From e2fb765dbffd10b0b06fb0ce37dfa77211a5bc66 Mon Sep 17 00:00:00 2001
From: srosse <none@none>
Date: Mon, 19 Aug 2013 08:27:05 +0200
Subject: [PATCH] OO-652: replace escaping of some descriptions fields with
 antisamy

---
 .../services/mark/ui/BookmarksController.java |  3 +-
 .../olat/core/gui/components/EscapeMode.java  | 34 +++++++++++++++++++
 .../table/DefaultColumnDescriptor.java        | 31 ++++++++++++-----
 .../main/AdminBusinessGroupsController.java   |  5 ++-
 .../EPMultipleArtefactsAsTableController.java |  3 +-
 5 files changed, 64 insertions(+), 12 deletions(-)
 create mode 100644 src/main/java/org/olat/core/gui/components/EscapeMode.java

diff --git a/src/main/java/org/olat/core/commons/services/mark/ui/BookmarksController.java b/src/main/java/org/olat/core/commons/services/mark/ui/BookmarksController.java
index 57806faf1e1..88af8ba11cb 100644
--- a/src/main/java/org/olat/core/commons/services/mark/ui/BookmarksController.java
+++ b/src/main/java/org/olat/core/commons/services/mark/ui/BookmarksController.java
@@ -39,6 +39,7 @@ import org.olat.core.commons.services.mark.Mark;
 import org.olat.core.commons.services.mark.MarkManager;
 import org.olat.core.gui.UserRequest;
 import org.olat.core.gui.components.Component;
+import org.olat.core.gui.components.EscapeMode;
 import org.olat.core.gui.components.table.DefaultColumnDescriptor;
 import org.olat.core.gui.components.table.DefaultTableDataModel;
 import org.olat.core.gui.components.table.StaticColumnDescriptor;
@@ -95,7 +96,7 @@ public class BookmarksController extends BasicController {
 		tableCtr.addColumnDescriptor(new DefaultColumnDescriptor("table.bm.title", 0, "choose", getLocale()));
 		tableCtr.addColumnDescriptor(new DefaultColumnDescriptor("table.bm.resource", 1, null, getLocale()));
 		DefaultColumnDescriptor descCol = new DefaultColumnDescriptor("table.bm.description", 2, null, getLocale());
-		descCol.setEscapeHtml(false);
+		descCol.setEscapeHtml(EscapeMode.antisamy);
 		tableCtr.addColumnDescriptor(descCol);
 		tableCtr.addColumnDescriptor(new StaticColumnDescriptor("delete", "table.header.delete", translate("action.delete")));
 		listenTo(tableCtr);
diff --git a/src/main/java/org/olat/core/gui/components/EscapeMode.java b/src/main/java/org/olat/core/gui/components/EscapeMode.java
new file mode 100644
index 00000000000..5a2948cea6a
--- /dev/null
+++ b/src/main/java/org/olat/core/gui/components/EscapeMode.java
@@ -0,0 +1,34 @@
+/**
+ * <a href="http://www.openolat.org">
+ * OpenOLAT - Online Learning and Training</a><br>
+ * <p>
+ * Licensed under the Apache License, Version 2.0 (the "License"); <br>
+ * you may not use this file except in compliance with the License.<br>
+ * You may obtain a copy of the License at the
+ * <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache homepage</a>
+ * <p>
+ * Unless required by applicable law or agreed to in writing,<br>
+ * software distributed under the License is distributed on an "AS IS" BASIS, <br>
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. <br>
+ * See the License for the specific language governing permissions and <br>
+ * limitations under the License.
+ * <p>
+ * Initial code contributed and copyrighted by<br>
+ * frentix GmbH, http://www.frentix.com
+ * <p>
+ */
+package org.olat.core.gui.components;
+
+/**
+ * List different escaping strategy
+ * 
+ * Initial date: 16.08.2013<br>
+ * @author srosse, stephane.rosse@frentix.com, http://www.frentix.com
+ *
+ */
+public enum EscapeMode {
+	none,
+	html,
+	antisamy
+
+}
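Review bot: The enum Javadoc says only "List different escaping strategy" and none of the three constants says what it does, so a caller choosing between them has to read DefaultColumnDescriptor.renderString to find out. Suggested per-constant Javadoc: on `none` `/** Append the value unchanged; the caller is responsible for its safety. */`, on `html` `/** Escape HTML special characters; the default for DefaultColumnDescriptor. */`, on `antisamy` `/** Run the value through OWASPAntiSamyXSSFilter, keeping whatever markup its policy permits. */`. A one-sentence summary on the type itself, such as "How a table cell value is written into the rendered HTML", would also fix the grammar of the current summary line.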
diff --git a/src/main/java/org/olat/core/gui/components/table/DefaultColumnDescriptor.java b/src/main/java/org/olat/core/gui/components/table/DefaultColumnDescriptor.java
index 500f6594b29..976b0aaf312 100644
--- a/src/main/java/org/olat/core/gui/components/table/DefaultColumnDescriptor.java
+++ b/src/main/java/org/olat/core/gui/components/table/DefaultColumnDescriptor.java
@@ -31,10 +31,12 @@ import java.text.Collator;
 import java.util.Date;
 import java.util.Locale;
 
+import org.olat.core.gui.components.EscapeMode;
 import org.olat.core.gui.render.Renderer;
 import org.olat.core.gui.render.StringOutput;
 import org.olat.core.util.Formatter;
 import org.olat.core.util.StringHelper;
+import org.olat.core.util.filter.impl.OWASPAntiSamyXSSFilter;
 
 
 /**
@@ -57,7 +59,7 @@ public class DefaultColumnDescriptor implements ColumnDescriptor {
 	protected Collator collator; 
 	protected Table table; 
 	protected int dataColumn;
-	private boolean escapeHtml = true;
+	private EscapeMode escapeHtml = EscapeMode.html;
 	private boolean translateHeaderKey = true; 
 
 	/**
@@ -106,7 +108,7 @@ public class DefaultColumnDescriptor implements ColumnDescriptor {
 		this.translateHeaderKey = translateHeaderKey;
 	}
 	
-	public void setEscapeHtml(boolean escape) {
+	public void setEscapeHtml(EscapeMode escape) {
 		this.escapeHtml = escape;
 	}
 
@@ -131,14 +133,25 @@ public class DefaultColumnDescriptor implements ColumnDescriptor {
 			String res =  formatter.formatDateAndTime((Date)val);
 			sb.append(res);
 		} else if(val instanceof String) {
-			if(escapeHtml) {
-				StringHelper.escapeHtml(sb, (String)val);
-			} else {
-				sb.append((String)val);
-			}
+			renderString(sb, (String)val);
 		} else {
-			String res = val.toString();
-			sb.append(res);
+			renderString(sb, val.toString());
+		}
+	}
+	
+	private void renderString(StringOutput sb, String val) {
+		switch(escapeHtml) {
+			case none:
+				sb.append((String)val);
+				break;
+			case html:
+				StringHelper.escapeHtml(sb, (String)val);
+				break;
+			case antisamy:
+				System.out.println(val);
+				sb.append(new OWASPAntiSamyXSSFilter().filter(val));
+				break;
+			default : StringHelper.escapeHtml(sb, (String)val);
 		}
 	}
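Review bot: The `antisamy` case of `renderString` still contains `System.out.println(val);`, which writes every description value that reaches this column to the server's stdout on each render — a leftover debug line that should be deleted before this merges. The same case constructs `new OWASPAntiSamyXSSFilter()` for every cell; if that filter loads its policy on construction, reusing a single instance (provided the filter is safe to share) would avoid the repeated cost. The `(String)val` casts in the `none`, `html` and `default` branches are redundant now that the parameter is already a String, and since `default` exists only for values the enum does not name, merging the labels as `case html: default:` makes the fallback explicit. The non-String `else` branch now routes `val.toString()` through the escaping mode where it was appended raw before; that is reasonable but deserves a comment on the enclosing render method, whose start lies outside this hunk.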
 
diff --git a/src/main/java/org/olat/group/ui/main/AdminBusinessGroupsController.java b/src/main/java/org/olat/group/ui/main/AdminBusinessGroupsController.java
index 0a91e16a2de..58ccb25f934 100644
--- a/src/main/java/org/olat/group/ui/main/AdminBusinessGroupsController.java
+++ b/src/main/java/org/olat/group/ui/main/AdminBusinessGroupsController.java
@@ -22,6 +22,7 @@ package org.olat.group.ui.main;
 import java.util.List;
 
 import org.olat.core.gui.UserRequest;
+import org.olat.core.gui.components.EscapeMode;
 import org.olat.core.gui.components.table.BooleanColumnDescriptor;
 import org.olat.core.gui.components.table.ColumnDescriptor;
 import org.olat.core.gui.components.table.CustomCellRenderer;
@@ -76,7 +77,9 @@ public class AdminBusinessGroupsController extends AbstractBusinessGroupListCont
 		if(groupModule.isManagedBusinessGroups()) {
 			groupListCtr.addColumnDescriptor(false, new DefaultColumnDescriptor(Cols.externalId.i18n(), Cols.externalId.ordinal(), null, getLocale()));
 		}
-		groupListCtr.addColumnDescriptor(false, new DefaultColumnDescriptor(Cols.description.i18n(), Cols.description.ordinal(), null, getLocale()));
+		DefaultColumnDescriptor descriptionCol = new DefaultColumnDescriptor(Cols.description.i18n(), Cols.description.ordinal(), null, getLocale());
+		descriptionCol.setEscapeHtml(EscapeMode.antisamy);
+		groupListCtr.addColumnDescriptor(false, descriptionCol);
 		groupListCtr.addColumnDescriptor(new ResourcesColumnDescriptor(this, mainVC, getTranslator()));
 		CustomCellRenderer acRenderer = new BGAccessControlledCellRenderer();
 		groupListCtr.addColumnDescriptor(new CustomRenderColumnDescriptor(Cols.accessTypes.i18n(), Cols.accessTypes.ordinal(), null, getLocale(), ColumnDescriptor.ALIGNMENT_LEFT, acRenderer));
diff --git a/src/main/java/org/olat/portfolio/ui/artefacts/view/EPMultipleArtefactsAsTableController.java b/src/main/java/org/olat/portfolio/ui/artefacts/view/EPMultipleArtefactsAsTableController.java
index bdbc4ea3805..fd5138122f4 100644
--- a/src/main/java/org/olat/portfolio/ui/artefacts/view/EPMultipleArtefactsAsTableController.java
+++ b/src/main/java/org/olat/portfolio/ui/artefacts/view/EPMultipleArtefactsAsTableController.java
@@ -24,6 +24,7 @@ import java.util.List;
 import org.olat.core.CoreSpringFactory;
 import org.olat.core.gui.UserRequest;
 import org.olat.core.gui.components.Component;
+import org.olat.core.gui.components.EscapeMode;
 import org.olat.core.gui.components.table.ColumnDescriptor;
 import org.olat.core.gui.components.table.CustomRenderColumnDescriptor;
 import org.olat.core.gui.components.table.DefaultColumnDescriptor;
@@ -127,7 +128,7 @@ public class EPMultipleArtefactsAsTableController extends BasicController implem
 		artefactListTblCtrl.addColumnDescriptor(descr);
 		
 		descr = new DefaultColumnDescriptor("artefact.description", 1, null, getLocale());
-		descr.setEscapeHtml(false);
+		descr.setEscapeHtml(EscapeMode.antisamy);
 		artefactListTblCtrl.addColumnDescriptor(true, descr);
 		
 		descr = new DefaultColumnDescriptor("artefact.date", 2, null, getLocale());
-- 
GitLab