RA-1865: Fix possible xss in account setup (#57)
isears committed Nov 23, 2020
1 parent 32cb17c commit 702fbfd
Showing 1 changed file with 7 additions and 7 deletions.
Expand Up @@ -95,7 +95,7 @@ public void get(PageModel model, @MethodParam("getAccount") Account account,

setModelAttributes(model, account, null, accountService, administrationService, providerManagementService, uu, appFrameworkService);
if (account.getPerson().getPersonId() == null) {
setJsonFormData(model, account, null);
setJsonFormData(model, account, null, uu);
}
}

Expand Down Expand Up @@ -222,7 +222,7 @@ public String post(PageModel model, @MethodParam("getAccount") @BindParams Accou
sendErrorMessage(errors, model, messageSourceService, request);

if (account.getPerson().getPersonId() == null) {
setJsonFormData(model, account, otherAccountData);
setJsonFormData(model, account, otherAccountData, uu);
}

return "systemadmin/accounts/account";
Expand Down Expand Up @@ -410,21 +410,21 @@ private void sendErrorMessage(Errors errors, PageModel model, MessageSourceServi
request.getSession().setAttribute(UiCommonsConstants.SESSION_ATTRIBUTE_ERROR_MESSAGE, errorMessage.toString());
}

private void setJsonFormData(PageModel model, Account account, OtherAccountData otherAccountData) throws IOException {
private void setJsonFormData(PageModel model, Account account, OtherAccountData otherAccountData, UiUtils uu) throws IOException {

ObjectMapper mapper = new ObjectMapper();
SimpleObject simplePerson = new SimpleObject();
simplePerson.put("familyName", account.getFamilyName());
simplePerson.put("givenName", account.getGivenName());
simplePerson.put("gender", account.getGender() != null ? account.getGender() : "");
simplePerson.put("familyName", uu.encodeHtml(account.getFamilyName()));
simplePerson.put("givenName", uu.encodeHtml(account.getGivenName()));
simplePerson.put("gender", uu.encodeHtml(account.getGender()) != null ? uu.encodeHtml(account.getGender()) : "");
model.addAttribute("personJson", mapper.writeValueAsString(simplePerson));

SimpleObject simpleUser = new SimpleObject();
SimpleObject simpleProvider = new SimpleObject();
if (otherAccountData != null) {
if (otherAccountData.getAddUserAccount()) {
User u = account.getUserAccounts().get(0);
simpleUser.put("username", u.getUsername());
simpleUser.put("username", uu.encodeHtml(u.getUsername()));
simpleUser.put("privilegeLevel", account.getPrivilegeLevel(u).getUuid());
SimpleObject userProperties = new SimpleObject();
userProperties
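Review bot: The encoding in the third hunk is applied at the wrong layer — `uu.encodeHtml` is called on the field values before they are serialized by `mapper.writeValueAsString`, so the HTML entities become part of the JSON data in `personJson` rather than escaping for the context where that JSON is finally emitted (presumably a script block or form prefill in the view, which is not visible here). That does neutralise a `</script>`-style payload in a name, but it also means a family name such as `O'Brien` is delivered to the client as `O&#39;Brien`, which renders literally when the client assigns it through a DOM property instead of innerHTML, and a form that round-trips the prefilled value will double-encode it on resubmission; the more robust fix is to escape `<`, `>`, `&` (or `</`) in the JSON string, or use a JS-context escaper, at the point the JSON is inlined. Separately, the new gender line calls `uu.encodeHtml(account.getGender())` twice and moves the null check after the encoder, and `familyName`/`givenName` are now passed to the encoder unguarded where the original passed null through; whether `UiUtils.encodeHtml` tolerates null is not visible in this hunk, so the guard should be on the raw value: `simplePerson.put("gender", account.getGender() != null ? uu.encodeHtml(account.getGender()) : "");`. `setJsonFormData` continues past the end of the hunk, so any remaining `put` calls on `userProperties` and `simpleProvider` should get the same review.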
