From cf13f13eb33b4acde2a8eb0fa2ed295cf7d07589 Mon Sep 17 00:00:00 2001
From: srosse <none@none>
Date: Thu, 3 Oct 2013 15:21:26 +0200
Subject: [PATCH] OO-689: scan wiki search input

---
 .../flexible/impl/FormBasicController.java    |  1 -
 .../impl/FormWrapperContainerRenderer.java    |  5 +--
 .../java/org/olat/core/util/StringHelper.java |  6 ++++
 .../filter/impl/OWASPAntiSamyXSSFilter.java   |  7 ++++
 .../modules/wiki/WikiArticleSearchForm.java   | 32 +++++++++++++------
 .../olat/modules/wiki/WikiMainController.java |  7 ++--
 .../modules/wiki/_content/articleSearch.html  |  1 +
 7 files changed, 45 insertions(+), 14 deletions(-)

diff --git a/src/main/java/org/olat/core/gui/components/form/flexible/impl/FormBasicController.java b/src/main/java/org/olat/core/gui/components/form/flexible/impl/FormBasicController.java
index c66a2673ed4..2274ce8da6b 100644
--- a/src/main/java/org/olat/core/gui/components/form/flexible/impl/FormBasicController.java
+++ b/src/main/java/org/olat/core/gui/components/form/flexible/impl/FormBasicController.java
@@ -306,7 +306,6 @@ public abstract class FormBasicController extends BasicController {
 	 *      org.olat.core.gui.components.Component,
 	 *      org.olat.core.gui.control.Event)
 	 */
-	@SuppressWarnings("unused")
 	@Override
 	public void event(UserRequest ureq, Component source, Event event) {
 		if (source == mainForm.getInitialComponent()) {
diff --git a/src/main/java/org/olat/core/gui/components/form/flexible/impl/FormWrapperContainerRenderer.java b/src/main/java/org/olat/core/gui/components/form/flexible/impl/FormWrapperContainerRenderer.java
index aec5a331ef4..08add6ddf37 100644
--- a/src/main/java/org/olat/core/gui/components/form/flexible/impl/FormWrapperContainerRenderer.java
+++ b/src/main/java/org/olat/core/gui/components/form/flexible/impl/FormWrapperContainerRenderer.java
@@ -62,7 +62,7 @@ class FormWrapperContainerRenderer implements ComponentRenderer {
 	 *      org.olat.core.gui.translator.Translator,
 	 *      org.olat.core.gui.render.RenderResult, java.lang.String[])
 	 */
-	@SuppressWarnings("unused")
+	@Override
 	public void render(Renderer renderer, StringOutput sb, Component source, URLBuilder ubu, Translator translator,
 			RenderResult renderResult, String[] args) {
 		FormWrapperContainer formC = (FormWrapperContainer) source;
@@ -135,6 +135,7 @@ class FormWrapperContainerRenderer implements ComponentRenderer {
 	 *      org.olat.core.gui.components.Component,
 	 *      org.olat.core.gui.render.RenderingState)
 	 */
+	@Override
 	public void renderBodyOnLoadJSFunctionCall(Renderer renderer, StringOutput sb, Component source, RenderingState rstate) {
 		FormWrapperContainer formC = (FormWrapperContainer) source;
 		Container toRender = formC.getFormLayout();
@@ -151,7 +152,7 @@ class FormWrapperContainerRenderer implements ComponentRenderer {
 	 *      org.olat.core.gui.translator.Translator,
 	 *      org.olat.core.gui.render.RenderingState)
 	 */
-	@SuppressWarnings("unused")
+	@Override
 	public void renderHeaderIncludes(Renderer renderer, StringOutput sb, Component source, URLBuilder ubu, Translator translator,
 			RenderingState rstate) {
 		FormWrapperContainer formC = (FormWrapperContainer) source;
diff --git a/src/main/java/org/olat/core/util/StringHelper.java b/src/main/java/org/olat/core/util/StringHelper.java
index 63e499abab2..1df68d2a6fe 100644
--- a/src/main/java/org/olat/core/util/StringHelper.java
+++ b/src/main/java/org/olat/core/util/StringHelper.java
@@ -358,6 +358,12 @@ public class StringHelper {
 		return new OWASPAntiSamyXSSFilter().filter(str);
 	}
 	
+	public static final boolean xssScanForErrors(String str) {
+		OWASPAntiSamyXSSFilter filter = new OWASPAntiSamyXSSFilter();
+		filter.filter(str);
+		return filter.getNumOfErrors() > 0;
+	}
+	
 	public static final String escapeJavaScript(String str) {
 		return StringEscapeUtils.escapeJavaScript(str);
 	}
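Review bot: `xssScanForErrors` treats a missing scan result as clean, because `getNumOfErrors()` (added in the OWASPAntiSamyXSSFilter hunk of this patch) returns -1 when its `cr` is null and the helper only tests `> 0`, so an input for which the filter produced no result passes validation — the fail-open direction for a check whose callers reject on a positive answer. Whether `cr` can still be null after `filter()` is decided outside the shown lines, so this is inferred from the two hunks together. Either make the no-result case explicit, `int errors = filter.getNumOfErrors(); return errors != 0;` (which rejects when no scan result exists), or document the choice in a Javadoc such as `/** Runs the AntiSamy policy over {@code str} and reports whether it flagged anything; a scan that produced no result is treated as clean. */`. The `final` modifier on a static method has no effect and can be dropped.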
diff --git a/src/main/java/org/olat/core/util/filter/impl/OWASPAntiSamyXSSFilter.java b/src/main/java/org/olat/core/util/filter/impl/OWASPAntiSamyXSSFilter.java
index b93860573da..464f9d2726b 100644
--- a/src/main/java/org/olat/core/util/filter/impl/OWASPAntiSamyXSSFilter.java
+++ b/src/main/java/org/olat/core/util/filter/impl/OWASPAntiSamyXSSFilter.java
@@ -164,6 +164,13 @@ public class OWASPAntiSamyXSSFilter implements Filter {
 		
 		return output;
 	}
+	
+	public int getNumOfErrors() {
+		if (cr != null) {
+			return cr.getNumberOfErrors();
+		}
+		return -1;
+	}
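Review bot: `getNumOfErrors` is a new public accessor without the Javadoc that the neighbouring "get Errors/Messages from filter." method carries, and its -1 sentinel is not explained at the declaration. Proposed: `/** Number of findings recorded by the last {@link #filter(String)} call, or -1 when no scan result is available. */`. The field `cr` and the place it is assigned are outside the hunk, so when it remains null is not visible here.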
 
 	/**
 	 * get Errors/Messages from filter. 
diff --git a/src/main/java/org/olat/modules/wiki/WikiArticleSearchForm.java b/src/main/java/org/olat/modules/wiki/WikiArticleSearchForm.java
index 0d8e428a263..da50a2f7cf3 100644
--- a/src/main/java/org/olat/modules/wiki/WikiArticleSearchForm.java
+++ b/src/main/java/org/olat/modules/wiki/WikiArticleSearchForm.java
@@ -28,10 +28,10 @@ import org.olat.core.gui.UserRequest;
 import org.olat.core.gui.components.form.flexible.FormItemContainer;
 import org.olat.core.gui.components.form.flexible.elements.TextElement;
 import org.olat.core.gui.components.form.flexible.impl.FormBasicController;
-import org.olat.core.gui.components.form.flexible.impl.elements.FormSubmit;
 import org.olat.core.gui.control.Controller;
 import org.olat.core.gui.control.Event;
 import org.olat.core.gui.control.WindowControl;
+import org.olat.core.util.StringHelper;
 
 /**
  * Description:<br>
@@ -47,7 +47,7 @@ public class WikiArticleSearchForm extends FormBasicController {
 
 	public WikiArticleSearchForm(UserRequest ureq, WindowControl control) {
 		super(ureq, control, "articleSearch");
-		initForm(this.flc, this, ureq);
+		initForm(ureq);
 	}
 
 	/**
@@ -67,20 +67,34 @@ public class WikiArticleSearchForm extends FormBasicController {
 	/**
 	 * @see org.olat.core.gui.components.form.flexible.impl.FormBasicController#initForm(org.olat.core.gui.components.form.flexible.FormItemContainer, org.olat.core.gui.control.Controller, org.olat.core.gui.UserRequest)
 	 */
-	@SuppressWarnings("unused") 
 	@Override
 	protected void initForm(FormItemContainer formLayout, Controller listener, UserRequest ureq) {
 		searchQuery = uifactory.addTextElement("search", null, 250, null, formLayout);
 		searchQuery.setDisplaySize(40);
 		
-		FormSubmit submit = new FormSubmit("subm", "navigation.create.article");
-		formLayout.add(submit);
+		uifactory.addFormSubmitButton("subm", "navigation.create.article", formLayout);
 	}
-	
+
+	@Override
+	protected boolean validateFormLogic(UserRequest ureq) {
+		boolean allOk = true;
+		
+		String val = searchQuery.getValue();
+		searchQuery.clearError();
+		if(!StringHelper.containsNonWhitespace(val)) {
+			searchQuery.setErrorKey("form.legende.mandatory", null);
+			allOk = false;
+		} else if(StringHelper.xssScanForErrors(val)) {
+			searchQuery.setErrorKey("form.legende.mandatory", null);
+			searchQuery.setValue("");
+			allOk = false;
+		}
+
+		return allOk & super.validateFormLogic(ureq);
+	}
+
 	public String getQuery() {
 		String query = searchQuery.getValue();
-		searchQuery.setValue(null);
 		return query;
 	}
-
-}
+}
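Review bot: In `validateFormLogic` the branch that rejects a value flagged by `StringHelper.xssScanForErrors` reuses the `form.legende.mandatory` error key, so a user who typed a non-empty query is told the field is mandatory rather than that the query contained disallowed markup; a dedicated i18n key (constructed example: `form.legende.search.invalid`, to be added to the bundle) would make the rejection understandable. The method also lacks a comment explaining why a page-name lookup goes through the XSS filter; proposed: `/** Rejects blank queries and queries the AntiSamy policy flags, since the value is used as a wiki page name (see WikiMainController) and is not accepted as markup. */` — the page-name use is taken from `wiki.findPage(query)` in the WikiMainController hunk. The removal of `searchQuery.setValue(null)` from `getQuery()` means the field now keeps its value after a successful submit; if that is intended, a one-line comment there would keep the next reader from re-adding the reset.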
\ No newline at end of file
diff --git a/src/main/java/org/olat/modules/wiki/WikiMainController.java b/src/main/java/org/olat/modules/wiki/WikiMainController.java
index d0bccb9ec7d..8a69b3c5217 100644
--- a/src/main/java/org/olat/modules/wiki/WikiMainController.java
+++ b/src/main/java/org/olat/modules/wiki/WikiMainController.java
@@ -73,6 +73,7 @@ import org.olat.core.logging.Tracing;
 import org.olat.core.logging.activity.LearningResourceLoggingAction;
 import org.olat.core.logging.activity.OlatResourceableType;
 import org.olat.core.logging.activity.ThreadLocalUserActivityLogger;
+import org.olat.core.util.StringHelper;
 import org.olat.core.util.coordinate.CoordinatorManager;
 import org.olat.core.util.coordinate.LockResult;
 import org.olat.core.util.notifications.ContextualSubscriptionController;
@@ -409,7 +410,7 @@ public class WikiMainController extends BasicController implements CloneableCont
 		if (!(event instanceof RequestNewPageEvent) && !(event instanceof RequestMediaEvent) && !(event instanceof RequestImageEvent)) {
 			page = wiki.getPage(pageId, true);
 			//set recent page id to the page currently used
-			if (page != null) this.pageId = page.getPageId();
+			if (page != null) pageId = page.getPageId();
 		}
 		
 		if (source == content) {
@@ -807,7 +808,9 @@ public class WikiMainController extends BasicController implements CloneableCont
 
 		else if (source == searchOrCreateArticleForm) {
 			String query = searchOrCreateArticleForm.getQuery();
-			if (query == null) query = WikiPage.WIKI_INDEX_PAGE;
+			if (!StringHelper.containsNonWhitespace(query)) {
+				query = WikiPage.WIKI_INDEX_PAGE;
+			}
 			page = wiki.findPage(query);
 			pageId = page.getPageId();
 			if (page.getPageName().equals(Wiki.NEW_PAGE)) setTabsEnabled(false);
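Review bot: The fallback to `WikiPage.WIKI_INDEX_PAGE` for a blank query is now normally unreachable, because `validateFormLogic` in the WikiArticleSearchForm hunk rejects blank input — assuming the form event is raised only after validation passes, which is outside the shown lines — so a comment should mark it as a safety net: `// blank queries are already rejected by WikiArticleSearchForm.validateFormLogic; kept as a fallback`. The query is also handed to `wiki.findPage` untrimmed, so leading or trailing whitespace reaches the page lookup as typed unless `findPage` normalises it, which is not visible here. The enclosing `event` method starts and ends outside the hunk.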
diff --git a/src/main/java/org/olat/modules/wiki/_content/articleSearch.html b/src/main/java/org/olat/modules/wiki/_content/articleSearch.html
index 2f49be025ff..a8883a0b3c0 100644
--- a/src/main/java/org/olat/modules/wiki/_content/articleSearch.html
+++ b/src/main/java/org/olat/modules/wiki/_content/articleSearch.html
@@ -1,4 +1,5 @@
 $r.render("search")
+$r.render("search_ERROR")
 <div class="b_button_group o_sel_wiki_search">
 	$r.render("subm")
 </div>
\ No newline at end of file
-- 
GitLab