From c52567dfb4b680dc548eb3bbeba95c5593785848 Mon Sep 17 00:00:00 2001
From: jndamito
Date: Thu, 8 Aug 2024 10:34:43 -0400
Subject: [PATCH] sanitized getRowData XSS
---
 pom.xml | 7 ++++
 .../java/com/bittercode/util/HTMLUtils.java | 10 ++++++
 src/main/java/servlets/StoreBookServlet.java | 35 ++++++++++++-------
 3 files changed, 39 insertions(+), 13 deletions(-)
 create mode 100644 src/main/java/com/bittercode/util/HTMLUtils.java
diff --git a/pom.xml b/pom.xml
index 33310c3b..357fa85a 100644
--- a/pom.xml
+++ b/pom.xml
@@ -71,5 +71,12 @@
 javax.servlet-api 3.1.0 + + + org.apache.commons + commons-text + 1.9 + +
\ No newline at end of file
diff --git a/src/main/java/com/bittercode/util/HTMLUtils.java b/src/main/java/com/bittercode/util/HTMLUtils.java
new file mode 100644
index 00000000..90803353
--- /dev/null
+++ b/src/main/java/com/bittercode/util/HTMLUtils.java
@@ -0,0 +1,10 @@
+package com.bittercode.util;
+
+import org.apache.commons.text.StringEscapeUtils;
+
+public class HTMLUtils {
+
+ public static String escapeHtml(String input) {
+ return StringEscapeUtils.escapeHtml4(input);
+ }
+}
\ No newline at end of file
diff --git a/src/main/java/servlets/StoreBookServlet.java b/src/main/java/servlets/StoreBookServlet.java
index 3e90c1bd..788d1541 100644
--- a/src/main/java/servlets/StoreBookServlet.java
+++ b/src/main/java/servlets/StoreBookServlet.java
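Review bot: The new `commons-text` dependency is pinned to 1.9, a release covered by a published advisory in its `StringSubstitutor` variable interpolation; `escapeHtml4`, the only call this patch makes, is not the affected code path, but dependency scanners will flag the coordinate and the fix is to move to the current 1.x release (the issue was resolved in the release that followed 1.9). The element tags did not survive extraction, so scope and exclusions of the declaration cannot be checked from this hunk. Declaring the version once in a property or `<dependencyManagement>` keeps the next bump to a single edit.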
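Review bot: `escapeHtml4` does not escape the single quote, so `HTMLUtils.escapeHtml` is adequate for element content and double-quoted attribute values but not for single-quoted attributes, inline event handlers, script blocks or URL parameters; that contract belongs in the Javadoc so the next caller does not reuse it for those contexts, e.g. `/** Escapes {@code input} for HTML element content and double-quoted attribute values; returns null for null input. Not sufficient for single-quoted attributes, JavaScript or URL contexts. */`. The class is a stateless utility, so it should be `public final class HTMLUtils` with a `private HTMLUtils() {}` constructor to rule out instantiation and subclassing.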
@@ -16,6 +16,22 @@ import com.bittercode.service.impl.BookServiceImpl;
 import com.bittercode.util.StoreUtil;
+import com.bittercode.model.Book;
+import com.bittercode.service.BookService;
+import com.bittercode.service.impl.BookServiceImpl;
+import com.bittercode.util.HTMLUtils;
+import com.bittercode.util.StoreUtil;
+
+import javax.servlet.RequestDispatcher;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
+import java.io.IOException;
+import java.io.PrintWriter;
+import java.util.List;
+
 public class StoreBookServlet extends HttpServlet {
 // book service for database operations and logics
@@ -34,10 +50,6 @@ public void service(HttpServletRequest req, HttpServletResponse res) throws IOEx
 }
 try {
- // Add/Remove Item from the cart if requested
- // store the comma separated bookIds of cart in the session
- // StoreUtil.updateCartItems(req);
-
 RequestDispatcher rd = req.getRequestDispatcher("SellerHome.html");
 rd.include(req, res);
 pw.println("
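Review bot: Several of the added imports duplicate lines the file already has — `BookServiceImpl` and `StoreUtil` appear both as pre-existing context and as new `+` lines, and `Book`, `BookService` and the `javax.servlet`/`java.io`/`java.util` types were presumably already imported above this hunk since the servlet compiled before this change. Duplicate single-type imports are legal Java but any formatter or linter will flag them, and they hide the one import this change actually needs, `import com.bittercode.util.HTMLUtils;`, which should go into the existing `com.bittercode.util` group. The import block continues above the start of this hunk, so the full set cannot be checked here.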
");
@@ -78,18 +90,15 @@ public void service(HttpServletRequest req, HttpServletResponse res) throws IOEx
 public String getRowData(Book book) {
 return " \r\n"
- + " " + book.getBarcode() + "\r\n"
- + " " + book.getName() + "\r\n"
- + " " + book.getAuthor() + "\r\n"
+ + " " + HTMLUtils.escapeHtml(book.getBarcode()) + "\r\n"
+ + " " + HTMLUtils.escapeHtml(book.getName()) + "\r\n"
+ + " " + HTMLUtils.escapeHtml(book.getAuthor()) + "\r\n"
 + " " + book.getPrice() + "\r\n"
- + " "
- + book.getQuantity()
- + " \r\n"
+ + " " + book.getQuantity() + "\r\n"
 + "
" - + " " + + " " + " " + "
" + " \r\n";
 }
-
-}
+}
\ No newline at end of file
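Review bot: `book.getPrice()` and `book.getQuantity()` are still concatenated unescaped on the context line and the added quantity line directly after the three escaped fields; if both getters return numeric primitives this is harmless, but if either is a `String` it is the same injection path the commit closes for barcode, name and author, so confirm the types in `Book` and route any String-typed value through `HTMLUtils.escapeHtml` as well. The method is public and builds markup for a browser, so it should carry a Javadoc that states the contract this fix establishes, along the lines of `/** Renders one table row for {@code book}; barcode, name and author are HTML-escaped for element-content context, so callers must not escape them again. */`. The markup inside the string literals was lost in extraction, so the changed line pair near the end of the hunk and the interpolation context of each field cannot be verified from this page.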