diff options
Diffstat (limited to 'id')
31 files changed, 220 insertions, 178 deletions
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/SLOBackChannelServlet.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/SLOBackChannelServlet.java index 17d3d9e50..f2c95f391 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/SLOBackChannelServlet.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/servlets/SLOBackChannelServlet.java @@ -33,6 +33,7 @@ import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import org.apache.commons.lang.StringEscapeUtils; import org.opensaml.common.SAMLObject; import org.opensaml.common.binding.BasicSAMLMessageContext; import org.opensaml.saml2.binding.encoding.HTTPSOAP11Encoder; @@ -144,19 +145,19 @@ public class SLOBackChannelServlet extends SLOBasicServlet { } catch (MessageDecodingException | SecurityException | NoSuchAlgorithmException | ConfigurationException | ValidationException e) { log.error("SLO message processing FAILED." , e); - response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e.getMessage()); + response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, StringEscapeUtils.escapeHtml(e.getMessage())); } catch (CertificateException e) { log.error("SLO message processing FAILED." , e); - response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e.getMessage()); + response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, StringEscapeUtils.escapeHtml(e.getMessage())); } catch (KeyStoreException e) { log.error("SLO message processing FAILED." , e); - response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e.getMessage()); + response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, StringEscapeUtils.escapeHtml(e.getMessage())); } catch (MessageEncodingException e) { log.error("SLO message processing FAILED." , e); - response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e.getMessage()); + response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, StringEscapeUtils.escapeHtml(e.getMessage())); } diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/FormularCustomization.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/FormularCustomization.java index 5ee2ee6a7..b3f7c1f79 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/FormularCustomization.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/FormularCustomization.java @@ -352,10 +352,10 @@ public class FormularCustomization implements IOnlineApplicationData { //validate aditionalAuthBlockText check = getAditionalAuthBlockText(); if (MiscUtil.isNotEmpty(check)) { - if (ValidationHelper.containsPotentialCSSCharacter(check, false)) { + if (ValidationHelper.containsNotValidCharacter(check, false)) { log.warn("AditionalAuthBlockText contains potentail XSS characters: " + check); errors.add(LanguageHelper.getErrorString("validation.general.aditionalauthblocktext", - new Object[] {ValidationHelper.getPotentialCSSCharacter(false)}, request )); + new Object[] {ValidationHelper.getNotValidCharacter(false)}, request )); } } } diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OABPKEncryption.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OABPKEncryption.java index b2cd18c26..bac69cf34 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OABPKEncryption.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OABPKEncryption.java @@ -203,10 +203,10 @@ public class OABPKEncryption implements IOnlineApplicationData { errors.add(LanguageHelper.getErrorString("validation.bPKDec.keyStorePassword.empty", request)); } else { - if (ValidationHelper.containsPotentialCSSCharacter(check, false)) { + if (ValidationHelper.containsNotValidCharacter(check, false)) { log.warn("bPK decryption keystore password contains potentail XSS characters: " + check); errors.add(LanguageHelper.getErrorString("validation.bPKDec.keyStorePassword.valid", - new Object[] {ValidationHelper.getPotentialCSSCharacter(false)}, request )); + new Object[] {ValidationHelper.getNotValidCharacter(false)}, request )); } } @@ -217,20 +217,20 @@ public class OABPKEncryption implements IOnlineApplicationData { errors.add(LanguageHelper.getErrorString("validation.bPKDec.keyAlias.empty", request)); } else { - if (ValidationHelper.containsPotentialCSSCharacter(check, false)) { + if (ValidationHelper.containsNotValidCharacter(check, false)) { log.warn("bPK decryption key alias contains potentail XSS characters: " + check); errors.add(LanguageHelper.getErrorString("validation.bPKDec.keyAlias.valid", - new Object[] {ValidationHelper.getPotentialCSSCharacter(false)}, request )); + new Object[] {ValidationHelper.getNotValidCharacter(false)}, request )); } } check = getKeyPassword(); if (MiscUtil.isNotEmpty(check)) { - if (ValidationHelper.containsPotentialCSSCharacter(check, false)) { + if (ValidationHelper.containsNotValidCharacter(check, false)) { log.warn("bPK decryption key password contains potentail XSS characters: " + check); errors.add(LanguageHelper.getErrorString("validation.bPKDec.keyPassword.valid", - new Object[] {ValidationHelper.getPotentialCSSCharacter(false)}, request )); + new Object[] {ValidationHelper.getNotValidCharacter(false)}, request )); } } diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OAGeneralConfig.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OAGeneralConfig.java index 4cb7eba2d..c51513193 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OAGeneralConfig.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OAGeneralConfig.java @@ -117,10 +117,10 @@ public class OAGeneralConfig implements IOnlineApplicationData{ //check OA FriendlyName check = getFriendlyName(); if (MiscUtil.isNotEmpty(check)) { - if (ValidationHelper.containsPotentialCSSCharacter(check, false)) { + if (ValidationHelper.containsNotValidCharacter(check, false)) { log.warn("OAFriendlyName contains potentail XSS characters: " + check); errors.add(LanguageHelper.getErrorString("validation.general.oafriendlyname.valid", - new Object[] {ValidationHelper.getPotentialCSSCharacter(false)}, request )); + new Object[] {ValidationHelper.getNotValidCharacter(false)}, request )); } } else { log.info("OA friendlyName is empty"); diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java index 4fecd89c1..df1786402 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java @@ -159,10 +159,10 @@ public class IndexAction extends BasicAction { String key = null; if (MiscUtil.isNotEmpty(username)) { - if (ValidationHelper.containsPotentialCSSCharacter(username, false)) { + if (ValidationHelper.containsNotValidCharacter(username, false)) { log.warn("Username contains potentail XSS characters: " + username); addActionError(LanguageHelper.getErrorString("validation.edituser.username.valid", - new Object[] {ValidationHelper.getPotentialCSSCharacter(false)}, request )); + new Object[] {ValidationHelper.getNotValidCharacter(false)}, request )); return Constants.STRUTS_ERROR; } } else { @@ -614,10 +614,10 @@ public class IndexAction extends BasicAction { if (!sessionform.isIsmandateuser()) { check = user.getInstitut(); if (MiscUtil.isNotEmpty(check)) { - if (ValidationHelper.containsPotentialCSSCharacter(check, false)) { + if (ValidationHelper.containsNotValidCharacter(check, false)) { log.warn("Organisation contains potentail XSS characters: " + check); addActionError(LanguageHelper.getErrorString("validation.edituser.institut.valid", - new Object[] {ValidationHelper.getPotentialCSSCharacter(false)}, request )); + new Object[] {ValidationHelper.getNotValidCharacter(false)}, request )); } } else { log.warn("Organisation is empty"); @@ -630,7 +630,7 @@ public class IndexAction extends BasicAction { if (!ValidationHelper.isEmailAddressFormat(check)) { log.warn("Mailaddress is not valid: " + check); addActionError(LanguageHelper.getErrorString("validation.edituser.mail.valid", - new Object[] {ValidationHelper.getPotentialCSSCharacter(false)}, request )); + new Object[] {ValidationHelper.getNotValidCharacter(false)}, request )); } } else { log.warn("Mailaddress is empty"); @@ -642,7 +642,7 @@ public class IndexAction extends BasicAction { if (!ValidationHelper.validatePhoneNumber(check)) { log.warn("No valid Phone Number: " + check); addActionError(LanguageHelper.getErrorString("validation.edituser.phone.valid", - new Object[] {ValidationHelper.getPotentialCSSCharacter(false)}, request )); + new Object[] {ValidationHelper.getNotValidCharacter(false)}, request )); } } else { log.warn("Phonenumber is empty"); diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/ListOAsAction.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/ListOAsAction.java index c6b0965fe..ca018d5b0 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/ListOAsAction.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/ListOAsAction.java @@ -132,10 +132,10 @@ public class ListOAsAction extends BasicAction { return Constants.STRUTS_SUCCESS; } else { - if (ValidationHelper.containsPotentialCSSCharacter(friendlyname, false)) { + if (ValidationHelper.containsNotValidCharacter(friendlyname, false)) { log.warn("SearchOA textfield contains potential XSS characters"); addActionError(LanguageHelper.getErrorString("validation.general.oafriendlyname.valid", - new Object[] {ValidationHelper.getPotentialCSSCharacter(false)}, request)); + new Object[] {ValidationHelper.getNotValidCharacter(false)}, request)); return Constants.STRUTS_SUCCESS; } } diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/FormularCustomizationValitator.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/FormularCustomizationValitator.java index c9a174813..4ef4bc762 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/FormularCustomizationValitator.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/FormularCustomizationValitator.java @@ -94,10 +94,10 @@ public class FormularCustomizationValitator { check = form.getHeader_text(); if (MiscUtil.isNotEmpty(check)) { - if (ValidationHelper.containsPotentialCSSCharacter(check, false)) { + if (ValidationHelper.containsNotValidCharacter(check, false)) { log.warn("HeaderText contains potentail XSS characters: " + check); errors.add(LanguageHelper.getErrorString("validation.general.form.header.text", - new Object[] {ValidationHelper.getPotentialCSSCharacter(false)}, request )); + new Object[] {ValidationHelper.getNotValidCharacter(false)}, request )); } } @@ -144,10 +144,10 @@ public class FormularCustomizationValitator { check = form.getFontType(); if (MiscUtil.isNotEmpty(check)) { - if (ValidationHelper.containsPotentialCSSCharacter(check, true)) { + if (ValidationHelper.containsNotValidCharacter(check, true)) { log.warn("FontType contains potentail XSS characters: " + check); errors.add(LanguageHelper.getErrorString("validation.general.form.fonttype", - new Object[] {ValidationHelper.getPotentialCSSCharacter(true)}, request )); + new Object[] {ValidationHelper.getNotValidCharacter(true)}, request )); } } @@ -156,7 +156,7 @@ public class FormularCustomizationValitator { if (!ValidationHelper.validateNumber(check)) { log.warn("Applet height "+ check + " is no valid number"); errors.add(LanguageHelper.getErrorString("validation.general.form.applet.height", - new Object[] {ValidationHelper.getPotentialCSSCharacter(true)}, request )); + new Object[] {ValidationHelper.getNotValidCharacter(true)}, request )); } } @@ -165,7 +165,7 @@ public class FormularCustomizationValitator { if (!ValidationHelper.validateNumber(check)) { log.warn("Applet width "+ check + " is no valid number"); errors.add(LanguageHelper.getErrorString("validation.general.form.applet.width", - new Object[] {ValidationHelper.getPotentialCSSCharacter(true)}, request )); + new Object[] {ValidationHelper.getNotValidCharacter(true)}, request )); } } diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/UserDatabaseFormValidator.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/UserDatabaseFormValidator.java index 44afd0599..f0594c38d 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/UserDatabaseFormValidator.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/UserDatabaseFormValidator.java @@ -62,10 +62,10 @@ public class UserDatabaseFormValidator { if (!isPVP2Generated) { check = form.getGivenName(); if (MiscUtil.isNotEmpty(check)) { - if (ValidationHelper.containsPotentialCSSCharacter(check, false)) { + if (ValidationHelper.containsNotValidCharacter(check, false)) { log.warn("GivenName contains potentail XSS characters: " + check); errors.add(LanguageHelper.getErrorString("validation.edituser.givenname.valid", - new Object[] {ValidationHelper.getPotentialCSSCharacter(false)}, request )); + new Object[] {ValidationHelper.getNotValidCharacter(false)}, request )); } } else { log.warn("GivenName is empty"); @@ -75,10 +75,10 @@ public class UserDatabaseFormValidator { check = form.getFamilyName(); if (MiscUtil.isNotEmpty(check)) { - if (ValidationHelper.containsPotentialCSSCharacter(check, false)) { + if (ValidationHelper.containsNotValidCharacter(check, false)) { log.warn("FamilyName contains potentail XSS characters: " + check); errors.add(LanguageHelper.getErrorString("validation.edituser.familyname.valid", - new Object[] {ValidationHelper.getPotentialCSSCharacter(false)}, request )); + new Object[] {ValidationHelper.getNotValidCharacter(false)}, request )); } } else { log.warn("FamilyName is empty"); @@ -89,10 +89,10 @@ public class UserDatabaseFormValidator { if (!isMandateUser) { check = form.getInstitut(); if (MiscUtil.isNotEmpty(check)) { - if (ValidationHelper.containsPotentialCSSCharacter(check, false)) { + if (ValidationHelper.containsNotValidCharacter(check, false)) { log.warn("Organisation contains potentail XSS characters: " + check); errors.add(LanguageHelper.getErrorString("validation.edituser.institut.valid", - new Object[] {ValidationHelper.getPotentialCSSCharacter(false)}, request )); + new Object[] {ValidationHelper.getNotValidCharacter(false)}, request )); } } else { log.warn("Organisation is empty"); @@ -105,7 +105,7 @@ public class UserDatabaseFormValidator { if (!ValidationHelper.isEmailAddressFormat(check)) { log.warn("Mailaddress is not valid: " + check); errors.add(LanguageHelper.getErrorString("validation.edituser.mail.valid", - new Object[] {ValidationHelper.getPotentialCSSCharacter(false)}, request )); + new Object[] {ValidationHelper.getNotValidCharacter(false)}, request )); } } else { log.warn("Mailaddress is empty"); @@ -114,10 +114,10 @@ public class UserDatabaseFormValidator { check = form.getPhone(); if (MiscUtil.isNotEmpty(check)) { - if (ValidationHelper.containsPotentialCSSCharacter(check, false)) { + if (ValidationHelper.containsNotValidCharacter(check, false)) { log.warn("Phonenumber contains potentail XSS characters: " + check); errors.add(LanguageHelper.getErrorString("validation.edituser.phone.valid", - new Object[] {ValidationHelper.getPotentialCSSCharacter(false)}, request )); + new Object[] {ValidationHelper.getNotValidCharacter(false)}, request )); } } else { log.warn("Phonenumber is empty"); @@ -127,10 +127,10 @@ public class UserDatabaseFormValidator { if (form.isIsusernamepasswordallowed()) { check = form.getUsername(); if (MiscUtil.isNotEmpty(check)) { - if (ValidationHelper.containsPotentialCSSCharacter(check, false)) { + if (ValidationHelper.containsNotValidCharacter(check, false)) { log.warn("Username contains potentail XSS characters: " + check); errors.add(LanguageHelper.getErrorString("validation.edituser.username.valid", - new Object[] {ValidationHelper.getPotentialCSSCharacter(false)}, request )); + new Object[] {ValidationHelper.getNotValidCharacter(false)}, request )); } else { UserDatabase dbuser = newConfigRead.getUserWithUserName(check); diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/moaconfig/MOAConfigValidator.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/moaconfig/MOAConfigValidator.java index 70c43d9b4..717a0c827 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/moaconfig/MOAConfigValidator.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/moaconfig/MOAConfigValidator.java @@ -55,10 +55,10 @@ public class MOAConfigValidator { String check = form.getSaml1SourceID(); if (MiscUtil.isNotEmpty(check)) { - if (ValidationHelper.containsPotentialCSSCharacter(check, false)) { + if (ValidationHelper.containsNotValidCharacter(check, false)) { log.warn("SAML1 SourceID contains potentail XSS characters: " + check); errors.add(LanguageHelper.getErrorString("validation.general.SAML1SourceID", - new Object[] {ValidationHelper.getPotentialCSSCharacter(false)}, request )); + new Object[] {ValidationHelper.getNotValidCharacter(false)}, request )); } } @@ -217,10 +217,10 @@ public class MOAConfigValidator { log.info("Empty MOA-SP/SS Authblock TrustProfile"); errors.add(LanguageHelper.getErrorString("validation.general.moasp.auth.trustprofile.empty", request)); } else { - if (ValidationHelper.containsPotentialCSSCharacter(check, false)) { + if (ValidationHelper.containsNotValidCharacter(check, false)) { log.info("Authblock TrustProfile is not valid: " +check); errors.add(LanguageHelper.getErrorString("validation.general.moasp.auth.trustprofile.valid", - new Object[] {ValidationHelper.getPotentialCSSCharacter(false)}, request )); + new Object[] {ValidationHelper.getNotValidCharacter(false)}, request )); } } @@ -229,10 +229,10 @@ public class MOAConfigValidator { log.info("Empty MOA-SP/SS IdentityLink TrustProfile"); errors.add(LanguageHelper.getErrorString("validation.general.moasp.idl.trustprofile.empty", request)); } else { - if (ValidationHelper.containsPotentialCSSCharacter(check, false)) { + if (ValidationHelper.containsNotValidCharacter(check, false)) { log.info("IdentityLink TrustProfile is not valid: " +check); errors.add(LanguageHelper.getErrorString("validation.general.moasp.idl.trustprofile.valid", - new Object[] {ValidationHelper.getPotentialCSSCharacter(false)}, request )); + new Object[] {ValidationHelper.getNotValidCharacter(false)}, request )); } } @@ -241,10 +241,10 @@ public class MOAConfigValidator { log.info("Empty MOA-SP/SS Test-Authblock TrustProfile"); errors.add(LanguageHelper.getErrorString("validation.general.moasp.auth.trustprofile.test.empty", request)); } else { - if (ValidationHelper.containsPotentialCSSCharacter(check, false)) { + if (ValidationHelper.containsNotValidCharacter(check, false)) { log.info("Test-Authblock TrustProfile is not valid: " +check); errors.add(LanguageHelper.getErrorString("validation.general.moasp.auth.trustprofile.test.valid", - new Object[] {ValidationHelper.getPotentialCSSCharacter(false)}, request )); + new Object[] {ValidationHelper.getNotValidCharacter(false)}, request )); } } @@ -253,10 +253,10 @@ public class MOAConfigValidator { log.info("Empty MOA-SP/SS Test-IdentityLink TrustProfile"); errors.add(LanguageHelper.getErrorString("validation.general.moasp.idl.trustprofile.test.empty", request)); } else { - if (ValidationHelper.containsPotentialCSSCharacter(check, false)) { + if (ValidationHelper.containsNotValidCharacter(check, false)) { log.info("Test-IdentityLink TrustProfile is not valid: " +check); errors.add(LanguageHelper.getErrorString("validation.general.moasp.idl.trustprofile.test.valid", - new Object[] {ValidationHelper.getPotentialCSSCharacter(false)}, request )); + new Object[] {ValidationHelper.getNotValidCharacter(false)}, request )); } } @@ -271,28 +271,28 @@ public class MOAConfigValidator { check = form.getPvp2IssuerName(); if (MiscUtil.isNotEmpty(check)) { - if (ValidationHelper.containsPotentialCSSCharacter(check, false)) { + if (ValidationHelper.containsNotValidCharacter(check, false)) { log.info("PVP2 IssuerName is not valid: " + check); errors.add(LanguageHelper.getErrorString("validation.general.protocol.pvp2.issuername.valid", - new Object[] {ValidationHelper.getPotentialCSSCharacter(false)}, request )); + new Object[] {ValidationHelper.getNotValidCharacter(false)}, request )); } } check = form.getPvp2OrgDisplayName(); if (MiscUtil.isNotEmpty(check)) { - if (ValidationHelper.containsPotentialCSSCharacter(check, false)) { + if (ValidationHelper.containsNotValidCharacter(check, false)) { log.info("PVP2 organisation display name is not valid: " + check); errors.add(LanguageHelper.getErrorString("validation.general.protocol.pvp2.org.displayname.valid", - new Object[] {ValidationHelper.getPotentialCSSCharacter(false)}, request )); + new Object[] {ValidationHelper.getNotValidCharacter(false)}, request )); } } check = form.getPvp2OrgName(); if (MiscUtil.isNotEmpty(check)) { - if (ValidationHelper.containsPotentialCSSCharacter(check, false)) { + if (ValidationHelper.containsNotValidCharacter(check, false)) { log.info("PVP2 organisation name is not valid: " + check); errors.add(LanguageHelper.getErrorString("validation.general.protocol.pvp2.org.name.valid", - new Object[] {ValidationHelper.getPotentialCSSCharacter(false)}, request )); + new Object[] {ValidationHelper.getNotValidCharacter(false)}, request )); } } @@ -347,10 +347,10 @@ public class MOAConfigValidator { check = form.getSsoFriendlyName(); if (MiscUtil.isNotEmpty(check)) { - if (ValidationHelper.containsPotentialCSSCharacter(check, false)) { + if (ValidationHelper.containsNotValidCharacter(check, false)) { log.info("SSO friendlyname is not valid: " + check); errors.add(LanguageHelper.getErrorString("validation.general.sso.friendlyname.valid", - new Object[] {ValidationHelper.getPotentialCSSCharacter(false)}, request )); + new Object[] {ValidationHelper.getNotValidCharacter(false)}, request )); } } @@ -373,10 +373,10 @@ public class MOAConfigValidator { check = form.getSsoSpecialText(); if (MiscUtil.isNotEmpty(check)) { - if (ValidationHelper.containsPotentialCSSCharacter(check, true)) { + if (ValidationHelper.containsNotValidCharacter(check, true)) { log.info("SSO SpecialText is not valid: " + check); errors.add(LanguageHelper.getErrorString("validation.general.sso.specialauthtext.valid", - new Object[] {ValidationHelper.getPotentialCSSCharacter(true)} , request)); + new Object[] {ValidationHelper.getNotValidCharacter(true)} , request)); } } @@ -388,10 +388,10 @@ public class MOAConfigValidator { } else { if (!ValidationHelper.isValidAdminTarget(check)) { - if (ValidationHelper.containsPotentialCSSCharacter(check, false)) { + if (ValidationHelper.containsNotValidCharacter(check, false)) { log.warn("IdentificationNumber contains potentail XSS characters: " + check); errors.add(LanguageHelper.getErrorString("validation.general.sso.target.valid", - new Object[] {ValidationHelper.getPotentialCSSCharacter(false)}, request )); + new Object[] {ValidationHelper.getNotValidCharacter(false)}, request )); } String num = check.replaceAll(" ", ""); @@ -440,7 +440,7 @@ public class MOAConfigValidator { String filename = form.getFileUploadFileName().get(i); if (MiscUtil.isNotEmpty(filename)) { - if (ValidationHelper.containsPotentialCSSCharacter(filename, false)) { + if (ValidationHelper.containsNotValidCharacter(filename, false)) { log.info("SL Transformation Filename is not valid"); errors.add(LanguageHelper.getErrorString("validation.general.slrequest.filename.valid", request)); diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/moaconfig/PVP2ContactValidator.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/moaconfig/PVP2ContactValidator.java index e4a091c7e..f7edbee71 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/moaconfig/PVP2ContactValidator.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/moaconfig/PVP2ContactValidator.java @@ -52,28 +52,28 @@ public class PVP2ContactValidator { String check = contact.getCompany(); if (MiscUtil.isNotEmpty(check)) { - if (ValidationHelper.containsPotentialCSSCharacter(check, false)) { + if (ValidationHelper.containsNotValidCharacter(check, false)) { log.info("PVP2 Contact: Company is not valid: " + check); errors.add(LanguageHelper.getErrorString("validation.general.protocol.pvp2.contact.company.valid", - new Object[] {ValidationHelper.getPotentialCSSCharacter(false)}, request )); + new Object[] {ValidationHelper.getNotValidCharacter(false)}, request )); } } check = contact.getGivenname(); if (MiscUtil.isNotEmpty(check)) { - if (ValidationHelper.containsPotentialCSSCharacter(check, false)) { + if (ValidationHelper.containsNotValidCharacter(check, false)) { log.info("PVP2 Contact: GivenName is not valid: " + check); errors.add(LanguageHelper.getErrorString("validation.general.protocol.pvp2.contact.givenname.valid", - new Object[] {ValidationHelper.getPotentialCSSCharacter(false)}, request )); + new Object[] {ValidationHelper.getNotValidCharacter(false)}, request )); } } check = contact.getSurname(); if (MiscUtil.isNotEmpty(check)) { - if (ValidationHelper.containsPotentialCSSCharacter(check, false)) { + if (ValidationHelper.containsNotValidCharacter(check, false)) { log.info("PVP2 Contact: SureName is not valid: " + check); errors.add(LanguageHelper.getErrorString("validation.general.protocol.pvp2.contact.surename.valid", - new Object[] {ValidationHelper.getPotentialCSSCharacter(false)}, request )); + new Object[] {ValidationHelper.getNotValidCharacter(false)}, request )); } } diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/moaconfig/StorkConfigValidator.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/moaconfig/StorkConfigValidator.java index fbd2f3bb3..41fce8e60 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/moaconfig/StorkConfigValidator.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/moaconfig/StorkConfigValidator.java @@ -38,10 +38,10 @@ public class StorkConfigValidator { // check country code String check = current.getCountryCode(); if (MiscUtil.isNotEmpty(check)) { - if (ValidationHelper.containsPotentialCSSCharacter(check, false)) { + if (ValidationHelper.containsNotValidCharacter(check, false)) { log.warn("CPEPS config countrycode contains potentail XSS characters: " + check); errors.add(LanguageHelper.getErrorString("validation.stork.cpeps.cc", - new Object[] {ValidationHelper.getPotentialCSSCharacter(false)}, request )); + new Object[] {ValidationHelper.getNotValidCharacter(false)}, request )); } if(!check.toLowerCase().matches("(^[a-z][a-z]$)|(^[a-z][a-z]-[a-z,0-9]*)")) { log.warn("CPEPS config countrycode does not comply to ISO 3166-2 : " + check); @@ -95,10 +95,10 @@ public class StorkConfigValidator { for(StorkAttribute check : form.getAttributes()) { if (check != null && MiscUtil.isNotEmpty(check.getName())) { String tmp = check.getName().replace("eidas/attributes/", ""); // since eIDaS attributes come with a "/", we need to exclude them from validation. TODO Or should we require the admin to escape them in the UI? - if (ValidationHelper.containsPotentialCSSCharacter(tmp, true)) { + if (ValidationHelper.containsNotValidCharacter(tmp, true)) { log.warn("default attributes contains potentail XSS characters: " + check); errors.add(LanguageHelper.getErrorString("validation.stork.requestedattributes", - new Object[] {ValidationHelper.getPotentialCSSCharacter(true)}, request )); + new Object[] {ValidationHelper.getNotValidCharacter(true)}, request )); } if(!tmp.toLowerCase().matches("^[A-Za-z]*$")) { log.warn("default attributes do not match the requested format : " + check); diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAAuthenticationDataValidation.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAAuthenticationDataValidation.java index 7e6396b75..a758088b1 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAAuthenticationDataValidation.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAAuthenticationDataValidation.java @@ -140,10 +140,10 @@ public class OAAuthenticationDataValidation { errors.add(LanguageHelper.getErrorString("validation.general.mandate.usemandate", request)); } - if (ValidationHelper.containsPotentialCSSCharacter(check, true)) { + if (ValidationHelper.containsNotValidCharacter(check, true)) { log.warn("MandateProfiles contains potentail XSS characters: " + check); errors.add(LanguageHelper.getErrorString("validation.general.mandate.profiles", - new Object[] {ValidationHelper.getPotentialCSSCharacter(true)}, request )); + new Object[] {ValidationHelper.getNotValidCharacter(true)}, request )); } } diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAFileUploadValidation.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAFileUploadValidation.java index d2dac3b28..2011a07f1 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAFileUploadValidation.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAFileUploadValidation.java @@ -66,7 +66,7 @@ public class OAFileUploadValidation { String filename = fileName.get(i); if (MiscUtil.isNotEmpty(filename)) { - if (ValidationHelper.containsPotentialCSSCharacter(filename, false)) { + if (ValidationHelper.containsNotValidCharacter(filename, false)) { log.info("Filename is not valid"); errors.add(LanguageHelper.getErrorString(errorMsgPreFix + ".filename.valid", request)); diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OATargetConfigValidation.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OATargetConfigValidation.java index 0062beb96..ca0231577 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OATargetConfigValidation.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OATargetConfigValidation.java @@ -64,10 +64,10 @@ public class OATargetConfigValidation { errors.add(LanguageHelper.getErrorString("validation.general.identificationnumber.empty", request)); } else { - if (ValidationHelper.containsPotentialCSSCharacter(check, false)) { + if (ValidationHelper.containsNotValidCharacter(check, false)) { log.warn("IdentificationNumber contains potentail XSS characters: " + check); errors.add(LanguageHelper.getErrorString("validation.general.identificationnumber.valid", - new Object[] {ValidationHelper.getPotentialCSSCharacter(false)}, request )); + new Object[] {ValidationHelper.getNotValidCharacter(false)}, request )); } if (form.getIdentificationType().equals(Constants.IDENIFICATIONTYPE_FN)) { @@ -129,10 +129,10 @@ public class OATargetConfigValidation { //check targetFrindlyName(); check = form.getTargetFriendlyName(); if (MiscUtil.isNotEmpty(check)) { - if (ValidationHelper.containsPotentialCSSCharacter(check, false)) { + if (ValidationHelper.containsNotValidCharacter(check, false)) { log.warn("TargetFriendlyName contains potentail XSS characters: " + check); errors.add(LanguageHelper.getErrorString("validation.general.targetfriendlyname", - new Object[] {ValidationHelper.getPotentialCSSCharacter(false)}, request )); + new Object[] {ValidationHelper.getNotValidCharacter(false)}, request )); } } diff --git a/id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/GeneralMOAIDConfigurationTask.java b/id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/GeneralMOAIDConfigurationTask.java index e229b6ef4..c9ad63121 100644 --- a/id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/GeneralMOAIDConfigurationTask.java +++ b/id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/GeneralMOAIDConfigurationTask.java @@ -106,13 +106,13 @@ public class GeneralMOAIDConfigurationTask extends AbstractTaskValidator impleme String check = input.get(KeyValueUtils.removePrefixFromKey(MOAIDConfigurationConstants.GENERAL_PROTOCOLS_SAML1_SOURCEID, getKeyPrefix())); if (MiscUtil.isNotEmpty(check)) { - if (ValidationHelper.containsPotentialCSSCharacter(check, false)) { + if (ValidationHelper.containsNotValidCharacter(check, false)) { log.warn("SAML1 SourceID contains potentail XSS characters: " + check); errors.add(new ValidationObjectIdentifier( MOAIDConfigurationConstants.GENERAL_PROTOCOLS_SAML1_SOURCEID, "SAML1 - SourceID", LanguageHelper.getErrorString("validation.general.SAML1SourceID", - new Object[] {ValidationHelper.getPotentialCSSCharacter(false)}))); + new Object[] {ValidationHelper.getNotValidCharacter(false)}))); } } @@ -293,13 +293,13 @@ public class GeneralMOAIDConfigurationTask extends AbstractTaskValidator impleme "MOA-SP - AuthBlocktransformation", LanguageHelper.getErrorString("validation.general.moasp.auth.transformation.empty"))); } else { - if (ValidationHelper.containsPotentialCSSCharacter(check, false)) { + if (ValidationHelper.containsNotValidCharacter(check, false)) { log.info("IdentityLinkSigners is not valid: " + check); errors.add(new ValidationObjectIdentifier( MOAIDConfigurationConstants.GENERAL_AUTH_MOASP_AUTHBLOCK_TRANSFORM, "MOA-SP - AuthBlocktransformationx", LanguageHelper.getErrorString("validation.general.moasp.auth.transformation.valid", - new Object[] {ValidationHelper.getPotentialCSSCharacter(false)} ))); + new Object[] {ValidationHelper.getNotValidCharacter(false)} ))); } } @@ -312,13 +312,13 @@ public class GeneralMOAIDConfigurationTask extends AbstractTaskValidator impleme "MOA-SP - TrustProfile AuthBlock", LanguageHelper.getErrorString("validation.general.moasp.auth.trustprofile.empty"))); } else { - if (ValidationHelper.containsPotentialCSSCharacter(check, false)) { + if (ValidationHelper.containsNotValidCharacter(check, false)) { log.info("Authblock TrustProfile is not valid: " +check); errors.add(new ValidationObjectIdentifier( MOAIDConfigurationConstants.GENERAL_AUTH_MOASP_TRUSTPROFILE_AUTHBLOCK_PROD, "MOA-SP - TrustProfile AuthBlock", LanguageHelper.getErrorString("validation.general.moasp.auth.trustprofile.valid", - new Object[] {ValidationHelper.getPotentialCSSCharacter(false)}) )); + new Object[] {ValidationHelper.getNotValidCharacter(false)}) )); } } @@ -330,13 +330,13 @@ public class GeneralMOAIDConfigurationTask extends AbstractTaskValidator impleme "MOA-SP - TrustProfile IdL", LanguageHelper.getErrorString("validation.general.moasp.idl.trustprofile.empty"))); } else { - if (ValidationHelper.containsPotentialCSSCharacter(check, false)) { + if (ValidationHelper.containsNotValidCharacter(check, false)) { log.info("IdentityLink TrustProfile is not valid: " +check); errors.add(new ValidationObjectIdentifier( MOAIDConfigurationConstants.GENERAL_AUTH_MOASP_TRUSTPROFILE_IDL_PROD, "MOA-SP - TrustProfile IdL", LanguageHelper.getErrorString("validation.general.moasp.idl.trustprofile.valid", - new Object[] {ValidationHelper.getPotentialCSSCharacter(false)}) )); + new Object[] {ValidationHelper.getNotValidCharacter(false)}) )); } } @@ -348,13 +348,13 @@ public class GeneralMOAIDConfigurationTask extends AbstractTaskValidator impleme "MOA-SP - Test-TrustProfile AuthBlock", LanguageHelper.getErrorString("validation.general.moasp.auth.trustprofile.test.empty"))); } else { - if (ValidationHelper.containsPotentialCSSCharacter(check, false)) { + if (ValidationHelper.containsNotValidCharacter(check, false)) { log.info("Authblock Test-TrustProfile is not valid: " +check); errors.add(new ValidationObjectIdentifier( MOAIDConfigurationConstants.GENERAL_AUTH_MOASP_TRUSTPROFILE_AUTHBLOCK_PROD, "MOA-SP - Test-TrustProfile AuthBlock", LanguageHelper.getErrorString("validation.general.moasp.auth.trustprofile.test.valid", - new Object[] {ValidationHelper.getPotentialCSSCharacter(false)}) )); + new Object[] {ValidationHelper.getNotValidCharacter(false)}) )); } } @@ -366,13 +366,13 @@ public class GeneralMOAIDConfigurationTask extends AbstractTaskValidator impleme "MOA-SP - Test-TrustProfile IdL", LanguageHelper.getErrorString("validation.general.moasp.idl.trustprofile.test.empty"))); } else { - if (ValidationHelper.containsPotentialCSSCharacter(check, false)) { + if (ValidationHelper.containsNotValidCharacter(check, false)) { log.info("IdentityLink Test-TrustProfile is not valid: " +check); errors.add(new ValidationObjectIdentifier( MOAIDConfigurationConstants.GENERAL_AUTH_MOASP_TRUSTPROFILE_IDL_PROD, "MOA-SP - Test-TrustProfile IdL", LanguageHelper.getErrorString("validation.general.moasp.idl.trustprofile.test.valid", - new Object[] {ValidationHelper.getPotentialCSSCharacter(false)}) )); + new Object[] {ValidationHelper.getNotValidCharacter(false)}) )); } } @@ -430,25 +430,25 @@ public class GeneralMOAIDConfigurationTask extends AbstractTaskValidator impleme check = input.get(KeyValueUtils.removePrefixFromKey(MOAIDConfigurationConstants.GENERAL_AUTH_SSO_SERVICENAME, getKeyPrefix())); if (MiscUtil.isNotEmpty(check)) { - if (ValidationHelper.containsPotentialCSSCharacter(check, false)) { + if (ValidationHelper.containsNotValidCharacter(check, false)) { log.info("SSO friendlyname is not valid: " + check); errors.add(new ValidationObjectIdentifier( MOAIDConfigurationConstants.GENERAL_AUTH_SSO_SERVICENAME, "SSO - Servicename", LanguageHelper.getErrorString("validation.general.sso.friendlyname.valid", - new Object[] {ValidationHelper.getPotentialCSSCharacter(false)}) )); + new Object[] {ValidationHelper.getNotValidCharacter(false)}) )); } } check = input.get(KeyValueUtils.removePrefixFromKey(MOAIDConfigurationConstants.GENERAL_AUTH_SSO_AUTHBLOCK_TEXT, getKeyPrefix())); if (MiscUtil.isNotEmpty(check)) { - if (ValidationHelper.containsPotentialCSSCharacter(check, true)) { + if (ValidationHelper.containsNotValidCharacter(check, true)) { log.info("SSO SpecialText is not valid: " + check); errors.add(new ValidationObjectIdentifier( MOAIDConfigurationConstants.GENERAL_AUTH_SSO_AUTHBLOCK_TEXT, "SSO - AuthBlocktext", LanguageHelper.getErrorString("validation.general.sso.specialauthtext.valid", - new Object[] {ValidationHelper.getPotentialCSSCharacter(true)} ))); + new Object[] {ValidationHelper.getNotValidCharacter(true)} ))); } } @@ -465,13 +465,13 @@ public class GeneralMOAIDConfigurationTask extends AbstractTaskValidator impleme //TODO: maybe store full bPK target (incl. prefix) if (!ValidationHelper.isValidAdminTarget(check)) { - if (ValidationHelper.containsPotentialCSSCharacter(check, false)) { + if (ValidationHelper.containsNotValidCharacter(check, false)) { log.warn("IdentificationNumber contains potentail XSS characters: " + check); errors.add(new ValidationObjectIdentifier( MOAIDConfigurationConstants.GENERAL_AUTH_SSO_TARGET, "SSO - Target", LanguageHelper.getErrorString("validation.general.sso.target.valid", - new Object[] {ValidationHelper.getPotentialCSSCharacter(false)}) )); + new Object[] {ValidationHelper.getNotValidCharacter(false)}) )); } String num = check.replaceAll(" ", ""); diff --git a/id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/GeneralPVP2XConfigurationTask.java b/id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/GeneralPVP2XConfigurationTask.java index a593b5461..cdd2a7ce2 100644 --- a/id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/GeneralPVP2XConfigurationTask.java +++ b/id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/GeneralPVP2XConfigurationTask.java @@ -90,35 +90,35 @@ public class GeneralPVP2XConfigurationTask extends AbstractTaskValidator impleme String check = input.get(KeyValueUtils.removePrefixFromKey(MOAIDConfigurationConstants.GENERAL_PROTOCOLS_PVP2X_METADATA_SERVICENAMME, MOAIDConfigurationConstants.PREFIX_MOAID_GENERAL)); if (MiscUtil.isNotEmpty(check)) { - if (ValidationHelper.containsPotentialCSSCharacter(check, false)) { + if (ValidationHelper.containsNotValidCharacter(check, false)) { logger.info("PVP2 IssuerName is not valid: " + check); errors.add(new ValidationObjectIdentifier(MOAIDConfigurationConstants.GENERAL_PROTOCOLS_PVP2X_METADATA_SERVICENAMME, "Service Name", LanguageHelper.getErrorString("validation.general.protocol.pvp2.issuername.valid", - new Object[] {ValidationHelper.getPotentialCSSCharacter(false)}))); + new Object[] {ValidationHelper.getNotValidCharacter(false)}))); } } check = input.get(KeyValueUtils.removePrefixFromKey(MOAIDConfigurationConstants.GENERAL_PROTOCOLS_PVP2X_METADATA_ORG_FULLNAME, MOAIDConfigurationConstants.PREFIX_MOAID_GENERAL)); if (MiscUtil.isNotEmpty(check)) { - if (ValidationHelper.containsPotentialCSSCharacter(check, false)) { + if (ValidationHelper.containsNotValidCharacter(check, false)) { logger.info("PVP2 organisation display name is not valid: " + check); errors.add(new ValidationObjectIdentifier(MOAIDConfigurationConstants.GENERAL_PROTOCOLS_PVP2X_METADATA_ORG_FULLNAME, "Organisation - Full name", LanguageHelper.getErrorString("validation.general.protocol.pvp2.org.displayname.valid", - new Object[] {ValidationHelper.getPotentialCSSCharacter(false)}))); + new Object[] {ValidationHelper.getNotValidCharacter(false)}))); } } check = input.get(KeyValueUtils.removePrefixFromKey(MOAIDConfigurationConstants.GENERAL_PROTOCOLS_PVP2X_METADATA_ORG_SHORTNAME, MOAIDConfigurationConstants.PREFIX_MOAID_GENERAL)); if (MiscUtil.isNotEmpty(check)) { - if (ValidationHelper.containsPotentialCSSCharacter(check, false)) { + if (ValidationHelper.containsNotValidCharacter(check, false)) { logger.info("PVP2 organisation name is not valid: " + check); errors.add(new ValidationObjectIdentifier(MOAIDConfigurationConstants.GENERAL_PROTOCOLS_PVP2X_METADATA_ORG_SHORTNAME, "Organisation - Short name", LanguageHelper.getErrorString("validation.general.protocol.pvp2.org.name.valid", - new Object[] {ValidationHelper.getPotentialCSSCharacter(false)}))); + new Object[] {ValidationHelper.getNotValidCharacter(false)}))); } } @@ -135,34 +135,34 @@ public class GeneralPVP2XConfigurationTask extends AbstractTaskValidator impleme check = input.get(KeyValueUtils.removePrefixFromKey(MOAIDConfigurationConstants.GENERAL_PROTOCOLS_PVP2X_METADATA_CONTACT_COMPANY, MOAIDConfigurationConstants.PREFIX_MOAID_GENERAL)); if (MiscUtil.isNotEmpty(check)) { - if (ValidationHelper.containsPotentialCSSCharacter(check, false)) { + if (ValidationHelper.containsNotValidCharacter(check, false)) { logger.info("PVP2 Contact: Company is not valid: " + check); errors.add(new ValidationObjectIdentifier(MOAIDConfigurationConstants.GENERAL_PROTOCOLS_PVP2X_METADATA_CONTACT_COMPANY, "Contact - Company", LanguageHelper.getErrorString("validation.general.protocol.pvp2.contact.company.valid", - new Object[] {ValidationHelper.getPotentialCSSCharacter(false)}))); + new Object[] {ValidationHelper.getNotValidCharacter(false)}))); } } check = input.get(KeyValueUtils.removePrefixFromKey(MOAIDConfigurationConstants.GENERAL_PROTOCOLS_PVP2X_METADATA_CONTACT_GIVENNAME, MOAIDConfigurationConstants.PREFIX_MOAID_GENERAL)); if (MiscUtil.isNotEmpty(check)) { - if (ValidationHelper.containsPotentialCSSCharacter(check, false)) { + if (ValidationHelper.containsNotValidCharacter(check, false)) { logger.info("PVP2 Contact: GivenName is not valid: " + check); errors.add(new ValidationObjectIdentifier(MOAIDConfigurationConstants.GENERAL_PROTOCOLS_PVP2X_METADATA_CONTACT_GIVENNAME, "Contact - GivenName", LanguageHelper.getErrorString("validation.general.protocol.pvp2.contact.givenname.valid", - new Object[] {ValidationHelper.getPotentialCSSCharacter(false)}))); + new Object[] {ValidationHelper.getNotValidCharacter(false)}))); } } check = input.get(KeyValueUtils.removePrefixFromKey(MOAIDConfigurationConstants.GENERAL_PROTOCOLS_PVP2X_METADATA_CONTACT_FAMLIYNAME, MOAIDConfigurationConstants.PREFIX_MOAID_GENERAL)); if (MiscUtil.isNotEmpty(check)) { - if (ValidationHelper.containsPotentialCSSCharacter(check, false)) { + if (ValidationHelper.containsNotValidCharacter(check, false)) { logger.info("PVP2 Contact: SureName is not valid: " + check); errors.add(new ValidationObjectIdentifier(MOAIDConfigurationConstants.GENERAL_PROTOCOLS_PVP2X_METADATA_CONTACT_FAMLIYNAME, "Contact - FamilyName", LanguageHelper.getErrorString("validation.general.protocol.pvp2.contact.surename.valid", - new Object[] {ValidationHelper.getPotentialCSSCharacter(false)}))); + new Object[] {ValidationHelper.getNotValidCharacter(false)}))); } } diff --git a/id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/GeneralSTORKConfigurationTask.java b/id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/GeneralSTORKConfigurationTask.java index df67ca2f1..309e0745b 100644 --- a/id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/GeneralSTORKConfigurationTask.java +++ b/id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/GeneralSTORKConfigurationTask.java @@ -116,14 +116,14 @@ public static final List<String> KEYWHITELIST; log.trace("Extract C-PEPS for country: " + cc + " with URL:" + url); if (!validatedCPeps.containsKey(cc)) { if (MiscUtil.isNotEmpty(cc)) { - if (ValidationHelper.containsPotentialCSSCharacter(cc, false)) { + if (ValidationHelper.containsNotValidCharacter(cc, false)) { log.warn("CPEPS config countrycode contains potentail XSS characters: " + cc); errors.add(new ValidationObjectIdentifier( MOAIDConfigurationConstants.GENERAL_AUTH_STORK_CPEPS_LIST + "." + cpepsKey, "STORK - CPEPS Country", LanguageHelper.getErrorString("validation.stork.cpeps.cc", - new Object[] {ValidationHelper.getPotentialCSSCharacter(false)}))); + new Object[] {ValidationHelper.getNotValidCharacter(false)}))); } if(!cc.toLowerCase().matches("(^[a-z][a-z]$)|(^[a-z][a-z]-[a-z,0-9]*)")) { log.warn("CPEPS config countrycode does not comply to ISO 3166-2 : " + cc); @@ -215,13 +215,13 @@ public static final List<String> KEYWHITELIST; String value = attributeList.get(key); value = value.replace("eidas/attributes/", ""); // since eIDaS attributes come with a "/", we need to exclude them from validation. TODO Or should we require the admin to escape them in the UI? if (!validatedAttributes.contains(value)) { - if (ValidationHelper.containsPotentialCSSCharacter(value, true)) { + if (ValidationHelper.containsNotValidCharacter(value, true)) { log.warn("default attributes contains potentail XSS characters: " + value); errors.add(new ValidationObjectIdentifier( MOAIDConfigurationConstants.GENERAL_AUTH_STORK_QAA, "STORK - Attributes", LanguageHelper.getErrorString("validation.stork.requestedattributes", - new Object[] {ValidationHelper.getPotentialCSSCharacter(true)}))); + new Object[] {ValidationHelper.getNotValidCharacter(true)}))); } if(!value.toLowerCase().matches("^[A-Za-z]*$")) { log.warn("default attributes do not match the requested format : " + value); diff --git a/id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/ServicesAuthenticationInformationTask.java b/id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/ServicesAuthenticationInformationTask.java index 05467c3bc..25855dcb6 100644 --- a/id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/ServicesAuthenticationInformationTask.java +++ b/id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/ServicesAuthenticationInformationTask.java @@ -220,13 +220,13 @@ public class ServicesAuthenticationInformationTask extends AbstractTaskValidator String checkUseMandate = input.get(MOAIDConfigurationConstants.SERVICE_AUTH_MANDATES_OVS_USE); if (MiscUtil.isNotEmpty(checkUseMandate) && Boolean.parseBoolean(checkUseMandate)) { check = input.get(MOAIDConfigurationConstants.SERVICE_AUTH_MANDATES_OVS_PROFILES); - if (ValidationHelper.containsPotentialCSSCharacter(check, true)) { + if (ValidationHelper.containsNotValidCharacter(check, true)) { log.warn("MandateProfiles contains potentail XSS characters: " + check); errors.add(new ValidationObjectIdentifier( MOAIDConfigurationConstants.SERVICE_AUTH_MANDATES_OVS_PROFILES, "Mandates - Profiles", LanguageHelper.getErrorString("validation.general.mandate.profiles", - new Object[] {ValidationHelper.getPotentialCSSCharacter(true)}) )); + new Object[] {ValidationHelper.getNotValidCharacter(true)}) )); } } diff --git a/id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/ServicesBKUSelectionTask.java b/id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/ServicesBKUSelectionTask.java index f8ce21c99..83e6cb234 100644 --- a/id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/ServicesBKUSelectionTask.java +++ b/id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/ServicesBKUSelectionTask.java @@ -153,13 +153,13 @@ public class ServicesBKUSelectionTask extends AbstractTaskValidator implements I //validate aditionalAuthBlockText String check = input.get(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_AUTHBLOCKTEXT); if (MiscUtil.isNotEmpty(check)) { - if (ValidationHelper.containsPotentialCSSCharacter(check, false)) { + if (ValidationHelper.containsNotValidCharacter(check, false)) { log.warn("AditionalAuthBlockText contains potentail XSS characters: " + check); errors.add(new ValidationObjectIdentifier( MOAIDConfigurationConstants.SERVICE_AUTH_BKU_AUTHBLOCKTEXT, "AuthBlock - Addition AuthBlocktext", LanguageHelper.getErrorString("validation.general.aditionalauthblocktext", - new Object[] {ValidationHelper.getPotentialCSSCharacter(false)}))); + new Object[] {ValidationHelper.getNotValidCharacter(false)}))); } } @@ -172,7 +172,7 @@ public class ServicesBKUSelectionTask extends AbstractTaskValidator implements I try { String bkuSelectTemplateUploadedFileName = input.get(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_BKUSELECTION_FILENAME); if (MiscUtil.isNotEmpty(bkuSelectTemplateUploadedFileName)) { - if (ValidationHelper.containsPotentialCSSCharacter(bkuSelectTemplateUploadedFileName, false)) { + if (ValidationHelper.containsNotValidCharacter(bkuSelectTemplateUploadedFileName, false)) { log.info("BKU Selection Filename is not valid"); errors.add(new ValidationObjectIdentifier( MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_BKUSELECTION_FILENAME, @@ -221,7 +221,7 @@ public class ServicesBKUSelectionTask extends AbstractTaskValidator implements I try { String sendAssertionTemplateUploadedFileName = input.get(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_SENDASSERTION_FILENAME); if (MiscUtil.isNotEmpty(sendAssertionTemplateUploadedFileName)) { - if (ValidationHelper.containsPotentialCSSCharacter(sendAssertionTemplateUploadedFileName, false)) { + if (ValidationHelper.containsNotValidCharacter(sendAssertionTemplateUploadedFileName, false)) { log.info("Send Assertion Filename is not valid"); errors.add(new ValidationObjectIdentifier( MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_SENDASSERTION_FILENAME, @@ -342,13 +342,13 @@ public class ServicesBKUSelectionTask extends AbstractTaskValidator implements I check = input.get(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_CUSTOMIZATION_HEADERTEXT); if (MiscUtil.isNotEmpty(check)) { - if (ValidationHelper.containsPotentialCSSCharacter(check, false)) { + if (ValidationHelper.containsNotValidCharacter(check, false)) { log.warn("HeaderText contains potentail XSS characters: " + check); errors.add(new ValidationObjectIdentifier( MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_CUSTOMIZATION_HEADERTEXT, "Templates - Header Text", LanguageHelper.getErrorString("validation.general.form.header.text", - new Object[] {ValidationHelper.getPotentialCSSCharacter(false)}) )); + new Object[] {ValidationHelper.getNotValidCharacter(false)}) )); } } @@ -407,13 +407,13 @@ public class ServicesBKUSelectionTask extends AbstractTaskValidator implements I check = input.get(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_CUSTOMIZATION_FONTTYPE); if (MiscUtil.isNotEmpty(check)) { - if (ValidationHelper.containsPotentialCSSCharacter(check, true)) { + if (ValidationHelper.containsNotValidCharacter(check, true)) { log.warn("FontType contains potentail XSS characters: " + check); errors.add(new ValidationObjectIdentifier( MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_CUSTOMIZATION_FONTTYPE, "Templates - Font Type", LanguageHelper.getErrorString("validation.general.form.fonttype", - new Object[] {ValidationHelper.getPotentialCSSCharacter(true)}) )); + new Object[] {ValidationHelper.getNotValidCharacter(true)}) )); } } @@ -425,7 +425,7 @@ public class ServicesBKUSelectionTask extends AbstractTaskValidator implements I MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_CUSTOMIZATION_APPLETHEIGHT, "Templates - Applet Height", LanguageHelper.getErrorString("validation.general.form.applet.height", - new Object[] {ValidationHelper.getPotentialCSSCharacter(true)}) )); + new Object[] {ValidationHelper.getNotValidCharacter(true)}) )); } } @@ -437,7 +437,7 @@ public class ServicesBKUSelectionTask extends AbstractTaskValidator implements I MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_CUSTOMIZATION_APPLETWIDTH, "Templates - Applet Width", LanguageHelper.getErrorString("validation.general.form.applet.width", - new Object[] {ValidationHelper.getPotentialCSSCharacter(true)}) )); + new Object[] {ValidationHelper.getNotValidCharacter(true)}) )); } } diff --git a/id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/ServicesGeneralInformationTask.java b/id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/ServicesGeneralInformationTask.java index 86d047c74..5ff157b3b 100644 --- a/id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/ServicesGeneralInformationTask.java +++ b/id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/ServicesGeneralInformationTask.java @@ -107,13 +107,13 @@ public class ServicesGeneralInformationTask extends AbstractTaskValidator implem String check = input.get(MOAIDConfigurationConstants.SERVICE_FRIENDLYNAME); if (MiscUtil.isNotEmpty(check)) { - if (ValidationHelper.containsPotentialCSSCharacter(check, false)) { + if (ValidationHelper.containsNotValidCharacter(check, false)) { log.warn("OAFriendlyName contains potentail XSS characters: " + check); errors.add(new ValidationObjectIdentifier( MOAIDConfigurationConstants.SERVICE_FRIENDLYNAME, "FriendlyName", LanguageHelper.getErrorString("validation.general.oafriendlyname.valid", - new Object[] {ValidationHelper.getPotentialCSSCharacter(false)}))); + new Object[] {ValidationHelper.getNotValidCharacter(false)}))); } } else { log.info("OA friendlyName is empty"); diff --git a/id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/ServicesTargetTask.java b/id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/ServicesTargetTask.java index 5d23a60f6..e8d49a391 100644 --- a/id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/ServicesTargetTask.java +++ b/id/moa-id-webgui/src/main/java/at/gv/egovernment/moa/id/config/webgui/validation/task/impl/ServicesTargetTask.java @@ -113,13 +113,13 @@ public class ServicesTargetTask extends AbstractTaskValidator implements ITaskVa LanguageHelper.getErrorString("validation.general.identificationnumber.empty"))); } else { - if (ValidationHelper.containsPotentialCSSCharacter(check, false)) { + if (ValidationHelper.containsNotValidCharacter(check, false)) { log.warn("IdentificationNumber contains potentail XSS characters: " + check); errors.add(new ValidationObjectIdentifier( MOAIDConfigurationConstants.SERVICE_AUTH_TARGET_BUSINESS_VALUE, "BusinessService - Value", LanguageHelper.getErrorString("validation.general.identificationnumber.valid", - new Object[] {ValidationHelper.getPotentialCSSCharacter(false)}) )); + new Object[] {ValidationHelper.getNotValidCharacter(false)}) )); } if (input.get(MOAIDConfigurationConstants.SERVICE_AUTH_TARGET_BUSINESS_TYPE) @@ -142,13 +142,13 @@ public class ServicesTargetTask extends AbstractTaskValidator implements ITaskVa if (MiscUtil.isNotEmpty(useOwnTarget) && Boolean.parseBoolean(useOwnTarget)) { check = input.get(MOAIDConfigurationConstants.SERVICE_AUTH_TARGET_PUBLIC_OWN_NAME); if (MiscUtil.isNotEmpty(check)) { - if (ValidationHelper.containsPotentialCSSCharacter(check, false)) { + if (ValidationHelper.containsNotValidCharacter(check, false)) { log.warn("TargetFriendlyName contains potentail XSS characters: " + check); errors.add(new ValidationObjectIdentifier( MOAIDConfigurationConstants.SERVICE_AUTH_TARGET_PUBLIC_OWN_NAME, "Own Target - FriendlyName", LanguageHelper.getErrorString("validation.general.targetfriendlyname", - new Object[] {ValidationHelper.getPotentialCSSCharacter(false)}) )); + new Object[] {ValidationHelper.getNotValidCharacter(false)}) )); } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java index 67611dd72..dcf337213 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/AbstractController.java @@ -91,7 +91,7 @@ public abstract class AbstractController extends MOAIDAuthConstants { resp.setContentType(MediaType.HTML_UTF_8.toString()); resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Internal Server Error!" + "(Errorcode=9199" - +" | Description="+ exception.getMessage() + ")"); + +" | Description="+ StringEscapeUtils.escapeHtml(exception.getMessage()) + ")"); return; } @@ -318,7 +318,7 @@ public abstract class AbstractController extends MOAIDAuthConstants { if (e instanceof ProtocolNotActiveException) { resp.getWriter().write(e.getMessage()); resp.setContentType(MediaType.HTML_UTF_8.toString()); - resp.sendError(HttpServletResponse.SC_FORBIDDEN, e.getMessage()); + resp.sendError(HttpServletResponse.SC_FORBIDDEN, StringEscapeUtils.escapeHtml(e.getMessage())); } else if (e instanceof AuthnRequestValidatorException) { AuthnRequestValidatorException ex = (AuthnRequestValidatorException)e; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/interceptor/WebFrontEndSecurityInterceptor.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/interceptor/WebFrontEndSecurityInterceptor.java index 2976dc420..c8c6c1fb5 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/interceptor/WebFrontEndSecurityInterceptor.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/interceptor/WebFrontEndSecurityInterceptor.java @@ -25,6 +25,7 @@ package at.gv.egovernment.moa.id.auth.servlet.interceptor; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import org.apache.commons.lang.StringEscapeUtils; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.web.servlet.HandlerInterceptor; import org.springframework.web.servlet.ModelAndView; @@ -76,7 +77,7 @@ public class WebFrontEndSecurityInterceptor implements HandlerInterceptor { Logger.info(errorMsg); response.sendError( HttpServletResponse.SC_FORBIDDEN, - errorMsg); + StringEscapeUtils.escapeHtml(errorMsg)); return false; } else { diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/validation/ValidationHelper.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/validation/ValidationHelper.java index 01ae2a354..0a0c4b06d 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/validation/ValidationHelper.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/validation/ValidationHelper.java @@ -22,11 +22,6 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.commons.validation; -import iaik.asn1.ObjectID; -import iaik.utils.Util; -import iaik.x509.X509Certificate; -import iaik.x509.X509ExtensionInitException; - import java.io.IOException; import java.net.MalformedURLException; import java.net.URL; @@ -45,6 +40,10 @@ import javax.net.ssl.SSLSocket; import javax.net.ssl.SSLSocketFactory; import at.gv.egovernment.moa.logging.Logger; +import iaik.asn1.ObjectID; +import iaik.utils.Util; +import iaik.x509.X509Certificate; +import iaik.x509.X509ExtensionInitException; public class ValidationHelper { @@ -322,7 +321,7 @@ public class ValidationHelper { return "; % \" ' ` , < > \\"; } - public static boolean containsPotentialCSSCharacter(String param, boolean commaallowed) { + public static boolean containsNotValidCharacter(String param, boolean commaallowed) { if (param == null) { return false; @@ -340,7 +339,7 @@ public class ValidationHelper { param.indexOf("/") != -1; } - public static String getPotentialCSSCharacter(boolean commaallowed) { + public static String getNotValidCharacter(boolean commaallowed) { if (commaallowed) return "; % \" ' ` < > \\ /"; diff --git a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/AbstractGUIFormBuilderConfiguration.java b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/AbstractGUIFormBuilderConfiguration.java index 52c1f0f97..d57834192 100644 --- a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/AbstractGUIFormBuilderConfiguration.java +++ b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/AbstractGUIFormBuilderConfiguration.java @@ -70,7 +70,8 @@ public abstract class AbstractGUIFormBuilderConfiguration implements IGUIBuilder /** - * Define the parameters, which should be evaluated in the template + * Define the parameters, which should be evaluated in the template <br> + * <b>IMPORTANT:</b> external HTML escapetion is required, because it is NOT done internally during the building process * * @return Map of parameters, which should be added to template */ diff --git a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/AbstractServiceProviderSpecificGUIFormBuilderConfiguration.java b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/AbstractServiceProviderSpecificGUIFormBuilderConfiguration.java index 15bc92a54..ad068ac49 100644 --- a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/AbstractServiceProviderSpecificGUIFormBuilderConfiguration.java +++ b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/AbstractServiceProviderSpecificGUIFormBuilderConfiguration.java @@ -65,6 +65,7 @@ public abstract class AbstractServiceProviderSpecificGUIFormBuilderConfiguration protected IRequest pendingReq = null; protected String templateClasspahtDir = null; + private Map<String, Object> customParameters = null; /** * @param authURL PublicURLPrefix of the IDP but never null @@ -91,11 +92,29 @@ public abstract class AbstractServiceProviderSpecificGUIFormBuilderConfiguration } + /** + * Add a key/value pair into Velocity context.<br> + * Parameter values get escaped internally + * + * @param key velocity context key + * @param value of this key + */ + public void putCustomParameter(String key, Object value) { + if (customParameters == null) + customParameters = new HashMap<String, Object>(); + + if (value instanceof String) + customParameters.put(key, StringEscapeUtils.escapeHtml((String)value)); + else + customParameters.put(key, StringEscapeUtils.escapeHtml(value.toString())); + + } + /* (non-Javadoc) * @see at.gv.egovernment.moa.id.auth.frontend.builder.IGUIBuilderConfiguration#getViewParameters() */ @Override - public Map<String, Object> getSpecificViewParameters() { + public final Map<String, Object> getSpecificViewParameters() { Map<String, Object> params = new HashMap<String, Object>(); params.put(PARAM_BKU_ONLINE, IOAAuthParameters.THIRDBKU); params.put(PARAM_BKU_HANDY, IOAAuthParameters.HANDYBKU); @@ -107,7 +126,7 @@ public abstract class AbstractServiceProviderSpecificGUIFormBuilderConfiguration //add service-provider specific GUI parameters IOAAuthParameters oaParam = pendingReq.getOnlineApplicationConfiguration(); if (oaParam != null) { - params.put(PARAM_OANAME, oaParam.getFriendlyName()); + params.put(PARAM_OANAME, StringEscapeUtils.escapeHtml(oaParam.getFriendlyName())); //set BKU URLs if (MiscUtil.isNotEmpty(oaParam.getBKUURL(IOAAuthParameters.LOCALBKU))) @@ -138,6 +157,10 @@ public abstract class AbstractServiceProviderSpecificGUIFormBuilderConfiguration } + //add additional custom parameters + if (customParameters != null) + params.putAll(customParameters); + return params; } diff --git a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/DefaultGUIFormBuilderConfiguration.java b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/DefaultGUIFormBuilderConfiguration.java index 0c07ad3fb..901dbae53 100644 --- a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/DefaultGUIFormBuilderConfiguration.java +++ b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/DefaultGUIFormBuilderConfiguration.java @@ -77,13 +77,31 @@ public class DefaultGUIFormBuilderConfiguration extends AbstractGUIFormBuilderCo * @param key velocity context key * @param value of this key */ - public void putCustomParameter(String key, Object value) { + public void putCustomParameterWithOutEscaption(String key, Object value) { if (customParameters == null) customParameters = new HashMap<String, Object>(); customParameters.put(key, value); } + /** + * Add a key/value pair into Velocity context.<br> + * All parameters get escaped internally + * + * @param key velocity context key + * @param value of this key + */ + public void putCustomParameter(String key, Object value) { + if (customParameters == null) + customParameters = new HashMap<String, Object>(); + + if (value instanceof String) + customParameters.put(key, StringEscapeUtils.escapeHtml((String)value)); + else + customParameters.put(key, StringEscapeUtils.escapeHtml(value.toString())); + + } + /* (non-Javadoc) * @see at.gv.egovernment.moa.id.auth.frontend.builder.IGUIBuilderConfiguration#getViewParameters() */ diff --git a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/SPSpecificGUIBuilderConfigurationWithDBLoad.java b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/SPSpecificGUIBuilderConfigurationWithDBLoad.java index 13d8d3bb7..0215afc41 100644 --- a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/SPSpecificGUIBuilderConfigurationWithDBLoad.java +++ b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/SPSpecificGUIBuilderConfigurationWithDBLoad.java @@ -56,7 +56,7 @@ public class SPSpecificGUIBuilderConfigurationWithDBLoad extends AbstractService super(pendingReq, viewName, formSubmitEndpoint); } - + /* (non-Javadoc) * @see at.gv.egovernment.moa.id.auth.frontend.AbstractGUIFormBuilder#getTemplate(java.lang.String) */ diff --git a/id/server/moa-id-frontend-resources/src/main/resources/mainGUI/iframeLBKUdetect.html b/id/server/moa-id-frontend-resources/src/main/resources/mainGUI/iframeLBKUdetect.html index 261e19a33..f54484307 100644 --- a/id/server/moa-id-frontend-resources/src/main/resources/mainGUI/iframeLBKUdetect.html +++ b/id/server/moa-id-frontend-resources/src/main/resources/mainGUI/iframeLBKUdetect.html @@ -9,7 +9,6 @@ bkuport = (bkuprot == "https:" ? 3496 : 3495); bkupath = "https-security-layer-request"; bkuurl = bkuprot + "//" + bkuhost + ":" + bkuport + "/" + bkupath; - baseurl = location.href.substr(0, location.href.lastIndexOf("/")); //--> </script> </head> @@ -20,7 +19,7 @@ parent.setBKUAvailable(false); document.write('<form name="bkudetectform" method="POST" target="bkudetect" action="' + bkuurl + '" enctype="application/x-www-form-urlencoded">'); document.write('<input type="hidden" name="XMLRequest" value="<?xml version="1.0" encoding="UTF-8"?><NullOperationRequest xmlns="http://www.buergerkarte.at/namespaces/securitylayer/1.2#"/>" />'); - document.write('<input type="hidden" name="RedirectURL" value="' + baseurl + '/iframeLBKUdetected.html"/>'); + document.write('<input type="hidden" name="RedirectURL" value="' + $contextPath + '/iframeLBKUdetected.html"/>'); document.write('</form>'); try { document.bkudetectform.submit(); diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferServlet.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferServlet.java index a37beac70..dc55df05b 100644 --- a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferServlet.java +++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferServlet.java @@ -160,15 +160,15 @@ public class SSOTransferServlet{ } catch (MOAIDException | MOADatabaseException e) { e.printStackTrace(); - resp.sendError(500, e.getMessage()); + resp.sendError(500, StringEscapeUtils.escapeHtml(e.getMessage())); } catch (NoSuchAlgorithmException | InvalidParameterSpecException e) { e.printStackTrace(); - resp.sendError(500, e.getMessage()); + resp.sendError(500, StringEscapeUtils.escapeHtml(e.getMessage())); } catch (Exception e) { e.printStackTrace(); - resp.sendError(500, e.getMessage()); + resp.sendError(500, StringEscapeUtils.escapeHtml(e.getMessage())); } } @@ -221,51 +221,51 @@ public class SSOTransferServlet{ } catch (OperatorCreationException e) { Logger.warn("Device inpersonisation FAILED: " + e.getMessage(), e); - resp.sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage()); + resp.sendError(HttpServletResponse.SC_BAD_REQUEST, StringEscapeUtils.escapeHtml(e.getMessage())); } catch (CredentialsNotAvailableException e) { Logger.warn("Device inpersonisation FAILED: " + e.getMessage(), e); - resp.sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage()); + resp.sendError(HttpServletResponse.SC_BAD_REQUEST, StringEscapeUtils.escapeHtml(e.getMessage())); } catch (PKCSException e) { Logger.warn("Device inpersonisation FAILED: " + e.getMessage(), e); - resp.sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage()); + resp.sendError(HttpServletResponse.SC_BAD_REQUEST, StringEscapeUtils.escapeHtml(e.getMessage())); } catch (CertificateException e) { Logger.warn("Device inpersonisation FAILED: " + e.getMessage(), e); - resp.sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage()); + resp.sendError(HttpServletResponse.SC_BAD_REQUEST, StringEscapeUtils.escapeHtml(e.getMessage())); } catch (InvalidKeyException e) { Logger.warn("Device inpersonisation FAILED: " + e.getMessage(), e); - resp.sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage()); + resp.sendError(HttpServletResponse.SC_BAD_REQUEST, StringEscapeUtils.escapeHtml(e.getMessage())); } catch (NoSuchAlgorithmException e) { Logger.warn("Device inpersonisation FAILED: " + e.getMessage(), e); - resp.sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage()); + resp.sendError(HttpServletResponse.SC_BAD_REQUEST, StringEscapeUtils.escapeHtml(e.getMessage())); } catch (InvalidKeySpecException e) { Logger.warn("Device inpersonisation FAILED: " + e.getMessage(), e); - resp.sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage()); + resp.sendError(HttpServletResponse.SC_BAD_REQUEST, StringEscapeUtils.escapeHtml(e.getMessage())); } catch (SessionDataStorageException e) { Logger.warn("Device inpersonisation FAILED: " + e.getMessage(), e); - resp.sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage()); + resp.sendError(HttpServletResponse.SC_BAD_REQUEST, StringEscapeUtils.escapeHtml(e.getMessage())); } catch (ParseException e) { Logger.warn("Device inpersonisation FAILED: " + e.getMessage(), e); - resp.sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage()); + resp.sendError(HttpServletResponse.SC_BAD_REQUEST, StringEscapeUtils.escapeHtml(e.getMessage())); } catch (IllegalBlockSizeException e) { Logger.warn("Device inpersonisation FAILED: " + e.getMessage(), e); - resp.sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage()); + resp.sendError(HttpServletResponse.SC_BAD_REQUEST, StringEscapeUtils.escapeHtml(e.getMessage())); } catch (BadPaddingException e) { Logger.warn("Device inpersonisation FAILED: " + e.getMessage(), e); - resp.sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage()); + resp.sendError(HttpServletResponse.SC_BAD_REQUEST, StringEscapeUtils.escapeHtml(e.getMessage())); } catch (NoSuchPaddingException e) { Logger.warn("Device inpersonisation FAILED: " + e.getMessage(), e); - resp.sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage()); + resp.sendError(HttpServletResponse.SC_BAD_REQUEST, StringEscapeUtils.escapeHtml(e.getMessage())); } @@ -323,50 +323,50 @@ public class SSOTransferServlet{ } catch (OperatorCreationException e) { // TODO Auto-generated catch block e.printStackTrace(); - resp.sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage()); + resp.sendError(HttpServletResponse.SC_BAD_REQUEST, StringEscapeUtils.escapeHtml(e.getMessage())); } catch (CredentialsNotAvailableException e) { // TODO Auto-generated catch block e.printStackTrace(); - resp.sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage()); + resp.sendError(HttpServletResponse.SC_BAD_REQUEST, StringEscapeUtils.escapeHtml(e.getMessage())); } catch (PKCSException e) { // TODO Auto-generated catch block e.printStackTrace(); - resp.sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage()); + resp.sendError(HttpServletResponse.SC_BAD_REQUEST, StringEscapeUtils.escapeHtml(e.getMessage())); } catch (CertificateException e) { // TODO Auto-generated catch block e.printStackTrace(); - resp.sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage()); + resp.sendError(HttpServletResponse.SC_BAD_REQUEST, StringEscapeUtils.escapeHtml(e.getMessage())); } catch (InvalidKeyException e) { // TODO Auto-generated catch block e.printStackTrace(); - resp.sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage()); + resp.sendError(HttpServletResponse.SC_BAD_REQUEST, StringEscapeUtils.escapeHtml(e.getMessage())); } catch (NoSuchAlgorithmException e) { // TODO Auto-generated catch block e.printStackTrace(); - resp.sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage()); + resp.sendError(HttpServletResponse.SC_BAD_REQUEST, StringEscapeUtils.escapeHtml(e.getMessage())); } catch (InvalidKeySpecException e) { // TODO Auto-generated catch block e.printStackTrace(); - resp.sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage()); + resp.sendError(HttpServletResponse.SC_BAD_REQUEST, StringEscapeUtils.escapeHtml(e.getMessage())); } catch (SessionDataStorageException e) { e.printStackTrace(); - resp.sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage()); + resp.sendError(HttpServletResponse.SC_BAD_REQUEST, StringEscapeUtils.escapeHtml(e.getMessage())); } catch (IllegalBlockSizeException e) { e.printStackTrace(); - resp.sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage()); + resp.sendError(HttpServletResponse.SC_BAD_REQUEST, StringEscapeUtils.escapeHtml(e.getMessage())); } catch (BadPaddingException e) { e.printStackTrace(); - resp.sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage()); + resp.sendError(HttpServletResponse.SC_BAD_REQUEST, StringEscapeUtils.escapeHtml(e.getMessage())); } catch (NoSuchPaddingException e) { e.printStackTrace(); - resp.sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage()); + resp.sendError(HttpServletResponse.SC_BAD_REQUEST, StringEscapeUtils.escapeHtml(e.getMessage())); } @@ -423,15 +423,15 @@ public class SSOTransferServlet{ } catch (MOAIDException | MOADatabaseException e) { e.printStackTrace(); - resp.sendError(500, e.getMessage()); + resp.sendError(500, StringEscapeUtils.escapeHtml(e.getMessage())); } catch (NoSuchAlgorithmException | InvalidParameterSpecException e) { e.printStackTrace(); - resp.sendError(500, e.getMessage()); + resp.sendError(500, StringEscapeUtils.escapeHtml(e.getMessage())); } catch (Exception e) { e.printStackTrace(); - resp.sendError(500, e.getMessage()); + resp.sendError(500, StringEscapeUtils.escapeHtml(e.getMessage())); } } diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/utils/GUIUtils.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/utils/GUIUtils.java index 13a278d1d..fe164c514 100644 --- a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/utils/GUIUtils.java +++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/utils/GUIUtils.java @@ -105,7 +105,7 @@ public class GUIUtils { config.putCustomParameter("QRImage", base64EncodedImage); config.putCustomParameter("successMsg", "Select the SSO Session in your <i>SSO-Transfer App</i> and scan the QR-Code to start the process."); - config.putCustomParameter("timeoutURL", containerURL); + config.putCustomParameterWithOutEscaption("timeoutURL", containerURL); config.putCustomParameter("timeout", REFESH_TIMEOUT); guiBuilder.build(response, config, "SSO-Transfer-Module"); |