minor functional and cosmetic updates to the hub demo portlet and the v3 demo portlet
diff --git a/demo/hub-demo-portlet/src/main/java/org/apache/portals/pluto/demo/hub/ColorSelPortlet.java b/demo/hub-demo-portlet/src/main/java/org/apache/portals/pluto/demo/hub/ColorSelPortlet.java
index a541819..91f6c12 100644
--- a/demo/hub-demo-portlet/src/main/java/org/apache/portals/pluto/demo/hub/ColorSelPortlet.java
+++ b/demo/hub-demo-portlet/src/main/java/org/apache/portals/pluto/demo/hub/ColorSelPortlet.java
@@ -32,6 +32,8 @@
import java.io.IOException;
import java.util.Arrays;
import java.util.Enumeration;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
import javax.portlet.ActionRequest;
import javax.portlet.ActionResponse;
@@ -82,6 +84,8 @@
public void serveResource(ResourceRequest req, ResourceResponse resp)
throws PortletException, IOException {
}
+
+ final static Pattern validMsgChars = Pattern.compile("^[\\w ]+$");
@ActionMethod(portletName="PH-ColorSelPortlet", publishingEvents= {
@PortletQName(namespaceURI="http://www.apache.org/portals/pluto/ResourcePortlet", localPart="Message")
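Review bot: The new `validMsgChars` field is package-private, named like a variable rather than a constant, and placed between `serveResource` and the action method instead of with the class's other fields; `private static final Pattern VALID_MSG_CHARS = Pattern.compile("^[\\w ]+$");` near the top of the class would match the usual convention for a compiled pattern. Note also that `\w` in `java.util.regex` is ASCII-only unless the pattern is compiled with `Pattern.UNICODE_CHARACTER_CLASS`, so a message containing non-ASCII letters is rejected; if that is intended, a short comment on the field saying so would save the next reader a question.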
@@ -118,6 +122,10 @@
String text = req.getActionParameters().getValue(PARAM_MSG_INPUT);
if (text != null) {
+ Matcher m = validMsgChars.matcher(text);
+ if (!m.matches()) {
+ text = "invalid characters.";
+ }
resp.getRenderParameters().setValue(PARAM_MSG_INPUT, text);
}
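Review bot: Storing the literal `"invalid characters."` into the same render parameter `PARAM_MSG_INPUT` that carries an accepted message means the view cannot distinguish a rejected submission from a user who typed that sentence. Leaving the parameter unset on rejection and recording the failure in a separate render parameter (or a debug log line) keeps data and status apart. The empty string also fails the `+` quantifier and is reported as "invalid characters", which the message does not explain. The `Matcher` local is used once, so `if (!validMsgChars.matcher(text).matches())` reads more directly. The enclosing action method begins and ends outside the hunk.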
diff --git a/demo/hub-demo-portlet/src/main/java/org/apache/portals/pluto/demo/hub/ParamTestPortlet.java b/demo/hub-demo-portlet/src/main/java/org/apache/portals/pluto/demo/hub/ParamTestPortlet.java
index 1bd7230..dc92efc 100644
--- a/demo/hub-demo-portlet/src/main/java/org/apache/portals/pluto/demo/hub/ParamTestPortlet.java
+++ b/demo/hub-demo-portlet/src/main/java/org/apache/portals/pluto/demo/hub/ParamTestPortlet.java
@@ -43,11 +43,11 @@
/**
- * A purtlet hub portlet that allows parameter names & values to be entered and set.
+ * A portlet hub portlet that allows parameter names & values to be entered and set.
*
* @author Scott Nicklous
*/
-@PortletConfiguration(portletName = "ParamTestPortlet", publicParams = {"color", "imgName"},
+@PortletConfiguration(portletName = "PH-ParamTestPortlet", publicParams = {"color", "imgName"},
title = @LocaleString("PH Parameter Test Portlet"),
dependencies = @Dependency(name="PortletHub", scope="javax.portlet", version="3.0.0"))
public class ParamTestPortlet extends GenericPortlet {
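Review bot: Changing `portletName` to `PH-ParamTestPortlet` changes the name that page definitions resolve, and the only `pluto-portal-driver-config.xml` hunk in this diff edits a different page. If any `<portlet .../>` entry for the hub demo context still references `ParamTestPortlet`, it will stop resolving after this change, so that configuration is worth checking alongside this rename.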
diff --git a/demo/hub-demo-portlet/src/main/webapp/WEB-INF/jsp/view-ptp.jsp b/demo/hub-demo-portlet/src/main/webapp/WEB-INF/jsp/view-ptp.jsp
index ba5ecea..dbfb0a8 100644
--- a/demo/hub-demo-portlet/src/main/webapp/WEB-INF/jsp/view-ptp.jsp
+++ b/demo/hub-demo-portlet/src/main/webapp/WEB-INF/jsp/view-ptp.jsp
@@ -31,7 +31,7 @@
Entering 'empty' by itself will set the parameter to an empty array.
Leaving the value field empty will set the parameter to an array containing a single empty string.
<p/>
-<p><hr/></p>
+<hr/>
<FORM id='<portlet:namespace/>-setParams' METHOD='POST' onsubmit='return false;' enctype='application/x-www-form-urlencoded' accept-charset='UTF-8'>
<table><tr><td align='left'>
Parameter Name:
@@ -46,7 +46,7 @@
</td></tr></table>
</FORM>
-<p><hr/></p>
+<hr/>
<div id='<portlet:namespace/>-putResourceHere'></div>
@@ -96,27 +96,36 @@
pValue = this[pvid].value,
nstate, vals, ii;
- console.log("PTP: updating parameters. PN=" + pName + ", PV=" + pValue);
-
- nstate = currState.clone();
- if (pValue === 'null') {
- nstate.remove(pName);
+ // limit allowed characters
+ if (/\W/.test(pName) || (pValue.length > 0 && !/^[\w,]+$/.test(pValue))) {
+ console.log("PTP: Bad characters. PN=" + pName + ", PV=" + pValue);
} else {
- if (pValue === 'empty') {
- nstate.parameters[pName] = [];
+
+ console.log("PTP: updating parameters. PN=" + pName + ", PV=" + pValue);
+
+ nstate = currState.clone();
+ if (pValue === 'null') {
+ nstate.remove(pName);
} else {
- vals = pValue.split(",");
- for (ii = 0; ii < vals.length; ii++) {
- if (vals[ii] === 'null') {
- vals[ii] = null;
+ if (pValue === 'empty') {
+ nstate.parameters[pName] = [];
+ } else {
+ vals = pValue.split(",");
+ for (ii = 0; ii < vals.length; ii++) {
+ if (vals[ii] === 'null') {
+ vals[ii] = null;
+ }
}
+ nstate.setValues(pName, vals);
}
- nstate.setValues(pName, vals);
}
+
+ hub.setRenderState(nstate);
}
-
- hub.setRenderState(nstate);
-
+
+ this[pnid].value = '';
+ this[pvid].value = '';
+
event.preventDefault();
});
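Review bot: When the new character check rejects the input, `this[pnid].value = '';` and `this[pvid].value = '';` still run, so a rejected entry is wiped from the form with only a console message to explain why; moving those two assignments into the `else` branch, or writing the rejection text into the page, keeps the user's input available for correction. The check also lets an empty `pName` through, since `/\W/` matches nothing in an empty string, and the parameter is then set under an empty name; `pName.length === 0 ||` in front of the existing condition closes that. This is a client-side convenience only, so whatever renders these parameter values on the server still needs its own escaping. The handler begins outside the hunk.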
diff --git a/demo/v3-demo-portlet/pom.xml b/demo/v3-demo-portlet/pom.xml
index b78d60d..50789bb 100644
--- a/demo/v3-demo-portlet/pom.xml
+++ b/demo/v3-demo-portlet/pom.xml
@@ -44,6 +44,10 @@
<artifactId>tomcat-servlet-api</artifactId>
<scope>provided</scope>
</dependency>
+ <dependency>
+ <groupId>org.apache.commons</groupId>
+ <artifactId>commons-lang3</artifactId>
+ </dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
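Review bot: The new `commons-lang3` dependency carries no `<version>`, so it relies on the parent POM's `dependencyManagement` to pin one; the parent is not part of this diff, so confirm it declares the artifact, otherwise Maven rejects the module POM. Managing the version in one place is the right shape, since it keeps the resolved artifact identical across the demo modules.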
diff --git a/demo/v3-demo-portlet/src/main/java/org/apache/portals/pluto/demo/v3/AuthSCPortlet.java b/demo/v3-demo-portlet/src/main/java/org/apache/portals/pluto/demo/v3/AuthSCPortlet.java
index 6591165..c3807fe 100644
--- a/demo/v3-demo-portlet/src/main/java/org/apache/portals/pluto/demo/v3/AuthSCPortlet.java
+++ b/demo/v3-demo-portlet/src/main/java/org/apache/portals/pluto/demo/v3/AuthSCPortlet.java
@@ -81,10 +81,13 @@
StringBuilder txt = new StringBuilder();
String scText = req.getRenderParameters().getValue(PARAM_STATUSCODE);
- if (scText != null && scText.matches("\\d+")) {
- int sc = Integer.parseInt(scText);
- if (isDebug) {
- logger.debug("Setting HTTP status code to: " + sc);
+ if (scText != null) {
+ int sc = 400; // bad request
+ if (scText.matches("\\d+")) {
+ sc = Integer.parseInt(scText);
+ if (isDebug) {
+ logger.debug("Setting HTTP status code to: " + sc);
+ }
}
resp.setStatus(sc);
}
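Review bot: `scText.matches("\\d+")` accepts any run of digits, so `Integer.parseInt(scText)` on the next line throws `NumberFormatException` for a value longer than ten digits, and values such as `0` or `9999` parse but are not HTTP status codes — the new fall-back to 400 suggests bad input is meant to be tolerated rather than thrown on. Tightening the pattern to `"[1-5]\\d{2}"` keeps the value in 100–599 and makes the overflow impossible, e.g. `int sc = scText.matches("[1-5]\\d{2}") ? Integer.parseInt(scText) : 400;`. The `processAction` hunk below guards `mrp.set(ap)` with the same `"\\d+"` test and should use the same tightened pattern. The rest of the render method is outside the hunk.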
@@ -106,8 +109,11 @@
public void processAction(ActionRequest req, ActionResponse resp)
throws PortletException, IOException {
-
- mrp.set(ap);
+
+ String scText = ap.getValue(PARAM_STATUSCODE);
+ if (scText != null && scText.matches("\\d+")) {
+ mrp.set(ap);
+ }
if (isDebug) {
StringBuffer sb = new StringBuffer();
diff --git a/demo/v3-demo-portlet/src/main/java/org/apache/portals/pluto/demo/v3/LongPortlet.java b/demo/v3-demo-portlet/src/main/java/org/apache/portals/pluto/demo/v3/LongPortlet.java
index 5d50d05..9ebc2b7 100644
--- a/demo/v3-demo-portlet/src/main/java/org/apache/portals/pluto/demo/v3/LongPortlet.java
+++ b/demo/v3-demo-portlet/src/main/java/org/apache/portals/pluto/demo/v3/LongPortlet.java
@@ -21,7 +21,7 @@
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-import static org.apache.portals.pluto.demo.v3.Constants.ATTRIB_LONGLINES;
+import static org.apache.portals.pluto.demo.v3.Constants.*;
import java.io.IOException;
import java.util.ArrayList;
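Review bot: The wildcard `import static ...Constants.*` replaces one explicit import and pulls every constant in `Constants` into this file's namespace, which hides which names the file actually depends on. The validation code in the next hunk needs only `PARAM_FRAG` and `PARAM_LINE` in addition to `ATTRIB_LONGLINES`, so three explicit static imports keep the dependency visible and avoid the wildcard-import lint.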
@@ -171,7 +171,13 @@
public void processAction(ActionRequest req, ActionResponse resp)
throws PortletException, IOException {
- mrp.set(ap);
+ // validate parameters
+
+ String frag = ap.getValue(PARAM_FRAG);
+ String ln = ap.getValue(PARAM_LINE);
+ if (frag != null && frag.matches("^\\w+$") && ln != null && ln.matches("^\\d+$")) {
+ mrp.set(ap);
+ }
if (isDebug) {
StringBuffer sb = new StringBuffer();
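Review bot: When either check fails, `mrp.set(ap)` is skipped without any record, so a request with a malformed `PARAM_LINE` silently leaves the previous render parameters in place; a `logger.debug` under the `isDebug` guard that follows, naming which parameter was rejected, would make that visible. `"^\\d+$"` also accepts arbitrarily long digit strings — if `PARAM_LINE` is later parsed with `Integer.parseInt`, which is not visible here, bound it with something like `ln.matches("\\d{1,9}")`; the `^`/`$` anchors are redundant under `String.matches`, which already requires a full match. `processAction` continues past the hunk.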
diff --git a/demo/v3-demo-portlet/src/main/java/org/apache/portals/pluto/demo/v3/ParamTestPortlet.java b/demo/v3-demo-portlet/src/main/java/org/apache/portals/pluto/demo/v3/ParamTestPortlet.java
index e3fdaa5..9d233bc 100644
--- a/demo/v3-demo-portlet/src/main/java/org/apache/portals/pluto/demo/v3/ParamTestPortlet.java
+++ b/demo/v3-demo-portlet/src/main/java/org/apache/portals/pluto/demo/v3/ParamTestPortlet.java
@@ -18,6 +18,7 @@
package org.apache.portals.pluto.demo.v3;
+import org.apache.commons.lang3.StringEscapeUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -154,8 +155,9 @@
// Get the parameter name & values. Parse values string into individual values.
// if string is 'null', change it into null.
- String pn = ap.getValue(PARAM_NAME);
- String pv = ap.getValue(PARAM_VALUES);
+ // string escape here to avoid xss vulnerability & problem with portlet hub json
+ String pn = StringEscapeUtils.escapeHtml4(ap.getValue(PARAM_NAME));
+ String pv = StringEscapeUtils.escapeHtml4(ap.getValue(PARAM_VALUES));
String[] parsedVals = null;
StringBuilder txt = new StringBuilder("Setting values to ");
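Review bot: `escapeHtml4` is applied when the parameter is read, before `pv` is parsed into values, so what ends up stored in the render parameters is the HTML-escaped form — a value of `a&b` is kept as `a&amp;b`, and any later non-HTML consumer of that parameter (the portlet hub state, a URL, a log line) sees the entity rather than the data. Encoding belongs where the value is written into HTML: keep `pn`/`pv` raw here and call `StringEscapeUtils.escapeHtml4` on the strings appended to `txt` and at any other render site; if the "portlet hub json" problem mentioned in the new comment is real, it needs JSON encoding on that path, not HTML entities. `escapeHtml4(null)` returns null, so the existing null handling is unaffected. The same read-time escaping appears in the `UrlAPTestPortlet`, `UrlRPTestPortlet` and `UrlTestPortlet` hunks that read `PARAM_NAME`/`PARAM_VALUES`. The enclosing method starts and ends outside the hunk.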
diff --git a/demo/v3-demo-portlet/src/main/java/org/apache/portals/pluto/demo/v3/UrlAPTestPortlet.java b/demo/v3-demo-portlet/src/main/java/org/apache/portals/pluto/demo/v3/UrlAPTestPortlet.java
index 9ce2d6f..cc48bf3 100644
--- a/demo/v3-demo-portlet/src/main/java/org/apache/portals/pluto/demo/v3/UrlAPTestPortlet.java
+++ b/demo/v3-demo-portlet/src/main/java/org/apache/portals/pluto/demo/v3/UrlAPTestPortlet.java
@@ -18,6 +18,7 @@
package org.apache.portals.pluto.demo.v3;
+import org.apache.commons.lang3.StringEscapeUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -363,8 +364,12 @@
txt.append(" <table>");
for (String pn : ap.getNames()) {
- String val = ap.getValue(pn);
+ pn = StringEscapeUtils.escapeHtml4(pn);
+ String val = StringEscapeUtils.escapeHtml4(ap.getValue(pn));
String[] vals = ap.getValues(pn);
+ for (int ii=0; ii < vals.length; ii++) {
+ vals[ii] = StringEscapeUtils.escapeHtml4(vals[ii]);
+ }
txt.append(" <tr><td " + style + ">Name: ")
.append(pn)
.append("</td><td " + style + ">Val: ")
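Review bot: `pn` is reassigned to its escaped form before `ap.getValue(pn)` and `ap.getValues(pn)` are called, so for any parameter whose name contains `&`, `<`, `>` or `"` the lookups use a name that does not exist in `ap`; `getValue` then yields null and, if `getValues` returns null for an unknown name, `vals.length` throws. Fetch with the original name and escape afterwards: move `pn = StringEscapeUtils.escapeHtml4(pn);` to just after the `vals` loop, before the first `txt.append`. The loop also escapes `vals` in place — if `getValues` hands back the live array rather than a copy, that mutates the action parameters themselves, so writing the escaped strings into a fresh array avoids depending on either behaviour. The identical loop in `UrlTestPortlet` has the same ordering problem.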
@@ -399,8 +404,9 @@
// Get the parameter name & values. Parse values string into individual values.
// if string is 'null', change it into null.
- String pn = ap.getValue(PARAM_NAME);
- String pv = ap.getValue(PARAM_VALUES);
+ // string escape here to avoid xss vulnerability & problem with portlet hub json
+ String pn = StringEscapeUtils.escapeHtml4(ap.getValue(PARAM_NAME));
+ String pv = StringEscapeUtils.escapeHtml4(ap.getValue(PARAM_VALUES));
String[] parsedVals = null;
txt = new StringBuilder("Setting values to ");
diff --git a/demo/v3-demo-portlet/src/main/java/org/apache/portals/pluto/demo/v3/UrlRPTestPortlet.java b/demo/v3-demo-portlet/src/main/java/org/apache/portals/pluto/demo/v3/UrlRPTestPortlet.java
index 5b648fa..79bf355 100644
--- a/demo/v3-demo-portlet/src/main/java/org/apache/portals/pluto/demo/v3/UrlRPTestPortlet.java
+++ b/demo/v3-demo-portlet/src/main/java/org/apache/portals/pluto/demo/v3/UrlRPTestPortlet.java
@@ -18,6 +18,7 @@
package org.apache.portals.pluto.demo.v3;
+import org.apache.commons.lang3.StringEscapeUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -294,8 +295,9 @@
// Get the parameter name & values. Parse values string into individual values.
// if string is 'null', change it into null.
- String pn = ap.getValue(PARAM_NAME);
- String pv = ap.getValue(PARAM_VALUES);
+ // string escape here to avoid xss vulnerability & problem with portlet hub json
+ String pn = StringEscapeUtils.escapeHtml4(ap.getValue(PARAM_NAME));
+ String pv = StringEscapeUtils.escapeHtml4(ap.getValue(PARAM_VALUES));
String[] parsedVals = null;
StringBuilder txt = new StringBuilder("Setting values to ");
diff --git a/demo/v3-demo-portlet/src/main/java/org/apache/portals/pluto/demo/v3/UrlTestPortlet.java b/demo/v3-demo-portlet/src/main/java/org/apache/portals/pluto/demo/v3/UrlTestPortlet.java
index 40bdd86..f017b2a 100644
--- a/demo/v3-demo-portlet/src/main/java/org/apache/portals/pluto/demo/v3/UrlTestPortlet.java
+++ b/demo/v3-demo-portlet/src/main/java/org/apache/portals/pluto/demo/v3/UrlTestPortlet.java
@@ -18,6 +18,7 @@
package org.apache.portals.pluto.demo.v3;
+import org.apache.commons.lang3.StringEscapeUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -339,8 +340,12 @@
txt.append(" <table>");
for (String pn : ap.getNames()) {
- String val = ap.getValue(pn);
+ pn = StringEscapeUtils.escapeHtml4(pn);
+ String val = StringEscapeUtils.escapeHtml4(ap.getValue(pn));
String[] vals = ap.getValues(pn);
+ for (int ii=0; ii < vals.length; ii++) {
+ vals[ii] = StringEscapeUtils.escapeHtml4(vals[ii]);
+ }
txt.append(" <tr><td " + style + ">Name: ")
.append(pn)
.append("</td><td " + style + ">Val: ")
@@ -374,8 +379,9 @@
// Get the parameter name & values. Parse values string into individual values.
// if string is 'null', change it into null.
- String pn = ap.getValue(PARAM_NAME);
- String pv = ap.getValue(PARAM_VALUES);
+ // string escape here to avoid xss vulnerability & problem with portlet hub json
+ String pn = StringEscapeUtils.escapeHtml4(ap.getValue(PARAM_NAME));
+ String pv = StringEscapeUtils.escapeHtml4(ap.getValue(PARAM_VALUES));
String[] parsedVals = null;
txt = new StringBuilder("Setting values to ");
diff --git a/demo/v3-demo-portlet/src/main/webapp/WEB-INF/jsp/view-ivp.jsp b/demo/v3-demo-portlet/src/main/webapp/WEB-INF/jsp/view-ivp.jsp
index 0c63cea..ad81fac 100644
--- a/demo/v3-demo-portlet/src/main/webapp/WEB-INF/jsp/view-ivp.jsp
+++ b/demo/v3-demo-portlet/src/main/webapp/WEB-INF/jsp/view-ivp.jsp
@@ -64,8 +64,8 @@
// Update function called by the Portlet Hub when an onStatechange event occurs.
update = function (type, state) {
- var bo = state.p.getValue('bo'),
- ca = state.p.getValue('ca', hub.constants.PAGE);
+ var bo = state.getValue('bo'),
+ ca = state.getValue('ca', hub.constants.PAGE);
currState = state;
@@ -76,7 +76,7 @@
resparms = hub.newParameters();
if (bo) {
- resparms.setValue('border', bo);
+ resparms['border'] = [bo];
document.getElementById(border).checked = true;
} else {
document.getElementById(border).checked = false;
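Review bot: `resparms['border'] = [bo]` writes straight into the parameters object's backing structure, while every other state update in this diff goes through the API (`nstate.setValue('ca', c)`, `nstate.remove('bo')`); if the object returned by `hub.newParameters()` offers `setValue`, `resparms.setValue('border', bo)` keeps the two styles consistent and avoids depending on the internal representation. If the direct assignment is deliberate because of an API difference, a one-line comment saying so would stop the next reader from "fixing" it.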
@@ -117,7 +117,7 @@
if (cacheability !== c) {
cacheability = c;
nstate = currState.clone();
- nstate.p.setValue('ca', c);
+ nstate.setValue('ca', c);
hub.setRenderState(nstate);
}
};
@@ -133,9 +133,9 @@
var nstate = currState.clone();
console.log("IVP: border checked: " + this.checked);
if (this.checked) {
- nstate.p.setValue('bo', '#00F');;
+ nstate.setValue('bo', '#00F');;
} else {
- nstate.p.remove('bo');
+ nstate.remove('bo');
}
hub.setRenderState(nstate);
};
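Review bot: The stray second semicolon on `nstate.setValue('bo', '#00F');;` survived the rewrite of that line. Since the line is already changed in this hunk, dropping the extra `;` costs nothing and removes a lint warning.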
diff --git a/demo/v3-demo-portlet/src/main/webapp/WEB-INF/jsp/view-ptp.jsp b/demo/v3-demo-portlet/src/main/webapp/WEB-INF/jsp/view-ptp.jsp
index d04ef3b..03d7707 100644
--- a/demo/v3-demo-portlet/src/main/webapp/WEB-INF/jsp/view-ptp.jsp
+++ b/demo/v3-demo-portlet/src/main/webapp/WEB-INF/jsp/view-ptp.jsp
@@ -50,7 +50,7 @@
Leaving the value field empty will set the parameter to an array containing a single empty string.
<p/>
<p><%=prpStr.toString() %></p>
-<p><hr/></p>
+<hr/>
<%
ActionURL aurl = renderResponse.createActionURL(ALL);
%>
@@ -87,6 +87,6 @@
</td></tr></table>
</FORM>
-<p><hr/></p>
+<hr/>
<%=renderRequest.getAttribute(ATTRIB_PARAMS) %>
-<p><hr/></p>
+<hr/>
diff --git a/pluto-portal/src/main/resources/pluto-portal-driver-config.xml b/pluto-portal/src/main/resources/pluto-portal-driver-config.xml
index 77be57a..c0c18bd 100644
--- a/pluto-portal/src/main/resources/pluto-portal-driver-config.xml
+++ b/pluto-portal/src/main/resources/pluto-portal-driver-config.xml
@@ -198,7 +198,7 @@
</page>
<page name="V2 and V3 Header Tests" uri="/WEB-INF/themes/pluto-default-theme.jsp">
<portlet context="/v3-demo-portlet" name="V3HeaderPortlet"/>
- <portlet context="/ResourcePortlet-PRP" name="ResourcePortlet-PRP"/>
+ <portlet context="/v3-demo-portlet" name="V3ImageViewer"/>
</page>
<page name="Bean Portlet Demo" uri="/WEB-INF/themes/pluto-default-theme.jsp">
<portlet context="/v3-annotated-demo-portlet" name="BeanPortlet"/>