Adding render time filtering of script elements to avoid javascript based security exploits. NIHVIVO-2678

webapp/src/edu/cornell/mannlib/vitro/webapp/web/AntiScript.java

@@ -4,6 +4,7 @@ package edu.cornell.mannlib.vitro.webapp.web;
 
 import java.net.MalformedURLException;
 import java.net.URL;
+import java.util.Map;
 
 import javax.servlet.ServletContext;
 
@@ -36,11 +37,11 @@ public class AntiScript {
      * will be returned instead of the HTML.  This might not be ideal so
      * consider changing it once we see how this works. Other options include
      * returning an empty string or some other error message.  Returning 
-     * the unscanned HTML is not a secure option as it may contain scripts.
+     * the un-scanned HTML is not a secure option as it may contain scripts.
      * 
      * This will return null if dirtyInput is null.
      */
-    public static String cleanHtml( String dirtyInput, ServletContext context){
+    public static String cleanText( String dirtyInput, ServletContext context){
         if( dirtyInput == null )
             return null;
         
@@ -58,10 +59,20 @@ public class AntiScript {
     }
     
     /**
-     * Method to clean a URL or URI.  Might do the same thing as cleanHTML().
+     * Method to clean a URL or URI.  
      */
     public static String cleanURI( String dirtyInput, ServletContext context){
-        return cleanHtml(dirtyInput,context);
+        return cleanText(dirtyInput,context);
+    }
+    
+    /**
+     * Method to clean all of the values in a map where the values are of
+     * type String.
+     */
+    public static <T> void cleanMapValues( Map<T,String> map, ServletContext context){
+        for( T key : map.keySet() ){            
+            map.put(key, cleanText(map.get(key), context));
+        }        
     }
     
     /**

webapp/src/edu/cornell/mannlib/vitro/webapp/web/templatemodels/BaseTemplateModel.java

@@ -2,12 +2,13 @@
 
 package edu.cornell.mannlib.vitro.webapp.web.templatemodels;
 
+import java.util.Map;
+
 import javax.servlet.ServletContext;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 
-import edu.cornell.mannlib.vitro.webapp.controller.VitroRequest;
 import edu.cornell.mannlib.vitro.webapp.controller.freemarker.UrlBuilder;
 import edu.cornell.mannlib.vitro.webapp.controller.freemarker.UrlBuilder.ParamMap;
 import edu.cornell.mannlib.vitro.webapp.web.AntiScript;
@@ -46,7 +47,15 @@ public abstract class BaseTemplateModel {
      * Currently this only checks for XSS exploits.
      */
     protected String cleanTextForDisplay( String dirty){
-        return AntiScript.cleanHtml(dirty, getServletContext());
+        return AntiScript.cleanText(dirty, getServletContext());
+    }
+    
+    /**
+     * Used to do any processing for display of values in
+     * a map.  Map may be modified. 
+     */
+    protected <T> void cleanMapValuesForDisplay( Map<T,String> map){
+        AntiScript.cleanMapValues(map, getServletContext());
     }
     
     public static ServletContext getServletContext() {

webapp/src/edu/cornell/mannlib/vitro/webapp/web/templatemodels/individual/ObjectPropertyStatementTemplateModel.java

@@ -34,8 +34,9 @@ public class ObjectPropertyStatementTemplateModel extends PropertyStatementTempl
             Map<String, String> data, EditingPolicyHelper policyHelper, String templateName, VitroRequest vreq) {
         super(subjectUri, propertyUri, policyHelper, vreq);
         
+        cleanMapValuesForDisplay( data );
         this.data = data;
-        this.objectUri = cleanURIForDisplay( data.get(objectKey) );
+        this.objectUri = data.get(objectKey);        
         this.templateName = templateName;
         setEditAccess(policyHelper);
     }