diff --git a/src/main/java/org/olat/core/commons/services/mark/ui/BookmarksController.java b/src/main/java/org/olat/core/commons/services/mark/ui/BookmarksController.java
index 57806faf1e1097606419801db785ac3bf9a62774..88af8ba11cb678d81e48548831aa9ac4f424992a 100644
--- a/src/main/java/org/olat/core/commons/services/mark/ui/BookmarksController.java
+++ b/src/main/java/org/olat/core/commons/services/mark/ui/BookmarksController.java
@@ -39,6 +39,7 @@ import org.olat.core.commons.services.mark.Mark;
 import org.olat.core.commons.services.mark.MarkManager;
 import org.olat.core.gui.UserRequest;
 import org.olat.core.gui.components.Component;
+import org.olat.core.gui.components.EscapeMode;
 import org.olat.core.gui.components.table.DefaultColumnDescriptor;
 import org.olat.core.gui.components.table.DefaultTableDataModel;
 import org.olat.core.gui.components.table.StaticColumnDescriptor;
@@ -95,7 +96,7 @@ public class BookmarksController extends BasicController {
 tableCtr.addColumnDescriptor(new DefaultColumnDescriptor("table.bm.title", 0, "choose", getLocale()));
 tableCtr.addColumnDescriptor(new DefaultColumnDescriptor("table.bm.resource", 1, null, getLocale()));
 DefaultColumnDescriptor descCol = new DefaultColumnDescriptor("table.bm.description", 2, null, getLocale());
- descCol.setEscapeHtml(false);
+ descCol.setEscapeHtml(EscapeMode.antisamy);
 tableCtr.addColumnDescriptor(descCol);
 tableCtr.addColumnDescriptor(new StaticColumnDescriptor("delete", "table.header.delete", translate("action.delete")));
 listenTo(tableCtr);
diff --git a/src/main/java/org/olat/core/gui/components/EscapeMode.java b/src/main/java/org/olat/core/gui/components/EscapeMode.java
new file mode 100644
index 0000000000000000000000000000000000000000..5a2948cea6a842ae9d84942823b96651cf9aa20b
--- /dev/null
+++ b/src/main/java/org/olat/core/gui/components/EscapeMode.java
@@ -0,0 +1,34 @@
+/**
+ * <a href="http://www.openolat.org">
+ * OpenOLAT - Online Learning and Training</a><br>
+ * <p>
+ * Licensed under the Apache License, Version 2.0 (the "License"); <br>
+ * you may not use this file except in compliance with the License.<br>
+ * You may obtain a copy of the License at the
+ * <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache homepage</a>
+ * <p>
+ * Unless required by applicable law or agreed to in writing,<br>
+ * software distributed under the License is distributed on an "AS IS" BASIS, <br>
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. <br>
+ * See the License for the specific language governing permissions and <br>
+ * limitations under the License.
+ * <p>
+ * Initial code contributed and copyrighted by<br>
+ * frentix GmbH, http://www.frentix.com
+ * <p>
+ */
+package org.olat.core.gui.components;
+
+/**
+ * List different escaping strategy
+ *
+ * Initial date: 16.08.2013<br>
+ * @author srosse, stephane.rosse@frentix.com, http://www.frentix.com
+ *
+ */
+public enum EscapeMode {
+ none,
+ html,
+ antisamy
+
+}
diff --git a/src/main/java/org/olat/core/gui/components/table/DefaultColumnDescriptor.java b/src/main/java/org/olat/core/gui/components/table/DefaultColumnDescriptor.java
index 500f6594b2999b6316aca33531ffcac5128c8141..976b0aaf312411be3a2ea491dc592e73ec31aaaf 100644
--- a/src/main/java/org/olat/core/gui/components/table/DefaultColumnDescriptor.java
+++ b/src/main/java/org/olat/core/gui/components/table/DefaultColumnDescriptor.java
@@ -31,10 +31,12 @@ import java.text.Collator;
 import java.util.Date;
 import java.util.Locale;
+import org.olat.core.gui.components.EscapeMode;
 import org.olat.core.gui.render.Renderer;
 import org.olat.core.gui.render.StringOutput;
 import org.olat.core.util.Formatter;
 import org.olat.core.util.StringHelper;
+import org.olat.core.util.filter.impl.OWASPAntiSamyXSSFilter;
 /**
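Review bot: The enum Javadoc `List different escaping strategy` does not say what the three constants do, and the constants themselves carry no documentation, so a reader of this file cannot tell that `none` renders the value verbatim and that `antisamy` passes it through OWASPAntiSamyXSSFilter (both visible only in the DefaultColumnDescriptor hunk of this commit). Reword the summary to `Lists the escaping strategies a table column can apply to String cell values.` and add a one-line Javadoc above each constant: `/** Output the value unchanged; the caller must guarantee it is safe HTML. */` for none, `/** HTML-escape the value (the default). */` for html, `/** Sanitize the value as HTML through the AntiSamy policy. */` for antisamy. The stray blank line between `antisamy` and the closing brace can also go.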
@@ -57,7 +59,7 @@ public class DefaultColumnDescriptor implements ColumnDescriptor {
 protected Collator collator;
 protected Table table;
 protected int dataColumn;
- private boolean escapeHtml = true;
+ private EscapeMode escapeHtml = EscapeMode.html;
 private boolean translateHeaderKey = true;
 /**
@@ -106,7 +108,7 @@ public class DefaultColumnDescriptor implements ColumnDescriptor {
 this.translateHeaderKey = translateHeaderKey;
 }
- public void setEscapeHtml(boolean escape) {
+ public void setEscapeHtml(EscapeMode escape) {
 this.escapeHtml = escape;
 }
@@ -131,14 +133,25 @@ public class DefaultColumnDescriptor implements ColumnDescriptor {
 String res = formatter.formatDateAndTime((Date)val);
 sb.append(res);
 } else if(val instanceof String) {
- if(escapeHtml) {
- StringHelper.escapeHtml(sb, (String)val);
- } else {
- sb.append((String)val);
- }
+ renderString(sb, (String)val);
 } else {
- String res = val.toString();
- sb.append(res);
+ renderString(sb, val.toString());
+ }
+ }
+
+ private void renderString(StringOutput sb, String val) {
+ switch(escapeHtml) {
+ case none:
+ sb.append((String)val);
+ break;
+ case html:
+ StringHelper.escapeHtml(sb, (String)val);
+ break;
+ case antisamy:
+ System.out.println(val);
+ sb.append(new OWASPAntiSamyXSSFilter().filter(val));
+ break;
+ default : StringHelper.escapeHtml(sb, (String)val);
 }
 }
diff --git a/src/main/java/org/olat/group/ui/main/AdminBusinessGroupsController.java b/src/main/java/org/olat/group/ui/main/AdminBusinessGroupsController.java
index 0a91e16a2de4c5a77a3368b7562fa61b45fcf505..58ccb25f934bfead41f94fe221cc3217b3ab2de9 100644
--- a/src/main/java/org/olat/group/ui/main/AdminBusinessGroupsController.java
+++ b/src/main/java/org/olat/group/ui/main/AdminBusinessGroupsController.java
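Review bot: `setEscapeHtml(EscapeMode escape)` stores a null argument without complaint, and the failure only surfaces later as a NullPointerException in the `switch(escapeHtml)` of renderString when the cell is rendered; reject it at the setter, `if(escape == null) throw new IllegalArgumentException("escape must not be null");`. Because the parameter type changed from boolean, any remaining `setEscapeHtml(false)` caller outside the three controllers updated in this commit will fail to compile, which usefully forces an explicit choice of mode rather than silently keeping unescaped output; a full-tree build is the check for that. A Javadoc line on the setter saying that `html` is the default and that `none` emits the value verbatim would help callers choose.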
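Review bot: `System.out.println(val);` in the `antisamy` case of renderString is leftover debug output that writes every description cell to stdout on each render; delete that line. A new `OWASPAntiSamyXSSFilter` is also constructed for every rendered cell; if the filter is stateless (not visible here, confirm in the filter class), hold a single instance in a field and write `sb.append(xssFilter.filter(val));`. The `(String)val` casts in the `none`, `html` and `default` branches are redundant since `val` is already a String, and since `default` is unreachable for a non-null enum the fallback to escaping there is really a statement of intent; a comment such as `// fail closed: any unknown mode escapes` would make that explicit.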
@@ -22,6 +22,7 @@ package org.olat.group.ui.main;
 import java.util.List;
 import org.olat.core.gui.UserRequest;
+import org.olat.core.gui.components.EscapeMode;
 import org.olat.core.gui.components.table.BooleanColumnDescriptor;
 import org.olat.core.gui.components.table.ColumnDescriptor;
 import org.olat.core.gui.components.table.CustomCellRenderer;
@@ -76,7 +77,9 @@ public class AdminBusinessGroupsController extends AbstractBusinessGroupListCont
 if(groupModule.isManagedBusinessGroups()) {
 groupListCtr.addColumnDescriptor(false, new DefaultColumnDescriptor(Cols.externalId.i18n(), Cols.externalId.ordinal(), null, getLocale()));
 }
- groupListCtr.addColumnDescriptor(false, new DefaultColumnDescriptor(Cols.description.i18n(), Cols.description.ordinal(), null, getLocale()));
+ DefaultColumnDescriptor descriptionCol = new DefaultColumnDescriptor(Cols.description.i18n(), Cols.description.ordinal(), null, getLocale());
+ descriptionCol.setEscapeHtml(EscapeMode.antisamy);
+ groupListCtr.addColumnDescriptor(false, descriptionCol);
 groupListCtr.addColumnDescriptor(new ResourcesColumnDescriptor(this, mainVC, getTranslator()));
 CustomCellRenderer acRenderer = new BGAccessControlledCellRenderer();
 groupListCtr.addColumnDescriptor(new CustomRenderColumnDescriptor(Cols.accessTypes.i18n(), Cols.accessTypes.ordinal(), null, getLocale(), ColumnDescriptor.ALIGNMENT_LEFT, acRenderer));
diff --git a/src/main/java/org/olat/portfolio/ui/artefacts/view/EPMultipleArtefactsAsTableController.java b/src/main/java/org/olat/portfolio/ui/artefacts/view/EPMultipleArtefactsAsTableController.java
index bdbc4ea38058d1ecc43f6786e89bea0d2f5ece40..fd5138122f49ab44811495821c7d8b10337d0a89 100644
--- a/src/main/java/org/olat/portfolio/ui/artefacts/view/EPMultipleArtefactsAsTableController.java
+++ b/src/main/java/org/olat/portfolio/ui/artefacts/view/EPMultipleArtefactsAsTableController.java
@@ -24,6 +24,7 @@ import java.util.List;
 import org.olat.core.CoreSpringFactory;
 import org.olat.core.gui.UserRequest;
 import org.olat.core.gui.components.Component;
+import org.olat.core.gui.components.EscapeMode;
 import org.olat.core.gui.components.table.ColumnDescriptor;
 import org.olat.core.gui.components.table.CustomRenderColumnDescriptor;
 import org.olat.core.gui.components.table.DefaultColumnDescriptor;
@@ -127,7 +128,7 @@ public class EPMultipleArtefactsAsTableController extends BasicController implem
 artefactListTblCtrl.addColumnDescriptor(descr);
 descr = new DefaultColumnDescriptor("artefact.description", 1, null, getLocale());
- descr.setEscapeHtml(false);
+ descr.setEscapeHtml(EscapeMode.antisamy);
 artefactListTblCtrl.addColumnDescriptor(true, descr);
 descr = new DefaultColumnDescriptor("artefact.date", 2, null, getLocale());