SIDP-468 revisited. Do appropriate encoding prior to rendering hyperlinks and data...
authorrdw <rdw@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Thu, 14 Apr 2011 13:15:56 +0000 (13:15 +0000)
committerrdw <rdw@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Thu, 14 Apr 2011 13:15:56 +0000 (13:15 +0000)
git-svn-id: https://subversion.switch.ch/svn/shibboleth/java-idp/branches/REL_2@3015 ab3bd59b-922f-494d-bb5f-6f0a3c29deca

src/main/java/edu/internet2/middleware/shibboleth/idp/ui/ServiceContactTag.java
src/main/java/edu/internet2/middleware/shibboleth/idp/ui/ServiceDescriptionTag.java
src/main/java/edu/internet2/middleware/shibboleth/idp/ui/ServiceLogoTag.java
src/main/java/edu/internet2/middleware/shibboleth/idp/ui/ServiceNameTag.java
src/main/java/edu/internet2/middleware/shibboleth/idp/ui/ServiceTagSupport.java

index b049927..4c69599 100644 (file)
@@ -29,6 +29,8 @@ import org.opensaml.saml2.metadata.EmailAddress;
 import org.opensaml.saml2.metadata.EntityDescriptor;\r
 import org.opensaml.saml2.metadata.GivenName;\r
 import org.opensaml.saml2.metadata.SurName;\r
+import org.owasp.esapi.ESAPI;\r
+import org.owasp.esapi.Encoder;\r
 import org.slf4j.Logger;\r
 import org.slf4j.LoggerFactory;\r
 \r
@@ -99,13 +101,20 @@ public class ServiceContactTag extends ServiceTagSupport {
             }\r
             return buildHyperLink(email, name);\r
         } else {\r
+            Encoder esapiEncoder = ESAPI.encoder();\r
+\r
             //\r
             // No mail, no href\r
             //\r
             if (log.isDebugEnabled()) {\r
                 log.debug("no email found, using name \"" + name + "\" with no hyperlink");\r
             }\r
-            return name.toString();\r
+\r
+            if (null == name) {\r
+                return name;\r
+            } else {\r
+                return esapiEncoder.encodeForHTML(name);\r
+            }\r
         }\r
         \r
     }\r
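Review bot: The name handed to `buildHyperLink(email, name)` on the if branch is still the raw metadata string, while the else branch now HTML-encodes it; unless buildHyperLink encodes its text argument (the version in this commit appends `text` verbatim), the link-text path stays unencoded. Encode in exactly one place: either hoist `Encoder esapiEncoder = ESAPI.encoder();` above the if and pass `esapiEncoder.encodeForHTML(name)`, or have buildHyperLink encode and leave this call as is. The explicit `null == name` check is reasonable; ESAPI's encoder appears to pass null through, but a short comment such as `// keep the null check explicit rather than relying on the encoder` would record that. The enclosing method starts outside the hunk.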
index d96493f..36b58b4 100644 (file)
@@ -30,6 +30,8 @@ import org.opensaml.saml2.metadata.RoleDescriptor;
 import org.opensaml.saml2.metadata.SPSSODescriptor;\r
 import org.opensaml.saml2.metadata.ServiceDescription;\r
 import org.opensaml.samlext.saml2mdui.Description;\r
+import org.owasp.esapi.ESAPI;\r
+import org.owasp.esapi.Encoder;\r
 import org.slf4j.Logger;\r
 import org.slf4j.LoggerFactory;\r
 \r
@@ -117,6 +119,7 @@ public class ServiceDescriptionTag extends ServiceTagSupport {
     @Override\r
     public int doEndTag() throws JspException {\r
        \r
+        Encoder esapiEncoder = ESAPI.encoder();\r
         String result;\r
         //\r
         // UIInfoirst\r
@@ -140,6 +143,7 @@ public class ServiceDescriptionTag extends ServiceTagSupport {
                     }\r
                 }\r
             } else {\r
+                result = esapiEncoder.encodeForHTML(result);\r
                 pageContext.getOut().print(result);\r
             }\r
         } catch (IOException e) {\r
index db09d30..8000aa8 100644 (file)
 package edu.internet2.middleware.shibboleth.idp.ui;\r
 \r
 import java.io.IOException;\r
+import java.net.URI;\r
+import java.net.URISyntaxException;\r
 \r
 import javax.servlet.jsp.JspException;\r
 import javax.servlet.jsp.JspWriter;\r
 import javax.servlet.jsp.tagext.BodyContent;\r
 \r
 import org.opensaml.samlext.saml2mdui.Logo;\r
+import org.owasp.esapi.ESAPI;\r
+import org.owasp.esapi.Encoder;\r
+import org.owasp.esapi.errors.EncodingException;\r
 import org.slf4j.Logger;\r
 import org.slf4j.LoggerFactory;\r
 \r
@@ -127,13 +132,35 @@ public class ServiceLogoTag extends ServiceTagSupport {
      */\r
     private String getHyperlink() {\r
         String url = getLogoFromUIInfo();\r
+        String encodedURL;\r
         StringBuilder sb;\r
+        Encoder esapiEncoder = ESAPI.encoder();\r
         \r
         if (null == url) {\r
             return null;\r
         }\r
+        \r
+        try {\r
+            URI theUrl = new URI(url);\r
+            String scheme = theUrl.getScheme();\r
+    \r
+            if (!"http".equals(scheme) && !"https".equals(scheme) && !"mailto".equals(scheme)) {\r
+                log.warn("The logo URL " + url + " contained an invalid scheme");\r
+                return null;\r
+            }\r
+        } catch (URISyntaxException e) {\r
+            //\r
+            // Could not encode\r
+            //\r
+            log.warn("The logo URL " + url + " was not a URL " + e.toString());\r
+            return null;\r
+        }\r
+        \r
+        \r
+        encodedURL = esapiEncoder.encodeForHTMLAttribute(url);\r
+\r
         sb = new StringBuilder("<img src=\"");\r
-        sb.append(url).append('"');\r
+        sb.append(encodedURL).append('"');\r
         addClassAndId(sb);\r
         sb.append("/>");\r
         return sb.toString();\r
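Review bot: The scheme whitelist at the `if (!"http".equals(scheme) ...` line admits `mailto`, which can never be a usable `<img src>`; it looks copied from buildHyperLink and should read `if (!"http".equals(scheme) && !"https".equals(scheme)) {` here. `getScheme()` returns the scheme as written, so upper-case schemes are rejected as well, which is conservative but worth a one-line comment. The `org.owasp.esapi.errors.EncodingException` import added above is not used by this method; if nothing else in the file uses it, drop it. The warn messages interpolate the rejected `url` verbatim, so a value containing line breaks reaches the log unescaped.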
index 9c5a435..dfb606f 100644 (file)
@@ -32,6 +32,8 @@ import org.opensaml.saml2.metadata.RoleDescriptor;
 import org.opensaml.saml2.metadata.SPSSODescriptor;\r
 import org.opensaml.saml2.metadata.ServiceName;\r
 import org.opensaml.samlext.saml2mdui.DisplayName;\r
+import org.owasp.esapi.ESAPI;\r
+import org.owasp.esapi.Encoder;\r
 import org.slf4j.Logger;\r
 import org.slf4j.LoggerFactory;\r
 \r
@@ -194,7 +196,11 @@ public class ServiceNameTag extends ServiceTagSupport {
     public int doStartTag() throws JspException {\r
        \r
         try {\r
-            String serviceName = getServiceName();\r
+            String rawServiceName = getServiceName();\r
+            \r
+            Encoder esapiEncoder = ESAPI.encoder();\r
+            \r
+            String serviceName = esapiEncoder.encodeForHTML(rawServiceName);\r
             \r
             if (null == serviceName) {\r
                 BodyContent bc = getBodyContent();\r
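Review bot: The null check at `if (null == serviceName)` now tests the encoder's output rather than `getServiceName()`'s result, so it depends on `encodeForHTML` passing a null through unchanged. Making that explicit keeps the logic independent of ESAPI's null handling: `String serviceName = (null == rawServiceName) ? null : esapiEncoder.encodeForHTML(rawServiceName);`. doStartTag continues past the end of the hunk.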
index c695d2d..0ecb581 100644 (file)
@@ -16,6 +16,9 @@
 \r
 package edu.internet2.middleware.shibboleth.idp.ui;\r
 \r
+import java.net.URI;\r
+import java.net.URISyntaxException;\r
+\r
 import javax.servlet.ServletContext;\r
 import javax.servlet.http.HttpServletRequest;\r
 import javax.servlet.jsp.tagext.BodyTagSupport;\r
@@ -26,6 +29,11 @@ import org.opensaml.saml2.metadata.RoleDescriptor;
 import org.opensaml.saml2.metadata.SPSSODescriptor;\r
 import org.opensaml.samlext.saml2mdui.UIInfo;\r
 import org.opensaml.xml.XMLObject;\r
+import org.owasp.esapi.ESAPI;\r
+import org.owasp.esapi.Encoder;\r
+import org.owasp.esapi.errors.EncodingException;\r
+import org.slf4j.Logger;\r
+import org.slf4j.LoggerFactory;\r
 \r
 import edu.internet2.middleware.shibboleth.common.relyingparty.RelyingPartyConfigurationManager;\r
 import edu.internet2.middleware.shibboleth.idp.authn.LoginContext;\r
@@ -47,6 +55,9 @@ public class ServiceTagSupport extends BodyTagSupport{
      * checkstyle requires this serialization info.\r
      */\r
     private static final long serialVersionUID = 7988646597267865255L;\r
+    \r
+    /** Class logger. */\r
+    private static Logger log = LoggerFactory.getLogger(ServiceTagSupport.class);\r
 \r
     /** Bean storage. class reference*/\r
     private String cssClass;\r
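Review bot: The new logger at `private static Logger log` is never reassigned and should be declared `private static final Logger log = LoggerFactory.getLogger(ServiceTagSupport.class);`. Since it is private, each subclass in this commit still needs its own logger, which is consistent with the `log` the ServiceLogoTag hunk uses.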
@@ -98,8 +109,28 @@ public class ServiceTagSupport extends BodyTagSupport{
      * @return the hyperlink.\r
      */\r
     protected String buildHyperLink(String url, String text) {\r
+        String encodedUrl;\r
+        Encoder esapiEncoder = ESAPI.encoder();\r
+       \r
+        try {\r
+            URI theUrl = new URI(url);\r
+            String scheme = theUrl.getScheme();\r
+\r
+            if (!"http".equals(scheme) && !"https".equals(scheme) && !"mailto".equals(scheme)) {\r
+                log.warn("The URL " + url + " contained an invalid scheme");\r
+                return "";\r
+            }\r
+            encodedUrl = esapiEncoder.encodeForHTMLAttribute(url);\r
+        } catch (URISyntaxException e) {\r
+            // \r
+            // It wasn't an URI.\r
+            //\r
+            log.warn("The URL " + url + " was invalid: " + e.toString());\r
+            return "";\r
+        }\r
+        \r
         StringBuilder sb = new StringBuilder("<a href=\"");\r
-        sb.append(url).append('"');\r
+        sb.append(encodedUrl).append('"');\r
         addClassAndId(sb);\r
         sb.append(">").append(text).append("</a>");\r
         return sb.toString();\r
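Review bot: `text` is still appended verbatim at `sb.append(">").append(text).append("</a>")`, so the new attribute encoding of `url` leaves the link body unencoded; either encode here with `append(esapiEncoder.encodeForHTML(text))` or state in the Javadoc that callers must pass HTML-encoded text (ServiceContactTag in this commit passes the raw name). A null `url` now reaches `new URI(url)` and throws NullPointerException, which the `URISyntaxException` catch does not cover, whereas before it was appended as the string "null"; a guard `if (null == url) { return ""; }` before the try keeps the method total. The Javadoc above should also document the new contract that an unparseable or non-http/https/mailto URL yields `""`. The `EncodingException` import added in the earlier hunk is not used here.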