Commit 4e4ad6c4 authored by arild2g's avatar arild2g

Encodes untrusted data (title, topic, alias)

Ref #5
parent dad1f7c6
......@@ -28,6 +28,7 @@ import java.time.Instant;
import inf226.storage.*;
import inf226.inchat.*;
import inf226.util.*;
import org.owasp.encoder.Encode;
/**
* The Hanlder class handles all HTTP and HTML components.
......@@ -406,7 +407,7 @@ public class Handler extends AbstractHandler
out.println("<style type=\"text/css\">code{white-space: pre;}</style>");
out.println("<link rel=\"stylesheet\" href=\"/style.css\">");
out.println("<title>" + title + "</title>");
out.println("<title>" + Encode.forHtml(title) + "</title>");
out.println("</head>");
}
......@@ -414,7 +415,7 @@ public class Handler extends AbstractHandler
* Print the standard top with actions.
*/
private void printStandardTop(PrintWriter out, String topic) {
out.println("<h1 class=\"topic\"><a style=\"color: black;\" href=\"/\">"+ topic + "</a></h1>");
out.println("<h1 class=\"topic\"><a style=\"color: black;\" href=\"/\">"+ Encode.forHtml(topic) + "</a></h1>");
out.println("<div class=\"actionbar\">");
out.println("<a class=\"action\" href=\"/create\">Create a channel!</a>");
out.println("<a class=\"action\" href=\"/joinChannel\">Join a channel!</a>");
......@@ -448,7 +449,7 @@ public class Handler extends AbstractHandler
out.println("<script src=\"/script.js\"></script>");
out.println("<script>subscribe(\"" + channel.identity +"\",\"" + channel.version + "\");</script>");
out.println("<form class=\"entry\" action=\"/channel/" + alias + "\" method=\"post\">");
out.println("<form class=\"entry\" action=\"/channel/" + Encode.forHtml(alias) + "\" method=\"post\">");
out.println(" <div class=\"user\">You</div>");
out.println(" <input type=\"hidden\" name=\"newmessage\" value=\"Send\">");
out.println(" <input type=\"hidden\" name=\"CSRFToken\" value=\"" + token + "\">");
......@@ -466,7 +467,7 @@ public class Handler extends AbstractHandler
out.println("<h4>Channel ID:</h4><br>" + channel.identity +"<br>");
out.println("<p><a href=\"/join?channelid=" + channel.identity + "\">Join link</a></p>");
out.println("<h4>Set permissions</h4><form action=\"/channel/" + alias + "\" method=\"post\">");
out.println("<h4>Set permissions</h4><form action=\"/channel/" + Encode.forHtml(alias) + "\" method=\"post\">");
out.println("<input style=\"width: 8em;\" type=\"text\" placeholder=\"User name\" name=\"username\">");
out.println("<select name=\"role\" required=\"required\">");
out.println("<option value=\"owner\">Owner</option>");
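Review bot: In the two `action=\"/channel/" + Encode.forHtml(alias)` lines (the `<form class="entry">` hunk and the "Set permissions" hunk) the value lands in a URL path, so HTML encoding prevents attribute breakout but leaves URL-significant characters such as `/`, `?` and `#` untouched, and the form can still be steered to a different path. OWASP Encoder provides the context-specific encoder for that position: `Encode.forUriComponent(alias)`, which can be wrapped in `Encode.forHtmlAttribute(...)` for the attribute layer; the same applies to the second occurrence. A few lines above the first form, `channel.identity` and `channel.version` are written into a `<script>` string literal unencoded, and `token` goes into a hidden input unencoded; if these are not guaranteed server-generated identifiers, `Encode.forJavaScript` and `Encode.forHtmlAttribute` are the matching encoders there. The enclosing method starts before the hunk.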