
Commit cafb50d

committed
[KNOWAGE-9198] Escape XML attributes in TriggerXMLSerializer and SchedulerUtilitiesV2
1 parent 713f8b7 commit cafb50d

3 files changed

Lines changed: 23 additions & 3 deletions


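--- a/knowage-core/src/main/java/it/eng/spagobi/commons/deserializer/XMLDeserializer.java
+++ b/knowage-core/src/main/java/it/eng/spagobi/commons/deserializer/XMLDeserializer.java
@@ -80,6 +80,4 @@ public Object deserialize(Object o, Class clazz) throws DeserializationException
 
 return result;
 }
-
-
 }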
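--- a/knowage-core/src/main/java/it/eng/spagobi/commons/serializer/TriggerXMLSerializer.java
+++ b/knowage-core/src/main/java/it/eng/spagobi/commons/serializer/TriggerXMLSerializer.java
@@ -144,6 +144,7 @@ public Object serialize(Object o, Locale locale) throws SerializationException {
 Set<String> jobParametersName = jobParameters.keySet();
 for (String jobParameterName : jobParametersName) {
 String jobParameterValue = jobParameters.get(jobParameterName);
+jobParameterValue = escapeXmlAttribute(jobParameterValue);
 // already extracted and processed
 // if(jobParameterName.equals("chronString")) {
 // continue;
@@ -176,6 +177,16 @@ public Object serialize(Object o, Locale locale) throws SerializationException {
 return result.toString();
 }
 
+
+private String escapeXmlAttribute(String text) {
+if (text == null) return null;
+return text
+.replace("&", "&amp;") // DEVE essere il primo!
+.replace("<", "&lt;")
+.replace(">", "&gt;")
+.replace("\"", "&quot;")
+.replace("'", "&apos;");
+}
+
 public String serailizeTime(Date date) {
 String serializedTime;
 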
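Review bot: `escapeXmlAttribute` is a private copy of the same five `replace` calls added to SchedulerUtilitiesV2 in this commit, and neither copy handles characters that XML 1.0 forbids outright (control characters other than tab, LF and CR), so a job parameter containing one still yields a document a conforming parser rejects. A single shared helper, or `StringEscapeUtils.escapeXml10` if commons-lang is already on the classpath, would fix both call sites at once. In the first hunk only `jobParameterValue` is escaped while `jobParameterName`, taken from the same map, is not; if the name is written into the element the same way the value is, it needs the same treatment — the rest of the loop body lies outside the hunk, so please confirm. The Italian comment on the `&` replace would read better as `// must be first: escaping '&' afterwards would double-escape the entities added below`.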
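--- a/knowage-core/src/main/java/it/eng/spagobi/tools/scheduler/utils/SchedulerUtilitiesV2.java
+++ b/knowage-core/src/main/java/it/eng/spagobi/tools/scheduler/utils/SchedulerUtilitiesV2.java
@@ -547,7 +547,7 @@ private static String serializeSaveAsMailOptions(DispatchContext dispatchContext
 saveOptString += "mailsubj=" + dispatchContext.getMailSubj() + "%26";
 }
 if ((dispatchContext.getMailTxt() != null) && !dispatchContext.getMailTxt().trim().equals("")) {
-saveOptString += "mailtxt=" + dispatchContext.getMailTxt() + "%26";
+saveOptString += "mailtxt=" + escapeXmlAttribute(dispatchContext.getMailTxt()) + "%26";
 }
 
 // Mail
@@ -574,6 +574,17 @@ private static String serializeSaveAsMailOptions(DispatchContext dispatchContext
 return saveOptString;
 }
 
+
+private static String escapeXmlAttribute(String text) {
+if (text == null) return null;
+return text
+.replace("&", "&amp;")
+.replace("<", "&lt;")
+.replace(">", "&gt;")
+.replace("\"", "&quot;")
+.replace("'", "&apos;");
+}
+
 private static String serializeSaveAsDistributionListOptions(DispatchContext dispatchContext,
 String uniqueDispatchContextName, JobTrigger triggerInfo, boolean runImmediately, IEngUserProfile profile)
 throws EMFUserError {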
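Review bot: `mailsubj` on the context line just above the change is still concatenated raw, `saveOptString += "mailsubj=" + dispatchContext.getMailSubj() + "%26";`, although it comes from the same `DispatchContext` and lands in the same string as `mailtxt`; it should get the same treatment, `saveOptString += "mailsubj=" + escapeXmlAttribute(dispatchContext.getMailSubj()) + "%26";`. The string being assembled uses `%26` as its field separator, which suggests it is later consumed as URL-encoded key/value pairs rather than parsed as XML; if so, escaping here bakes `&quot;`/`&apos;` into the stored value and inserts literal `&` characters beside an encoded-`&` separator, and whatever later renders the mail text must decode entities or recipients will see them verbatim — the consumer is not visible here, so please confirm where this value is parsed. Escaping at the point of XML serialization, as the TriggerXMLSerializer change in this commit does, would avoid giving the value that double role. The helper is byte-identical to the one added to TriggerXMLSerializer and belongs in one shared utility; `serializeSaveAsMailOptions` starts before the first hunk.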