Commit 8f3f6bb

committed

Prevent XSS injection through user metadata

1 parent 5573057 commit 8f3f6bbCopy full SHA for 8f3f6bb

File tree

2 files changed

+26

-2

lines changed

logicaldoc-core/src
- main/java/com/logicaldoc/core/security/user
  - HibernateUserDAO.java
- test/java/com/logicaldoc/core/security/user
  - HibernateUserDAOTest.java

2 files changed

+26

-2

lines changed

`‎logicaldoc-core/src/main/java/com/logicaldoc/core/security/user/HibernateUserDAO.java‎`

Lines changed: 23 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -31,6 +31,7 @@`
`31`	`31`	`import com.logicaldoc.i18n.I18N;`
`32`	`32`	`import com.logicaldoc.util.StringUtil;`
`33`	`33`	`import com.logicaldoc.util.config.ContextProperties;`
	`34`	`+import com.logicaldoc.util.html.HTMLSanitizer;`
`34`	`35`	`import com.logicaldoc.util.security.PasswordCriteria;`
`35`	`36`	`import com.logicaldoc.util.security.PasswordValidator;`
`36`	`37`	`import com.logicaldoc.util.spring.Context;`
`@@ -210,6 +211,8 @@ public void store(User user, UserHistory transaction) throws PasswordAlreadyUsed`
`210`	`211`
`211`	`212`	`validateUsernameUniquenes(user, newUser);`
`212`	`213`
	`214`	`+ sanitize(user);`
	`215`	`+`
`213`	`216`	`if (user.getType() == UserType.SYSTEM)`
`214`	`217`	`user.setType(UserType.DEFAULT);`
`215`	`218`
`@@ -272,6 +275,26 @@ public void store(User user, UserHistory transaction) throws PasswordAlreadyUsed`
`272`	`275`	`saveEnabledOrDisabledHistory(user, transaction, enabledStatusChanged);`
`273`	`276`	`}`
`274`	`277`
	`278`	`+ /**`
	`279`	`+ * Sanitizes the text properties of a user`
	`280`	`+ *`
	`281`	`+ * @param user the user to sanitize`
	`282`	`+ */`
	`283`	`+ private void sanitize(User user) {`
	`284`	`+ user.setName(HTMLSanitizer.sanitizeSimpleText(user.getName()));`
	`285`	`+ user.setFirstName(HTMLSanitizer.sanitizeSimpleText(user.getFirstName()));`
	`286`	`+ user.setCity(HTMLSanitizer.sanitizeSimpleText(user.getCity()));`
	`287`	`+ user.setBuilding(HTMLSanitizer.sanitizeSimpleText(user.getBuilding()));`
	`288`	`+ user.setCompany(HTMLSanitizer.sanitizeSimpleText(user.getCompany()));`
	`289`	`+ user.setCountry(HTMLSanitizer.sanitizeSimpleText(user.getCountry()));`
	`290`	`+ user.setDepartment(HTMLSanitizer.sanitizeSimpleText(user.getDepartment()));`
	`291`	`+ user.setPostalcode(HTMLSanitizer.sanitizeSimpleText(user.getPostalcode()));`
	`292`	`+ user.setState(HTMLSanitizer.sanitizeSimpleText(user.getState()));`
	`293`	`+ user.setStreet(HTMLSanitizer.sanitizeSimpleText(user.getStreet()));`
	`294`	`+ user.setTelephone(HTMLSanitizer.sanitizeSimpleText(user.getTelephone()));`
	`295`	`+ user.setTelephone2(HTMLSanitizer.sanitizeSimpleText(user.getTelephone2()));`
	`296`	`+ }`
	`297`	`+`
`275`	`298`	`private void validateUsernameUniquenes(User user, boolean newUser) throws PersistenceException {`
`276`	`299`	`if (newUser && findByUsernameIgnoreCase(user.getUsername()) != null)`
`277`	`300`	`throw new PersistenceException(String.format(`

`‎logicaldoc-core/src/test/java/com/logicaldoc/core/security/user/HibernateUserDAOTest.java‎`

Lines changed: 3 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -198,13 +198,12 @@ public void testFindByUserNameAndName() throws PersistenceException {`
`198`	`198`
`199`	`199`	`@Test`
`200`	`200`	`public void testStore() throws PersistenceException, NoSuchAlgorithmException {`
`201`		`-`
`202`	`201`	`String pswd = PasswordGenerator.generate(12, 2, 2, 2, 2, 2, 2);`
`203`	`202`	`User user = new User();`
`204`	`203`	`user.setUsername("xxx");`
`205`	`204`	`user.setDecodedPassword(pswd);`
`206`	`205`	`user.setName("claus");`
`207`		`- user.setFirstName("valca");`
	`206`	`+ user.setFirstName("<h1>valca</h1>");`
`208`	`207`	`user.setEmail("valca@acme.com");`
`209`	`208`
`210`	`209`	`WorkingTime wt = new WorkingTime(1, 5, 30);`
`@@ -217,6 +216,8 @@ public void testStore() throws PersistenceException, NoSuchAlgorithmException {`
`217`	`216`	`testSubject.store(user, transaction);`
`218`	`217`	`assertNotNull(groupDao.findByName(user.getUserGroupName(), 1));`
`219`	`218`
	`219`	`+ assertEquals("valca", user.getFirstName());`
	`220`	`+`
`220`	`221`	`user = testSubject.findById(user.getId());`
`221`	`222`	`testSubject.initialize(user);`
`222`	`223`	`user.addGroup(groupDao.findById(1L));`

0 commit comments

Comments

(0)

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit 8f3f6bb

File tree

2 files changed

2 files changed

`‎logicaldoc-core/src/main/java/com/logicaldoc/core/security/user/HibernateUserDAO.java‎`

`‎logicaldoc-core/src/test/java/com/logicaldoc/core/security/user/HibernateUserDAOTest.java‎`

0 commit comments