Added the Coverity Security Library and used addEntities throughout to harden profile form fields in JSPUI

This commit is contained in:
Hardy Pottinger
2013-07-23 11:13:43 -05:00
parent bfbd0586da
commit ebe398fe25
14 changed files with 42 additions and 41 deletions


@@ -469,6 +469,12 @@
<version>0.18.6</version>
</dependency>
<dependency>
<groupId>com.coverity.security</groupId>
<artifactId>coverity-escapers</artifactId>
<version>1.1.1</version>
</dependency>
<!-- Gson: Java to Json conversion -->
<dependency>
<groupId>com.google.code.gson</groupId>


@@ -26,7 +26,7 @@ import java.util.Calendar;
import java.util.GregorianCalendar;
import java.text.SimpleDateFormat;
import java.text.ParseException;
import com.coverity.security.Escape;
import org.apache.log4j.Logger;
/**
@@ -280,21 +280,7 @@ public final class Utils
*/
public static String addEntities(String value)
{
if (value==null || value.length() == 0)
{
return value;
}
value = value.replaceAll("&", "&amp;");
value = value.replaceAll("\"", "&quot;");
// actually, &apos; is an XML entity, not in HTML.
// that's why it's commented out.
// value = value.replaceAll("'", "&apos;");
value = value.replaceAll("<", "&lt;");
value = value.replaceAll(">", "&gt;");
return value;
return Escape.html(value);
}
/**
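Review bot: The rewritten `addEntities` (L35–L50) drops its explicit null/empty guard and now relies entirely on `Escape.html` to pass `null` through, yet several callers in this commit invoke it unguarded (`Utils.addEntities(eperson.getFullName())` in the delete-confirmation, eperson edit, new-password and registered pages) while the eperson list still guards with `== null ? ""`. If the library does return `null` for a `null` input (its documentation says so, as far as I recall), state that contract in the Javadoc; otherwise keep `if (value == null) { return value; }` in front of the delegation. The escaped output also changes form (for instance `'` is now escaped, which the old code deliberately skipped, and the entity spelling may differ), so the Javadoc block that begins above this hunk should be updated to say the method yields text safe for HTML element content and double-quoted attributes rather than listing the old replacements.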


@@ -27,6 +27,7 @@
<%@ taglib uri="http://www.dspace.org/dspace-tags.tld" prefix="dspace" %>
<%@ page import="org.dspace.eperson.EPerson" %>
<%@ page import="org.dspace.core.Utils" %>
<%
EPerson[] epeople =
@@ -115,10 +116,10 @@
<%= (e.getEmail() == null ? "" : e.getEmail()) %>
</td>
<td headers="t3" class="<%= row %>RowOddCol">
<%= (e.getLastName() == null ? "" : e.getLastName()) %>
<%= (e.getLastName() == null ? "" : Utils.addEntities(e.getLastName())) %>
</td>
<td headers="t4" class="<%= row %>RowEvenCol">
<%= (e.getFirstName() == null ? "" : e.getFirstName()) %>
<%= (e.getFirstName() == null ? "" : Utils.addEntities(e.getFirstName())) %>
</td>
<td headers="t5" class="<%= row %>RowOddCol" align="center">
<%= e.canLogIn() ? "yes" : "no" %>
@@ -130,7 +131,7 @@
<%= e.getSelfRegistered() ? "yes" : "no" %>
</td>
<td headers="t8" class="<%= row %>RowEvenCol">
<%= (e.getMetadata("phone") == null ? "" : e.getMetadata("phone")) %>
<%= (e.getMetadata("phone") == null ? "" : Utils.addEntities(e.getMetadata("phone"))) %>
</td>
<td headers="t9" class="<%= row %>RowOddCol">
<input type="hidden" name="eperson_id" value="<%= e.getID() %>"/>
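Review bot: The email cell at L62 (`e.getEmail()`) is still written unescaped while the neighbouring last-name, first-name and phone cells now go through `Utils.addEntities`; the address is entered by the user, so it belongs under the same treatment: `<%= (e.getEmail() == null ? "" : Utils.addEntities(e.getEmail())) %>`. The `eperson_id` hidden field at L82 appears to carry a numeric ID and can stay as it is.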


@@ -20,6 +20,7 @@
prefix="fmt" %>
<%@ page import="org.dspace.eperson.EPerson" %>
<%@ page import="org.dspace.core.Utils" %>
<%@ taglib uri="http://www.dspace.org/dspace-tags.tld" prefix="dspace" %>
@@ -32,9 +33,9 @@
parenttitlekey="jsp.administer"
parentlink="/dspace-admin">
<%-- <h1>Delete e-person: <%= eperson.getFullName() %> (<%= eperson.getEmail() %>)</h1> --%>
<%-- <h1>Delete e-person: <%= Utils.addEntities(eperson.getFullName()) %> (<%= eperson.getEmail() %>)</h1> --%>
<h1><fmt:message key="jsp.dspace-admin.eperson-confirm-delete.heading">
<fmt:param><%= eperson.getFullName() %></fmt:param>
<fmt:param><%= Utils.addEntities(eperson.getFullName()) %></fmt:param>
<fmt:param><%= eperson.getEmail() %></fmt:param>
</fmt:message></h1>
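Review bot: The second `<fmt:param>` at L99 still injects `eperson.getEmail()` raw while the full name one line above is now escaped; JSTL substitutes message parameters without escaping, so it should read `<fmt:param><%= Utils.addEntities(eperson.getEmail()) %></fmt:param>`. The edit at L95 sits inside a `<%-- --%>` JSP comment and has no effect on the rendered page, so that change could be dropped to keep the diff to real output.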


@@ -28,11 +28,12 @@
<%@ page import="org.dspace.eperson.EPerson" %>
<%@ page import="java.util.List" %>
<%@ page import="java.util.Iterator" %>
<%@ page import="org.dspace.core.Utils" %>
<%
EPerson eperson = (EPerson) request.getAttribute("eperson");
List tableList = (List) request.getAttribute("tableList");
String fullName = eperson.getFullName();
String fullName = Utils.addEntities(eperson.getFullName());
Iterator tableIt = tableList.iterator();
%>
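Review bot: `fullName` at L113 now holds an HTML-escaped string rather than the raw name, but nothing in the variable's name or a comment says so; a later use in a non-HTML context (a JavaScript string, a URL parameter, an email body) would be wrong, and a later `Utils.addEntities(fullName)` would double-escape. Either rename it (`escapedFullName`) or add `// HTML-escaped; emit only as element content or inside a quoted attribute` at the assignment. The uses of the variable are outside this hunk, so I could not check them.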


@@ -28,6 +28,7 @@
<%@ page import="org.dspace.eperson.EPerson" %>
<%@ page import="org.dspace.eperson.Group" %>
<%@ page import="org.dspace.content.WorkspaceItem" %>
<%@ page import="org.dspace.core.Utils" %>
<%
// get item and group out of the request
@@ -75,7 +76,7 @@
<br/><br/>
<strong><fmt:message key="jsp.dspace-admin.supervise-confirm-remove.authorheader"/></strong>:
<br/>
<a href="mailto:<%= submitter.getEmail() %>"><%= submitter.getFullName() %></a>
<a href="mailto:<%= submitter.getEmail() %>"><%= Utils.addEntities(submitter.getFullName()) %></a>
<br/><br/>
<strong><fmt:message key="jsp.dspace-admin.supervise-confirm-remove.supervisorgroupheader"/></strong>:
<br/>
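Review bot: The `href="mailto:<%= submitter.getEmail() %>"` attribute at L131 is left unescaped even though the link text beside it is now escaped; a `"` in the stored address would terminate the attribute, so the value should pass through the same helper, `<a href="mailto:<%= Utils.addEntities(submitter.getEmail()) %>">`. The identical pattern appears in the supervise-list and supervise-link sections, in all four mailto lines of the MyDSpace main page, and in the workspace-item page at the end of this commit, and needs the same one-line change in each.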


@@ -28,6 +28,7 @@
<%@ page import="org.dspace.eperson.EPerson" %>
<%@ page import="org.dspace.eperson.Group" %>
<%@ page import="org.dspace.eperson.Supervisor" %>
<%@ page import="org.dspace.core.Utils" %>
<%
// get objects from request
@@ -109,7 +110,7 @@
<%= workspaceItems[i].getID() %>
</td>
<td class="<%= row %>RowEvenCol">
<a href="mailto:<%= submitter.getEmail() %>"><%= submitter.getFullName() %></a>
<a href="mailto:<%= submitter.getEmail() %>"><%= Utils.addEntities(submitter.getFullName()) %></a>
</td>
<td class="<%= row %>RowOddCol">
<%


@@ -25,6 +25,7 @@
<%@ page import="org.dspace.content.SupervisedItem" %>
<%@ page import="org.dspace.eperson.EPerson" %>
<%@ page import="org.dspace.eperson.Group" %>
<%@ page import="org.dspace.core.Utils" %>
<%
// get the object array out of the request
@@ -97,7 +98,7 @@
<%= supervisors[j].getName() %>
</td>
<td class="<%= row %>RowOddCol">
<a href="mailto:<%= submitter.getEmail() %>"><%= submitter.getFullName() %></a>
<a href="mailto:<%= submitter.getEmail() %>"><%= Utils.addEntities(submitter.getFullName()) %></a>
</td>
<td class="<%= row %>RowEvenCol">
<%


@@ -25,7 +25,6 @@
<%@ taglib uri="http://java.sun.com/jsp/jstl/fmt"
prefix="fmt" %>
<%@ taglib uri="http://www.dspace.org/dspace-tags.tld" prefix="dspace" %>
<%@ page import="javax.servlet.jsp.jstl.fmt.LocaleSupport" %>
@@ -78,7 +77,7 @@
<tr>
<td align="left">
<h1>
<fmt:message key="jsp.mydspace"/>: <%= user.getFullName() %>
<fmt:message key="jsp.mydspace"/>: <%= Utils.addEntities(user.getFullName()) %>
</h1>
</td>
<td align="right" class="standard">
@@ -136,7 +135,7 @@
</td>
<td headers="t2" class="<%= row %>RowEvenCol"><%= Utils.addEntities(title) %></td>
<td headers="t3" class="<%= row %>RowOddCol"><%= owned[i].getCollection().getMetadata("name") %></td>
<td headers="t4" class="<%= row %>RowEvenCol"><a href="mailto:<%= submitter.getEmail() %>"><%= submitter.getFullName() %></a></td>
<td headers="t4" class="<%= row %>RowEvenCol"><a href="mailto:<%= submitter.getEmail() %>"><%= Utils.addEntities(submitter.getFullName()) %></a></td>
<!-- <td headers="t5" class="<%= row %>RowOddCol"></td> -->
<td headers="t5" class="<%= row %>RowEvenCol">
<form action="<%= request.getContextPath() %>/mydspace" method="post">
@@ -200,7 +199,7 @@
</td>
<td headers="t7" class="<%= row %>RowEvenCol"><%= Utils.addEntities(title) %></td>
<td headers="t8" class="<%= row %>RowOddCol"><%= pooled[i].getCollection().getMetadata("name") %></td>
<td headers="t9" class="<%= row %>RowEvenCol"><a href="mailto:<%= submitter.getEmail() %>"><%= submitter.getFullName() %></a></td>
<td headers="t9" class="<%= row %>RowEvenCol"><a href="mailto:<%= submitter.getEmail() %>"><%= Utils.addEntities(submitter.getFullName()) %></a></td>
<td class="<%= row %>RowOddCol">
<form action="<%= request.getContextPath() %>/mydspace" method="post">
<input type="hidden" name="step" value="<%= MyDSpaceServlet.MAIN_PAGE %>" />
@@ -285,7 +284,7 @@
</form>
</td>
<td headers="t10" class="<%= row %>RowEvenCol">
<a href="mailto:<%= submitter.getEmail() %>"><%= submitter.getFullName() %></a>
<a href="mailto:<%= submitter.getEmail() %>"><%= Utils.addEntities(submitter.getFullName()) %></a>
</td>
<td headers="t11" class="<%= row %>RowOddCol"><%= Utils.addEntities(title) %></td>
<td headers="t12" class="<%= row %>RowEvenCol"><%= workspaceItems[i].getCollection().getMetadata("name") %></td>
@@ -332,7 +331,7 @@
</form>
</td>
<td class="<%= row %>RowEvenCol">
<a href="mailto:<%= submitter.getEmail() %>"><%= submitter.getFullName() %></a>
<a href="mailto:<%= submitter.getEmail() %>"><%= Utils.addEntities(submitter.getFullName()) %></a>
</td>
<td class="<%= row %>RowOddCol"><%= Utils.addEntities(title) %></td>
<td class="<%= row %>RowEvenCol"><%= supervisedItems[i].getCollection().getMetadata("name") %></td>
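Review bot: The collection names written with `getCollection().getMetadata("name")` at L193, L202, L216 and L225 remain unescaped while the adjacent title and submitter cells are escaped; collection names are set by administrators so the exposure is lower, but wrapping them in `Utils.addEntities(...)` keeps the page's output uniformly escaped (the group name at the top of the supervise-list table is in the same position). The first hunk of this section removes a line that is not visible here, so I cannot check it; the existing `Utils.addEntities(title)` cells show that `Utils` was already imported in this file.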


@@ -29,6 +29,7 @@
<%@ page import="org.dspace.app.webui.servlet.RegisterServlet" %>
<%@ page import="org.dspace.eperson.EPerson" %>
<%@ page import="org.dspace.core.Utils" %>
<%
EPerson eperson = (EPerson) request.getAttribute("eperson");
@@ -43,9 +44,9 @@
<%-- <h1>Enter a New Password</h1> --%>
<h1><fmt:message key="jsp.register.new-password.title"/></h1>
<!-- <p>Hello <%= eperson.getFullName() %>,</p> -->
<!-- <p>Hello <%= Utils.addEntities(eperson.getFullName()) %>,</p> -->
<p><fmt:message key="jsp.register.new-password.hello">
<fmt:param><%= eperson.getFullName() %></fmt:param>
<fmt:param><%= Utils.addEntities(eperson.getFullName()) %></fmt:param>
</fmt:message></p>
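Review bot: L239 is an HTML comment, not a JSP comment, so the scriptlet inside it is still evaluated and the user's name is still sent to the browser inside `<!-- -->`; escaping it is better than the raw value, but the cleaner fix is to make it a JSP comment, `<%-- <p>Hello <%= eperson.getFullName() %>,</p> --%>`, so the line is neither executed nor delivered, as the title line directly above already does. The `fmt:param` change at L242 is correct, since JSTL does not escape message parameters.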
<%


@@ -25,6 +25,7 @@
<%@ page import="org.dspace.app.webui.servlet.RegisterServlet" %>
<%@ page import="org.dspace.eperson.EPerson" %>
<%@ page import="org.dspace.core.Utils" %>
<%
EPerson eperson = (EPerson) request.getAttribute("eperson");
@@ -35,9 +36,9 @@
<%-- <h1>Registration Complete</h1> --%>
<h1><fmt:message key="jsp.register.registered.title"/></h1>
<%-- <p>Thank you <%= eperson.getFirstName() %>,</p> --%>
<%-- <p>Thank you <%= Utils.addEntities(eperson.getFirstName()) %>,</p> --%>
<p><fmt:message key="jsp.register.registered.thank">
<fmt:param><%= eperson.getFirstName() %></fmt:param>
<fmt:param><%= Utils.addEntities(eperson.getFirstName()) %></fmt:param>
</fmt:message></p>
<%-- <p>You're now registered to use the DSpace system. You can subscribe to


@@ -50,6 +50,7 @@
<%@ page import="org.dspace.content.authority.ChoiceAuthorityManager" %>
<%@ page import="org.dspace.content.authority.Choices" %>
<%@ page import="org.dspace.core.ConfigurationManager" %>
<%@ page import="org.dspace.core.Utils" %>
<%@ taglib uri="http://www.dspace.org/dspace-tags.tld" prefix="dspace" %>
<%@ taglib uri="http://java.sun.com/jsp/jstl/fmt" prefix="fmt" %>
@@ -325,9 +326,9 @@
if (repeatable && !readonly && i < defaults.length)
{
name.setLength(0);
name.append(dpn.getLastName())
name.append(Utils.addEntities(dpn.getLastName()))
.append(' ')
.append(dpn.getFirstNames());
.append(Utils.addEntities(dpn.getFirstNames()));
// put a remove button next to filled in values
sb.append("<td><input type=\"submit\" name=\"submit_")
.append(fieldName)


@@ -281,7 +281,7 @@ function clearEPeople()
{
EPerson e = epeople[i];
// Make sure no quotes in full name will mess up our Javascript
String fullname = e.getFullName().replace('\'', ' ');
String fullname = Utils.addEntities(e.getFullName().replace('\'', ' '));
%>
<tr>
<td headers="t1" class="<%= row %>RowOddCol">
@@ -291,10 +291,10 @@ function clearEPeople()
<td headers="t2" class="<%= row %>RowEvenCol"><%= e.getID() %></td>
<td headers="t3" class="<%= row %>RowOddCol"><%= e.getEmail() %></td>
<td headers="t4" class="<%= row %>RowEvenCol">
<%= (e.getLastName() == null ? "" : e.getLastName()) %>
<%= (e.getLastName() == null ? "" : Utils.addEntities(e.getLastName())) %>
</td>
<td headers="t5" class="<%= row %>RowOddCol">
<%= (e.getFirstName() == null ? "" : e.getFirstName()) %>
<%= (e.getFirstName() == null ? "" : Utils.addEntities(e.getFirstName())) %>
</td>
<td headers="t6" class="<%= row %>RowOddCol">
<%= (e.getLanguage() == null ? "" : e.getLanguage()) %>
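Review bot: The comment at L292 says `fullname` is used inside JavaScript, and the HTML entity escaping added at L294 is the wrong escaper for that context: inside an event-handler attribute the browser decodes the entities before the script runs, inside a `<script>` block they appear literally, and in neither case are `\` or line terminators neutralised, while the `replace('\'', ' ')` blacklist covers a single character. The library added in this commit provides `Escape.jsString(...)` for exactly this context, so the value should be built as `String fullname = Escape.jsString(e.getFullName());` (importing `com.coverity.security.Escape`) and, where it is additionally written as HTML, wrapped in `Utils.addEntities` at that output point. The place where `fullname` is emitted is outside this hunk, so which layering applies needs checking there. In the second hunk, the email at L300 and the language at L310 are still written unescaped.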


@@ -26,6 +26,7 @@
<%@ page import="org.dspace.content.WorkspaceItem" %>
<%@ page import="org.dspace.eperson.EPerson" %>
<%@ page import="javax.servlet.jsp.jstl.fmt.LocaleSupport" %>
<%@ page import="org.dspace.core.Utils" %>
<%
// get the workspace item from the request
@@ -73,7 +74,7 @@
}
%>
<p><strong><a href="mailto:<%= submitter.getEmail() %>"><%= submitter.getFullName() %></a></strong></p>
<p><strong><a href="mailto:<%= submitter.getEmail() %>"><%= Utils.addEntities(submitter.getFullName()) %></a></strong></p>
<p><fmt:message key="jsp.workspace.ws-main.submitmsg"/>
<%= workspaceItem.getCollection().getMetadata("name") %></p>