Commit 6b4a814e authored by vehjelmtvedt's avatar vehjelmtvedt

merge with master

parents 8ce88492 9f7d3f39
......@@ -29,7 +29,7 @@
.idea/mongoSettings.xml
## Database files:
/production.db
production.db
*.db
## File-based project format:
......
<?xml version="1.0" encoding="UTF-8"?>
<project version="4">
<component name="CompilerConfiguration">
<annotationProcessing>
<profile name="Maven default annotation processors profile" enabled="true">
<sourceOutputDir name="target/generated-sources/annotations" />
<sourceTestOutputDir name="target/generated-test-sources/test-annotations" />
<outputRelativeToContentRoot value="true" />
<module name="inchat" />
</profile>
</annotationProcessing>
</component>
<component name="JavacSettings">
<option name="ADDITIONAL_OPTIONS_OVERRIDE">
<module name="inchat" options="-Xlint:all,-options,-path" />
</option>
</component>
</project>
\ No newline at end of file
......@@ -47,6 +47,16 @@
<artifactId>scrypt</artifactId>
<version>1.4.0</version>
</dependency>
<dependency>
<groupId>org.owasp.encoder</groupId>
<artifactId>encoder-jsp</artifactId>
<version>1.2.3</version>
</dependency>
<dependency>
<groupId>org.owasp.encoder</groupId>
<artifactId>encoder</artifactId>
<version>1.2.3</version>
</dependency>
</dependencies>
<build>
......
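Review bot: The `encoder-jsp` artifact added next to `encoder` only supplies the JSP tag library and EL functions; the Java changes in this commit import `org.owasp.encoder.Encode`, which ships in the `encoder` artifact, so `encoder-jsp` appears unused unless JSP pages reference it. If nothing does, drop that second `<dependency>` block so the dependency surface stays at what the code actually needs. The enclosing `<dependencies>` element starts outside the hunk.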
......@@ -26,6 +26,7 @@ import java.time.Instant;
import inf226.storage.*;
import inf226.inchat.*;
import inf226.util.*;
import org.owasp.encoder.Encode;
/**
* The Hanlder class handles all HTTP and HTML components.
......@@ -90,12 +91,11 @@ public class Handler extends AbstractHandler
// Try to register a new user:
System.err.println("User registration.");
try {
String username = (new Maybe<String>
(request.getParameter("username"))).get();
String username = Encode.forHtml((new Maybe<String>
(request.getParameter("username"))).get());
String password = (new Maybe<String>
(request.getParameter("password"))).get();
System.err.println("Registering user: \"" + username
+ "\" with password \"" + password + "\"");
System.err.println("Registering user: \"" + username);
try {
Password pw = new Password(password);
......@@ -141,6 +141,10 @@ public class Handler extends AbstractHandler
// User is now logged in with a valid sesion.
// We set the session cookie to keep the user logged in:
response.addCookie(new Cookie("session",session.identity.toString()));
// Set X-Frame-Options header
response.setHeader("X-Frame-Options", "SAMEORIGIN");
// Set X-Content-Type-Options header
response.setHeader("X-Content-Type-Options", "nosniff");
final PrintWriter out = response.getWriter();
// Handle a logged in request.
......@@ -159,9 +163,11 @@ public class Handler extends AbstractHandler
if (!session.identity.equals(UUID.fromString(request.getParameter("CSRFToken")))) {return;}
if(request.getParameter("newmessage") != null && hasPermission(inchat.getRole(account, channel).get(), "newmessage")) {
String message = (new Maybe<String>
(request.getParameter("message"))).get();
channel = inchat.postMessage(account,channel,message).get();
}
......@@ -183,6 +189,7 @@ public class Handler extends AbstractHandler
boolean permission = hasPermission(inchat.getRole(account, channel).get(), "editmessage");
String message = (new Maybe<String>
(request.getParameter("content"))).get();
UUID messageId =
UUID.fromString(Maybe.just(request.getParameter("message")).get());
Stored<Channel.Event> event = inchat.getEvent(messageId).get();
......@@ -350,8 +357,8 @@ public class Handler extends AbstractHandler
// Try to create a new channel
System.err.println("Channel creation.");
try {
String channelName = (new Maybe<String>
(request.getParameter("channelname"))).get();
String channelName = Encode.forHtml((new Maybe<String>
(request.getParameter("channelname"))).get());
Stored<Channel> channel
= inchat.createChannel(account,channelName).get();
......@@ -423,7 +430,7 @@ public class Handler extends AbstractHandler
out.println("<style type=\"text/css\">code{white-space: pre;}</style>");
out.println("<link rel=\"stylesheet\" href=\"/style.css\">");
out.println("<title>" + title + "</title>");
out.println("<title>" + Encode.forHtml(title) + "</title>");
out.println("</head>");
}
......@@ -431,7 +438,7 @@ public class Handler extends AbstractHandler
* Print the standard top with actions.
*/
private void printStandardTop(PrintWriter out, String topic) {
out.println("<h1 class=\"topic\"><a style=\"color: black;\" href=\"/\">"+ topic + "</a></h1>");
out.println("<h1 class=\"topic\"><a style=\"color: black;\" href=\"/\">"+ Encode.forHtmlAttribute(topic) + "</a></h1>");
out.println("<div class=\"actionbar\">");
out.println("<a class=\"action\" href=\"/create\">Create a channel!</a>");
out.println("<a class=\"action\" href=\"/joinChannel\">Join a channel!</a>");
......@@ -447,7 +454,7 @@ public class Handler extends AbstractHandler
out.println("<p>Your channels:</p>");
out.println("<ul class=\"chanlist\">");
account.channels.forEach( entry -> {
out.println("<li> <a href=\"/channel/" + entry.first + "\">" + entry.first + "</a></li>");
out.println("<li> <a href=\"/channel/" + Encode.forHtmlAttribute(entry.first) + "\">" + Encode.forHtml(entry.first) + "</a></li>");
});
out.println("</ul>");
out.println("</aside>");
......@@ -463,9 +470,9 @@ public class Handler extends AbstractHandler
out.println("<main id=\"channel\" role=\"main\" class=\"channel\">");
printChannelEvents(out,channel, token);
out.println("<script src=\"/script.js\"></script>");
out.println("<script>subscribe(\"" + channel.identity +"\",\"" + channel.version + "\");</script>");
out.println("<script>subscribe(\"" + Encode.forJavaScript(String.valueOf(channel.identity)) +"\",\"" + Encode.forJavaScript(String.valueOf(channel.version)) + "\");</script>");
out.println("<form class=\"entry\" action=\"/channel/" + alias + "\" method=\"post\">");
out.println("<form class=\"entry\" action=\"/channel/" + Encode.forHtmlAttribute(alias) + "\" method=\"post\">");
out.println(" <div class=\"user\">You</div>");
out.println(" <input type=\"hidden\" name=\"newmessage\" value=\"Send\">");
out.println(" <input type=\"hidden\" name=\"CSRFToken\" value=\"" + token + "\">");
......@@ -480,10 +487,10 @@ public class Handler extends AbstractHandler
out.println("</main>");
// Print out the aside:
out.println("<aside class=\"chanmenu\">");
out.println("<h4>Channel ID:</h4><br>" + channel.identity +"<br>");
out.println("<p><a href=\"/join?channelid=" + channel.identity + "\">Join link</a></p>");
out.println("<h4>Channel ID:</h4><br>" + Encode.forHtml(String.valueOf(channel.identity)) +"<br>");
out.println("<p><a href=\"/join?channelid=" + Encode.forUriComponent(String.valueOf(channel.identity)) + "\">Join link</a></p>");
out.println("<h4>Set permissions</h4><form action=\"/channel/" + alias + "\" method=\"post\">");
out.println("<h4>Set permissions</h4><form action=\"/channel/" + Encode.forHtmlAttribute(alias) + "\" method=\"post\">");
out.println("<input style=\"width: 8em;\" type=\"text\" placeholder=\"User name\" name=\"username\">");
out.println("<select name=\"role\" required=\"required\">");
out.println("<option value=\"owner\">Owner</option>");
......@@ -520,26 +527,26 @@ public class Handler extends AbstractHandler
switch(e.value.type) {
case message:
out.println("<div class=\"entry\">");
out.println(" <div class=\"user\">" + e.value.sender + "</div>");
out.println(" <div class=\"text\">" + e.value.message);
out.println(" <div class=\"user\">" + Encode.forHtmlAttribute(e.value.sender) + "</div>");
out.println(" <div class=\"text\">" + Encode.forHtml(e.value.message));
out.println(" </div>");
out.println(" <div class=\"messagecontrols\">");
out.println(" <form style=\"grid-area: delete;\" action=\"/channel/" + channel.value.name + "\" method=\"POST\">");
out.println(" <input type=\"hidden\" name=\"message\" value=\""+ e.identity + "\">");
out.println(" <form style=\"grid-area: delete;\" action=\"/channel/" + Encode.forHtmlAttribute(channel.value.name) + "\" method=\"POST\">");
out.println(" <input type=\"hidden\" name=\"message\" value=\""+ Encode.forHtmlAttribute(String.valueOf(e.identity)) + "\">");
out.println(" <input type=\"hidden\" name=\"CSRFToken\" value=\"" + token + "\">");
out.println(" <input type=\"submit\" name=\"deletemessage\" value=\"Delete\">");
out.println(" </form><form style=\"grid-area: edit;\" action=\"/editMessage\" method=\"POST\">");
out.println(" ");
out.println(" <input type=\"hidden\" name=\"message\" value=\""+ e.identity + "\">");
out.println(" <input type=\"hidden\" name=\"channelname\" value=\""+ channel.value.name + "\">");
out.println(" <input type=\"hidden\" name=\"originalcontent\" value=\""+ e.value.message + "\">");
out.println(" <input type=\"hidden\" name=\"message\" value=\""+ Encode.forHtmlAttribute(String.valueOf(e.identity)) + "\">");
out.println(" <input type=\"hidden\" name=\"channelname\" value=\""+ Encode.forHtmlAttribute(channel.value.name) + "\">");
out.println(" <input type=\"hidden\" name=\"originalcontent\" value=\""+ Encode.forHtmlAttribute(e.value.message) + "\">");
out.println(" <input type=\"submit\" name=\"editmessage\" value=\"Edit\">");
out.println(" </form>");
out.println(" </div>");
out.println("</div>");
return;
case join:
out.println("<p>" + formatter.format(e.value.time) + " " + e.value.sender + " has joined!</p>");
out.println("<p>" + formatter.format(e.value.time) + " " + Encode.forHtml(e.value.sender) + " has joined!</p>");
return;
}
});
......
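Review bot: Encode.forHtml is applied to input at the registration and channel-creation sites (`String username = Encode.forHtml(...)` and `String channelName = Encode.forHtml(...)`), so the HTML-encoded form is what gets stored and then runs through the output encoders again (`Encode.forHtml(e.value.sender)`, `Encode.forHtmlAttribute(channel.value.name)`), double-encoding any name containing `&`, quotes, `<` or `>` and leaving the stored name different from what the user typed. Keep the raw value at input, `String username = (new Maybe<String>(request.getParameter("username"))).get();` and likewise for channelName, and rely on the per-context output encoding this commit adds everywhere else. Two smaller points: `token` is still concatenated unencoded into `value="..."` in both CSRFToken hidden inputs (presumably a UUID, so low risk, but `Encode.forHtmlAttribute(token)` keeps the pattern uniform), and `Encode.forHtmlAttribute` is used for element text content in the `<div class="user">` line and the `<h1 class="topic">` anchor where `Encode.forHtml` is the matching context. The X-Frame-Options and X-Content-Type-Options headers are set only on the logged-in path; if that is the only place they are set, the login and registration responses go out without them. All of these methods start or end outside their hunks.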
......@@ -240,10 +240,10 @@ public class InChat {
if (updatedChannels.equals(account.value.channels)) {
if (updatedChannels.equals(targetAccount.value.channels)) {
updatedChannels.add(new Triple<>(channel.value.name, channel, targetRole));
}
accountStore.update(targetAccount, new Account(account.value.user, updatedChannels, account.value.hashedPassword));
accountStore.update(targetAccount, new Account(targetAccount.value.user, updatedChannels, targetAccount.value.hashedPassword));
result.accept(channel);
});
......
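Review bot: The guard `if (updatedChannels.equals(targetAccount.value.channels))` decides whether the new Triple is added, but `updatedChannels` is built before the hunk, so from here it is unclear whether it is a copy of the target's channel list (then the test is always true and the add is effectively unconditional) or a value that can differ, in which case a mismatch silently skips the add and still runs `accountStore.update` and `result.accept(channel)` with an unchanged list. A one-line comment stating what the comparison guards against, e.g. `// Only add when the target's channel list is unchanged since it was read`, or an explicit else branch that reports the skipped add, would make the intent checkable. The enclosing method starts and ends outside the hunk.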