From 366c463274f3ca06d500c59c0839feb225b4e0b5 Mon Sep 17 00:00:00 2001
From: Thomas Lenz
Date: Mon, 27 Nov 2017 12:11:45 +0100
Subject: add escaping on some places
---
 .../AbstractGUIFormBuilderConfiguration.java | 3 ++-
 ...roviderSpecificGUIFormBuilderConfiguration.java | 27 ++++++++++++++++++++--
 .../DefaultGUIFormBuilderConfiguration.java | 20 +++++++++++++++-
 ...PSpecificGUIBuilderConfigurationWithDBLoad.java | 2 +-
 .../main/resources/mainGUI/iframeLBKUdetect.html | 3 +--
 5 files changed, 48 insertions(+), 7 deletions(-)
(limited to 'id/server/moa-id-frontend-resources')
diff --git a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/AbstractGUIFormBuilderConfiguration.java b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/AbstractGUIFormBuilderConfiguration.java
index 52c1f0f97..d57834192 100644
--- a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/AbstractGUIFormBuilderConfiguration.java
+++ b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/AbstractGUIFormBuilderConfiguration.java
@@ -70,7 +70,8 @@ public abstract class AbstractGUIFormBuilderConfiguration implements IGUIBuilder
 /**
- * Define the parameters, which should be evaluated in the template
+ * Define the parameters, which should be evaluated in the template
+ * IMPORTANT: external HTML escapetion is required, because it is NOT done internally during the building process
 *
 * @return Map of parameters, which should be added to template
 */
diff --git a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/AbstractServiceProviderSpecificGUIFormBuilderConfiguration.java b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/AbstractServiceProviderSpecificGUIFormBuilderConfiguration.java
index 15bc92a54..ad068ac49 100644
--- a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/AbstractServiceProviderSpecificGUIFormBuilderConfiguration.java
+++ b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/AbstractServiceProviderSpecificGUIFormBuilderConfiguration.java
@@ -65,6 +65,7 @@ public abstract class AbstractServiceProviderSpecificGUIFormBuilderConfiguration
 protected IRequest pendingReq = null;
 protected String templateClasspahtDir = null;
+ private Map customParameters = null;
 /**
 * @param authURL PublicURLPrefix of the IDP but never null
@@ -91,11 +92,29 @@ public abstract class AbstractServiceProviderSpecificGUIFormBuilderConfiguration
 }
+ /**
+ * Add a key/value pair into Velocity context.
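Review bot: The added Javadoc line misspells `escapetion` and leaves open which escaping is meant and for which values, so implementers of the contract still have to guess. Name the mechanism the sibling classes in this commit already use: `* IMPORTANT: the builder writes these values into the template verbatim; implementations must HTML-escape every value that originates from the request or from service-provider configuration (e.g. StringEscapeUtils.escapeHtml).` The abstract method this comment documents follows the hunk and is not visible here.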
+ * Parameter values get escaped internally
+ *
+ * @param key velocity context key
+ * @param value of this key
+ */
+ public void putCustomParameter(String key, Object value) {
+ if (customParameters == null)
+ customParameters = new HashMap();
+
+ if (value instanceof String)
+ customParameters.put(key, StringEscapeUtils.escapeHtml((String)value));
+ else
+ customParameters.put(key, StringEscapeUtils.escapeHtml(value.toString()));
+
+ }
+
 /* (non-Javadoc)
 * @see at.gv.egovernment.moa.id.auth.frontend.builder.IGUIBuilderConfiguration#getViewParameters()
 */
 @Override
- public Map getSpecificViewParameters() {
+ public final Map getSpecificViewParameters() {
 Map params = new HashMap();
 params.put(PARAM_BKU_ONLINE, IOAAuthParameters.THIRDBKU);
 params.put(PARAM_BKU_HANDY, IOAAuthParameters.HANDYBKU);
@@ -107,7 +126,7 @@ public abstract class AbstractServiceProviderSpecificGUIFormBuilderConfiguration
 //add service-provider specific GUI parameters
 IOAAuthParameters oaParam = pendingReq.getOnlineApplicationConfiguration();
 if (oaParam != null) {
- params.put(PARAM_OANAME, oaParam.getFriendlyName());
+ params.put(PARAM_OANAME, StringEscapeUtils.escapeHtml(oaParam.getFriendlyName()));
 //set BKU URLs
 if (MiscUtil.isNotEmpty(oaParam.getBKUURL(IOAAuthParameters.LOCALBKU)))
@@ -138,6 +157,10 @@ public abstract class AbstractServiceProviderSpecificGUIFormBuilderConfiguration
 }
+ //add additional custom parameters
+ if (customParameters != null)
+ params.putAll(customParameters);
+
 return params;
 }
diff --git a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/DefaultGUIFormBuilderConfiguration.java b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/DefaultGUIFormBuilderConfiguration.java
index 0c07ad3fb..901dbae53 100644
--- a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/DefaultGUIFormBuilderConfiguration.java
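Review bot: `putCustomParameter` calls `value.toString()` in the `else` branch without a null check, so a null value — which a plain `Map.put` would have stored — now throws a NullPointerException from the configuration code; add `if (value == null) { customParameters.put(key, null); return; }` before the escaping, or reject null explicitly in the Javadoc and with an exception. The `instanceof String` branch is redundant, because `escapeHtml(value.toString())` produces the same result for a String. Two limits of the chosen escaping belong in the Javadoc: commons-lang's single-argument `escapeHtml` (the 2.x API) does not escape the apostrophe, so a value that a Velocity template drops into a single-quoted attribute or a JavaScript string literal is not made safe by this method, and non-String values (a Boolean, a collection) are flattened to text, which presumably breaks templates that test or iterate them. The patch adds no import for `StringEscapeUtils`, so the class must already import it; the `customParameters` field is declared in the earlier hunk.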
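Review bot: Only the friendly name gets `StringEscapeUtils.escapeHtml` in this hunk, while the BKU URLs read from the same service-provider configuration (`oaParam.getBKUURL(...)`, whose `params.put` calls follow below the visible lines) are presumably still placed into the map verbatim; both values cross the same trust boundary, so wrap the URL in `StringEscapeUtils.escapeHtml(...)` in the same way, or validate it as an absolute URL, before a configured value containing a quote can break out of whatever attribute the template puts it in. `escapeHtml(null)` returns null, so a missing friendly name behaves as before and needs no extra guard. The enclosing `getSpecificViewParameters` starts and ends outside this hunk.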
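Review bot: `params.putAll(customParameters)` runs after all request-derived parameters are set, so a custom parameter registered under one of the built-in keys (the OA name or a BKU URL) silently replaces the value computed from the pending request, and nothing says whether that override is intended. If it is not, copy only absent keys: `for (Object k : customParameters.keySet()) if (!params.containsKey(k)) params.put(k, customParameters.get(k));`; if it is, say so where it happens: `//custom parameters deliberately override the built-in ones`. Since the method is now `final`, subclasses can no longer restore a different precedence themselves. The enclosing method starts outside this hunk.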
+++ b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/DefaultGUIFormBuilderConfiguration.java
@@ -77,13 +77,31 @@ public class DefaultGUIFormBuilderConfiguration extends AbstractGUIFormBuilderCo
 * @param key velocity context key
 * @param value of this key
 */
- public void putCustomParameter(String key, Object value) {
+ public void putCustomParameterWithOutEscaption(String key, Object value) {
 if (customParameters == null)
 customParameters = new HashMap();
 customParameters.put(key, value);
 }
+ /**
+ * Add a key/value pair into Velocity context.
+ * All parameters get escaped internally
+ *
+ * @param key velocity context key
+ * @param value of this key
+ */
+ public void putCustomParameter(String key, Object value) {
+ if (customParameters == null)
+ customParameters = new HashMap();
+
+ if (value instanceof String)
+ customParameters.put(key, StringEscapeUtils.escapeHtml((String)value));
+ else
+ customParameters.put(key, StringEscapeUtils.escapeHtml(value.toString()));
+
+ }
+
 /* (non-Javadoc)
 * @see at.gv.egovernment.moa.id.auth.frontend.builder.IGUIBuilderConfiguration#getViewParameters()
 */
diff --git a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/SPSpecificGUIBuilderConfigurationWithDBLoad.java b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/SPSpecificGUIBuilderConfigurationWithDBLoad.java
index 13d8d3bb7..0215afc41 100644
--- a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/SPSpecificGUIBuilderConfigurationWithDBLoad.java
+++ b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/SPSpecificGUIBuilderConfigurationWithDBLoad.java
@@ -56,7 +56,7 @@ public class SPSpecificGUIBuilderConfigurationWithDBLoad extends AbstractService
 super(pendingReq, viewName, formSubmitEndpoint);
 }
-
+
 /* (non-Javadoc)
 * @see at.gv.egovernment.moa.id.auth.frontend.AbstractGUIFormBuilder#getTemplate(java.lang.String)
 */
diff --git a/id/server/moa-id-frontend-resources/src/main/resources/mainGUI/iframeLBKUdetect.html b/id/server/moa-id-frontend-resources/src/main/resources/mainGUI/iframeLBKUdetect.html
index 261e19a33..f54484307 100644
--- a/id/server/moa-id-frontend-resources/src/main/resources/mainGUI/iframeLBKUdetect.html
+++ b/id/server/moa-id-frontend-resources/src/main/resources/mainGUI/iframeLBKUdetect.html
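Review bot: Giving the escaping implementation the old name `putCustomParameter` and renaming the previous non-escaping one to `putCustomParameterWithOutEscaption` changes behavior for every existing caller without a compile error: values a caller had already escaped now come out double-escaped, and any non-String value is flattened to `value.toString()`, which presumably breaks templates that use it as a boolean or a collection. The new method also dereferences a null `value` in `value.toString()` and throws a NullPointerException where the old one stored null; guard it with `if (value == null) { customParameters.put(key, null); return; }` or document that null is rejected. The `instanceof String` branch can go, since `escapeHtml(value.toString())` handles strings identically. Spelling: `putCustomParameterWithoutEscaping` would read as the Javadoc intends. No import for `StringEscapeUtils` is added by this patch, so it must already exist outside the hunk, as does the `customParameters` field.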
@@ -9,7 +9,6 @@ bkuport = (bkuprot == "https:" ? 3496 : 3495); bkupath = "https-security-layer-request"; bkuurl = bkuprot + "//" + bkuhost + ":" + bkuport + "/" + bkupath; - baseurl = location.href.substr(0, location.href.lastIndexOf("/")); //--> @@ -20,7 +19,7 @@ parent.setBKUAvailable(false); document.write('
'); document.write(''); - document.write(''); + document.write(''); document.write('
'); try { document.bkudetectform.submit(); -- cgit v1.2.3