SRE Fix: html injection issue resolved

Author: ishaileshmishra

pom.xml

@@ -31,6 +31,7 @@
         <validation-version>2.0.1.Final</validation-version>
         <json-version>20230227</json-version>
         <spring-web-version>6.0.7</spring-web-version>
+        <org.apache.commons-text>1.10.0</org.apache.commons-text>
     </properties>
 
     <developers>
@@ -78,6 +79,13 @@
     </organization>
 
     <dependencies>
+        <!-- https://mvnrepository.com/artifact/org.apache.commons/commons-text -->
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-text</artifactId>
+            <version>${org.apache.commons-text}</version>
+        </dependency>
+
         <dependency>
             <groupId>junit</groupId>
             <artifactId>junit</artifactId>

src/main/java/com/contentstack/utils/AutomateCommon.java

@@ -21,7 +21,7 @@
 
 public class AutomateCommon {
 
-    private static final String ASSET = "asset";
+    private static final String ASSET = AutomateCommon.class.getSimpleName();
 
     private AutomateCommon() {
         throw new IllegalStateException("Not allowed to create instance of AutomateCommon");
@@ -176,7 +176,7 @@ private static String extractKeys(@NotNull JSONObject jsonNode, Option renderObj
                     JSONObject contentToPass = filteredContent.get();
                     return getStringOption(renderObject, metadata, contentToPass);
                 } else {
-                    if (attrType.equalsIgnoreCase(ASSET)) {
+                    if (attrType.equalsIgnoreCase("asset")) {
                         return renderObject.renderNode("img", jsonNode, nodeJsonArray -> doRawProcessing(nodeJsonArray, renderObject, embedItem));
                     }
                 }

src/main/java/com/contentstack/utils/render/DefaultOption.java

@@ -4,6 +4,7 @@
 import com.contentstack.utils.interfaces.NodeCallback;
 import com.contentstack.utils.interfaces.Option;
 import com.contentstack.utils.node.MarkType;
+import org.apache.commons.text.StringEscapeUtils;
 import org.json.JSONObject;
 
 
@@ -58,22 +59,27 @@ public String renderMark(MarkType markType, String text) {
         }
     }
 
+    private String escapeInjectHtml(JSONObject nodeObj, String nodeType) {
+        String injectedHtml = getNodeStr(nodeObj, nodeType);
+        return StringEscapeUtils.escapeHtml4(injectedHtml);
+    }
+
     @Override
     public String renderNode(String nodeType, JSONObject nodeObject, NodeCallback callback) {
         String children = callback.renderChildren(nodeObject.optJSONArray("children"));
         switch (nodeType) {
             case "p":
                 return "<p>" + children + "</p>";
             case "a":
-                return "<a href=\"" + getNodeStr(nodeObject, "href") + "\">" + children + "</a>";
+                return "<a href=\"" + escapeInjectHtml(nodeObject, "href") + "\">" + children + "</a>";
             case "img":
                 String assetLink = getNodeStr(nodeObject, "asset-link");
                 if (!assetLink.isEmpty()) {
-                    return "<img src=\"" + assetLink + "\" />" + children;
+                    return "<img src=\"" + escapeInjectHtml(nodeObject, "asset-link") + "\" />" + children;
                 }
-                return "<img src=\"" + getNodeStr(nodeObject, "src") + "\" />" + children;
+                return "<img src=\"" + escapeInjectHtml(nodeObject, "src") + "\" />" + children;
             case "embed":
-                return "<iframe src=\"" + getNodeStr(nodeObject, "src") + "\"" + children + "</iframe>";
+                return "<iframe src=\"" + escapeInjectHtml(nodeObject, "src") + "\"" + children + "</iframe>";
             case "h1":
                 return "<h1>" + children + "</h1>";
             case "h2":