escape card text from cardcast. fixes xss issues.

This commit is contained in:
Andy Janata 2017-02-14 20:21:47 -08:00
parent 15aced170f
commit d919c07a89
3 changed files with 12 additions and 11 deletions


@ -275,7 +275,7 @@
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-lang3</artifactId>
<version>3.1</version>
<version>3.5</version>
</dependency>
<dependency>
<groupId>org.hibernate</groupId>


@ -25,6 +25,7 @@ import javax.net.ssl.X509TrustManager;
import net.socialgamer.cah.cardcast.CardcastModule.CardcastCardId;
import org.apache.commons.lang3.StringEscapeUtils;
import org.apache.commons.lang3.StringUtils;
import org.apache.log4j.Logger;
import org.json.simple.JSONArray;
@ -155,8 +156,8 @@ public class CardcastService {
final String text = StringUtils.join(strs, "____");
final int pick = strs.size() - 1;
final int draw = (pick >= 3 ? pick - 1 : 0);
final CardcastBlackCard card = new CardcastBlackCard(cardIdProvider.get(), text, draw,
pick, setId);
final CardcastBlackCard card = new CardcastBlackCard(cardIdProvider.get(),
StringEscapeUtils.escapeXml11(text), draw, pick, setId);
deck.getBlackCards().add(card);
}
}
@ -192,8 +193,8 @@ public class CardcastService {
final String text = StringUtils.join(strs, "");
// don't add blank cards, they don't do anything
if (!text.isEmpty()) {
final CardcastWhiteCard card = new CardcastWhiteCard(cardIdProvider.get(), text,
setId);
final CardcastWhiteCard card = new CardcastWhiteCard(cardIdProvider.get(),
StringEscapeUtils.escapeXml11(text), setId);
deck.getWhiteCards().add(card);
}
}
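Review bot: The escapeXml11 calls on the CardcastBlackCard and CardcastWhiteCard constructor lines escape at ingest rather than at rendering, so the stored card text now carries entities and every consumer has to treat it as pre-escaped; a sink that escapes again will show `&amp;lt;`, and a sink that embeds it in a JavaScript string or an unquoted attribute is not protected by this escaper, which only rewrites `& < > " '` and XML-invalid control characters. A comment on the constructor line would keep that contract visible, e.g. `// text is stored HTML-escaped (escapeXml11): render verbatim, never escape again`. Since escapeXml11 also drops characters XML 1.1 cannot carry (NUL, U+FFFE, U+FFFF), the white-card blank check is more accurate when run on the escaped value: `final String escaped = StringEscapeUtils.escapeXml11(text); if (!escaped.isEmpty()) {`. Both enclosing loops start outside the hunk, so whether the raw text is used anywhere else before these constructors is not visible here.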


@ -1,16 +1,16 @@
/**
* Copyright (c) 2012, Andy Janata
* Copyright (c) 2012-2017, Andy Janata
* All rights reserved.
*
*
* Redistribution and use in source and binary forms, with or without modification, are permitted
* provided that the following conditions are met:
*
*
* * Redistributions of source code must retain the above copyright notice, this list of conditions
* and the following disclaimer.
* * Redistributions in binary form must reproduce the above copyright notice, this list of
* conditions and the following disclaimer in the documentation and/or other materials provided
* with the distribution.
*
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
* FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR
@ -44,7 +44,7 @@ import com.google.inject.Inject;
/**
* Handler to play a card.
*
*
* @author Andy Janata (ajanata@socialgamer.net)
*/
public class PlayCardHandler extends GameWithPlayerHandler {
@ -74,7 +74,7 @@ public class PlayCardHandler extends GameWithPlayerHandler {
String text = request.getParameter(AjaxRequest.MESSAGE);
if (text != null && text.contains("<")) {
// somebody must be using a hacked client, because this should have been escaped already.
text = StringEscapeUtils.escapeXml(text);
text = StringEscapeUtils.escapeXml11(text);
}
final ErrorCode ec = game.playCard(user, cardId, text);