Sanitize some inputs and clarify docs #128

Merged
merged 3 commits into from
Jul 9, 2023
Original file line number Diff line number Diff line change
@@ -38,6 +38,7 @@
import org.apache.roller.util.UUIDGenerator;
import org.apache.roller.weblogger.business.UserManager;
import org.apache.roller.weblogger.util.I18nUtils;
import org.apache.roller.weblogger.util.Utilities;


/**
@@ -195,7 +196,7 @@ public String getName() {
}

public void setName(String name) {
this.name = name;
this.name = Utilities.removeHTML(name);
}

/**
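Review bot: `Utilities.removeHTML(name)` in the `setName` change strips tag-like text rather than encoding it (as the method name and the Javadoc in `Utilities` elsewhere in this PR suggest), so a name containing a bare `<`, for example `a < b`, is altered on save instead of being stored and shown escaped; if that trade-off is intended, state it in the field's Javadoc. Sanitizing in the setter also only covers writes that go through the setter, so output encoding in the templates that render the name should stay in place as the primary control rather than relying on stored values being clean.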
@@ -207,7 +208,7 @@ public String getTagline() {
}

public void setTagline(String tagline) {
this.tagline = tagline;
this.tagline = Utilities.removeHTML(tagline);
}

/**
@@ -567,7 +568,7 @@ public void setAnalyticsCode(String analyticsCode) {
/**
* A description for the weblog (its purpose, authors, etc.)
*
* This field is meant to hold a paragraph or two describing the weblog, in contrast
* This field is meant to hold a paragraph describing the weblog, in contrast
* to the short sentence or two 'description' attribute meant for blog taglines
* and HTML header META description tags.
*
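Review bot: the Javadoc for this field should now also say that HTML is stripped on set, since `setAbout` further down in this file passes the value through `Utilities.removeHTML`; a reader who sees only "a paragraph describing the weblog" will expect any formatting they enter to survive. The "a paragraph or two" to "a paragraph" wording change itself is fine.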
@@ -577,7 +578,7 @@ public String getAbout() {
}

public void setAbout(String about) {
this.about = about;
this.about = Utilities.removeHTML(about);
}


Original file line number Diff line number Diff line change
@@ -27,6 +27,7 @@
import org.apache.roller.weblogger.business.WeblogEntryManager;
import org.apache.roller.weblogger.pojos.WeblogEntry.PubStatus;
import org.apache.roller.util.UUIDGenerator;
import org.apache.roller.weblogger.util.Utilities;


/**
@@ -133,7 +134,7 @@ public String getName() {
}

public void setName(String name) {
this.name = name;
this.name = Utilities.removeHTML(name);
}


@@ -145,7 +146,7 @@ public String getDescription() {
}

public void setDescription(String description) {
this.description = description;
this.description = Utilities.removeHTML(description);
}

/**
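Review bot: because `setDescription` now strips tags, a stored description that contains literal `<` or `>` text is unchanged until it is next edited and saved, at which point the text silently changes; a sentence in the PR description or release notes saying that existing values are rewritten on the next save would avoid surprising administrators.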
Original file line number Diff line number Diff line change
@@ -79,7 +79,7 @@ public String getTagline() {
}

public void setTagline( String tagline ) {
this.tagline = tagline.replace("<", "&lt;").replace(">", "&gt;");
this.tagline = tagline;
}

public boolean getEnableBloggerApi() {
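Review bot: dropping the `replace("<", "&lt;").replace(">", "&gt;")` call in `setTagline` changes what ends up stored, not just where the sanitizing happens: the old code preserved a user's literal `<` as an entity, while `Utilities.removeHTML` in the entity's `setTagline` (first file of this PR) removes tag-like text altogether. That is acceptable only if every path from this bean into the entity goes through that setter; please confirm nothing copies `tagline` from the bean into the entity field directly, because the bean no longer escapes anything itself. The same applies to the `setAbout` change below.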
@@ -215,7 +215,7 @@ public String getAbout() {
}

public void setAbout(String about) {
this.about = about.replace("<", "&lt;").replace(">", "&gt;");
this.about = about;
}

public String getBloggerCategoryId() {
Original file line number Diff line number Diff line change
@@ -100,7 +100,7 @@ public static String conditionallySanitize(String ret) {
}

/**
* Used to get the text, tags removed or encoded
* Used to get the text, tags removed or encoded
*
* @param html
* @return sanitized text
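Review bot: this hunk only changes whitespace in the Javadoc, and while it is being touched the comment should say which of "removed or encoded" the method actually does and give the empty `@param html` tag a description; the rest of this PR depends on exactly that difference, since the form bean stops encoding and the entity setters start removing.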
3 changes: 3 additions & 0 deletions docs/roller-install-guide.adoc
@@ -55,6 +55,9 @@ will use your Roller site to author HTML, then you should configure
Roller to sanitize all HTML published by the system. Do this by setting
the _weblogAdminsUntrusted=true_ property in your
_roller-custom.properties_ file.
* *Do not allow File Uploads*. By default Roller allows users to upload
files for display on their blogs. If don't trust your users, this is unsafe
and you should disable File Uploads via the Server Administration page.
* *Do not allow HTML in comments*. Roller can allow users to write
comments in a safe-subset of HTML, but HTML use in comments is not
allowed at all because of security concerns with even a so called
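Review bot: typo in the added bullet: "If don't trust your users" should read "If you don't trust your users". It would also help to name the exact setting on the Server Administration page that disables uploads, the way the preceding bullet names `weblogAdminsUntrusted=true`, so an administrator can find it without guessing.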
3 changes: 2 additions & 1 deletion docs/roller-user-guide.adoc
@@ -890,7 +890,8 @@ Safari)
is no longer active and should not appear in hot-blog and other weblog
listing on the site. You might want to do this if you take a very long
vacation or if you have decided to stop updating your weblog for some
other reason.
other reason. Your weblog will still be publicly available, but not
shown in the main community page of your site (if there is one).
* *Number of entries to display on weblog*: Enter the maximum number of
entries to be displayed on your weblog.

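Review bot: the added sentence is a useful clarification; while editing this paragraph, the context line "hot-blog and other weblog listing on the site" should read "listings", and "if there is one" could be tightened to "if your site has one".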