Commit 11bea8df authored by Liang Ding's avatar Liang Ding

#12515 统一在获取评论时处理 XSS

parent df594eda
......@@ -50,7 +50,7 @@ import java.util.Map;
*
* @author <a href="http://88250.b3log.org">Liang Ding</a>
* @author ArmstrongCN
* @version 1.3.3.2, Oct 5, 2018
* @version 1.3.3.3, Oct 7, 2018
* @since 0.3.1
*/
@RequestProcessor
......@@ -114,7 +114,7 @@ public class CommentProcessor {
* "commentName": "",
* "commentEmail": "",
* "commentURL": "",
* "commentContent": "", // HTML
* "commentContent": "",
* "commentOriginalCommentId": "" // optional, if exists this key, the comment is an reply
*/
@RequestProcessing(value = "/add-page-comment.do", method = HTTPRequestMethod.POST)
......@@ -198,7 +198,7 @@ public class CommentProcessor {
* "commentSharpURL": "",
* "commentThumbnailURL": "",
* "commentOriginalCommentName": "", // if exists this key, the comment is an reply
* "commentContent": "" // HTML
* "commentContent": ""
* }
* </pre>
* </p>
......
......@@ -58,7 +58,7 @@ import java.util.Date;
* Comment management service.
*
* @author <a href="http://88250.b3log.org">Liang Ding</a>
* @version 1.3.3.2, Sep 16, 2018
* @version 1.3.3.3, Oct 7, 2018
* @since 0.3.5
*/
@Service
......@@ -254,7 +254,7 @@ public class CommentMgmtService {
/**
* Checks the specified comment adding request.
* <p>
* XSS process (name, content) in this method.
* XSS process (name) in this method.
* </p>
*
* @param requestJSONObject the specified comment adding request, for example,
......@@ -266,7 +266,7 @@ public class CommentMgmtService {
* "commentURL": "",
* "commentContent": "",
* }
* @return check result, for example, <pre>
* @return check result, for example, <pre>
* {
* "sc": boolean,
* "msg": "" // Exists if "sc" equals to false
......@@ -308,7 +308,6 @@ public class CommentMgmtService {
}
String commentName = requestJSONObject.getString(Comment.COMMENT_NAME);
if (MAX_COMMENT_NAME_LENGTH < commentName.length() || MIN_COMMENT_NAME_LENGTH > commentName.length()) {
LOGGER.log(Level.WARN, "Comment name is too long[{0}]", commentName);
ret.put(Keys.MSG, langPropsService.get("nameTooLongLabel"));
......@@ -345,10 +344,6 @@ public class CommentMgmtService {
ret.put(Keys.STATUS_CODE, true);
// name XSS process
commentName = Jsoup.clean(commentName, Whitelist.none());
requestJSONObject.put(Comment.COMMENT_NAME, commentName);
commentContent = Emotions.toAliases(commentContent);
requestJSONObject.put(Comment.COMMENT_CONTENT, commentContent);
......@@ -382,8 +377,8 @@ public class CommentMgmtService {
* "commentOriginalCommentName": "" // optional, corresponding to argument "commentOriginalCommentId"
* "commentThumbnailURL": "",
* "commentSharpURL": "",
* "commentContent": "", // processed XSS HTML
* "commentName": "", // processed XSS
* "commentContent": "",
* "commentName": "",
* "commentURL": "", // optional
* "isReply": boolean,
* "page": {},
......@@ -515,8 +510,8 @@ public class CommentMgmtService {
* "commentOriginalCommentName": "" // optional, corresponding to argument "commentOriginalCommentId"
* "commentThumbnailURL": "",
* "commentSharpURL": "",
* "commentContent": "", // processed XSS HTML
* "commentName": "", // processed XSS
* "commentContent": "",
* "commentName": "",
* "commentURL": "", // optional
* "isReply": boolean,
* "article": {},
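Review bot: Removing the content sanitization from checkAddCommentRequest (the `@@ -345,10 +344,6 @@` hunk) means commentContent is persisted exactly as submitted, so any consumer that reads comments without going through CommentQueryService — which, as far as this commit shows, is now the only place content is cleaned — will render unsanitized HTML. The visible hunk still cleans the name at write time (`commentName = Jsoup.clean(commentName, Whitelist.none());`), and that asymmetry deserves a sentence in the method Javadoc beyond the shortened "XSS process (name) in this method", for example `Content is stored raw; HTML sanitization of commentContent happens on read in CommentQueryService.`. If other read paths exist (feeds, export, admin views), they need the same `Jsoup.clean(..., Whitelist.relaxed())` before output. The enclosing checkAddCommentRequest body starts and ends outside the hunk.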
......
......@@ -53,7 +53,7 @@ import java.util.List;
* Comment query service.
*
* @author <a href="http://88250.b3log.org">Liang Ding</a>
* @version 1.3.2.2, Oct 5, 2018
* @version 1.3.2.3, Oct 7, 2018
* @since 0.3.5
*/
@Service
......@@ -199,6 +199,10 @@ public class CommentQueryService {
commentContent = Jsoup.clean(commentContent, Whitelist.relaxed());
comment.put(Comment.COMMENT_CONTENT, commentContent);
String commentName = comment.optString(Comment.COMMENT_NAME);
commentName = Jsoup.clean(commentName, Whitelist.none());
comment.put(Comment.COMMENT_NAME, commentName);
comment.put(Comment.COMMENT_TIME, comment.optLong(Comment.COMMENT_CREATED));
comment.remove(Comment.COMMENT_CREATED);
}
......@@ -230,10 +234,8 @@ public class CommentQueryService {
*/
public List<JSONObject> getComments(final String onId) throws ServiceException {
try {
final List<JSONObject> ret = new ArrayList<JSONObject>();
final List<JSONObject> ret = new ArrayList<>();
final List<JSONObject> comments = commentRepository.getComments(onId, 1, Integer.MAX_VALUE);
for (final JSONObject comment : comments) {
comment.put(Comment.COMMENT_TIME, comment.optLong(Comment.COMMENT_CREATED));
comment.put(Comment.COMMENT_T_DATE, new Date(comment.optLong(Comment.COMMENT_CREATED)));
......@@ -246,10 +248,9 @@ public class CommentQueryService {
comment.put(Comment.COMMENT_URL, url);
comment.put(Common.IS_REPLY, false); // Assumes this comment is not a reply
final String email = comment.optString(Comment.COMMENT_EMAIL);
final String thumbnailURL = comment.optString(Comment.COMMENT_THUMBNAIL_URL);
if (StringUtils.isBlank(thumbnailURL)) {
final String email = comment.optString(Comment.COMMENT_EMAIL);
comment.put(Comment.COMMENT_THUMBNAIL_URL, Solos.getGravatarURL(email, "128"));
}
......@@ -264,6 +265,10 @@ public class CommentQueryService {
commentContent = Jsoup.clean(commentContent, Whitelist.relaxed());
comment.put(Comment.COMMENT_CONTENT, commentContent);
String commentName = comment.optString(Comment.COMMENT_NAME);
commentName = Jsoup.clean(commentName, Whitelist.none());
comment.put(Comment.COMMENT_NAME, commentName);
ret.add(comment);
}
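Review bot: The three name-sanitizing lines added in the `@@ -199,6 +199,10 @@` and `@@ -264,6 +265,10 @@` hunks are identical and sit next to the equally duplicated content cleaning; with reading now the only place content is cleaned, a shared private helper keeps the two read paths from drifting apart. Note also that `Jsoup.clean` returns HTML-escaped text, so a name containing `&` or `<` is put back into the JSON as entities; if the template layer escapes again the name may double-encode — worth confirming against the view. The method enclosing the first hunk starts outside it, and getComments continues past the second.
```java
/** Strips all HTML from the comment name in place; names are plain text. */
private static void cleanCommentName(final JSONObject comment) {
    final String commentName = comment.optString(Comment.COMMENT_NAME);
    comment.put(Comment.COMMENT_NAME, Jsoup.clean(commentName, Whitelist.none()));
}
// … unchanged: both call sites replace the three inline lines with cleanCommentName(comment); …
```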
......