changeset 15:1905f2eb6f3b

sanitizing
author one
date Wed, 30 Jul 2014 22:09:33 +0900
parents 96d168910482
children 6f744149f030
files src/main/java/jp/ac/u_ryukyu/ie/cr/shoshi/jungle/bbs/BulletinBoard.java src/main/java/jp/ac/u_ryukyu/ie/cr/shoshi/jungle/bbs/CassandraBulletinBoard.java src/main/java/jp/ac/u_ryukyu/ie/cr/shoshi/jungle/bbs/CreateBoardServlet.java src/main/java/jp/ac/u_ryukyu/ie/cr/shoshi/jungle/bbs/JungleBulletinBoard.java src/main/java/jp/ac/u_ryukyu/ie/cr/shoshi/jungle/bbs/ShowBoardMessageServlet.java src/main/java/jp/ac/u_ryukyu/ie/cr/shoshi/jungle/bbs/ShowBoardsServlet.java
diffstat 6 files changed, 35 insertions(+), 7 deletions(-) [+]
--- a/src/main/java/jp/ac/u_ryukyu/ie/cr/shoshi/jungle/bbs/BulletinBoard.java	Sat Jul 05 16:13:56 2014 +0900
+++ b/src/main/java/jp/ac/u_ryukyu/ie/cr/shoshi/jungle/bbs/BulletinBoard.java	Wed Jul 30 22:09:33 2014 +0900
@@ -6,6 +6,6 @@
 	public void createBoards(String _name,String _author,String _initMessage,String _editKey);
 	public void createBoardMessage(String _board,String _author,String _message,String _editKey);
 	public void editMessage(String _board,String _uuid,String _author,String _message,String _editKey);
-	
+	public String sanitize(String str);
 	public Iterable<BoardMessage> getMessages(String _boardName);
 }
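Review bot: The new `sanitize` method added to the BulletinBoard interface has no Javadoc, so an implementor cannot tell which characters it must escape or that a null argument is passed through unchanged; a one-line contract such as `/** HTML-escapes &, <, >, " and ' in str so it can be written into markup; returns null for null. */` would pin that down. Both implementations in this changeset carry the same escaping code, so this could also live in one static utility method rather than on the storage interface, though that is a design choice rather than a defect.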
--- a/src/main/java/jp/ac/u_ryukyu/ie/cr/shoshi/jungle/bbs/CassandraBulletinBoard.java	Sat Jul 05 16:13:56 2014 +0900
+++ b/src/main/java/jp/ac/u_ryukyu/ie/cr/shoshi/jungle/bbs/CassandraBulletinBoard.java	Wed Jul 30 22:09:33 2014 +0900
@@ -204,5 +204,17 @@
 		
 		template.update(updater);
 	}
+	
+	public String sanitize( String str ) {
+	    if(str==null) {
+	        return str;
+	    }
+	    str = str.replaceAll("&" , "&amp;" );
+	    str = str.replaceAll("<" , "&lt;"  );
+	    str = str.replaceAll(">" , "&gt;"  );
+	    str = str.replaceAll("\"", "&quot;");
+	    str = str.replaceAll("'" , "&#39;" );
+	    return str;
+	 }
 
 }
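Review bot: `replaceAll` on lines 33–37 treats every search string as a regular expression and recompiles it on each call; none of these five characters is a regex metacharacter so the output is correct, but `String.replace(CharSequence, CharSequence)` is the literal-replacement call and avoids the compile, e.g. `str = str.replace("&", "&amp;");`. The `&` replacement correctly comes first, which is what prevents the later entities from being double-escaped, and any refactor should keep that order. This body is byte-for-byte identical to the one added to JungleBulletinBoard in the same changeset, so a shared static helper would keep the two from drifting. The `org.apache.commons.lang.StringEscapeUtils.escapeHtml` already imported in CreateBoardServlet is not a drop-in replacement, because the 2.x API does not escape the single quote and the servlets use single-quoted attributes.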
--- a/src/main/java/jp/ac/u_ryukyu/ie/cr/shoshi/jungle/bbs/CreateBoardServlet.java	Sat Jul 05 16:13:56 2014 +0900
+++ b/src/main/java/jp/ac/u_ryukyu/ie/cr/shoshi/jungle/bbs/CreateBoardServlet.java	Wed Jul 30 22:09:33 2014 +0900
@@ -6,6 +6,8 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.apache.commons.lang.StringEscapeUtils;
+
 public class CreateBoardServlet extends HttpServlet
 {
 	private final BulletinBoard bbs;
@@ -23,10 +25,10 @@
 
 	public void doPost(HttpServletRequest _req,HttpServletResponse _res)
 	{
-		String boardName = _req.getParameter(PARAM_BOARD_NAME);
-		String author = _req.getParameter(PARAM_BOARD_AUTHOR);
-		String msg = _req.getParameter(PARAM_BOARD_INITMESSAGE);
-		String key = _req.getParameter(PARAM_BOARD_EDITKEY);
+		String boardName = StringEscapeUtils.unescapeHtml(_req.getParameter(PARAM_BOARD_NAME));
+		String author = StringEscapeUtils.unescapeHtml(_req.getParameter(PARAM_BOARD_AUTHOR));
+		String msg = StringEscapeUtils.unescapeHtml(_req.getParameter(PARAM_BOARD_INITMESSAGE));
+		String key = StringEscapeUtils.unescapeHtml(_req.getParameter(PARAM_BOARD_EDITKEY));
 		
 		try{
 			bbs.createBoards(boardName,author,msg,key);
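Review bot: `unescapeHtml` on lines 61–64 decodes entities in the raw request parameters before they are stored, so a user who types `&lt;b&gt;` gets `<b>` persisted; that is only safe while every output path escapes again, and it is applied to the edit key too, which means a key containing an entity-like sequence is normalised on creation and must be normalised identically wherever it is later compared (the edit path is not in this diff). Output-side `sanitize` is what makes the page safe, so it is worth asking whether the input decode is needed at all. Separately, no `_req.setCharacterEncoding("UTF-8")` precedes the `getParameter` calls, so a POST body containing non-Latin-1 characters is decoded with the container default (ISO-8859-1 unless the container is configured otherwise); add `_req.setCharacterEncoding("UTF-8");` as the first statement of doPost. doPost's body continues past the end of the hunk.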
--- a/src/main/java/jp/ac/u_ryukyu/ie/cr/shoshi/jungle/bbs/JungleBulletinBoard.java	Sat Jul 05 16:13:56 2014 +0900
+++ b/src/main/java/jp/ac/u_ryukyu/ie/cr/shoshi/jungle/bbs/JungleBulletinBoard.java	Wed Jul 30 22:09:33 2014 +0900
@@ -2,6 +2,7 @@
 
 import java.nio.ByteBuffer;
 import java.util.concurrent.atomic.AtomicInteger;
+
 import jp.ac.u_ryukyu.ie.cr.shoshi.jungle.DefaultJungle;
 import jp.ac.u_ryukyu.ie.cr.shoshi.jungle.Jungle;
 import jp.ac.u_ryukyu.ie.cr.shoshi.jungle.JungleTree;
@@ -206,4 +207,16 @@
 			return uuid;
 		}
 	}
+	
+	public String sanitize( String str ) {
+	    if(str==null) {
+	        return str;
+	    }
+	    str = str.replaceAll("&" , "&amp;" );
+	    str = str.replaceAll("<" , "&lt;"  );
+	    str = str.replaceAll(">" , "&gt;"  );
+	    str = str.replaceAll("\"", "&quot;");
+	    str = str.replaceAll("'" , "&#39;" );
+	    return str;
+	 }
 }
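Review bot: This `sanitize` body is byte-identical to the one added to CassandraBulletinBoard in the same changeset, so the escaping table will drift the first time one copy is patched; moving it into a single static helper that both classes call would remove the duplication. As in the other copy, `replaceAll` compiles a regex for each single-character literal pattern; `str = str.replace("<", "&lt;");` is the literal-replacement call and reads the same. The ordering with `&` first is correct and must be preserved in any refactor.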
--- a/src/main/java/jp/ac/u_ryukyu/ie/cr/shoshi/jungle/bbs/ShowBoardMessageServlet.java	Sat Jul 05 16:13:56 2014 +0900
+++ b/src/main/java/jp/ac/u_ryukyu/ie/cr/shoshi/jungle/bbs/ShowBoardMessageServlet.java	Wed Jul 30 22:09:33 2014 +0900
@@ -40,7 +40,7 @@
 	private void printBoard(String _bname,PrintWriter _pw) throws Exception
 	{
 		_pw.write("<html><body>\n");
-		_pw.write("<h1>"+_bname+"</h1>\n");
+		_pw.write("<h1>"+bbs.sanitize(_bname)+"</h1>\n");
 		
 		_pw.write("<form action='"+createBoardMessagePath+"' method='POST'\n");
 		_pw.write("<p>Author : <input type='text' name='author'/> <input type='hidden' name='bname' value='"+_bname+"'/> EditKey : <input type='text' name='key'/></p>\n");
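Review bot: Line 105 still writes `_bname` raw into the hidden input's `value='...'` attribute, so a board name containing a single quote can still break out of the attribute and the stored XSS this changeset targets remains reachable through this form; it needs the same treatment as the heading, `value='"+bbs.sanitize(_bname)+"'`. The `<form ...>` start tag on line 104 also lacks its closing `>` before the newline, which is pre-existing but worth fixing while here. printBoard continues past the end of the hunk, so any further raw writes of `_bname` or of message fields below are not visible.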
--- a/src/main/java/jp/ac/u_ryukyu/ie/cr/shoshi/jungle/bbs/ShowBoardsServlet.java	Sat Jul 05 16:13:56 2014 +0900
+++ b/src/main/java/jp/ac/u_ryukyu/ie/cr/shoshi/jungle/bbs/ShowBoardsServlet.java	Wed Jul 30 22:09:33 2014 +0900
@@ -26,6 +26,7 @@
 	public void doGet(HttpServletRequest _req,HttpServletResponse _res)
 	{
 		try{
+			_res.setCharacterEncoding("UTF-8");
 			printBoard(_res.getWriter());
 		}catch(Exception _e){
 			_res.setStatus(500);
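Review bot: `setCharacterEncoding("UTF-8")` on line 112 is correctly placed before `getWriter()`, but the charset only reaches the client as part of the Content-Type header, and no `setContentType` call is visible in this hunk; if none exists elsewhere in the servlet, add `_res.setContentType("text/html; charset=UTF-8");` next to it so browsers decode the board names as UTF-8 instead of guessing. doGet's catch block continues past the end of the hunk.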
@@ -46,7 +47,7 @@
 		
 		_pw.write("<h2>list of boards</h2>");
 		for(String board : bbs.getBoards()){
-			_pw.write("<p><a href='"+showBoardMessagePath+"?bname="+board+"'>"+board+"</a></p>");
+			_pw.write("<p><a href='"+showBoardMessagePath+"?bname=" + bbs.sanitize(board) + "'>"+ bbs.sanitize(board) + "</a></p>");
 		}
 		
 		_pw.write("</body></html>");
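Review bot: On line 121 `bbs.sanitize(board)` is an HTML escaper, but inside `?bname=` the value is a URL query component and needs URL encoding: a board name containing a space, `#`, `=`, `&` or non-ASCII characters is emitted unencoded (the `&` becomes `&amp;`, which the browser decodes back to `&` and then treats as a parameter separator). Encode it first and HTML-escape the result for the attribute, e.g. `String q = URLEncoder.encode(board, "UTF-8");` and `"?bname=" + bbs.sanitize(q)`; URLEncoder also percent-encodes the quote, so the attribute cannot be broken out of. The link text `bbs.sanitize(board)` is right as written. This needs `import java.net.URLEncoder;`, which is outside the shown hunks.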