From 95f96b07611261430238b0e27e758ab2b9c9fbbd Mon Sep 17 00:00:00 2001 From: Harald Pehl Date: Thu, 21 Nov 2024 15:54:54 +0100 Subject: [PATCH] Make custom URL safe --- .../ConfigurationChangeDisplay.java | 4 ++-- .../subsystem/jaxrs/RestResourcePreview.java | 10 ++++------ .../subsystem/undertow/DeploymentPreview.java | 4 +--- .../hal/core/runtime/server/ServerActions.java | 15 ++++++--------- .../jboss/hal/core/runtime/server/ServerUrl.java | 7 +++++-- 5 files changed, 18 insertions(+), 22 deletions(-) diff --git a/app/src/main/java/org/jboss/hal/client/runtime/configurationchanges/ConfigurationChangeDisplay.java b/app/src/main/java/org/jboss/hal/client/runtime/configurationchanges/ConfigurationChangeDisplay.java index 9f32edffd6..92afbcaf6b 100644 --- a/app/src/main/java/org/jboss/hal/client/runtime/configurationchanges/ConfigurationChangeDisplay.java +++ b/app/src/main/java/org/jboss/hal/client/runtime/configurationchanges/ConfigurationChangeDisplay.java @@ -25,7 +25,6 @@ import org.jboss.hal.dmr.ResourceAddress; import org.jboss.hal.resources.Ids; import org.jboss.hal.resources.Resources; - import com.google.gwt.safehtml.shared.SafeHtml; import com.google.gwt.safehtml.shared.SafeHtmlBuilder; import com.google.gwt.safehtml.shared.SafeHtmlUtils; @@ -109,8 +108,9 @@ public SafeHtml getDescriptionHtml() { boolean allowedProperties = !(prop.getName().equals(OPERATION) || prop.getName() .equals(ADDRESS) || prop.getName().equals(OPERATION_HEADERS)); if (allowedProperties) { + String safeValue = SafeHtmlUtils.htmlEscape(prop.getValue().asString()); html.append(SafeHtmlUtils.fromTrustedString( - "    " + prop.getName() + COLON + prop.getValue() + "
")); + "    " + prop.getName() + COLON + safeValue + "
")); } }); }); diff --git a/app/src/main/java/org/jboss/hal/client/runtime/subsystem/jaxrs/RestResourcePreview.java b/app/src/main/java/org/jboss/hal/client/runtime/subsystem/jaxrs/RestResourcePreview.java index 96446b65ce..38a33a60b8 100644 --- a/app/src/main/java/org/jboss/hal/client/runtime/subsystem/jaxrs/RestResourcePreview.java +++ b/app/src/main/java/org/jboss/hal/client/runtime/subsystem/jaxrs/RestResourcePreview.java @@ -43,7 +43,6 @@ import org.jboss.hal.resources.Ids; import org.jboss.hal.resources.Names; import org.jboss.hal.resources.Resources; - import com.google.common.base.Splitter; import com.google.common.base.Strings; import com.google.gwt.user.client.rpc.AsyncCallback; @@ -54,13 +53,12 @@ import elemental2.dom.CSSProperties.MarginBottomUnionType; import elemental2.dom.HTMLElement; -import static java.util.stream.Collectors.groupingBy; -import static java.util.stream.Collectors.joining; -import static java.util.stream.Collectors.toList; - import static com.google.gwt.safehtml.shared.SafeHtmlUtils.fromSafeConstant; import static elemental2.dom.DomGlobal.document; import static elemental2.dom.DomGlobal.window; +import static java.util.stream.Collectors.groupingBy; +import static java.util.stream.Collectors.joining; +import static java.util.stream.Collectors.toList; import static org.jboss.elemento.Elements.a; import static org.jboss.elemento.Elements.asHtmlElement; import static org.jboss.elemento.Elements.br; @@ -262,7 +260,7 @@ public void onSuccess(ServerUrl url) { Elements.removeChildrenFrom(linkContainer); // noinspection UnstableApiUsage linkContainer.appendChild(a().css(clickable) - .on(click, e -> specifyParameters(url.getUrl(), link, Splitter.on(',') + .on(click, e -> specifyParameters(url.getUrl().asString(), link, Splitter.on(',') .splitToList(linkContainer.dataset.get(LINK)))) .textContent(link).element()); } 
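Review bot: `prop.getName()` is still concatenated unescaped into the `fromTrustedString(...)` call on the added lines, while only the value now goes through `htmlEscape`; name and value come from the same `prop` and neither is a constant, so the escaping should cover both, e.g. `String safeName = SafeHtmlUtils.htmlEscape(prop.getName());` and `... + safeName + COLON + safeValue + ...`. If `html` is a `SafeHtmlBuilder` (the import is visible in this file's first hunk), `html.appendHtmlConstant(...)` for the spacer/`<br/>` pieces plus `html.appendEscaped(prop.getName())` and `html.appendEscaped(prop.getValue().asString())` would remove the `fromTrustedString` call altogether, so no future edit can reintroduce an unescaped term. The enclosing `getDescriptionHtml()` begins before this hunk and continues after it.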
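Review bot: `url.getUrl().asString()` on the added line hands `specifyParameters` the HTML-escaped form of the URL, because `ServerUrl.getUrl()` now builds its `SafeHtml` with `SafeHtmlUtils.fromString`, so a URL containing `&`, `<`, `'` or `"` arrives with `&amp;`-style entities; if `specifyParameters` uses its first argument to build the request URL (not visible here), query strings will break. The same pattern appears in the DeploymentPreview hunk (`a(url.getUrl().asString() + link)`) and in ServerActions at `@@ -604` (`a(url.getUrl().asString())`) and `@@ -703` (`urlItem.setValue(serverUrl.getUrl().asString())`), where an `href` and a form field respectively receive entity-encoded text. HTML escaping belongs at the point where the value is rendered as markup; these four call sites need the raw URL string, so `ServerUrl` should keep a `String` accessor for them and this line should read `specifyParameters(url.getUrl(), link, ...)` against that accessor. The enclosing `onSuccess(ServerUrl)` starts before this hunk.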
diff --git a/app/src/main/java/org/jboss/hal/client/runtime/subsystem/undertow/DeploymentPreview.java b/app/src/main/java/org/jboss/hal/client/runtime/subsystem/undertow/DeploymentPreview.java index 1b7e42573a..3c258fe1af 100644 --- a/app/src/main/java/org/jboss/hal/client/runtime/subsystem/undertow/DeploymentPreview.java +++ b/app/src/main/java/org/jboss/hal/client/runtime/subsystem/undertow/DeploymentPreview.java @@ -50,14 +50,12 @@ import org.jboss.hal.resources.Ids; import org.jboss.hal.resources.Names; import org.jboss.hal.resources.Resources; - import com.google.gwt.user.client.rpc.AsyncCallback; import com.gwtplatform.mvp.shared.proxy.PlaceRequest; import elemental2.dom.HTMLElement; import static java.util.stream.Collectors.toList; - import static org.jboss.elemento.Elements.a; import static org.jboss.elemento.Elements.asHtmlElement; import static org.jboss.elemento.Elements.h; @@ -278,7 +276,7 @@ public void onSuccess(ServerUrl url) { for (HTMLElement linkContainer : linkContainers) { String link = linkContainer.textContent; Elements.removeChildrenFrom(linkContainer); - linkContainer.appendChild(a(url.getUrl() + link) + linkContainer.appendChild(a(url.getUrl().asString() + link) .apply(a -> a.target = Ids.hostServer(host, server)) .textContent(link).element()); } diff --git a/core/src/main/java/org/jboss/hal/core/runtime/server/ServerActions.java b/core/src/main/java/org/jboss/hal/core/runtime/server/ServerActions.java index 2cc1e9eab2..23cf4b93a9 100644 --- a/core/src/main/java/org/jboss/hal/core/runtime/server/ServerActions.java +++ b/core/src/main/java/org/jboss/hal/core/runtime/server/ServerActions.java @@ -26,7 +26,6 @@ import javax.inject.Inject; import javax.inject.Provider; - import org.jboss.elemento.Elements; import org.jboss.hal.ballroom.Alert; import org.jboss.hal.ballroom.dialog.BlockingDialog; 
@@ -71,7 +70,6 @@ import org.jboss.hal.spi.MessageEvent; import org.slf4j.Logger; import org.slf4j.LoggerFactory; - import com.google.common.base.Strings; import com.google.gwt.safehtml.shared.SafeHtml; import com.google.gwt.user.client.rpc.AsyncCallback; @@ -80,9 +78,8 @@ import elemental2.dom.HTMLElement; import elemental2.promise.Promise; -import static java.util.Collections.emptyList; - import static elemental2.dom.DomGlobal.setTimeout; +import static java.util.Collections.emptyList; import static org.jboss.elemento.Elements.a; import static org.jboss.elemento.Elements.p; import static org.jboss.elemento.Elements.span; @@ -389,7 +386,7 @@ public void suspend(Server server) { } metadataProcessor.lookup(serverConfigTemplate(server), progress.get()).then(metadata -> { - String id = Ids.build(SUSPEND, server.getName(), Ids.FORM); + String id = Ids.build(SUSPEND, server.getName(), FORM); Form form = new OperationFormBuilder<>(id, metadata, SUSPEND).build(); Dialog dialog = DialogFactory.buildConfirmation( @@ -457,7 +454,7 @@ public void resume(Server server) { public void stop(Server server) { metadataProcessor.lookup(serverConfigTemplate(server), progress.get()) .then(metadata -> { - String id = Ids.build(STOP, server.getName(), Ids.FORM); + String id = Ids.build(STOP, server.getName(), FORM); Form form = new OperationFormBuilder<>(id, metadata, STOP) .include(SUSPEND_TIMEOUT) .build(); @@ -604,9 +601,9 @@ public void onFailure(Throwable caught) { @Override public void onSuccess(ServerUrl url) { Elements.removeChildrenFrom(element); - element.appendChild(a(url.getUrl()) + element.appendChild(a(url.getUrl().asString()) .apply(a -> a.target = server.getId()) - .textContent(url.getUrl()).element()); + .innerHtml(url.getUrl()).element()); String icon; String tooltip; if (url.isCustom()) { 
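Review bot: The switch from `.textContent(url.getUrl())` to `.innerHtml(url.getUrl())` in the `@@ -604` hunk does not add safety: `textContent` assigns a DOM text node and never interprets markup, so the link label was not an injection sink before, whereas `innerHtml` is one and now depends on `SafeHtmlUtils.fromString` having escaped the value; I would keep the label as a text-node assignment of the plain URL string rather than move it to an innerHTML sink. The part of this hunk that needs a URL-context check is the `href` passed to `a(...)`: HTML escaping does not restrict the scheme of a stored custom URL, so an allow-listed-scheme check before the value reaches `href` — GWT ships `UriUtils.sanitizeUri(String)` for this — is the appropriate control, e.g. `a(UriUtils.sanitizeUri(rawUrl))`. The `Ids.FORM` → `FORM` edits in the `@@ -389` and `@@ -457` hunks are unrelated to the patch subject and rely on a static import not shown here; they would be easier to review as a separate commit. `onSuccess` continues past the end of this hunk.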
@@ -703,7 +700,7 @@ private void show(ServerUrl serverUrl) { dialog.show(); form.edit(new ModelNode()); if (serverUrl != null) { - urlItem.setValue(serverUrl.getUrl()); + urlItem.setValue(serverUrl.getUrl().asString()); } } }); diff --git a/core/src/main/java/org/jboss/hal/core/runtime/server/ServerUrl.java b/core/src/main/java/org/jboss/hal/core/runtime/server/ServerUrl.java index bca83175f9..5e33934715 100644 --- a/core/src/main/java/org/jboss/hal/core/runtime/server/ServerUrl.java +++ b/core/src/main/java/org/jboss/hal/core/runtime/server/ServerUrl.java @@ -15,6 +15,9 @@ */ package org.jboss.hal.core.runtime.server; +import com.google.gwt.safehtml.shared.SafeHtml; +import com.google.gwt.safehtml.shared.SafeHtmlUtils; + public class ServerUrl { private final String url; @@ -30,8 +33,8 @@ public String toString() { return "ServerUrl(" + url + '\'' + ", custom=" + custom + ')'; } - public String getUrl() { - return url; + public SafeHtml getUrl() { + return SafeHtmlUtils.fromString(url); } public boolean isCustom() {
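Review bot: `getUrl()` now returns an HTML-escaped `SafeHtml` for a value that, judging by the other hunks in this patch, is mostly consumed as a URL (`href`, a form field, request building), while `toString()` two lines above still prints the raw `url`; the accessor's name no longer says what encoding it applies, and callers are left unescaping via `asString()`. I would keep the raw accessor for URL contexts and add a separately named HTML-escaped one, each with Javadoc stating its output context, so the choice is made at the call site. `fromString` performs HTML entity escaping only; if the goal is a safe `href`, that check belongs in a URL-context helper (for example one wrapping `UriUtils.sanitizeUri`), not in the HTML accessor. The class continues outside this hunk (`isCustom()` is cut off).
```java
    /** The configured URL as stored; not encoded for any output context. */
    public String getUrl() {
        return url;
    }

    /** The URL escaped for an HTML text context (innerHTML); not suitable for href. */
    public SafeHtml getUrlAsHtml() {
        return SafeHtmlUtils.fromString(url);
    }
    // … unchanged: isCustom() …
```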