From e392f06a8e1920e4404f11f74c8f51795ad590a6 Mon Sep 17 00:00:00 2001
From: Thomas Lenz
Date: Mon, 27 Nov 2017 15:33:37 +0100
Subject: add some more escaptions
---
 .../configuration/struts/action/IndexAction.java | 32 +++++------------------
 1 file changed, 7 insertions(+), 25 deletions(-)
(limited to 'id/ConfigWebTool')
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java
index df1786402..bf75a3068 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java
@@ -39,7 +39,6 @@ import org.apache.log4j.Logger;
 import org.joda.time.DateTime;
 import org.opensaml.common.SAMLObject;
 import org.opensaml.common.binding.BasicSAMLMessageContext;
-import org.opensaml.common.xml.SAMLConstants;
 import org.opensaml.saml2.binding.decoding.HTTPPostDecoder;
 import org.opensaml.saml2.core.Attribute;
 import org.opensaml.saml2.core.AttributeStatement;
@@ -51,34 +50,18 @@ import org.opensaml.saml2.core.StatusCode; import org.opensaml.saml2.core.Subject; import org.opensaml.saml2.encryption.Decrypter; import org.opensaml.saml2.encryption.EncryptedElementTypeEncryptedKeyResolver; -import org.opensaml.saml2.metadata.IDPSSODescriptor; -import org.opensaml.security.MetadataCredentialResolver; -import org.opensaml.security.MetadataCredentialResolverFactory; -import org.opensaml.security.MetadataCriteria; -import org.opensaml.security.SAMLSignatureProfileValidator; import org.opensaml.ws.transport.http.HttpServletRequestAdapter; import org.opensaml.xml.encryption.ChainingEncryptedKeyResolver; import org.opensaml.xml.encryption.InlineEncryptedKeyResolver; import org.opensaml.xml.encryption.SimpleRetrievalMethodEncryptedKeyResolver; import org.opensaml.xml.parse.BasicParserPool; -import org.opensaml.xml.security.CriteriaSet; -import org.opensaml.xml.security.credential.UsageType; -import org.opensaml.xml.security.criteria.EntityIDCriteria; -import org.opensaml.xml.security.criteria.UsageCriteria; -import org.opensaml.xml.security.keyinfo.BasicProviderKeyInfoCredentialResolver; -import org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver; -import org.opensaml.xml.security.keyinfo.KeyInfoProvider; import org.opensaml.xml.security.keyinfo.StaticKeyInfoCredentialResolver; -import org.opensaml.xml.security.keyinfo.provider.DSAKeyValueProvider; -import org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider; -import org.opensaml.xml.security.keyinfo.provider.RSAKeyValueProvider; import org.opensaml.xml.security.x509.KeyStoreX509CredentialAdapter; import org.opensaml.xml.security.x509.X509Credential; import org.opensaml.xml.signature.Signature; -import org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine; -import at.gv.egovernment.moa.id.commons.db.dao.config.deprecated.OnlineApplication; import at.gv.egovernment.moa.id.commons.db.dao.config.UserDatabase; +import 
at.gv.egovernment.moa.id.commons.db.dao.config.deprecated.OnlineApplication; import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; import at.gv.egovernment.moa.id.commons.validation.ValidationHelper; import at.gv.egovernment.moa.id.config.webgui.exception.ConfigurationException; @@ -86,7 +69,6 @@ import at.gv.egovernment.moa.id.configuration.Constants; import at.gv.egovernment.moa.id.configuration.auth.AuthenticatedUser; import at.gv.egovernment.moa.id.configuration.auth.AuthenticationManager; import at.gv.egovernment.moa.id.configuration.auth.pvp2.PVP2Utils; -import at.gv.egovernment.moa.id.configuration.config.ConfigurationProvider; import at.gv.egovernment.moa.id.configuration.data.UserDatabaseFrom; import at.gv.egovernment.moa.id.configuration.exception.BasicActionException; import at.gv.egovernment.moa.id.configuration.helper.AuthenticationHelper; @@ -160,7 +142,7 @@ public class IndexAction extends BasicAction { if (MiscUtil.isNotEmpty(username)) { if (ValidationHelper.containsNotValidCharacter(username, false)) { - log.warn("Username contains potentail XSS characters: " + username); + log.warn("Username contains potentail XSS characters: " + StringEscapeUtils.escapeHtml(username)); addActionError(LanguageHelper.getErrorString("validation.edituser.username.valid", new Object[] {ValidationHelper.getNotValidCharacter(false)}, request )); return Constants.STRUTS_ERROR; 
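Review bot: `StringEscapeUtils.escapeHtml(username)` in the new `log.warn` line applies an HTML encoder to a value that goes into a log4j message, so markup characters are neutralised but CR/LF and other control characters pass through unchanged. A username containing a line break can therefore still split or forge entries in a plain-text log, unless `ValidationHelper.containsNotValidCharacter` already rejects such characters elsewhere, which the hunk does not show. Encode for the sink instead, for example with one shared helper that does `value.replaceAll("[\\r\\n\\t]", "_")` before logging, and keep HTML escaping for the place where log content is rendered as HTML. The same applies to the escaped `log.warn` arguments in the hunks at -197, -615, -628 and -640. The enclosing method starts and ends outside the hunk, and the import for `StringEscapeUtils` is not among the visible lines.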
@@ -197,13 +179,13 @@ public class IndexAction extends BasicAction { dbuser.setIsUsernamePasswordAllowed(true); if (!dbuser.isIsActive() || !dbuser.isIsUsernamePasswordAllowed()) { - log.warn("Username " + dbuser.getUsername() + " is not active or Username/Password login is not allowed"); + log.warn("Username " + StringEscapeUtils.escapeHtml(dbuser.getUsername()) + " is not active or Username/Password login is not allowed"); addActionError(LanguageHelper.getErrorString("webpages.index.login.notallowed", request)); return Constants.STRUTS_ERROR; } if (!dbuser.getPassword().equals(key)) { - log.warn("Username " + dbuser.getUsername() + " use a false password"); + log.warn("Username " + StringEscapeUtils.escapeHtml(dbuser.getUsername()) + " use a false password"); addActionError(LanguageHelper.getErrorString("webpages.index.login.notallowed", request)); return Constants.STRUTS_ERROR; } @@ -615,7 +597,7 @@ public class IndexAction extends BasicAction { check = user.getInstitut(); if (MiscUtil.isNotEmpty(check)) { if (ValidationHelper.containsNotValidCharacter(check, false)) { - log.warn("Organisation contains potentail XSS characters: " + check); + log.warn("Organisation contains potentail XSS characters: " + StringEscapeUtils.escapeHtml(check)); addActionError(LanguageHelper.getErrorString("validation.edituser.institut.valid", new Object[] {ValidationHelper.getNotValidCharacter(false)}, request )); } @@ -628,7 +610,7 @@ public class IndexAction extends BasicAction { check = user.getMail(); if (MiscUtil.isNotEmpty(check)) { if (!ValidationHelper.isEmailAddressFormat(check)) { - log.warn("Mailaddress is not valid: " + check); + log.warn("Mailaddress is not valid: " + StringEscapeUtils.escapeHtml(check)); addActionError(LanguageHelper.getErrorString("validation.edituser.mail.valid", new Object[] {ValidationHelper.getNotValidCharacter(false)}, request )); } 
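Review bot: The credential check `if (!dbuser.getPassword().equals(key))`, left as context in the hunk at -197, uses `String.equals`, which stops at the first differing character and throws a NullPointerException when the stored password is null. How `key` is derived is outside the hunk; if it is a digest of the submitted password, a null-safe constant-time comparison is the safer form, e.g. `if (dbuser.getPassword() == null || !MessageDigest.isEqual(dbuser.getPassword().getBytes(StandardCharsets.UTF_8), key.getBytes(StandardCharsets.UTF_8)))`. That would need `java.security.MessageDigest` and `java.nio.charset.StandardCharsets` imported, which the visible import hunks do not show.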
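Review bot: The rejected input itself still ends up in the log: `log.warn("Mailaddress is not valid: " + ...)` in the hunk at -628 and `log.warn("No valid Phone Number: " + ...)` in the hunk at -640 write whatever was typed into the mail and phone fields, which is personal data of unbounded length. Escaping does not change that. Logging only the fact and the size is usually enough for support, e.g. `log.warn("Mailaddress is not valid (length " + check.length() + ")");`, with the user id added if the surrounding method has one available. The enclosing validation method starts and ends outside both hunks.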
@@ -640,7 +622,7 @@ public class IndexAction extends BasicAction { check = user.getPhone(); if (MiscUtil.isNotEmpty(check)) { if (!ValidationHelper.validatePhoneNumber(check)) { - log.warn("No valid Phone Number: " + check); + log.warn("No valid Phone Number: " + StringEscapeUtils.escapeHtml(check)); addActionError(LanguageHelper.getErrorString("validation.edituser.phone.valid", new Object[] {ValidationHelper.getNotValidCharacter(false)}, request )); } -- cgit v1.2.3