NIHVIVO-3311 Provide a way to get URLs from the ObjectPropertyStatementTemplateModel without them being stepped on by AntiSamy.
This commit is contained in:
parent
e99114ce44
commit
f6b3562bc6
2 changed files with 18 additions and 7 deletions
|
@ -17,6 +17,9 @@ public abstract class BaseTemplateModel {
|
||||||
|
|
||||||
private static final Log log = LogFactory.getLog(BaseTemplateModel.class);
|
private static final Log log = LogFactory.getLog(BaseTemplateModel.class);
|
||||||
|
|
||||||
|
private static final String URI_CHARACTERS =
|
||||||
|
"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~:/?#[]@!$&'()*+,;=";
|
||||||
|
|
||||||
protected static ServletContext servletContext;
|
protected static ServletContext servletContext;
|
||||||
|
|
||||||
// Convenience method so subclasses can call getUrl(path)
|
// Convenience method so subclasses can call getUrl(path)
|
||||||
|
@ -36,10 +39,19 @@ public abstract class BaseTemplateModel {
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Used to do any processing for display of URIs or URLs.
|
* Used to do any processing for display of URIs or URLs.
|
||||||
* Currently this only checks for XSS exploits.
|
*
|
||||||
|
* If we used AntiSami on a URI it would escape any ampersands as &
|
||||||
|
* and perhaps do other nastiness as well. Instead we delete any character
|
||||||
|
* that shouldn't be in a URI.
|
||||||
*/
|
*/
|
||||||
protected String cleanURIForDisplay( String dirty ){
|
protected String cleanURIForDisplay( String dirty ){
|
||||||
return AntiScript.cleanURI(dirty, getServletContext());
|
StringBuilder clean = new StringBuilder(dirty.length());
|
||||||
|
for (char ch: dirty.toCharArray()) {
|
||||||
|
if (URI_CHARACTERS.indexOf(ch) != -1) {
|
||||||
|
clean.append(ch);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return clean.toString();
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -66,6 +78,4 @@ public abstract class BaseTemplateModel {
|
||||||
servletContext = context;
|
servletContext = context;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Template properties */
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
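Review bot: `URI_CHARACTERS` in the new `cleanURIForDisplay` omits `%`, so every percent-encoded URI loses its escapes on the way to the template (`%20` becomes `20`, `%2F` becomes `2F`) and the displayed link silently points at a different resource; `%` is the pct-encoded form of RFC 3986 and belongs in the set, e.g. `"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~:/?#[]@!$&'()*+,;=%"`. Note also that every character of `javascript:alert(document.cookie)` is already allowed, so this whitelist does not on its own stop script or data URIs in an `href`, and it passes `'` and `&` through unchanged — the Javadoc's "Used to do any processing for display" should say plainly that the result is a syntactically clean URI, not one that is safe to emit unescaped, and that the template must still encode it for its attribute context. `dirty.length()` is called before any check, so a null value now throws NullPointerException where the removed `AntiScript.cleanURI` call may or may not have; a guard such as `if (dirty == null) { return null; }` (or whatever the old helper returned for null) would keep the accessor safe for absent properties.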
|
@ -2,10 +2,8 @@
|
||||||
|
|
||||||
package edu.cornell.mannlib.vitro.webapp.web.templatemodels.individual;
|
package edu.cornell.mannlib.vitro.webapp.web.templatemodels.individual;
|
||||||
|
|
||||||
import java.util.HashMap;
|
|
||||||
import java.util.Map;
|
import java.util.Map;
|
||||||
|
|
||||||
import org.apache.commons.lang.StringUtils;
|
|
||||||
import org.apache.commons.logging.Log;
|
import org.apache.commons.logging.Log;
|
||||||
import org.apache.commons.logging.LogFactory;
|
import org.apache.commons.logging.LogFactory;
|
||||||
|
|
||||||
|
@ -35,7 +33,6 @@ public class ObjectPropertyStatementTemplateModel extends PropertyStatementTempl
|
||||||
Map<String, String> data, EditingPolicyHelper policyHelper, String templateName, VitroRequest vreq) {
|
Map<String, String> data, EditingPolicyHelper policyHelper, String templateName, VitroRequest vreq) {
|
||||||
super(subjectUri, propertyUri, policyHelper, vreq);
|
super(subjectUri, propertyUri, policyHelper, vreq);
|
||||||
|
|
||||||
cleanMapValuesForDisplay( data );
|
|
||||||
this.data = data;
|
this.data = data;
|
||||||
this.objectUri = data.get(objectKey);
|
this.objectUri = data.get(objectKey);
|
||||||
this.templateName = templateName;
|
this.templateName = templateName;
|
||||||
|
@ -125,4 +122,8 @@ public class ObjectPropertyStatementTemplateModel extends PropertyStatementTempl
|
||||||
return cleanTextForDisplay( data.get(key) );
|
return cleanTextForDisplay( data.get(key) );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public String uri(String key) {
|
||||||
|
return cleanURIForDisplay(data.get(key));
|
||||||
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
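Review bot: Removing `cleanMapValuesForDisplay( data )` from the constructor changes the sanitization model from clean-once-at-construction to clean-on-read, so the stored map is now raw and only the `value(key)` and new `uri(key)` accessors apply any cleaning; any template or subclass that reaches `data` through another path, including accessors on this class outside these hunks, will now emit unescaped text that previously came back from AntiSamy. The constructor begins above the hunk, so I cannot see whether anything else still sanitizes the map; a comment on the `data` field stating the new contract, e.g. `// Stored unsanitized: always read through value() or uri(), which clean for display.`, would make the responsibility explicit. Separately, `uri(key)` hands `data.get(key)` straight to `cleanURIForDisplay`, which in the BaseTemplateModel hunk calls `dirty.length()` immediately, so a key missing from the map now throws NullPointerException out of the template rather than rendering empty; `String raw = data.get(key); return raw == null ? null : cleanURIForDisplay(raw);` would match the tolerance callers presumably had before.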