aboutsummaryrefslogtreecommitdiff
path: root/id/server/moa-id-frontend-resources
diff options
context:
space:
mode:
authorThomas Lenz <tlenz@iaik.tugraz.at>2017-11-27 12:11:45 +0100
committerThomas Lenz <tlenz@iaik.tugraz.at>2017-11-27 15:45:21 +0100
commit366c463274f3ca06d500c59c0839feb225b4e0b5 (patch)
tree8130bfea98bf99a36f172f4aa89c8a1ff843c52d /id/server/moa-id-frontend-resources
parent868d6e587cb262683a658fdbd56bb752913638b4 (diff)
downloadmoa-id-spss-366c463274f3ca06d500c59c0839feb225b4e0b5.tar.gz
moa-id-spss-366c463274f3ca06d500c59c0839feb225b4e0b5.tar.bz2
moa-id-spss-366c463274f3ca06d500c59c0839feb225b4e0b5.zip
add escaping on some places
Diffstat (limited to 'id/server/moa-id-frontend-resources')
-rw-r--r--id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/AbstractGUIFormBuilderConfiguration.java3
-rw-r--r--id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/AbstractServiceProviderSpecificGUIFormBuilderConfiguration.java27
-rw-r--r--id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/DefaultGUIFormBuilderConfiguration.java20
-rw-r--r--id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/SPSpecificGUIBuilderConfigurationWithDBLoad.java2
-rw-r--r--id/server/moa-id-frontend-resources/src/main/resources/mainGUI/iframeLBKUdetect.html3
5 files changed, 48 insertions, 7 deletions
diff --git a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/AbstractGUIFormBuilderConfiguration.java b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/AbstractGUIFormBuilderConfiguration.java
index 52c1f0f97..d57834192 100644
--- a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/AbstractGUIFormBuilderConfiguration.java
+++ b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/AbstractGUIFormBuilderConfiguration.java
@@ -70,7 +70,8 @@ public abstract class AbstractGUIFormBuilderConfiguration implements IGUIBuilder
/**
- * Define the parameters, which should be evaluated in the template
+ * Define the parameters, which should be evaluated in the template <br>
+ * <b>IMPORTANT:</b> external HTML escapetion is required, because it is NOT done internally during the building process
*
* @return Map of parameters, which should be added to template
*/
diff --git a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/AbstractServiceProviderSpecificGUIFormBuilderConfiguration.java b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/AbstractServiceProviderSpecificGUIFormBuilderConfiguration.java
index 15bc92a54..ad068ac49 100644
--- a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/AbstractServiceProviderSpecificGUIFormBuilderConfiguration.java
+++ b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/AbstractServiceProviderSpecificGUIFormBuilderConfiguration.java
@@ -65,6 +65,7 @@ public abstract class AbstractServiceProviderSpecificGUIFormBuilderConfiguration
protected IRequest pendingReq = null;
protected String templateClasspahtDir = null;
+ private Map<String, Object> customParameters = null;
/**
* @param authURL PublicURLPrefix of the IDP but never null
@@ -91,11 +92,29 @@ public abstract class AbstractServiceProviderSpecificGUIFormBuilderConfiguration
}
+ /**
+ * Add a key/value pair into Velocity context.<br>
+ * Parameter values get escaped internally
+ *
+ * @param key velocity context key
+ * @param value of this key
+ */
+ public void putCustomParameter(String key, Object value) {
+ if (customParameters == null)
+ customParameters = new HashMap<String, Object>();
+
+ if (value instanceof String)
+ customParameters.put(key, StringEscapeUtils.escapeHtml((String)value));
+ else
+ customParameters.put(key, StringEscapeUtils.escapeHtml(value.toString()));
+
+ }
+
/* (non-Javadoc)
* @see at.gv.egovernment.moa.id.auth.frontend.builder.IGUIBuilderConfiguration#getViewParameters()
*/
@Override
- public Map<String, Object> getSpecificViewParameters() {
+ public final Map<String, Object> getSpecificViewParameters() {
Map<String, Object> params = new HashMap<String, Object>();
params.put(PARAM_BKU_ONLINE, IOAAuthParameters.THIRDBKU);
params.put(PARAM_BKU_HANDY, IOAAuthParameters.HANDYBKU);
@@ -107,7 +126,7 @@ public abstract class AbstractServiceProviderSpecificGUIFormBuilderConfiguration
//add service-provider specific GUI parameters
IOAAuthParameters oaParam = pendingReq.getOnlineApplicationConfiguration();
if (oaParam != null) {
- params.put(PARAM_OANAME, oaParam.getFriendlyName());
+ params.put(PARAM_OANAME, StringEscapeUtils.escapeHtml(oaParam.getFriendlyName()));
//set BKU URLs
if (MiscUtil.isNotEmpty(oaParam.getBKUURL(IOAAuthParameters.LOCALBKU)))
@@ -138,6 +157,10 @@ public abstract class AbstractServiceProviderSpecificGUIFormBuilderConfiguration
}
+ //add additional custom parameters
+ if (customParameters != null)
+ params.putAll(customParameters);
+
return params;
}
diff --git a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/DefaultGUIFormBuilderConfiguration.java b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/DefaultGUIFormBuilderConfiguration.java
index 0c07ad3fb..901dbae53 100644
--- a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/DefaultGUIFormBuilderConfiguration.java
+++ b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/DefaultGUIFormBuilderConfiguration.java
@@ -77,13 +77,31 @@ public class DefaultGUIFormBuilderConfiguration extends AbstractGUIFormBuilderCo
* @param key velocity context key
* @param value of this key
*/
- public void putCustomParameter(String key, Object value) {
+ public void putCustomParameterWithOutEscaption(String key, Object value) {
if (customParameters == null)
customParameters = new HashMap<String, Object>();
customParameters.put(key, value);
}
+ /**
+ * Add a key/value pair into Velocity context.<br>
+ * All parameters get escaped internally
+ *
+ * @param key velocity context key
+ * @param value of this key
+ */
+ public void putCustomParameter(String key, Object value) {
+ if (customParameters == null)
+ customParameters = new HashMap<String, Object>();
+
+ if (value instanceof String)
+ customParameters.put(key, StringEscapeUtils.escapeHtml((String)value));
+ else
+ customParameters.put(key, StringEscapeUtils.escapeHtml(value.toString()));
+
+ }
+
/* (non-Javadoc)
* @see at.gv.egovernment.moa.id.auth.frontend.builder.IGUIBuilderConfiguration#getViewParameters()
*/
diff --git a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/SPSpecificGUIBuilderConfigurationWithDBLoad.java b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/SPSpecificGUIBuilderConfigurationWithDBLoad.java
index 13d8d3bb7..0215afc41 100644
--- a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/SPSpecificGUIBuilderConfigurationWithDBLoad.java
+++ b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/SPSpecificGUIBuilderConfigurationWithDBLoad.java
@@ -56,7 +56,7 @@ public class SPSpecificGUIBuilderConfigurationWithDBLoad extends AbstractService
super(pendingReq, viewName, formSubmitEndpoint);
}
-
+
/* (non-Javadoc)
* @see at.gv.egovernment.moa.id.auth.frontend.AbstractGUIFormBuilder#getTemplate(java.lang.String)
*/
diff --git a/id/server/moa-id-frontend-resources/src/main/resources/mainGUI/iframeLBKUdetect.html b/id/server/moa-id-frontend-resources/src/main/resources/mainGUI/iframeLBKUdetect.html
index 261e19a33..f54484307 100644
--- a/id/server/moa-id-frontend-resources/src/main/resources/mainGUI/iframeLBKUdetect.html
+++ b/id/server/moa-id-frontend-resources/src/main/resources/mainGUI/iframeLBKUdetect.html
@@ -9,7 +9,6 @@
bkuport = (bkuprot == "https:" ? 3496 : 3495);
bkupath = "https-security-layer-request";
bkuurl = bkuprot + "//" + bkuhost + ":" + bkuport + "/" + bkupath;
- baseurl = location.href.substr(0, location.href.lastIndexOf("/"));
//-->
</script>
</head>
@@ -20,7 +19,7 @@
parent.setBKUAvailable(false);
document.write('<form name="bkudetectform" method="POST" target="bkudetect" action="' + bkuurl + '" enctype="application/x-www-form-urlencoded">');
document.write('<input type="hidden" name="XMLRequest" value="&lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?&gt;&lt;NullOperationRequest xmlns=&quot;http://www.buergerkarte.at/namespaces/securitylayer/1.2#&quot;/&gt;" />');
- document.write('<input type="hidden" name="RedirectURL" value="' + baseurl + '/iframeLBKUdetected.html"/>');
+ document.write('<input type="hidden" name="RedirectURL" value="' + $contextPath + '/iframeLBKUdetected.html"/>');
document.write('</form>');
try {
document.bkudetectform.submit();