[Branch ~dhis2-devs-core/dhis2/trunk] Rev 15465: Fixed bug with GIS/DV download as png, removing unsafe characters from svg text elements
Merge authors:
Lars Helge Øverland (larshelge)
------------------------------------------------------------
revno: 15465 [merge]
committer: Lars Helge Overland <larshelge@xxxxxxxxx>
branch nick: dhis2
timestamp: Thu 2014-05-29 15:00:21 +0200
message:
Fixed bug with GIS/DV download as png, removing unsafe characters from svg text elements
modified:
dhis-2/dhis-support/dhis-support-system/src/main/java/org/hisp/dhis/system/util/GeoUtils.java
dhis-2/dhis-support/dhis-support-system/src/test/java/org/hisp/dhis/system/util/GeoUtilsTest.java
dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/SvgConversionController.java
--
lp:dhis2
https://code.launchpad.net/~dhis2-devs-core/dhis2/trunk
=== modified file 'dhis-2/dhis-support/dhis-support-system/src/main/java/org/hisp/dhis/system/util/GeoUtils.java'
--- dhis-2/dhis-support/dhis-support-system/src/main/java/org/hisp/dhis/system/util/GeoUtils.java 2014-04-29 09:26:28 +0000
+++ dhis-2/dhis-support/dhis-support-system/src/main/java/org/hisp/dhis/system/util/GeoUtils.java 2014-05-29 09:04:36 +0000
@@ -31,6 +31,8 @@
import java.awt.geom.Point2D;
import java.io.IOException;
import java.io.StringReader;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
import org.geotools.geojson.geom.GeometryJSON;
import org.geotools.referencing.GeodeticCalculator;
@@ -44,7 +46,9 @@
* @author Lars Helge Overland
*/
public class GeoUtils
-{
+{
+ private static final Pattern SVG_TEXT_PATTERN = Pattern.compile( "text=\"(.*?)\"", Pattern.DOTALL );
+
/**
* Returns boundaries of a box shape which centre is the point defined by the
* given longitude and latitude. The distance between the center point and the
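Review bot: `SVG_TEXT_PATTERN` is not anchored to an attribute boundary, so `text="(.*?)"` also matches the tail of any attribute whose name merely ends in `text` (a constructed example: `context="a>b"`), and it does not match single-quoted `text='...'` values at all. If the client-generated SVG can contain either form, anchoring the name would narrow it: `Pattern.compile( "(?<=\\s)text=\"(.*?)\"", Pattern.DOTALL )`. A one-line comment on the constant saying it targets the non-standard `text` attribute that the charting sprites emit, and nothing else, would also help the next reader.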
@@ -173,4 +177,29 @@
return false;
}
}
+
+ public static final String replaceUnsafeSvgText( String svg )
+ {
+ if ( svg == null )
+ {
+ return null;
+ }
+
+ StringBuffer sb = new StringBuffer();
+
+ Matcher matcher = SVG_TEXT_PATTERN.matcher( svg );
+
+ while ( matcher.find() )
+ {
+ String text = matcher.group( 1 );
+
+ if ( text != null && !text.isEmpty() )
+ {
+ text = "text=\"" + text.replaceAll( "[<>&]", "" ) + "\"";
+ matcher.appendReplacement( sb, text );
+ }
+ }
+
+ return matcher.appendTail( sb ).toString();
+ }
}
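Review bot: `matcher.appendReplacement( sb, text )` treats `$` and `\` in its second argument as group references and escapes, so a label containing either one (a constructed example: `Cost in $`) makes the call throw or rewrites the label instead of copying it through. Quote the value first: `matcher.appendReplacement( sb, Matcher.quoteReplacement( text ) );`. Separately, `replaceAll( "[<>&]", "" )` cannot tell a raw `&` from an already escaped one, so `&amp;` becomes `amp;`. The method also has no Javadoc; it should state that only `text="..."` attribute values are altered, that the three characters are deleted rather than escaped, and that `null` is returned for `null`, so callers do not mistake it for a general SVG sanitiser.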
=== modified file 'dhis-2/dhis-support/dhis-support-system/src/test/java/org/hisp/dhis/system/util/GeoUtilsTest.java'
--- dhis-2/dhis-support/dhis-support-system/src/test/java/org/hisp/dhis/system/util/GeoUtilsTest.java 2014-03-18 08:10:10 +0000
+++ dhis-2/dhis-support/dhis-support-system/src/test/java/org/hisp/dhis/system/util/GeoUtilsTest.java 2014-05-29 09:04:36 +0000
@@ -29,6 +29,7 @@
*/
import static org.hisp.dhis.system.util.GeoUtils.getBoxShape;
+import static org.hisp.dhis.system.util.GeoUtils.replaceUnsafeSvgText;
import static org.junit.Assert.assertEquals;
import org.junit.Test;
@@ -61,4 +62,24 @@
assertEquals( -53.6, box[2], DELTA );
assertEquals( -72d, box[3], DELTA );
}
+
+ @Test
+ public void testReplaceUnsafeSvgText()
+ {
+ String text =
+ "<svg xmlns=\"http://www.w3.org/2000/svg\">" +
+ "<text id=\"ext-sprite-1866\" zIndex=\"500\" text=\"Measles Coverage <1y\" hidden=\"false\">" +
+ "<text id=\"ext-sprite-1866\" zIndex=\"500\" text=\"BCG & DPT Coverage\" hidden=\"false\">" +
+ "</svg>";
+
+ String expected =
+ "<svg xmlns=\"http://www.w3.org/2000/svg\">" +
+ "<text id=\"ext-sprite-1866\" zIndex=\"500\" text=\"Measles Coverage 1y\" hidden=\"false\">" +
+ "<text id=\"ext-sprite-1866\" zIndex=\"500\" text=\"BCG DPT Coverage\" hidden=\"false\">" +
+ "</svg>";
+
+ String actual = replaceUnsafeSvgText( text );
+
+ assertEquals( expected, actual );
+ }
}
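Review bot: The test covers `<` and `&` only, so it never reaches the replacement-string handling in `replaceUnsafeSvgText` or its `null` branch. Add a label with a dollar sign, which fails against the code as committed: `assertEquals( "<text text=\"Cost $5\">", replaceUnsafeSvgText( "<text text=\"Cost $5\">" ) );`. A `>` case, a pre-escaped `&amp;` case and `assertNull( replaceUnsafeSvgText( null ) );` would pin the rest of the contract.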
=== modified file 'dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/SvgConversionController.java'
--- dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/SvgConversionController.java 2014-05-22 12:40:24 +0000
+++ dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/SvgConversionController.java 2014-05-29 09:04:36 +0000
@@ -40,19 +40,21 @@
import org.apache.batik.transcoder.image.ImageTranscoder;
import org.apache.batik.transcoder.image.PNGTranscoder;
import org.apache.fop.svg.PDFTranscoder;
+import org.hisp.dhis.system.util.CodecUtils;
import org.hisp.dhis.webapi.utils.ContextUtils;
import org.hisp.dhis.webapi.utils.ContextUtils.CacheStrategy;
-import org.hisp.dhis.system.util.CodecUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
+import static org.hisp.dhis.system.util.GeoUtils.replaceUnsafeSvgText;
+
@Controller
@RequestMapping
public class SvgConversionController
-{
+{
@Autowired
private ContextUtils contextUtils;
@@ -85,6 +87,8 @@
private void convertToPng( String svg, OutputStream out )
throws TranscoderException
{
+ svg = replaceUnsafeSvgText( svg );
+
PNGTranscoder t = new PNGTranscoder();
t.addTranscodingHint( ImageTranscoder.KEY_BACKGROUND_COLOR, Color.WHITE );
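Review bot: The added `svg = replaceUnsafeSvgText( svg );` here and in `convertToPdf` only makes the document parseable; everything outside `text="..."` attributes still reaches the Batik/FOP transcoders exactly as submitted. `svg` appears to be request-supplied (the handler methods are outside these hunks, so this is inferred from the `RequestParam` import), so it is worth saying so at the call site, e.g. `// Strips <, > and & from text="..." attributes so the SVG parses; not a sanitiser for untrusted SVG.` Whether the transcoders are configured to refuse external references and script content is not visible here and should be confirmed separately. Both method bodies continue past their hunks.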
@@ -99,6 +103,8 @@
private void convertToPdf( String svg, OutputStream out )
throws TranscoderException
{
+ svg = replaceUnsafeSvgText( svg );
+
PDFTranscoder t = new PDFTranscoder();
TranscoderInput input = new TranscoderInput( new StringReader( svg ) );