

Merge pull request #63 from rightsstatements/develop
Escape additional parameters to prevent XSS
anarchivist authored Jan 25, 2018
2 parents 31998b5 + 166fbd6 commit a971bc1
Showing 2 changed files with 6 additions and 4 deletions.
3 changes: 2 additions & 1 deletion app/controllers/Application.java
Expand Up @@ -9,6 +9,7 @@
import com.hp.hpl.jena.rdf.model.Model;
import com.hp.hpl.jena.rdf.model.ModelFactory;

import org.apache.commons.lang3.StringEscapeUtils;
import play.Logger;
import play.Play;
import play.api.http.MediaRange;
Expand Down Expand Up @@ -436,7 +437,7 @@ private HashMap<String, String> getParameters(Http.Request request, String id) {
for (String validParameter : validParameters.split(" ")) {
String suppliedParameter = request.getQueryString(validParameter);
if (suppliedParameter != null) {
parameters.put(validParameter, request.getQueryString(validParameter));
parameters.put(validParameter, StringEscapeUtils.escapeHtml4(request.getQueryString(validParameter)));
}
}
}
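Review bot: Applying escapeHtml4 where the query parameter is read means the parameters map now carries HTML-encoded text, so any consumer that emits it outside an HTML text node (a URL in an href, a JSON or RDF response, or a Twirl template that already escapes `@` expressions) will either double-encode the value or remain exposed; output encoding is safest applied at the render site, matched to that context. If a value such as relatedURL is written into an href, HTML escaping alone does not constrain the URL, so an allow-list check on the scheme (http/https only) is still needed here or wherever it is emitted. The new line also re-reads the query string although `suppliedParameter` already holds the same value: `parameters.put(validParameter, StringEscapeUtils.escapeHtml4(suppliedParameter));`. getParameters begins and ends outside the hunk.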
7 changes: 4 additions & 3 deletions test/controllers/ApplicationTest.java
Expand Up @@ -286,12 +286,13 @@ public void testGetStatementPage() {
running(fakeApplication, new Runnable() {
@Override
public void run() {
Result result = route(fakeRequest(routes.Application.getStatementPage("InC", "1.0", "en"))
.header("Accept", "text/html"));
Result result = route(fakeRequest("GET", routes.Application.getStatementPage("InC-OW-EU", "1.0", "en").url()
.concat("&relatedURL=%22%3E%3Cscript%3Ewindow.location%20=%22http://www.google.com%22%3C/script%3E")));
assertEquals(200, result.status());
assertEquals("text/html", result.contentType());
assertEquals("<http://null/page/InC/1.0/>; rel=derivedfrom", result.header("Link"));
assertEquals("<http://null/page/InC-OW-EU/1.0/>; rel=derivedfrom", result.header("Link"));
assertEquals("en", result.header("Content-Language"));
assertEquals(-1, contentAsString(result).indexOf("<script>window.location =\"http://www.google.com\"</script>"));
//FIXME: re-enable once templates are finalized
//assertEquals(getResource("page/InC/1.0"), contentAsString(result));
}
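Review bot: The new assertion `assertEquals(-1, contentAsString(result).indexOf("<script>..."))` only proves the raw payload is absent, which would also hold if relatedURL were never rendered at all, so it does not demonstrate that escaping happened. Pairing it with a positive check that the encoded form is present, e.g. `assertTrue(contentAsString(result).contains("&lt;script&gt;"))`, would pin the intended behavior, assuming the page template does emit relatedURL. The request URL is built with `.concat("&relatedURL=...")`, which presumes `.url()` already contains a query string; if it does not, the parameter would be silently dropped and the negative assertion would still pass. testGetStatementPage begins and ends outside the hunk.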

