

[Branch ~dhis2-devs-core/dhis2/trunk] Rev 9240: FRED-API: Fixes issues with escaping. Also better handling of coordinates string.

 

------------------------------------------------------------
revno: 9240
committer: Morten Olav Hansen <mortenoh@xxxxxxxxx>
branch nick: dhis2
timestamp: Sun 2012-12-09 16:36:18 +0300
message:
  FRED-API: Fixes issues with escaping. Also better handling of coordinates string.
modified:
  dhis-2/dhis-web/dhis-web-api-fred/src/main/java/org/hisp/dhis/web/webapi/v1/controller/FacilityController.java
  dhis-2/dhis-web/dhis-web-api-fred/src/main/java/org/hisp/dhis/web/webapi/v1/utils/GeoUtils.java
  dhis-2/dhis-web/dhis-web-api-fred/src/main/java/org/hisp/dhis/web/webapi/v1/utils/ObjectMapperFactoryBean.java
  dhis-2/dhis-web/dhis-web-api-fred/src/main/java/org/hisp/dhis/web/webapi/v1/utils/ToFacilityConverter.java
  dhis-2/dhis-web/dhis-web-api-fred/src/main/java/org/hisp/dhis/web/webapi/v1/utils/ToOrganisationUnitConverter.java
  dhis-2/dhis-web/dhis-web-api-fred/src/main/webapp/WEB-INF/api-fred-velocity/v1/facilities.vm
  dhis-2/dhis-web/dhis-web-api-fred/src/main/webapp/WEB-INF/api-fred-velocity/v1/facility.vm


=== modified file 'dhis-2/dhis-web/dhis-web-api-fred/src/main/java/org/hisp/dhis/web/webapi/v1/controller/FacilityController.java'
--- dhis-2/dhis-web/dhis-web-api-fred/src/main/java/org/hisp/dhis/web/webapi/v1/controller/FacilityController.java	2012-12-08 16:07:13 +0000
+++ dhis-2/dhis-web/dhis-web-api-fred/src/main/java/org/hisp/dhis/web/webapi/v1/controller/FacilityController.java	2012-12-09 13:36:18 +0000
@@ -27,6 +27,7 @@
  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
+import org.apache.commons.lang3.StringEscapeUtils;
 import org.hisp.dhis.common.DeleteNotAllowedException;
 import org.hisp.dhis.common.comparator.IdentifiableObjectNameComparator;
 import org.hisp.dhis.hierarchy.HierarchyViolationException;
@@ -59,18 +60,18 @@
 /**
  * @author Morten Olav Hansen <mortenoh@xxxxxxxxx>
  */
-@Controller( value = "facility-controller-" + FredController.PREFIX )
-@RequestMapping( FacilityController.RESOURCE_PATH )
+@Controller(value = "facility-controller-" + FredController.PREFIX)
+@RequestMapping(FacilityController.RESOURCE_PATH)
 public class FacilityController
 {
     public static final String RESOURCE_PATH = "/" + FredController.PREFIX + "/facilities";
 
     @Autowired
-    @Qualifier( "org.hisp.dhis.organisationunit.OrganisationUnitService" )
+    @Qualifier("org.hisp.dhis.organisationunit.OrganisationUnitService")
     private OrganisationUnitService organisationUnitService;
 
     @Autowired
-    @Qualifier( "conversionService" )
+    @Qualifier("conversionService")
     private ConversionService conversionService;
 
     @Autowired
@@ -80,7 +81,7 @@
     // GET HTML
     //--------------------------------------------------------------------------
 
-    @RequestMapping( value = "", method = RequestMethod.GET )
+    @RequestMapping(value = "", method = RequestMethod.GET)
     public String readFacilities( Model model )
     {
         Facilities facilities = new Facilities();
@@ -95,6 +96,7 @@
             facilities.getFacilities().add( facility );
         }
 
+        model.addAttribute( "esc", StringEscapeUtils.class );
         model.addAttribute( "entity", facilities );
         model.addAttribute( "baseUrl", linkTo( FredController.class ).toString() );
         model.addAttribute( "pageName", "facilities" );
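Review bot: Putting `StringEscapeUtils.class` into the model by hand in each handler (here and again in readFacility) means any view whose controller forgets it renders `$esc.escapeHtml4(...)` as literal text instead of escaping, so the protection depends on every handler remembering the line. Register the tool once for all views instead, e.g. through the Velocity view resolver's attributes map or a toolbox entry, and keep the handlers free of it. A `java.lang.Class` in the context also exposes `Class` methods such as `getClassLoader()` and `forName()` to templates; harmless while templates are server-side files, but a small wrapper bean exposing only `escapeHtml4`/`escapeEcmaScript` is a smaller surface. readFacilities' body starts before this hunk.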
@@ -103,13 +105,14 @@
         return FredController.PREFIX + "/layout";
     }
 
-    @RequestMapping( value = "/{id}", method = RequestMethod.GET )
+    @RequestMapping(value = "/{id}", method = RequestMethod.GET)
     public String readFacility( Model model, @PathVariable String id )
     {
         OrganisationUnit organisationUnit = organisationUnitService.getOrganisationUnit( id );
 
         Facility facility = conversionService.convert( organisationUnit, Facility.class );
 
+        model.addAttribute( "esc", StringEscapeUtils.class );
         model.addAttribute( "entity", facility );
         model.addAttribute( "baseUrl", linkTo( FredController.class ).toString() );
         model.addAttribute( "pageName", "facility" );
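Review bot: `organisationUnitService.getOrganisationUnit( id )` at the top of the hunk is handed straight to the converter with no null check, so an unknown `id` either fails inside the converter or reaches the template with `$entity` unset and renders unresolved references rather than a 404. Whether the service returns null or throws for a missing id is not visible here; if it returns null, add `if ( organisationUnit == null ) { ... }` before the `convert` call and answer with a not-found view or status. readFacility's body continues past the hunk.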
@@ -122,7 +125,7 @@
     // POST JSON
     //--------------------------------------------------------------------------
 
-    @RequestMapping( value = "", method = RequestMethod.POST )
+    @RequestMapping(value = "", method = RequestMethod.POST)
     public ResponseEntity<String> createFacility( @RequestBody Facility facility ) throws IOException
     {
         OrganisationUnit organisationUnit = conversionService.convert( facility, OrganisationUnit.class );
@@ -149,7 +152,7 @@
     // PUT JSON
     //--------------------------------------------------------------------------
 
-    @RequestMapping( value = "/{id}", method = RequestMethod.PUT, consumes = MediaType.APPLICATION_JSON_VALUE )
+    @RequestMapping(value = "/{id}", method = RequestMethod.PUT, consumes = MediaType.APPLICATION_JSON_VALUE)
     public ResponseEntity<String> updateFacility( @PathVariable String id, @RequestBody Facility facility ) throws IOException
     {
         facility.setId( id );
@@ -187,7 +190,7 @@
     // DELETE JSON
     //--------------------------------------------------------------------------
 
-    @RequestMapping( value = "/{id}", method = RequestMethod.DELETE )
+    @RequestMapping(value = "/{id}", method = RequestMethod.DELETE)
     public ResponseEntity<Void> deleteFacility( @PathVariable String id ) throws HierarchyViolationException
     {
         OrganisationUnit organisationUnit = organisationUnitService.getOrganisationUnit( id );
@@ -206,7 +209,7 @@
     // EXCEPTION HANDLERS
     //--------------------------------------------------------------------------
 
-    @ExceptionHandler( { DeleteNotAllowedException.class, HierarchyViolationException.class } )
+    @ExceptionHandler({ DeleteNotAllowedException.class, HierarchyViolationException.class })
     public ResponseEntity<String> exceptionHandler( Exception ex )
     {
         return new ResponseEntity<String>( ex.getMessage(), HttpStatus.FORBIDDEN );

=== modified file 'dhis-2/dhis-web/dhis-web-api-fred/src/main/java/org/hisp/dhis/web/webapi/v1/utils/GeoUtils.java'
--- dhis-2/dhis-web/dhis-web-api-fred/src/main/java/org/hisp/dhis/web/webapi/v1/utils/GeoUtils.java	2012-12-08 20:35:51 +0000
+++ dhis-2/dhis-web/dhis-web-api-fred/src/main/java/org/hisp/dhis/web/webapi/v1/utils/GeoUtils.java	2012-12-09 13:36:18 +0000
@@ -27,8 +27,11 @@
  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
+import org.codehaus.jackson.JsonParseException;
+import org.codehaus.jackson.map.JsonMappingException;
 import org.codehaus.jackson.map.ObjectMapper;
 
+import java.io.IOException;
 import java.util.List;
 
 /**
@@ -44,9 +47,9 @@
 
     public static class Coordinates
     {
-        public Double lat = 0.0d;
+        public Double lat;
 
-        public Double lng = 0.0d;
+        public Double lng;
 
         @Override
         public String toString()
@@ -83,14 +86,20 @@
                 coordinates.lng = convertToDouble( list.get( 0 ) );
             }
         }
-        catch ( Exception ignored )
+        catch ( JsonMappingException ignored )
+        {
+        }
+        catch ( JsonParseException ignored )
+        {
+        }
+        catch ( IOException ignored )
         {
         }
 
         return coordinates;
     }
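Review bot: The three catch blocks on the new side swallow a malformed coordinates string and let `parseCoordinates` return a `Coordinates` whose `lat`/`lng` are now null (this commit removed the `0.0d` defaults), so callers that only catch `NumberFormatException` go on to use the nulls — ToFacilityConverter adds them to the coordinate list and ToOrganisationUnitConverter formats them into the stored string. Since `JsonParseException` and `JsonMappingException` both extend `IOException`, one `catch ( IOException e ) { throw new NumberFormatException( "Invalid coordinates string: " + e.getMessage() ); }` replaces all three and gives callers the same failure path as a bad element type. parseCoordinates begins before this hunk.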
 
-    private static Double convertToDouble( Object object )
+    private static Double convertToDouble( Object object ) throws NumberFormatException
     {
         Double d = 0.0d;
 
@@ -103,6 +112,10 @@
             Integer lng = (Integer) object;
             d = Double.valueOf( lng );
         }
+        else
+        {
+            throw new NumberFormatException();
+        }
 
         return d;
     }
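Review bot: The new `throw new NumberFormatException()` carries no message, so the converters that catch it, and anyone who logs it, cannot tell what value was rejected; `throw new NumberFormatException( "Not a coordinate value: " + object );` costs nothing. With the else branch throwing, the `Double d = 0.0d` initialiser at the start of the method is dead and each branch could assign `d` directly. convertToDouble's body starts before this hunk.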

=== modified file 'dhis-2/dhis-web/dhis-web-api-fred/src/main/java/org/hisp/dhis/web/webapi/v1/utils/ObjectMapperFactoryBean.java'
--- dhis-2/dhis-web/dhis-web-api-fred/src/main/java/org/hisp/dhis/web/webapi/v1/utils/ObjectMapperFactoryBean.java	2012-12-06 20:06:23 +0000
+++ dhis-2/dhis-web/dhis-web-api-fred/src/main/java/org/hisp/dhis/web/webapi/v1/utils/ObjectMapperFactoryBean.java	2012-12-09 13:36:18 +0000
@@ -27,6 +27,7 @@
  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
+import org.codehaus.jackson.JsonGenerator;
 import org.codehaus.jackson.map.ObjectMapper;
 import org.codehaus.jackson.map.SerializationConfig;
 import org.codehaus.jackson.map.annotate.JsonSerialize;
@@ -43,7 +44,8 @@
     public ObjectMapper getObject() throws Exception
     {
         ObjectMapper objectMapper = new ObjectMapper();
-        objectMapper.getSerializationConfig().disable( SerializationConfig.Feature.WRITE_DATES_AS_TIMESTAMPS );
+        objectMapper.configure( JsonGenerator.Feature.ESCAPE_NON_ASCII, true );
+        objectMapper.configure( SerializationConfig.Feature.WRITE_DATES_AS_TIMESTAMPS, false );
         objectMapper.setSerializationInclusion( JsonSerialize.Inclusion.NON_EMPTY );
 
         return objectMapper;
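Review bot: `ESCAPE_NON_ASCII` on the new line changes only how JSON responses are encoded (every non-ASCII character becomes a `\uXXXX` escape); it plays no part in the HTML/JavaScript escaping this commit is about, and if it was added because non-ASCII names arrived garbled in the browser, the likelier cause is a response served without `charset=UTF-8`, which is worth verifying rather than masking. Either way the line deserves a comment stating the intent, e.g. `// emit non-ASCII as \uXXXX escapes so responses are 7-bit clean regardless of declared charset`. If this mapper is also the one Spring uses for `@RequestBody` deserialization the setting is harmless on input, but that is not visible here.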
@@ -61,4 +63,3 @@
         return true;
     }
 }
-

=== modified file 'dhis-2/dhis-web/dhis-web-api-fred/src/main/java/org/hisp/dhis/web/webapi/v1/utils/ToFacilityConverter.java'
--- dhis-2/dhis-web/dhis-web-api-fred/src/main/java/org/hisp/dhis/web/webapi/v1/utils/ToFacilityConverter.java	2012-12-09 12:27:00 +0000
+++ dhis-2/dhis-web/dhis-web-api-fred/src/main/java/org/hisp/dhis/web/webapi/v1/utils/ToFacilityConverter.java	2012-12-09 13:36:18 +0000
@@ -61,10 +61,16 @@
         if ( organisationUnit.getFeatureType() != null && organisationUnit.getFeatureType().equalsIgnoreCase( "POINT" )
             && organisationUnit.getCoordinates() != null )
         {
-            GeoUtils.Coordinates coordinates = GeoUtils.parseCoordinates( organisationUnit.getCoordinates() );
+            try
+            {
+                GeoUtils.Coordinates coordinates = GeoUtils.parseCoordinates( organisationUnit.getCoordinates() );
 
-            facility.getCoordinates().add( coordinates.lng );
-            facility.getCoordinates().add( coordinates.lat );
+                facility.getCoordinates().add( coordinates.lng );
+                facility.getCoordinates().add( coordinates.lat );
+            }
+            catch ( NumberFormatException ignored )
+            {
+            }
         }
 
         if ( organisationUnit.getParent() != null )
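Review bot: Inside the new try block, `parseCoordinates` can still return a `Coordinates` with null `lng`/`lat` (it swallows JSON parse failures and this commit removed the `0.0d` defaults), so `facility.getCoordinates().add( coordinates.lng )` then puts nulls into the list and the facility is rendered with `[null, null]`. Guard before adding: `if ( coordinates.lng != null && coordinates.lat != null )`. The empty `catch ( NumberFormatException ignored )` is acceptable on a best-effort read path but should say so, e.g. `// stored coordinates not parseable: return the facility without coordinates`. convert's body starts before this hunk.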

=== modified file 'dhis-2/dhis-web/dhis-web-api-fred/src/main/java/org/hisp/dhis/web/webapi/v1/utils/ToOrganisationUnitConverter.java'
--- dhis-2/dhis-web/dhis-web-api-fred/src/main/java/org/hisp/dhis/web/webapi/v1/utils/ToOrganisationUnitConverter.java	2012-12-09 12:27:00 +0000
+++ dhis-2/dhis-web/dhis-web-api-fred/src/main/java/org/hisp/dhis/web/webapi/v1/utils/ToOrganisationUnitConverter.java	2012-12-09 13:36:18 +0000
@@ -86,9 +86,15 @@
 
         organisationUnit.setFeatureType( OrganisationUnit.FEATURETYPE_POINT );
 
-        GeoUtils.Coordinates coordinates = GeoUtils.parseCoordinates( facility.getCoordinates().toString() );
-
-        organisationUnit.setCoordinates( String.format( "[%f, %f]", coordinates.lng, coordinates.lat ) );
+        try
+        {
+            GeoUtils.Coordinates coordinates = GeoUtils.parseCoordinates( facility.getCoordinates().toString() );
+            organisationUnit.setCoordinates( String.format( "[%f, %f]", coordinates.lng, coordinates.lat ) );
+        }
+        catch ( NumberFormatException err )
+        {
+            organisationUnit.setCoordinates( "" );
+        }
 
         return organisationUnit;
     }
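Review bot: `String.format( "[%f, %f]", ... )` on the new side uses the JVM default locale, so on a server running under e.g. a German or French locale the stored string becomes `[12,345678, 1,234567]`, which the parser will later reject; pass a fixed locale, `String.format( Locale.US, "[%f, %f]", coordinates.lng, coordinates.lat )` (needs a `java.util.Locale` import). The same line formats a null `lng`/`lat` as the text `null` when `parseCoordinates` swallowed a parse error, and `setFeatureType( OrganisationUnit.FEATURETYPE_POINT )` above the try is still applied when the catch stores an empty coordinates string, leaving a POINT with no point; treat null components like the `NumberFormatException` case and set the feature type only on success. The method's body begins before this hunk.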

=== modified file 'dhis-2/dhis-web/dhis-web-api-fred/src/main/webapp/WEB-INF/api-fred-velocity/v1/facilities.vm'
--- dhis-2/dhis-web/dhis-web-api-fred/src/main/webapp/WEB-INF/api-fred-velocity/v1/facilities.vm	2012-12-09 12:27:00 +0000
+++ dhis-2/dhis-web/dhis-web-api-fred/src/main/webapp/WEB-INF/api-fred-velocity/v1/facilities.vm	2012-12-09 13:36:18 +0000
@@ -8,7 +8,7 @@
         #foreach( $facility in $entity.facilities )
         {
             id: "$facility.id",
-            name: "$facility.name",
+            name: "$esc.escapeEcmaScript($facility.name)",
             coordinates: "$facility.coordinates"
         },
         #end
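Review bot: The new escaping covers `name` only; `id` on the line above and `coordinates` on the line below are still inserted raw into the same JavaScript string literals. `coordinates` is rendered from the `List<Double>` built in ToFacilityConverter and so is inert, but where a facility id originates is not visible here; if it can ever come from a client-supplied POST/PUT body, give it the same treatment: `id: "$esc.escapeEcmaScript($facility.id)",`. `escapeEcmaScript` also encodes `/`, which is what keeps a name containing `</script>` from closing the enclosing script element this block presumably sits in — worth a one-line comment above the loop so nobody later swaps it for `escapeHtml4`.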
@@ -168,7 +168,7 @@
     <tbody>
         #foreach( $facility in $entity.facilities )
         <tr data-facility-id='$facility.id'>
-            <td class='facility-name'><a href='$facility.url'>$facility.name</a></td>
+            <td class='facility-name'><a href='$facility.url'>$esc.escapeHtml4($facility.name)</a></td>
 
             <td class='facility-actions' style='width: 1px;'>
                 <div class='btn-group'>
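Review bot: The row's attributes use single quotes (`data-facility-id='$facility.id'`, `href='$facility.url'`) and `escapeHtml4` does not encode `'`, so escaping those two values the same way as `name` would not keep them inside their attribute; switch them to double quotes and escape: `<tr data-facility-id="$esc.escapeHtml4($facility.id)">` and `<a href="$esc.escapeHtml4($facility.url)">`. Whether id and url can carry client-controlled characters is not visible here (url is presumably built from baseUrl and id), so this is defence in depth rather than a known hole.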

=== modified file 'dhis-2/dhis-web/dhis-web-api-fred/src/main/webapp/WEB-INF/api-fred-velocity/v1/facility.vm'
--- dhis-2/dhis-web/dhis-web-api-fred/src/main/webapp/WEB-INF/api-fred-velocity/v1/facility.vm	2012-12-09 12:27:00 +0000
+++ dhis-2/dhis-web/dhis-web-api-fred/src/main/webapp/WEB-INF/api-fred-velocity/v1/facility.vm	2012-12-09 13:36:18 +0000
@@ -2,6 +2,12 @@
 
 <script>
     function updateMap(coordinates) {
+        if(!coordinates[0] || !coordinates[1])
+        {
+            noCoordinatesProvided();
+            return;
+        }
+
         var latlng = new google.maps.LatLng(coordinates[1], coordinates[0]);
 
         var options = {
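Review bot: The new guard `if(!coordinates[0] || !coordinates[1])` treats a coordinate of `0` as missing, so a facility on the equator or the prime meridian is reported as "No coordinates provided" instead of being mapped. Test for absence explicitly: `if (!coordinates || coordinates.length < 2 || coordinates[0] == null || coordinates[1] == null)`, which also covers a `[null, null]` list, which the server side may produce when a stored coordinates string cannot be parsed. updateMap continues past the hunk.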
@@ -15,10 +21,15 @@
         var marker = new google.maps.Marker({
             position: latlng,
             map: map,
-            title: '$entity.name'
+            title: '$esc.escapeEcmaScript($entity.name)'
         });
     }
 
+    function noCoordinatesProvided() {
+        $( '#mapTarget' ).html( '<div style="text-align: center;">No coordinates provided.</div>' )
+                .parent().addClass( 'hidden-phone' );
+    }
+
     $(function () {
         var coordinates = JSON.parse("$entity.coordinates");
 
@@ -28,8 +39,7 @@
 
             updateMap(coordinates);
         } else {
-            $('#mapTarget').html('<div style="text-align: center;">No coordinates provided.</div>')
-                .parent().addClass('hidden-phone');
+            noCoordinatesProvided();
         }
 
         $('#facilityForm').submit(function (e) {
@@ -49,6 +59,8 @@
 
                 data.coordinates = [ lng, lat ];
 
+                console.log(data.coordinates);
+
                 $.ajax({
                     url: '$baseUrl/facilities/${entity.id}',
                     contentType: 'application/json; charset=UTF-8',
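Review bot: `console.log(data.coordinates);` is a debug statement added to the submit handler while the next hunk removes the other two `console.log` calls; drop it for consistency, and because on some older browsers `console` is undefined unless developer tools are open, which would abort the submit before the AJAX call. The submit handler starts and ends outside this hunk.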
@@ -56,11 +68,10 @@
                     data: JSON.stringify(data),
                     dataType: 'json'
                 }).success(function (data) {
-                    console.log("save success!", data);
                     updateMap([lng, lat]);
+
                     $('#facilitySubmit').removeAttr('disabled').text('Save');
                 }).error(function (data) {
-                    console.log("could not update!", data);
                     $('#facilitySubmit').removeAttr('disabled').text('Save');
                 });
             });
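Review bot: With `console.log("could not update!", data)` removed, the `.error` callback now only re-enables the button, so a failed PUT (the controller's 403 from its exception handler, a validation problem, a network error) leaves the user with no sign that the save did not happen. Surface it in the UI, e.g. `$('#facilitySubmit').removeAttr('disabled').text('Save failed, try again');` or a status line next to the form, and keep `updateMap([lng, lat])` in the success path only, as it is now. The enclosing submit handler starts before this hunk.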
@@ -85,7 +96,7 @@
                 <input id="facilityID" disabled="disabled" type="text" class="$inputSize" value="$entity.id"/>
 
                 <label for="facilityName">Name</label>
-                <input #if(!$canEdit)disabled#end id="facilityName" type="text" class="$inputSize" value="$entity.name"/>
+                <input #if(!$canEdit)disabled#end id="facilityName" type="text" class="$inputSize" value="$esc.escapeHtml4($entity.name)"/>
 
                 <label for="facilityActive">Active</label>