This is an automated email from the ASF dual-hosted git repository.
snoopdave pushed a commit to branch validate-tz
in repository https://gitbox.apache.org/repos/asf/roller.git
The following commit(s) were added to refs/heads/validate-tz by this push:
new 806f7ba63 Validations for things not covered by Struts Validator.
806f7ba63 is described below
commit 806f7ba63cb33762365bbb34c49193b5db9b317b
Author: David M. Johnson <[email protected]>
AuthorDate: Sun Jan 28 16:58:43 2024 -0500
Validations for things not covered by Struts Validator.
---
.../business/jpa/JPABookmarkManagerImpl.java | 14 +++++++------
.../weblogger/business/jpa/JPAUserManagerImpl.java | 6 ++++--
.../org/apache/roller/weblogger/pojos/User.java | 24 ++++++++++++++--------
.../roller/weblogger/pojos/WeblogBookmark.java | 10 ++++++++-
.../weblogger/pojos/WeblogBookmarkFolder.java | 6 ++++++
.../roller/weblogger/ui/struts2/core/Profile.java | 23 ++++++++++++++++++++-
.../weblogger/ui/struts2/editor/BookmarkEdit.java | 1 -
.../apache/roller/weblogger/util/URLUtilities.java | 9 ++++++++
.../main/resources/ApplicationResources.properties | 2 ++
9 files changed, 75 insertions(+), 20 deletions(-)
diff --git
a/app/src/main/java/org/apache/roller/weblogger/business/jpa/JPABookmarkManagerImpl.java
b/app/src/main/java/org/apache/roller/weblogger/business/jpa/JPABookmarkManagerImpl.java
index bde6dc0ea..6abaf54f9 100644
---
a/app/src/main/java/org/apache/roller/weblogger/business/jpa/JPABookmarkManagerImpl.java
+++
b/app/src/main/java/org/apache/roller/weblogger/business/jpa/JPABookmarkManagerImpl.java
@@ -104,6 +104,7 @@ public class JPABookmarkManagerImpl implements
BookmarkManager {
@Override
public void saveFolder(WeblogBookmarkFolder folder) throws
WebloggerException {
+ folder.sanitize();
// If new folder make sure name is unique
if ((folder.getId() == null || this.getFolder(folder.getId()) == null)
&& isDuplicateFolderName(folder)) {
@@ -148,15 +149,15 @@ public class JPABookmarkManagerImpl implements
BookmarkManager {
WeblogBookmarkFolder newFolder = getFolder(website, folderName);
if (newFolder == null) {
- newFolder = new WeblogBookmarkFolder(
- folderName, website);
+ newFolder = new WeblogBookmarkFolder(folderName, website);
+ newFolder.sanitize();
this.strategy.store(newFolder);
}
// Iterate through children of OPML body, importing each
Element body = doc.getRootElement().getChild("body");
- for (Object elem : body.getChildren()) {
- importOpmlElement((Element) elem, newFolder );
+ for (Element elem : body.getChildren()) {
+ importOpmlElement(elem, newFolder );
}
} catch (Exception ex) {
throw new WebloggerException(ex);
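Review bot: The folder lookup `getFolder(website, folderName)` on the first line of this hunk runs on the raw name, but the folder that is created when the lookup misses is sanitized afterwards, so its stored name can differ from `folderName`; a second import with the same name would then miss the lookup again and create a duplicate folder. Sanitizing the name once before the lookup, or looking up by `newFolder.getName()` after `newFolder.sanitize()`, keeps the two consistent, e.g. `newFolder = new WeblogBookmarkFolder(folderName, website); newFolder.sanitize(); WeblogBookmarkFolder existing = getFolder(website, newFolder.getName());`. Whether conditionallySanitize can actually change a typical OPML title depends on the sanitizer's rules, which are not in this diff. The enclosing method starts before this hunk.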
@@ -211,13 +212,14 @@ public class JPABookmarkManagerImpl implements
BookmarkManager {
url,
xmlUrl,
null);
+ bd.sanitize();
folder.addBookmark(bd);
this.strategy.store(bd);
}
} else {
// Import suboutline's children into folder
- for (Object subelem : elem.getChildren("outline")) {
- importOpmlElement((Element) subelem, folder );
+ for (Element subelem : elem.getChildren("outline")) {
+ importOpmlElement(subelem, folder );
}
}
}
diff --git
a/app/src/main/java/org/apache/roller/weblogger/business/jpa/JPAUserManagerImpl.java
b/app/src/main/java/org/apache/roller/weblogger/business/jpa/JPAUserManagerImpl.java
index 0ccdcb8fb..0bfa3b718 100644
---
a/app/src/main/java/org/apache/roller/weblogger/business/jpa/JPAUserManagerImpl.java
+++
b/app/src/main/java/org/apache/roller/weblogger/business/jpa/JPAUserManagerImpl.java
@@ -67,8 +67,9 @@ public class JPAUserManagerImpl implements UserManager {
//--------------------------------------------------------------- user CRUD
@Override
- public void saveUser(User data) throws WebloggerException {
- this.strategy.store(data);
+ public void saveUser(User user) throws WebloggerException {
+ user.sanitize();
+ this.strategy.store(user);
}
@@ -113,6 +114,7 @@ public class JPAUserManagerImpl implements UserManager {
throw new WebloggerException("error.add.user.userNameInUse");
}
+ newUser.sanitize();
this.strategy.store(newUser);
grantRole("editor", newUser);
diff --git a/app/src/main/java/org/apache/roller/weblogger/pojos/User.java
b/app/src/main/java/org/apache/roller/weblogger/pojos/User.java
index 5e6214632..0904e9ef5 100644
--- a/app/src/main/java/org/apache/roller/weblogger/pojos/User.java
+++ b/app/src/main/java/org/apache/roller/weblogger/pojos/User.java
@@ -28,6 +28,7 @@ import org.apache.roller.weblogger.WebloggerException;
import org.apache.roller.util.UUIDGenerator;
import org.apache.roller.weblogger.business.WebloggerFactory;
import org.apache.roller.weblogger.ui.core.RollerContext;
+import org.apache.roller.weblogger.util.HTMLSanitizer;
import org.springframework.security.crypto.password.PasswordEncoder;
@@ -36,7 +37,7 @@ import
org.springframework.security.crypto.password.PasswordEncoder;
*/
public class User implements Serializable {
- public static final long serialVersionUID = -6354583200913127874L;
+ private static final long serialVersionUID = -6354583200913127874L;
private String id = UUIDGenerator.generateUUID();
private String userName;
@@ -91,7 +92,7 @@ public class User implements Serializable {
}
public void setUserName( String userName ) {
- this.userName = userName;
+ this.userName = HTMLSanitizer.conditionallySanitize(userName);
}
/**
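Review bot: This setter and the later hunks for openIdUrl, emailAddress, locale, timeZone and activationCode run an HTML sanitizer over values that are never rendered as HTML, which silently transforms the value instead of rejecting it; a time zone id, locale, e-mail address or activation token should be validated against its expected format or known list (as the Profile change in this commit does for timeZone and locale), with the sanitizer reserved for the displayed fields fullName and screenName. If HTMLSanitizer.conditionallySanitize ever alters one of these strings, the stored activationCode would no longer match the code that was sent out and activation would fail with no error; whether that can happen depends on the sanitizer's rules, which are not in this diff. Sanitizing inside the setter also means any path that rebuilds a User from persisted data through its setters re-sanitizes stored values on every load, which I would confirm against the entity's JPA access type. I would keep `this.userName = userName;`-style assignment for the non-display fields and add a Javadoc line on setFullName/setScreenName stating that the value is sanitized on write.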
@@ -128,7 +129,7 @@ public class User implements Serializable {
}
public void setOpenIdUrl(String openIdUrl) {
- this.openIdUrl = openIdUrl;
+ this.openIdUrl = HTMLSanitizer.conditionallySanitize(openIdUrl);
}
/**
@@ -139,7 +140,7 @@ public class User implements Serializable {
}
public void setScreenName( String screenName ) {
- this.screenName = screenName;
+ this.screenName = HTMLSanitizer.conditionallySanitize(screenName);
}
/**
@@ -150,7 +151,7 @@ public class User implements Serializable {
}
public void setFullName( String fullName ) {
- this.fullName = fullName;
+ this.fullName = HTMLSanitizer.conditionallySanitize(fullName);
}
/**
@@ -161,7 +162,7 @@ public class User implements Serializable {
}
public void setEmailAddress( String emailAddress ) {
- this.emailAddress = emailAddress;
+ this.emailAddress = HTMLSanitizer.conditionallySanitize(emailAddress);
}
@@ -192,7 +193,7 @@ public class User implements Serializable {
}
public void setLocale(String locale) {
- this.locale = locale;
+ this.locale = HTMLSanitizer.conditionallySanitize(locale);
}
/**
@@ -203,7 +204,7 @@ public class User implements Serializable {
}
public void setTimeZone(String timeZone) {
- this.timeZone = timeZone;
+ this.timeZone = HTMLSanitizer.conditionallySanitize(timeZone);
}
@@ -223,7 +224,7 @@ public class User implements Serializable {
}
public void setActivationCode(String activationCode) {
- this.activationCode = activationCode;
+ this.activationCode =
HTMLSanitizer.conditionallySanitize(activationCode);
}
@@ -239,6 +240,11 @@ public class User implements Serializable {
return false;
}
}
+
+ public void sanitize() {
+ setFullName(HTMLSanitizer.conditionallySanitize(getFullName()));
+ setScreenName(HTMLSanitizer.conditionallySanitize(getScreenName()));
+ }
//------------------------------------------------------- Good citizenship
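Review bot: `sanitize()` re-applies HTMLSanitizer.conditionallySanitize to fullName and screenName even though setFullName and setScreenName in the earlier hunks of this file already sanitize their argument, so a value set through this method passes through the sanitizer twice and again on every saveUser. Unless conditionallySanitize is idempotent (not shown in this diff) repeated application risks double-encoding of entities such as `&amp;`. Given the setter-level calls, the body can simply be `setFullName(getFullName()); setScreenName(getScreenName());`, or better, drop the setter-level calls and make this the single sanitization point; either way add a Javadoc such as `/** Sanitizes the user-supplied display fields (fullName, screenName) before the entity is persisted. */`.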
diff --git
a/app/src/main/java/org/apache/roller/weblogger/pojos/WeblogBookmark.java
b/app/src/main/java/org/apache/roller/weblogger/pojos/WeblogBookmark.java
index ebb06f9e8..733a7a887 100644
--- a/app/src/main/java/org/apache/roller/weblogger/pojos/WeblogBookmark.java
+++ b/app/src/main/java/org/apache/roller/weblogger/pojos/WeblogBookmark.java
@@ -18,10 +18,12 @@
package org.apache.roller.weblogger.pojos;
-import java.io.Serializable;
import org.apache.commons.lang3.builder.EqualsBuilder;
import org.apache.commons.lang3.builder.HashCodeBuilder;
import org.apache.roller.util.UUIDGenerator;
+import org.apache.roller.weblogger.util.HTMLSanitizer;
+
+import java.io.Serializable;
/**
@@ -143,6 +145,12 @@ public class WeblogBookmark implements Serializable,
Comparable<WeblogBookmark>
public void setFeedUrl(String feedUrl) {
this.feedUrl = feedUrl;
}
+
+ public void sanitize() {
+ // Conditionally sanitize fields not validated by Struts Validator
+ setName(HTMLSanitizer.conditionallySanitize(this.name));
+ setDescription(this.description == null ? "" :
HTMLSanitizer.conditionallySanitize(this.description));
+ }
//---------------------------------------------------------- Relationships
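Review bot: sanitize() guards description against null but passes `this.name` to HTMLSanitizer.conditionallySanitize unguarded; whether that is safe depends on the sanitizer's null handling, which is not in this diff, and WeblogBookmarkFolder.sanitize() and User.sanitize() in this commit have the same asymmetry. The comment says the method covers fields not validated by Struts Validator, yet `url` and `feedUrl` are left untouched although this commit adds URLUtilities.isValid; if the Struts configuration does not validate them either, this is the natural place to reject malformed values. A one-line Javadoc, `/** Sanitizes name and description; a null description is stored as "". */`, would make the contract (including the null-to-empty conversion, which changes what is persisted) explicit.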
diff --git
a/app/src/main/java/org/apache/roller/weblogger/pojos/WeblogBookmarkFolder.java
b/app/src/main/java/org/apache/roller/weblogger/pojos/WeblogBookmarkFolder.java
index a4425471a..5d35fad7d 100644
---
a/app/src/main/java/org/apache/roller/weblogger/pojos/WeblogBookmarkFolder.java
+++
b/app/src/main/java/org/apache/roller/weblogger/pojos/WeblogBookmarkFolder.java
@@ -28,6 +28,7 @@ import org.apache.roller.weblogger.WebloggerException;
import org.apache.roller.weblogger.business.BookmarkManager;
import org.apache.roller.weblogger.business.WebloggerFactory;
import org.apache.roller.util.UUIDGenerator;
+import org.apache.roller.weblogger.util.HTMLSanitizer;
/**
@@ -188,4 +189,9 @@ public class WeblogBookmarkFolder implements Serializable,
Comparable<WeblogBook
return bmgr.getBookmarks(this);
}
+ public void sanitize() {
+ // Conditionally sanitize fields not validated by Struts Validator
+ setName(HTMLSanitizer.conditionallySanitize(getName()));
+ }
+
}
diff --git
a/app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java
b/app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java
index 198ce2b43..fc392123c 100644
--- a/app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java
+++ b/app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java
@@ -22,14 +22,18 @@ import org.apache.commons.lang3.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.roller.weblogger.WebloggerException;
-import org.apache.roller.weblogger.business.WebloggerFactory;
import org.apache.roller.weblogger.business.UserManager;
+import org.apache.roller.weblogger.business.WebloggerFactory;
import org.apache.roller.weblogger.config.AuthMethod;
import org.apache.roller.weblogger.config.WebloggerConfig;
import org.apache.roller.weblogger.pojos.User;
import org.apache.roller.weblogger.ui.struts2.util.UIAction;
import org.apache.struts2.interceptor.validation.SkipValidation;
+import java.util.Arrays;
+import java.util.Locale;
+import java.util.Optional;
+import java.util.TimeZone;
/**
* Allows user to edit his/her profile.
@@ -150,6 +154,23 @@ public class Profile extends UIAction {
addError("generic.error.check.logs");
}
}
+
+ // validate that bean's timeZone field is a valid time zone
+ if (!StringUtils.isEmpty(getBean().getTimeZone())) {
+ final Optional<String> first =
Arrays.stream(TimeZone.getAvailableIDs())
+ .filter(id ->
id.equals(getBean().getTimeZone())).findFirst();
+ if (first.isEmpty()) {
+ addError("error.add.user.invalid.timezone");
+ }
+ }
+
+ // validate that bean's locale field is a valid locale
+ if (!StringUtils.isEmpty(getBean().getLocale())) {
+ Locale locale = Locale.forLanguageTag(bean.getLocale());
+ if (locale == null || "".equals(locale.getDisplayName())) {
+ addError("error.add.user.invalid.locale");
+ }
+ }
}
public String getAuthMethod() {
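Review bot: The `locale == null` test in the second new check is dead, since Locale.forLanguageTag never returns null, and forLanguageTag silently discards ill-formed subtags, so the `getDisplayName()` test accepts any plausible-looking tag rather than a locale the JVM actually knows. If the bean stores locales in `Locale.toString()` form (`en_US`), the underscore makes the whole string ill-formed and every existing value would be rejected; I would confirm which form the profile form submits. Comparing against `Locale.getAvailableLocales()` in both forms avoids both problems, and the time zone check can be a plain membership test instead of a stream over TimeZone.getAvailableIDs() on every validation (the `Optional` import then becomes unused). The enclosing method starts before this hunk, and the two checks mix `getBean()` and `bean` for the same object.
```java
        // validate that bean's timeZone field is a valid time zone
        if (!StringUtils.isEmpty(getBean().getTimeZone())) {
            if (!Arrays.asList(TimeZone.getAvailableIDs()).contains(getBean().getTimeZone())) {
                addError("error.add.user.invalid.timezone");
            }
        }

        // validate that bean's locale field is a locale known to the JVM;
        // accept both Locale.toString() form (en_US) and BCP 47 form (en-US)
        if (!StringUtils.isEmpty(getBean().getLocale())) {
            final String wanted = getBean().getLocale();
            final boolean known = Arrays.stream(Locale.getAvailableLocales())
                    .anyMatch(l -> l.toString().equals(wanted) || l.toLanguageTag().equals(wanted));
            if (!known) {
                addError("error.add.user.invalid.locale");
            }
        }
```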
diff --git
a/app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java
b/app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java
index 9e556504a..ebb068c72 100644
---
a/app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java
+++
b/app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java
@@ -27,7 +27,6 @@ import org.apache.roller.weblogger.business.WebloggerFactory;
import org.apache.roller.weblogger.pojos.WeblogBookmark;
import org.apache.roller.weblogger.ui.struts2.util.UIAction;
import org.apache.roller.weblogger.util.cache.CacheManager;
-import org.apache.struts2.convention.annotation.AllowedMethods;
import org.apache.struts2.interceptor.validation.SkipValidation;
diff --git
a/app/src/main/java/org/apache/roller/weblogger/util/URLUtilities.java
b/app/src/main/java/org/apache/roller/weblogger/util/URLUtilities.java
index 5a121d7e1..79b859017 100644
--- a/app/src/main/java/org/apache/roller/weblogger/util/URLUtilities.java
+++ b/app/src/main/java/org/apache/roller/weblogger/util/URLUtilities.java
@@ -113,6 +113,15 @@ public final class URLUtilities {
sb.append(encode(path));
return sb.toString();
}
+
+ public static boolean isValid(String url) {
+ try {
+ new java.net.URI(url);
+ return true;
+ } catch (java.net.URISyntaxException e) {
+ return false;
+ }
+ }
}
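Review bot: `new java.net.URI(url)` throws NullPointerException rather than URISyntaxException when url is null, so isValid(null) propagates an NPE instead of returning false; add `if (url == null) { return false; }` before the try. The check is purely syntactic: an empty string, a relative path, or any scheme parses as a URI, so callers must not read a true result as "safe to emit as an href" — scheme and host policy still need a separate check. I would document that with `/** Returns true if url parses as a java.net.URI; checks syntax only, not scheme, safety or reachability. */`, and note that nothing else in this commit calls isValid yet.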
diff --git a/app/src/main/resources/ApplicationResources.properties
b/app/src/main/resources/ApplicationResources.properties
index d62710630..b318ff328 100644
--- a/app/src/main/resources/ApplicationResources.properties
+++ b/app/src/main/resources/ApplicationResources.properties
@@ -453,6 +453,8 @@ error.add.user.openIdInUse=Open ID already in use with
another account.
error.add.user.missingUserName=You must specify a username.
error.add.user.badUserName=Invalid user name (must be alpha-numerics only).
error.add.user.missingPassword=You must specify a password.
+error.add.user.invalid.timezone=Invalid timezone.
+error.add.user.invalid.locale=Invalid locale.
error.upload.dirmax=You cannot exceed the maximum directory size of {0} MB.
error.upload.disabled=File Upload has been turned off
error.upload.file=No file selected