From 999cd8a9b67e5e55cdd2552e3df29af5e4613a5b Mon Sep 17 00:00:00 2001
From: briancaruso
Date: Mon, 5 Dec 2011 22:07:36 +0000
Subject: [PATCH] Adding anti XSS NIHVIVO-3379
---
.../AddAssociatedConceptGenerator.java | 4 +++
...AuthorsToInformationResourceGenerator.java | 3 ++
.../AddEditWebpageFormGenerator.java | 3 ++
.../AddGrantRoleToPersonGenerator.java | 8 ++++--
.../AddRoleToPersonTwoStageGenerator.java | 6 +++-
.../AddUserDefinedConceptGenerator.java | 5 +++-
.../ManageWebpagesForIndividualGenerator.java | 28 +++++++++----------
.../NewIndividualFormGenerator.java | 3 ++
...ganizationHasPositionHistoryGenerator.java | 3 ++
.../PersonHasEducationalTraining.java | 5 +++-
.../PersonHasPositionHistoryGenerator.java | 4 ++-
11 files changed, 52 insertions(+), 20 deletions(-)
diff --git a/src/edu/cornell/mannlib/vitro/webapp/edit/n3editing/configuration/generators/AddAssociatedConceptGenerator.java b/src/edu/cornell/mannlib/vitro/webapp/edit/n3editing/configuration/generators/AddAssociatedConceptGenerator.java
index 4d802d86..7302bdb9 100644
--- a/src/edu/cornell/mannlib/vitro/webapp/edit/n3editing/configuration/generators/AddAssociatedConceptGenerator.java
+++ b/src/edu/cornell/mannlib/vitro/webapp/edit/n3editing/configuration/generators/AddAssociatedConceptGenerator.java
@@ -48,6 +48,7 @@ import edu.cornell.mannlib.vitro.webapp.edit.n3editing.configuration.Field;
 import edu.cornell.mannlib.vitro.webapp.edit.n3editing.configuration.generators.AddAuthorsToInformationResourceGenerator.AuthorshipInfo;
 import edu.cornell.mannlib.vitro.webapp.edit.n3editing.configuration.preprocessors.AddAssociatedConceptsPreprocessor;
 import edu.cornell.mannlib.vitro.webapp.edit.n3editing.configuration.preprocessors.RoleToActivityPredicatePreprocessor;
+import edu.cornell.mannlib.vitro.webapp.edit.n3editing.configuration.validators.AntiXssValidation;
 import edu.cornell.mannlib.vitro.webapp.edit.n3editing.processEdit.RdfLiteralHash;
 import edu.cornell.mannlib.vitro.webapp.edit.n3editing.VTwo.EditN3GeneratorVTwo;
 import edu.cornell.mannlib.vitro.webapp.edit.n3editing.VTwo.SelectListGeneratorVTwo;
@@ -129,6 +130,9 @@ public class AddAssociatedConceptGenerator extends VivoBaseGenerator implements
 //Adding term should return to this same page, not the subject
 //Return takes the page back to the individual form
 editConfiguration.setUrlPatternToReturnTo(EditConfigurationUtils.getFormUrlWithoutContext(vreq));
+
+ editConfiguration.addValidator(new AntiXssValidation());
+
 //prepare
 prepare(vreq, editConfiguration);
 return editConfiguration;
diff --git a/src/edu/cornell/mannlib/vitro/webapp/edit/n3editing/configuration/generators/AddAuthorsToInformationResourceGenerator.java b/src/edu/cornell/mannlib/vitro/webapp/edit/n3editing/configuration/generators/AddAuthorsToInformationResourceGenerator.java
index 3c217c94..e6e2fa7a 100644
--- a/src/edu/cornell/mannlib/vitro/webapp/edit/n3editing/configuration/generators/AddAuthorsToInformationResourceGenerator.java
+++ b/src/edu/cornell/mannlib/vitro/webapp/edit/n3editing/configuration/generators/AddAuthorsToInformationResourceGenerator.java
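Review bot: The protection is opt-in per generator — each form has to remember its own `editConfiguration.addValidator(new AntiXssValidation());` — so any generator this commit does not touch, and any added later, runs without it; if the shared bases (VivoBaseGenerator / BaseEditConfigurationGenerator, both outside the hunks) have a common initialisation step, registering the validator there once would make these per-file calls redundant and the coverage complete. Because AntiXssValidation is constructed with no arguments, the hunk does not show which fields it inspects or what it rejects, so a one-line comment at the call such as `// reject submitted values that look like markup before they reach the model; templates must still escape on output` would document the intent, assuming it does what its name suggests. Input-side rejection is defense in depth only; whether the .ftl templates escape these values when rendered is not visible here. The same pattern appears in the AddAuthorsToInformationResource, AddEditWebpageForm, AddGrantRoleToPerson, AddRoleToPersonTwoStage, AddUserDefinedConcept, NewIndividualForm, OrganizationHasPositionHistory, PersonHasEducationalTraining and PersonHasPositionHistory hunks. The enclosing method starts outside the hunk.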
@@ -24,6 +24,7 @@ import edu.cornell.mannlib.vitro.webapp.edit.n3editing.VTwo.DateTimeIntervalVali
 import edu.cornell.mannlib.vitro.webapp.edit.n3editing.VTwo.EditConfigurationUtils;
 import edu.cornell.mannlib.vitro.webapp.edit.n3editing.VTwo.EditConfigurationVTwo;
 import edu.cornell.mannlib.vitro.webapp.edit.n3editing.VTwo.FieldVTwo;
+import edu.cornell.mannlib.vitro.webapp.edit.n3editing.configuration.validators.AntiXssValidation;
 /**
 * This is a slightly unusual generator that is used by Manage Authors on
@@ -77,6 +78,8 @@ public class AddAuthorsToInformationResourceGenerator extends VivoBaseGenerator
 //Adding additional data, specifically edit mode
 addFormSpecificData(editConfiguration, vreq);
+ editConfiguration.addValidator(new AntiXssValidation());
+
 //NOITCE this generator does not run prepare() since it
 //is never an update and has no SPARQL for existing
diff --git a/src/edu/cornell/mannlib/vitro/webapp/edit/n3editing/configuration/generators/AddEditWebpageFormGenerator.java b/src/edu/cornell/mannlib/vitro/webapp/edit/n3editing/configuration/generators/AddEditWebpageFormGenerator.java
index 6c177904..1e37f714 100644
--- a/src/edu/cornell/mannlib/vitro/webapp/edit/n3editing/configuration/generators/AddEditWebpageFormGenerator.java
+++ b/src/edu/cornell/mannlib/vitro/webapp/edit/n3editing/configuration/generators/AddEditWebpageFormGenerator.java
@@ -17,6 +17,7 @@ import edu.cornell.mannlib.vitro.webapp.dao.jena.QueryUtils;
 import edu.cornell.mannlib.vitro.webapp.edit.n3editing.VTwo.EditConfigurationUtils;
 import edu.cornell.mannlib.vitro.webapp.edit.n3editing.VTwo.EditConfigurationVTwo;
 import edu.cornell.mannlib.vitro.webapp.edit.n3editing.VTwo.FieldVTwo;
+import edu.cornell.mannlib.vitro.webapp.edit.n3editing.configuration.validators.AntiXssValidation;
 /** Custom form for adding or editing a webpage associated with an individual. The primary page,
@@ -90,6 +91,8 @@ public class AddEditWebpageFormGenerator extends BaseEditConfigurationGenerator
 EditConfigurationUtils.getSubjectUri(vreq), vreq ) + 1 );
+ config.addValidator(new AntiXssValidation());
+
 //might be null
 config.addFormSpecificData("subjectName", getName( config, vreq));
 prepare(vreq, config);
diff --git a/src/edu/cornell/mannlib/vitro/webapp/edit/n3editing/configuration/generators/AddGrantRoleToPersonGenerator.java b/src/edu/cornell/mannlib/vitro/webapp/edit/n3editing/configuration/generators/AddGrantRoleToPersonGenerator.java
index 98cab059..d49822b5 100644
--- a/src/edu/cornell/mannlib/vitro/webapp/edit/n3editing/configuration/generators/AddGrantRoleToPersonGenerator.java
+++ b/src/edu/cornell/mannlib/vitro/webapp/edit/n3editing/configuration/generators/AddGrantRoleToPersonGenerator.java
@@ -30,6 +30,7 @@ import edu.cornell.mannlib.vitro.webapp.edit.n3editing.VTwo.EditConfigurationUti
 import edu.cornell.mannlib.vitro.webapp.edit.n3editing.VTwo.EditConfigurationVTwo;
 import edu.cornell.mannlib.vitro.webapp.edit.n3editing.VTwo.EditN3GeneratorVTwo;
 import edu.cornell.mannlib.vitro.webapp.edit.n3editing.VTwo.FieldVTwo;
+import edu.cornell.mannlib.vitro.webapp.edit.n3editing.configuration.validators.AntiXssValidation;
 import edu.cornell.mannlib.vitro.webapp.utils.FrontEndEditingUtils;
 import edu.cornell.mannlib.vitro.webapp.utils.FrontEndEditingUtils.EditMode;
 import edu.cornell.mannlib.vitro.webapp.utils.generators.EditModeUtils;
@@ -104,8 +105,11 @@ public class AddGrantRoleToPersonGenerator implements EditConfigurationGenerator
 setTemplate(editConfiguration, vreq);
 //Set edit key
 setEditKey(editConfiguration, vreq);
- //Add validator
- editConfiguration.addValidator(new DateTimeIntervalValidationVTwo("startField","endField") );
+
+ //Add validators
+ editConfiguration.addValidator(new DateTimeIntervalValidationVTwo("startField","endField") );
+ editConfiguration.addValidator(new AntiXssValidation());
+
 //no preprocessors required here
 //Adding additional data, specifically edit mode
 addFormSpecificData(editConfiguration, vreq);
diff --git a/src/edu/cornell/mannlib/vitro/webapp/edit/n3editing/configuration/generators/AddRoleToPersonTwoStageGenerator.java b/src/edu/cornell/mannlib/vitro/webapp/edit/n3editing/configuration/generators/AddRoleToPersonTwoStageGenerator.java
index bae46197..fc145792 100644
--- a/src/edu/cornell/mannlib/vitro/webapp/edit/n3editing/configuration/generators/AddRoleToPersonTwoStageGenerator.java
+++ b/src/edu/cornell/mannlib/vitro/webapp/edit/n3editing/configuration/generators/AddRoleToPersonTwoStageGenerator.java
@@ -32,6 +32,7 @@ import edu.cornell.mannlib.vitro.webapp.edit.n3editing.VTwo.EditConfigurationUti
 import edu.cornell.mannlib.vitro.webapp.edit.n3editing.VTwo.EditConfigurationVTwo;
 import edu.cornell.mannlib.vitro.webapp.edit.n3editing.VTwo.FieldVTwo;
 import edu.cornell.mannlib.vitro.webapp.edit.n3editing.configuration.preprocessors.RoleToActivityPredicatePreprocessor;
+import edu.cornell.mannlib.vitro.webapp.edit.n3editing.configuration.validators.AntiXssValidation;
 import edu.cornell.mannlib.vitro.webapp.utils.FrontEndEditingUtils.EditMode;
 import edu.cornell.mannlib.vitro.webapp.utils.generators.EditModeUtils;
 /**
@@ -163,11 +164,14 @@ public abstract class AddRoleToPersonTwoStageGenerator extends BaseEditConfigura
 editConfiguration.setTemplate(getTemplate());
 //Add validator
- editConfiguration.addValidator(new DateTimeIntervalValidationVTwo("startField","endField") );
+ editConfiguration.addValidator(new DateTimeIntervalValidationVTwo("startField","endField") );
+ editConfiguration.addValidator(new AntiXssValidation());
+
 //Add preprocessors
 addPreprocessors(editConfiguration, vreq.getWebappDaoFactory());
 //Adding additional data, specifically edit mode
 addFormSpecificData(editConfiguration, vreq);
+
 //prepare
 prepare(vreq, editConfiguration);
 return editConfiguration;
diff --git a/src/edu/cornell/mannlib/vitro/webapp/edit/n3editing/configuration/generators/AddUserDefinedConceptGenerator.java b/src/edu/cornell/mannlib/vitro/webapp/edit/n3editing/configuration/generators/AddUserDefinedConceptGenerator.java
index 25a7e4dd..e27b3192 100644
--- a/src/edu/cornell/mannlib/vitro/webapp/edit/n3editing/configuration/generators/AddUserDefinedConceptGenerator.java
+++ b/src/edu/cornell/mannlib/vitro/webapp/edit/n3editing/configuration/generators/AddUserDefinedConceptGenerator.java
@@ -42,6 +42,7 @@ import edu.cornell.mannlib.vitro.webapp.dao.WebappDaoFactory;
 import edu.cornell.mannlib.vitro.webapp.edit.n3editing.VTwo.EditConfigurationVTwo;
 import edu.cornell.mannlib.vitro.webapp.edit.n3editing.configuration.Field;
 import edu.cornell.mannlib.vitro.webapp.edit.n3editing.configuration.preprocessors.RoleToActivityPredicatePreprocessor;
+import edu.cornell.mannlib.vitro.webapp.edit.n3editing.configuration.validators.AntiXssValidation;
 import edu.cornell.mannlib.vitro.webapp.edit.n3editing.processEdit.RdfLiteralHash;
 import edu.cornell.mannlib.vitro.webapp.edit.n3editing.VTwo.EditN3GeneratorVTwo;
 import edu.cornell.mannlib.vitro.webapp.edit.n3editing.VTwo.SelectListGeneratorVTwo;
@@ -109,7 +110,9 @@ public class AddUserDefinedConceptGenerator extends VivoBaseGenerator implement
 setTemplate(editConfiguration, vreq);
- //No validators required here
+
+ editConfiguration.addValidator(new AntiXssValidation());
+
 //Add preprocessors
 addPreprocessors(editConfiguration, vreq.getWebappDaoFactory());
 //Adding additional data, specifically edit mode
diff --git a/src/edu/cornell/mannlib/vitro/webapp/edit/n3editing/configuration/generators/ManageWebpagesForIndividualGenerator.java b/src/edu/cornell/mannlib/vitro/webapp/edit/n3editing/configuration/generators/ManageWebpagesForIndividualGenerator.java
index f5c69103..1f7cf4d1 100644
--- a/src/edu/cornell/mannlib/vitro/webapp/edit/n3editing/configuration/generators/ManageWebpagesForIndividualGenerator.java
+++ b/src/edu/cornell/mannlib/vitro/webapp/edit/n3editing/configuration/generators/ManageWebpagesForIndividualGenerator.java
@@ -35,41 +35,41 @@ public class ManageWebpagesForIndividualGenerator extends BaseEditConfigurationG
 @Override
 public EditConfigurationVTwo getEditConfiguration(VitroRequest vreq, HttpSession session) {
-
+
 EditConfigurationVTwo config = new EditConfigurationVTwo();
 config.setTemplate("manageWebpagesForIndividual.ftl");
-
+
 initBasics(config, vreq);
 initPropertyParameters(vreq, session, config);
 initObjectPropForm(config, vreq);
-
+
 config.setSubjectUri(EditConfigurationUtils.getSubjectUri(vreq));
 config.setEntityToReturnTo( EditConfigurationUtils.getSubjectUri(vreq));
-
+
 List> webpages = getWebpages(config.getSubjectUri(), vreq);
 config.addFormSpecificData("webpages",webpages);
 config.addFormSpecificData("rankPredicate", "http://vivoweb.org/ontology/core#rank" );
 config.addFormSpecificData("reorderUrl", "/edit/reorder" );
 config.addFormSpecificData("deleteWebpageUrl", "/edit/primitiveDelete");
-
- ParamMap paramMap = new ParamMap();
- paramMap.put("subjectUri", config.getSubjectUri());
- paramMap.put("editForm", AddEditWebpageFormGenerator.class.getName());
- paramMap.put("view", "form");
- String path = UrlBuilder.getUrl( UrlBuilder.Route.EDIT_REQUEST_DISPATCH ,paramMap);
-
+
+ ParamMap paramMap = new ParamMap();
+ paramMap.put("subjectUri", config.getSubjectUri());
+ paramMap.put("editForm", AddEditWebpageFormGenerator.class.getName());
+ paramMap.put("view", "form");
+ String path = UrlBuilder.getUrl( UrlBuilder.Route.EDIT_REQUEST_DISPATCH ,paramMap);
+
 config.addFormSpecificData("baseEditWebpageUrl", path);
-
+
 paramMap = new ParamMap();
 paramMap.put("subjectUri", config.getSubjectUri());
 paramMap.put("predicateUri", config.getPredicateUri());
 paramMap.put("editForm" , AddEditWebpageFormGenerator.class.getName() );
 paramMap.put("cancelTo", "manage");
 path = UrlBuilder.getUrl( UrlBuilder.Route.EDIT_REQUEST_DISPATCH ,paramMap);
-
+
 config.addFormSpecificData("showAddFormUrl", path);
-
+
 Individual subject =
 vreq.getWebappDaoFactory().getIndividualDao().getIndividualByURI(config.getSubjectUri());
 if( subject != null && subject.getName() != null ){
 config.addFormSpecificData("subjectName", subject.getName());
diff --git a/src/edu/cornell/mannlib/vitro/webapp/edit/n3editing/configuration/generators/NewIndividualFormGenerator.java b/src/edu/cornell/mannlib/vitro/webapp/edit/n3editing/configuration/generators/NewIndividualFormGenerator.java
index 0f7715f9..129c606e 100644
--- a/src/edu/cornell/mannlib/vitro/webapp/edit/n3editing/configuration/generators/NewIndividualFormGenerator.java
+++ b/src/edu/cornell/mannlib/vitro/webapp/edit/n3editing/configuration/generators/NewIndividualFormGenerator.java
@@ -21,6 +21,7 @@ import edu.cornell.mannlib.vitro.webapp.edit.n3editing.VTwo.EditConfigurationUti
 import edu.cornell.mannlib.vitro.webapp.edit.n3editing.VTwo.EditConfigurationVTwo;
 import edu.cornell.mannlib.vitro.webapp.edit.n3editing.VTwo.FieldVTwo;
 import edu.cornell.mannlib.vitro.webapp.edit.n3editing.configuration.preprocessors.FoafNameToRdfsLabelPreprocessor;
+import edu.cornell.mannlib.vitro.webapp.edit.n3editing.configuration.validators.AntiXssValidation;
 /**
 * Generates the edit configuration for a default property form.
@@ -69,6 +70,8 @@ public class NewIndividualFormGenerator extends BaseEditConfigurationGenerator i
 addFormSpecificData(config, vreq);
+ config.addValidator(new AntiXssValidation());
+
 //This combines the first and last name into the rdfs:label
 config.addModelChangePreprocessor(new FoafNameToRdfsLabelPreprocessor());
diff --git a/src/edu/cornell/mannlib/vitro/webapp/edit/n3editing/configuration/generators/OrganizationHasPositionHistoryGenerator.java b/src/edu/cornell/mannlib/vitro/webapp/edit/n3editing/configuration/generators/OrganizationHasPositionHistoryGenerator.java
index 6e479db7..10604e0f 100644
--- a/src/edu/cornell/mannlib/vitro/webapp/edit/n3editing/configuration/generators/OrganizationHasPositionHistoryGenerator.java
+++ b/src/edu/cornell/mannlib/vitro/webapp/edit/n3editing/configuration/generators/OrganizationHasPositionHistoryGenerator.java
@@ -14,6 +14,7 @@ import edu.cornell.mannlib.vitro.webapp.edit.n3editing.VTwo.DateTimeIntervalVali
 import edu.cornell.mannlib.vitro.webapp.edit.n3editing.VTwo.DateTimeWithPrecisionVTwo;
 import edu.cornell.mannlib.vitro.webapp.edit.n3editing.VTwo.EditConfigurationVTwo;
 import edu.cornell.mannlib.vitro.webapp.edit.n3editing.VTwo.FieldVTwo;
+import edu.cornell.mannlib.vitro.webapp.edit.n3editing.configuration.validators.AntiXssValidation;
 public class OrganizationHasPositionHistoryGenerator extends VivoBaseGenerator implements EditConfigurationGenerator {
@@ -220,8 +221,10 @@ public class OrganizationHasPositionHistoryGenerator extends VivoBaseGenerator
 conf.addField(endField.setEditElement(new DateTimeWithPrecisionVTwo( endField, URI_PRECISION_YEAR, URI_PRECISION_NONE)));
+ conf.addValidator(new AntiXssValidation());
 conf.addValidator(new DateTimeIntervalValidationVTwo("startField", "endField"));
+
 prepare(vreq, conf);
 return conf;
 }
diff --git a/src/edu/cornell/mannlib/vitro/webapp/edit/n3editing/configuration/generators/PersonHasEducationalTraining.java b/src/edu/cornell/mannlib/vitro/webapp/edit/n3editing/configuration/generators/PersonHasEducationalTraining.java
index 7e92ddba..ea5bdb9d 100644
--- a/src/edu/cornell/mannlib/vitro/webapp/edit/n3editing/configuration/generators/PersonHasEducationalTraining.java
+++ b/src/edu/cornell/mannlib/vitro/webapp/edit/n3editing/configuration/generators/PersonHasEducationalTraining.java
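Review bot: The AntiXssValidation call is inserted before the existing DateTimeIntervalValidationVTwo call here, whereas every other generator in this commit appends it after the validators already registered; if validators run in registration order (not visible in the hunk), this form would report its errors in a different order from the others. For consistency, swap the two lines so `conf.addValidator(new DateTimeIntervalValidationVTwo("startField", "endField"));` stays first and `conf.addValidator(new AntiXssValidation());` follows it. The enclosing method starts outside the hunk.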
@@ -17,6 +17,7 @@ import edu.cornell.mannlib.vitro.webapp.edit.n3editing.VTwo.DateTimeIntervalVali
 import edu.cornell.mannlib.vitro.webapp.edit.n3editing.VTwo.DateTimeWithPrecisionVTwo;
 import edu.cornell.mannlib.vitro.webapp.edit.n3editing.VTwo.EditConfigurationVTwo;
 import edu.cornell.mannlib.vitro.webapp.edit.n3editing.VTwo.FieldVTwo;
+import edu.cornell.mannlib.vitro.webapp.edit.n3editing.configuration.validators.AntiXssValidation;
 import edu.cornell.mannlib.vitro.webapp.utils.FrontEndEditingUtils.EditMode;
 import edu.cornell.mannlib.vitro.webapp.utils.generators.EditModeUtils;
@@ -177,7 +178,9 @@ public class PersonHasEducationalTraining extends VivoBaseGenerator implements
 VitroVocabulary.Precision.NONE.uri())));
 //Add validator
 conf.addValidator(new DateTimeIntervalValidationVTwo("startField","endField"));
- //Adding additional data, specifically edit mode
+ conf.addValidator(new AntiXssValidation());
+
+ //Adding additional data, specifically edit mode
 addFormSpecificData(conf, vreq);
 prepare(vreq, conf);
 return conf;
diff --git a/src/edu/cornell/mannlib/vitro/webapp/edit/n3editing/configuration/generators/PersonHasPositionHistoryGenerator.java b/src/edu/cornell/mannlib/vitro/webapp/edit/n3editing/configuration/generators/PersonHasPositionHistoryGenerator.java
index 8a421154..6f7c6f7c 100644
--- a/src/edu/cornell/mannlib/vitro/webapp/edit/n3editing/configuration/generators/PersonHasPositionHistoryGenerator.java
+++ b/src/edu/cornell/mannlib/vitro/webapp/edit/n3editing/configuration/generators/PersonHasPositionHistoryGenerator.java
@@ -18,6 +18,7 @@ import edu.cornell.mannlib.vitro.webapp.edit.n3editing.VTwo.DateTimeIntervalVali
 import edu.cornell.mannlib.vitro.webapp.edit.n3editing.VTwo.DateTimeWithPrecisionVTwo;
 import edu.cornell.mannlib.vitro.webapp.edit.n3editing.VTwo.EditConfigurationVTwo;
 import edu.cornell.mannlib.vitro.webapp.edit.n3editing.VTwo.FieldVTwo;
+import edu.cornell.mannlib.vitro.webapp.edit.n3editing.configuration.validators.AntiXssValidation;
 import edu.cornell.mannlib.vitro.webapp.utils.FrontEndEditingUtils.EditMode;
 import edu.cornell.mannlib.vitro.webapp.utils.generators.EditModeUtils;
@@ -155,7 +156,8 @@ public class PersonHasPositionHistoryGenerator extends VivoBaseGenerator impleme
 );
 conf.addValidator(new DateTimeIntervalValidationVTwo("startField","endField"));
-
+ conf.addValidator(new AntiXssValidation());
+
 //Adding additional data, specifically edit mode
 addFormSpecificData(conf, vreq);
 prepare(vreq, conf);