Merge pull request #334 from skyhit/sanitize_challenge_properties

ajefts · web-flow · commit 2651cc0de71e · 2017-10-30T14:14:24.000-04:00
sanitize challenge properties before saving
diff --git a/components/project_management/build.xml b/components/project_management/build.xml
@@ -143,6 +143,7 @@
     <property name="junit.jar" value="${ext_libdir}/junit/3.8.2/junit.jar"/>
     <property name="j2ee.jar" value="${ext_libdir}/j2ee/j2ee.jar"/>
     <property name="ifxjdbc.jar" value="${ext_libdir}/informix/ifxjdbc.jar"/>
+    <property name="encoder-1.2.1.jar" value="${ext_libdir}/owasp/encoder-1.2.1.jar"/>
 
     <!-- Java Locations -->
     <property name="java_1_3_bootclasspath" value="c:\program files\JavaSoft\JRE\1.3.1\lib\rt.jar"/>
@@ -160,6 +161,7 @@
     	<pathelement location="${jaxb-api.jar}"/>
     	<pathelement location="${j2ee.jar}"/>
     	<pathelement location="${ifxjdbc.jar}"/>
+        <pathelement location="${encoder-1.2.1.jar}"/>
     	<pathelement location="${logging_wrapper.jar}" />
     	<pathelement location="${typesafe_enum.jar}" />
     	<pathelement location="${data_validation.jar}" />
diff --git a/components/project_management/src/java/main/com/topcoder/management/project/persistence/AbstractInformixProjectPersistence.java b/components/project_management/src/java/main/com/topcoder/management/project/persistence/AbstractInformixProjectPersistence.java
@@ -67,6 +67,7 @@
 import com.topcoder.util.sql.databaseabstraction.CustomResultSet;
 import com.topcoder.util.sql.databaseabstraction.InvalidCursorStateException;
 import com.topcoder.util.sql.databaseabstraction.NullColumnValueException;
+import org.owasp.encoder.Encode;
 
 /**
  * <p>
@@ -5985,13 +5986,15 @@ private void createProjectProperties(Long projectId, Project project, Map idValu
             for (Iterator it = idValueMap.entrySet().iterator(); it.hasNext();) {
                 Entry entry = (Entry) it.next();
 
+                Long key = (Long) entry.getKey();
+                String value = (String) entry.getValue();
+                value = Encode.forHtml(value);
                 // insert the project property into database
-                Object[] queryArgs = new Object[] {projectId, entry.getKey(),
-                        entry.getValue(), operator, operator };
+                Object[] queryArgs = new Object[] {projectId, key,
+                        value, operator, operator };
                 Helper.doDMLQuery(preparedStatement, queryArgs);
                 
-                auditProjectInfo(conn, projectId, project, AUDIT_CREATE_TYPE, (Long) entry.getKey(),
-                		(String) entry.getValue());
+                auditProjectInfo(conn, projectId, project, AUDIT_CREATE_TYPE, key, value);
             }
 
         } catch (SQLException e) {
