Merge pull request SORMAS-Foundation#3083 from hzi-braunschweig/feature-2859-XssHtmlEncoding

Feature 2859 xss html encoding

Author: BarnaBartha

sormas-api/src/main/java/de/symeda/sormas/api/ResourceBundle.java

@@ -1,5 +1,7 @@
 package de.symeda.sormas.api;
 
+import org.apache.commons.text.StringEscapeUtils;
+
 public class ResourceBundle {
 
 	private java.util.ResourceBundle resourceBundle;
@@ -20,7 +22,7 @@ public String getString(String key, String defaultValue) {
 
 		}
 
-		return value;
+		return StringEscapeUtils.escapeHtml4(value);
 	}
 
 	public String getString(String key) {

sormas-api/src/main/java/de/symeda/sormas/api/caze/classification/ClassificationHtmlRenderer.java

@@ -31,6 +31,7 @@
 import de.symeda.sormas.api.utils.DataHelper;
 import de.symeda.sormas.api.utils.DateHelper;
 import de.symeda.sormas.api.utils.InfoProvider;
+import org.apache.commons.text.StringEscapeUtils;
 
 /**
  * Provides methods that create HTML Strings to visualize the automatic classification rules.
@@ -174,7 +175,7 @@ public static String createHtmlForDownload(String sormasServerUrl, List<Disease>
 		html.append("<h1 style=\"text-align: center; color: #005A9C;\">").append(I18nProperties.getString(Strings.classificationClassificationRules)).append("</h1>");
 		html.append("<h4 style=\"text-align: center;\">")
 				.append(I18nProperties.getString(Strings.classificationGeneratedFor))
-				.append(" ").append(InfoProvider.get().getVersion())
+				.append(" ").append(StringEscapeUtils.escapeHtml4(InfoProvider.get().getVersion()))
 				.append(StringUtils.wrap(I18nProperties.getString(Strings.on), " "))
 				.append(sormasServerUrl).append(StringUtils.wrap(I18nProperties.getString(Strings.at), " "))
 				.append(DateHelper.formatLocalDateTime(new Date(), language)).append("</h4>");
@@ -270,9 +271,9 @@ private static String createSurroundingDiv(ClassificationCriteriaType criteriaTy
 		//@formatter:off
 		return "<div class='classification-rules'>"
 				+ "<div class='main-criteria main-criteria-"
-				+ criteriaType.toString()
+				+ StringEscapeUtils.escapeHtml4(criteriaType.toString())
 				+ "'>"
-				+ content
+				+ StringEscapeUtils.escapeHtml4(content)
 				+ "</div></div>";
 		//@formatter:on
 	}
@@ -284,7 +285,7 @@ private static String createHeadlineDiv(String headline) {
 
 		//@formatter:off
 		return "<div class='headline'>"
-				+ headline 
+				+ StringEscapeUtils.escapeHtml4(headline)
 				+ "</div>";
 		//@formatter:on
 	}
@@ -307,7 +308,7 @@ private static String createCriteriaSurroundingDiv(String content) {
 
 		//@formatter:off
 		return "<div class='criteria'>"
-				+ content
+				+ StringEscapeUtils.escapeHtml4(content)
 				+ "</div>";
 		//@formatter:on
 	}
@@ -319,7 +320,7 @@ private static String createSubCriteriaSurroundingDiv(String content) {
 
 		//@formatter:off
 		return "<div class='sub-criteria'><div class='sub-criteria-content'>"
-				+ content
+				+ StringEscapeUtils.escapeHtml4(content)
 				+ "</div></div>";
 		//@formatter:on
 	}
@@ -328,7 +329,7 @@ private static String createSubCriteriaSurroundingDiv(String content) {
 	 * Creates the div for an actual criteria containing its description.
 	 */
 	private static String createCriteriaItemDiv(String text) {
-		return text + "<br/>";
+		return StringEscapeUtils.escapeHtml4(text) + "<br/>";
 	}
 
 	private enum ClassificationCriteriaType {

sormas-ui/src/main/java/de/symeda/sormas/ui/action/ActionListEntry.java

@@ -37,6 +37,7 @@
 import de.symeda.sormas.ui.utils.ButtonHelper;
 import de.symeda.sormas.ui.utils.CssStyles;
 import de.symeda.sormas.ui.utils.DateFormatHelper;
+import org.apache.commons.text.StringEscapeUtils;
 
 @SuppressWarnings("serial")
 public class ActionListEntry extends HorizontalLayout {
@@ -77,11 +78,11 @@ public ActionListEntry(ActionDto action) {
 		descReplyLayout.addStyleName(CssStyles.RICH_TEXT_CONTENT_CONTAINER);
 		withContentLayout.addComponents(descReplyLayout);
 
-		Label description = new Label(action.getDescription(), ContentMode.HTML);
+		Label description = new Label(StringEscapeUtils.escapeHtml4(action.getDescription()), ContentMode.HTML);
 		description.setWidth(100, Unit.PERCENTAGE);
 		descReplyLayout.addComponent(description);
 		if (!Strings.isNullOrEmpty(action.getReply())) {
-			Label replyLabel = new Label(action.getReply(), ContentMode.HTML);
+			Label replyLabel = new Label(StringEscapeUtils.escapeHtml4(action.getReply()), ContentMode.HTML);
 			replyLabel.setWidth(100, Unit.PERCENTAGE);
 			replyLabel.addStyleName(CssStyles.REPLY);
 			descReplyLayout.addComponent(replyLabel);

sormas-ui/src/main/java/de/symeda/sormas/ui/configuration/linelisting/LineListingActiveDistrictsLayout.java

@@ -11,6 +11,7 @@
 import de.symeda.sormas.api.i18n.Strings;
 import de.symeda.sormas.ui.utils.CssStyles;
 import de.symeda.sormas.ui.utils.DateFormatHelper;
+import org.apache.commons.text.StringEscapeUtils;
 
 @SuppressWarnings("serial")
 public class LineListingActiveDistrictsLayout extends CssLayout {
@@ -27,7 +28,7 @@ private void buildLayout() {
 
 		for (FeatureConfigurationIndexDto config : configurations) {
 			StringBuilder captionBuilder = new StringBuilder();
-			captionBuilder.append("<b>").append(config.getDistrictName()).append("</b><br/>");
+			captionBuilder.append("<b>").append(StringEscapeUtils.escapeHtml4(config.getDistrictName())).append("</b><br/>");
 			if (config.getEndDate() != null) {
 				captionBuilder.append(I18nProperties.getString(Strings.until)).append(" ").append(DateFormatHelper.formatDate(config.getEndDate()));
 			} else {

sormas-ui/src/main/java/de/symeda/sormas/ui/configuration/linelisting/LineListingConfigurationEditLayout.java

@@ -24,6 +24,7 @@
 import de.symeda.sormas.api.i18n.Strings;
 import de.symeda.sormas.ui.utils.ButtonHelper;
 import de.symeda.sormas.ui.utils.CssStyles;
+import org.apache.commons.text.StringEscapeUtils;
 
 @SuppressWarnings("serial")
 public class LineListingConfigurationEditLayout extends VerticalLayout {
@@ -66,7 +67,7 @@ private void buildLayout() {
 					I18nProperties.getString(
 						regionName != null ? Strings.infoLineListingConfigurationRegionEdit : Strings.infoLineListingConfigurationNationEdit),
 					disease.toString(),
-					regionName),
+					StringEscapeUtils.escapeHtml4(regionName)),
 			ContentMode.HTML);
 		CssStyles.style(lblInfo, CssStyles.VSPACE_4);
 		addComponent(lblInfo);

sormas-ui/src/main/java/de/symeda/sormas/ui/dashboard/DiseaseBurdenGrid.java

@@ -94,12 +94,9 @@ public String convertToPresentation(Float value, Class<? extends String> targetT
 				String strValue = "" + Math.abs(value);
 				if (strValue.equals("100.0"))
 					strValue = "100";
-//				or use below to remove insignificant decimals
-//				if (strValue.endsWith(".0"))
-//					strValue = strValue.substring(0, strValue.length() - 3);
 
 				//@formatter:off
-				stringRepresentation = 
+				stringRepresentation =
 					  "<div style=\"width:100%\">"
 					+	"<div class=\"\" style=\"display: inline-block;margin-top: 2px;width: 70%;text-align:left;\">" + strValue + "%" + "</div>"
 					+	"<div class=\"v-label v-widget " + criticalLevel + " v-label-" + criticalLevel

sormas-ui/src/main/java/de/symeda/sormas/ui/dashboard/campaigns/CampaignDashboardDiagramComponent.java

@@ -7,6 +7,7 @@
 import de.symeda.sormas.api.i18n.Captions;
 import de.symeda.sormas.api.i18n.I18nProperties;
 import de.symeda.sormas.ui.highcharts.HighChart;
+import org.apache.commons.text.StringEscapeUtils;
 
 import java.math.BigDecimal;
 import java.math.RoundingMode;
@@ -49,7 +50,6 @@ public CampaignDashboardDiagramComponent(
 
 		setMargin(false);
 		addComponent(campaignColumnChart);
-//		setExpandRatio(campaignColumnChart, 1);
 
 		for (CampaignDiagramDataDto diagramData : diagramDataList) {
 			if (!axisKeys.contains(diagramData.getGroupingKey())) {
@@ -106,10 +106,10 @@ public void buildDiagramChart(String title) {
 		}
 
 		//@formatter:off
-		hcjs.append("} } }," 
+		hcjs.append("} } },"
 				+ "legend: { backgroundColor: 'transparent', margin: 30 },"
 				+ "colors: ['#4472C4', '#ED7D31', '#A5A5A5', '#FFC000', '#5B9BD5', '#70AD47', '#FF0000', '#6691C4','#ffba08','#519e8a','#ed254e','#39a0ed','#FF8C00','#344055','#D36135','#82d173'],"
-				+ "title:{ text: '" + title + "', style: { fontSize: '15px' } },");
+				+ "title:{ text: '" + StringEscapeUtils.escapeEcmaScript(title) + "', style: { fontSize: '15px' } },");
 		//@formatter:on
 
 		Map<String, Long> stackMap = diagramDefinition.getCampaignDiagramSeries()
@@ -124,7 +124,7 @@ public void buildDiagramChart(String title) {
 		}
 		hcjs.append("categories: [");
 		for (Object axisKey : axisKeys) {
-			hcjs.append("'").append(axisCaptions.get(axisKey)).append("',");
+			hcjs.append("'").append(StringEscapeUtils.escapeEcmaScript(axisCaptions.get(axisKey))).append("',");
 		}
 		hcjs.append("]},");
 
@@ -166,7 +166,7 @@ public void buildDiagramChart(String title) {
 			Collection<CampaignDiagramDataDto> values = seriesData.values();
 			Iterator<CampaignDiagramDataDto> iterator = values.iterator();
 			final String fieldName = iterator.hasNext() ? iterator.next().getFieldCaption() : seriesKey;
-			hcjs.append("{ name:'").append(fieldName).append("', data: [");
+			hcjs.append("{ name:'").append(StringEscapeUtils.escapeEcmaScript(fieldName)).append("', data: [");
 			for (Object axisKey : axisKeys) {
 				if (seriesData.containsKey(axisKey)) {
 					if (showPercentages && totalValuesMap != null) {
@@ -189,7 +189,7 @@ public void buildDiagramChart(String title) {
 				}
 			}
 			if (series.getStack() != null) {
-				hcjs.append("],stack:'").append(series.getStack()).append("'},");
+				hcjs.append("],stack:'").append(StringEscapeUtils.escapeEcmaScript(series.getStack())).append("'},");
 			} else {
 				hcjs.append("]},");
 			}

sormas-ui/src/main/java/de/symeda/sormas/ui/events/EventController.java

@@ -57,6 +57,7 @@
 import de.symeda.sormas.ui.utils.CommitDiscardWrapperComponent;
 import de.symeda.sormas.ui.utils.CommitDiscardWrapperComponent.CommitListener;
 import de.symeda.sormas.ui.utils.VaadinUiUtil;
+import org.apache.commons.text.StringEscapeUtils;
 
 public class EventController {
 
@@ -397,7 +398,7 @@ public void deleteAllSelectedItems(Collection<EventIndexDto> selectedRows, Runna
 								String.format(
 									I18nProperties.getString(Strings.messageCountEventsNotDeleted),
 									String.format("<b>%s</b>", countNotDeletedEvents),
-									String.format("<b>%s</b>", nonDeletableEvents)),
+									String.format("<b>%s</b>", StringEscapeUtils.escapeHtml4(nonDeletableEvents.toString()))),
 								I18nProperties.getString(Strings.messageEventsNotDeletedReason)),
 							ContentMode.HTML);
 						response.setWidth(600, Sizeable.Unit.PIXELS);

sormas-ui/src/main/java/de/symeda/sormas/ui/statistics/StatisticsView.java

@@ -314,7 +314,7 @@ private void addGenerateButton(VerticalLayout statisticsLayout) {
 			Notification errorNotification = null;
 			for (StatisticsFilterComponent filterComponent : filterComponents) {
 				if (filterComponent.getSelectedAttribute() != StatisticsCaseAttribute.JURISDICTION
-				    && filterComponent.getSelectedAttribute() != StatisticsCaseAttribute.PLACE_OF_RESIDENCE
+					&& filterComponent.getSelectedAttribute() != StatisticsCaseAttribute.PLACE_OF_RESIDENCE
 					&& (filterComponent.getSelectedAttribute() == null
 						|| filterComponent.getSelectedAttribute().getSubAttributes().length > 0
 							&& filterComponent.getSelectedSubAttribute() == null)) {
@@ -544,7 +544,7 @@ public void generateChart() {
 			hcjs.append("xAxis: { categories: [");
 			if (xAxisAttribute != null) {
 				xAxisCaptions.forEach((key, value) -> {
-					hcjs.append("'").append(xAxisCaptions.get(key)).append("',");
+					hcjs.append("'").append(StringEscapeUtils.escapeEcmaScript(xAxisCaptions.get(key))).append("',");
 				});
 
 				if (appendUnknownXAxisCaption) {
@@ -628,7 +628,7 @@ public void generateChart() {
 					seriesValue = value.getIncidence(incidenceDivisor);
 				}
 				Object seriesId = value.getRowKey();
-				hcjs.append("['").append(seriesCaptions.get(seriesId)).append("',").append(seriesValue).append("],");
+				hcjs.append("['").append(StringEscapeUtils.escapeEcmaScript(seriesCaptions.get(seriesId))).append("',").append(seriesValue).append("],");
 			});
 			if (unknownSeriesElement != null) {
 				Object seriesValue;
@@ -1020,7 +1020,7 @@ private List<StatisticsCaseCountDto> generateStatistics() {
 				if (hasMissingPopulationData) {
 					caseIncidencePossible = false;
 					List<String> missingPopulationDataNamesList = FacadeProvider.getRegionFacade().getNamesByIds(missingPopulationDataRegionIds);
-					missingPopulationDataNames = String.join(", ", missingPopulationDataNamesList);
+					missingPopulationDataNames = StringEscapeUtils.escapeEcmaScript(String.join(", ", missingPopulationDataNamesList));
 				}
 			}
 

sormas-ui/src/main/java/de/symeda/sormas/ui/task/TaskGrid.java

@@ -23,9 +23,11 @@
 import com.vaadin.data.provider.DataProvider;
 import com.vaadin.data.provider.ListDataProvider;
 import com.vaadin.shared.data.sort.SortDirection;
+import com.vaadin.ui.Label;
 import com.vaadin.ui.renderers.DateRenderer;
 import com.vaadin.ui.renderers.HtmlRenderer;
 
+import com.vaadin.ui.renderers.TextRenderer;
 import de.symeda.sormas.api.FacadeProvider;
 import de.symeda.sormas.api.Language;
 import de.symeda.sormas.api.ReferenceDto;
@@ -118,14 +120,14 @@ public TaskGrid(TaskCriteria criteria) {
 
 		Column<TaskIndexDto, UserReferenceDto> assigneeUserColumn = (Column<TaskIndexDto, UserReferenceDto>) getColumn(TaskIndexDto.ASSIGNEE_USER);
 		assigneeUserColumn.setRenderer(user -> {
-			String html;
+			String text;
 			if (user != null) {
-				html = ControllerProvider.getTaskController().getUserCaptionWithPendingTaskCount(user);
+				text = ControllerProvider.getTaskController().getUserCaptionWithPendingTaskCount(user);
 			} else {
-				html = "";
+				text = "";
 			}
-			return html;
-		}, new HtmlRenderer());
+			return text;
+		}, new TextRenderer());
 
 		Column<TaskIndexDto, TaskPriority> priorityColumn = (Column<TaskIndexDto, TaskPriority>) getColumn(TaskIndexDto.PRIORITY);
 		priorityColumn.setStyleGenerator(item -> {