Improve implementation of client & server page

src/main/java/org/t246osslab/easybuggy4sb/vulnerabilities/UnintendedFileDisclosureController.java

@@ -1,76 +1,33 @@
 package org.t246osslab.easybuggy4sb.vulnerabilities;
 
-import java.io.IOException;
 import java.util.Locale;
-import java.util.Properties;
 
-import javax.servlet.http.HttpServletResponse;
-import javax.servlet.http.HttpSession;
-
-import org.apache.commons.io.IOUtils;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.MessageSource;
-import org.springframework.context.NoSuchMessageException;
-import org.springframework.core.io.ClassPathResource;
-import org.springframework.core.io.Resource;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.servlet.ModelAndView;
 
 @Controller
 public class UnintendedFileDisclosureController {
 
-    private static final Logger log = LoggerFactory.getLogger(UnintendedFileDisclosureController.class);
-
     @Autowired
     MessageSource msg;
 
     @RequestMapping(value = "/clientinfo")
-    public void clientinfo(HttpServletResponse res, Locale locale) throws IOException {
-        Resource resource = new ClassPathResource("/templates/clientinfo.html");
-        String htmlString = IOUtils.toString(resource.getInputStream());
-        htmlString = repacLocalizedString(htmlString, locale);
-        res.getWriter().write(htmlString);
+    public ModelAndView process(ModelAndView mav, Locale locale) {
+        mav.setViewName("clientinfo");
+        mav.addObject("title", msg.getMessage("section.client.info", null, locale));
+        return mav;
     }
-
+    
     @RequestMapping(value = "/serverinfo")
-    public void serverinfo(HttpSession ses, HttpServletResponse res, Locale locale) throws IOException {
-        StringBuilder sb = new StringBuilder();
-        Properties properties = System.getProperties();
-        for (Object key : properties.keySet()) {
-            Object value = properties.get(key);
-            sb.append("<tr><td>" + key + "</td><td>" + value + "</td></tr>");
-        }
-        Resource resource = new ClassPathResource("/templates/serverinfo.html");
-        String htmlString = IOUtils.toString(resource.getInputStream());
-        String userid = (String) ses.getAttribute("userid");
-        if(userid == null){
-            res.sendRedirect("/");
-            return;
-        }
-        htmlString = htmlString.replace("<!-- [REPLACE:@UserId] -->", userid);
-        htmlString = htmlString.replace("<!-- [REPLACE:@Contents] -->", sb.toString());
-        htmlString = repacLocalizedString(htmlString, locale);
-        res.getWriter().write(htmlString);
-    }
-
-    private String repacLocalizedString(String htmlString, Locale locale) {
-        while (true) {
-            int startIndex = htmlString.indexOf("<!-- [REPLACE:");
-            int endIndex = htmlString.indexOf("] -->");
-            if (startIndex < 0 || endIndex < 0) {
-                break;
-            }
-            String keyString = htmlString.substring(startIndex + 14, endIndex);
-            try {
-                htmlString = htmlString.replace("<!-- [REPLACE:" + keyString + "] -->",
-                        msg.getMessage(keyString, null, locale));
-            } catch (NoSuchMessageException e) {
-                log.warn("{} is not defined in message.properties", keyString, e);
-                break;
-            }
-        }
-        return htmlString;
+    public ModelAndView process(@RequestParam(value = "string", required = false) String string, ModelAndView mav,
+            Locale locale) {
+        mav.setViewName("serverinfo");
+        mav.addObject("title", msg.getMessage("section.server.info", null, locale));
+        mav.addObject("properties", System.getProperties());
+        return mav;
     }
 }

src/main/resources/templates/clientinfo.html

@@ -1,49 +1,36 @@
-<!-- Note: This html is an EasyBuggy Boot original format template, not a template for Thymeleaf -->
-<!DOCTYPE HTML>
-<html>
-<head>
-<title><!-- [REPLACE:section.client.info] --></title>
-<link rel="icon" type="image/vnd.microsoft.icon" href="/images/favicon.ico" />
-<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css" integrity="sha384-BVYiiSIFeK1dGmJRAkycuHAHRg32OmUcww7on3RYdg4Va+PmSTsz/K68vbdEjh4u" crossorigin="anonymous" />
-<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap-theme.min.css" integrity="sha384-rHyoN1iRsVXV4nD0JutlnGaslCJuC7uwjduW9SVrLvRYooPp2bWYgmgJQIXwl/Sp" crossorigin="anonymous" />
-<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.1.1/jquery.min.js"></script>
-<script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js" integrity="sha384-Tc5IQib027qvyjSMfHjOMaLkfuWVxZxUPnCJA7l2mCWNIpG9mGCD8wGNIcPD7Txa" crossorigin="anonymous"></script>
-</head>
+<!DOCTYPE html SYSTEM "http://www.thymeleaf.org/dtd/xhtml1-strict-thymeleaf-spring4-4.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="http://www.thymeleaf.org" th:with="lang=${#locale.language}" th:lang="${lang}">
+<div th:replace="head"></div>
 <body style="margin-left: 20px; margin-right: 20px;">
-	<table style="width: 100%;">
-		<tr>
-			<td>
-				<h2>
-					<span class="glyphicon glyphicon-globe"></span>&nbsp;<!-- [REPLACE:section.client.info] -->
-				</h2>
-			</td>
-			<td align="right">
-				<br> <a href="/"><!-- [REPLACE:label.go.to.main] --></a>
-			</td>
-		</tr>
+	<div th:replace="header"></div>
+	<table class="table table-striped table-bordered table-hover" style="font-size: small;">
+		<tr><th><p th:text="#{label.key}" /></th><th><p th:text="#{label.value}" /></th></tr>
+		<tr><td><p th:text="#{label.code}" /></td><td id="appCodeName"></td></tr>
+		<tr><td><p th:text="#{label.browser}" /></td><td id="appName"></td></tr>
+		<tr><td><p th:text="#{label.version}" /></td><td id="appVersion"></td></tr>
+		<tr><td><p th:text="#{label.platform}" /></td><td id="platform"></td></tr>
+		<tr><td><p th:text="#{label.user.agent}" /></td><td id="userAgent"></td></tr>
+		<tr><td><p th:text="#{label.language}" /></td><td id="browserLanguage"></td></tr>
 	</table>
-	<hr style="margin-top: 0px" />
-	<script type="text/javascript">
-	<!--
-	document.write('<table class="table table-striped table-bordered table-hover" style="font-size: small;">');
-	document.write('<tr><th><!-- [REPLACE:label.key] --></th><th><!-- [REPLACE:label.value] --></th></tr>');
-	document.write('<tr><td><!-- [REPLACE:label.code] --></td><td>' + navigator.appCodeName + '</td></tr>');
-	document.write('<tr><td><!-- [REPLACE:label.browser] --></td><td>' + navigator.appName + '</td></tr>');
-	document.write('<tr><td><!-- [REPLACE:label.version] --></td><td>' + navigator.appVersion + '</td></tr>');
-	document.write('<tr><td><!-- [REPLACE:label.platform] --></td><td>' + navigator.platform + '</td></tr>');
-	document.write('<tr><td><!-- [REPLACE:label.user.agent] --></td><td>' + navigator.userAgent + '</td></tr>');
-	if(document.all){
-		document.write('<tr><td><!-- [REPLACE:label.language] --></td><td>' + navigator.browserLanguage + '</td></tr>');
-	} else {
-		document.write('<tr><td><!-- [REPLACE:label.language] --></td><td>' + navigator.language + '</td></tr>');
-	}
-	document.write('</table>');
-	// -->
-	</script>
 	<hr />
 	<div class="alert alert-info" role="alert">
 		<span class="glyphicon glyphicon-info-sign"></span>&nbsp;
-		<!-- [REPLACE:msg.note.unintended.file.disclosure] -->
+		<p th:text="#{msg.note.unintended.file.disclosure}" />
 	</div>
+	<script type="text/javascript">
+	<!--
+		document.getElementById("appCodeName").textContent=navigator.appCodeName;
+		document.getElementById("appName").textContent=navigator.appName;
+		document.getElementById("appVersion").textContent=navigator.appVersion;
+		document.getElementById("platform").textContent=navigator.platform;
+		document.getElementById("userAgent").textContent=navigator.userAgent;
+		document.getElementById("browserLanguage").textContent=navigator.browserLanguage;
+		if (document.all) {
+			document.getElementById("browserLanguage").textContent=navigator.browserLanguage;
+		} else {
+			document.getElementById("browserLanguage").textContent=navigator.language;
+		}
+	// -->
+	</script>
 </body>
-</html>
+</html>

src/main/resources/templates/serverinfo.html

@@ -1,34 +1,14 @@
-<!-- Note: This html is an EasyBuggy Boot original format template, not a template for Thymeleaf -->
-<!DOCTYPE HTML>
-<html>
-<head>
-<title><!-- [REPLACE:section.server.info] --></title>
-<link rel="icon" type="image/vnd.microsoft.icon" href="/images/favicon.ico" />
-<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css" integrity="sha384-BVYiiSIFeK1dGmJRAkycuHAHRg32OmUcww7on3RYdg4Va+PmSTsz/K68vbdEjh4u" crossorigin="anonymous" />
-<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap-theme.min.css" integrity="sha384-rHyoN1iRsVXV4nD0JutlnGaslCJuC7uwjduW9SVrLvRYooPp2bWYgmgJQIXwl/Sp" crossorigin="anonymous" />
-<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.1.1/jquery.min.js"></script>
-<script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js" integrity="sha384-Tc5IQib027qvyjSMfHjOMaLkfuWVxZxUPnCJA7l2mCWNIpG9mGCD8wGNIcPD7Txa" crossorigin="anonymous"></script>
-</head>
+<!DOCTYPE html SYSTEM "http://www.thymeleaf.org/dtd/xhtml1-strict-thymeleaf-spring4-4.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="http://www.thymeleaf.org" th:with="lang=${#locale.language}" th:lang="${lang}">
+<div th:replace="head"></div>
 <body style="margin-left: 20px; margin-right: 20px;">
-	<table style="width: 100%;">
-		<tr>
-			<td>
-				<h2>
-					<span class="glyphicon glyphicon-globe"></span>&nbsp;<!-- [REPLACE:section.server.info] -->
-				</h2>
-			</td>
-			<td align="right"><!-- [REPLACE:label.user.id] -->: <!-- [REPLACE:@UserId] -->
-				<br> <a href="/logout"><!-- [REPLACE:label.logout] --></a>
-			</td>
-		</tr>
-	</table>
-	<hr style="margin-top: 0px" />
-	<table style="width: 720px;" class="table table-striped table-bordered table-hover" style="font-size:small;">
-		<tr>
-			<th><!-- [REPLACE:label.key] --></th>
-			<th><!-- [REPLACE:label.value] --></th>
-		</tr>
-		<!-- [REPLACE:@Contents] -->
-	</table>
+	<div th:replace="header"></div>
+	<table class="table table-striped table-bordered table-hover" style="font-size: small;">
+		<tr><th><p th:text="#{label.key}" /></th><th><p th:text="#{label.value}" /></th></tr>
+        <tr th:each="key : ${properties.keySet()}">
+            <td th:text="${key}"></td>
+            <td th:text="${properties.getProperty(key)}"></td>
+        </tr>
+    </table>
 </body>
 </html>

src/main/webapp/uid/clientinfo.html

@@ -1,3 +1,4 @@
+<!-- To work directory listing, this Ajax call is needed -->
 <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.1.1/jquery.min.js"></script>
 <script type="text/javascript">
 <!--

src/main/webapp/uid/serverinfo.html

@@ -1,3 +1,4 @@
+<!-- To work directory listing, this Ajax call is needed -->
 <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.1.1/jquery.min.js"></script>
 <script type="text/javascript">
 <!--