Queue browse improvements in webconsole (#1938)

This change makes sure we always use the correct content type for the
output based on the configured view and also escape xml content when
displaying.

Author: cshannon

activemq-web/pom.xml

@@ -87,6 +87,13 @@
       <artifactId>websocket-jetty-server</artifactId>
     </dependency>
 
+    <!-- Just used for testing -->
+    <dependency>
+      <groupId>org.apache.commons</groupId>
+      <artifactId>commons-text</artifactId>
+      <scope>test</scope>
+    </dependency>
+
     <!-- Rome RSS Reader -->
     <dependency>
       <groupId>com.rometools</groupId>

activemq-web/src/main/java/org/apache/activemq/web/util/ViewUtils.java

@@ -0,0 +1,66 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.activemq.web.util;
+
+import java.util.Collections;
+import java.util.LinkedHashMap;
+import java.util.Map;
+import java.util.Map.Entry;
+
+public class ViewUtils {
+
+    public static final String AMP = "&";
+    public static final String QUOTE = "\"";
+    public static final String LT = "<";
+    public static final String GT = ">";
+    public static final String APOS = "'";
+
+    public static final String XML_ESCAPED_AMP = "&amp;";
+    public static final String XML_ESCAPED_QUOTE = "&quot;";
+    public static final String XML_ESCAPED_LT = "&lt;";
+    public static final String XML_ESCAPED_GT = "&gt;";
+    public static final String XML_ESCAPED_APOS = "&apos;";
+
+    public static final Map<String, String> XML_ESCAPE_MAPPINGS;
+
+    static {
+        // order matters for processing so use a linked map
+        Map<String,String> mappings = new LinkedHashMap<>();
+        mappings.put(AMP, XML_ESCAPED_AMP);
+        mappings.put(LT, XML_ESCAPED_LT);
+        mappings.put(GT, XMl_ESCAPED_GT);
+        mappings.put(QUOTE, XML_ESCAPED_QUOTE);
+        mappings.put(APOS, XML_ESCAPED_APOS);
+
+        XML_ESCAPE_MAPPINGS = Collections.unmodifiableMap(mappings);
+    }
+
+
+    public static String escapeXml(String input) {
+        if (input == null) {
+            return null;
+        }
+
+        String escaped = input;
+        for (Entry<String, String> entry : XML_ESCAPE_MAPPINGS.entrySet()) {
+            escaped = escaped.replace(entry.getKey(), entry.getValue());
+        }
+
+        return escaped;
+    }
+
+}

activemq-web/src/main/java/org/apache/activemq/web/view/RssMessageRenderer.java

@@ -49,7 +49,7 @@ public class RssMessageRenderer extends SimpleMessageRenderer {
     private String feedType = "rss_2.0";
     private SyndFeed feed;
     private String description = "This feed is auto-generated by Apache ActiveMQ";
-    private String entryContentType = "text/plain";
+    private static final String ENTRY_CONTENT_TYPE = "text/plain";
 
     public void renderMessage(PrintWriter writer, HttpServletRequest request, HttpServletResponse response, QueueBrowser browser, Message message) throws JMSException {
         SyndFeed feed = getFeed(browser, request);
@@ -79,11 +79,7 @@ public void setFeedType(String feedType) {
     }
 
     public String getEntryContentType() {
-        return entryContentType;
-    }
-
-    public void setEntryContentType(String entryContentType) {
-        this.entryContentType = entryContentType;
+        return ENTRY_CONTENT_TYPE;
     }
 
     // Implementation methods
@@ -122,7 +118,7 @@ protected SyndEntry createEntry(QueueBrowser browser, Message message, HttpServl
 
     protected SyndContent createEntryContent(QueueBrowser browser, Message message, HttpServletRequest request) throws JMSException {
         SyndContent description = new SyndContentImpl();
-        description.setType(entryContentType);
+        description.setType(getEntryContentType());
 
         if (message instanceof TextMessage) {
             String text = ((TextMessage)message).getText();

activemq-web/src/main/java/org/apache/activemq/web/view/SimpleMessageRenderer.java

@@ -26,6 +26,7 @@
 import jakarta.servlet.ServletException;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
+import org.apache.activemq.web.util.ViewUtils;
 
 /**
  * A simple rendering of the contents of a queue appear as a list of message
@@ -35,11 +36,12 @@
  */
 public class SimpleMessageRenderer implements MessageRenderer {
 
-    private String contentType = "text/xml";
+    protected static final String DEFAULT_CONTENT_TYPE = "text/xml";
+
     private int maxMessages;
 
     public void renderMessages(HttpServletRequest request, HttpServletResponse response, QueueBrowser browser) throws IOException, JMSException, ServletException {
-        // lets use XML by default
+        // XML is used by default unless a child class overrides this method
         response.setContentType(getContentType());
         PrintWriter writer = response.getWriter();
         printHeader(writer, browser, request);
@@ -53,10 +55,10 @@ public void renderMessages(HttpServletRequest request, HttpServletResponse respo
         printFooter(writer, browser, request);
     }
 
-    public void renderMessage(PrintWriter writer, HttpServletRequest request, HttpServletResponse response, QueueBrowser browser, Message message) throws JMSException, ServletException {
+    public void renderMessage(PrintWriter writer, HttpServletRequest request, HttpServletResponse response, QueueBrowser browser, Message message) throws JMSException {
         // lets just write the message IDs for now
         writer.print("<message id='");
-        writer.print(message.getJMSMessageID());
+        writer.print(ViewUtils.escapeXml(message.getJMSMessageID()));
         writer.println("'/>");
     }
 
@@ -71,25 +73,21 @@ public void setMaxMessages(int maxMessages) {
     }
 
     public String getContentType() {
-        return contentType;
-    }
-
-    public void setContentType(String contentType) {
-        this.contentType = contentType;
+        return DEFAULT_CONTENT_TYPE;
     }
 
     // Implementation methods
     // -------------------------------------------------------------------------
 
-    protected void printHeader(PrintWriter writer, QueueBrowser browser, HttpServletRequest request) throws IOException, JMSException, ServletException {
+    protected void printHeader(PrintWriter writer, QueueBrowser browser, HttpServletRequest request) throws IOException, JMSException {
         writer.println("");
         writer.print("<messages queue='");
-        writer.print(browser.getQueue());
+        writer.print(ViewUtils.escapeXml(String.valueOf(browser.getQueue())));
         writer.print("'");
         String selector = browser.getMessageSelector();
         if (selector != null) {
             writer.print(" selector='");
-            writer.print(selector);
+            writer.print(ViewUtils.escapeXml(selector));
             writer.print("'");
         }
         writer.println(">");

activemq-web/src/test/java/org/apache/activemq/web/util/ViewUtilsTest.java

@@ -0,0 +1,39 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.activemq.web.util;
+
+import static org.junit.Assert.assertEquals;
+
+import java.io.IOException;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import org.apache.commons.text.StringEscapeUtils;
+import org.junit.Test;
+
+public class ViewUtilsTest {
+
+    @Test
+    public void testXmlEscape() throws IOException {
+        final String original = Files.readString(Path.of("src/test/resources/activemq.xml"));
+        final String escaped = ViewUtils.escapeXml(original);
+
+        // Verify that our escape method matches StringEscapeUtils
+        assertEquals(StringEscapeUtils.escapeXml11(original), ViewUtils.escapeXml(original));
+        // Verify if we unescape we get back the original
+        assertEquals(original, StringEscapeUtils.unescapeXml(escaped));
+    }
+}

activemq-web/src/test/resources/activemq.xml

@@ -0,0 +1,37 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Licensed to the Apache Software Foundation (ASF) under one or more
+  ~ contributor license agreements.  See the NOTICE file distributed with
+  ~ this work for additional information regarding copyright ownership.
+  ~ The ASF licenses this file to You under the Apache License, Version 2.0
+  ~ (the "License"); you may not use this file except in compliance with
+  ~ the License.  You may obtain a copy of the License at
+  ~
+  ~      http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+<!-- START SNIPPET: xbean -->
+<beans
+    xmlns="http://www.springframework.org/schema/beans"
+    xmlns:amq="http://activemq.apache.org/schema/core"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
+  http://activemq.apache.org/schema/core http://activemq.apache.org/schema/core/activemq-core.xsd">
+
+  <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/>
+
+  <broker useJmx="false"  xmlns="http://activemq.apache.org/schema/core" persistent="false">
+
+    <transportConnectors>
+      <transportConnector uri="nio://localhost:61616?wireFormat.maxFrameSize=1048576" />
+    </transportConnectors>
+
+  </broker>
+
+</beans>
+    <!-- END SNIPPET: xbean -->

pom.xml

@@ -60,6 +60,7 @@
     <commons-io-version>2.21.0</commons-io-version>
     <commons-logging-version>1.3.6</commons-logging-version>
     <commons-pool2-version>2.13.1</commons-pool2-version>
+    <commons-text-version>1.15.0</commons-text-version>
     <directory-version>2.0.0.AM25</directory-version>
     <ecj.version>3.45.0</ecj.version>
     <hawtbuf-version>1.11</hawtbuf-version>
@@ -901,6 +902,12 @@
         <version>${commons-io-version}</version>
       </dependency>
 
+      <dependency>
+        <groupId>org.apache.commons</groupId>
+        <artifactId>commons-text</artifactId>
+        <version>${commons-text-version}</version>
+      </dependency>
+
       <!-- ACTIVEMQ-WEB Specific Dependencies -->
       <dependency>
         <groupId>com.rometools</groupId>