OO-652: replace escaping of some descriptions fields with antisamy

e2fb765d · srosse · 08548d22 · e2fb765d · e2fb765d · e2fb765d
Commit e2fb765d authored 11 years ago by srosse
--- a/src/main/java/org/olat/core/commons/services/mark/ui/BookmarksController.java
+++ b/src/main/java/org/olat/core/commons/services/mark/ui/BookmarksController.java
@@ -39,6 +39,7 @@ import org.olat.core.commons.services.mark.Mark;
 import org.olat.core.commons.services.mark.MarkManager;
 import org.olat.core.gui.UserRequest;
 import org.olat.core.gui.components.Component;
+import org.olat.core.gui.components.EscapeMode;
 import org.olat.core.gui.components.table.DefaultColumnDescriptor;
 import org.olat.core.gui.components.table.DefaultTableDataModel;
 import org.olat.core.gui.components.table.StaticColumnDescriptor;
@@ -95,7 +96,7 @@ public class BookmarksController extends BasicController {
 		tableCtr.addColumnDescriptor(new DefaultColumnDescriptor("table.bm.title", 0, "choose", getLocale()));
 		tableCtr.addColumnDescriptor(new DefaultColumnDescriptor("table.bm.resource", 1, null, getLocale()));
 		DefaultColumnDescriptor descCol = new DefaultColumnDescriptor("table.bm.description", 2, null, getLocale());
-		descCol.setEscapeHtml(false);
+		descCol.setEscapeHtml(EscapeMode.antisamy);
 		tableCtr.addColumnDescriptor(descCol);
 		tableCtr.addColumnDescriptor(new StaticColumnDescriptor("delete", "table.header.delete", translate("action.delete")));
 		listenTo(tableCtr);

--- a/src/main/java/org/olat/core/gui/components/EscapeMode.java
+++ b/src/main/java/org/olat/core/gui/components/EscapeMode.java
+/**
+ * <a href="http://www.openolat.org">
+ * OpenOLAT - Online Learning and Training</a><br>
+ * <p>
+ * Licensed under the Apache License, Version 2.0 (the "License"); <br>
+ * you may not use this file except in compliance with the License.<br>
+ * You may obtain a copy of the License at the
+ * <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache homepage</a>
+ * <p>
+ * Unless required by applicable law or agreed to in writing,<br>
+ * software distributed under the License is distributed on an "AS IS" BASIS, <br>
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. <br>
+ * See the License for the specific language governing permissions and <br>
+ * limitations under the License.
+ * <p>
+ * Initial code contributed and copyrighted by<br>
+ * frentix GmbH, http://www.frentix.com
+ * <p>
+ */
+package org.olat.core.gui.components;
+/**
+ * List different escaping strategy
+ * 
+ * Initial date: 16.08.2013<br>
+ * @author srosse, stephane.rosse@frentix.com, http://www.frentix.com
+ *
+ */
+public enum EscapeMode {
+	none,
+	html,
+	antisamy
+}
--- a/src/main/java/org/olat/core/gui/components/table/DefaultColumnDescriptor.java
+++ b/src/main/java/org/olat/core/gui/components/table/DefaultColumnDescriptor.java
@@ -31,10 +31,12 @@ import java.text.Collator;
 import java.util.Date;
 import java.util.Locale;
+import org.olat.core.gui.components.EscapeMode;
 import org.olat.core.gui.render.Renderer;
 import org.olat.core.gui.render.StringOutput;
 import org.olat.core.util.Formatter;
 import org.olat.core.util.StringHelper;
+import org.olat.core.util.filter.impl.OWASPAntiSamyXSSFilter;
 /**
@@ -57,7 +59,7 @@ public class DefaultColumnDescriptor implements ColumnDescriptor {
 	protected Collator collator; 
 	protected Table table; 
 	protected int dataColumn;
-	private boolean escapeHtml = true;
+	private EscapeMode escapeHtml = EscapeMode.html;
 	private boolean translateHeaderKey = true; 
 	/**
@@ -106,7 +108,7 @@ public class DefaultColumnDescriptor implements ColumnDescriptor {
 		this.translateHeaderKey = translateHeaderKey;
 	}
-	public void setEscapeHtml(boolean escape) {
+	public void setEscapeHtml(EscapeMode escape) {
 		this.escapeHtml = escape;
 	}
@@ -131,14 +133,25 @@ public class DefaultColumnDescriptor implements ColumnDescriptor {
 			String res =  formatter.formatDateAndTime((Date)val);
 			sb.append(res);
 		} else if(val instanceof String) {
-			if(escapeHtml) {
+			renderString(sb, (String)val);
-				StringHelper.escapeHtml(sb, (String)val);
-			} else {
-				sb.append((String)val);
-			}
 		} else {
-			String res = val.toString();
+			renderString(sb, val.toString());
-			sb.append(res);
+		}
+	}
+	private void renderString(StringOutput sb, String val) {
+		switch(escapeHtml) {
+			case none:
+				sb.append((String)val);
+				break;
+			case html:
+				StringHelper.escapeHtml(sb, (String)val);
+				break;
+			case antisamy:
+				System.out.println(val);
+				sb.append(new OWASPAntiSamyXSSFilter().filter(val));
+				break;
+			default : StringHelper.escapeHtml(sb, (String)val);
 		}
 	}

--- a/src/main/java/org/olat/group/ui/main/AdminBusinessGroupsController.java
+++ b/src/main/java/org/olat/group/ui/main/AdminBusinessGroupsController.java
@@ -22,6 +22,7 @@ package org.olat.group.ui.main;
 import java.util.List;
 import org.olat.core.gui.UserRequest;
+import org.olat.core.gui.components.EscapeMode;
 import org.olat.core.gui.components.table.BooleanColumnDescriptor;
 import org.olat.core.gui.components.table.ColumnDescriptor;
 import org.olat.core.gui.components.table.CustomCellRenderer;
@@ -76,7 +77,9 @@ public class AdminBusinessGroupsController extends AbstractBusinessGroupListCont
 		if(groupModule.isManagedBusinessGroups()) {
 			groupListCtr.addColumnDescriptor(false, new DefaultColumnDescriptor(Cols.externalId.i18n(), Cols.externalId.ordinal(), null, getLocale()));
 		}
-		groupListCtr.addColumnDescriptor(false, new DefaultColumnDescriptor(Cols.description.i18n(), Cols.description.ordinal(), null, getLocale()));
+		DefaultColumnDescriptor descriptionCol = new DefaultColumnDescriptor(Cols.description.i18n(), Cols.description.ordinal(), null, getLocale());
+		descriptionCol.setEscapeHtml(EscapeMode.antisamy);
+		groupListCtr.addColumnDescriptor(false, descriptionCol);
 		groupListCtr.addColumnDescriptor(new ResourcesColumnDescriptor(this, mainVC, getTranslator()));
 		CustomCellRenderer acRenderer = new BGAccessControlledCellRenderer();
 		groupListCtr.addColumnDescriptor(new CustomRenderColumnDescriptor(Cols.accessTypes.i18n(), Cols.accessTypes.ordinal(), null, getLocale(), ColumnDescriptor.ALIGNMENT_LEFT, acRenderer));

--- a/src/main/java/org/olat/portfolio/ui/artefacts/view/EPMultipleArtefactsAsTableController.java
+++ b/src/main/java/org/olat/portfolio/ui/artefacts/view/EPMultipleArtefactsAsTableController.java
@@ -24,6 +24,7 @@ import java.util.List;
 import org.olat.core.CoreSpringFactory;
 import org.olat.core.gui.UserRequest;
 import org.olat.core.gui.components.Component;
+import org.olat.core.gui.components.EscapeMode;
 import org.olat.core.gui.components.table.ColumnDescriptor;
 import org.olat.core.gui.components.table.CustomRenderColumnDescriptor;
 import org.olat.core.gui.components.table.DefaultColumnDescriptor;
@@ -127,7 +128,7 @@ public class EPMultipleArtefactsAsTableController extends BasicController implem
 		artefactListTblCtrl.addColumnDescriptor(descr);
 		descr = new DefaultColumnDescriptor("artefact.description", 1, null, getLocale());
-		descr.setEscapeHtml(false);
+		descr.setEscapeHtml(EscapeMode.antisamy);
 		artefactListTblCtrl.addColumnDescriptor(true, descr);
 		descr = new DefaultColumnDescriptor("artefact.date", 2, null, getLocale());