[Ils-source] r1563 - in trunk: src/com/resolutions/ils/data webapp

scribe at crosswire.org scribe at crosswire.org
Fri Jan 5 07:50:35 MST 2018


Author: scribe
Date: 2018-01-05 07:50:35 -0700 (Fri, 05 Jan 2018)
New Revision: 1563

Modified:
   trunk/src/com/resolutions/ils/data/UserProfile.java
   trunk/webapp/admin_profile.jsp
Log:
Added XSS sanitization for UserProfile string user input


Modified: trunk/src/com/resolutions/ils/data/UserProfile.java
===================================================================
--- trunk/src/com/resolutions/ils/data/UserProfile.java	2018-01-05 14:24:34 UTC (rev 1562)
+++ trunk/src/com/resolutions/ils/data/UserProfile.java	2018-01-05 14:50:35 UTC (rev 1563)
@@ -30,7 +30,10 @@
 import com.resolutions.ils.Utils;
 import java.util.HashMap;
 import java.io.StringWriter;
+import org.owasp.html.HtmlPolicyBuilder;       
+import org.owasp.html.PolicyFactory; 
 
+
 public class UserProfile extends DataObject {
 	
 	public static final int STATUS_ACTIVE = 1;
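Review bot: Both added `import org.owasp.html.…` lines carry trailing whitespace after the semicolon, and the hunk also introduces a second blank line between the imports and `public class UserProfile`; trim the trailing spaces and keep a single blank line so the import block matches the surrounding lines. The new dependency on the OWASP Java HTML Sanitizer is not declared anywhere visible in this commit, so confirm the build configuration (outside this diff) actually pulls it in.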
@@ -115,6 +118,25 @@
         return new UserProfile();
     }
 
+	static PolicyFactory sanitizer = new HtmlPolicyBuilder()
+		.allowElements("a")
+		.allowUrlProtocols("https")
+		.allowAttributes("href").onElements("a")
+		.requireRelNofollowOnLinks()
+		.toFactory();
+
+	public static String sanitize(String val) {
+		return sanitizer.sanitize(val);
+	}
+
+	// perform sanitation
+	public void setValue(String key, Object val) {
+		if (val instanceof String) {
+			val = sanitize((String)val);
+		}
+		super.setValue(key, val);
+	}
+
     static public int deleteUserProfile(ILSSession session, int userProfileID) {
         UserProfile filter = new UserProfile();
         filter.setCompanyID(session.getCompanyID());
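Review bot: The `setValue` override at the end of the hunk HTML-sanitizes every String that passes through it, so values are persisted already entity-encoded instead of being escaped where they are rendered; a name such as `O'Brien & Sons` is stored in encoded form, gets double-encoded by any view that escapes on output, and reads wrong in any non-HTML context (exports, email, equality checks). If `setUserProfilePasswd` also routes through `setValue` (its body is outside the hunk), the password is silently rewritten too, which the JSP change in this commit appears to be working around. The robust fix is to escape at the output point in the JSPs and apply this policy only to fields that are meant to hold markup; at minimum skip the password key in the `instanceof String` branch. Make the policy `private static final PolicyFactory SANITIZER`, add `@Override` to `setValue`, and replace `// perform sanitation` with a Javadoc stating that the policy keeps only `<a href="https://…" rel="nofollow">`, drops every other element, and entity-encodes the remaining text.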

Modified: trunk/webapp/admin_profile.jsp
===================================================================
--- trunk/webapp/admin_profile.jsp	2018-01-05 14:24:34 UTC (rev 1562)
+++ trunk/webapp/admin_profile.jsp	2018-01-05 14:50:35 UTC (rev 1563)
@@ -132,11 +132,16 @@
           }
         }
         if ((!"dfhdfgfgsf".equals(passwd1) || !"dfhdfgfgsf".equals(passwd2)) && (passwd1 != null)) {
-            if (passwd1.equals(passwd2)) {
+            if (passwd1.equals(UserProfile.sanitize(passwd2))) {
                 current.setUserProfilePasswd(passwd1);
             }
 	    else validError = "Passwords do not match.";
         }
+	// sanitize after we check or else we might match two sanitized passwords and then
+	// the user won't know to what their password has been set
+	passwd1 = UserProfile.sanitize(passwd1);
+	passwd2 = UserProfile.sanitize(passwd2);
+
         val = request.getParameter("statusID");
         if (val != null) current.setUserProfileStatusID(Integer.parseInt(val));
         val = request.getParameter("accessLevel");
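Review bot: The changed `if` compares the raw `passwd1` against `UserProfile.sanitize(passwd2)`, so any password containing a character the HTML policy rewrites (`<`, `>`, `&`, `"`, `'`) fails with "Passwords do not match." even when both fields are identical, while `current.setUserProfilePasswd(passwd1)` still receives the unsanitized string. A password is never rendered as HTML and should not go through the sanitizer at all; if the intent is to forbid such characters, validate explicitly with an honest message, e.g. `if (!passwd1.equals(passwd2)) validError = "Passwords do not match."; else if (!passwd1.equals(UserProfile.sanitize(passwd1))) validError = "Password contains characters that are not allowed."; else current.setUserProfilePasswd(passwd1);`. The two `sanitize` assignments added after the block run after `passwd1`/`passwd2` have already been consumed, so unless the rest of the page (outside this hunk) reads them again they are dead code and the comment above them describes a problem the code no longer has. The enclosing scriptlet begins and ends outside the hunk.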



