NIHVIVO-3311 Provide a way to get URLs from the ObjectPropertyStatmentTemplateModel without them being stepped on by AntiSamy.

2011-11-30 21:46:23 +00:00 · 2011-11-30 21:46:23 +00:00 · f6b3562bc6
commit f6b3562bc6
parent e99114ce44
2 changed files with 18 additions and 7 deletions
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/web/templatemodels/BaseTemplateModel.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/web/templatemodels/BaseTemplateModel.java
@ -16,6 +16,9 @@ import edu.cornell.mannlib.vitro.webapp.web.AntiScript;
 public abstract class BaseTemplateModel {

    private static final Log log = LogFactory.getLog(BaseTemplateModel.class);
+
+	private static final String URI_CHARACTERS = 
+			"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~:/?#[]@!$&'()*+,;=";
    
    protected static ServletContext servletContext;
    
@ -36,10 +39,19 @@ public abstract class BaseTemplateModel {

    /**
     * Used to do any processing for display of URIs or URLs.  
-     * Currently this only checks for XSS exploits.
+     * 
+     * If we used AntiSami on a URI it would escape any ampersands as &amp;
+     * and perhaps do other nastiness as well. Instead we delete any character 
+     * that shouldn't be in a URI.
     */
    protected String cleanURIForDisplay( String dirty ){
-        return AntiScript.cleanURI(dirty, getServletContext());
+    	StringBuilder clean = new StringBuilder(dirty.length());
+    	for (char ch: dirty.toCharArray()) {
+    		if (URI_CHARACTERS.indexOf(ch) != -1) {
+    			clean.append(ch);
+    		}
+    	}
+        return clean.toString();
    }
    
    /**
@ -65,7 +77,5 @@ public abstract class BaseTemplateModel {
    public static void setServletContext(ServletContext context) {
        servletContext = context;
    }
- 
-    /* Template properties */
    
 }
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/web/templatemodels/individual/ObjectPropertyStatementTemplateModel.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/web/templatemodels/individual/ObjectPropertyStatementTemplateModel.java
@ -2,10 +2,8 @@

 package edu.cornell.mannlib.vitro.webapp.web.templatemodels.individual;

-import java.util.HashMap;
 import java.util.Map;

-import org.apache.commons.lang.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;

@ -35,7 +33,6 @@ public class ObjectPropertyStatementTemplateModel extends PropertyStatementTempl
            Map<String, String> data, EditingPolicyHelper policyHelper, String templateName, VitroRequest vreq) {
        super(subjectUri, propertyUri, policyHelper, vreq);
        
-        cleanMapValuesForDisplay( data );
        this.data = data;
        this.objectUri = data.get(objectKey);        
        this.templateName = templateName;
@ -125,4 +122,8 @@ public class ObjectPropertyStatementTemplateModel extends PropertyStatementTempl
        return cleanTextForDisplay( data.get(key) );
    }
  
+    public String uri(String key) {
+    	return cleanURIForDisplay(data.get(key));
+    }
+  
 }