escape card text from cardcast. fixes xss issues.
This commit is contained in:
parent
15aced170f
commit
d919c07a89
2
pom.xml
2
pom.xml
|
@ -275,7 +275,7 @@
|
|||
<dependency>
|
||||
<groupId>org.apache.commons</groupId>
|
||||
<artifactId>commons-lang3</artifactId>
|
||||
<version>3.1</version>
|
||||
<version>3.5</version>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.hibernate</groupId>
|
||||
|
|
|
@ -25,6 +25,7 @@ import javax.net.ssl.X509TrustManager;
|
|||
|
||||
import net.socialgamer.cah.cardcast.CardcastModule.CardcastCardId;
|
||||
|
||||
import org.apache.commons.lang3.StringEscapeUtils;
|
||||
import org.apache.commons.lang3.StringUtils;
|
||||
import org.apache.log4j.Logger;
|
||||
import org.json.simple.JSONArray;
|
||||
|
@ -155,8 +156,8 @@ public class CardcastService {
|
|||
final String text = StringUtils.join(strs, "____");
|
||||
final int pick = strs.size() - 1;
|
||||
final int draw = (pick >= 3 ? pick - 1 : 0);
|
||||
final CardcastBlackCard card = new CardcastBlackCard(cardIdProvider.get(), text, draw,
|
||||
pick, setId);
|
||||
final CardcastBlackCard card = new CardcastBlackCard(cardIdProvider.get(),
|
||||
StringEscapeUtils.escapeXml11(text), draw, pick, setId);
|
||||
deck.getBlackCards().add(card);
|
||||
}
|
||||
}
|
||||
|
@ -192,8 +193,8 @@ public class CardcastService {
|
|||
final String text = StringUtils.join(strs, "");
|
||||
// don't add blank cards, they don't do anything
|
||||
if (!text.isEmpty()) {
|
||||
final CardcastWhiteCard card = new CardcastWhiteCard(cardIdProvider.get(), text,
|
||||
setId);
|
||||
final CardcastWhiteCard card = new CardcastWhiteCard(cardIdProvider.get(),
|
||||
StringEscapeUtils.escapeXml11(text), setId);
|
||||
deck.getWhiteCards().add(card);
|
||||
}
|
||||
}
|
||||
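Review bot: The escaping done inside the CardcastBlackCard and CardcastWhiteCard constructor calls happens at ingestion, so the stored card text is now entity-encoded and every consumer must emit it raw into HTML element or attribute content; a renderer that also escapes on output will show users `&amp;amp;` for a literal ampersand, and a non-HTML consumer (a JSON API client, a log line) gets entities instead of text. That contract is not written down anywhere in the hunk, so I would add `// Card text is untrusted (fetched from Cardcast) and is stored already escaped; do not escape it again on output.` above each constructor call, or alternatively store the raw text and escape at the rendering boundary. Note that escapeXml11 handles the five basic XML entities (`<`, `>`, `&`, `"`, `'`) and, per its documentation, some control characters, which is adequate for HTML text and quoted attribute values but not for text interpolated into a JavaScript string. Other Cardcast-supplied strings such as the deck name and description are outside this hunk, so I cannot tell whether they receive the same treatment; the enclosing method starts and ends outside the hunk.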
|
|
|
@ -1,16 +1,16 @@
|
|||
/**
|
||||
* Copyright (c) 2012, Andy Janata
|
||||
* Copyright (c) 2012-2017, Andy Janata
|
||||
* All rights reserved.
|
||||
*
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without modification, are permitted
|
||||
* provided that the following conditions are met:
|
||||
*
|
||||
*
|
||||
* * Redistributions of source code must retain the above copyright notice, this list of conditions
|
||||
* and the following disclaimer.
|
||||
* * Redistributions in binary form must reproduce the above copyright notice, this list of
|
||||
* conditions and the following disclaimer in the documentation and/or other materials provided
|
||||
* with the distribution.
|
||||
*
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
|
||||
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
|
||||
* FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR
|
||||
|
@ -44,7 +44,7 @@ import com.google.inject.Inject;
|
|||
|
||||
/**
|
||||
* Handler to play a card.
|
||||
*
|
||||
*
|
||||
* @author Andy Janata (ajanata@socialgamer.net)
|
||||
*/
|
||||
public class PlayCardHandler extends GameWithPlayerHandler {
|
||||
|
@ -74,7 +74,7 @@ public class PlayCardHandler extends GameWithPlayerHandler {
|
|||
String text = request.getParameter(AjaxRequest.MESSAGE);
|
||||
if (text != null && text.contains("<")) {
|
||||
// somebody must be using a hacked client, because this should have been escaped already.
|
||||
text = StringEscapeUtils.escapeXml(text);
|
||||
text = StringEscapeUtils.escapeXml11(text);
|
||||
}
|
||||
|
||||
final ErrorCode ec = game.playCard(user, cardId, text);
|
||||
|
|
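Review bot: The guard on the `if` just above the escapeXml11 call still only fires on `<`, so message text containing `>`, `"` or `'` sent by a modified client reaches game.playCard unescaped, which is enough for injection wherever that text ends up inside an HTML attribute rather than element content; switching from escapeXml to escapeXml11 does not change that gate. Since the comment already treats any raw markup character as evidence of a hacked client, widen the check to the characters the escaper is there to neutralise, e.g. `if (text != null && StringUtils.containsAny(text, "<>\"'")) {` (StringUtils ships in the same commons-lang3 artifact as StringEscapeUtils, but its import is not visible in this hunk, so it may need adding). `&` is deliberately left out of that set because legitimately pre-escaped text contains it and re-escaping would double-encode it. The enclosing handler method starts and ends outside the hunk.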