Validate tz

app/pom.xml

@@ -24,7 +24,7 @@ limitations under the License.
     <parent>
         <groupId>org.apache.roller</groupId>
         <artifactId>roller-project</artifactId>
-        <version>6.1.2</version>
+        <version>6.1.3</version>
         <relativePath>../pom.xml</relativePath>
     </parent>
 
@@ -627,7 +627,7 @@ limitations under the License.
                     <dependency>
                         <groupId>org.apache.roller</groupId>
                         <artifactId>db-utils</artifactId>
-                        <version>6.1.2</version>
+                        <version>6.1.3</version>
                     </dependency>
                     <dependency>
                         <groupId>commons-dbcp</groupId>

app/src/main/java/org/apache/roller/weblogger/business/jpa/JPABookmarkManagerImpl.java

@@ -104,6 +104,7 @@ public void removeBookmark(WeblogBookmark bookmark) throws WebloggerException {
 
     @Override
     public void saveFolder(WeblogBookmarkFolder folder) throws WebloggerException {
+        folder.sanitize();
 
         // If new folder make sure name is unique
         if ((folder.getId() == null || this.getFolder(folder.getId()) == null) && isDuplicateFolderName(folder)) {
@@ -148,15 +149,15 @@ public void importBookmarks(
 
             WeblogBookmarkFolder newFolder = getFolder(website, folderName);
             if (newFolder == null) {
-                newFolder = new WeblogBookmarkFolder(
-                        folderName, website);
+                newFolder = new WeblogBookmarkFolder(folderName, website);
+                newFolder.sanitize();
                 this.strategy.store(newFolder);
             }
 
             // Iterate through children of OPML body, importing each
             Element body = doc.getRootElement().getChild("body");
-            for (Object elem : body.getChildren()) {
-                importOpmlElement((Element) elem, newFolder );
+            for (Element elem : body.getChildren()) {
+                importOpmlElement(elem, newFolder );
             }
         } catch (Exception ex) {
             throw new WebloggerException(ex);
@@ -211,13 +212,14 @@ private void importOpmlElement(
                         url,
                         xmlUrl,
                         null);
+                bd.sanitize();
                 folder.addBookmark(bd);
                 this.strategy.store(bd);
             }
         } else {
             // Import suboutline's children into folder
-            for (Object subelem : elem.getChildren("outline")) {
-                importOpmlElement((Element) subelem, folder );
+            for (Element subelem : elem.getChildren("outline")) {
+                importOpmlElement(subelem, folder );
             }
         }
     }

app/src/main/java/org/apache/roller/weblogger/business/jpa/JPAUserManagerImpl.java

@@ -67,8 +67,9 @@ public void release() {}
     //--------------------------------------------------------------- user CRUD
 
     @Override
-    public void saveUser(User data) throws WebloggerException {
-        this.strategy.store(data);
+    public void saveUser(User user) throws WebloggerException {
+        user.sanitize();
+        this.strategy.store(user);
     }
 
 
@@ -113,6 +114,7 @@ public void addUser(User newUser) throws WebloggerException {
             throw new WebloggerException("error.add.user.userNameInUse");
         }
 
+        newUser.sanitize();
         this.strategy.store(newUser);
 
         grantRole("editor", newUser);

app/src/main/java/org/apache/roller/weblogger/pojos/User.java

@@ -28,6 +28,7 @@
 import org.apache.roller.util.UUIDGenerator;
 import org.apache.roller.weblogger.business.WebloggerFactory;
 import org.apache.roller.weblogger.ui.core.RollerContext;
+import org.apache.roller.weblogger.util.HTMLSanitizer;
 import org.springframework.security.crypto.password.PasswordEncoder;
 
 
@@ -36,7 +37,7 @@
  */
 public class User implements Serializable {
 
-    public static final long serialVersionUID = -6354583200913127874L;
+    private static final long serialVersionUID = -6354583200913127874L;
 
     private String  id = UUIDGenerator.generateUUID();
     private String  userName;
@@ -91,7 +92,7 @@ public String getUserName() {
     }
 
     public void setUserName( String userName ) {
-        this.userName = userName;
+        this.userName =  HTMLSanitizer.conditionallySanitize(userName);
     }
 
     /**
@@ -128,7 +129,7 @@ public String getOpenIdUrl() {
     }
 
     public void setOpenIdUrl(String openIdUrl) {
-        this.openIdUrl = openIdUrl;
+        this.openIdUrl =  HTMLSanitizer.conditionallySanitize(openIdUrl);
     }
 
     /**
@@ -139,7 +140,7 @@ public String getScreenName() {
     }
 
     public void setScreenName( String screenName ) {
-        this.screenName = screenName;
+        this.screenName =  HTMLSanitizer.conditionallySanitize(screenName);
     }
 
     /**
@@ -150,7 +151,7 @@ public String getFullName() {
     }
 
     public void setFullName( String fullName ) {
-        this.fullName = fullName;
+        this.fullName =  HTMLSanitizer.conditionallySanitize(fullName);
     }
 
     /**
@@ -161,7 +162,7 @@ public String getEmailAddress() {
     }
 
     public void setEmailAddress( String emailAddress ) {
-        this.emailAddress = emailAddress;
+        this.emailAddress =  HTMLSanitizer.conditionallySanitize(emailAddress);
     }
 
 
@@ -192,7 +193,7 @@ public String getLocale() {
     }
 
     public void setLocale(String locale) {
-        this.locale = locale;
+        this.locale =  HTMLSanitizer.conditionallySanitize(locale);
     }
 
     /**
@@ -203,7 +204,7 @@ public String getTimeZone() {
     }
 
     public void setTimeZone(String timeZone) {
-        this.timeZone = timeZone;
+        this.timeZone =  HTMLSanitizer.conditionallySanitize(timeZone);
     }
 
 
@@ -223,7 +224,7 @@ public String getActivationCode() {
     }
 
     public void setActivationCode(String activationCode) {
-        this.activationCode = activationCode;
+        this.activationCode =  HTMLSanitizer.conditionallySanitize(activationCode);
     }
 
 
@@ -239,6 +240,11 @@ public boolean hasGlobalPermissions(List<String> actions) {
             return false;
         }
     }
+
+    public void sanitize() {
+        setFullName(HTMLSanitizer.conditionallySanitize(getFullName()));
+        setScreenName(HTMLSanitizer.conditionallySanitize(getScreenName()));
+    }
 
     //------------------------------------------------------- Good citizenship
 

app/src/main/java/org/apache/roller/weblogger/pojos/WeblogBookmark.java

@@ -18,10 +18,12 @@
 
 package org.apache.roller.weblogger.pojos;
 
-import java.io.Serializable;
 import org.apache.commons.lang3.builder.EqualsBuilder;
 import org.apache.commons.lang3.builder.HashCodeBuilder;
 import org.apache.roller.util.UUIDGenerator;
+import org.apache.roller.weblogger.util.HTMLSanitizer;
+
+import java.io.Serializable;
 
 
 /**
@@ -143,6 +145,12 @@ public String getFeedUrl() {
     public void setFeedUrl(String feedUrl) {
         this.feedUrl = feedUrl;
     }
+
+    public void sanitize() {
+        // Conditionally sanitize fields not validated by Struts Validator
+        setName(HTMLSanitizer.conditionallySanitize(this.name));
+        setDescription(this.description == null ? "" : HTMLSanitizer.conditionallySanitize(this.description));
+    }
 
     //---------------------------------------------------------- Relationships
 

app/src/main/java/org/apache/roller/weblogger/pojos/WeblogBookmarkFolder.java

@@ -28,6 +28,7 @@
 import org.apache.roller.weblogger.business.BookmarkManager;
 import org.apache.roller.weblogger.business.WebloggerFactory;
 import org.apache.roller.util.UUIDGenerator;
+import org.apache.roller.weblogger.util.HTMLSanitizer;
 
 
 /**
@@ -188,4 +189,9 @@ public List<WeblogBookmark> retrieveBookmarks() throws WebloggerException {
         return bmgr.getBookmarks(this);
     }
 
+    public void sanitize() {
+        // Conditionally sanitize fields not validated by Struts Validator
+        setName(HTMLSanitizer.conditionallySanitize(getName()));
+    }
+
 }

app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java

@@ -22,14 +22,18 @@
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.roller.weblogger.WebloggerException;
-import org.apache.roller.weblogger.business.WebloggerFactory;
 import org.apache.roller.weblogger.business.UserManager;
+import org.apache.roller.weblogger.business.WebloggerFactory;
 import org.apache.roller.weblogger.config.AuthMethod;
 import org.apache.roller.weblogger.config.WebloggerConfig;
 import org.apache.roller.weblogger.pojos.User;
 import org.apache.roller.weblogger.ui.struts2.util.UIAction;
 import org.apache.struts2.interceptor.validation.SkipValidation;
 
+import java.util.Arrays;
+import java.util.Locale;
+import java.util.Optional;
+import java.util.TimeZone;
 
 /**
  * Allows user to edit his/her profile.
@@ -150,6 +154,23 @@ public void myValidate() {
                 addError("generic.error.check.logs");
             }
         }
+
+        // validate that bean's timeZone field is a valid time zone
+        if (!StringUtils.isEmpty(getBean().getTimeZone())) {
+            final Optional<String> first = Arrays.stream(TimeZone.getAvailableIDs())
+                    .filter(id -> id.equals(getBean().getTimeZone())).findFirst();
+            if (first.isEmpty()) {
+                addError("error.add.user.invalid.timezone");
+            }
+        }
+
+        // validate that bean's locale field is a valid locale
+        if (!StringUtils.isEmpty(getBean().getLocale())) {
+            Locale locale = Locale.forLanguageTag(bean.getLocale());
+            if (locale == null || "".equals(locale.getDisplayName())) {
+                addError("error.add.user.invalid.locale");
+            }
+        }
     }
 
     public String getAuthMethod() {

app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java

@@ -27,7 +27,6 @@
 import org.apache.roller.weblogger.pojos.WeblogBookmark;
 import org.apache.roller.weblogger.ui.struts2.util.UIAction;
 import org.apache.roller.weblogger.util.cache.CacheManager;
-import org.apache.struts2.convention.annotation.AllowedMethods;
 import org.apache.struts2.interceptor.validation.SkipValidation;
 
 

app/src/main/resources/ApplicationResources.properties

@@ -453,6 +453,8 @@ error.add.user.openIdInUse=Open ID already in use with another account.
 error.add.user.missingUserName=You must specify a username.
 error.add.user.badUserName=Invalid user name (must be alpha-numerics only).
 error.add.user.missingPassword=You must specify a password.
+error.add.user.invalid.timezone=Invalid timezone.
+error.add.user.invalid.locale=Invalid locale.
 error.upload.dirmax=You cannot exceed the maximum directory size of {0} MB.
 error.upload.disabled=File Upload has been turned off
 error.upload.file=No file selected

assembly-release/pom.xml

@@ -22,7 +22,7 @@
     <parent>
         <groupId>org.apache.roller</groupId>
         <artifactId>roller-project</artifactId>
-        <version>6.1.2</version>
+        <version>6.1.3</version>
         <relativePath>../pom.xml</relativePath>
     </parent>
 

assembly-release/sign-release.sh

@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 
-export rcstring="r2"
-export vstring="6.1.2"
+export rcstring="r1"
+export vstring="6.1.3"
 
 # for rc releases we rename the release files
 if [ rcstring != "" ]; then

db-utils/pom.xml

@@ -7,13 +7,13 @@
     <parent>
         <groupId>org.apache.roller</groupId>
         <artifactId>roller-project</artifactId>
-        <version>6.1.2</version>
+        <version>6.1.3</version>
         <relativePath>../pom.xml</relativePath>
     </parent>
 
     <name>Apache Roller DB Utilities</name>
     <artifactId>db-utils</artifactId>
-    <version>6.1.2</version>
+    <version>6.1.3</version>
 
     <build>
         <plugins>

it-selenium/pom.xml

@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.apache.roller</groupId>
         <artifactId>roller-project</artifactId>
-        <version>6.1.2</version>
+        <version>6.1.3</version>
         <relativePath>../pom.xml</relativePath>
     </parent>
 
@@ -188,7 +188,7 @@
                     <dependency>
                         <groupId>org.apache.roller</groupId>
                         <artifactId>db-utils</artifactId>
-                        <version>6.1.2</version>
+                        <version>6.1.3</version>
                     </dependency>
                     <dependency>
                         <groupId>commons-dbcp</groupId>

pom.xml

@@ -22,7 +22,7 @@ limitations under the License.
     <modelVersion>4.0.0</modelVersion>
     <groupId>org.apache.roller</groupId>
     <artifactId>roller-project</artifactId>
-    <version>6.1.2</version>
+    <version>6.1.3</version>
     <packaging>pom</packaging>
 
     <name>Roller</name>
@@ -46,7 +46,7 @@ limitations under the License.
         <jetty.plugin.version>10.0.19</jetty.plugin.version> <!-- Jetty 11 requires Jakarta package names -->
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
         <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
-        <roller.version>6.1.2</roller.version>
+        <roller.version>6.1.3</roller.version>
         <slf4j.version>1.7.36</slf4j.version>
     </properties>