Commit e50dcb59 authored by srosse

OO-4238: special case media/...

parent b6d89d48
...@@ -22,6 +22,7 @@ package org.olat.core.util.filter.impl; ...@@ -22,6 +22,7 @@ package org.olat.core.util.filter.impl;
import java.util.List; import java.util.List;
import java.util.regex.Pattern; import java.util.regex.Pattern;
import org.olat.core.util.CodeHelper;
import org.owasp.html.HtmlPolicyBuilder; import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.HtmlStreamEventProcessor; import org.owasp.html.HtmlStreamEventProcessor;
import org.owasp.html.HtmlStreamEventReceiver; import org.owasp.html.HtmlStreamEventReceiver;
...@@ -40,29 +41,20 @@ import com.google.common.base.Predicate; ...@@ -40,29 +41,20 @@ import com.google.common.base.Predicate;
* *
*/ */
public class OpenOLATPolicy { public class OpenOLATPolicy {
private static final String MEDIA_HOST = "http://my" + CodeHelper.getForeverUniqueID() + "localhost:8123/";
private static final Pattern PARAGRAPH = Pattern.compile("([\\p{L}\\p{N},'\\.\\s\\-_\\(\\)]|&[0-9]{2};)*"); private static final Pattern PARAGRAPH = Pattern.compile("([\\p{L}\\p{N},'\\.\\s\\-_\\(\\)]|&[0-9]{2};)*");
//private static final Pattern POSITIVELENGTH = Pattern.compile("((\\+)?0|(\\+)?([0-9]+(.[0-9]+)?)(em|ex|px|in|cm|mm|pt|pc))");
private static final Pattern COLORNAME = Pattern.compile("(aqua|black|blue|fuchsia|gray|grey|green|lime|maroon|navy|olive|purple|red|silver|teal|white|yellow)"); private static final Pattern COLORNAME = Pattern.compile("(aqua|black|blue|fuchsia|gray|grey|green|lime|maroon|navy|olive|purple|red|silver|teal|white|yellow)");
private static final Pattern OFFSITEURL = Pattern.compile("(\\s)*((ht)tp(s?)://|mailto:)[\\p{L}\\p{N}]+[\\p{L}\\p{N}\\p{Zs}\\.\\#@\\$%\\+&;:\\-_~,\\?=/!\\(\\)]*(\\s)*"); private static final Pattern OFFSITEURL = Pattern.compile("(\\s)*((ht)tp(s?)://|mailto:)[\\p{L}\\p{N}]+[\\p{L}\\p{N}\\p{Zs}\\.\\#@\\$%\\+&;:\\-_~,\\?=/!\\(\\)]*(\\s)*");
//private static final Pattern RELATIVE_SIZE = Pattern.compile("(larger|smaller)");
//private static final Pattern SYSTEMCOLOR = Pattern.compile("(activeborder|activecaption|appworkspace|background|buttonface|buttonhighlight|buttonshadow|buttontext|captiontext|graytext|highlight|highlighttext|inactiveborder|inactivecaption|inactivecaptiontext|infobackground|infotext|menu|menutext|scrollbar|threeddarkshadow|threedface|threedhighlight|threedlightshadow|threedshadow|window|windowframe|windowtext)");
private static final Pattern HTMLCLASS = Pattern.compile("[a-zA-Z0-9\\s,-_]+"); private static final Pattern HTMLCLASS = Pattern.compile("[a-zA-Z0-9\\s,-_]+");
//private static final Pattern LENGTH = Pattern.compile("((-|\\+)?0|(-|\\+)?([0-9]+(.[0-9]+)?)(em|ex|px|in|cm|mm|pt|pc))");
//private static final Pattern ABSOLUTE_SIZE = Pattern.compile("(xx-small|x-small|small|medium|large|x-large|xx-large)");
//private static final Pattern POSITIVEPERCENTAGE = Pattern.compile("(\\+)?([0-9]+(.[0-9]+)?)%");
private static final Pattern ANYTHING = Pattern.compile(".*"); private static final Pattern ANYTHING = Pattern.compile(".*");
private static final Pattern ONSITEURL = Pattern.compile("([\\p{L}\\p{N}\\p{Zs}/\\.\\?=&\\-~_]|ccrep:)+"); private static final Pattern ONSITEURL = Pattern.compile("([\\p{L}\\p{N}\\p{Zs}/\\.\\?=&\\-~_]|ccrep:)+");
private static final Pattern NUMBER = Pattern.compile("[0-9]+"); private static final Pattern NUMBER = Pattern.compile("[0-9]+");
private static final Pattern HTMLTITLE = Pattern.compile("[a-zA-Z0-9\\s-_',:\\[\\]!\\./\\\\\\(\\)%&;\\+#]*"); private static final Pattern HTMLTITLE = Pattern.compile("[a-zA-Z0-9\\s-_',:\\[\\]!\\./\\\\\\(\\)%&;\\+#]*");
//private static final Pattern CSSONSITEURI = Pattern.compile("url\\(([\\p{L}\\p{N}\\\\/\\.\\?=\\#&;\\-_~]+|\\#(\\w)+)\\)");
//private static final Pattern RGBCODE = Pattern.compile("rgb\\(([1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]),([1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]),([1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])\\)");
//private static final Pattern PERCENTAGE = Pattern.compile("(-|\\+)?([0-9]+(.[0-9]+)?)%");
private static final Pattern OLATINTERNALURL = Pattern.compile("javascript:parent\\.gotonode\\(\\d+\\)"); private static final Pattern OLATINTERNALURL = Pattern.compile("javascript:parent\\.gotonode\\(\\d+\\)");
private static final Pattern NUMBERORPERCENT = Pattern.compile("(\\d)+(%{0,1})"); private static final Pattern NUMBERORPERCENT = Pattern.compile("(\\d)+(%{0,1})");
private static final Pattern COLORCODE = Pattern.compile("(#([0-9a-fA-F]{6}|[0-9a-fA-F]{3}))"); private static final Pattern COLORCODE = Pattern.compile("(#([0-9a-fA-F]{6}|[0-9a-fA-F]{3}))");
//private static final Pattern CSSOFFSITEURI = Pattern.compile("url\\((\\s)*(http(s?)://)[\\p{L}\\p{N}]+[~\\p{L}\\p{N}\\p{Zs}\\-_\\.@#$%&;:,\\?=/\\+!]*(\\s)*\\)");
public static final PolicyFactory POLICY_DEFINITION = new HtmlPolicyBuilder() public static final PolicyFactory POLICY_DEFINITION = new HtmlPolicyBuilder()
.allowStyling() .allowStyling()
...@@ -302,7 +294,10 @@ public class OpenOLATPolicy { ...@@ -302,7 +294,10 @@ public class OpenOLATPolicy {
&& attrs.get(i+1).startsWith("javascript:parent.goto") && attrs.get(i+1).startsWith("javascript:parent.goto")
&& OLATINTERNALURL.matcher(attrs.get(i + 1)).matches()) { && OLATINTERNALURL.matcher(attrs.get(i + 1)).matches()) {
attrs.set(i, "onclick"); attrs.set(i, "onclick");
} } else if("href".equals(attr) && i+1 < numOfAttrs
&& attrs.get(i+1).startsWith("media/")) {
attrs.set(i + 1, MEDIA_HOST + attrs.get(i+1));
}
} }
} }
super.openTag(elementName, attrs); super.openTag(elementName, attrs);
...@@ -313,13 +308,13 @@ public class OpenOLATPolicy { ...@@ -313,13 +308,13 @@ public class OpenOLATPolicy {
@Override @Override
public HtmlStreamEventReceiver wrap(HtmlStreamEventReceiver sink) { public HtmlStreamEventReceiver wrap(HtmlStreamEventReceiver sink) {
return new OpenOLATostReceiver(sink); return new OpenOLATPostReceiver(sink);
} }
} }
private static class OpenOLATostReceiver extends HtmlStreamEventReceiverWrapper { private static class OpenOLATPostReceiver extends HtmlStreamEventReceiverWrapper {
public OpenOLATostReceiver(HtmlStreamEventReceiver sink) { public OpenOLATPostReceiver(HtmlStreamEventReceiver sink) {
super(sink); super(sink);
} }
...@@ -333,6 +328,9 @@ public class OpenOLATPolicy { ...@@ -333,6 +328,9 @@ public class OpenOLATPolicy {
&& attrs.get(i+1).startsWith("javascript:parent.goto") && attrs.get(i+1).startsWith("javascript:parent.goto")
&& OLATINTERNALURL.matcher(attrs.get(i + 1)).matches()) { && OLATINTERNALURL.matcher(attrs.get(i + 1)).matches()) {
attrs.set(i, "href"); attrs.set(i, "href");
} else if("href".equals(attr) && i+1 < numOfAttrs
&& attrs.get(i+1).startsWith(MEDIA_HOST)) {
attrs.set(i + 1, attrs.get(i+1).substring(MEDIA_HOST.length()));
} }
} }
} }
...@@ -354,7 +352,7 @@ public class OpenOLATPolicy { ...@@ -354,7 +352,7 @@ public class OpenOLATPolicy {
// java.util.function.Predicate. // java.util.function.Predicate.
// For some reason the default test method implementation that calls // For some reason the default test method implementation that calls
// through to apply is not assumed here. // through to apply is not assumed here.
@SuppressWarnings("unused") @Override
public boolean test(String s) { public boolean test(String s) {
return apply(s); return apply(s);
} }
...@@ -387,7 +385,7 @@ public class OpenOLATPolicy { ...@@ -387,7 +385,7 @@ public class OpenOLATPolicy {
// java.util.function.Predicate. // java.util.function.Predicate.
// For some reason the default test method implementation that calls // For some reason the default test method implementation that calls
// through to apply is not assumed here. // through to apply is not assumed here.
@SuppressWarnings("unused") @Override
public boolean test(String s) { public boolean test(String s) {
return apply(s); return apply(s);
} }
......
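Review bot: The post-receiver branch in the fourth hunk strips the MEDIA_HOST prefix from any href that starts with it and emits the remainder without re-checking it, so the sanitizer's URL check (OFFSITEURL, which admits `:` and parentheses in the path) is applied to the prefixed form rather than to what is actually written out; the pre-processor in the third hunk only ever wraps values beginning with `media/`, but the reverse step does not require that. The trick is therefore only as strong as the secrecy of `CodeHelper.getForeverUniqueID()`; if that value is time- or counter-based rather than drawn from `SecureRandom` (not visible here, so to be confirmed), the prefix is guessable and an absolute URL of that shape in the input would be emitted as whatever follows the prefix. Two changes would close this: derive MEDIA_HOST from a `SecureRandom` token, and in the post-receiver only round-trip a remainder that still has the shape the pre-processor wrapped, e.g. `String relative = attrs.get(i+1).substring(MEDIA_HOST.length());` followed by `attrs.set(i + 1, relative.startsWith("media/") ? relative : attrs.get(i+1));`. Both openTag loops start and end outside the hunk, so this assumes `attr`, `i` and `numOfAttrs` as used in the visible lines; a comment on MEDIA_HOST stating that it must stay unguessable because the post-receiver trusts the prefix would also help the next maintainer.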
...@@ -62,7 +62,7 @@ public class RSSFeed extends SyndFeedImpl { ...@@ -62,7 +62,7 @@ public class RSSFeed extends SyndFeedImpl {
setFeedType("rss_2.0"); setFeedType("rss_2.0");
setEncoding(PersonalRSSServlet.DEFAULT_ENCODING); setEncoding(PersonalRSSServlet.DEFAULT_ENCODING);
setTitle(feed.getTitle()); setTitle(feed.getTitle() == null ? "-" : feed.getTitle());
// According to the rss specification, the feed channel description is not // According to the rss specification, the feed channel description is not
// (explicitly) allowed to contain html tags. // (explicitly) allowed to contain html tags.
String strippedDescription = FilterFactory.getHtmlTagsFilter().filter(feed.getDescription()); String strippedDescription = FilterFactory.getHtmlTagsFilter().filter(feed.getDescription());
......
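Review bot: The new `setTitle(...)` line calls `feed.getTitle()` twice; a local reads more clearly and evaluates the getter once, `String title = feed.getTitle(); setTitle(title == null ? "-" : title);`. The line just below passes `feed.getDescription()` into the HTML-tags filter without the same guard; whether that filter tolerates null cannot be told from this hunk, so it is worth confirming or applying the same fallback. The enclosing constructor starts and ends outside the hunk.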
...@@ -26,8 +26,10 @@ import java.util.Date; ...@@ -26,8 +26,10 @@ import java.util.Date;
import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpServletResponse;
import org.apache.logging.log4j.Logger;
import org.olat.core.commons.services.notifications.PersonalRSSServlet; import org.olat.core.commons.services.notifications.PersonalRSSServlet;
import org.olat.core.gui.media.MediaResource; import org.olat.core.gui.media.MediaResource;
import org.olat.core.logging.Tracing;
import com.rometools.rome.feed.synd.SyndFeed; import com.rometools.rome.feed.synd.SyndFeed;
import com.rometools.rome.io.FeedException; import com.rometools.rome.io.FeedException;
...@@ -42,6 +44,8 @@ import com.rometools.rome.io.SyndFeedOutput; ...@@ -42,6 +44,8 @@ import com.rometools.rome.io.SyndFeedOutput;
* @author gwassmann * @author gwassmann
*/ */
public class SyndFeedMediaResource implements MediaResource { public class SyndFeedMediaResource implements MediaResource {
private static final Logger log = Tracing.createLoggerFor(SyndFeedMediaResource.class);
private SyndFeed feed; private SyndFeed feed;
private String feedString; private String feedString;
...@@ -55,7 +59,7 @@ public class SyndFeedMediaResource implements MediaResource { ...@@ -55,7 +59,7 @@ public class SyndFeedMediaResource implements MediaResource {
SyndFeedOutput output = new SyndFeedOutput(); SyndFeedOutput output = new SyndFeedOutput();
feedString = output.outputString(feed); feedString = output.outputString(feed);
} catch (FeedException e) { } catch (FeedException e) {
// cannot convert feed to string or something log.error("", e);
} }
} }
......
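Review bot: The replacement for the silent catch logs with an empty message, `log.error("", e);`, which leaves nothing to search for in the log besides the stack trace; a message naming the operation, `log.error("Cannot convert feed to string", e);`, keeps the context the removed comment carried. On this path `feedString` is also left at its previous value (null unless set earlier), so if the caller writes it to the response (outside the hunk) the failure surfaces there rather than here; consider whether the constructor should fail or set a fallback. The enclosing method starts and ends outside the hunk.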
...@@ -185,6 +185,9 @@ public class XSSFilterParamTest { ...@@ -185,6 +185,9 @@ public class XSSFilterParamTest {
"<img src=\"/olat/edusharing/preview?objectUrl&#61;ccrep://OpenOLAT/d5130470-14b4-4ad4-88b7-dfb3ebe943da&amp;version&#61;1.0\" data-es_identifier=\"2083dbe64f00b07232b11608ec0842fc\" data-es_objecturl=\"ccrep://OpenOLAT/d5130470-14b4-4ad4-88b7-dfb3ebe943da\" data-es_version=\"1.0\" data-es_version_current=\"1.0\" data-es_mediatype=\"i23\" data-es_mimetype=\"image/png\" data-es_width=\"1000\" data-es_height=\"446\" data-es_first_edit=\"false\" class=\"edusharing\" alt=\"Bildschirmfoto 2018-11-07 um 16.09.49.png\" title=\"Bildschirmfoto 2018-11-07 um 16.09.49.png\" width=\"1000\" height=\"446\" />" "<img src=\"/olat/edusharing/preview?objectUrl&#61;ccrep://OpenOLAT/d5130470-14b4-4ad4-88b7-dfb3ebe943da&amp;version&#61;1.0\" data-es_identifier=\"2083dbe64f00b07232b11608ec0842fc\" data-es_objecturl=\"ccrep://OpenOLAT/d5130470-14b4-4ad4-88b7-dfb3ebe943da\" data-es_version=\"1.0\" data-es_version_current=\"1.0\" data-es_mediatype=\"i23\" data-es_mimetype=\"image/png\" data-es_width=\"1000\" data-es_height=\"446\" data-es_first_edit=\"false\" class=\"edusharing\" alt=\"Bildschirmfoto 2018-11-07 um 16.09.49.png\" title=\"Bildschirmfoto 2018-11-07 um 16.09.49.png\" width=\"1000\" height=\"446\" />"
}, },
{ "<a href=\"javascript:parent.gotonode(100055283652712)\">Test</a>", "<a href=\"javascript:parent.gotonode(100055283652712)\">Test</a>" }, { "<a href=\"javascript:parent.gotonode(100055283652712)\">Test</a>", "<a href=\"javascript:parent.gotonode(100055283652712)\">Test</a>" },
{ "<a href=\"media/LTT ZUJ SCM 09.09.2019.pdf\">doc</a>", "<a href=\"media/LTT%20ZUJ%20SCM%2009.09.2019.pdf\">doc</a>" },
{ "<a href=\"media/LTT%20ZUJ%20SCM%2009.09.2019.pdf\">doc</a>", "<a href=\"media/LTT%20ZUJ%20SCM%2009.09.2019.pdf\">doc</a>" },
{ "<p><img class=\"b_float_left\" src=\"media/IMG 1484.jpg\" width=\"74\" height=\"74\" /></p>", "<p><img class=\"b_float_left\" src=\"media/IMG%201484.jpg\" width=\"74\" height=\"74\" /></p>" },
{ null, "" } // be tolerant { null, "" } // be tolerant
}); });
} }
......