encoding improvement for my frontend.

jvorhauer · Feb 22, 2024 · 5c17306 · 5c17306
1 parent 729004a
commit 5c17306
Show file tree

Hide file tree

Showing 9 changed files with 24 additions and 20 deletions.
diff --git a/build.gradle.kts b/build.gradle.kts
@@ -71,7 +71,6 @@ dependencies {
 
   implementation("io.hypersistence:hypersistence-tsid:2.1.1")
   implementation("io.netty:netty-all:4.1.106.Final")
-  implementation("org.owasp.encoder:encoder:1.2.3")
   implementation("io.github.microutils:kotlin-logging-jvm:3.0.5")
   implementation("ch.qos.logback:logback-classic:1.4.14")
   implementation("io.sentry:sentry:7.2.0")

diff --git a/deploy/deployment.yaml b/deploy/deployment.yaml
@@ -12,7 +12,7 @@ spec:
     spec:
       containers:
         - name: konomas
-          image: ghcr.io/jvorhauer/konomas:1.0.12
+          image: ghcr.io/jvorhauer/konomas:1.0.13
           env:
             - name: ASTRA_USERNAME
               valueFrom:

diff --git a/src/main/kotlin/blog/model/Note.kt b/src/main/kotlin/blog/model/Note.kt
@@ -7,7 +7,6 @@ import akka.actor.typed.ActorRef
 import akka.actor.typed.Scheduler
 import akka.actor.typed.javadsl.AskPattern
 import akka.pattern.StatusReply
-import org.owasp.encoder.Encode
 import io.hypersistence.tsid.TSID
 import io.ktor.http.*
 import io.ktor.server.application.*
@@ -19,11 +18,11 @@ import kotlinx.coroutines.future.await
 import blog.read.Reader
 
 data class CreateNoteRequest(val title: String, val body: String) {
-  fun toCommand(user: String, replyTo: ActorRef<StatusReply<NoteResponse>>) = CreateNote(user, Encode.forHtml(title), Encode.forHtml(body), replyTo)
+  fun toCommand(user: String, replyTo: ActorRef<StatusReply<NoteResponse>>) = CreateNote(user, title.encode(), body.encode(), replyTo)
 }
 
 data class UpdateNoteRequest(val id: String, val title: String?, val body: String?) {
-  fun toCommand(user: String, rt: ActorRef<StatusReply<NoteResponse>>) = UpdateNote(user, id, title.encode(), body.encode(), rt)
+  fun toCommand(user: String, rt: ActorRef<StatusReply<NoteResponse>>) = UpdateNote(user, id, title.mencode(), body.mencode(), rt)
 }
 
 data class CreateNote(

diff --git a/src/main/kotlin/blog/model/Task.kt b/src/main/kotlin/blog/model/Task.kt
@@ -8,7 +8,6 @@ import akka.actor.typed.ActorRef
 import akka.actor.typed.Scheduler
 import akka.actor.typed.javadsl.AskPattern.ask
 import akka.pattern.StatusReply
-import org.owasp.encoder.Encode
 import io.hypersistence.tsid.TSID
 import io.ktor.http.*
 import io.ktor.server.application.*
@@ -49,11 +48,11 @@ data class Task(
 }
 
 data class CreateTaskRequest(val title: String, val body: String, val due: LocalDateTime): Request {
-  fun toCommand(user: String, replyTo: ActorRef<StatusReply<TaskResponse>>) = CreateTask(user, Encode.forHtml(title), Encode.forHtml(body), due, replyTo)
+  fun toCommand(user: String, replyTo: ActorRef<StatusReply<TaskResponse>>) = CreateTask(user, title.encode(), body.encode(), due, replyTo)
 }
 
 data class UpdateTaskRequest(val id: String, val title: String?, val body: String?, val due: LocalDateTime?, val status: TaskStatus?): Request {
-  fun toCommand(user: String, replyTo: ActorRef<StatusReply<TaskResponse>>) = UpdateTask(user, id, title.encode(), body.encode(), due, status, replyTo)
+  fun toCommand(user: String, replyTo: ActorRef<StatusReply<TaskResponse>>) = UpdateTask(user, id, title.mencode(), body.mencode(), due, status, replyTo)
 }
 
 

diff --git a/src/main/kotlin/blog/model/User.kt b/src/main/kotlin/blog/model/User.kt
@@ -10,7 +10,6 @@ import akka.actor.typed.javadsl.AskPattern.ask
 import akka.pattern.StatusReply
 import com.auth0.jwt.JWT
 import com.auth0.jwt.algorithms.Algorithm
-import org.owasp.encoder.Encode
 import io.hypersistence.tsid.TSID
 import io.ktor.http.*
 import io.ktor.http.HttpStatusCode.Companion.BadRequest
@@ -44,7 +43,7 @@ data class CreateUser(
 ) : Command {
   constructor(rur: RegisterUserRequest, replyTo: ActorRef<StatusReply<User>>) : this(rur.email, rur.name, rur.password, replyTo)
 
-  fun toEvent() = UserCreated(id, Encode.forHtml(email), Encode.forHtml(name), password.hashed())
+  fun toEvent() = UserCreated(id, email, name.encode(), password.hashed())
 }
 
 // Events

diff --git a/src/main/kotlin/blog/model/model.kt b/src/main/kotlin/blog/model/model.kt
@@ -9,7 +9,6 @@ import java.time.Duration
 import java.time.LocalDateTime
 import java.time.format.DateTimeFormatter
 import java.util.Locale
-import org.owasp.encoder.Encode
 import io.hypersistence.tsid.TSID
 import io.ktor.server.application.*
 import io.ktor.server.auth.*
@@ -44,7 +43,10 @@ fun nextId(): String = idFactory.generate().toString()
 fun slugify(s: String): String = s.trim().replace("  ", " ").lowercase().replace("[^ a-z0-9]".toRegex(), "").replace(' ', '-')
 
 fun String.hashed() = Hasher.hash(this)
-fun String?.encode(): String? = if (this == null) null else Encode.forHtml(this)
+fun doEncode(str: String): String = str.replace('<', '[').replace('>', ']')
+fun doMEncode(str: String?): String? = if (str != null) doEncode(str) else null
+fun String.encode(): String = doEncode(this)
+fun String?.mencode(): String? = doMEncode(this)
 
 data class Counts(
   val users: Int,

diff --git a/src/test/kotlin/blog/ApiTests.kt b/src/test/kotlin/blog/ApiTests.kt
@@ -245,7 +245,6 @@ class ApiTests {
       assertThat(response.status).isEqualTo(HttpStatusCode.OK)
       val ur = response.body<UserResponse>()
       assertThat(ur.tasks).hasSize(1)
-      println("ur: $ur")
 
       response = client.get("http://localhost:8181/info/counts")
       println(response.body<Counts>())

diff --git a/src/test/kotlin/blog/MainTest.kt b/src/test/kotlin/blog/MainTest.kt
@@ -28,6 +28,7 @@ import io.ktor.server.routing.*
 import org.assertj.core.api.Assertions.assertThat
 import org.junit.jupiter.api.Test
 import java.util.UUID
+import blog.model.encode
 
 object MainTest {
 
@@ -100,4 +101,16 @@ class MainTests {
     assertThat(kfg.server.host).isEqualTo("localhost")
     println("kfg: $kfg")
   }
+
+  @Test
+  fun testEncoding() {
+    var str = "Test with <h1>html tags</h1>"
+    assertThat(str.encode()).doesNotContain("<").doesNotContain(">")
+
+    str = "Test with \" and & and '"
+    assertThat(str.encode()).isEqualTo(str)
+
+    str = "and now with [h1]square brackets[/h1]"
+    assertThat(str.encode()).isEqualTo(str)
+  }
 }
diff --git a/src/test/kotlin/blog/model/NoteTests.kt b/src/test/kotlin/blog/model/NoteTests.kt
@@ -1,12 +1,11 @@
 package blog.model
 
+import java.util.UUID
 import akka.Done
 import akka.actor.testkit.typed.javadsl.TestKitJunitResource
 import akka.pattern.StatusReply
 import org.assertj.core.api.Assertions.assertThat
 import org.junit.jupiter.api.Test
-import java.util.UUID
-import org.owasp.encoder.Encode
 
 class NoteTests {
 
@@ -66,11 +65,6 @@ class NoteTests {
     assertThat(updated.user).isEqualTo(userId)
     assertThat(updated.title).isEqualTo(run.title)
     assertThat(updated.body).isEqualTo(run.body)
-
-    var str = Encode.forHtml("")
-    assertThat(str).isEmpty()
-    str = Encode.forHtml(null)
-    assertThat(str).isNotNull();
   }
 
   @Test