SAK-42253: revert 9c0fa8b

Author: bjones86

deploy/pom.xml

@@ -495,11 +495,6 @@
             <artifactId>commons-validator</artifactId>
             <scope>compile</scope>
         </dependency>
-        <dependency>
-            <groupId>org.apache.commons</groupId>
-            <artifactId>commons-text</artifactId>
-            <scope>compile</scope>
-        </dependency>
         <dependency>
             <groupId>org.apache.httpcomponents</groupId>
             <artifactId>httpcore</artifactId>

kernel/api/src/main/java/org/sakaiproject/util/api/FormattedText.java

@@ -250,7 +250,6 @@ public String processFormattedText(final String strFromBrowser, StringBuilder er
      * @param value
      *        The text containing entity references (e.g., a News item description).
      * @return The HTML, ready for processing.
-     * @see https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/web/util/HtmlUtils.html#htmlUnescape-java.lang.String-
      */
     public String unEscapeHtml(String value);
 
@@ -460,13 +459,4 @@ public String processFormattedText(final String strFromBrowser, StringBuilder er
       */
      public String getHtmlBody(String text);
 
-    /**
-     * Sanitizes the user input to prevent XSS attacks.
-     *
-     * @param userInput The value to sanitize.
-     * @return A sanitized user input.
-     * @see https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/web/util/HtmlUtils.html#htmlEscape-java.lang.String-java.lang.String-
-     */
-     public String sanitizeUserInput(final String userInput);
-
 }

kernel/api/src/main/java/org/sakaiproject/util/api/MockFormattedText.java

@@ -223,11 +223,5 @@ public String getHtmlBody(String text) {
 		// TODO Auto-generated method stub
 		return getHtmlBody(null);
 	}
-
-     @Override
-     public String sanitizeUserInput(final String userInput){
-        log.warn(WARNING);
-        return userInput;
-    }
-
+    
 }

kernel/kernel-impl/pom.xml

@@ -247,10 +247,6 @@
             <groupId>org.hibernate</groupId>
             <artifactId>hibernate-core</artifactId>
         </dependency>
-        <dependency>
-            <groupId>org.springframework</groupId>
-            <artifactId>spring-web</artifactId>
-        </dependency>
         <dependency>
             <groupId>org.javassist</groupId>
             <artifactId>javassist</artifactId>

kernel/kernel-impl/src/main/java/org/sakaiproject/user/impl/BaseUserDirectoryService.java

@@ -1519,11 +1519,11 @@ public User addUser(String id, String eid, String firstName, String lastName, St
 		UserEdit edit = addUser(id, eid);
 
 		// fill in the fields
-		edit.setLastName(formattedText().sanitizeUserInput(lastName));
-		edit.setFirstName(formattedText().sanitizeUserInput(firstName));
-		edit.setEmail(formattedText().sanitizeUserInput(email));
+		edit.setLastName(lastName);
+		edit.setFirstName(firstName);
+		edit.setEmail(email);
 		edit.setPassword(pw);
-		edit.setType(formattedText().sanitizeUserInput(type));
+		edit.setType(type);
 
 		ResourcePropertiesEdit props = edit.getPropertiesEdit();
 		if (properties != null)
@@ -1769,43 +1769,44 @@ protected void addLiveUpdateProperties(BaseUserEdit edit)
 		edit.m_lastModifiedInstant = Instant.now();
 	}
 
-    /**
-     * Adjust the id - trim it to null. Note: eid case insensitive option does NOT apply to id.
-     *
-     * @param id
-     *        The id to clean up.
-     * @return A cleaned up id.
-     */
-    protected String cleanId(String id) {
-        if(StringUtils.isEmpty(id)){
-            return null;
-        }
-        // if we are not doing separate id and eid, use the eid rules
-        if (!m_separateIdEid) {
-            id = cleanEid(id);
-        }
-        id = formattedText().sanitizeUserInput(id);
-        // max length for an id is 99 chars
+	/**
+	 * Adjust the id - trim it to null. Note: eid case insensitive option does NOT apply to id.
+	 *
+	 * @param id
+	 *        The id to clean up.
+	 * @return A cleaned up id.
+	 */
+	protected String cleanId(String id)
+	{
+		// if we are not doing separate id and eid, use the eid rules
+		if (!m_separateIdEid) {
+		    id = cleanEid(id);
+		}
+		id = StringUtils.trimToNull(id);
+		// max length for an id is 99 chars
         id = StringUtils.abbreviate(id, 99);
-        return id;
-    }
+		return id;
+	}
 
-    /**
-     * Adjust the eid - trim it to null, and lower case IF we are case insensitive.
-     *
-     * @param eid
-     *        The eid to clean up.
-     * @return A cleaned up eid.
-     */
-    protected String cleanEid(String eid) {
-        if(StringUtils.isEmpty(eid)){
-            return null;
-        }
+	/**
+	 * Adjust the eid - trim it to null, and lower case IF we are case insensitive.
+	 *
+	 * @param eid
+	 *        The eid to clean up.
+	 * @return A cleaned up eid.
+	 */
+	protected String cleanEid(String eid)
+	{
         eid = StringUtils.lowerCase(eid);
-        eid = formattedText().sanitizeUserInput(eid);
+        eid = StringUtils.trimToNull(eid);
+
+        if (eid != null) {
+            // remove all instances of these chars <>,;:\"
+            eid = StringUtils.replaceChars(eid, "<>,;:\\/", "");
+        }
         // NOTE: length check is handled later on
         return eid;
-    }
+	}
 
 	protected UserEdit getCachedUser(String ref)
 	{
@@ -2030,7 +2031,7 @@ public boolean updateUserId(String id,String newEmail)
 					return false;
 				}
 				user.setEid(newEmail);
-				user.setEmail(formattedText().sanitizeUserInput(newEmail));
+				user.setEmail(newEmail);
 				((BaseUserEdit) user).setEvent(SECURE_UPDATE_USER_ANY);
 				commitEdit(user);
 				return true;
@@ -2174,7 +2175,7 @@ public BaseUserEdit(String id, String eid)
 			// if the id is not null (a new user, rather than a reconstruction)
 			// and not the anon (id == "") user,
 			// add the automatic (live) properties
-			if (StringUtils.isNotEmpty(m_id)) addLiveProperties(this);
+			if ((m_id != null) && (m_id.length() > 0)) addLiveProperties(this);
 
 			//KNL-567 lazy set the properties to be lazy so they get loaded
 			props.setLazy(true);
@@ -2214,13 +2215,13 @@ public BaseUserEdit(Element el)
 
 			m_id = cleanId(el.getAttribute("id"));
 			m_eid = cleanEid(el.getAttribute("eid"));
-			m_firstName = formattedText().sanitizeUserInput(el.getAttribute("first-name"));
-			m_lastName = formattedText().sanitizeUserInput(el.getAttribute("last-name"));
-			setEmail(el.getAttribute("email"));
+			m_firstName = StringUtils.trimToNull(el.getAttribute("first-name"));
+			m_lastName = StringUtils.trimToNull(el.getAttribute("last-name"));
+			setEmail(StringUtils.trimToNull(el.getAttribute("email")));
 			m_pw = el.getAttribute("pw");
-			m_type = formattedText().sanitizeUserInput(el.getAttribute("type"));
-			m_createdUserId = formattedText().sanitizeUserInput(el.getAttribute("created-id"));
-			m_lastModifiedUserId = formattedText().sanitizeUserInput(el.getAttribute("modified-id"));
+			m_type = StringUtils.trimToNull(el.getAttribute("type"));
+			m_createdUserId = StringUtils.trimToNull(el.getAttribute("created-id"));
+			m_lastModifiedUserId = StringUtils.trimToNull(el.getAttribute("modified-id"));
 
 			String time = StringUtils.trimToNull(el.getAttribute("created-time"));
 			if (time != null)
@@ -2315,15 +2316,15 @@ public BaseUserEdit(Element el)
 		public BaseUserEdit(String id, String eid, String email, String firstName, String lastName, String type, String pw,
 				String createdBy, Instant createdOn, String modifiedBy, Instant modifiedOn)
 		{
-			m_id = cleanId(id);
-			m_eid = cleanEid(eid);
-			m_firstName = formattedText().sanitizeUserInput(firstName);
-			m_lastName = formattedText().sanitizeUserInput(lastName);
-			m_type = formattedText().sanitizeUserInput(type);
+			m_id = id;
+			m_eid = eid;
+			m_firstName = firstName;
+			m_lastName = lastName;
+			m_type = type;
 			setEmail(email);
 			m_pw = pw;
-			m_createdUserId = formattedText().sanitizeUserInput(createdBy);
-			m_lastModifiedUserId = formattedText().sanitizeUserInput(modifiedBy);
+			m_createdUserId = createdBy;
+			m_lastModifiedUserId = modifiedBy;
 			if (createdOn != null) m_createdInstant = createdOn;
 			if (modifiedBy != null) m_lastModifiedInstant = modifiedOn;
 
@@ -2628,7 +2629,7 @@ public String getDisplayId() {
 		 */
 		public String getFirstName()
 		{
-			if (StringUtils.isEmpty(m_firstName)) return StringUtils.EMPTY;
+			if (m_firstName == null) return "";
 			return m_firstName;
 		}
 
@@ -2637,7 +2638,7 @@ public String getFirstName()
 		 */
 		public String getLastName()
 		{
-			if (StringUtils.isEmpty(m_lastName)) return StringUtils.EMPTY;
+			if (m_lastName == null) return "";
 			return m_lastName;
 		}
 
@@ -2682,7 +2683,7 @@ public String getSortName()
 		 */
 		public String getEmail()
 		{
-			if (StringUtils.isEmpty(m_email)) return StringUtils.EMPTY;
+			if (m_email == null) return "";
 			return m_email;
 		}
 
@@ -2800,7 +2801,8 @@ public void setEid(String eid)
 		public void setFirstName(String name)
 		{
 		    if(!m_restrictedFirstName) {
-		    	m_firstName = formattedText().sanitizeUserInput(name);
+		        // https://jira.sakaiproject.org/browse/SAK-20226 - removed html from name
+		    	m_firstName = formattedText().convertFormattedTextToPlaintext(name);
 		    	m_sortName = null;
 		    }
 		}
@@ -2811,7 +2813,8 @@ public void setFirstName(String name)
 		public void setLastName(String name)
 		{
 			if(!m_restrictedLastName) {
-		    	m_lastName = formattedText().sanitizeUserInput(name);
+                // https://jira.sakaiproject.org/browse/SAK-20226 - removed html from name
+		    	m_lastName = formattedText().convertFormattedTextToPlaintext(name);
 		    	m_sortName = null;
 		    }
 		}
@@ -2822,7 +2825,7 @@ public void setLastName(String name)
 		public void setEmail(String email)
 		{
 			if(!m_restrictedEmail) {
-				m_email = formattedText().sanitizeUserInput(email);
+				m_email = email;
 			}
 		}
 
@@ -2857,7 +2860,7 @@ public void setType(String type)
 		{
 			if(!m_restrictedType) {
 
-				m_type = formattedText().sanitizeUserInput(type);
+				m_type = type;
 
 			}
 		}

kernel/kernel-impl/src/main/java/org/sakaiproject/util/impl/FormattedTextImpl.java

@@ -53,7 +53,6 @@
 import org.sakaiproject.util.ResourceLoader;
 import org.sakaiproject.util.Xml;
 import org.sakaiproject.util.api.FormattedText;
-import org.springframework.web.util.HtmlUtils;
 
 /**
  * FormattedText provides support for user entry of formatted text; the formatted text is HTML. This includes text formatting in user input such as bold, underline, and fonts.
@@ -594,8 +593,8 @@ public String escapeHtml(String value, boolean escapeNewlines) {
          */
         String val = "";
         if (StringUtils.isNotEmpty(value)){
-            val = HtmlUtils.htmlEscape(value, StandardCharsets.UTF_8.name());
-            if (escapeNewlines) {
+            val = StringEscapeUtils.escapeHtml4(value);
+            if (escapeNewlines && val != null) {
                 val = val.replace("\n", "<br/>\n");
             }
         }
@@ -662,7 +661,7 @@ public String encodeUnicode(String value)
     public String unEscapeHtml(String value)
     {
         if (StringUtils.isEmpty(value)) return StringUtils.EMPTY;
-        return HtmlUtils.htmlUnescape(value);
+        return StringEscapeUtils.unescapeHtml4(value);
     }
 
     /* (non-Javadoc)
@@ -1506,12 +1505,4 @@ protected static final char hexDigit(int i)
             9002, 9674, 9824, 9827, 9829, 9830, 34, 38, 60, 62, 338, 339, 352, 353, 376, 710, 732, 8194, 8195, 8201, 8204, 8205,
             8206, 8207, 8211, 8212, 8216, 8217, 8218, 8220, 8221, 8222, 8224, 8225, 8240, 8249, 8250, 8364 };
 
-    public String sanitizeUserInput(final String userInput) {
-        if(StringUtils.EMPTY.equals(userInput)) {
-            return StringUtils.EMPTY;
-        }
-        String val = StringUtils.trimToNull(userInput);
-        val = HtmlUtils.htmlEscape(val, StandardCharsets.UTF_8.name());
-        return val;
-    }
 }

kernel/kernel-impl/src/test/java/org/sakaiproject/user/impl/BaseUserDirectoryServiceTest.java

@@ -180,15 +180,15 @@ public void testCleanEid() {
         Assert.assertNotNull(cleaned);
         Assert.assertEquals(eid, cleaned);
 
-        eid = "[email protected]";
+        eid = "[email protected]";
         cleaned = userDirectoryService.cleanEid(eid);
         Assert.assertNotNull(cleaned);
         Assert.assertEquals(eid, cleaned);
 
-        eid = "<script>alert('xss');</script>";
+        eid = "<script>alert('XSS');</script>";
         cleaned = userDirectoryService.cleanEid(eid);
         Assert.assertNotNull(cleaned);
-        Assert.assertEquals("&lt;script&gt;alert(&#39;xss&#39;);&lt;/script&gt;", cleaned);
+        Assert.assertEquals("scriptalert('xss')script", cleaned);
 
         // empty cases
         eid = "";

kernel/kernel-impl/src/test/java/org/sakaiproject/user/impl/test/UserDirectoryServiceGetTest.java

@@ -241,23 +241,23 @@ public void testLocalUserNameEdit() throws Exception {
         userEdit = userDirectoryService.editUser(localuserId);
         String originalFirstName = userEdit.getFirstName();
         String originalLastName = userEdit.getLastName();
-        userEdit.setFirstName("John");
-        userEdit.setLastName("Sakaiger");
+        userEdit.setFirstName("Aaron");
+        userEdit.setLastName("Zeckoski");
         userDirectoryService.commitEdit(userEdit);
 
         user = userDirectoryService.getUser(localuserId);
-        Assert.assertEquals("John", user.getFirstName());
-        Assert.assertEquals("Sakaiger", user.getLastName());
+        Assert.assertEquals("Aaron", user.getFirstName());
+        Assert.assertEquals("Zeckoski", user.getLastName());
 
         // check https://jira.sakaiproject.org/browse/SAK-20226
         userEdit = userDirectoryService.editUser(localuserId);
-        userEdit.setFirstName("<b>John</b>");
-        userEdit.setLastName("Sakaiger<script>alert(document.cookie)</script>");
+        userEdit.setFirstName("<b>Aaron</b>");
+        userEdit.setLastName("Zeckoski<script>alert(document.cookie)</script>");
         userDirectoryService.commitEdit(userEdit);
 
         user = userDirectoryService.getUser(localuserId);
-        Assert.assertEquals("&lt;b&gt;John&lt;/b&gt;", user.getFirstName());
-        Assert.assertEquals("Sakaiger&lt;script&gt;alert(document.cookie)&lt;/script&gt;", user.getLastName());
+        Assert.assertEquals("Aaron", user.getFirstName());
+        Assert.assertEquals("Zeckoskialert(document.cookie)", user.getLastName());
 
         // Return to where we were.
         userEdit = userDirectoryService.editUser(localuserId);

kernel/kernel-impl/src/test/java/org/sakaiproject/util/impl/FormattedTextTest.java

@@ -1174,10 +1174,5 @@ public void getHtmlBodyTest() {
         Assert.assertEquals("", result);
     }
 
-    @Test
-    public void testEscapeXSS() {
-        String threat = "<img src=a onerror=\"alert(1)\" áéñíòùç %*+,-/;'<=>^|\\";
-        Assert.assertEquals("<img src=a onerror=\"alert(1)\" áéñíòùç %*+,-/;'<=>^|\\", threat);
-        Assert.assertEquals("&lt;img src=a onerror=&quot;alert(1)&quot; áéñíòùç %*+,-/;&#39;&lt;=&gt;^|\\", formattedText.sanitizeUserInput(threat));
-    }
+
 }

kernel/kernel-util/pom.xml

@@ -69,10 +69,6 @@
             <groupId>org.apache.commons</groupId>
             <artifactId>commons-lang3</artifactId>
         </dependency>
-        <dependency>
-            <groupId>org.apache.commons</groupId>
-            <artifactId>commons-text</artifactId>
-        </dependency>
         <dependency>
             <groupId>commons-io</groupId>
             <artifactId>commons-io</artifactId>