SAK-30340 sanitize user input content on save of wiki page

rwiki/rwiki-impl/impl/src/java/uk/ac/cam/caret/sakai/rwiki/component/service/impl/RWikiObjectServiceImpl.java

@@ -64,6 +64,7 @@
 import org.apache.commons.lang.StringUtils;
 import org.springframework.orm.hibernate3.HibernateOptimisticLockingFailureException;
 import org.hibernate.HibernateException;
+import org.sakaiproject.util.api.FormattedText;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 import org.w3c.dom.Node;
@@ -141,6 +142,8 @@ public class RWikiObjectServiceImpl implements RWikiObjectService
 
 	private SecurityService securityService;
 
+	private FormattedText formattedTextService;
+
 	/** Configuration: to run the ddl on init or not. */
 	protected boolean autoDdl = false;
 
@@ -189,7 +192,7 @@ public void init()
 		renderService = (RenderService) load(cm, RenderService.class.getName());
 		preferenceService = (PreferenceService) load(cm,
 				PreferenceService.class.getName());
-
+		formattedTextService = (FormattedText) load(cm, FormattedText.class.getName());
 		userDirectoryService = (UserDirectoryService) load(cm,UserDirectoryService.class.getName());
 		entityManager.registerEntityProducer(this,
 				RWikiObjectService.REFERENCE_ROOT);
@@ -585,12 +588,14 @@ private RWikiHistoryObject updateContent(RWikiCurrentObject rwo,
 
 		if (content != null && !content.equals(rwo.getContent()))
 		{
-
 			// create a history instance
 			RWikiHistoryObject rwho = hdao.createRWikiHistoryObject(rwo);
 
+			// sanitize the content
+			String formattedContent = formattedTextService.escapeHtmlFormattedTextarea(content);
+
 			// set the content and increment the revision
-			rwo.setContent(content.replaceAll("\r\n?", "\n")); //$NON-NLS-1$ //$NON-NLS-2$
+			rwo.setContent(formattedContent.replaceAll("\r\n?", "\n")); //$NON-NLS-1$ //$NON-NLS-2$
 			rwo.setRevision(Integer.valueOf(rwo.getRevision().intValue() + 1));
 
 			// render to get a list of links