From f6b3562bc61ab091c24f0c031433ba659dfa96aa Mon Sep 17 00:00:00 2001
From: j2blake
Date: Wed, 30 Nov 2011 21:46:23 +0000
Subject: [PATCH] NIHVIVO-3311 Provide a way to get URLs from the ObjectPropertyStatmentTemplateModel without them being stepped on by AntiSamy.
---
 .../web/templatemodels/BaseTemplateModel.java | 18 ++++++++++++++----
 .../ObjectPropertyStatementTemplateModel.java | 7 ++++---
 2 files changed, 18 insertions(+), 7 deletions(-)
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/web/templatemodels/BaseTemplateModel.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/web/templatemodels/BaseTemplateModel.java
index cee818328..2ade9e81d 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/web/templatemodels/BaseTemplateModel.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/web/templatemodels/BaseTemplateModel.java
@@ -16,6 +16,9 @@ import edu.cornell.mannlib.vitro.webapp.web.AntiScript;
 public abstract class BaseTemplateModel {
 private static final Log log = LogFactory.getLog(BaseTemplateModel.class);
+
+ private static final String URI_CHARACTERS =
+ "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~:/?#[]@!$&'()*+,;=";
 protected static ServletContext servletContext;
@@ -36,10 +39,19 @@ public abstract class BaseTemplateModel {
 /**
 * Used to do any processing for display of URIs or URLs.
- * Currently this only checks for XSS exploits.
+ *
+ * If we used AntiSami on a URI it would escape any ampersands as &
+ * and perhaps do other nastiness as well. Instead we delete any character
+ * that shouldn't be in a URI.
 */
 protected String cleanURIForDisplay( String dirty ){
- return AntiScript.cleanURI(dirty, getServletContext());
+ StringBuilder clean = new StringBuilder(dirty.length());
+ for (char ch: dirty.toCharArray()) {
+ if (URI_CHARACTERS.indexOf(ch) != -1) {
+ clean.append(ch);
+ }
+ }
+ return clean.toString();
 }
 /**
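Review bot: The new body of cleanURIForDisplay (hunk at -36) drops characters that are illegal in a URI but never looks at the scheme, and every character of a `javascript:` URL is in URI_CHARACTERS, so such a value now reaches the template untouched where AntiScript.cleanURI presumably relied on AntiSamy's protocol checks to reject it. Checking that the cleaned value is either relative or starts with a scheme from a short allowlist (http, https, mailto, plus whatever else the RDF data legitimately uses) keeps the ampersand-preserving behaviour the commit wants without giving up that protection. `'` is also in the allowed set, so the result is only safe inside double-quoted attributes; the Javadoc should say so. `dirty.length()` throws on null, which the map-backed accessors in ObjectPropertyStatementTemplateModel can pass in; the rewrite below returns `""` in that case, though whether the old call tolerated null is not visible here.
```java
    protected String cleanURIForDisplay( String dirty ){
        if (dirty == null) {
            return "";
        }
        // … unchanged: whitelist loop building `clean` from URI_CHARACTERS …
        String result = clean.toString();
        // Text before the first ':' is a scheme only if no '/', '?' or '#' precedes it;
        // relative URLs have no scheme and pass through as-is.
        int colon = result.indexOf(':');
        if (colon > 0) {
            String scheme = result.substring(0, colon);
            boolean isScheme = scheme.indexOf('/') == -1 && scheme.indexOf('?') == -1
                    && scheme.indexOf('#') == -1;
            if (isScheme && !(scheme.equalsIgnoreCase("http")
                    || scheme.equalsIgnoreCase("https")
                    || scheme.equalsIgnoreCase("mailto"))) {
                return "";
            }
        }
        return result;
    }
```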
@@ -65,7 +77,5 @@ public abstract class BaseTemplateModel {
 public static void setServletContext(ServletContext context) {
 servletContext = context;
 }
-
- /* Template properties */
 }
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/web/templatemodels/individual/ObjectPropertyStatementTemplateModel.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/web/templatemodels/individual/ObjectPropertyStatementTemplateModel.java
index da89f8caa..ed9d2c9e9 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/web/templatemodels/individual/ObjectPropertyStatementTemplateModel.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/web/templatemodels/individual/ObjectPropertyStatementTemplateModel.java
@@ -2,10 +2,8 @@
 package edu.cornell.mannlib.vitro.webapp.web.templatemodels.individual;
-import java.util.HashMap;
 import java.util.Map;
-import org.apache.commons.lang.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -35,7 +33,6 @@ public class ObjectPropertyStatementTemplateModel extends PropertyStatementTempl
 Map data, EditingPolicyHelper policyHelper, String templateName, VitroRequest vreq) {
 super(subjectUri, propertyUri, policyHelper, vreq);
- cleanMapValuesForDisplay( data );
 this.data = data;
 this.objectUri = data.get(objectKey);
 this.templateName = templateName;
@@ -125,4 +122,8 @@ public class ObjectPropertyStatementTemplateModel extends PropertyStatementTempl
 return cleanTextForDisplay( data.get(key) );
 }
+ public String uri(String key) {
+ return cleanURIForDisplay(data.get(key));
+ }
+
 }
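Review bot: `uri(String key)` (hunk at -125) has no Javadoc, and the reason it exists matters to template authors: with the constructor no longer calling `cleanMapValuesForDisplay( data )` (hunk at -35), `cleanURIForDisplay` is the only cleaning a value reached through this accessor receives, and it deliberately differs from the text cleaning applied by the accessor above it. Something like `/** Returns the value for {@code key} cleaned for use as a URI rather than as text: URI characters such as ampersands are kept, everything else is dropped. Use this, not the text accessor, when the value goes into an href or src. */` would record that. Since the up-front cleaning is gone, `objectUri` is assigned straight from `data.get(objectKey)` in the constructor context, and any other getter on this class that exposes a map value without going through one of the two cleaners now returns raw data; that is worth checking in the parts of the class outside these hunks. The class body continues outside the hunk.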