBranchName() {
         assertTrue(validationService.isBranchNameValid("test!"));
         assertTrue(validationService.isBranchNameValid("test-"));
         assertTrue(validationService.isBranchNameValid("test_"));
-        assertTrue(validationService.isBranchNameValid("test&"));
+        assertFalse(validationService.isBranchNameValid("test&"));
         assertTrue(validationService.isBranchNameValid("test%"));
 
         assertFalse(validationService.isBranchNameValid("@test"));
@@ -223,5 +223,6 @@ public void testValidateBranchName() {
         assertTrue(validationService.isBranchNameValid("te-st"));
         assertTrue(validationService.isBranchNameValid("test-"));
 
+        assertFalse(validationService.isBranchNameValid("<img/src/onerror=alert(document.cookie)>"));
     }
 }