From 166fbd61ad5817715656bf29e097cc28ed721386 Mon Sep 17 00:00:00 2001
From: Felix Ostrowski
Date: Wed, 24 Jan 2018 15:45:25 +0100
Subject: [PATCH] Escape additional parameters to prevent XSS
Fixes rightsstatements/rightsstatements.github.io#112
---
 app/controllers/Application.java | 3 ++-
 test/controllers/ApplicationTest.java | 7 ++++---
 2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/app/controllers/Application.java b/app/controllers/Application.java
index da08c58..1f282ae 100644
--- a/app/controllers/Application.java
+++ b/app/controllers/Application.java
@@ -9,6 +9,7 @@ import com.hp.hpl.jena.rdf.model.Model;
 import com.hp.hpl.jena.rdf.model.ModelFactory;
+import org.apache.commons.lang3.StringEscapeUtils;
 import play.Logger;
 import play.Play;
 import play.api.http.MediaRange;
@@ -436,7 +437,7 @@ private HashMap getParameters(Http.Request request, String id) {
 for (String validParameter : validParameters.split(" ")) {
 String suppliedParameter = request.getQueryString(validParameter);
 if (suppliedParameter != null) {
- parameters.put(validParameter, request.getQueryString(validParameter));
+ parameters.put(validParameter, StringEscapeUtils.escapeHtml4(request.getQueryString(validParameter)));
 }
 }
 }
diff --git a/test/controllers/ApplicationTest.java b/test/controllers/ApplicationTest.java
index bda2af1..8d1ecc6 100644
--- a/test/controllers/ApplicationTest.java
+++ b/test/controllers/ApplicationTest.java
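Review bot: The added line re-reads `request.getQueryString(validParameter)` although `suppliedParameter`, assigned two lines above from the same call and already null-checked, holds that value; `parameters.put(validParameter, StringEscapeUtils.escapeHtml4(suppliedParameter));` does the same work with one lookup. Escaping at this point is HTML-entity encoding applied on input, so it is only right if every consumer of the returned map renders the value as HTML text or attribute content; where the map is consumed is not visible here, and a consumer that places a value such as `relatedURL` into an `href` would additionally need to validate the URL scheme, while one that escapes on output would double-encode it. A comment on the `put` line, e.g. `// values are HTML-escaped on the way in; consumers must treat them as already encoded`, would make that contract explicit. `getParameters` starts and ends outside this hunk.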
@@ -286,12 +286,13 @@ public void testGetStatementPage() {
 running(fakeApplication, new Runnable() {
 @Override
 public void run() {
- Result result = route(fakeRequest(routes.Application.getStatementPage("InC", "1.0", "en"))
- .header("Accept", "text/html"));
+ Result result = route(fakeRequest("GET", routes.Application.getStatementPage("InC-OW-EU", "1.0", "en").url()
+ .concat("&relatedURL=%22%3E%3Cscript%3Ewindow.location%20=%22http://www.google.com%22%3C/script%3E")));
 assertEquals(200, result.status());
 assertEquals("text/html", result.contentType());
- assertEquals("; rel=derivedfrom", result.header("Link"));
+ assertEquals("; rel=derivedfrom", result.header("Link"));
 assertEquals("en", result.header("Content-Language"));
+ assertEquals(-1, contentAsString(result).indexOf(""));
 //FIXME: re-enable once templates are finalized
 //assertEquals(getResource("page/InC/1.0"), contentAsString(result));
 }