Fix/#3167 fixed escaping fields

WebContent/WEB-INF/dwr.xml

@@ -20,11 +20,10 @@
 
 <dwr>
   <init>
-    <converter id="localizableMessage" class="com.serotonin.web.dwr.LocalizableMessageConverter"/>
-    <converter id="protocolVersionConverter" class="com.serotonin.mango.web.dwr.ProtocolVersionConverter"/>
-    <converter id="xssDataPointVoConverter" class="com.serotonin.mango.web.dwr.XssDataPointVoConverter"/>
-    <converter id="xssDataPointBeanConverter" class="com.serotonin.mango.web.dwr.XssDataPointBeanConverter"/>
-    <converter id="opcUaDataTypeConverter" class="com.serotonin.mango.web.dwr.OpcUaDataTypeConverter"/>
+    <converter id="xssLocalizableMessageString" class="org.scada_lts.web.security.dwr.XssLocalizableMessageConverter"/>
+    <converter id="protocolVersionEnum" class="com.serotonin.mango.web.dwr.ProtocolVersionConverter"/>
+    <converter id="opcUaDataTypeEnum" class="com.serotonin.mango.web.dwr.OpcUaDataTypeConverter"/>
+    <converter id="xssBean" class="org.scada_lts.web.security.dwr.XssBeanConverter"/>
   </init>
 
   <allow>
@@ -111,8 +110,8 @@
     <convert converter="bean" match="org.scada_lts.ds.polling.protocol.opcua.vo.OpcUaItem" />
     <convert converter="bean" match="br.org.scadabr.api.vo.*" />
 
-    <convert converter="bean" match="com.serotonin.db.IntValuePair"/>
-    <convert converter="bean" match="com.serotonin.db.KeyValuePair"/>
+    <convert converter="xssBean" match="com.serotonin.db.IntValuePair"/>
+    <convert converter="xssBean" match="com.serotonin.db.KeyValuePair"/>
 
     <convert converter="bean" match="com.serotonin.mango.rt.dataSource.http.HttpReceiverPointSample"/>
     <convert converter="bean" match="com.serotonin.mango.rt.dataSource.onewire.OneWireContainerInfo"/>
@@ -139,28 +138,28 @@
     <convert converter="bean" match="com.serotonin.mango.vo.dataSource.virtual.*"/>
 
     <convert converter="bean" match="com.serotonin.mango.vo.event.handlers.*"/>
-    <convert converter="bean" match="com.serotonin.mango.vo.event.CompoundEventDetectorVO"/>
-    <convert converter="bean" match="com.serotonin.mango.vo.event.EventHandlerVO"/>
-    <convert converter="bean" match="com.serotonin.mango.vo.event.EventTypeVO"/>
-    <convert converter="bean" match="com.serotonin.mango.vo.event.MaintenanceEventVO"/>
-    <convert converter="bean" match="com.serotonin.mango.vo.event.PointEventDetectorVO"/>
-    <convert converter="bean" match="com.serotonin.mango.vo.event.ScheduledEventVO"/>
-    <convert converter="bean" match="com.serotonin.mango.vo.hierarchy.PointFolder"/>
+    <convert converter="xssBean" match="com.serotonin.mango.vo.event.CompoundEventDetectorVO"/>
+    <convert converter="xssBean" match="com.serotonin.mango.vo.event.EventHandlerVO"/>
+    <convert converter="xssBean" match="com.serotonin.mango.vo.event.EventTypeVO"/>
+    <convert converter="xssBean" match="com.serotonin.mango.vo.event.MaintenanceEventVO"/>
+    <convert converter="xssBean" match="com.serotonin.mango.vo.event.PointEventDetectorVO"/>
+    <convert converter="xssBean" match="com.serotonin.mango.vo.event.ScheduledEventVO"/>
+    <convert converter="xssBean" match="com.serotonin.mango.vo.hierarchy.PointFolder"/>
     <convert converter="bean" match="com.serotonin.mango.vo.link.PointLinkVO"/>
     <convert converter="bean" match="com.serotonin.mango.vo.mailingList.*"/>
     <convert converter="bean" match="com.serotonin.mango.vo.permission.DataPointAccess"/>
-    <convert converter="bean" match="com.serotonin.mango.vo.publish.PublishedPointVO"/>
-    <convert converter="bean" match="com.serotonin.mango.vo.publish.PublisherVO">
+    <convert converter="xssBean" match="com.serotonin.mango.vo.publish.PublishedPointVO"/>
+    <convert converter="xssBean" match="com.serotonin.mango.vo.publish.PublisherVO">
       <param name="exclude" value="type,eventCodes"/>
     </convert>
     <convert converter="bean" match="com.serotonin.mango.vo.publish.httpSender.*"/>
     <convert converter="bean" match="com.serotonin.mango.vo.publish.pachube.*"/>
     <convert converter="bean" match="com.serotonin.mango.vo.publish.persistent.*"/>
     <convert converter="bean" match="com.serotonin.mango.vo.report.*"/>
-    <convert converter="xssDataPointVoConverter" match="com.serotonin.mango.vo.DataPointVO">
+    <convert converter="xssBean" match="com.serotonin.mango.vo.DataPointVO">
       <param name="include" value="id,xid,name,extendedName,dataSourceId,enabled,dataTypeMessage,pointLocator,engineeringUnits"/>
     </convert>
-    <convert converter="xssDataPointBeanConverter" match="com.serotonin.mango.web.dwr.beans.DataPointBean">
+    <convert converter="xssBean" match="com.serotonin.mango.web.dwr.beans.DataPointBean">
       <param name="include" value="id,xid,name,settable,dataType,dataTypeMessage,chartColour"/>
     </convert>
     <convert converter="bean" match="com.serotonin.mango.vo.User">
@@ -172,16 +171,16 @@
     <convert converter="bean" match="br.org.scadabr.vo.permission.ViewAccess">
      	<param name="include" value="id,permission"/>
     </convert>
-    <convert converter="bean" match="com.serotonin.mango.view.View">
+    <convert converter="xssBean" match="com.serotonin.mango.view.View">
      	<param name="include" value="id,name"/>
     </convert>
-    <convert converter="bean" match="br.org.scadabr.vo.usersProfiles.UsersProfileVO">
+    <convert converter="xssBean" match="br.org.scadabr.vo.usersProfiles.UsersProfileVO">
       <param name="include" value="id,name,dataSourcePermissions,dataPointPermissions, watchlistPermissions, viewPermissions"/>
     </convert>
-    <convert converter="bean" match="com.serotonin.mango.vo.WatchList">
+    <convert converter="xssBean" match="com.serotonin.mango.vo.WatchList">
       <param name="include" value="id,name"/>
     </convert>
-    <convert converter="bean" match="com.serotonin.mango.vo.UserComment"/>
+    <convert converter="xssBean" match="com.serotonin.mango.vo.UserComment"/>
 
     <convert converter="bean" match="com.serotonin.mango.web.dwr.beans.*"/>
     <convert converter="bean" match="com.serotonin.mango.web.dwr.longPoll.LongPollRequest"/>
@@ -190,8 +189,8 @@
     <convert converter="bean" match="com.serotonin.web.dwr.DwrMessageI18n"/>
     <convert converter="bean" match="com.serotonin.web.dwr.DwrResponseI18n"/>
 
-    <convert converter="localizableMessage" match="com.serotonin.web.i18n.LocalizableMessage"/>
-    <convert converter="bean" match="br.org.scadabr.vo.scripting.ScriptVO">
+    <convert converter="xssLocalizableMessageString" match="com.serotonin.web.i18n.LocalizableMessage"/>
+    <convert converter="xssBean" match="br.org.scadabr.vo.scripting.ScriptVO">
     	<param name="exclude" value="type"/>
     </convert>
      <!-- MBus4J stuff-->
@@ -216,8 +215,8 @@
     <convert converter="enum" match="org.scada_lts.ds.messaging.protocol.amqp.DurabilityType" />
     <convert converter="enum" match="org.scada_lts.ds.messaging.protocol.amqp.MessageAckType" />
     <convert converter="enum" match="org.scada_lts.ds.messaging.protocol.amqp.AmqpVersion" />
-    <convert converter="protocolVersionConverter" match="org.scada_lts.ds.messaging.protocol.ProtocolVersion" />
-    <convert converter="opcUaDataTypeConverter" match="org.scada_lts.ds.polling.protocol.opcua.vo.OpcUaDataType" />
+    <convert converter="protocolVersionEnum" match="org.scada_lts.ds.messaging.protocol.ProtocolVersion" />
+    <convert converter="opcUaDataTypeEnum" match="org.scada_lts.ds.polling.protocol.opcua.vo.OpcUaDataType" />
     <convert converter="enum" match="org.scada_lts.ds.polling.protocol.opcua.vo.OpcUaIdentifierType" />
     <convert converter="enum" match="org.scada_lts.ds.polling.protocol.opcua.security.OpcUaMessageSecurityType" />
     <convert converter="enum" match="org.scada_lts.ds.polling.protocol.opcua.security.OpcUaSecurityPolicyType" />
@@ -240,15 +239,35 @@
     <convert converter="enum" match="net.sf.fhz4j.FhzDeviceTypes" />
     <!- - Fhz4J stuff-->
 
+    <convert converter="xssBean" match="com.serotonin.mango.web.dwr.beans.EventSourceBean"/>
+    <convert converter="xssBean" match="com.serotonin.mango.vo.mailingList.AddressEntry"/>
+    <convert converter="xssBean" match="com.serotonin.mango.vo.mailingList.MailingList"/>
+    <convert converter="xssBean" match="com.serotonin.mango.vo.mailingList.UserEntry"/>
+    <convert converter="xssBean" match="com.serotonin.mango.vo.report.ReportInstance"/>
+    <convert converter="xssBean" match="com.serotonin.mango.vo.report.ReportVO"/>
+    <convert converter="xssBean" match="com.serotonin.mango.web.dwr.beans.RecipientListEntryBean"/>
+    <convert converter="xssBean" match="com.serotonin.mango.vo.bean.PointHistoryCount"/>
+    <convert converter="xssBean" match="com.serotonin.mango.vo.bean.ImageValueBean"/>
+    <convert converter="xssBean" match="com.serotonin.mango.vo.publish.httpSender.HttpSenderVO"/>
+    <convert converter="xssBean" match="com.serotonin.mango.vo.publish.httpSender.HttpPointVO"/>
+    <convert converter="xssBean" match="com.serotonin.mango.vo.publish.pachube.PachubeSenderVO"/>
+    <convert converter="xssBean" match="com.serotonin.mango.vo.publish.pachube.PachubePointVO"/>
+    <convert converter="xssBean" match="com.serotonin.mango.vo.publish.persistent.PersistentSenderVO"/>
+    <convert converter="xssBean" match="com.serotonin.mango.vo.publish.persistent.PersistentPointVO"/>
+    <convert converter="xssBean" match="com.serotonin.mango.util.ExportCodes"/>
+    <convert converter="xssBean" match="com.serotonin.mango.util.ExportCodes.Element"/>
+    <convert converter="enum" match="com.serotonin.mango.vo.publish.PublisherVO$Type"/>
+    <convert converter="xssBean" match="com.serotonin.mango.vo.dataSource.http.HttpReceiverPointLocatorVO"/>
+    <convert converter="xssBean" match="com.serotonin.mango.vo.dataSource.sql.SqlPointLocatorVO"/>
 
-
     <convert converter="exception" match="java.lang.Exception">
       <param name="include" value="message"/>
     </convert>
 
-    <convert converter="bean" match="org.scada_lts.dao.model.UserIdentifier"/>
-    <convert converter="bean" match="org.scada_lts.web.mvc.api.dto.MailingListJson"/>
-    <convert converter="bean" match="org.scada_lts.web.mvc.api.dto.EmailRecipientJson"/>
+    <convert converter="xssBean" match="org.scada_lts.dao.model.UserIdentifier"/>
+    <convert converter="xssBean" match="org.scada_lts.web.mvc.api.dto.MailingListJson"/>
+    <convert converter="xssBean" match="org.scada_lts.web.mvc.api.dto.UserEntryJson"/>
+    <convert converter="xssBean" match="org.scada_lts.web.mvc.api.dto.AddressEntryJson"/>
   </allow>
   <signatures>
     <![CDATA[

WebContent/WEB-INF/jsp/compoundEvents.jsp

@@ -96,7 +96,7 @@
             editingCompoundEvent = ced;
 
             $set("xid", ced.xid);
-            $set("name", ced.name);
+            $set("name", unescapeHtml(ced.name));
             $set("alarmLevel", ced.alarmLevel);
             $set("rtn", ced.returnToNormal);
             $set("condition", ced.condition);

WebContent/WEB-INF/jsp/dataSourceEdit/editHttpReceiver.jsp

@@ -182,9 +182,9 @@
   }
 
   function editPointCBImpl(locator) {
-      $set("parameterName", locator.parameterName);
+      $set("parameterName", unescapeHtml(locator.parameterName));
       $set("dataTypeId", locator.dataTypeId);
-      $set("binary0Value", locator.binary0Value);
+      $set("binary0Value", unescapeHtml(locator.binary0Value));
       changeDataTypeId();
   }
 

WebContent/WEB-INF/jsp/dataSourceEdit/editSql.jsp

@@ -126,9 +126,9 @@
   }
 
   function editPointCBImpl(locator) {
-      $set("fieldName", locator.fieldName);
-      $set("timeOverrideName", locator.timeOverrideName);
-      $set("updateStatement", locator.updateStatement);
+      $set("fieldName", unescapeHtml(locator.fieldName));
+      $set("timeOverrideName", unescapeHtml(locator.timeOverrideName));
+      $set("updateStatement", unescapeHtml(locator.updateStatement));
       $set("dataTypeId", locator.dataTypeId);
   }
 

WebContent/WEB-INF/jsp/eventHandlers.jsp

@@ -79,7 +79,7 @@
         var pointNode, dataSourceNode, publisherNode, etNode, wid;
 
         allPoints = data.allPoints;
-        
+
         emailRecipients = new mango.erecip.EmailRecipients("emailRecipients",
                 "<spring:message code="eventHandlers.recipTestEmailMessage" />",
                 data.mailingLists, data.users);
@@ -228,7 +228,7 @@
             img = "images/cog_process.png";
 
         var node = dojo.widget.createWidget("TreeNode", {
-                title: "<img src='"+ img +"'/> <span id='"+ handler.id +"Msg'>"+ handler.message +"</span>",
+                title: "<img src='"+ img +"'/> <span id='"+ handler.id +"Msg'>"+ unescapeHtml(handler.message) +"</span>",
                 widgetId: "h"+ handler.id,
                 object: handler
         });
@@ -286,7 +286,7 @@
             $set("handlerTypeSelect", handler.handlerType);
             $("handlerTypeSelect").disabled = true;
             $set("xid", handler.xid);
-            $set("alias", handler.alias);
+            $set("alias", unescapeHtml(handler.alias));
             $set("disabled", handler.disabled);
             if (handler.handlerType == <c:out value="<%= EventHandlerVO.TYPE_SET_POINT %>"/>) {
                 $set("targetPointSelect", handler.targetPointId);
@@ -527,7 +527,7 @@
                 selectedHandlerNode.onTitleClick();
             }
             else
-                $set(handler.id +"Msg", handler.message);
+                $set(handler.id +"Msg", unescapeHtml(handler.message));
 
             setUserMessage("<spring:message code="eventHandlers.saved"/>");
             selectedHandlerNode.object = handler;

WebContent/WEB-INF/jsp/include/settingsEditor.jsp

@@ -153,15 +153,15 @@
 
         this.updatePointList = function(dataTypes) {
             dwr.util.removeAllOptions("settingsPointList");
-            		
-            for (i=0; i<settingsEditor.pointList.length; i++) {
-				if (contains(dataTypes, settingsEditor.pointList[i].dataType)) {
-				jQuery("#settingsPointList").append( new Option(
-							settingsEditor.pointList[i].name,
-							settingsEditor.pointList[i].id) );
-				}
-			}
-            jQuery("#settingsPointList").append( new Option('',-1) );
+
+        for (let i = 0; i < settingsEditor.pointList.length; i++) {
+            const p = settingsEditor.pointList[i];
+            if (contains(dataTypes, p.dataType)) {
+                const label = unescapeHtml(p.name);
+                jQuery("#settingsPointList").append(new Option(label, p.id));
+            }
+        }
+        jQuery("#settingsPointList").append( new Option('',-1) );
         };
     }
     var settingsEditor = new SettingsEditor();

WebContent/WEB-INF/jsp/mailingLists.jsp

@@ -47,7 +47,7 @@
             editingMailingList = ml;
 
             $set("xid", ml.xid);
-            $set("name", ml.name);
+            $set("name", unescapeHtml(ml.name));
             $set("dailyLimitSentEmailsNumber", ml.dailyLimitSentEmailsNumber);
             $set("cronPattern", ml.cronPattern);
             $set("collectInactiveEmails", ml.collectInactiveEmails);
@@ -98,7 +98,10 @@
             if (!found)
                 availUsers[availUsers.length] = user;
         }
-        dwr.util.addOptions($("userList"), availUsers, "id", "username");
+        dwr.util.addOptions($("userList"), availUsers,
+                function(u) { return u.id; },
+                function(u) { return unescapeHtml(u.username); }
+        );
     }
 
     function saveMailingList() {
@@ -226,6 +229,7 @@
             referenceAddress : addr
         };
         editingMailingList.entries[editingMailingList.entries.length] = addressEntry;
+        addressEntry.referenceAddress = escapeHtml(addressEntry.referenceAddress);
         appendAddressEntry(addressEntry);
         updateEmptyListMessage();
     }

WebContent/WEB-INF/jsp/maintenanceEvents.jsp

@@ -53,7 +53,10 @@
             oncedays[oncedays.length] = new OptionData(i, i);
 
         MaintenanceEventsDwr.getMaintenanceEvents(function(response) {
-            dwr.util.addOptions("dataSourceId", response.data.dataSources, "key", "value");
+        	var ds = response.data.dataSources.map(function(o) {
+                return { key: o.key, value: unescapeHtml(o.value) };
+        	});
+        	dwr.util.addOptions("dataSourceId", ds, "key", "value");
 
         	var events = response.data.events;
             for (var i=0; i<events.length; i++) {
@@ -77,9 +80,9 @@
 
             updateToggle(response.data.activated);
 
-            $set("xid", me.xid);
+            $set("xid", unescapeHtml(me.xid));
             $set("dataSourceId", me.dataSourceId);
-            $set("alias", me.alias);
+            $set("alias", unescapeHtml(me.alias));
             $set("alarmLevel", me.alarmLevel);
             updateAlarmLevelImage();
             $set("scheduleType", me.scheduleType);
@@ -92,14 +95,14 @@
             $set("activeHour", me.activeHour);
             $set("activeMinute", me.activeMinute);
             $set("activeSecond", me.activeSecond);
-            $set("activeCron", me.activeCron);
+            $set("activeCron", unescapeHtml(me.activeCron));
             $set("inactiveYear", me.inactiveYear);
             $set("inactiveMonth", me.inactiveMonth);
             $set("inactiveDay", me.inactiveDay);
             $set("inactiveHour", me.inactiveHour);
             $set("inactiveMinute", me.inactiveMinute);
             $set("inactiveSecond", me.inactiveSecond);
-            $set("inactiveCron", me.inactiveCron);
+            $set("inactiveCron", unescapeHtml(me.inactiveCron));
 
             setUserMessage();
         });

WebContent/WEB-INF/jsp/pointEdit/pointProperties.jsp

@@ -49,7 +49,7 @@
       </td>
     </tr>
 
-    <spring:bind path="form.name">
+    <spring:bind path="form.name" htmlEscape="false">
       <tr>
         <td class="formLabelRequired"><spring:message code="pointEdit.props.name"/></td>
         <div>
@@ -59,7 +59,7 @@
       </tr>
     </spring:bind>
 
-    <spring:bind path="form.description">
+    <spring:bind path="form.description" htmlEscape="false">
       <tr>
         <td class="formLabelRequired"><spring:message code="pointEdit.props.description"/></td>
         <td class="formField"><input type="text" class="formLong" name="description" value="<c:out value="${status.value}"/>"/></td>

WebContent/WEB-INF/jsp/pointHierarchySLTS.jsp

@@ -815,21 +815,33 @@ var messages = {
  		          dialog.getButton('btn-Close').disable();
  		          var $button = this;
  		          $button.disable();
- 		          $button.spin();
- 		          dialog.setClosable(false);
- 		          $.ajax({
-		            type: "POST",
-		        	dataType: "json",
-		        	url:myLocation+"pointHierarchy/new/0/"+dialog.getModalBody().find('input').val(),
-		        	success: function(msg){
-		        	  var titleNewNode = dialog.getModalBody().find('input').val();
-		        	  dialog.getModalBody().html('<div><h3>'+messages.folder+':</h3><ul><li>'+messages.key+':<b>'+msg+'</b></li><li>'+messages.title+':<b>'+titleNewNode+'</b></li></ul></div>');
-		        	  $button.hide();
-		 		      $button.stopSpin();
-		 		      dialog.setClosable(true);
-		 		      dialog.getButton('btn-Close').enable();
-		 		       dialog.close();
-		 		       reload();
+					$button.spin();
+					dialog.setClosable(false);
+					let inputs = dialog.getModalBody().find('input');
+					let titleNewNode;
+					if(inputs.length == 1) {
+						let inputNode = inputs[0];
+						titleNewNode = inputNode.value ? inputNode.value.replaceAll('\\','').replaceAll('\/','') : '';
+					}
+
+					if(!titleNewNode) {
+						dialog.getModalBody().html('<div><h3>'+messages.folderNotAdd+'</h3><p>'+ messages.errorThrown +':'+errorThrown+'</p></div>');
+						dialog.setClosable(true);
+						dialog.getButton('btn-Close').enable();
+						return;
+					}
+
+					$.ajax({
+						type: "POST",
+						dataType: "json",
+						url:myLocation+"pointHierarchy/new/0/"+titleNewNode,
+						success: function(msg){
+							$button.hide();
+							$button.stopSpin();
+							dialog.setClosable(true);
+							dialog.getButton('btn-Close').enable();
+							dialog.close();
+							reload();
 		        	  },
 		        	  error: function(XMLHttpRequest, textStatus, errorThrown) {
 		        	    dialog.getModalBody().html('<div><h3>'+messages.folderNotAdd+'</h3><p>'+ messages.errorThrown +':'+errorThrown+'</p></div>');