Added: sanitizing featured item content property
GPortas committed Jan 13, 2025
1 parent bff8e94 commit 5c61511
Showing 3 changed files with 10 additions and 2 deletions.
Expand Up @@ -9,6 +9,7 @@
import edu.harvard.iq.dataverse.engine.command.exception.CommandException;
import edu.harvard.iq.dataverse.engine.command.exception.InvalidCommandArgumentsException;
import edu.harvard.iq.dataverse.util.BundleUtil;
import edu.harvard.iq.dataverse.util.MarkupChecker;

import java.io.IOException;
import java.io.InputStream;
Expand All @@ -35,6 +36,7 @@ protected void validateAndSetContent(DataverseFeaturedItem featuredItem, String
this
);
}
content = MarkupChecker.sanitizeBasicHTML(content);
if (content.length() > DataverseFeaturedItem.MAX_FEATURED_ITEM_CONTENT_SIZE) {
throw new InvalidCommandArgumentsException(
MessageFormat.format(
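Review bot: The sanitizer call `content = MarkupChecker.sanitizeBasicHTML(content);` sits after the check whose throw closes just above it but before the length check, so the earlier check (presumably an empty-content guard; its condition is outside the visible lines) runs on the raw input while the size limit runs on the sanitized output. Content made only of stripped markup such as a lone script tag would pass the first check and be stored empty, and since the MarkupCheckerTest cases in this commit show the sanitizer adding `rel="nofollow"` to links, input just under MAX_FEATURED_ITEM_CONTENT_SIZE can grow past it after sanitization and fail with a size error the user cannot see the cause of. Consider sanitizing before the earlier check or re-checking emptiness afterwards, and record the ordering with a comment such as `// Sanitize before the size check so the stored value is what the limit bounds; sanitization may add attributes (e.g. rel="nofollow") and lengthen the content.`. validateAndSetContent starts before this hunk.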
Expand Up @@ -76,6 +76,10 @@ public void testUpdateFeaturedItem() {
// Update featured item: set new image file
updateFeatureItemResponse = UtilIT.updateDataverseFeaturedItem(featuredItemId, "updatedTitle1", 2, false, "src/test/resources/images/coffeeshop.png", apiToken);
verifyUpdatedFeaturedItem(updateFeatureItemResponse, "updatedTitle1", "coffeeshop.png", 2);

// Update featured item: set malicious content which should be sanitized
updateFeatureItemResponse = UtilIT.updateDataverseFeaturedItem(featuredItemId, "<p>hello</p><script>alert('hi')</script>", 2, false, "src/test/resources/images/coffeeshop.png", apiToken);
verifyUpdatedFeaturedItem(updateFeatureItemResponse, "<p>hello</p>", "coffeeshop.png", 2);
}

private String createUserAndGetApiToken() {
Expand All @@ -96,9 +100,9 @@ private Long createFeaturedItemAndGetId(String dataverseAlias, String apiToken,
return createdFeaturedItem.getLong("data.id");
}

private void verifyUpdatedFeaturedItem(Response response, String expectedTitle, String expectedImageFileName, int expectedDisplayOrder) {
private void verifyUpdatedFeaturedItem(Response response, String expectedContent, String expectedImageFileName, int expectedDisplayOrder) {
response.then().assertThat()
.body("data.content", equalTo(expectedTitle))
.body("data.content", equalTo(expectedContent))
.body("data.imageFileName", equalTo(expectedImageFileName))
.body("data.displayOrder", equalTo(expectedDisplayOrder))
.statusCode(OK.getStatusCode());
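Review bot: The new sanitization assertion exercises only the update path, via `updateDataverseFeaturedItem(featuredItemId, "<p>hello</p><script>alert('hi')</script>", ...)`; the create path through createFeaturedItemAndGetId is never called with markup, so if creation validates content separately the regression guard is one-sided (hedged: the create command may share validateAndSetContent, which is not visible here). Passing the same input to the create call and asserting the same `<p>hello</p>` would close that gap. The expected value also pins the sanitizer's exact serialization, so a formatting change in the sanitizer will surface here rather than in the unit test; a comment like `// asserts the sanitizer's exact output; canonical cases live in MarkupCheckerTest` makes that dependency explicit. testUpdateFeaturedItem starts before this hunk.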
Expand Up @@ -23,6 +23,8 @@ public class MarkupCheckerTest {
"'<h1>hello</h2>', '<h1>hello</h1>'",
"'the <a href=\"http://dataverse.org\" target=\"_blank\">Dataverse project</a> in a new window', 'the <a href=\"http://dataverse.org\" target=\"_blank\" rel=\"nofollow\">Dataverse project</a> in a new window'",
"'the <a href=\"http://dataverse.org\">Dataverse project</a> in a new window', 'the <a href=\"http://dataverse.org\" rel=\"nofollow\" target=\"_blank\">Dataverse project</a> in a new window'",
// make sure we keep text as it is when it is not html
"'Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua.', 'Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua.'",
"NULL, NULL"
}, nullValues = {"NULL"})
public void testSanitizeBasicHTML(String unsafe, String safe) {
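Review bot: The new plain-text case asserts that non-HTML text passes through unchanged, but the sample contains no `&`, `<` or `>` characters, so it does not show whether plain text containing them is preserved verbatim or entity-escaped, which is what users writing featured item content would notice. A second case with such a character, with the expected column set to whatever the sanitizer actually emits (I cannot tell from the diff whether it escapes), would document that behavior alongside this one. The added comment could be tightened to `// plain text without markup characters must pass through unchanged`. The parameter list and the body of testSanitizeBasicHTML continue outside the hunk.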
