OO-652: solve escaping issue, in red screen too

9752944d · srosse · e5383c37 · 9752944d · 9752944d · 9752944d
Commit 9752944d authored 11 years ago by srosse
--- a/pom.xml
+++ b/pom.xml
@@ -1647,12 +1647,12 @@
 		<dependency>
 			<groupId>net.sourceforge.nekohtml</groupId>
 			<artifactId>nekohtml</artifactId>
-			<version>1.9.14</version>
+			<version>1.9.16</version>
 		</dependency>
 		<dependency>
 			<groupId>org.owasp.antisamy</groupId>
 			<artifactId>antisamy</artifactId>
-			<version>1.4.4</version>
+			<version>1.5.2</version>
 		</dependency>
 		<dependency>
 			<groupId>org.w3c.css</groupId>

--- a/src/main/java/org/olat/core/_i18n/LocalStrings_de.properties
+++ b/src/main/java/org/olat/core/_i18n/LocalStrings_de.properties
@@ -14,6 +14,7 @@ edit=Editieren
 error.header=Fehler
 error.jpbwrapper.renderfailed=Die Komponente kann nicht mehr dargestellt werden. Bitte rufen Sie die Komponente erneut auf.
 error.noformpostdata=Achtung\! Durch ein Problem Ihres Browsers wurden nicht alle Daten hochgeladen. Dr\u00FCcken Sie bitte den Zur\u00FCck-Knopf und versuchen Sie es nochmals.
+error.post.method.mandatory=Benutzt ein Browser
 expand=Vergr\u00F6ssern
 finish=Fertigstellen
 form.checkall=Alle ausw\u00E4hlen

--- a/src/main/java/org/olat/core/_i18n/LocalStrings_en.properties
+++ b/src/main/java/org/olat/core/_i18n/LocalStrings_en.properties
@@ -14,6 +14,7 @@ edit=Edit
 error.header=Error
 error.jpbwrapper.renderfailed=This component cannot be displayed anymore. Please start component again.
 error.noformpostdata=Attention\! Due to problems concerning your browser some data could not be transferred. Please use the "Back" button and try again.
+error.post.method.mandatory=Use a browser!
 expand=Expand
 finish=Finish
 form.checkall=Select all

--- a/src/main/java/org/olat/core/gui/components/form/flexible/impl/elements/AbstractTextElement.java
+++ b/src/main/java/org/olat/core/gui/components/form/flexible/impl/elements/AbstractTextElement.java
@@ -129,7 +129,7 @@ public abstract class AbstractTextElement extends FormItemImpl implements TextEl
 	 * @see org.olat.core.gui.components.form.flexible.elements.TextElement#getValue()
 	 */
 	public String getValue() {
-		Filter xssFilter = FilterFactory.getXSSFilter(value.length() + 1);
+		Filter xssFilter = FilterFactory.getXSSFilterForTextField(value.length() + 1);
 		return getValue(xssFilter);
 	}

--- a/src/main/java/org/olat/core/logging/OLATRuntimeException.java
+++ b/src/main/java/org/olat/core/logging/OLATRuntimeException.java
@@ -19,6 +19,9 @@
 */ 
 package org.olat.core.logging;
+import org.olat.core.util.filter.FilterFactory;
 /**
 *  Description:<br />
 *	 Thrown if an unrecoverable error occurs. These Exceptions get caught by the Servlet. The user
@@ -89,7 +92,7 @@ public class OLATRuntimeException extends RuntimeException {
 	 * @param th
 	 * @return HTML fragment.
 	 */
-	public static StringBuilder throwableToHtml(Throwable th) {
+	public static String throwableToHtml(Throwable th) {
 		StringBuilder sb = new StringBuilder("<br />");
 		if (th == null) {
 			sb.append("n/a");
@@ -107,7 +110,7 @@ public class OLATRuntimeException extends RuntimeException {
 				ca = ca.getCause();	
 			}
 		}
-		return sb;
+		return FilterFactory.getXSSFilter(10000).filter(sb.toString());
 	}
 	private static void toHtml(StringBuilder sb, Throwable th) {

--- a/src/main/java/org/olat/core/util/filter/FilterFactory.java
+++ b/src/main/java/org/olat/core/util/filter/FilterFactory.java
@@ -80,6 +80,16 @@ public class FilterFactory {
 		// currently the XSS filter is statefull
 		return new OWASPAntiSamyXSSFilter(maxLength, false);
 	}
+	/**
+	 * 
+	 * @param maxLength
+	 * @return
+	 */
+	public static Filter getXSSFilterForTextField(int maxLength) {
+		// currently the XSS filter is statefull
+		return new OWASPAntiSamyXSSFilter(maxLength, false, false);
+	}
 	/**
 	 * Get a filter to add a mapper base url to relative media links in HTML

--- a/src/main/java/org/olat/core/util/filter/impl/OWASPAntiSamyXSSFilter.java
+++ b/src/main/java/org/olat/core/util/filter/impl/OWASPAntiSamyXSSFilter.java
@@ -57,14 +57,20 @@ public class OWASPAntiSamyXSSFilter extends LogDelegator implements Filter {
 	private static boolean jUnitDebug;
 	private CleanResults cr;
 	private final int maxLength;
+	private final boolean entityEncodeIntlChars;
 	/**
 	 * @param maxLength
 	 * @param junitDebug
 	 */
 	public OWASPAntiSamyXSSFilter(int maxLength, boolean junitDebug){
+		this(maxLength, true, junitDebug);
+	}
+	public OWASPAntiSamyXSSFilter(int maxLength, boolean entityEncodeIntlChars, boolean junitDebug){
 		OWASPAntiSamyXSSFilter.jUnitDebug = junitDebug;
 		this.maxLength = maxLength;
+		this.entityEncodeIntlChars = entityEncodeIntlChars;
 	}
 	/**
@@ -110,7 +116,10 @@ public class OWASPAntiSamyXSSFilter extends LogDelegator implements Filter {
 			InputStream inStream = this.getClass().getResourceAsStream(fPath);
 			policy = Policy.getInstance(inStream);
 			if(maxLength > 0) {
-				policy.setDirective("maxInputSize", Integer.toString(maxLength));
+				policy = policy.cloneWithDirective("maxInputSize", Integer.toString(maxLength));
+			}
+			if(!entityEncodeIntlChars) {
+				policy = policy.cloneWithDirective("entityEncodeIntlChars", "false");
 			}
 		} catch (PolicyException e) {
 			if (jUnitDebug) System.err.println("Policy file not found/readable/valid!");
@@ -157,6 +166,4 @@ public class OWASPAntiSamyXSSFilter extends LogDelegator implements Filter {
 		}
 		return errors;
 	}
 }
--- a/src/main/java/org/olat/core/util/filter/impl/_resources/antisamy-tinymce.xml
+++ b/src/main/java/org/olat/core/util/filter/impl/_resources/antisamy-tinymce.xml
@@ -14,6 +14,8 @@
 		<directive name="embedStyleSheets" value="false" />
 		<directive name="useXHTML" value="true" />
 		<directive name="formatOutput" value="false" />
+		<directive name="entityEncodeIntlChars" value="true" />
+		<directive name="preserveSpace" value="true" />
 	</directives>
 	<common-regexps>

--- a/src/main/java/org/olat/login/auth/OLATAuthentcationForm.java
+++ b/src/main/java/org/olat/login/auth/OLATAuthentcationForm.java
@@ -63,8 +63,14 @@ public class OLATAuthentcationForm extends FormBasicController {
 	@Override
 	public boolean validateFormLogic(UserRequest ureq) {
 		boolean valid = true;
-		valid = valid && !login.isEmpty("lf.error.loginempty");
+		login.clearError();
-		valid = valid && !pass.isEmpty("lf.error.passempty");
+		//only POST is allowed
+		if(!"POST".equals(ureq.getHttpReq().getMethod())) {
+			login.setErrorKey("error.post.method.mandatory", null);
+			valid = false;
+		}
+		valid &= !login.isEmpty("lf.error.loginempty");
+		valid &= !pass.isEmpty("lf.error.passempty");
 		return valid;
 	}

--- a/src/test/java/org/olat/core/util/filter/impl/XSSFilterTest.java
+++ b/src/test/java/org/olat/core/util/filter/impl/XSSFilterTest.java
@@ -58,7 +58,11 @@ public class XSSFilterTest {
 	}
 	private void t(String input, String result) {
-		String filterRes = vFilter.filter(input);
+		t(input, result, vFilter);
+	}
+	private void t(String input, String result, Filter f) {
+		String filterRes = f.filter(input);
 		if (filterRes == result || filterRes.equals(result)){
 			counter ++;
 			System.out.println("------------------------------------------------");
@@ -252,7 +256,18 @@ public class XSSFilterTest {
 		String input = "<br>";
 		String output = "<br />";
 		t(input,output);
+	}
+	@Test
+	public void test_rawText() {
+		OWASPAntiSamyXSSFilter intlFilter = new OWASPAntiSamyXSSFilter(-1, false, true);
+		t("Stéphane Rossé", "Stéphane Rossé", intlFilter);
+	}
+	@Test
+	public void test_rawTextAttaqu() {
+		OWASPAntiSamyXSSFilter intlFilter = new OWASPAntiSamyXSSFilter(-1, false, true);
+		t("&lt;script&gt;alert('hello');&lt;//script&gt;", "&lt;script&gt;alert('hello');&lt;//script&gt;", intlFilter);
 	}
 }