Reintroduced jsoup to the search results

Updated the jquery version to 3.3.1
doecode · Mar 19, 2018 · c20a2ef · c20a2ef
1 parent f26cfa5
commit c20a2ef
Show file tree

Hide file tree

Showing 6 changed files with 21 additions and 16 deletions.
diff --git a/pom.xml b/pom.xml
@@ -403,6 +403,12 @@
             <artifactId>commons-email</artifactId>
             <version>1.5</version>
         </dependency>
+        <!--Jsoup (for cleaning out script tags to prevent XSS attacks)-->
+        <dependency>
+            <groupId>org.jsoup</groupId>
+            <artifactId>jsoup</artifactId>
+            <version>1.11.2</version>
+        </dependency>
         <!--Logging-->
         <dependency>
             <groupId>ch.qos.logback</groupId>

diff --git a/src/main/java/gov/osti/doecode/entity/SearchFunctions.java b/src/main/java/gov/osti/doecode/entity/SearchFunctions.java
@@ -23,6 +23,8 @@
 import javax.servlet.ServletContext;
 import javax.servlet.http.HttpServletRequest;
 import org.apache.commons.lang3.StringUtils;
+import org.jsoup.Jsoup;
+import org.jsoup.safety.Whitelist;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -63,17 +65,17 @@ private static ObjectNode doSearchPost(HttpServletRequest request, String api_ur
 
           //Get all of the data into a postable object
           ObjectNode post_data = new ObjectNode(JsonObjectUtils.FACTORY_INSTANCE);
-          post_data.put("all_fields", StringUtils.defaultIfBlank(request.getParameter("all_fields"), ""));
-          post_data.put("software_title", StringUtils.defaultIfBlank(request.getParameter("software_title"), ""));
-          post_data.put("developers_contributors", StringUtils.defaultIfBlank(request.getParameter("developers_contributors"), ""));
-          post_data.put("biblio_data", StringUtils.defaultIfBlank(request.getParameter("biblio_data"), ""));
-          post_data.put("identifiers", StringUtils.defaultIfBlank(request.getParameter("identifiers"), ""));
-          post_data.put("date_earliest", StringUtils.defaultIfBlank(request.getParameter("date_earliest"), ""));
-          post_data.put("date_latest", StringUtils.defaultIfBlank(request.getParameter("date_latest"), ""));
+          post_data.put("all_fields", Jsoup.clean(StringUtils.defaultIfBlank(request.getParameter("all_fields"), ""), Whitelist.basic()));
+          post_data.put("software_title", Jsoup.clean(StringUtils.defaultIfBlank(request.getParameter("software_title"), ""), Whitelist.basic()));
+          post_data.put("developers_contributors", Jsoup.clean(StringUtils.defaultIfBlank(request.getParameter("developers_contributors"), ""), Whitelist.basic()));
+          post_data.put("biblio_data", Jsoup.clean(StringUtils.defaultIfBlank(request.getParameter("biblio_data"), ""), Whitelist.basic()));
+          post_data.put("identifiers", Jsoup.clean(StringUtils.defaultIfBlank(request.getParameter("identifiers"), ""), Whitelist.basic()));
+          post_data.put("date_earliest", Jsoup.clean(StringUtils.defaultIfBlank(request.getParameter("date_earliest"), ""), Whitelist.basic()));
+          post_data.put("date_latest", Jsoup.clean(StringUtils.defaultIfBlank(request.getParameter("date_latest"), ""), Whitelist.basic()));
           post_data.put("start", start);
           post_data.put("rows", rows);
-          post_data.put("sort", StringUtils.defaultIfBlank(request.getParameter("sort"), ""));
-          post_data.put("orcid", StringUtils.defaultIfBlank(request.getParameter("orcid"), ""));
+          post_data.put("sort", Jsoup.clean(StringUtils.defaultIfBlank(request.getParameter("sort"), ""), Whitelist.basic()));
+          post_data.put("orcid", Jsoup.clean(StringUtils.defaultIfBlank(request.getParameter("orcid"), ""), Whitelist.basic()));
 
           post_data.put("accessibility", handleRequestArray(request.getParameter("accessibility")));
           post_data.put("licenses", handleRequestArray(request.getParameter("licenses")));
@@ -393,7 +395,7 @@ private static ArrayNode handleRequestArray(String value) {
           if (StringUtils.isNotBlank(value) && !StringUtils.equals("[]", value)) {
                ArrayNode temp_array = new ArrayNode(JsonObjectUtils.FACTORY_INSTANCE);
                for (JsonNode v : JsonObjectUtils.parseArrayNode(value)) {
-                    temp_array.add(v.asText());
+                    temp_array.add(Jsoup.clean(v.asText(), Whitelist.basic()));
                }
                request_array = temp_array;
           }

diff --git a/web/WEB-INF/templates/search/search-form.mustache b/web/WEB-INF/templates/search/search-form.mustache
@@ -1,4 +1,3 @@
-<!--Unashamedly, we have this in its own thing-->
 <form id='search-page-form' method='POST' action='/{{app_name}}/results' accept-charset="UTF-8">
      <input class="search-form-input" type='hidden' id='search-all_fields' name='all_fields' value='{{search_form_data.all_fields}}' data-dtype="string"/>
      <input class="search-form-input" type='hidden' id='search-software_title' name='software_title' value='{{search_form_data.software_title}}' data-dtype="string"/>

diff --git a/web/WEB-INF/templates/wrapper/script-includes.mustache b/web/WEB-INF/templates/wrapper/script-includes.mustache
@@ -1,4 +1,4 @@
-<script src='/{{app_name}}/js/libraries/jquery-3.1.1.min.js' type='text/javascript' defer></script>
+<script src='/{{app_name}}/js/libraries/jquery-3.3.1.min.js' type='text/javascript' defer></script>
 <noscript>Your browser does not support JavaScript!</noscript>
 
 <script src='/{{app_name}}/js/libraries/jquery-ui.min.js' type='text/javascript' defer></script>

diff --git a/web/js/libraries/jquery-3.1.1.min.js b/web/js/libraries/jquery-3.1.1.min.js
diff --git a/web/js/libraries/jquery-3.3.1.min.js b/web/js/libraries/jquery-3.3.1.min.js