org.owasp.encoder.Encode Java Examples

Example #1
Source File: RemoveWorkflowServletTest.java    From hop with Apache License 2.0 7 votes vote down vote up
@Test
@PrepareForTest( { Encode.class } )
public void testRemoveWorkflowServletEscapesHtmlWhenPipelineNotFound() throws ServletException, IOException {
  // Capture everything the servlet renders so the page can be inspected afterwards.
  StringWriter rendered = new StringWriter();
  PrintWriter responseWriter = new PrintWriter( rendered );

  HttpServletResponse response = mock( HttpServletResponse.class );
  when( response.getWriter() ).thenReturn( responseWriter );

  // Every request parameter carries the hostile marker string; no workflow matches it,
  // so the servlet has to render its "not found" page with the parameter echoed back.
  HttpServletRequest request = mock( HttpServletRequest.class );
  when( request.getContextPath() ).thenReturn( RemoveWorkflowServlet.CONTEXT_PATH );
  when( request.getParameter( anyString() ) ).thenReturn( ServletTestUtils.BAD_STRING_TO_TEST );

  // Spy the static encoder so verifyStatic below can observe the calls.
  PowerMockito.spy( Encode.class );

  removeWorkflowServlet.doGet( request, response );

  // The <H1> must not contain the raw marker (i.e. the parameter was escaped)...
  String heading = ServletTestUtils.getInsideOfTag( "H1", rendered.toString() );
  assertFalse( ServletTestUtils.hasBadText( heading ) );

  // ...and the escaping must have gone through the OWASP encoder.
  PowerMockito.verifyStatic( atLeastOnce() );
  Encode.forHtml( anyString() );
}
 
Example #2
Source File: StopTransServletTest.java    From pentaho-kettle with Apache License 2.0 6 votes vote down vote up
@Test
@PrepareForTest( { Encode.class } )
public void testWillStopInputStepsOnly() throws ServletException, IOException {
  KettleLogStore.init();

  // Sink for whatever the servlet renders; the page content is not asserted on here.
  StringWriter rendered = new StringWriter();
  PrintWriter responseWriter = new PrintWriter( rendered );

  HttpServletResponse response = mock( HttpServletResponse.class );
  when( response.getWriter() ).thenReturn( responseWriter );

  // A request asking to stop only the input steps of transformation "test" / id "123".
  HttpServletRequest request = mock( HttpServletRequest.class );
  when( request.getContextPath() ).thenReturn( StopTransServlet.CONTEXT_PATH );
  when( request.getParameter( "inputOnly" ) ).thenReturn( "Y" );
  when( request.getParameter( "name" ) ).thenReturn( "test" );
  when( request.getParameter( "id" ) ).thenReturn( "123" );

  // A transformation that the servlet's map resolves for any object entry.
  TransMeta transMeta = mock( TransMeta.class );
  LogChannelInterface logChannel = mock( LogChannelInterface.class );
  Trans trans = mock( Trans.class );
  when( trans.getLogChannel() ).thenReturn( logChannel );
  when( trans.getLogChannelId() ).thenReturn( "test" );
  when( trans.getTransMeta() ).thenReturn( transMeta );
  when( mockTransformationMap.getTransformation( any( CarteObjectEntry.class ) ) ).thenReturn( trans );

  stopTransServlet.doGet( request, response );

  // inputOnly=Y must map to the "safe" stop rather than a hard stop.
  Mockito.verify( trans ).safeStop();
}
 
Example #3
Source File: ForumServlet.java    From document-management-system with GNU General Public License v2.0 6 votes vote down vote up
/**
 * Updates a forum post and mirrors its (new) subject into the title of topic {@code id}.
 *
 * @param id   primary key of the topic whose title follows the post subject
 * @param post the edited post; its subject and message are HTML-encoded in place
 * @throws OKMException wrapping any {@link DatabaseException} raised by the DAO
 */
@Override
public void updateTopic(long id, GWTForumPost post) throws OKMException {
	log.debug("updateTopic({}, {})", id, post.getId());
	updateSessionManager();

	try {
		// Fix XSS issues: HTML-encode the caller-supplied text before it is persisted.
		// NOTE(review): encoding on write means a value that is read back, edited and saved
		// again is encoded a second time (&amp; -> &amp;amp;) unless the client decodes it
		// first; confirm the round trip with the UI before moving the encoding elsewhere.
		String safeSubject = Encode.forHtml(post.getSubject());
		String safeMessage = Encode.forHtml(post.getMessage());
		post.setSubject(safeSubject);
		post.setMessage(safeMessage);

		// Persist the post itself...
		ForumPost storedPost = ForumDAO.findPostByPk(post.getId());
		storedPost.setSubject(safeSubject);
		storedPost.setMessage(safeMessage);
		ForumDAO.update(storedPost);

		// ...and keep the topic title in sync with the post subject.
		ForumTopic storedTopic = ForumDAO.findTopicByPk(id);
		storedTopic.setTitle(safeSubject);
		ForumDAO.update(storedTopic);
	} catch (DatabaseException e) {
		log.error(e.getMessage(), e);
		throw new OKMException(ErrorCode.get(ErrorCode.ORIGIN_OKMForumService, ErrorCode.CAUSE_Database),
				e.getMessage());
	}
}
 
Example #4
Source File: ForumServlet.java    From document-management-system with GNU General Public License v2.0 6 votes vote down vote up
/**
 * Renames / re-describes an existing forum.
 *
 * @param forum the edited forum; its name and description are HTML-encoded in place
 * @throws OKMException wrapping any {@link DatabaseException} raised by the DAO
 */
@Override
public void updateForum(GWTForum forum) throws OKMException {
	log.debug("updateForum()");
	updateSessionManager();

	try {
		// Fix XSS issues: HTML-encode the caller-supplied text before it reaches the database.
		// NOTE(review): encoding on write means an already-stored value that is edited and saved
		// again gets encoded twice unless the client decodes it first — confirm the round trip.
		String safeName = Encode.forHtml(forum.getName());
		String safeDescription = Encode.forHtml(forum.getDescription());
		forum.setName(safeName);
		forum.setDescription(safeDescription);

		Forum stored = ForumDAO.findByPk(forum.getId());
		stored.setName(safeName);
		stored.setDescription(safeDescription);
		ForumDAO.update(stored);
	} catch (DatabaseException e) {
		log.error(e.getMessage(), e);
		throw new OKMException(ErrorCode.get(ErrorCode.ORIGIN_OKMForumService, ErrorCode.CAUSE_Database),
				e.getMessage());
	}
}
 
Example #5
Source File: ForumServlet.java    From document-management-system with GNU General Public License v2.0 6 votes vote down vote up
/**
 * Creates a new forum owned by the current remote user.
 *
 * @param forum the forum to create; name and description are HTML-encoded in place and the
 *              bookkeeping fields (dates, last poster, counters) are overwritten
 * @return a fresh copy of the persisted entity
 * @throws OKMException wrapping any {@link DatabaseException} raised by the DAO
 */
@Override
public GWTForum createForum(GWTForum forum) throws OKMException {
	log.debug("createForum()");
	updateSessionManager();

	try {
		// Fix XSS issues: HTML-encode the caller-supplied text before it is stored.
		// NOTE(review): same write-time encoding caveat as updateForum — confirm the UI does
		// not re-submit already-encoded values.
		forum.setDescription(Encode.forHtml(forum.getDescription()));
		forum.setName(Encode.forHtml(forum.getName()));

		// Brand-new forum: stamp it with "now" and the caller, and zero its counters.
		// The caller-supplied values for these fields are deliberately ignored.
		String creator = getThreadLocalRequest().getRemoteUser();
		forum.setDate(new Date());
		forum.setLastPostDate(new Date());
		forum.setLastPostUser(creator);
		forum.setNumPosts(0);
		forum.setNumTopics(0);

		Forum entity = GWTUtil.copy(forum);
		ForumDAO.create(entity);
		// Return the persisted entity (presumably carrying whatever the DAO assigned), not the input.
		return GWTUtil.copy(entity);
	} catch (DatabaseException e) {
		log.error(e.getMessage(), e);
		throw new OKMException(ErrorCode.get(ErrorCode.ORIGIN_OKMForumService, ErrorCode.CAUSE_Database),
				e.getMessage());
	}
}
 
Example #6
Source File: ForumServlet.java    From document-management-system with GNU General Public License v2.0 6 votes vote down vote up
/**
 * Updates the subject and message of an existing forum post.
 *
 * @param post the edited post; subject and message are HTML-encoded in place
 * @throws OKMException wrapping any {@link DatabaseException} raised by the DAO
 */
@Override
public void updatePost(GWTForumPost post) throws OKMException {
	log.debug("updatePost({})", post.getId());
	updateSessionManager();

	try {
		// Fix XSS issues: HTML-encode the caller-supplied text before it is persisted.
		// NOTE(review): encoding on write means every re-save of an edited post encodes the
		// stored text once more unless the client decodes it first — confirm the round trip.
		String safeSubject = Encode.forHtml(post.getSubject());
		String safeMessage = Encode.forHtml(post.getMessage());
		post.setSubject(safeSubject);
		post.setMessage(safeMessage);

		ForumPost stored = ForumDAO.findPostByPk(post.getId());
		stored.setSubject(safeSubject);
		stored.setMessage(safeMessage);
		ForumDAO.update(stored);
	} catch (DatabaseException e) {
		log.error(e.getMessage(), e);
		throw new OKMException(ErrorCode.get(ErrorCode.ORIGIN_OKMForumService, ErrorCode.CAUSE_Database),
				e.getMessage());
	}
}
 
Example #7
Source File: WikiServlet.java    From document-management-system with GNU General Public License v2.0 6 votes vote down vote up
/**
 * Stores an edited wiki page.
 *
 * @param wikiPage the edited page; title and content are HTML-encoded in place
 * @return a copy of the page as returned by the DAO after the update
 * @throws OKMException if the DAO reports the update failed (returns {@code null}) or raises a
 *                      {@link DatabaseException}
 */
@Override
public GWTWikiPage updateWikiPage(GWTWikiPage wikiPage) throws OKMException {
	log.debug("updateWikiPage({})", wikiPage);

	try {
		// Fix XSS issues: HTML-encode title and content before they are stored.
		// NOTE(review): same write-time encoding caveat as the forum methods — an edited page is
		// encoded again on every save unless the client decodes first; confirm the round trip.
		wikiPage.setTitle(Encode.forHtml(wikiPage.getTitle()));
		wikiPage.setContent(Encode.forHtml(wikiPage.getContent()));

		WikiPage stored = WikiPageDAO.updateWikiPage(GWTUtil.copy(wikiPage));
		if (stored != null) {
			return GWTUtil.copy(stored);
		}
		// The DAO signals a failed update with null rather than with an exception.
		throw new OKMException(ErrorCode.get(ErrorCode.ORIGIN_OKMWikiService, ErrorCode.CAUSE_Database), "Not possible doing update");
	} catch (DatabaseException e) {
		log.error(e.getMessage(), e);
		throw new OKMException(ErrorCode.get(ErrorCode.ORIGIN_OKMWikiService, ErrorCode.CAUSE_Database), e.getMessage());
	}
}
 
Example #8
Source File: StopJobServletTest.java    From pentaho-kettle with Apache License 2.0 6 votes vote down vote up
@Test
@PrepareForTest( { Encode.class } )
public void testStopJobServletEscapesHtmlWhenTransNotFound() throws ServletException, IOException {
  // Capture everything the servlet renders so the page can be inspected afterwards.
  StringWriter rendered = new StringWriter();
  PrintWriter responseWriter = new PrintWriter( rendered );

  HttpServletResponse response = mock( HttpServletResponse.class );
  when( response.getWriter() ).thenReturn( responseWriter );

  // Every request parameter carries the hostile marker string; nothing matches it,
  // so the servlet renders its "not found" page with the parameter echoed back.
  HttpServletRequest request = mock( HttpServletRequest.class );
  when( request.getContextPath() ).thenReturn( StopJobServlet.CONTEXT_PATH );
  when( request.getParameter( anyString() ) ).thenReturn( ServletTestUtils.BAD_STRING_TO_TEST );

  // Spy the static encoder so verifyStatic below can observe the calls.
  PowerMockito.spy( Encode.class );

  stopJobServlet.doGet( request, response );

  // The <H1> must not contain the raw marker (i.e. the parameter was escaped)...
  String heading = ServletTestUtils.getInsideOfTag( "H1", rendered.toString() );
  assertFalse( ServletTestUtils.hasBadText( heading ) );

  // ...and the escaping must have gone through the OWASP encoder.
  PowerMockito.verifyStatic( atLeastOnce() );
  Encode.forHtml( anyString() );
}
 
Example #9
Source File: RemovePipelineServletTest.java    From hop with Apache License 2.0 6 votes vote down vote up
@Test
@PrepareForTest( { Encode.class } )
public void testRemovePipelineServletEscapesHtmlWhenPipelineNotFound() throws ServletException, IOException {
  // Capture everything the servlet renders so the page can be inspected afterwards.
  StringWriter rendered = new StringWriter();
  PrintWriter responseWriter = new PrintWriter( rendered );

  HttpServletResponse response = mock( HttpServletResponse.class );
  when( response.getWriter() ).thenReturn( responseWriter );

  // Every request parameter carries the hostile marker string; no pipeline matches it,
  // so the servlet renders its "not found" page with the parameter echoed back.
  HttpServletRequest request = mock( HttpServletRequest.class );
  when( request.getContextPath() ).thenReturn( RemovePipelineServlet.CONTEXT_PATH );
  when( request.getParameter( anyString() ) ).thenReturn( ServletTestUtils.BAD_STRING_TO_TEST );

  // Spy the static encoder so verifyStatic below can observe the calls.
  PowerMockito.spy( Encode.class );

  removePipelineServlet.doGet( request, response );

  // The <H1> must not contain the raw marker (i.e. the parameter was escaped)...
  String heading = ServletTestUtils.getInsideOfTag( "H1", rendered.toString() );
  assertFalse( ServletTestUtils.hasBadText( heading ) );

  // ...and the escaping must have gone through the OWASP encoder.
  PowerMockito.verifyStatic( atLeastOnce() );
  Encode.forHtml( anyString() );
}
 
Example #10
Source File: StopTransServletTest.java    From pentaho-kettle with Apache License 2.0 6 votes vote down vote up
@Test
@PrepareForTest( { Encode.class } )
public void testStopTransServletEscapesHtmlWhenTransNotFound() throws ServletException, IOException {
  // Capture everything the servlet renders so the page can be inspected afterwards.
  StringWriter rendered = new StringWriter();
  PrintWriter responseWriter = new PrintWriter( rendered );

  HttpServletResponse response = mock( HttpServletResponse.class );
  when( response.getWriter() ).thenReturn( responseWriter );

  // Every request parameter carries the hostile marker string; no transformation matches it,
  // so the servlet renders its "not found" page with the parameter echoed back.
  HttpServletRequest request = mock( HttpServletRequest.class );
  when( request.getContextPath() ).thenReturn( StopTransServlet.CONTEXT_PATH );
  when( request.getParameter( anyString() ) ).thenReturn( ServletTestUtils.BAD_STRING_TO_TEST );

  // Spy the static encoder so verifyStatic below can observe the calls.
  PowerMockito.spy( Encode.class );

  stopTransServlet.doGet( request, response );

  // The <H1> must not contain the raw marker (i.e. the parameter was escaped)...
  String heading = ServletTestUtils.getInsideOfTag( "H1", rendered.toString() );
  assertFalse( ServletTestUtils.hasBadText( heading ) );

  // ...and the escaping must have gone through the OWASP encoder.
  PowerMockito.verifyStatic( atLeastOnce() );
  Encode.forHtml( anyString() );
}
 
Example #11
Source File: StopWorkflowServletTest.java    From hop with Apache License 2.0 6 votes vote down vote up
@Test
@PrepareForTest( { Encode.class } )
public void testStopJobServletEscapesHtmlWhenPipelineNotFound() throws ServletException, IOException {
  // NOTE(review): the method name still says "StopJob" although the servlet exercised is
  // StopWorkflowServlet; looks like a leftover from the Kettle version of this test.

  // Capture everything the servlet renders so the page can be inspected afterwards.
  StringWriter rendered = new StringWriter();
  PrintWriter responseWriter = new PrintWriter( rendered );

  HttpServletResponse response = mock( HttpServletResponse.class );
  when( response.getWriter() ).thenReturn( responseWriter );

  // Every request parameter carries the hostile marker string; no workflow matches it,
  // so the servlet renders its "not found" page with the parameter echoed back.
  HttpServletRequest request = mock( HttpServletRequest.class );
  when( request.getContextPath() ).thenReturn( StopWorkflowServlet.CONTEXT_PATH );
  when( request.getParameter( anyString() ) ).thenReturn( ServletTestUtils.BAD_STRING_TO_TEST );

  // Spy the static encoder so verifyStatic below can observe the calls.
  PowerMockito.spy( Encode.class );

  stopWorkflowServlet.doGet( request, response );

  // The <H1> must not contain the raw marker (i.e. the parameter was escaped)...
  String heading = ServletTestUtils.getInsideOfTag( "H1", rendered.toString() );
  assertFalse( ServletTestUtils.hasBadText( heading ) );

  // ...and the escaping must have gone through the OWASP encoder.
  PowerMockito.verifyStatic( atLeastOnce() );
  Encode.forHtml( anyString() );
}
 
Example #12
Source File: PausePipelineServletTest.java    From hop with Apache License 2.0 6 votes vote down vote up
@Test
@PrepareForTest( { Encode.class } )
public void testPausePipelineServletEscapesHtmlWhenPipelineNotFound() throws ServletException, IOException {
  // Capture everything the servlet renders so the page can be inspected afterwards.
  StringWriter rendered = new StringWriter();
  PrintWriter responseWriter = new PrintWriter( rendered );

  HttpServletResponse response = mock( HttpServletResponse.class );
  when( response.getWriter() ).thenReturn( responseWriter );

  // Every request parameter carries the hostile marker string; no pipeline matches it,
  // so the servlet renders its "not found" page with the parameter echoed back.
  HttpServletRequest request = mock( HttpServletRequest.class );
  when( request.getContextPath() ).thenReturn( PausePipelineServlet.CONTEXT_PATH );
  when( request.getParameter( anyString() ) ).thenReturn( ServletTestUtils.BAD_STRING_TO_TEST );

  // Spy the static encoder so verifyStatic below can observe the calls.
  PowerMockito.spy( Encode.class );

  pausePipelineServlet.doGet( request, response );

  // The <H1> must not contain the raw marker (i.e. the parameter was escaped)...
  String heading = ServletTestUtils.getInsideOfTag( "H1", rendered.toString() );
  assertFalse( ServletTestUtils.hasBadText( heading ) );

  // ...and the escaping must have gone through the OWASP encoder.
  PowerMockito.verifyStatic( atLeastOnce() );
  Encode.forHtml( anyString() );
}
 
Example #13
Source File: StartJobServletTest.java    From pentaho-kettle with Apache License 2.0 6 votes vote down vote up
@Test
@PrepareForTest( { Encode.class } )
public void testStartJobServletEscapesHtmlWhenTransNotFound() throws ServletException, IOException {
  // Capture everything the servlet renders so the page can be inspected afterwards.
  StringWriter rendered = new StringWriter();
  PrintWriter responseWriter = new PrintWriter( rendered );

  HttpServletResponse response = mock( HttpServletResponse.class );
  when( response.getWriter() ).thenReturn( responseWriter );

  // Every request parameter carries the hostile marker string; no job matches it,
  // so the servlet renders its "not found" page with the parameter echoed back.
  HttpServletRequest request = mock( HttpServletRequest.class );
  when( request.getContextPath() ).thenReturn( StartJobServlet.CONTEXT_PATH );
  when( request.getParameter( anyString() ) ).thenReturn( ServletTestUtils.BAD_STRING_TO_TEST );

  // Spy the static encoder so verifyStatic below can observe the calls.
  PowerMockito.spy( Encode.class );

  startJobServlet.doGet( request, response );

  // The <H1> must not contain the raw marker (i.e. the parameter was escaped)...
  String heading = ServletTestUtils.getInsideOfTag( "H1", rendered.toString() );
  assertFalse( ServletTestUtils.hasBadText( heading ) );

  // ...and the escaping must have gone through the OWASP encoder.
  PowerMockito.verifyStatic( atLeastOnce() );
  Encode.forHtml( anyString() );
}
 
Example #14
Source File: RemoveJobServletTest.java    From pentaho-kettle with Apache License 2.0 6 votes vote down vote up
@Test
@PrepareForTest( { Encode.class } )
public void testRemoveJobServletEscapesHtmlWhenTransNotFound() throws ServletException, IOException {
  // Capture everything the servlet renders so the page can be inspected afterwards.
  StringWriter rendered = new StringWriter();
  PrintWriter responseWriter = new PrintWriter( rendered );

  HttpServletResponse response = mock( HttpServletResponse.class );
  when( response.getWriter() ).thenReturn( responseWriter );

  // Every request parameter carries the hostile marker string; no job matches it,
  // so the servlet renders its "not found" page with the parameter echoed back.
  HttpServletRequest request = mock( HttpServletRequest.class );
  when( request.getContextPath() ).thenReturn( RemoveJobServlet.CONTEXT_PATH );
  when( request.getParameter( anyString() ) ).thenReturn( ServletTestUtils.BAD_STRING_TO_TEST );

  // Spy the static encoder so verifyStatic below can observe the calls.
  PowerMockito.spy( Encode.class );

  removeJobServlet.doGet( request, response );

  // The <H1> must not contain the raw marker (i.e. the parameter was escaped)...
  String heading = ServletTestUtils.getInsideOfTag( "H1", rendered.toString() );
  assertFalse( ServletTestUtils.hasBadText( heading ) );

  // ...and the escaping must have gone through the OWASP encoder.
  PowerMockito.verifyStatic( atLeastOnce() );
  Encode.forHtml( anyString() );
}
 
Example #15
Source File: GetWorkflowStatusServletTest.java    From hop with Apache License 2.0 6 votes vote down vote up
@Test
@PrepareForTest( { Encode.class } )
public void testGetJobStatusServletEscapesHtmlWhenPipelineNotFound() throws ServletException, IOException {
  // NOTE(review): the method name says "GetJobStatus" although the servlet exercised is
  // GetWorkflowStatusServlet; looks like a leftover from the Kettle version of this test.

  // Capture everything the servlet renders so the page can be inspected afterwards.
  StringWriter rendered = new StringWriter();
  PrintWriter responseWriter = new PrintWriter( rendered );

  HttpServletResponse response = mock( HttpServletResponse.class );
  when( response.getWriter() ).thenReturn( responseWriter );

  // Every request parameter carries the hostile marker string; no workflow matches it,
  // so the servlet renders its "not found" page with the parameter echoed back.
  HttpServletRequest request = mock( HttpServletRequest.class );
  when( request.getContextPath() ).thenReturn( GetWorkflowStatusServlet.CONTEXT_PATH );
  when( request.getParameter( anyString() ) ).thenReturn( ServletTestUtils.BAD_STRING_TO_TEST );

  // Spy the static encoder so verifyStatic below can observe the calls.
  PowerMockito.spy( Encode.class );

  getWorkflowStatusServlet.doGet( request, response );

  // The <H1> must not contain the raw marker (i.e. the parameter was escaped)...
  String heading = ServletTestUtils.getInsideOfTag( "H1", rendered.toString() );
  assertFalse( ServletTestUtils.hasBadText( heading ) );

  // ...and the escaping must have gone through the OWASP encoder.
  PowerMockito.verifyStatic( atLeastOnce() );
  Encode.forHtml( anyString() );
}
 
Example #16
Source File: CleanupTransServletTest.java    From pentaho-kettle with Apache License 2.0 6 votes vote down vote up
@Test
@PrepareForTest( { Encode.class } )
public void testCleanupTransServletEscapesHtmlWhenTransNotFound() throws ServletException, IOException {
  // Capture everything the servlet renders so the page can be inspected afterwards.
  StringWriter rendered = new StringWriter();
  PrintWriter responseWriter = new PrintWriter( rendered );

  HttpServletResponse response = mock( HttpServletResponse.class );
  when( response.getWriter() ).thenReturn( responseWriter );

  // Every request parameter carries the hostile marker string; no transformation matches it,
  // so the servlet renders its "not found" page with the parameter echoed back.
  HttpServletRequest request = mock( HttpServletRequest.class );
  when( request.getContextPath() ).thenReturn( CleanupTransServlet.CONTEXT_PATH );
  when( request.getParameter( anyString() ) ).thenReturn( ServletTestUtils.BAD_STRING_TO_TEST );

  // Spy the static encoder so verifyStatic below can observe the calls.
  PowerMockito.spy( Encode.class );

  cleanupTransServlet.doGet( request, response );

  // The <H1> must not contain the raw marker (i.e. the parameter was escaped)...
  String heading = ServletTestUtils.getInsideOfTag( "H1", rendered.toString() );
  assertFalse( ServletTestUtils.hasBadText( heading ) );

  // ...and the escaping must have gone through the OWASP encoder.
  PowerMockito.verifyStatic( atLeastOnce() );
  Encode.forHtml( anyString() );
}
 
Example #17
Source File: GetPipelineStatusServletTest.java    From hop with Apache License 2.0 6 votes vote down vote up
@Test
@PrepareForTest( { Encode.class } )
public void testGetPipelineStatusServletEscapesHtmlWhenPipelineNotFound() throws ServletException, IOException {
  // Capture everything the servlet renders so the page can be inspected afterwards.
  StringWriter rendered = new StringWriter();
  PrintWriter responseWriter = new PrintWriter( rendered );

  HttpServletResponse response = mock( HttpServletResponse.class );
  when( response.getWriter() ).thenReturn( responseWriter );

  // Every request parameter carries the hostile marker string; no pipeline matches it,
  // so the servlet renders its "not found" page with the parameter echoed back.
  HttpServletRequest request = mock( HttpServletRequest.class );
  when( request.getContextPath() ).thenReturn( GetPipelineStatusServlet.CONTEXT_PATH );
  when( request.getParameter( anyString() ) ).thenReturn( ServletTestUtils.BAD_STRING_TO_TEST );

  // Spy the static encoder so verifyStatic below can observe the calls.
  PowerMockito.spy( Encode.class );

  getPipelineStatusServlet.doGet( request, response );

  // The <H1> must not contain the raw marker (i.e. the parameter was escaped)...
  String heading = ServletTestUtils.getInsideOfTag( "H1", rendered.toString() );
  assertFalse( ServletTestUtils.hasBadText( heading ) );

  // ...and the escaping must have gone through the OWASP encoder.
  PowerMockito.verifyStatic( atLeastOnce() );
  Encode.forHtml( anyString() );
}
 
Example #18
Source File: SniffStepServletTest.java    From pentaho-kettle with Apache License 2.0 6 votes vote down vote up
@Test
@PrepareForTest( { Encode.class } )
public void testSniffStepServletEscapesHtmlWhenTransNotFound() throws ServletException, IOException {
  // Capture everything the servlet renders so the page can be inspected afterwards.
  StringWriter rendered = new StringWriter();
  PrintWriter responseWriter = new PrintWriter( rendered );

  HttpServletResponse response = mock( HttpServletResponse.class );
  when( response.getWriter() ).thenReturn( responseWriter );

  // Every request parameter carries the hostile marker string; no transformation matches it,
  // so the servlet renders its "not found" page with the parameter echoed back.
  HttpServletRequest request = mock( HttpServletRequest.class );
  when( request.getContextPath() ).thenReturn( SniffStepServlet.CONTEXT_PATH );
  when( request.getParameter( anyString() ) ).thenReturn( ServletTestUtils.BAD_STRING_TO_TEST );

  // Spy the static encoder so verifyStatic below can observe the calls.
  PowerMockito.spy( Encode.class );

  sniffStepServlet.doGet( request, response );

  // The <H1> must not contain the raw marker (i.e. the parameter was escaped)...
  String heading = ServletTestUtils.getInsideOfTag( "H1", rendered.toString() );
  assertFalse( ServletTestUtils.hasBadText( heading ) );

  // ...and the escaping must have gone through the OWASP encoder.
  PowerMockito.verifyStatic( atLeastOnce() );
  Encode.forHtml( anyString() );
}
 
Example #19
Source File: StartWorkflowServletTest.java    From hop with Apache License 2.0 6 votes vote down vote up
@Test
@PrepareForTest( { Encode.class } )
public void testStartWorkflowServletEscapesHtmlWhenPipelineNotFound() throws ServletException, IOException {
  // Capture everything the servlet renders so the page can be inspected afterwards.
  StringWriter rendered = new StringWriter();
  PrintWriter responseWriter = new PrintWriter( rendered );

  HttpServletResponse response = mock( HttpServletResponse.class );
  when( response.getWriter() ).thenReturn( responseWriter );

  // Every request parameter carries the hostile marker string; no workflow matches it,
  // so the servlet renders its "not found" page with the parameter echoed back.
  HttpServletRequest request = mock( HttpServletRequest.class );
  when( request.getContextPath() ).thenReturn( StartWorkflowServlet.CONTEXT_PATH );
  when( request.getParameter( anyString() ) ).thenReturn( ServletTestUtils.BAD_STRING_TO_TEST );

  // Spy the static encoder so verifyStatic below can observe the calls.
  PowerMockito.spy( Encode.class );

  // NOTE(review): the stubbed context path belongs to StartWorkflowServlet, but the request is
  // dispatched through the field named startJobServlet — confirm that field holds the
  // StartWorkflowServlet instance under test (it reads like a Kettle-era leftover).
  startJobServlet.doGet( request, response );

  // The <H1> must not contain the raw marker (i.e. the parameter was escaped)...
  String heading = ServletTestUtils.getInsideOfTag( "H1", rendered.toString() );
  assertFalse( ServletTestUtils.hasBadText( heading ) );

  // ...and the escaping must have gone through the OWASP encoder.
  PowerMockito.verifyStatic( atLeastOnce() );
  Encode.forHtml( anyString() );
}
 
Example #20
Source File: GetJobImageServletTest.java    From pentaho-kettle with Apache License 2.0 6 votes vote down vote up
@Test
public void testGetJobImageServletByJobNameDuplicate() throws Exception {
  Job job = buildJob();

  // Register the same job under two ids so that a lookup by name alone is ambiguous.
  String duplicateJobId = "456";
  jobMap.addJob( JOB_NAME, JOB_ID, job, null );
  jobMap.addJob( JOB_NAME, duplicateJobId, job, null );

  // Look the job up by name only (no id), which is the ambiguous case.
  doReturn( GetJobImageServlet.CONTEXT_PATH ).when( mockHttpServletRequest ).getContextPath( );
  doReturn( JOB_NAME ).when( mockHttpServletRequest ).getParameter( "name" );
  doReturn( USE_XML ).when( mockHttpServletRequest ).getParameter( "xml" );

  StringWriter out = mockWriter();
  spyGetJobImageServlet.doGet( mockHttpServletRequest, spyHttpServletResponse );

  // The duplicate-name error must be rendered, and rendered HTML-encoded.
  String message = BaseMessages.getString( PKG, "GetJobImageServlet.Error.DuplicateJobName", JOB_NAME );
  String expected = Encode.forHtml( message );
  assertTrue( out.toString().contains( expected ) );
}
 
Example #21
Source File: OutputEscapedServlet.java    From JavaSecurity with Apache License 2.0 6 votes vote down vote up
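/**
 * Echoes the submitted name back inside an HTML page, demonstrating output escaping.
 * <p>
 * The value is written twice, each time through the encoder matching its context:
 * {@link Encode#forHtmlAttribute} inside the {@code title='...'} attribute and
 * {@link Encode#forHtml} in the element body.
 *
 * @param request  the form post; only the {@code outputEscapedName} parameter is read
 * @param response receives the rendered HTML
 */
@Override
protected void doPost(HttpServletRequest request, HttpServletResponse response) {
    String name = request.getParameter("outputEscapedName");

    // NOTE(review): the raw parameter goes into the log; a value containing CR/LF can forge
    // extra log lines unless the logging back-end neutralises them.
    log.info("Received {} as name", name);

    // Pin the charset explicitly: with a bare "text/html" the browser has to guess the
    // encoding, and the entity escaping below only holds for the charset the browser decodes with.
    response.setContentType("text/html");
    response.setCharacterEncoding("UTF-8");

    try (PrintWriter out = response.getWriter()) {
        out.println("<html><head>");
        out.println("<title>Cross-Site Scripting (XSS) - Output Escaping</title>");
        out.println("<link rel='stylesheet' type='text/css' href='resources/css/styles.css' />");
        out.println("</head>");
        out.println("<body>");
        out.println("<h1>Cross-Site Scripting (XSS) - Output Escaping</h1>");
        // Attribute context: a single-quoted attribute needs the attribute encoder, not forHtml.
        out.println("<p title='Hello " + Encode.forHtmlAttribute(name) + "'><strong>Hello </strong>");
        // Element-body context: stream the encoded text straight into the writer.
        Encode.forHtml(out, name);
        out.println("</p>");
        out.println("<p><a href='index.jsp'>Home</a></p>");
        out.println("</body></html>");
    } catch (IOException ex) {
        // getWriter() (and the streaming encoder) may fail; the page is simply not delivered.
        log.error(ex.getMessage(), ex);
    }
}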
 
Example #22
Source File: AuthenticationEndpointUtil.java    From carbon-identity-framework with Apache License 2.0 5 votes vote down vote up
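/**
 * Looks up the HTML-encoded message for {@code key} under its base64-derived bundle key.
 * <p>
 * The bundle key is the base64 encoding of the UTF-8 bytes of {@code key}, with every
 * padding character replaced by an underscore (presumably because "=" is the separator in
 * {@code .properties} files). If the bundle has no non-blank value for that key, or the lookup
 * fails for any reason, {@code key} itself is used instead. Either way the result is passed
 * through {@link Encode#forHtml} so it can be written directly into an HTML text context.
 *
 * @param resourceBundle bundle to search
 * @param key            message key to resolve; must not be {@code null}
 * @return the HTML-encoded bundle value, or the HTML-encoded {@code key} when no value is found
 * @throws NullPointerException if {@code key} is {@code null} (raised before the catch-all below)
 */
public static String i18nBase64(ResourceBundle resourceBundle, String key) {
    String base64Key = Base64.encode(key.getBytes(StandardCharsets.UTF_8)).replaceAll(PADDING_CHAR, UNDERSCORE);
    try {
        // One lookup is enough; the previous version consulted the bundle twice for the same key.
        String value = resourceBundle.getString(base64Key);
        return Encode.forHtml(StringUtils.isNotBlank(value) ? value : key);
    } catch (Exception e) {
        // Intentionally catching Exception and if something goes wrong while finding the value for key, return
        // default, not to break the UI
        return Encode.forHtml(key);
    }
}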
 
Example #23
Source File: PrepareExecutionTransServletTest.java    From pentaho-kettle with Apache License 2.0 5 votes vote down vote up
@Test
@PrepareForTest( { Encode.class } )
public void testPauseTransServletEscapesHtmlWhenTransFound() throws ServletException, IOException {
  // NOTE(review): the method name says "PauseTrans" but the servlet exercised is
  // PrepareExecutionTransServlet; looks like a copy-and-paste leftover.
  KettleLogStore.init();

  // Capture everything the servlet renders so the page can be inspected afterwards.
  StringWriter rendered = new StringWriter();
  PrintWriter responseWriter = new PrintWriter( rendered );
  HttpServletResponse response = mock( HttpServletResponse.class );
  when( response.getWriter() ).thenReturn( responseWriter );

  // Every request parameter carries the hostile marker string.
  HttpServletRequest request = mock( HttpServletRequest.class );
  when( request.getContextPath() ).thenReturn( PrepareExecutionTransServlet.CONTEXT_PATH );
  when( request.getParameter( anyString() ) ).thenReturn( ServletTestUtils.BAD_STRING_TO_TEST );

  // A resolvable transformation with just enough wiring for the servlet to reach its HTML output.
  TransMeta transMeta = mock( TransMeta.class );
  when( transMeta.getMaximum() ).thenReturn( new Point( 10, 10 ) );
  LogChannelInterface logChannel = mock( LogChannelInterface.class );
  Trans trans = mock( Trans.class );
  when( trans.getLogChannel() ).thenReturn( logChannel );
  when( trans.getTransMeta() ).thenReturn( transMeta );
  TransExecutionConfiguration executionConf = mock( TransExecutionConfiguration.class );
  TransConfiguration transConf = mock( TransConfiguration.class );
  when( transConf.getTransExecutionConfiguration() ).thenReturn( executionConf );
  when( mockTransformationMap.getTransformation( any( CarteObjectEntry.class ) ) ).thenReturn( trans );
  when( mockTransformationMap.getConfiguration( any( CarteObjectEntry.class ) ) ).thenReturn( transConf );

  // Spy the static encoder so verifyStatic below can observe the calls.
  PowerMockito.spy( Encode.class );

  prepareExecutionTransServlet.doGet( request, response );

  // The <H1> must not contain the raw marker, and the escaping must have used the OWASP encoder.
  String heading = ServletTestUtils.getInsideOfTag( "H1", rendered.toString() );
  assertFalse( ServletTestUtils.hasBadText( heading ) );
  PowerMockito.verifyStatic( atLeastOnce() );
  Encode.forHtml( anyString() );
}
 
Example #24
Source File: IdentityManagementEndpointUtil.java    From carbon-identity-framework with Apache License 2.0 5 votes vote down vote up
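/**
 * Looks up the HTML-encoded message for {@code key} under its base64-derived bundle key.
 * <p>
 * The bundle key is the base64 encoding of the UTF-8 bytes of {@code key}, with every
 * padding character replaced by an underscore (presumably because "=" is the separator in
 * {@code .properties} files). If the bundle has no non-blank value for that key, or the lookup
 * fails for any reason, {@code key} itself is used instead. Either way the result is passed
 * through {@link Encode#forHtml} so it can be written directly into an HTML text context.
 *
 * @param resourceBundle bundle to search
 * @param key            message key to resolve; must not be {@code null}
 * @return the HTML-encoded bundle value, or the HTML-encoded {@code key} when no value is found
 * @throws NullPointerException if {@code key} is {@code null} (raised before the catch-all below)
 */
public static String i18nBase64(ResourceBundle resourceBundle, String key) {

    String base64Key = Base64.encode(key.getBytes(StandardCharsets.UTF_8)).replaceAll(PADDING_CHAR, UNDERSCORE);
    try {
        // One lookup is enough; the previous version consulted the bundle twice for the same key.
        String value = resourceBundle.getString(base64Key);
        return Encode.forHtml(StringUtils.isNotBlank(value) ? value : key);
    } catch (Exception e) {
        // Intentionally catching Exception and if something goes wrong while finding the value for key, return
        // default, not to break the UI
        return Encode.forHtml(key);
    }
}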
 
Example #25
Source File: IdentityManagementEndpointUtil.java    From carbon-identity-framework with Apache License 2.0 5 votes vote down vote up
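/**
 * Looks up the HTML-encoded message for {@code key} in the bundle.
 * <p>
 * If the bundle has no non-blank value for {@code key}, or the lookup fails for any reason
 * (missing entry, {@code null} bundle, ...), {@code key} itself is used instead. Either way the
 * result is passed through {@link Encode#forHtml} so it can be written directly into an HTML
 * text context.
 *
 * @param resourceBundle bundle to search
 * @param key            message key to resolve
 * @return the HTML-encoded bundle value, or the HTML-encoded {@code key} when no value is found
 */
public static String i18n(ResourceBundle resourceBundle, String key) {

    try {
        // One lookup is enough; the previous version consulted the bundle twice for the same key.
        String value = resourceBundle.getString(key);
        return Encode.forHtml(StringUtils.isNotBlank(value) ? value : key);
    } catch (Exception e) {
        // Intentionally catching Exception and if something goes wrong while finding the value for key, return
        // default, not to break the UI
        return Encode.forHtml(key);
    }
}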
 
Example #26
Source File: AuthenticationEndpointUtil.java    From carbon-identity-framework with Apache License 2.0 5 votes vote down vote up
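/**
 * Looks up the HTML-encoded message for {@code key} in the bundle, falling back to the
 * base64-keyed scheme of {@link #i18nBase64(ResourceBundle, String)} (the previous
 * implementation) when the plain lookup fails.
 * <p>
 * Note the asymmetry: a present-but-blank value resolves to {@code key} directly, whereas a
 * missing key (or any other failure) goes through the base64 fallback.
 *
 * @param resourceBundle bundle to search
 * @param key            message key to resolve
 * @return the HTML-encoded value for {@code key}, or whatever {@code i18nBase64} resolves it to
 */
public static String customi18n(ResourceBundle resourceBundle, String key) {

    try {
        // One lookup is enough; the previous version consulted the bundle twice for the same key.
        String value = resourceBundle.getString(key);
        return Encode.forHtml(StringUtils.isNotBlank(value) ? value : key);
    } catch (Exception e) {
        // Any failure (typically a MissingResourceException) falls back to the base64-keyed lookup,
        // which applies its own HTML encoding.
        return i18nBase64(resourceBundle, key);
    }
}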
 
Example #27
Source File: GetJobImageServletTest.java    From pentaho-kettle with Apache License 2.0 5 votes vote down vote up
@Test
public void testGetJobImageServletByCarteObjectIdNotFound() throws Exception {
  // Ask for a job by id without ever registering one, so the lookup must fail.
  doReturn( GetJobImageServlet.CONTEXT_PATH ).when( mockHttpServletRequest ).getContextPath( );
  doReturn( JOB_ID ).when( mockHttpServletRequest ).getParameter( "id" );
  doReturn( USE_XML ).when( mockHttpServletRequest ).getParameter( "xml" );

  StringWriter out = mockWriter();
  spyGetJobImageServlet.doGet( mockHttpServletRequest, spyHttpServletResponse );

  // The "could not find job" message (name "null", the given id) must be rendered HTML-encoded.
  String message = BaseMessages.getString( PKG, "GetJobImageServlet.Error.CoundNotFindJob", "null", JOB_ID );
  String expected = Encode.forHtml( message );
  assertTrue( out.toString().contains( expected ) );
}
 
Example #28
Source File: AllocateServerSocketServletTest.java    From pentaho-kettle with Apache License 2.0 5 votes vote down vote up
@Test
@PrepareForTest( { Encode.class } )
public void testAllocateServerSocketServletEncodesParametersForHmtlResponse() throws ServletException,
  IOException {
  // Spy the static encoder so verifyStatic below can observe the calls.
  PowerMockito.spy( Encode.class );

  // This servlet writes bytes rather than chars, so capture the raw output stream.
  final ByteArrayOutputStream captured = new ByteArrayOutputStream();
  ServletOutputStream responseStream = new ServletOutputStream() {

    @Override
    public void write( int b ) throws IOException {
      captured.write( b );
    }
  };

  HttpServletResponse response = mock( HttpServletResponse.class );
  when( response.getOutputStream() ).thenReturn( responseStream );

  // Every request parameter carries the hostile marker string.
  HttpServletRequest request = mock( HttpServletRequest.class );
  when( request.getContextPath() ).thenReturn( AllocateServerSocketServlet.CONTEXT_PATH );
  when( request.getParameter( anyString() ) ).thenReturn( ServletTestUtils.BAD_STRING_TO_TEST );

  // Any allocation request succeeds, so the servlet renders its success page with the parameters.
  SocketPortAllocation allocation = mock( SocketPortAllocation.class );
  when(
    mockTransformationMap.allocateServerSocketPort(
      anyInt(), anyString(), anyString(), anyString(), anyString(), anyString(), anyString(), anyString(),
      anyString(), anyString() ) ).thenReturn( allocation );

  allocateServerSocketServlet.doGet( request, response );

  // Strip the fixed markup so that only parameter-derived text is inspected.
  // (toString() without a charset decodes with the platform default, as before.)
  String page = captured.toString();
  String dynamicBody = ServletTestUtils.getInsideOfTag( "BODY", page )
    .replaceAll( "<p>", "" )
    .replaceAll( "<br>", "" )
    .replaceAll( "<H1>.+</H1>", "" )
    .replaceAll( "--> port", "" );
  assertFalse( ServletTestUtils.hasBadText( dynamicBody ) );

  PowerMockito.verifyStatic( atLeastOnce() );
  Encode.forHtml( anyString() );
}
 
Example #29
Source File: RemoveTransServletTest.java    From pentaho-kettle with Apache License 2.0 5 votes vote down vote up
@Test
@PrepareForTest( { Encode.class } )
public void testRemoveTransServletEscapesHtmlWhenTransFound() throws ServletException, IOException {
  KettleLogStore.init();

  // Capture everything the servlet renders so the page can be inspected afterwards.
  StringWriter rendered = new StringWriter();
  PrintWriter responseWriter = new PrintWriter( rendered );
  HttpServletResponse response = mock( HttpServletResponse.class );
  when( response.getWriter() ).thenReturn( responseWriter );

  // Every request parameter carries the hostile marker string.
  HttpServletRequest request = mock( HttpServletRequest.class );
  when( request.getContextPath() ).thenReturn( RemoveTransServlet.CONTEXT_PATH );
  when( request.getParameter( anyString() ) ).thenReturn( ServletTestUtils.BAD_STRING_TO_TEST );

  // A resolvable transformation, so the servlet takes its "found" path rather than the error page.
  TransMeta transMeta = mock( TransMeta.class );
  when( transMeta.getMaximum() ).thenReturn( new Point( 10, 10 ) );
  LogChannelInterface logChannel = mock( LogChannelInterface.class );
  Trans trans = mock( Trans.class );
  when( trans.getLogChannel() ).thenReturn( logChannel );
  when( trans.getLogChannelId() ).thenReturn( "test" );
  when( trans.getTransMeta() ).thenReturn( transMeta );
  when( mockTransformationMap.getTransformation( any( CarteObjectEntry.class ) ) ).thenReturn( trans );

  // Spy the static encoder so verifyStatic below can observe the calls.
  PowerMockito.spy( Encode.class );

  removeTransServlet.doGet( request, response );

  // On the "found" page the parameter is echoed inside an <H3>, which must not contain the raw marker...
  String heading = ServletTestUtils.getInsideOfTag( "H3", rendered.toString() );
  assertFalse( ServletTestUtils.hasBadText( heading ) );

  // ...and the escaping must have gone through the OWASP encoder.
  PowerMockito.verifyStatic( atLeastOnce() );
  Encode.forHtml( anyString() );
}
 
Example #30
Source File: FHIRHttpServletRequestWrapper.java    From FHIR with Apache License 2.0 5 votes vote down vote up
/**
 * Collects the query parameters that stand in for HTTP headers into {@code headerQueryParameters}.
 * <p>
 * For every (header name, query parameter name) pair in {@code headerNameMappings}, the
 * parameter's value — when present on the request — is stored under the header name so the
 * "getHeader" style accessors can serve it later. The map is rebuilt from scratch on each call.
 *
 * @param req the incoming request whose query parameters are consulted
 */
private void initQueryParameterValues(HttpServletRequest req) {
    headerQueryParameters = new HashMap<>();
    for (Map.Entry<String, String> mapping : headerNameMappings.entrySet()) {
        String headerValue = req.getParameter(mapping.getValue());
        if (headerValue == null) {
            continue;  // parameter absent from the URI: no synthetic header for it
        }
        headerQueryParameters.put(mapping.getKey(), headerValue);
    }

    if (log.isLoggable(Level.FINER)) {
        // NOTE(review): forHtml() is an HTML-context encoder; whether it neutralises CR/LF (and
        // therefore guards against log forging) depends on the encoder version — confirm what
        // the log sink does with newlines before relying on it for that purpose.
        log.finer("Retrieved these 'header' query parameters from the request URI: "
                + Encode.forHtml(headerQueryParameters.toString()));
    }
}