8968 - added custom StringEscapper

dataquest-dev · Oct 6, 2023 · 103c8ee · 103c8ee
1 parent bf6e042
commit 103c8ee
Show file tree

Hide file tree

Showing 2 changed files with 53 additions and 2 deletions.
diff --git a/dspace-api/src/main/java/org/dspace/util/StringEscapeUtils.java b/dspace-api/src/main/java/org/dspace/util/StringEscapeUtils.java
@@ -0,0 +1,49 @@
+/**
+ * The contents of this file are subject to the license and copyright
+ * detailed in the LICENSE and NOTICE files at the root of the source
+ * tree and available online at
+ *
+ * http://www.dspace.org/license/
+ */
+package org.dspace.util;
+
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.Map;
+
+import org.apache.commons.text.translate.AggregateTranslator;
+import org.apache.commons.text.translate.CharSequenceTranslator;
+import org.apache.commons.text.translate.EntityArrays;
+import org.apache.commons.text.translate.LookupTranslator;
+
+public class StringEscapeUtils extends org.apache.commons.text.StringEscapeUtils {
+    public static final CharSequenceTranslator ESCAPE_MAIL;
+    static {
+        final Map<CharSequence, CharSequence> escapeMailMap = new HashMap<>();
+        escapeMailMap.put("#", "&#35");
+        ESCAPE_MAIL = new AggregateTranslator(
+                new LookupTranslator(EntityArrays.BASIC_ESCAPE),
+                new LookupTranslator(EntityArrays.APOS_ESCAPE),
+                new LookupTranslator(Collections.unmodifiableMap(escapeMailMap))
+        );
+    }
+
+     /**
+     * Escapes the characters in a {@code String} using custom rules to avoid XSS attacks.
+     *
+     * <p>Escapes user-entered text that is sent with mail to avoid possible XSS attacks.
+     * It escapes double-quote, ampersand, less-than, greater-than, apostrophe, number sign (", &, <, >,',#) </p>
+     *
+     * <p>Example:</p>
+     * <pre>
+     * input string: <div attr="*x" onblur="alert(1)*"> lá lé lí ló LÚ pingüino & yo # </div>!!"
+     * output string: &lt;div attr=&quot;*x&quot; onblur=&quot;alert(1)*&quot;&gt; lá lé lí ló LÚ pingüino &amp; yo &#35 &lt;/div&gt;!!
+     * </pre>
+     *
+     * @param input  String to escape values in, may be null
+     * @return String with escaped values, {@code null} if null string input
+     */
+    public static final String escapeMail(final String input) {
+        return ESCAPE_MAIL.translate(input);
+    }
+}
diff --git a/dspace-server-webapp/src/main/java/org/dspace/app/rest/repository/RequestItemRepository.java b/dspace-server-webapp/src/main/java/org/dspace/app/rest/repository/RequestItemRepository.java
@@ -42,6 +42,7 @@
 import org.dspace.core.Context;
 import org.dspace.eperson.EPerson;
 import org.dspace.services.ConfigurationService;
+import org.dspace.util.StringEscapeUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.data.domain.Page;
 import org.springframework.data.domain.Pageable;
@@ -172,10 +173,11 @@ public RequestItemRest createAndReturn(Context ctx)
             username = user.getFullName();
         } else { // An anonymous session may provide a name.
             // Escape username to evade nasty XSS attempts
-            username = rir.getRequestName();
+            username = StringEscapeUtils.escapeMail(rir.getRequestName());
         }
 
-        String message = rir.getRequestMessage();
+        // Requester's message text, escaped to evade nasty XSS attempts
+        String message = StringEscapeUtils.escapeMail(rir.getRequestMessage());
 
         // Create the request.
         String token;