From 765a7e791fe3879acefd0ac6b466432b2921fdc5 Mon Sep 17 00:00:00 2001
From: Steve Ikeoka
Date: Tue, 10 Oct 2023 09:31:41 -0700
Subject: [PATCH] [GWC-1171] Improve handling special characters in the GWC Demos Page
---
 .../geowebcache/GeoWebCacheDispatcher.java | 12 +-
 .../main/java/org/geowebcache/demo/Demo.java | 63 +++++----
 .../test/java/org/geowebcache/DemoTest.java | 125 +++++++++++++++++-
 3 files changed, 168 insertions(+), 32 deletions(-)
diff --git a/geowebcache/core/src/main/java/org/geowebcache/GeoWebCacheDispatcher.java b/geowebcache/core/src/main/java/org/geowebcache/GeoWebCacheDispatcher.java
index b8a5a3758..3d155116f 100644
--- a/geowebcache/core/src/main/java/org/geowebcache/GeoWebCacheDispatcher.java
+++ b/geowebcache/core/src/main/java/org/geowebcache/GeoWebCacheDispatcher.java
@@ -14,6 +14,8 @@
 */
 package org.geowebcache;
+import static org.apache.commons.text.StringEscapeUtils.escapeHtml4;
+
 import java.io.File;
 import java.io.IOException;
 import java.io.InputStream;
@@ -473,7 +475,7 @@ private void handleFrontPage(HttpServletRequest request, HttpServletResponse res
 baseUrl = "";
 } else {
 String[] strs = request.getRequestURL().toString().split("/");
- baseUrl = strs[strs.length - 1] + "/";
+ baseUrl = escapeHtml4(strs[strs.length - 1]) + "/";
 }
 StringBuilder str = new StringBuilder();
@@ -576,10 +578,10 @@ private void appendStorageLocations(StringBuilder str) {
 LOG.log(Level.SEVERE, "Could not find local cache location", ex);
 }
 str.append("Config file:") .append(configLoc)
+ .append(escapeHtml4(configLoc))
 .append("");
 str.append("Local Storage:") .append(localStorageLoc)
+ .append(escapeHtml4(localStorageLoc))
 .append("");
 str.append("");
 if (!blobStoreLocations.isEmpty()) {
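Review bot: `baseUrl = escapeHtml4(strs[strs.length - 1]) + "/"` applies an HTML-body escaper to a path segment lifted from the request URL; that closes tag and double-quoted-attribute break-out, but escapeHtml4 does not encode `'` and leaves URL-significant characters (`%`, `?`, `#`, space) untouched, so whether this is sufficient depends on how baseUrl is concatenated later, which is outside the hunk. If baseUrl ends up inside an href, the segment should be URL-encoded first, e.g. `URLEncoder.encode(strs[strs.length - 1], StandardCharsets.UTF_8)`, and then attribute-encoded where it is written into the page. A short comment would help the next reader, e.g. `// last path segment of the request URL is client-controlled; escape before it reaches the page`. handleFrontPage starts before and continues after this hunk.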
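Review bot: `.append(escapeHtml4(configLoc))` and `.append(escapeHtml4(localStorageLoc))` fix the rendering, but these values are server filesystem paths being written into the front page; if that page is reachable without authentication this remains an information-disclosure issue the commit does not address, so consider gating the storage section behind an admin check or omitting the paths from the unauthenticated view. The SEVERE log just above suggests the location lookup can fail and leave the value unset, and `escapeHtml4(null)` returns null, which StringBuilder renders as the literal text `null`; a fallback such as `.append(localStorageLoc == null ? "(unavailable)" : escapeHtml4(localStorageLoc))` would read better. appendStorageLocations continues outside this hunk.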
@@ -587,9 +589,9 @@ private void appendStorageLocations(StringBuilder str) {
 str.append("Blob Stores");
 for (Map.Entry e : blobStoreLocations.entrySet()) {
 str.append("")
- .append(e.getKey())
+ .append(escapeHtml4(e.getKey()))
 .append(":")
- .append(e.getValue())
+ .append(escapeHtml4(e.getValue()))
 .append("");
 }
 str.append("");
diff --git a/geowebcache/core/src/main/java/org/geowebcache/demo/Demo.java b/geowebcache/core/src/main/java/org/geowebcache/demo/Demo.java
index b341f8924..f5d4c9a81 100644
--- a/geowebcache/core/src/main/java/org/geowebcache/demo/Demo.java
+++ b/geowebcache/core/src/main/java/org/geowebcache/demo/Demo.java
@@ -14,6 +14,9 @@
 */
 package org.geowebcache.demo;
+import static org.apache.commons.text.StringEscapeUtils.escapeHtml4;
+import static org.owasp.encoder.Encode.forJavaScript;
+
 import java.io.IOException;
 import java.util.ArrayList;
 import java.util.Arrays;
@@ -25,10 +28,12 @@
 import java.util.Set;
 import java.util.TreeMap;
 import java.util.TreeSet;
+import java.util.logging.Level;
+import java.util.logging.Logger;
 import java.util.stream.Collectors;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
-import org.apache.commons.text.StringEscapeUtils;
+import org.geotools.util.logging.Logging;
 import org.geowebcache.GeoWebCacheException;
 import org.geowebcache.filter.parameters.FloatParameterFilter;
 import org.geowebcache.filter.parameters.ParameterFilter;
@@ -45,10 +50,13 @@
 import org.geowebcache.mime.MimeType;
 import org.geowebcache.mime.XMLMime;
 import org.geowebcache.util.ServletUtils;
+import org.owasp.encoder.Encode;
 import org.springframework.util.Assert;
 public class Demo {
+ private static Logger LOGGER = Logging.getLogger(Demo.class.getName());
+
 public static void makeMap(
 TileLayerDispatcher tileLayerDispatcher,
 GridSetBroker gridSetBroker,
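Review bot: The import block now brings in two escaping libraries for the same page, `StringEscapeUtils.escapeHtml4` from commons-text and `Encode.forJavaScript` from the OWASP encoder, and they do not behave alike: escapeHtml4 does not encode the single quote, so any value that lands in a single-quoted attribute or inside an inline script must go through the OWASP encoder instead, and a reader cannot tell from the call site which context each escape was meant for. Standardising on `Encode.forHtml`, `Encode.forHtmlAttribute` and `Encode.forJavaScript` (the class is imported by this same commit) would remove that trap and make the insertion context explicit. Since `import org.owasp.encoder.Encode;` is also added, the static import of `forJavaScript` is redundant; keep one form.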
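Review bot: `private static Logger LOGGER = Logging.getLogger(Demo.class.getName());` should be declared `private static final Logger LOGGER = Logging.getLogger(Demo.class.getName());` — a non-final static logger can be reassigned by accident and the final form is the conventional one for a class-level logger. makeMap's signature begins in this hunk and its body continues outside it.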
@@ -97,7 +105,7 @@ public static void makeMap(
 response.sendRedirect( response.encodeRedirectURL(reqUri.substring(0, reqUri.length() - 1)));
 } catch (IOException e) {
- e.printStackTrace();
+ LOGGER.log(Level.WARNING, "Error sending redirect response", e);
 }
 return;
 } else {
@@ -181,11 +189,12 @@ private static void tableRows(
 if (!layer.isAdvertised()) {
 continue;
 }
+ String escapedLayerName = escapeHtml4(layer.getName());
 buf.append("")
- .append(layer.getName())
+ .append(escapedLayerName)
 .append("
\n"); buf.append("Seed this layer\n"); buf.append("").append(layer.isEnabled()).append(""); buf.append(""); @@ -196,6 +205,7 @@ private static void tableRows( if (gridSetName.length() > 20) { gridSetName = gridSetName.substring(0, 20) + "..."; } + gridSetName = escapeHtml4(gridSetName); buf.append("
").append(gridSetName); buf.append("OpenLayers: ["); @@ -205,8 +215,8 @@ private static void tableRows( .map( type -> generateDemoUrl( - layer.getName(), - gridSubset.getName(), + escapedLayerName, + escapeHtml4(gridSubset.getName()), type)) .collect(Collectors.joining(", "))); @@ -239,12 +249,12 @@ private static void outputKMLSupport(StringBuffer buf, TileLayer layer) { if (type == XMLMime.kmz) { return String.format( "kmz", - prefix, layer.getName()); + prefix, escapeHtml4(layer.getName())); } else { return String.format( "%s", prefix, - layer.getName(), + escapeHtml4(layer.getName()), type.getFileExtension(), type.getFileExtension()); } @@ -287,9 +297,9 @@ private static String generateHTML(TileLayer layer, String gridSetStr, String fo buf.append("\n"); buf.append("\n" + "") - .append(layerName); - buf.append(" ").append(gridSubset.getName()); - buf.append(" ").append(formatStr); + .append(escapeHtml4(layerName)); + buf.append(" ").append(escapeHtml4(gridSubset.getName())); + buf.append(" ").append(escapeHtml4(formatStr)); buf.append("\n"); buf.append( "