[Student][Teacher][MBL-14758] Sanitize author name in discussion HTML…

…, bump version codes (#1011)
instructure · Sep 22, 2020 · 5fbeb36 · 5fbeb36
1 parent a3b766f
commit 5fbeb36
Show file tree

Hide file tree

Showing 4 changed files with 8 additions and 3 deletions.
diff --git a/apps/student/build.gradle b/apps/student/build.gradle
@@ -58,7 +58,7 @@ android {
         applicationId "com.instructure.candroid"
         minSdkVersion Versions.MIN_SDK
         targetSdkVersion Versions.TARGET_SDK
-        versionCode = 219
+        versionCode = 220
         versionName = '6.9.1'
 
         vectorDrawables.useSupportLibrary = true

diff --git a/apps/teacher/build.gradle b/apps/teacher/build.gradle
@@ -41,7 +41,7 @@ android {
     defaultConfig {
         minSdkVersion Versions.MIN_SDK
         targetSdkVersion Versions.TARGET_SDK
-        versionCode = 32
+        versionCode = 33
         versionName = '1.11.2'
         vectorDrawables.useSupportLibrary = true
         multiDexEnabled true

diff --git a/libs/pandautils/build.gradle b/libs/pandautils/build.gradle
@@ -117,6 +117,7 @@ dependencies {
     api ('com.davemorrissey.labs:subsampling-scale-image-view:3.9.0') {
         exclude group: "androidx.exifinterface"
     }
+    implementation 'com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer:20200713.1'
 
     /* Crashlytics */
     implementation(Libs.CRASHLYTICS) {

diff --git a/...tils/src/main/java/com/instructure/pandautils/discussions/DiscussionEntryHtmlConverter.kt b/...tils/src/main/java/com/instructure/pandautils/discussions/DiscussionEntryHtmlConverter.kt
@@ -24,6 +24,7 @@ import com.instructure.canvasapi2.utils.localized
 import com.instructure.canvasapi2.utils.toDate
 import com.instructure.pandautils.BuildConfig
 import com.instructure.pandautils.R
+import org.owasp.html.HtmlPolicyBuilder
 
 /**
  * Used to convert DiscussionEntries into HTML. Typically this class only takes data and does little calculation.
@@ -213,7 +214,7 @@ class DiscussionEntryHtmlConverter {
 
                 .replace("__AVATAR_URL__", avatarImage)
                 .replace("__AVATAR_ALT__", context.getString(R.string.userAvatar))
-                .replace("__TITLE__", authorName)
+                .replace("__TITLE__", sanitizePolicy.sanitize(authorName))
                 .replace("__DATE__", date)
                 .replace("__CONTENT_HTML__", content)
                 .replace("__HEADER_ID__", discussionEntry.id.toString())
@@ -295,5 +296,8 @@ class DiscussionEntryHtmlConverter {
                 discussionEntry.ratingSum.localized
             )
         }
+
+        // Use a default policy which should disallow all tags, attributes, etc.
+        private val sanitizePolicy = HtmlPolicyBuilder().toFactory()
     }
 }