From bc7164bc5547970fd12d073ad3cdb6f7749f4be9 Mon Sep 17 00:00:00 2001
From: briancaruso
Date: Wed, 13 Jul 2011 16:35:32 +0000
Subject: [PATCH] Adding render time filtering of script elements to avoid javascript based security exploits. NIHVIVO-2678
---
 .../mannlib/vitro/webapp/web/AntiScript.java | 19 +++++++++++++++----
 .../web/templatemodels/BaseTemplateModel.java | 13 +++++++++++--
 .../ObjectPropertyStatementTemplateModel.java | 3 ++-
 3 files changed, 28 insertions(+), 7 deletions(-)
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/web/AntiScript.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/web/AntiScript.java
index b85fe4e32..01bf93bc9 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/web/AntiScript.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/web/AntiScript.java
@@ -4,6 +4,7 @@ package edu.cornell.mannlib.vitro.webapp.web;
 import java.net.MalformedURLException;
 import java.net.URL;
+import java.util.Map;
 import javax.servlet.ServletContext;
@@ -36,11 +37,11 @@ public class AntiScript {
 * will be returned instead of the HTML. This might not be ideal so
 * consider changing it once we see how this works. Other options include
 * returning an empty string or some other error message. Returning
- * the unscanned HTML is not a secure option as it may contain scripts.
+ * the un-scanned HTML is not a secure option as it may contain scripts.
 *
 * This will return null if dirtyInput is null.
 */
- public static String cleanHtml( String dirtyInput, ServletContext context){
+ public static String cleanText( String dirtyInput, ServletContext context){
 if( dirtyInput == null ) return null;
@@ -58,10 +59,20 @@ public class AntiScript {
 }
 /**
- * Method to clean a URL or URI. Might do the same thing as cleanHTML().
+ * Method to clean a URL or URI.
 */
 public static String cleanURI( String dirtyInput, ServletContext context){
- return cleanHtml(dirtyInput,context);
+ return cleanText(dirtyInput,context);
+ }
+
+ /**
+ * Method to clean all of the values in a map where the values are of
+ * type String.
+ */
+ public static void cleanMapValues( Map map, ServletContext context){
+ for( T key : map.keySet() ){
+ map.put(key, cleanText(map.get(key), context));
+ }
 }
 /**
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/web/templatemodels/BaseTemplateModel.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/web/templatemodels/BaseTemplateModel.java
index 0cb8422b9..ad0eabb86 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/web/templatemodels/BaseTemplateModel.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/web/templatemodels/BaseTemplateModel.java
@@ -2,12 +2,13 @@ package edu.cornell.mannlib.vitro.webapp.web.templatemodels;
+import java.util.Map;
+
 import javax.servlet.ServletContext;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
-import edu.cornell.mannlib.vitro.webapp.controller.VitroRequest;
 import edu.cornell.mannlib.vitro.webapp.controller.freemarker.UrlBuilder;
 import edu.cornell.mannlib.vitro.webapp.controller.freemarker.UrlBuilder.ParamMap;
 import edu.cornell.mannlib.vitro.webapp.web.AntiScript;
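Review bot: cleanMapValues in the AntiScript hunk writes back through `map.put` while iterating `map.keySet()`; that is safe for a plain HashMap, where replacing the value of an existing key is not a structural modification, but it is fragile for other Map implementations (an access-ordered LinkedHashMap bumps its modCount on access and would throw ConcurrentModificationException) and it does two lookups per entry. Iterating the entry set and updating in place avoids both: `for( Map.Entry<T,String> e : map.entrySet() ){` / `e.setValue(cleanText(e.getValue(), context));` / `}`. The generic parameters look stripped in this rendering (`Map map`, `T key`), so the exact declared signature is inferred. A null map fails at the first line of the loop and an unmodifiable map fails at the write, so if callers can hand in either, a null guard and a Javadoc `@throws UnsupportedOperationException if the map is read-only` would be worth adding.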
@@ -46,7 +47,15 @@ public abstract class BaseTemplateModel {
 * Currently this only checks for XSS exploits.
 */
 protected String cleanTextForDisplay( String dirty){
- return AntiScript.cleanHtml(dirty, getServletContext());
+ return AntiScript.cleanText(dirty, getServletContext());
+ }
+
+ /**
+ * Used to do any processing for display of values in
+ * a map. Map may be modified.
+ */
+ protected void cleanMapValuesForDisplay( Map map){
+ AntiScript.cleanMapValues(map, getServletContext());
 }
 public static ServletContext getServletContext() {
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/web/templatemodels/individual/ObjectPropertyStatementTemplateModel.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/web/templatemodels/individual/ObjectPropertyStatementTemplateModel.java
index 718a4599c..d61e1a47f 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/web/templatemodels/individual/ObjectPropertyStatementTemplateModel.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/web/templatemodels/individual/ObjectPropertyStatementTemplateModel.java
@@ -34,8 +34,9 @@ public class ObjectPropertyStatementTemplateModel extends PropertyStatementTempl
 Map data, EditingPolicyHelper policyHelper, String templateName, VitroRequest vreq) {
 super(subjectUri, propertyUri, policyHelper, vreq);
+ cleanMapValuesForDisplay( data );
 this.data = data;
- this.objectUri = cleanURIForDisplay( data.get(objectKey) );
+ this.objectUri = data.get(objectKey);
 this.templateName = templateName;
 setEditAccess(policyHelper);
 }
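Review bot: The Javadoc on cleanMapValuesForDisplay in the BaseTemplateModel hunk says the map "may be modified", but AntiScript.cleanMapValues, which it delegates to, replaces every value unconditionally, so callers need a stronger contract than "may". Suggest `* Replaces every value in the given map with its display-cleaned form, in place.` / `* The map must be mutable; a caller that still needs the raw values should pass a copy.` The sibling cleanTextForDisplay just above returns the cleaned value instead of mutating its argument, so the summary sentence should make that asymmetry explicit rather than leave it to the reader.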
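Review bot: The constructor in the ObjectPropertyStatementTemplateModel hunk sanitizes `data` in place before storing it, so the caller's map is rewritten with display-cleaned strings; if the caller keeps using that map after constructing the model (for edit links or further lookups built from the raw URI), it will see the cleaned values, and per the AntiScript Javadoc a value that fails cleaning appears to be replaced by a message rather than passed through. Cleaning a private copy keeps the template model safe without aliasing the caller's data: `this.data = new HashMap<String, String>(data);` / `cleanMapValuesForDisplay( this.data );` / `this.objectUri = this.data.get(objectKey);` (assuming the field is a `Map<String, String>`, which the stripped generics in this rendering hide; HashMap may need importing). Dropping `cleanURIForDisplay` on objectUri is equivalent only because cleanURI currently delegates to cleanText, as the AntiScript hunk shows; a one-line comment such as `// objectUri is already cleaned as part of data` would keep that dependency visible. The constructor's signature begins outside the hunk.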