Commit 8bdd0a6e authored by Arild.Grimstveit's avatar Arild.Grimstveit

Merge branch 'xss' into 'master'

Task 2 - Cross Site Scripting (XSS)

See merge request !4
parents 55cd0c73 36f9a7ab
......@@ -29,7 +29,7 @@
.idea/mongoSettings.xml
## Database files:
/production.db
production.db
*.db
## File-based project format:
......
<?xml version="1.0" encoding="UTF-8"?>
<project version="4">
<component name="CompilerConfiguration">
<annotationProcessing>
<profile name="Maven default annotation processors profile" enabled="true">
<sourceOutputDir name="target/generated-sources/annotations" />
<sourceTestOutputDir name="target/generated-test-sources/test-annotations" />
<outputRelativeToContentRoot value="true" />
<module name="inchat" />
</profile>
</annotationProcessing>
</component>
<component name="JavacSettings">
<option name="ADDITIONAL_OPTIONS_OVERRIDE">
<module name="inchat" options="-Xlint:all,-options,-path" />
</option>
</component>
</project>
\ No newline at end of file
......@@ -47,6 +47,16 @@
<artifactId>scrypt</artifactId>
<version>1.4.0</version>
</dependency>
<dependency>
<groupId>org.owasp.encoder</groupId>
<artifactId>encoder-jsp</artifactId>
<version>1.2.3</version>
</dependency>
<dependency>
<groupId>org.owasp.encoder</groupId>
<artifactId>encoder</artifactId>
<version>1.2.3</version>
</dependency>
</dependencies>
<build>
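Review bot: Of the two new dependencies, only `encoder` is exercised by this commit: Handler imports `org.owasp.encoder.Encode`, which lives in that artifact, while `encoder-jsp` supplies JSP tag libraries that nothing in this diff references. Unless JSP views exist outside the diff, the `encoder-jsp` dependency block can be dropped to keep the dependency surface minimal; if it is kept deliberately, an XML comment on it such as `<!-- JSP taglib wrapper for OWASP Encoder; used by views under src/main/webapp -->` (path is a placeholder) would tell the next reader why.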
......
......@@ -28,6 +28,7 @@ import java.time.Instant;
import inf226.storage.*;
import inf226.inchat.*;
import inf226.util.*;
import org.owasp.encoder.Encode;
/**
* The Hanlder class handles all HTTP and HTML components.
......@@ -92,8 +93,8 @@ public class Handler extends AbstractHandler
// Try to register a new user:
System.err.println("User registration.");
try {
String username = (new Maybe<String>
(request.getParameter("username"))).get();
String username = Encode.forHtml((new Maybe<String>
(request.getParameter("username"))).get());
String password = (new Maybe<String>
(request.getParameter("password"))).get();
System.err.println("Registering user: \"" + username
......@@ -162,8 +163,8 @@ public class Handler extends AbstractHandler
if(request.getParameter("newmessage") != null) {
String message = (new Maybe<String>
(request.getParameter("message"))).get();
String message = Encode.forHtml((new Maybe<String>
(request.getParameter("message"))).get());
channel = inchat.postMessage(account,channel,message).get();
}
......@@ -174,8 +175,8 @@ public class Handler extends AbstractHandler
channel = inchat.deleteEvent(channel, message);
}
if(request.getParameter("editmessage") != null) {
String message = (new Maybe<String>
(request.getParameter("content"))).get();
String message = Encode.forHtml((new Maybe<String>
(request.getParameter("content"))).get());
UUID messageId =
UUID.fromString(Maybe.just(request.getParameter("message")).get());
Stored<Channel.Event> event = inchat.getEvent(messageId).get();
......@@ -333,8 +334,8 @@ public class Handler extends AbstractHandler
// Try to create a new channel
System.err.println("Channel creation.");
try {
String channelName = (new Maybe<String>
(request.getParameter("channelname"))).get();
String channelName = Encode.forHtml((new Maybe<String>
(request.getParameter("channelname"))).get());
Stored<Channel> channel
= inchat.createChannel(account,channelName).get();
......@@ -406,7 +407,7 @@ public class Handler extends AbstractHandler
out.println("<style type=\"text/css\">code{white-space: pre;}</style>");
out.println("<link rel=\"stylesheet\" href=\"/style.css\">");
out.println("<title>" + title + "</title>");
out.println("<title>" + Encode.forHtml(title) + "</title>");
out.println("</head>");
}
......@@ -414,7 +415,7 @@ public class Handler extends AbstractHandler
* Print the standard top with actions.
*/
private void printStandardTop(PrintWriter out, String topic) {
out.println("<h1 class=\"topic\"><a style=\"color: black;\" href=\"/\">"+ topic + "</a></h1>");
out.println("<h1 class=\"topic\"><a style=\"color: black;\" href=\"/\">"+ Encode.forHtmlAttribute(topic) + "</a></h1>");
out.println("<div class=\"actionbar\">");
out.println("<a class=\"action\" href=\"/create\">Create a channel!</a>");
out.println("<a class=\"action\" href=\"/joinChannel\">Join a channel!</a>");
......@@ -430,7 +431,7 @@ public class Handler extends AbstractHandler
out.println("<p>Your channels:</p>");
out.println("<ul class=\"chanlist\">");
account.channels.forEach( entry -> {
out.println("<li> <a href=\"/channel/" + entry.first + "\">" + entry.first + "</a></li>");
out.println("<li> <a href=\"/channel/" + Encode.forHtmlAttribute(entry.first) + "\">" + Encode.forHtml(entry.first) + "</a></li>");
});
out.println("</ul>");
out.println("</aside>");
......@@ -446,9 +447,9 @@ public class Handler extends AbstractHandler
out.println("<main id=\"channel\" role=\"main\" class=\"channel\">");
printChannelEvents(out,channel, token);
out.println("<script src=\"/script.js\"></script>");
out.println("<script>subscribe(\"" + channel.identity +"\",\"" + channel.version + "\");</script>");
out.println("<script>subscribe(\"" + Encode.forJavaScript(String.valueOf(channel.identity)) +"\",\"" + Encode.forJavaScript(String.valueOf(channel.version)) + "\");</script>");
out.println("<form class=\"entry\" action=\"/channel/" + alias + "\" method=\"post\">");
out.println("<form class=\"entry\" action=\"/channel/" + Encode.forHtmlAttribute(alias) + "\" method=\"post\">");
out.println(" <div class=\"user\">You</div>");
out.println(" <input type=\"hidden\" name=\"newmessage\" value=\"Send\">");
out.println(" <input type=\"hidden\" name=\"CSRFToken\" value=\"" + token + "\">");
......@@ -463,10 +464,10 @@ public class Handler extends AbstractHandler
out.println("</main>");
// Print out the aside:
out.println("<aside class=\"chanmenu\">");
out.println("<h4>Channel ID:</h4><br>" + channel.identity +"<br>");
out.println("<p><a href=\"/join?channelid=" + channel.identity + "\">Join link</a></p>");
out.println("<h4>Channel ID:</h4><br>" + Encode.forHtml(String.valueOf(channel.identity)) +"<br>");
out.println("<p><a href=\"/join?channelid=" + Encode.forUriComponent(String.valueOf(channel.identity)) + "\">Join link</a></p>");
out.println("<h4>Set permissions</h4><form action=\"/channel/" + alias + "\" method=\"post\">");
out.println("<h4>Set permissions</h4><form action=\"/channel/" + Encode.forHtmlAttribute(alias) + "\" method=\"post\">");
out.println("<input style=\"width: 8em;\" type=\"text\" placeholder=\"User name\" name=\"username\">");
out.println("<select name=\"role\" required=\"required\">");
out.println("<option value=\"owner\">Owner</option>");
......@@ -503,26 +504,26 @@ public class Handler extends AbstractHandler
switch(e.value.type) {
case message:
out.println("<div class=\"entry\">");
out.println(" <div class=\"user\">" + e.value.sender + "</div>");
out.println(" <div class=\"text\">" + e.value.message);
out.println(" <div class=\"user\">" + Encode.forHtmlAttribute(e.value.sender) + "</div>");
out.println(" <div class=\"text\">" + Encode.forHtml(e.value.message));
out.println(" </div>");
out.println(" <div class=\"messagecontrols\">");
out.println(" <form style=\"grid-area: delete;\" action=\"/channel/" + channel.value.name + "\" method=\"POST\">");
out.println(" <input type=\"hidden\" name=\"message\" value=\""+ e.identity + "\">");
out.println(" <form style=\"grid-area: delete;\" action=\"/channel/" + Encode.forHtmlAttribute(channel.value.name) + "\" method=\"POST\">");
out.println(" <input type=\"hidden\" name=\"message\" value=\""+ Encode.forHtmlAttribute(String.valueOf(e.identity)) + "\">");
out.println(" <input type=\"hidden\" name=\"CSRFToken\" value=\"" + token + "\">");
out.println(" <input type=\"submit\" name=\"deletemessage\" value=\"Delete\">");
out.println(" </form><form style=\"grid-area: edit;\" action=\"/editMessage\" method=\"POST\">");
out.println(" ");
out.println(" <input type=\"hidden\" name=\"message\" value=\""+ e.identity + "\">");
out.println(" <input type=\"hidden\" name=\"channelname\" value=\""+ channel.value.name + "\">");
out.println(" <input type=\"hidden\" name=\"originalcontent\" value=\""+ e.value.message + "\">");
out.println(" <input type=\"hidden\" name=\"message\" value=\""+ Encode.forHtmlAttribute(String.valueOf(e.identity)) + "\">");
out.println(" <input type=\"hidden\" name=\"channelname\" value=\""+ Encode.forHtmlAttribute(channel.value.name) + "\">");
out.println(" <input type=\"hidden\" name=\"originalcontent\" value=\""+ Encode.forHtmlAttribute(e.value.message) + "\">");
out.println(" <input type=\"submit\" name=\"editmessage\" value=\"Edit\">");
out.println(" </form>");
out.println(" </div>");
out.println("</div>");
return;
case join:
out.println("<p>" + formatter.format(e.value.time) + " " + e.value.sender + " has joined!</p>");
out.println("<p>" + formatter.format(e.value.time) + " " + Encode.forHtml(e.value.sender) + " has joined!</p>");
return;
}
});
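Review bot: The four request-handling hunks (registration with `Encode.forHtml((new Maybe<String>(request.getParameter("username"))).get())`, and the same wrapping of the "message", "content" and "channelname" parameters) HTML-encode user input before it is stored, while the rendering hunks in printChannelEvents encode the same values again on output, so a message or channel name containing `&`, `<` or quotes is stored as `&amp;`/`&lt;`, displayed double-encoded, and re-encoded on every edit that round-trips through the `originalcontent` hidden field. Encode at the output boundary only: keep the `Encode.forHtml`/`forHtmlAttribute` calls in the print methods and revert the input sites to the plain read, e.g. `String message = (new Maybe<String>(request.getParameter("message"))).get();`. Storing an encoded username also risks it no longer matching what the user types at login, which the login path outside this diff would have to account for. Two smaller points in the same section: `token` is still concatenated unencoded into the CSRFToken `value` attributes, and `Encode.forHtmlAttribute` is used for element content (`topic` in the h1 and `e.value.sender` in the user div) where `Encode.forHtml` is the matching context. The enclosing methods start and end outside the hunks.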
......