Merge branch 'development' into feature-3152-SymptomsReordering

Author: barnabartha

README.md

@@ -27,6 +27,8 @@ SORMAS officially supports and is tested on **Chromium-based browsers** (like Go
 
 #### Is there a ReST API documentation?
 Yes! Please download the [latest release](https://github.com/hzi-braunschweig/SORMAS-Project/releases/latest) and copy the content of /deploy/openapi/sormas-rest.yaml to an editor that generates a visual API documentation (e.g. https://editor.swagger.io/).
+<br/>
+Runtime Swagger documentation of the External Visits Resource (used by external symptom journals such as CLIMEDO or PIA) is also available at ``<<host>>/sormas-rest/visits-external/openapi.json`` or ``<<host>>/sormas-rest/visits-external/openapi.yaml``
 
 <p align="center"><img src="https://user-images.githubusercontent.com/23701005/74659600-ebb8fc00-5194-11ea-836b-a7ca9d682301.png"/></p>
 

sormas-api/pom.xml

@@ -67,6 +67,11 @@
 			<artifactId>simmetrics-core</artifactId>
 		</dependency>
 
+		<dependency>
+			<groupId>org.jsoup</groupId>
+			<artifactId>jsoup</artifactId>
+		</dependency>
+
 	</dependencies>
 
 </project>

sormas-api/src/main/java/de/symeda/sormas/api/caze/classification/ClassificationHtmlRenderer.java

@@ -17,14 +17,11 @@
  *******************************************************************************/
 package de.symeda.sormas.api.caze.classification;
 
-import static de.symeda.sormas.api.utils.HtmlHelper.escapeAndUnescapeBasicTags;
-import static de.symeda.sormas.api.utils.HtmlHelper.unescapeBasicTags;
-
 import java.util.Date;
 import java.util.List;
 
 import org.apache.commons.lang3.StringUtils;
-import org.apache.commons.text.StringEscapeUtils;
+import org.jsoup.safety.Whitelist;
 
 import de.symeda.sormas.api.Disease;
 import de.symeda.sormas.api.FacadeProvider;
@@ -34,6 +31,7 @@
 import de.symeda.sormas.api.i18n.Strings;
 import de.symeda.sormas.api.utils.DataHelper;
 import de.symeda.sormas.api.utils.DateHelper;
+import de.symeda.sormas.api.utils.HtmlHelper;
 import de.symeda.sormas.api.utils.InfoProvider;
 
 /**
@@ -176,7 +174,7 @@ public static String createHtmlForDownload(String sormasServerUrl, List<Disease>
 		html.append("<h1 style=\"text-align: center; color: #005A9C;\">").append(I18nProperties.getString(Strings.classificationClassificationRules)).append("</h1>");
 		html.append("<h4 style=\"text-align: center;\">")
 				.append(I18nProperties.getString(Strings.classificationGeneratedFor))
-				.append(" ").append(StringEscapeUtils.escapeHtml4(InfoProvider.get().getVersion()))
+				.append(" ").append(HtmlHelper.cleanHtml(InfoProvider.get().getVersion()))
 				.append(StringUtils.wrap(I18nProperties.getString(Strings.on), " "))
 				.append(sormasServerUrl).append(StringUtils.wrap(I18nProperties.getString(Strings.at), " "))
 				.append(DateHelper.formatLocalDateTime(new Date(), language)).append("</h4>");
@@ -241,7 +239,7 @@ private static String buildSubCriteriaDiv(
 		for (ClassificationCriteriaDto subCriteria : ((ClassificationCollectiveCriteria) criteria).getSubCriteria()) {
 			if (!(subCriteria instanceof ClassificationCollectiveCriteria) || subCriteria instanceof ClassificationCompactCriteria) {
 				// For non-collective or compact collective criteria, add the description as a list item
-				subCriteriaSb.append("- " + escapeAndUnescapeBasicTags(subCriteria.buildDescription() + "</br>"));
+				subCriteriaSb.append("- " + HtmlHelper.cleanHtml(subCriteria.buildDescription(), Whitelist.basic()) + "</br>");
 			} else if (subCriteria instanceof ClassificationCollectiveCriteria
 				&& !(subCriteria instanceof ClassificationAllOfCriteriaDto)
 				&& !(subCriteria.getClass() == ClassificationXOfCriteriaDto.class)) {
@@ -273,7 +271,7 @@ private static String createSurroundingDiv(ClassificationCriteriaType criteriaTy
 		//@formatter:off
 		return "<div class='classification-rules'>"
 				+ "<div class='main-criteria main-criteria-"
-				+ StringEscapeUtils.escapeHtml4(criteriaType.toString())
+				+ HtmlHelper.cleanHtml(criteriaType.toString())
 				+ "'>"
 				+ content
 				+ "</div></div>";
@@ -287,7 +285,7 @@ private static String createHeadlineDiv(String headline) {
 
 		//@formatter:off
 		return "<div class='headline'>"
-				+ StringEscapeUtils.escapeHtml4(headline)
+				+ HtmlHelper.cleanHtml(headline, Whitelist.basic())
 				+ "</div>";
 		//@formatter:on
 	}
@@ -296,13 +294,12 @@ private static String createHeadlineDiv(String headline) {
 	 * Creates a div containing an info text.
 	 */
 	private static String createInfoDiv() {
-		return unescapeBasicTags(StringEscapeUtils.escapeHtml4(I18nProperties.getString(Strings.classificationInfoText)));
+		return HtmlHelper.cleanI18nString(I18nProperties.getString(Strings.classificationInfoText));
 	}
 
 	private static String createInfoDiv(int requirementsNumber) {
-		return unescapeBasicTags(
-			StringEscapeUtils.escapeHtml4(
-				String.format(I18nProperties.getString(Strings.classificationInfoNumberText), DataHelper.parseNumberToString(requirementsNumber))));
+		return HtmlHelper.cleanI18nString(
+			String.format(I18nProperties.getString(Strings.classificationInfoNumberText), DataHelper.parseNumberToString(requirementsNumber)));
 	}
 
 	/**
@@ -334,7 +331,7 @@ private static String createSubCriteriaSurroundingDiv(String content) {
 	 * Specific tags are allowed to be contained in i18n strings and are thus unescaped
 	 */
 	private static String createCriteriaItemDiv(String text) {
-		return unescapeBasicTags(StringEscapeUtils.escapeHtml4(text) + "<br>");
+		return (HtmlHelper.cleanHtml(text, Whitelist.basic()) + "<br>");
 	}
 
 	private enum ClassificationCriteriaType {

sormas-api/src/main/java/de/symeda/sormas/api/i18n/Captions.java

@@ -1077,16 +1077,16 @@ public interface Captions {
 	String MaternalHistory_swollenLymphsMonth = "MaternalHistory.swollenLymphsMonth";
 	String MaternalHistory_swollenLymphsOnset = "MaternalHistory.swollenLymphsOnset";
 	String menu = "menu";
-	String Messages_characters = "Messages.characters";
-	String Messages_email = "Messages.email";
-	String Messages_noPhoneNumberForCasePerson = "Messages.noPhoneNumberForCasePerson";
-	String Messages_noSmsSentForCase = "Messages.noSmsSentForCase";
-	String Messages_numberOfMessages = "Messages.numberOfMessages";
-	String Messages_numberOfMissingPhoneNumbers = "Messages.numberOfMissingPhoneNumbers";
-	String Messages_sendingSms = "Messages.sendingSms";
-	String Messages_sendSMS = "Messages.sendSMS";
-	String Messages_sentBy = "Messages.sentBy";
-	String Messages_sms = "Messages.sms";
+	String messagesCharacters = "messagesCharacters";
+	String messagesEmail = "messagesEmail";
+	String messagesNoPhoneNumberForCasePerson = "messagesNoPhoneNumberForCasePerson";
+	String messagesNoSmsSentForCase = "messagesNoSmsSentForCase";
+	String messagesNumberOfMessages = "messagesNumberOfMessages";
+	String messagesNumberOfMissingPhoneNumbers = "messagesNumberOfMissingPhoneNumbers";
+	String messagesSendingSms = "messagesSendingSms";
+	String messagesSendSMS = "messagesSendSMS";
+	String messagesSentBy = "messagesSentBy";
+	String messagesSms = "messagesSms";
 	String moreActions = "moreActions";
 	String name = "name";
 	String nationalHealthId = "nationalHealthId";

sormas-api/src/main/java/de/symeda/sormas/api/i18n/Strings.java

@@ -629,6 +629,7 @@ public interface Strings {
 	String messageDistrictsArchivingNotPossible = "messageDistrictsArchivingNotPossible";
 	String messageDistrictsDearchived = "messageDistrictsDearchived";
 	String messageDistrictsDearchivingNotPossible = "messageDistrictsDearchivingNotPossible";
+	String messageEnterSms = "messageEnterSms";
 	String messageEntryCreated = "messageEntryCreated";
 	String messageEpiDataHint = "messageEpiDataHint";
 	String messageEpidNumberWarning = "messageEpidNumberWarning";
@@ -724,8 +725,6 @@ public interface Strings {
 	String messageRegionsArchived = "messageRegionsArchived";
 	String messageRegionsArchivingNotPossible = "messageRegionsArchivingNotPossible";
 	String messageRegionsDearchived = "messageRegionsDearchived";
-	String Messages_enterSMS = "Messages.enterSMS";
-	String Messages_smsSent = "Messages.smsSent";
 	String messageSampleErrors = "messageSampleErrors";
 	String messageSampleOpened = "messageSampleOpened";
 	String messageSampleSaved = "messageSampleSaved";
@@ -771,6 +770,7 @@ public interface Strings {
 	String notificationLabSampleShippedShort = "notificationLabSampleShippedShort";
 	String notificationLabSampleShippedShortForContact = "notificationLabSampleShippedShortForContact";
 	String notificationLabSampleShippedShortForEventParticipant = "notificationLabSampleShippedShortForEventParticipant";
+	String notificationSmsSent = "notificationSmsSent";
 	String notificationTaskDueGeneral = "notificationTaskDueGeneral";
 	String notificationTaskDueSpecific = "notificationTaskDueSpecific";
 	String notificationTaskStartGeneral = "notificationTaskStartGeneral";

sormas-api/src/main/java/de/symeda/sormas/api/utils/HtmlHelper.java

@@ -1,35 +1,45 @@
+/*******************************************************************************
+ * SORMAS® - Surveillance Outbreak Response Management & Analysis System
+ * Copyright © 2016-2018 Helmholtz-Zentrum für Infektionsforschung GmbH (HZI)
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ *******************************************************************************/
 package de.symeda.sormas.api.utils;
 
-import org.apache.commons.text.StringEscapeUtils;
+import org.jsoup.Jsoup;
+import org.jsoup.safety.Whitelist;
 
+// This class provides general XSS-Prevention methods using Jsoup.clean
 public class HtmlHelper {
 
-	// unescape specific tags (<b>,<i>,<br>,<li>,<ul>) escaped using StringEscapeUtils.escapeHtml4(String)
-	public static String unescapeBasicTags(String escapedString) {
-		String res = escapedString;
+	public static final Whitelist EventActionWhitelist =
+		Whitelist.relaxed().addTags("hr", "font").addAttributes("font", "size", "face", "color").addAttributes("div", "align");
 
-		// <b> Tags
-		res = res.replaceAll("&lt;b&gt;", "<b>");
-		res = res.replaceAll("&lt;/b&gt;", "</b>");
-		// <i> Tags
-		res = res.replaceAll("&lt;i&gt;", "<i>");
-		res = res.replaceAll("&lt;/i&gt;", "</i>");
-		// <ul> Tags
-		res = res.replaceAll("&lt;ul&gt;", "<ul>");
-		res = res.replaceAll("&lt;/ul&gt;", "</ul>");
-		// <li> Tags
-		res = res.replaceAll("&lt;li&gt;", "<li>");
-		res = res.replaceAll("&lt;/li&gt;", "</li>");
-		// <br> Tags
-		res = res.replaceAll("&lt;br&gt;", "<br>");
-		res = res.replaceAll("&lt;/br&gt;", "<br>");
-		res = res.replaceAll("&lt;br/&gt;", "<br>");
+	public static String cleanHtml(String string) {
+		return (string == null) ? "" : Jsoup.clean(string, Whitelist.none());
+	}
+
+	public static String cleanHtml(String string, Whitelist whitelist) {
+		return (string == null) ? "" : Jsoup.clean(string, whitelist);
+	}
 
-		return res;
+	// this method should be used for i18n-strings and captions so that custom whitelist rules can be added when needed
+	public static String cleanI18nString(String string) {
+		return (string == null) ? "" : Jsoup.clean(string, Whitelist.basic());
 	}
 
-	// escapes html4 and then unescapes specific tags
-	public static String escapeAndUnescapeBasicTags(String text) {
-		return unescapeBasicTags(StringEscapeUtils.escapeHtml4(text));
+	public static String cleanHtmlRelaxed(String string) {
+		return (string == null) ? "" : Jsoup.clean(string, Whitelist.relaxed());
 	}
 }

sormas-api/src/main/resources/captions.properties

@@ -1151,16 +1151,16 @@ LoginSidebar.outbreakResponse=Outbreak Response
 LoginSidebar.poweredBy=Powered By
 
 # Messaging
-Messages.sendSMS=Send SMS
-Messages.sentBy=Sent by
-Messages.noSmsSentForCase=No SMS sent to case person
-Messages.noPhoneNumberForCasePerson=Case person has no phone number
-Messages.sms = SMS
-Messages.email = Email
-Messages.sendingSms = Send new SMS
-Messages.numberOfMissingPhoneNumbers = Number of selected cases without phone number: %s
-Messages.characters = Characters: %d / 160
-Messages.numberOfMessages = Nr. of messages: %d
+messagesSendSMS=Send SMS
+messagesSentBy=Sent by
+messagesNoSmsSentForCase=No SMS sent to case person
+messagesNoPhoneNumberForCasePerson=Case person has no phone number
+messagesSms = SMS
+messagesEmail = Email
+messagesSendingSms = Send new SMS
+messagesNumberOfMissingPhoneNumbers = Number of selected cases without phone number: %s
+messagesCharacters = Characters: %d / 160
+messagesNumberOfMessages = Nr. of messages: %d
 
 # Main Menu
 mainMenuAbout=About

sormas-api/src/main/resources/captions_de-CH.properties

@@ -123,6 +123,7 @@ actionSaveChanges=Änderungen speichern
 actionBackToNationOverview=Zurück zur Nationalübersicht
 actionSettings=Spracheinstellung
 actionNewForm=Neues Formular
+actionOverwrite=Überschreiben
 
 # AdditionalTest
 additionalTestNewTest=Neues Testergebnis
@@ -209,6 +210,7 @@ campaignDashboardSubTabName=Sub-tab name
 campaignDashboardChartWidth=Breite in %
 campaignDashboardChartHeight=Höhe in %
 campaignDashboardOrder=Verfügung
+campaignSearch=Kampagne suchen
 
 Campaign=Kampagne
 Campaign.name=Name
@@ -226,6 +228,7 @@ CampaignFormData.campaign = Kampagne
 CampaignFormData.campaignFormMeta = Formular
 CampaignFormData.formDate = Formulardatum
 CampaignFormData.area = Gebiet
+CampaignFormData.edit=Bearbeiten
 
 # CaseData
 caseCasesList=Fall-Liste
@@ -379,6 +382,7 @@ CaseData.eventCount=Anzahl der Ereignisse
 CaseData.latestEventId=ID des neuesten Ereignisses
 CaseData.latestEventStatus=Aktuellster Ereignisstatus
 CaseData.latestEventTitle=Titel des aktuellsten Ereignisses
+CaseData.latestSampleDateTime=Latest collection date
 CaseData.caseIdIsm=Fall-ID ISM
 CaseData.covidTestReason=Grund für COVID-19-Test
 CaseData.covidTestReasonDetails=Anderer Grund
@@ -390,6 +394,11 @@ CaseData.quarantineReasonBeforeIsolationDetails=Anderer Grund
 CaseData.endOfIsolationReason=Grund des Ende der Isolation
 CaseData.endOfIsolationReasonDetails=Anderer Grund
 CaseData.sormasToSormasOriginInfo=Geteilt von
+CaseData.nosocomialOutbreak=Resulted from nosocomial outbreak
+CaseData.infectionSetting=Infection setting
+CaseData.prohibitionToWork=Prohibition to work
+CaseData.prohibitionToWorkFrom=Prohibition to work from
+CaseData.prohibitionToWorkUntil=Prohibition to work until
 
 # CaseExport
 CaseExport.address=Adresse
@@ -564,6 +573,7 @@ Contact.disease=Krankheit des Indexfalls
 Contact.district=Zuständiger Bezirk
 Contact.epiData=Epidemiologische Daten
 Contact.externalID=Externe ID
+Contact.firstContactDate=Datum des ersten Kontakts
 Contact.firstName=Vorname der Kontaktperson
 Contact.followUpComment=Nachverfolgungs-Status-Kommentar
 Contact.followUpStatus=Nachverfolgungs-Status
@@ -573,6 +583,7 @@ Contact.lastContactDate=Datum des letzten Kontakts
 Contact.lastName=Nachname der Kontaktperson
 Contact.latestEventId=ID des neuesten Ereignisses
 Contact.latestEventTitle=Titel des neuesten Ereignisses
+Contact.multiDayContact=Mehrtägiger Kontakt
 Contact.numberOfVisits=Anzahl der Anrufe
 Contact.person=Kontaktperson
 Contact.quarantine=Quarantäne
@@ -620,6 +631,9 @@ Contact.quarantineOfficialOrderSent=Verfügung verschickt?
 Contact.quarantineOfficialOrderSentDate=Verfügung verschickt am
 Contact.endOfQuarantineReason=Grund des Ende der Quarantäne
 Contact.endOfQuarantineReasonDetails=Anderer Grund
+Contact.prohibitionToWork=Prohibition to work
+Contact.prohibitionToWorkFrom=Prohibition to work from
+Contact.prohibitionToWorkUntil=Prohibition to work until
 
 # ContactExport
 ContactExport.address=Adresse
@@ -867,8 +881,11 @@ Event.informationSource=Informationsquelle
 Event.numberOfPendingTasks=Ausstehende Aufgaben
 Event.reportDateTime=Meldedatum
 Event.reportingUser=Meldender Nutzer
+Event.riskLevel=Risk level
 Event.srcType=Information von
 Event.srcEmail=E-Mail
+Event.srcInstitutionalPartnerType=Source institutional partner
+Event.srcInstitutionalPartnerTypeDetails=Source institutional partner details
 Event.srcFirstName=Vorname der Quelle
 Event.srcLastName=Nachname der Quelle
 Event.srcTelNo=Indexfall Telefonnummer
@@ -1233,6 +1250,7 @@ Person.districtName=Bezirk
 Person.educationType=Bildung
 Person.educationDetails=Details
 Person.fathersName=Name des Vaters
+Person.namesOfOtherGuardians=Names of other guardians
 Person.gestationAgeAtBirth=Gestationsalter bei der Geburt (Wochen)
 Person.healthcare.occupationDetails=Position
 Person.lastDisease=Letzte Krankheit
@@ -1249,6 +1267,7 @@ Person.occupationFacilityType=Art der Einrichtung
 Person.occupationRegion=Kanton der Einrichtung
 Person.occupationType=Beschäftigungsart
 Person.other.occupationDetails=Bitte geben Sie Ihren Beruf an
+Person.armedForcesRelationType=Staff of armed forces
 Person.phone=Telefonnummer
 Person.phoneOwner=Besitzer des Telefons
 Person.placeOfBirthRegion=Geburtskanton
@@ -1939,7 +1958,7 @@ sormasToSormasDialogTitle=Mit Gesundheitsamt teilen
 sormasToSormasErrorDialogTitle=Fehler beim Teilen mit einem anderem Gesundheitsamt
 sormasToSormasListTitle=Teilen
 sormasToSormasShare=Teilen
-sormasToSormasReturn=Return
+sormasToSormasReturn=Zurück
 sormasToSormasCaseNotShared=Dieser Fall ist nicht geteilt
 sormasToSormasContactNotShared=Dieser Kontakt ist nicht geteilt
 sormasToSormasSharedWith=Geteilt mit