authorThomas Lenz <thomas.lenz@egiz.gv.at>2017-11-26 21:04:51 +0100
committerThomas Lenz <tlenz@iaik.tugraz.at>2017-11-27 15:44:55 +0100
commit7523477ce0884b45a992748a12ea824fa85ea14d (patch)
tree58208e9ba026737d89f77c04ee1d8a60507f4b0f /id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols
parentd82e0c848f7c82aa9edf28ca55a68de82b19c88c (diff)
add String escaping on same methods
Diffstat (limited to 'id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols')
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/ProtocolFinalizationController.java5
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/Digester.java48
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/PrettyPrinter.java323
3 files changed, 3 insertions, 373 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/ProtocolFinalizationController.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/ProtocolFinalizationController.java
index 0f9b615a4..aebcf372e 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/ProtocolFinalizationController.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/ProtocolFinalizationController.java
@@ -27,6 +27,7 @@ import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
+import org.apache.commons.lang.StringEscapeUtils;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
@@ -51,7 +52,7 @@ public class ProtocolFinalizationController extends AbstractAuthProtocolModulCon
public void finalizeAuthProtocol(HttpServletRequest req, HttpServletResponse resp) throws MOAIDException, IOException {
//read pendingRequest from http request
- Object idObject = req.getParameter(PARAM_TARGET_PENDINGREQUESTID);
+ Object idObject = StringEscapeUtils.escapeHtml(req.getParameter(PARAM_TARGET_PENDINGREQUESTID));
IRequest pendingReq = null;
String pendingRequestID = null;
if (idObject != null && (idObject instanceof String)) {
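Review bot: The `escapeHtml` call on the `idObject` line applies HTML output encoding at the input boundary, which neither validates the parameter nor protects the places where it is actually used: any `&`, `<`, `>` or `"` in the ID is turned into an entity before the lookup, so an encoded value would presumably no longer match the stored pending request, while the value stays unprotected for non-HTML sinks such as logs or URLs. Prefer validating the format up front, e.g. `String pendingRequestID = req.getParameter(PARAM_TARGET_PENDINGREQUESTID); if (pendingRequestID != null && !pendingRequestID.matches("[A-Za-z0-9_-]+")) { /* reject */ }` (the character class is a constructed example — adjust to the real ID alphabet), and encode at each output sink instead. The same point applies to the `errorid` line in the next hunk. Since `escapeHtml` returns a `String`, the `Object idObject` declaration and the `instanceof String` check no longer add anything and could be collapsed into a direct `String` assignment. finalizeAuthProtocol's body continues outside the hunk.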
@@ -61,7 +62,7 @@ public class ProtocolFinalizationController extends AbstractAuthProtocolModulCon
}
//receive an authentication error
- String errorid = req.getParameter(ERROR_CODE_PARAM);
+ String errorid = StringEscapeUtils.escapeHtml(req.getParameter(ERROR_CODE_PARAM));
if (errorid != null) {
try {
//load stored exception from database
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/Digester.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/Digester.java
deleted file mode 100644
index d715b8b7b..000000000
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/Digester.java
+++ /dev/null
@@ -1,48 +0,0 @@
-/*******************************************************************************
- * Copyright 2014 Federal Chancellery Austria
- * MOA-ID has been developed in a cooperation between BRZ, the Federal
- * Chancellery Austria - ICT staff unit, and Graz University of Technology.
- *
- * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
- * the European Commission - subsequent versions of the EUPL (the "Licence");
- * You may not use this work except in compliance with the Licence.
- * You may obtain a copy of the Licence at:
- * http://www.osor.eu/eupl/
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the Licence is distributed on an "AS IS" basis,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the Licence for the specific language governing permissions and
- * limitations under the Licence.
- *
- * This product combines work with different licenses. See the "NOTICE" text
- * file for details on the various modules and licenses.
- * The "NOTICE" text file is part of the distribution. Any derivative works
- * that you distribute must include a readable copy of the "NOTICE" text file.
- *******************************************************************************/
-package at.gv.egovernment.moa.id.protocols.pvp2x.utils;
-
-import java.security.MessageDigest;
-import java.security.NoSuchAlgorithmException;
-
-public class Digester {
- public static String byteArrayToHexString(byte[] b) {
- String result = "";
- for (int i=0; i < b.length; i++) {
- result +=
- Integer.toString( ( b[i] & 0xff ) + 0x100, 16).substring( 1 );
- }
- return result;
- }
-
- public static String toSHA1(byte[] convertme) {
- MessageDigest md = null;
- try {
- md = MessageDigest.getInstance("SHA-1");
- }
- catch(NoSuchAlgorithmException e) {
- e.printStackTrace();
- }
- return byteArrayToHexString(md.digest(convertme));
- }
-}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/PrettyPrinter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/PrettyPrinter.java
deleted file mode 100644
index c40731576..000000000
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/PrettyPrinter.java
+++ /dev/null
@@ -1,323 +0,0 @@
-/*******************************************************************************
- * Copyright 2014 Federal Chancellery Austria
- * MOA-ID has been developed in a cooperation between BRZ, the Federal
- * Chancellery Austria - ICT staff unit, and Graz University of Technology.
- *
- * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
- * the European Commission - subsequent versions of the EUPL (the "Licence");
- * You may not use this work except in compliance with the Licence.
- * You may obtain a copy of the Licence at:
- * http://www.osor.eu/eupl/
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the Licence is distributed on an "AS IS" basis,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the Licence for the specific language governing permissions and
- * limitations under the Licence.
- *
- * This product combines work with different licenses. See the "NOTICE" text
- * file for details on the various modules and licenses.
- * The "NOTICE" text file is part of the distribution. Any derivative works
- * that you distribute must include a readable copy of the "NOTICE" text file.
- ******************************************************************************/
-package at.gv.egovernment.moa.id.protocols.pvp2x.utils;
-
-import java.io.*;
-import javax.xml.parsers.*;
-import javax.xml.transform.*;
-import javax.xml.transform.dom.*;
-import javax.xml.transform.stream.*;
-
-import org.w3c.dom.Document;
-
-import org.xml.sax.*;
-import org.xml.sax.helpers.*;
-
-
-/**
-This class "pretty prints" an XML stream to something more human-readable.
-It duplicates the character content with some modifications to whitespace,
-restoring line breaks and a simple pattern of indenting child elements.
-
-This version of the class acts as a SAX 2.0 <code>DefaultHandler</code>,
-so to provide the unformatted XML just pass a new instance to a SAX parser.
-Its output is via the {@link #toString toString} method.
-
-One major limitation: we gather character data for elements in a single
-buffer, so mixed-content documents will lose a lot of data! This works
-best with data-centric documents where elements either have single values
-or child elements, but not both.
-
-@author Will Provost
-*/
-/*
-Copyright 2002-2003 by Will Provost.
-All rights reserved.
-*/
-public class PrettyPrinter
- extends DefaultHandler
-{
- /**
- Convenience method to wrap pretty-printing SAX pass over existing content.
- */
- public static String prettyPrint (byte[] content)
- {
- try
- {
- PrettyPrinter pretty = new PrettyPrinter ();
- SAXParserFactory factory = SAXParserFactory.newInstance ();
- factory.setFeature
- ("http://xml.org/sax/features/namespace-prefixes", true);
- factory.newSAXParser ().parse
- (new ByteArrayInputStream (content), pretty);
- return pretty.toString ();
- }
- catch (Exception ex)
- {
- ex.printStackTrace ();
- return "EXCEPTION: " + ex.getClass ().getName () + " saying \"" +
- ex.getMessage () + "\"";
- }
- }
-
- /**
- Convenience method to wrap pretty-printing SAX pass over existing content.
- */
- public static String prettyPrint (String content)
- {
- try
- {
- PrettyPrinter pretty = new PrettyPrinter ();
- SAXParserFactory factory = SAXParserFactory.newInstance ();
- factory.setFeature
- ("http://xml.org/sax/features/namespace-prefixes", true);
- factory.newSAXParser ().parse (content, pretty);
- return pretty.toString ();
- }
- catch (Exception ex)
- {
- ex.printStackTrace ();
- return "EXCEPTION: " + ex.getClass ().getName () + " saying \"" +
- ex.getMessage () + "\"";
- }
- }
-
- /**
- Convenience method to wrap pretty-printing SAX pass over existing content.
- */
- public static String prettyPrint (InputStream content)
- {
- try
- {
- PrettyPrinter pretty = new PrettyPrinter ();
- SAXParserFactory factory = SAXParserFactory.newInstance ();
- factory.setFeature
- ("http://xml.org/sax/features/namespace-prefixes", true);
- factory.newSAXParser ().parse (content, pretty);
- return pretty.toString ();
- }
- catch (Exception ex)
- {
- ex.printStackTrace ();
- return "EXCEPTION: " + ex.getClass ().getName () + " saying \"" +
- ex.getMessage () + "\"";
- }
- }
-
- /**
- Convenience method to wrap pretty-printing SAX pass over existing content.
- */
- public static String prettyPrint (Document doc)
- throws TransformerException
- {
- try
- {
- ByteArrayOutputStream buffer = new ByteArrayOutputStream ();
- TransformerFactory.newInstance ().newTransformer()
- .transform (new DOMSource (doc), new StreamResult (buffer));
- byte[] rawResult = buffer.toByteArray ();
- buffer.close ();
-
- return prettyPrint (rawResult);
- }
- catch (Exception ex)
- {
- ex.printStackTrace ();
- return "EXCEPTION: " + ex.getClass ().getName () + " saying \"" +
- ex.getMessage () + "\"";
- }
- }
-
- public static class StreamAdapter
- extends OutputStream
- {
- public StreamAdapter (Writer finalDestination)
- {
- this.finalDestination = finalDestination;
- }
-
- public void write (int b)
- {
- out.write (b);
- }
-
- public void flushPretty ()
- throws IOException
- {
- PrintWriter finalPrinter = new PrintWriter (finalDestination);
- finalPrinter.println
- (PrettyPrinter.prettyPrint (out.toByteArray ()));
- finalPrinter.close ();
- out.close ();
- }
-
- private ByteArrayOutputStream out = new ByteArrayOutputStream ();
- Writer finalDestination;
- }
-
- /**
- Call this to get the formatted XML post-parsing.
- */
- public String toString ()
- {
- return output.toString ();
- }
-
- /**
- Prints the XML declaration.
- */
- public void startDocument ()
- throws SAXException
- {
- output.append ("<?xml version=\"1.0\" encoding=\"UTF-8\" ?>")
- .append (endLine);
- }
-
- /**
- Prints a blank line at the end of the reformatted document.
- */
- public void endDocument () throws SAXException
- {
- output.append (endLine);
- }
-
- /**
- Writes the start tag for the element.
- Attributes are written out, one to a text line. Starts gathering
- character data for the element.
- */
- public void startElement
- (String URI, String name, String qName, Attributes attributes)
- throws SAXException
- {
- if (justHitStartTag)
- output.append ('>');
-
- output.append (endLine)
- .append (indent)
- .append ('<')
- .append (qName);
-
- int length = attributes.getLength ();
- for (int a = 0; a < length; ++a)
- output.append (endLine)
- .append (indent)
- .append (standardIndent)
- .append (attributes.getQName (a))
- .append ("=\"")
- .append (attributes.getValue (a))
- .append ('\"');
-
- if (length > 0)
- output.append (endLine)
- .append (indent);
-
- indent += standardIndent;
- currentValue = new StringBuffer ();
- justHitStartTag = true;
- }
-
- /**
- Checks the {@link #currentValue} buffer to gather element content.
- Writes this out if it is available. Writes the element end tag.
- */
- public void endElement (String URI, String name, String qName)
- throws SAXException
- {
- indent = indent.substring
- (0, indent.length () - standardIndent.length ());
-
- if (currentValue == null)
- output.append (endLine)
- .append (indent)
- .append ("</")
- .append (qName)
- .append ('>');
- else if (currentValue.length () != 0)
- output.append ('>')
- .append (currentValue.toString ())
- .append ("</")
- .append (qName)
- .append ('>');
- else
- output.append ("/>");
-
- currentValue = null;
- justHitStartTag = false;
- }
-
- /**
- When the {@link #currentValue} buffer is enabled, appends character
- data into it, to be gathered when the element end tag is encountered.
- */
- public void characters (char[] chars, int start, int length)
- throws SAXException
- {
- if (currentValue != null)
- currentValue.append (escape (chars, start, length));
- }
-
- /**
- Filter to pass strings to output, escaping <b>&lt;</b> and <b>&amp;</b>
- characters to &amp;lt; and &amp;amp; respectively.
- */
- private static String escape (char[] chars, int start, int length)
- {
- StringBuffer result = new StringBuffer ();
- for (int c = start; c < start + length; ++c)
- if (chars[c] == '<')
- result.append ("&lt;");
- else if (chars[c] == '&')
- result.append ("&amp;");
- else
- result.append (chars[c]);
-
- return result.toString ();
- }
-
- /**
- This whitespace string is expanded and collapsed to manage the output
- indenting.
- */
- private String indent = "";
-
- /**
- A buffer for character data. It is &quot;enabled&quot; in
- {@link #startElement startElement} by being initialized to a
- new <b>StringBuffer</b>, and then read and reset to
- <code>null</code> in {@link #endElement endElement}.
- */
- private StringBuffer currentValue = null;
-
- /**
- The primary buffer for accumulating the formatted XML.
- */
- private StringBuffer output = new StringBuffer ();
-
- private boolean justHitStartTag;
-
- private static final String standardIndent = " ";
- private static final String endLine =
- System.getProperty ("line.separator");
-}
-