Merge remote-tracking branch 'origin/7.1-RELEASE' into 8.1-RELEASE

jogetworkflow · Dec 19, 2024 · 983a286 · 983a286
2 parents 3e0e82a + 47384e8
commit 983a286
Show file tree

Hide file tree

Showing 12 changed files with 299 additions and 190 deletions.
diff --git a/wflow-commons/pom.xml b/wflow-commons/pom.xml
@@ -270,7 +270,7 @@
         <dependency>
             <groupId>org.apache.commons</groupId>
             <artifactId>commons-dbcp2</artifactId>
-            <version>2.1.1</version>
+            <version>2.13.0</version>
         </dependency>
         <dependency>
             <groupId>org.apache.commons</groupId>

diff --git a/wflow-commons/src/main/java/org/joget/commons/util/SecurityUtil.java b/wflow-commons/src/main/java/org/joget/commons/util/SecurityUtil.java
@@ -22,8 +22,6 @@ public class SecurityUtil implements ApplicationContextAware {
 
     public final static String ENVELOPE = "%%%%";
     private static ApplicationContext appContext;
-    private static DataEncryption de;
-    private static NonceGenerator ng;
 
     /**
      * Utility method to retrieve the ApplicationContext of the system
@@ -42,37 +40,16 @@ public void setApplicationContext(ApplicationContext context) throws BeansExcept
         appContext = context;
     }
 
-    /**
-     * Sets a data encryption implementation
-     * @param deImpl
-     */
-    public void setDataEncryption(DataEncryption deImpl) {
-        if (de == null) {
-            de = deImpl;
-        }
-    }
-
     /**
      * Gets the data encryption implementation
      * @return 
      */
     public static DataEncryption getDataEncryption() {
-        if (de == null) {
-            try {
-                de = (DataEncryption) getApplicationContext().getBean("dataEncryption");
-            } catch (Exception e) {
-            }
-        }
-        return de;
-    }
-
-    /**
-     * Sets a nonce generator implementation
-     * @param ngImpl 
-     */
-    public void setNonceGenerator(NonceGenerator ngImpl) {
-        if (ng == null) {
-            ng = ngImpl;
+        try {
+            DataEncryption de = (DataEncryption) getApplicationContext().getBean("dataEncryption");
+            return de;
+        } catch(Exception e) {
+            return null;
         }
     }
 
@@ -81,13 +58,12 @@ public void setNonceGenerator(NonceGenerator ngImpl) {
      * @return 
      */
     public static NonceGenerator getNonceGenerator() {
-        if (ng == null) {
-            try {
-                ng = (NonceGenerator) getApplicationContext().getBean("nonceGenerator");
-            } catch (Exception e) {
-            }
+        try {
+            NonceGenerator ng = (NonceGenerator) getApplicationContext().getBean("nonceGenerator");
+            return ng;
+        } catch(Exception e) {
+            return null;
         }
-        return ng;
     }
 
     /**
@@ -96,12 +72,12 @@ public static NonceGenerator getNonceGenerator() {
      * @return 
      */
     public static String encrypt(String rawContent) {
-
-        if (rawContent != null && getDataEncryption() != null) {
+        DataEncryption de = getDataEncryption();
+        if (rawContent != null && de != null) {
             try {
-                return ENVELOPE + getDataEncryption().encrypt(rawContent) + ENVELOPE;
+                return ENVELOPE + de.encrypt(rawContent) + ENVELOPE;
             } catch (Exception e) {
-                //Ignore
+                LogUtil.warn(SecurityUtil.class.getName(), "Cannot encrypt content: " + e.toString());
             }
         }
         return rawContent;
@@ -113,12 +89,13 @@ public static String encrypt(String rawContent) {
      * @return 
      */
     public static String decrypt(String protectedContent) {
-        if (protectedContent != null && protectedContent.startsWith(ENVELOPE) && protectedContent.endsWith(ENVELOPE) && getDataEncryption() != null) {
+        DataEncryption de = getDataEncryption();
+        if (protectedContent != null && protectedContent.startsWith(ENVELOPE) && protectedContent.endsWith(ENVELOPE) && de != null) {
             try {
                 String tempProtectedContent = cleanPrefixPostfix(protectedContent);
-                return getDataEncryption().decrypt(tempProtectedContent);
+                return de.decrypt(tempProtectedContent);
             } catch (Exception e) {
-                //Ignore
+                LogUtil.warn(SecurityUtil.class.getName(), "Cannot decrypt content: " + e.toString());
             }
         }
         return protectedContent;
@@ -131,10 +108,10 @@ public static String decrypt(String protectedContent) {
      * @return 
      */
     public static String computeHash(String rawContent, String randomSalt) {
-
+        DataEncryption de = getDataEncryption();
         if (rawContent != null && !rawContent.isEmpty()) {
-            if (getDataEncryption() != null) {
-                return ENVELOPE + getDataEncryption().computeHash(rawContent, randomSalt) + ENVELOPE;
+            if (de != null) {
+                return ENVELOPE + de.computeHash(rawContent, randomSalt) + ENVELOPE;
             } else {
                 return StringUtil.md5Base16(rawContent);
             }
@@ -152,9 +129,10 @@ public static String computeHash(String rawContent, String randomSalt) {
      */
     public static Boolean verifyHash(String hash, String randomSalt, String rawContent) {
         if (hash != null && !hash.isEmpty() && rawContent != null && !rawContent.isEmpty()) {
-            if (hash.startsWith(ENVELOPE) && hash.endsWith(ENVELOPE) && getDataEncryption() != null) {
+            DataEncryption de = getDataEncryption();
+            if (hash.startsWith(ENVELOPE) && hash.endsWith(ENVELOPE) && de != null) {
                 hash = cleanPrefixPostfix(hash);
-                return getDataEncryption().verifyHash(hash, randomSalt, rawContent);
+                return de.verifyHash(hash, randomSalt, rawContent);
             } else {
                 return hash.equals(StringUtil.md5Base16(rawContent));
             }
@@ -167,8 +145,9 @@ public static Boolean verifyHash(String hash, String randomSalt, String rawConte
      * @return 
      */
     public static String generateRandomSalt() {
-        if (getDataEncryption() != null) {
-            return getDataEncryption().generateRandomSalt();
+        DataEncryption de = getDataEncryption();
+        if (de != null) {
+            return de.generateRandomSalt();
         }
         return "";
     }

diff --git a/wflow-commons/src/main/java/org/joget/commons/util/StringUtil.java b/wflow-commons/src/main/java/org/joget/commons/util/StringUtil.java
@@ -76,6 +76,7 @@ public class StringUtil {
         whitelistRelaxed = Safelist.relaxed()
                             .addTags("span", "div", "hr")
                             .addAttributes(":all","id","style","class","title","target", "name")
+                            .addProtocols("img", "src", "data")
                             .preserveRelativeLinks(true);
     }
 

diff --git a/wflow-commons/src/test/java/org/joget/commons/util/TestStringUtil.java b/wflow-commons/src/test/java/org/joget/commons/util/TestStringUtil.java
@@ -232,6 +232,12 @@ public void testStripHtmlRelaxed() throws Exception {
         original = "<img src=\"img.png\">";
         expected = "<img src=\"img.png\" />";
         Assert.isTrue(expected.equals(StringUtil.stripHtmlRelaxed(original)), "check img with relative path is allowed");
+
+        //check img with base64 is allowed
+        original = "<img src=\"data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAIAAACQkWg2AAABaklEQVQokZWSXYuCQBSG+xdCa5nRRZgzUlmDNlmCxSCjZg4Y9OkwMxf9Sn/aXrRERrC779U5L+fhfHBa9T/Vek3m8/kztm3bcRzXdTebjed50+m0AWy3W4RQXdcAgCcAIcyyTEpZlqVlWQ1ASnm9XpMksW3bsiwAAISQECKEuN/vlNL1et0ALpeLUkoIked5EAS+7xNCqqpSSlFKwzB838FxnCiKzuezEOJ4PJZlebvdOOdxHGOMPyytaRqEEGPMGOOcSymVUoyx5+gfrjQYDB5zn04nznlVVYyxyWRimuYHoN/vD4fD5XKZpmlRFGma7na7w+GQ5zlCaDQavQOu64ZhmCRJlmUYYwDAeDwOw7Aoiv1+v1gsHMdpAIQQSiml1Pd9wzC63a5hGL1eDyEURVEQBJ1OpwFQSuM49jxP13Vd1x+maZpfL2oAq9VqNpu1221N097O8lpdv/3Sj9X6YDaA1p/V6PBr6UPfrxpWT8DSD68AAAAASUVORK5CYII=\">";
+        expected = "<img src=\"data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAIAAACQkWg2AAABaklEQVQokZWSXYuCQBSG+xdCa5nRRZgzUlmDNlmCxSCjZg4Y9OkwMxf9Sn/aXrRERrC779U5L+fhfHBa9T/Vek3m8/kztm3bcRzXdTebjed50+m0AWy3W4RQXdcAgCcAIcyyTEpZlqVlWQ1ASnm9XpMksW3bsiwAAISQECKEuN/vlNL1et0ALpeLUkoIked5EAS+7xNCqqpSSlFKwzB838FxnCiKzuezEOJ4PJZlebvdOOdxHGOMPyytaRqEEGPMGOOcSymVUoyx5+gfrjQYDB5zn04nznlVVYyxyWRimuYHoN/vD4fD5XKZpmlRFGma7na7w+GQ5zlCaDQavQOu64ZhmCRJlmUYYwDAeDwOw7Aoiv1+v1gsHMdpAIQQSiml1Pd9wzC63a5hGL1eDyEURVEQBJ1OpwFQSuM49jxP13Vd1x+maZpfL2oAq9VqNpu1221N097O8lpdv/3Sj9X6YDaA1p/V6PBr6UPfrxpWT8DSD68AAAAASUVORK5CYII=\" />";
+        Assert.isTrue(expected.equals(StringUtil.stripHtmlRelaxed(original)), "check img with base64 is allowed");
+
     }
 
     @Test

diff --git a/wflow-consoleweb/src/main/webapp/js/quill/quill.bubble.css b/wflow-consoleweb/src/main/webapp/js/quill/quill.bubble.css
@@ -1,5 +1,5 @@
 /*!
- * Quill Editor v1.3.6
+ * Quill Editor v1.3.7
  * https://quilljs.com/
  * Copyright (c) 2014, Jason Chen
  * Copyright (c) 2013, salesforce.com
@@ -592,22 +592,22 @@
   display: none;
 }
 .ql-bubble .ql-editor h1 {
-  font-size: 2em  !important;
+  font-size: 2em;
 }
 .ql-bubble .ql-editor h2 {
-  font-size: 1.5em  !important;
+  font-size: 1.5em;
 }
 .ql-bubble .ql-editor h3 {
-  font-size: 1.17em  !important;
+  font-size: 1.17em;
 }
 .ql-bubble .ql-editor h4 {
-  font-size: 1em  !important;
+  font-size: 1em;
 }
 .ql-bubble .ql-editor h5 {
-  font-size: 0.83em  !important;
+  font-size: 0.83em;
 }
 .ql-bubble .ql-editor h6 {
-  font-size: 0.67em  !important;
+  font-size: 0.67em;
 }
 .ql-bubble .ql-editor a {
   text-decoration: underline;