clean html in data and templates (SORMAS-Foundation#2906)

Author: syntakker

sormas-backend/src/main/java/de/symeda/sormas/backend/docgeneration/CleanHtmlReference.java

@@ -0,0 +1,28 @@
+/*
+ * SORMAS® - Surveillance Outbreak Response Management & Analysis System
+ * Copyright © 2016-2021 Helmholtz-Zentrum für Infektionsforschung GmbH (HZI)
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ */
+
+package de.symeda.sormas.backend.docgeneration;
+
+import org.apache.velocity.app.event.ReferenceInsertionEventHandler;
+
+import de.symeda.sormas.api.utils.HtmlHelper;
+
+public class CleanHtmlReference implements ReferenceInsertionEventHandler {
+
+	@Override
+	public Object referenceInsert(String s, Object o) {
+		return o == null ? null : HtmlHelper.cleanHtml(o.toString(), HtmlHelper.EVENTACTION_WHITELIST);
+	}
+}

sormas-backend/src/main/java/de/symeda/sormas/backend/docgeneration/TemplateEngine.java

@@ -43,13 +43,17 @@
 import org.apache.velocity.util.introspection.SecureUberspector;
 import org.docx4j.openpackaging.exceptions.Docx4JException;
 import org.docx4j.openpackaging.packages.WordprocessingMLPackage;
+import org.jsoup.Jsoup;
+import org.jsoup.nodes.Document.OutputSettings;
+import org.jsoup.safety.Whitelist;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import de.symeda.sormas.api.docgeneneration.DocumentTemplateException;
 import de.symeda.sormas.api.docgeneneration.DocumentVariables;
 import de.symeda.sormas.api.i18n.I18nProperties;
 import de.symeda.sormas.api.i18n.Strings;
+import de.symeda.sormas.api.utils.HtmlHelper;
 import fr.opensagres.xdocreport.core.XDocReportException;
 import fr.opensagres.xdocreport.document.IXDocReport;
 import fr.opensagres.xdocreport.document.registry.XDocReportRegistry;
@@ -63,9 +67,11 @@
 public class TemplateEngine {
 
 	private static final Pattern VARIABLE_PATTERN = Pattern.compile("([{] *(!)? *([A-Za-z0-9._]+) *[}]| *(!)? *([A-Za-z0-9._]+) *)");
+	private static final Whitelist HTML_TEMPLATE_WHITELIST =
+		HtmlHelper.EVENTACTION_WHITELIST.addAttributes("div", "class").addAttributes("span", "class").addAttributes("table", "class");
 	private static final Logger logger = LoggerFactory.getLogger(TemplateEngine.class);
 
-	private Properties xdocVelocityProperties;
+	private final Properties xdocVelocityProperties;
 
 	public TemplateEngine() {
 		xdocVelocityProperties = new Properties();
@@ -136,6 +142,9 @@ public String generateDocumentTxt(Properties properties, File templateFile) {
 		velocityEngine.setProperty(RuntimeConstants.UBERSPECT_CLASSNAME, SecureUberspector.class.getCanonicalName());
 		// Disable Includes
 		velocityEngine.setProperty(RuntimeConstants.EVENTHANDLER_INCLUDE, NoIncludesEventHandler.class.getCanonicalName());
+		// Clean Html
+		velocityEngine.setProperty(RuntimeConstants.EVENTHANDLER_REFERENCEINSERTION, CleanHtmlReference.class.getCanonicalName());
+
 		velocityEngine.setProperty(RuntimeConstants.RESOURCE_LOADER, "file");
 		velocityEngine.setProperty(RuntimeConstants.FILE_RESOURCE_LOADER_PATH, FilenameUtils.getFullPathNoEndSeparator(templateFile.getPath()));
 		Template template = velocityEngine.getTemplate(templateFile.getName());
@@ -152,7 +161,9 @@ public String generateDocumentTxt(Properties properties, File templateFile) {
 
 		StringWriter stringWriter = new StringWriter();
 		template.merge(velocityContext, stringWriter);
-		return stringWriter.toString();
+		OutputSettings outputSettings = new OutputSettings();
+		outputSettings.prettyPrint(false);
+		return Jsoup.clean(stringWriter.toString(), "", HTML_TEMPLATE_WHITELIST, outputSettings);
 	}
 
 	public void validateTemplateDocx(InputStream templateInputStream) throws DocumentTemplateException {

sormas-backend/src/main/resources/docgeneration/sormasStyle.html

@@ -35,6 +35,9 @@
         div.actions {
           margin-top: 35px;
         }
+        .red {
+          color: #f00;
+        }
     </style>
 </header>
 <body>

sormas-backend/src/test/resources/docgeneration/eventHandout/EventHandout.cmp

@@ -35,6 +35,9 @@
         div.actions {
           margin-top: 35px;
         }
+        .red {
+          color: #f00;
+        }
     </style>
 </header>
 <body>
@@ -44,18 +47,18 @@
 <p>...where people meet</p>
 
 <table>
-    <tr><th>Disease</th><th>Status</th><th>Event Date</th><th>Report Date</th></tr>
+    <tbody><tr><th>Disease</th><th>Status</th><th>Event Date</th><th>Report Date</th></tr>
     <tr><td>COVID-19</td><td>Signal</td><td>11/12/2020</td><td>11/13/2020</td></tr>
-</table>
+</tbody></table>
 
 <h2>Event Participants</h2>
 
 <table>
-    <tr><th>First Name</th><th>Last Name</th><th>Phone</th><th>Contacted</th></tr>
+    <tbody><tr><th>First Name</th><th>Last Name</th><th>Phone</th><th>Contacted</th></tr>
         <tr><td>Georges</td><td>Bataille</td><td>+49 681 8901</td><td>[ ]</td></tr>
         <tr><td>Guy</td><td>Debord</td><td>+49 681 4567</td><td>[ ]</td></tr>
         <tr><td>Isidore</td><td>Isou</td><td>+49 681 1234</td><td>[ ]</td></tr>
-    </table>
+    </tbody></table>
 
 
 <div class="actions">
@@ -68,7 +71,7 @@
     <h2>Another action</h2>
     <p>11/15/2020</p>
     <div> This action hast no reply </div>
-    <div> <span style="color:#f00">*</span> </div>
+    <div> <span class="red">*</span> </div>
 </div>
 
 </body>

sormas-backend/src/test/resources/docgeneration/eventHandout/EventHandout.html

@@ -23,6 +23,6 @@ <h2>Event Participants</h2>
     <h2>$action.title</h2>
     <p>$F.format($action.getDate())</p>
     <div>#if($action.getDescription()) $action.getDescription() #else <span style="color:#f00">*</span> #end</div>
-    <div>#if($action.reply) $action.reply #else <span style="color:#f00">*</span> #end</div>
+    <div>#if($action.reply) $action.reply #else <span class="red">*</span> #end</div>
 </div>
 #end

sormas-backend/src/test/resources/docgeneration/eventHandout/EventHandoutError.cmp

@@ -35,6 +35,9 @@
         div.actions {
           margin-top: 35px;
         }
+        .red {
+          color: #f00;
+        }
     </style>
 </header>
 <body>

sormas-backend/src/test/resources/docgeneration/eventHandout/EventHandoutNullableVariables.cmp

@@ -35,6 +35,9 @@
         div.actions {
           margin-top: 35px;
         }
+        .red {
+          color: #f00;
+        }
     </style>
 </header>
 <body>

sormas-backend/src/test/resources/docgeneration/eventHandout/EventHandoutPreformatting.cmp

@@ -35,6 +35,9 @@
         div.actions {
           margin-top: 35px;
         }
+        .red {
+          color: #f00;
+        }
     </style>
 </header>
 <body>
@@ -44,18 +47,18 @@
 <p>...where people meet</p>
 
 <table>
-    <tr><th>Disease</th><th>Status</th><th>Event Date</th><th>Report Date</th><th>User</th></tr>
+    <tbody><tr><th>Disease</th><th>Status</th><th>Event Date</th><th>Report Date</th><th>User</th></tr>
     <tr><td>COVID-19</td><td>Signal</td><td>11/12/2020</td><td>11/13/2020</td><td>Surv Sup</td></tr>
-</table>
+</tbody></table>
 
 <h2>Event Participants</h2>
 
 <table>
-    <tr><th>First Name</th><th>Last Name</th><th>Phone</th><th>Contacted</th></tr>
+    <tbody><tr><th>First Name</th><th>Last Name</th><th>Phone</th><th>Contacted</th></tr>
         <tr><td>Georges</td><td>Bataille</td><td>+49 681 8901</td><td>[ ]</td></tr>
         <tr><td>Guy</td><td>Debord</td><td>+49 681 4567</td><td>[ ]</td></tr>
         <tr><td>Isidore</td><td>Isou</td><td>+49 681 1234</td><td>[ ]</td></tr>
-    </table>
+    </tbody></table>
 
 
 <div class="actions">
@@ -68,7 +71,7 @@
     <h2>Another action</h2>
     <p>11/15/2020</p>
     <div> This action hast no reply </div>
-    <div> <span style="color:#f00">*</span> </div>
+    <div> <span class="red">*</span> </div>
 </div>
 
 </body>

sormas-backend/src/test/resources/docgeneration/eventHandout/EventHandoutPreformatting.html

@@ -23,6 +23,6 @@ <h2>Event Participants</h2>
     <h2>$action.title</h2>
     <p>$F.format($action.getDate())</p>
     <div>#if($action.getDescription()) $action.getDescription() #else <span style="color:#f00">*</span> #end</div>
-    <div>#if($action.reply) $action.reply #else <span style="color:#f00">*</span> #end</div>
+    <div>#if($action.reply) $action.reply #else <span class="red">*</span> #end</div>
 </div>
 #end

sormas-backend/src/test/resources/docgeneration/testcasesTxt/CleanHtml.cmp

@@ -0,0 +1 @@
+This is a test: