escape html entities of changesets to fix possible xss

2025-11-12 00:15:44 +01:00 · 2012-04-24 21:04:17 +02:00
parent 945dbba396
commit f5ab7aa931
2 changed files with 121 additions and 6 deletions
--- a/scm-core/src/main/java/sonia/scm/repository/ChangesetViewerUtil.java
+++ b/scm-core/src/main/java/sonia/scm/repository/ChangesetViewerUtil.java
@@ -35,8 +35,11 @@ package sonia.scm.repository;

 //~--- non-JDK imports --------------------------------------------------------

+import com.google.common.collect.Lists;
 import com.google.inject.Inject;

+import org.apache.commons.lang.StringEscapeUtils;
+
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;

@@ -51,6 +54,7 @@ import sonia.scm.util.Util;
 import java.io.IOException;

 import java.util.Arrays;
+import java.util.List;
 import java.util.Set;

 /**
@@ -136,8 +140,7 @@ public class ChangesetViewerUtil extends PartCacheClearHook

      if (changeset != null)
      {
-        callPreProcessors(changeset);
-        callPreProcessorFactories(repository, changeset);
+        prepareForReturn(repository, changeset);
        result = new ChangesetPagingResult(1, Arrays.asList(changeset));
        cache.put(key, result);
      }
@@ -301,8 +304,7 @@ public class ChangesetViewerUtil extends PartCacheClearHook
      {
        if (Util.isNotEmpty(result.getChangesets()))
        {
-          callPreProcessors(result);
-          callPreProcessorFactories(repository, result);
+          prepareForReturn(repository, result);
        }

        cache.put(key, result);
@@ -365,8 +367,7 @@ public class ChangesetViewerUtil extends PartCacheClearHook
      {
        if (Util.isNotEmpty(result.getChangesets()))
        {
-          callPreProcessors(result);
-          callPreProcessorFactories(repository, result);
+          prepareForReturn(repository, result);
        }

        cache.put(key, result);
@@ -470,6 +471,109 @@ public class ChangesetViewerUtil extends PartCacheClearHook
    }
  }

+  /**
+   * Method description
+   *
+   *
+   * @param changeset
+   */
+  private void escape(Changeset changeset)
+  {
+    changeset.setDescription(escape(changeset.getDescription()));
+
+    Person person = changeset.getAuthor();
+
+    if (person != null)
+    {
+      person.setName(escape(person.getName()));
+      person.setMail(escape(person.getMail()));
+    }
+
+    changeset.setBranches(escapeList(changeset.getBranches()));
+    changeset.setTags(escapeList(changeset.getTags()));
+  }
+
+  /**
+   * Method description
+   *
+   *
+   * @param result
+   */
+  private void escape(ChangesetPagingResult result)
+  {
+    for (Changeset c : result)
+    {
+      escape(c);
+    }
+  }
+
+  /**
+   * Method description
+   *
+   *
+   * @param value
+   *
+   * @return
+   */
+  private String escape(String value)
+  {
+    return StringEscapeUtils.escapeHtml(value);
+  }
+
+  /**
+   * Method description
+   *
+   *
+   * @param values
+   *
+   * @return
+   */
+  private List<String> escapeList(List<String> values)
+  {
+    if (Util.isNotEmpty(values))
+    {
+      List<String> newList = Lists.newArrayList();
+
+      for (String v : values)
+      {
+        newList.add(StringEscapeUtils.escapeHtml(v));
+      }
+
+      values = newList;
+    }
+
+    return values;
+  }
+
+  /**
+   * Method description
+   *
+   *
+   * @param repository
+   * @param result
+   */
+  private void prepareForReturn(Repository repository,
+                                ChangesetPagingResult result)
+  {
+    escape(result);
+    callPreProcessors(result);
+    callPreProcessorFactories(repository, result);
+  }
+
+  /**
+   * Method description
+   *
+   *
+   * @param repository
+   * @param changeset
+   */
+  private void prepareForReturn(Repository repository, Changeset changeset)
+  {
+    escape(changeset);
+    callPreProcessors(changeset);
+    callPreProcessorFactories(repository, changeset);
+  }
+
  //~--- inner classes --------------------------------------------------------

  /**