@RequestMapping(value = "/create-category", method = RequestMethod.POST)
public String createCategory(
Model model,
@ModelAttribute("category") @Valid Category category,
Errors errors,
@RequestParam("name") String name,
@RequestParam("description") String description) {
model.addAttribute("title", "Create Category");
Category newCategory =
new Category(HtmlUtils.htmlEscape(name), HtmlUtils.htmlEscape(description));
if (errors.hasErrors()) {
model.addAttribute("category", category);
return "create-category";
}
/*
* What to do if there is no error
* We need a DAO and Service to add category into the database
*/
try {
categoryService.createCategory(newCategory);
model.addAttribute(
"success",
"<div class=\"info\">Succesfully Created <p> <a href='manage-category.html'>Go back to Management Page</a></div>"); // Add success message
category.setName(""); // Reset form field
category.setDescription(""); // Reset form field
} catch (EJBException e) {
model.addAttribute("error", e.getMessage());
}
return "create-category";
}
public ReservationView(
Reservation reservation,
ElementActionView deleteActionView,
ElementActionView modifyActionView,
ElementActionView copyActionView) {
this.id = reservation.getId();
this.virtualResourceGroup =
reservation.getVirtualResourceGroup().map(g -> g.getName()).orElse("-");
this.sourcePort = new PortView(reservation.getSourcePort());
this.destinationPort = new PortView(reservation.getDestinationPort());
// `<c:out>` strips newlines, so we have to manually HTML escape.
this.failedReason = HtmlUtils.htmlEscape(reservation.formattedFailedReason(), "UTF-8");
this.cancelReason = HtmlUtils.htmlEscape(reservation.getCancelReason(), "UTF-8");
this.startDateTime = reservation.getStartDateTime();
this.endDateTime = reservation.getEndDateTime().orElse(null);
this.bandwidth = reservation.getBandwidth();
this.userCreated = reservation.getUserCreated();
this.providerConnectionId = reservation.getProviderConnectionId();
this.creationDateTime = reservation.getCreationDateTime();
this.protectionType = reservation.getRequesterConnection().getProtectionType();
this.name = reservation.getName();
NsiRequesterConnection connection = reservation.getRequesterConnection();
this.requesterConnectionId = connection.getConnectionId();
this.ero = presentEro(connection);
states = connection.getStates().toShortString();
reservationState = connection.getReservationState();
provisionState = connection.getProvisionState().orElse(null);
lifecycleState = connection.getLifecycleState();
dataPlaneActive = connection.isDataPlaneActive();
this.deleteActionView = deleteActionView;
this.modifyActionView = modifyActionView;
this.copyActionView = copyActionView;
}
@RequestMapping(value = "/resetforgotpassword", method = RequestMethod.POST)
public String resetforgotPassword(HttpServletRequest request, ModelMap model) {
String email = HtmlUtils.htmlEscape(request.getParameter("email"));
if (email != null) {
String userid = email;
String password = HtmlUtils.htmlEscape(request.getParameter("password"));
PersistenceManager pm = PMF.get().getPersistenceManager();
Query q = pm.newQuery(User.class);
q.setFilter("email==userid");
q.declareParameters("String userid");
List<User> result = (List<User>) q.execute(userid);
try {
User c = pm.getObjectById(User.class, result.get(0).getUserId());
c.setPassword(password);
model.addAttribute("registered", "Password reset successfully, Login now !!");
model.addAttribute("subCategoryList", categoryDao.getSubCategoryList());
} finally {
pm.close();
}
return "login";
} else {
model.addAttribute("subCategoryList", categoryDao.getSubCategoryList());
return "login";
}
}
String replaceStringLiterals(String content) {
content =
content.replaceAll(
"%backup_initiated_by%",
HtmlUtils.htmlEscape(backupService.backupRunningSinceISO8601()));
content =
content.replaceAll(
"%backup_started_by%", HtmlUtils.htmlEscape(backupService.backupStartedBy()));
return content;
}
@RequestMapping(value = "/authenticate", method = RequestMethod.POST)
public String authenticate(ModelMap model, HttpServletRequest request) {
String email = HtmlUtils.htmlEscape(request.getParameter("email"));
String password = HtmlUtils.htmlEscape(request.getParameter("password"));
String p = HtmlUtils.htmlEscape(request.getParameter("p"));
PersistenceManager pm = PMF.get().getPersistenceManager();
Query q = pm.newQuery(Category.class);
List<Category> result = null;
model.addAttribute("subCategoryList", categoryDao.getSubCategoryList());
try {
result = (List<Category>) q.execute();
if (result.isEmpty()) {
model.addAttribute("listCategory", null);
} else {
model.addAttribute("listCategory", result);
}
pm = PMF.get().getPersistenceManager();
Query q1 = null;
q = pm.newQuery(User.class);
q.setFilter("email == emailParam && password == passwordParam");
// q.setOrdering("date desc");
q.declareParameters("String emailParam,String passwordParam");
List<User> results = (List<User>) q.execute(email, password);
// System.out.println(email + " " + password + results.size());
if (results.size() >= 1) {
HttpSession hs = request.getSession(true);
hs.setAttribute("userid", email);
hs.setAttribute("username", results.get(0).getUserName());
hs.setAttribute("collegeName", results.get(0).getCollege());
hs.setAttribute("contactNo", results.get(0).getMobile());
model.addAttribute("productDao", productDao);
model.addAttribute("result", "Login Successfully!");
if (p != null && (!p.equals("null")))
// return new ModelAndView("redirect:"+p);
return p;
else return "index";
} else {
model.addAttribute("result", "Incorrect User ID or Password! Try Again");
model.addAttribute("p", p);
return "login";
}
} catch (Exception e) {
e.printStackTrace();
// System.out.println("in exception");
model.addAttribute("result", "Incorrect Userid or Password! Try Again");
return "login";
} finally {
q.closeAll();
pm.close();
}
}
@RequestMapping(value = "/edit-category/{categoryId}", method = RequestMethod.POST)
public String doEditCategory(
@ModelAttribute("category") @Valid Category category,
Errors errors,
@PathVariable String categoryId,
@RequestParam("name") String name,
@RequestParam("description") String description,
Model model) {
model.addAttribute("title", "Edit Category");
if (errors.hasErrors()) {
model.addAttribute("category", category);
return "edit-category";
}
category = categoryService.getCategory(Integer.parseInt(HtmlUtils.htmlEscape(categoryId)));
if (category == null) {
return "redirect:manage-category.html";
}
category.setDescription(description);
category.setName(name);
categoryService.updateCategory(category);
model.addAttribute(
"info",
"<div class=\"info\">Succesfully Updated <p> <a href='../manage-category.html'>Go back to Management Page</a></div>");
return "edit-category";
}
@ResponseBody
@RequestMapping(method = RequestMethod.POST)
public Object insert(Post post, String tags) {
MapContainer form = PostFormValidator.validatePublish(post);
if (!form.isEmpty()) {
return form.put("success", false);
}
post.setId(optionManager.getNextPostid());
post.setCreator(WebContextFactory.get().getUser().getId());
post.setCreateTime(new Date());
post.setLastUpdate(post.getCreateTime());
/* 由于加入xss的过滤,html内容都被转义了,这里需要unescape */
String content = HtmlUtils.htmlUnescape(post.getContent());
post.setContent(JsoupUtils.filter(content));
String cleanTxt = JsoupUtils.plainText(content);
post.setExcerpt(
cleanTxt.length() > PostConstants.EXCERPT_LENGTH
? cleanTxt.substring(0, PostConstants.EXCERPT_LENGTH)
: cleanTxt);
postManager.insertPost(post, PostTagHelper.from(post, tags, post.getCreator()));
return new MapContainer("success", true);
}
@Override
public void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
String param = "";
java.util.Enumeration<String> names = request.getParameterNames();
if (names.hasMoreElements()) {
param = names.nextElement(); // just grab first element
}
String bar = org.springframework.web.util.HtmlUtils.htmlEscape(param);
String sql = "SELECT * from USERS where USERNAME=? and PASSWORD='******'";
try {
java.sql.Connection connection =
org.owasp.benchmark.helpers.DatabaseHelper.getSqlConnection();
java.sql.PreparedStatement statement =
connection.prepareStatement(sql, java.sql.Statement.RETURN_GENERATED_KEYS);
statement.setString(1, "foo");
statement.execute();
} catch (java.sql.SQLException e) {
throw new ServletException(e);
}
}
@Override
public void setAsText(String text) {
String value = text;
if (text != null) {
value = HtmlUtils.htmlEscape(text, Constants.DEFAULT_CHARSET);
}
super.setAsText(value);
}
@RequestMapping("/login")
public String userlogin(ModelMap map, HttpServletRequest request) {
map.addAttribute("p", HtmlUtils.htmlEscape(request.getParameter("p")));
HttpSession hs = request.getSession(false);
if (hs != null && hs.getAttribute("userid") != null) {
map.addAttribute("subCategoryList", categoryDao.getSubCategoryList());
return "index";
} else return "login";
}
public Tag set(String attribute, String value) {
if (attribute != null && value != null) {
if (attributes == null) {
attributes = Maps.newLinkedHashMap();
}
attributes.put(attribute, HtmlUtils.htmlEscape(value));
}
return this;
}
/** result name is encoded to prevent security issue with xss injection */
protected void encodeResultName() {
try {
String tempResult = HtmlUtils.htmlEscape(resultName, "UTF-8");
if (!tempResult.equals(resultName)) {
resultName = URLEncoder.encode(resultName, "UTF-8");
}
} catch (Exception e) {
log.debug("error with encoding search result name", e);
}
}
/**
* Displays an informational message.
*
* @param message the message to display.
* @return the model and view.
*/
@RequestMapping(UiConstants.DISPLAY_INFO_MESSAGE_URL)
public ModelAndView displayInfoMessage(
@RequestParam(UiConstants.MODEL_KEY_MESSAGE) String message) {
String viewName = UiConstants.DISPLAY_INFO_MESSAGE_PAGE;
if (message == null) {
return new ModelAndView(viewName);
} else {
return new ModelAndView(
viewName, UiConstants.MODEL_KEY_MESSAGE, HtmlUtils.htmlEscape(message));
}
}
@Override
public void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
String param = request.getQueryString();
String bar = org.springframework.web.util.HtmlUtils.htmlEscape(param);
Object[] obj = {"a", bar};
response.getWriter().println(obj);
}
@RequestMapping(value = "/edit-category/{categoryId}", method = RequestMethod.GET)
public String editCategory(@PathVariable String categoryId, Model model) {
Category category =
categoryService.getCategory(Integer.parseInt(HtmlUtils.htmlEscape(categoryId)));
if (category == null) {
return "redirect:manage-category.html";
}
model.addAttribute("category", category);
return "edit-category";
}
/**
* Processes requests for both HTTP <code>GET</code> and <code>POST</code> methods.
*
* @param request servlet request
* @param response servlet response
* @throws ServletException if a servlet-specific error occurs
* @throws IOException if an I/O error occurs
*/
final void processRequest(final HttpServletRequest request, final HttpServletResponse response)
throws ServletException, IOException, CerberusException {
response.setContentType("text/html;charset=UTF-8");
final PrintWriter out = response.getWriter();
final PolicyFactory policy = Sanitizers.FORMATTING.and(Sanitizers.LINKS);
try {
final String type = policy.sanitize(request.getParameter("Type"));
final String name = policy.sanitize(request.getParameter("Name"));
// CTE - on utilise la méthode utilitaire pour encoder le xml
final String envelope = request.getParameter("Envelope");
final String envelopeBDD = HtmlUtils.htmlEscape(envelope);
final String description = policy.sanitize(request.getParameter("Description"));
final String servicePath = policy.sanitize(request.getParameter("ServicePath"));
final String parsingAnswer = policy.sanitize(request.getParameter("ParsingAnswer"));
final String method = policy.sanitize(request.getParameter("Method"));
final ApplicationContext appContext =
WebApplicationContextUtils.getWebApplicationContext(this.getServletContext());
final ISoapLibraryService soapLibraryService = appContext.getBean(ISoapLibraryService.class);
final IFactorySoapLibrary factorySoapLibrary = appContext.getBean(IFactorySoapLibrary.class);
final SoapLibrary soapLib =
factorySoapLibrary.create(
type, name, envelopeBDD, description, servicePath, parsingAnswer, method);
soapLibraryService.createSoapLibrary(soapLib);
/** Adding Log entry. */
ILogEventService logEventService = appContext.getBean(LogEventService.class);
IFactoryLogEvent factoryLogEvent = appContext.getBean(FactoryLogEvent.class);
try {
logEventService.insertLogEvent(
factoryLogEvent.create(
0,
0,
request.getUserPrincipal().getName(),
null,
"/CreateSoapLibrary",
"CREATE",
"Create SoapLibrary : " + name,
"",
""));
} catch (CerberusException ex) {
org.apache.log4j.Logger.getLogger(CreateSoapLibrary.class.getName())
.log(org.apache.log4j.Level.ERROR, null, ex);
}
response.sendRedirect("SoapLibrary.jsp");
} finally {
out.close();
}
}
@RequestMapping(value = "/delete-category/{categoryId}", method = RequestMethod.GET)
public String deleteCategory(@PathVariable String categoryId, Model model) {
try {
categoryService.deleteCategory(Integer.parseInt(HtmlUtils.htmlEscape(categoryId)));
model.addAttribute(
"info",
"<div class=\"info\">Succesfully Deleted <p> <a href='../manage-category.html'>Go back to Management Page</a></div>");
} catch (EJBTransactionRolledbackException e) {
model.addAttribute(
"info",
"<div class=\"info\">Category Doesn't Existed <p> <a href='../manage-category.html'>Go back to Management Page</a></div>");
}
return "manage-category";
}
public String toHtml(String query, String keywordClass) {
String sql = formatter.prettyPrint(query);
sql = HtmlUtils.htmlEscape(sql);
for (int i = 0; i < KEYWORDS.length; i++) {
String keyword = KEYWORDS[i][0];
String selectorSuffix = KEYWORDS[i][1];
if (sql.contains(keyword)) {
String spanTag = makeSpanTag(keywordClass, selectorSuffix);
String replace = new StringBuilder(spanTag).append(keyword).append("</span>").toString();
sql = sql.replace(keyword, replace);
}
}
return sql;
}
@Override
public void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
String param = "";
java.util.Enumeration<String> headers = request.getHeaders("foo");
if (headers.hasMoreElements()) {
param = headers.nextElement(); // just grab first element
}
String bar = org.springframework.web.util.HtmlUtils.htmlEscape(param);
Object[] obj = {"a", bar};
response.getWriter().printf(java.util.Locale.US, "notfoo", obj);
}
@Override
public void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
String param = request.getHeader("foo");
String bar = org.springframework.web.util.HtmlUtils.htmlEscape(param);
String sql = "UPDATE USERS SET PASSWORD='******' WHERE USERNAME='******'";
try {
java.sql.Statement statement = org.owasp.benchmark.helpers.DatabaseHelper.getSqlStatement();
int count = statement.executeUpdate(sql, new String[] {"user", "password"});
} catch (java.sql.SQLException e) {
throw new ServletException(e);
}
}
@RequestMapping(method = RequestMethod.GET)
public void viewSource(
@RequestParam("file") String file, HttpServletRequest request, HttpServletResponse response)
throws IOException {
if (!enabled) {
throw (new OpenLegacyRuntimeException("View source controller is not enabled"));
}
ServletContext servletContext = request.getSession().getServletContext();
InputStream resource = servletContext.getResourceAsStream(file);
if (resource == null) {
throw (new OpenLegacyRuntimeException("Specified resource doesn''t exists"));
}
String content = IOUtils.toString(resource);
content = HtmlUtils.htmlEscape(content);
response.getWriter().write(MessageFormat.format(htmlOutput, content));
}
public String[] getStringTable(String parameter, HttpServletRequest request, boolean toEscape) {
if (request.getParameterValues(parameter) != null) {
try {
request.setCharacterEncoding("UTF-8");
} catch (UnsupportedEncodingException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
String[] parameters = request.getParameterValues(parameter);
if (toEscape) {
for (int i = 0; i < parameters.length; i++) {
parameters[i] = HtmlUtils.htmlEscape(parameters[i]);
}
}
return parameters;
}
return new String[0];
}
private void writeSheet(
List<Map<String, String>> valueMaps, String worksheetName, HSSFWorkbook wb) {
// Set column widths
HSSFSheet sheet = wb.createSheet(worksheetName);
sheet.setColumnWidth(Short.parseShort("0"), Short.parseShort("15000"));
sheet.setColumnWidth(Short.parseShort("1"), Short.parseShort("30000"));
// header style
HSSFCellStyle headerStyle;
HSSFFont headerFont = wb.createFont();
headerFont.setFontHeightInPoints((short) 11);
headerStyle = wb.createCellStyle();
headerStyle.setAlignment(HSSFCellStyle.ALIGN_CENTER);
headerStyle.setVerticalAlignment(HSSFCellStyle.VERTICAL_CENTER);
headerStyle.setFillForegroundColor(HSSFColor.GREY_50_PERCENT.index);
headerStyle.setFillPattern(HSSFCellStyle.SOLID_FOREGROUND);
headerStyle.setFont(headerFont);
headerStyle.setWrapText(true);
// header row
HSSFRow headerRow = sheet.createRow(0);
headerRow.setHeightInPoints(30);
HSSFCell headerCell0 = headerRow.createCell((short) 0);
HSSFCell headerCell1 = headerRow.createCell((short) 1);
headerCell0.setCellStyle(headerStyle);
setText(headerCell0, "Layer Name");
headerCell1.setCellStyle(headerStyle);
setText(headerCell1, "Message");
int counter = 1;
for (Map<String, String> valueMap : valueMaps) {
HSSFRow dataRow = sheet.createRow(counter);
String layer = valueMap.get("layer");
String status = valueMap.get("status");
status = HtmlUtils.htmlUnescape(status);
HSSFCell currentCell0 = dataRow.createCell((short) 0);
HSSFCell currentCell1 = dataRow.createCell((short) 1);
setText(currentCell0, layer);
setText(currentCell1, status);
counter++;
}
}
@Override
public void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
String param = "";
java.util.Enumeration<String> headerNames = request.getHeaderNames();
if (headerNames.hasMoreElements()) {
param = headerNames.nextElement(); // just grab first element
}
String bar = org.springframework.web.util.HtmlUtils.htmlEscape(param);
try {
javax.naming.directory.InitialDirContext idc =
org.owasp.benchmark.helpers.Utils.getInitialDirContext();
idc.search("name", bar, new javax.naming.directory.SearchControls());
} catch (javax.naming.NamingException e) {
throw new ServletException(e);
}
}
@Override
public void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
String[] values = request.getParameterValues("foo");
String param;
if (values.length != 0) param = request.getParameterValues("foo")[0];
else param = null;
String bar = org.springframework.web.util.HtmlUtils.htmlEscape(param);
String sql = "UPDATE USERS SET PASSWORD='******' WHERE USERNAME='******'";
try {
java.sql.Statement statement = org.owasp.benchmark.helpers.DatabaseHelper.getSqlStatement();
int count = statement.executeUpdate(sql);
} catch (java.sql.SQLException e) {
throw new ServletException(e);
}
}
@RequestMapping(value = "/jobs/{jobName}", method = RequestMethod.GET)
public String details(
ModelMap model,
@ModelAttribute("jobName") String jobName,
Errors errors,
@RequestParam(defaultValue = "0") int startJobInstance,
@RequestParam(defaultValue = "20") int pageSize) {
boolean launchable = jobService.isLaunchable(jobName);
try {
Collection<JobInstance> result =
jobService.listJobInstances(jobName, startJobInstance, pageSize);
Collection<JobInstanceInfo> jobInstances = new ArrayList<JobInstanceInfo>();
model.addAttribute(
"jobParameters",
jobParametersExtractor.fromJobParameters(jobService.getLastJobParameters(jobName)));
for (JobInstance jobInstance : result) {
Collection<JobExecution> jobExecutions =
jobService.getJobExecutionsForJobInstance(jobName, jobInstance.getId());
jobInstances.add(new JobInstanceInfo(jobInstance, jobExecutions, timeZone));
}
model.addAttribute("jobInstances", jobInstances);
int total = jobService.countJobInstances(jobName);
TableUtils.addPagination(model, total, startJobInstance, pageSize, "JobInstance");
int count = jobService.countJobExecutionsForJob(jobName);
model.addAttribute(
"jobInfo", new JobInfo(jobName, count, launchable, jobService.isIncrementable(jobName)));
} catch (NoSuchJobException e) {
errors.reject(
"no.such.job",
new Object[] {jobName},
"There is no such job (" + HtmlUtils.htmlEscape(jobName) + ")");
}
return "jobs/job";
}
@RequestMapping(value = "/resetpassword", method = RequestMethod.POST)
public ModelAndView resetPassword(HttpServletRequest request, ModelMap model) {
HttpSession hs = request.getSession(false);
if (hs != null) {
String userid = (String) hs.getAttribute("userid");
String password = HtmlUtils.htmlEscape(request.getParameter("password"));
PersistenceManager pm = PMF.get().getPersistenceManager();
Query q = pm.newQuery(User.class);
q.setFilter("email==userid");
q.declareParameters("String userid");
List<User> result = (List<User>) q.execute(userid);
try {
User c = pm.getObjectById(User.class, result.get(0).getUserId());
c.setPassword(password);
model.addAttribute("resultresetpage", "Password reset successfully");
} finally {
pm.close();
}
return new ModelAndView("redirect:resetpassword");
} else return new ModelAndView("redirect:resetpassword");
}
private static String doSomething(String param) throws ServletException, IOException {
String bar = org.springframework.web.util.HtmlUtils.htmlEscape(param);
return bar;
}
/**
* html转义->html
*
* @param html
* @return
*/
public static String htmlUnescape(String html) {
return HtmlUtils.htmlUnescape(html);
}
@RequestMapping(params = "demoTurn")
@ResponseBody
public String demoTurn(String id) {
String code = systemService.get(TSDemo.class, id).getDemocode();
return HtmlUtils.htmlUnescape(code);
}
