From b5f6e6493f38cd38726d9c998983f111a34e06dd Mon Sep 17 00:00:00 2001
From: Maxime Gosselin~ <maxime.gosselin.etu@univ-lille.fr>
Date: Fri, 14 Mar 2025 09:00:15 +0100
Subject: [PATCH] Gestion de l'injection XSS lors de l'envoie d'un message

---
 WEB-INF/src/controleur/MessageController.java | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/WEB-INF/src/controleur/MessageController.java b/WEB-INF/src/controleur/MessageController.java
index e21947d..a6502b5 100644
--- a/WEB-INF/src/controleur/MessageController.java
+++ b/WEB-INF/src/controleur/MessageController.java
@@ -9,6 +9,9 @@ import modele.dao.DaoLike;
 import modele.dao.DaoMessage;
 import modele.dto.Like;
 import modele.dto.Message;
+import org.apache.commons.text.StringEscapeUtils;
+import org.apache.commons.text.translate.CharSequenceTranslator;
+
 import java.io.IOException;
 import java.time.LocalDateTime;
@@ -17,6 +20,7 @@ import java.time.LocalDateTime;
 public class MessageController extends HttpServlet {
 DaoMessage daoMessage = new DaoMessage();
 DaoLike daoLike = new DaoLike();
+
 @Override
 protected void service(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
 String username;
@@ -30,12 +34,13 @@ public class MessageController extends HttpServlet {
 switch (action){
 case "send":
- String contenue = req.getParameter("message");
+ CharSequenceTranslator cst = StringEscapeUtils.ESCAPE_HTML4;
+ String contenu = cst.translate(req.getParameter("message"));
 try {
 int idThread = Integer.parseInt(req.getParameter("thread"));
- if (contenue != null && !contenue.isEmpty()) {
- Message message = new Message(0, username, idThread, contenue, LocalDateTime.now());
+ if (contenu != null && !contenu.isEmpty()) {
+ Message message = new Message(0, username, idThread, contenu, LocalDateTime.now());
 daoMessage.create(message);
 }
 vue = "thread?action=open&id=" + idThread;
-- 
GitLab
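Review bot: Running the message through ESCAPE_HTML4 before `daoMessage.create(message)` persists the HTML-encoded text, which ties the stored data to one output context: a view that already escapes (a JSTL `<c:out>` or `fn:escapeXml`) will double-encode it to `&amp;lt;`, and any other consumer (a JSON response, an attribute value, a script block) gets no protection, while rows written before this patch stay unescaped. ESCAPE_HTML4 also leaves the single quote untouched, so a message rendered inside a single-quoted attribute is still injectable. The usual fix is to store the raw parameter and escape at render time with an encoder chosen for that context; if input-side escaping is kept deliberately, say so next to the translate call, e.g. `// stored HTML-escaped (ESCAPE_HTML4: & < > " only) -- views must render it without escaping again`, and `StringEscapeUtils.escapeHtml4(...)` is the same translator without the extra import and local. The `service` method continues past the end of this hunk, so I cannot see whether the "thread" redirect path is also built from user input elsewhere.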