Fix more XSS issues

Fix some XSS issues on the server side.

Change-Id: I5f0b2a1da87666ef56b4d83c1414d66d8f1d3eb6
parent 7d21acba
......@@ -192,6 +192,8 @@
<copy todir="${build.war.dir}/WEB-INF/lib" file="${gwt.sdk}/gwt-servlet-deps.jar" />
<!-- Protocol Buffers -->
<copy todir="${build.war.dir}/WEB-INF/lib" file="${lib.dir}/protobuf/protobuf-2.6.1.jar" />
<!-- OWASP -->
<copy todir="${build.war.dir}/WEB-INF/lib" file="${lib.dir}/owasp/owasp-java-html-sanitizer-20160628.1.jar" />
<!-- Add any additional server libs that need to be copied -->
<copy todir="${build.war.dir}/WEB-INF/lib" flatten="true">
<fileset dir="${appengine.sdk}/lib/user" includes="**/*.jar"/>
......
......@@ -6,28 +6,23 @@
package com.google.appinventor.server;
import com.google.appinventor.server.encryption.EncryptionException;
import com.google.appinventor.server.project.utils.Security;
import com.google.appinventor.server.LocalUser;
import com.google.appinventor.shared.rpc.user.User;
import com.google.appinventor.shared.rpc.RpcResult;
import com.google.appinventor.shared.rpc.user.UserInfoProvider;
import com.google.appinventor.server.storage.StorageIo;
import com.google.appinventor.server.storage.StorageIoInstanceHolder;
import com.google.appinventor.shared.storage.StorageUtil;
import com.google.common.io.ByteStreams;
import com.google.appinventor.server.project.youngandroid.YoungAndroidProjectService;
import com.google.appinventor.shared.rpc.user.User;
import com.google.appinventor.shared.rpc.user.UserInfoProvider;
import java.io.IOException;
import java.io.PrintWriter;
import java.util.logging.Logger;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;
/**
* Servlet to record feedback when an error occurs in the client.
*
......@@ -44,6 +39,8 @@ public class FeedbackServlet extends OdeServlet {
@Override
public void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
PolicyFactory policy = new HtmlPolicyBuilder()
.allowElements("p").toFactory();
String query = req.getQueryString();
String notes = req.getParameter("notes");
String foundIn = req.getParameter("foundIn");
......@@ -53,6 +50,9 @@ public class FeedbackServlet extends OdeServlet {
if (foundIn == null) foundIn = "";
if (faultData == null) faultData = "";
if (projectId == null) projectId = "-1";
notes = policy.sanitize(notes);
foundIn = policy.sanitize(foundIn);
projectId = policy.sanitize(projectId);
PrintWriter out = new PrintWriter(resp.getWriter());
out.println(String.format(template, notes, foundIn, faultData, projectId));
}
......
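Review bot: `faultData` is the one request parameter that still reaches `String.format(template, ...)` on the last hunk line without going through `policy.sanitize`, so unless `template` places it in a non-HTML context (not visible here) the same reflected-XSS path this commit closes for `notes` and `foundIn` stays open through that field; add `faultData = policy.sanitize(faultData);` beside the other three. `projectId` is defaulted to `"-1"` and is presumably numeric, so it is better validated than HTML-sanitized, e.g. `if (!projectId.matches("-?\\d+")) projectId = "-1";`, which also keeps it safe whatever context the template puts it in. Note that an HTML sanitizer yields output that is safe only as element content; if `template` interpolates any of these values into an attribute, a script block or a URL, a context-specific encoder is needed instead. The `PolicyFactory` built inside `doGet` in the earlier hunk is immutable and, as far as I know, thread-safe, so it can be a `private static final` field rather than rebuilt on every request, matching what LoginServlet does with its field. `doGet` continues outside the hunks.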
......@@ -45,6 +45,9 @@ import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;
/**
* LoginServlet -- Handle logging someone in using an email address for a login
* name and a password, which is stored hashed (and salted). Facilities are
......@@ -68,6 +71,7 @@ public class LoginServlet extends HttpServlet {
private static final Flag<Boolean> useGoogle = Flag.createFlag("auth.usegoogle", true);
private static final Flag<Boolean> useLocal = Flag.createFlag("auth.uselocal", false);
private static final UserService userService = UserServiceFactory.getUserService();
private final PolicyFactory sanitizer = new HtmlPolicyBuilder().allowElements("p").toFactory();
public void init(ServletConfig config) throws ServletException {
super.init(config);
......@@ -383,7 +387,7 @@ public class LoginServlet extends HttpServlet {
}
private void fail(HttpServletRequest req, HttpServletResponse resp, String error) throws IOException {
resp.sendRedirect("/login/?error=" + error);
resp.sendRedirect("/login/?error=" + sanitizer.sanitize(error));
return;
}
......
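Review bot: `sanitizer.sanitize(error)` on the changed line is the wrong encoder for this sink: the value is written into a URL query string, where the concern is URL/parameter injection and the right treatment is percent-encoding, e.g. `resp.sendRedirect("/login/?error=" + URLEncoder.encode(error, "UTF-8"));` (with `java.net.URLEncoder` imported). The HTML sanitizer does not percent-encode `&`, `#`, `?` or whitespace, it passes `<p>` through because the policy allows it, and it rewrites a bare `&` as `&amp;`, which the query parser then splits into a new parameter, so it neither makes the URL well-formed nor protects whatever the `/login/` page does with `error`. Whether that page renders `error` as HTML is not visible here; the XSS defence has to be in that page's output encoding, and a safer design is to redirect with a fixed error code and look the message up server-side rather than echo free text through the URL. Keeping an HTML-content sanitizer here gives a false sense of safety. The callers of `fail` are outside the hunk, so it is not visible whether `error` can carry request-derived text.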