[ASTERIXDB-2047][UI] Escape special entities in HTML result delivery
- user model changes: no
- storage format changes: no
- interface changes: no
Details:
- Escape HTML special characters in the result output so that user data
  cannot be rendered as markup when results are delivered as HTML.
Change-Id: I7aa05fe39b7a1f755574c4f49fd9694239078586
Reviewed-on: https://asterix-gerrit.ics.uci.edu/1949
Sonar-Qube: Jenkins <jenkins@fulliautomatix.ics.uci.edu>
Tested-by: Jenkins <jenkins@fulliautomatix.ics.uci.edu>
Contrib: Jenkins <jenkins@fulliautomatix.ics.uci.edu>
Reviewed-by: Till Westmann <tillw@apache.org>
Integration-Tests: Jenkins <jenkins@fulliautomatix.ics.uci.edu>
diff --git a/asterixdb/asterix-app/src/main/java/org/apache/asterix/api/http/server/ResultUtil.java b/asterixdb/asterix-app/src/main/java/org/apache/asterix/api/http/server/ResultUtil.java
index fa2f667..72d82e0 100644
--- a/asterixdb/asterix-app/src/main/java/org/apache/asterix/api/http/server/ResultUtil.java
+++ b/asterixdb/asterix-app/src/main/java/org/apache/asterix/api/http/server/ResultUtil.java
@@ -24,14 +24,11 @@
import java.io.InputStreamReader;
import java.io.PrintWriter;
import java.io.StringWriter;
-import java.util.AbstractMap;
+import java.util.Arrays;
import java.util.Collections;
-import java.util.Map;
-import java.util.Map.Entry;
+import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
-import java.util.stream.Collectors;
-import java.util.stream.Stream;
import org.apache.asterix.app.result.ResultHandle;
import org.apache.asterix.app.result.ResultPrinter;
@@ -41,6 +38,7 @@
import org.apache.asterix.om.types.ARecordType;
import org.apache.asterix.translator.IStatementExecutor.Stats;
import org.apache.asterix.translator.SessionOutput;
+import org.apache.commons.lang3.tuple.Pair;
import org.apache.http.ParseException;
import org.apache.hyracks.algebricks.common.exceptions.AlgebricksException;
import org.apache.hyracks.algebricks.core.algebra.prettyprint.AlgebricksAppendable;
@@ -55,10 +53,9 @@
public class ResultUtil {
private static final Logger LOGGER = Logger.getLogger(ResultUtil.class.getName());
- public static final Map<Character, String> HTML_ENTITIES = Collections.unmodifiableMap(Stream.of(
- new AbstractMap.SimpleImmutableEntry<>('"', """), new AbstractMap.SimpleImmutableEntry<>('&', "&"),
- new AbstractMap.SimpleImmutableEntry<>('<', "<"), new AbstractMap.SimpleImmutableEntry<>('>', ">"))
- .collect(Collectors.toMap(Map.Entry::getKey, Map.Entry::getValue)));
+ public static final List<Pair<Character, String>> HTML_ENTITIES = Collections.unmodifiableList(
+ Arrays.asList(Pair.of('&', "&"), Pair.of('"', """), Pair.of('<', "<"), Pair.of('>', ">"),
+ Pair.of('\'', "'")));
private ResultUtil() {
}
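Review bot: The correctness of the new `HTML_ENTITIES` list depends on `'&'` being its first element, because every later replacement string introduces an `&` that must not be escaped a second time, and nothing in the declaration says so; the old `Map` gave no ordering guarantee, which is presumably the double-escaping this reordering fixes. I would pin that down with a comment above the constant, `// Order matters: '&' must be escaped first, since every other replacement inserts an '&'.`, so a future edit does not silently reorder the pairs. Note also that the diff rendering shows the replacement strings decoded (e.g. `Pair.of('&', "&")`), so the actual entity strings should be confirmed against the committed source rather than this listing.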
@@ -71,7 +68,7 @@
*/
public static String escapeHTML(String aString) {
String escaped = aString;
- for (Entry<Character, String> entry : HTML_ENTITIES.entrySet()) {
+ for (Pair<Character, String> entry : HTML_ENTITIES) {
if (escaped.indexOf(entry.getKey()) >= 0) {
escaped = escaped.replace(entry.getKey().toString(), entry.getValue());
}
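Review bot: `escapeHTML` makes one full copy of the string per entry of `HTML_ENTITIES` and relies on the list order to avoid re-escaping the `&` introduced by earlier replacements; a single left-to-right pass over the input removes both the order dependency and the repeated copies. The rewrite below keeps the same signature and output, and the method's `return escaped;` lies outside this hunk. A Javadoc line stating the contract would also help callers, e.g. `Escapes the characters in HTML_ENTITIES so the result is safe as HTML text or attribute content; it is not sufficient for script or URL contexts.` — the last clause is a caveat to confirm against the HTML template this output lands in.

```java
public static String escapeHTML(String aString) {
    StringBuilder escaped = new StringBuilder(aString.length());
    for (int i = 0; i < aString.length(); i++) {
        char c = aString.charAt(i);
        String replacement = null;
        for (Pair<Character, String> entry : HTML_ENTITIES) {
            if (entry.getKey() == c) {
                replacement = entry.getValue();
                break;
            }
        }
        // Single pass: replacements are appended, never rescanned, so no double escaping.
        escaped.append(replacement == null ? String.valueOf(c) : replacement);
    }
    return escaped.toString();
}
```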
@@ -209,8 +206,8 @@
errorCode = 4;
}
- ObjectNode errorResp = ResultUtil.getErrorResponse(errorCode, extractErrorMessage(e), extractErrorSummary(e),
- extractFullStackTrace(e));
+ ObjectNode errorResp = ResultUtil
+ .getErrorResponse(errorCode, extractErrorMessage(e), extractErrorSummary(e), extractFullStackTrace(e));
out.write(errorResp.toString());
}
@@ -304,10 +301,8 @@
* Read the template file which is stored as a resource and return its content. If the file does not exist or is
* not readable return the default template string.
*
- * @param path
- * The path to the resource template file
- * @param defaultTemplate
- * The default template string if the template file does not exist or is not readable
+ * @param path The path to the resource template file
+ * @param defaultTemplate The default template string if the template file does not exist or is not readable
* @return The template string to be used to render the output.
*/
//TODO(till|amoudi|mblow|yingyi|ceej|imaxon): path is ignored completely!!
diff --git a/asterixdb/asterix-app/src/main/java/org/apache/asterix/app/result/ResultPrinter.java b/asterixdb/asterix-app/src/main/java/org/apache/asterix/app/result/ResultPrinter.java
index 56975d1..04ac0b3 100644
--- a/asterixdb/asterix-app/src/main/java/org/apache/asterix/app/result/ResultPrinter.java
+++ b/asterixdb/asterix-app/src/main/java/org/apache/asterix/app/result/ResultPrinter.java
@@ -24,6 +24,7 @@
import java.io.StringWriter;
import java.nio.ByteBuffer;
+import org.apache.asterix.api.http.server.ResultUtil;
import org.apache.asterix.common.api.IApplicationContext;
import org.apache.asterix.om.types.ARecordType;
import org.apache.asterix.translator.IStatementExecutor.Stats;
@@ -180,6 +181,9 @@
// TODO(tillw): this is inefficient as well
record = JSONUtil.quoteAndEscape(record);
}
+ if (conf.is(SessionConfig.FORMAT_HTML)) {
+ record = ResultUtil.escapeHTML(record);
+ }
output.out().print(record);
stats.setCount(stats.getCount() + 1);
// TODO(tillw) fix this approximation
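Review bot: The new `FORMAT_HTML` branch escapes only the record text just before `output.out().print(record)`, so the order relative to the preceding `JSONUtil.quoteAndEscape(record)` is what makes it correct (JSON quoting first, HTML escaping as the final transformation); that reasoning is not visible at the call site and deserves a comment, e.g. `// Must run after JSON quoting: HTML escaping has to be the last transformation of the record.`. Whether other user-derived text emitted on the HTML path (headers, error messages) is escaped elsewhere cannot be seen from this hunk and should be confirmed, since this change covers records only. The enclosing method starts and ends outside the hunk.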