From ea7f76e53018df27db1158d88f6545046d4a0026 Mon Sep 17 00:00:00 2001
From: Florine Lefebvre <florine.lefebvre.etu@univ-lille.fr>
Date: Fri, 14 Mar 2025 17:03:50 +0100
Subject: [PATCH] protection xss nom d'utilisateur + contrainte chiffre ou
 lettres entre 3 et 24 carac

---
 WEB-INF/src/controleur/Authent.java | 9 ++++++++-
 WEB-INF/vue/signin.jsp              | 2 +-
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/WEB-INF/src/controleur/Authent.java b/WEB-INF/src/controleur/Authent.java
index 6d308e7..e3a7973 100644
--- a/WEB-INF/src/controleur/Authent.java
+++ b/WEB-INF/src/controleur/Authent.java
@@ -4,6 +4,9 @@ import java.io.IOException;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 
+import org.apache.commons.text.StringEscapeUtils;
+import org.apache.commons.text.translate.CharSequenceTranslator;
+
 import jakarta.servlet.ServletException;
 import jakarta.servlet.annotation.WebServlet;
 import jakarta.servlet.http.HttpServlet;
@@ -20,6 +23,9 @@ public class Authent extends HttpServlet {
         String action = req.getParameter("action");
         String username = req.getParameter("username");
         String password = req.getParameter("password");
+        
+        CharSequenceTranslator cst = StringEscapeUtils.ESCAPE_HTML4;
+        
         if(username == null || password == null){
             req.setAttribute("error", "Vous ne pouvez pas avoir un pseudo ou mot de passe vide !");
             req.getRequestDispatcher("/WEB-INF/vue/error.jsp").forward(req, resp);
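Review bot: The HTML escaping introduced here (the `cst` translator in this hunk, applied by `username = cst.translate(username);` in the next hunk at `@@ -27,6 +33,7`) runs at input time and never enforces the `\w{3,24}` rule the form advertises, so the browser `pattern` attribute remains the only validation and is trivially bypassed by any client that does not honour it. Escaping before storage also changes what is persisted and compared on later logins (`&`, `<`, `"` become entity sequences that can exceed the 24-character limit), and a JSP that later encodes the value on output would then show it double-escaped; output encoding in the view (`<c:out>` / `fn:escapeXml`) is the usual place for the XSS defence. I would replace the translate call with a server-side check that mirrors the form rule right after the `toLowerCase()` line, which makes the escaping (and both `org.apache.commons.text` imports) unnecessary because `[a-z0-9_]` contains no HTML-significant character. The enclosing method starts and ends outside these hunks, and the `return` that presumably follows the forward on the null-check branch is not visible here.
```java
        username = username.toLowerCase();
        // Mirror the form's pattern="\w{3,24}" on the server; the browser check alone is not a control.
        if (!username.matches("[a-z0-9_]{3,24}")) {
            req.setAttribute("error", "Pseudonyme invalide : 3 à 24 lettres, chiffres ou _");
            req.getRequestDispatcher("/WEB-INF/vue/error.jsp").forward(req, resp);
            return;
        }
        // … unchanged: password hashing …
```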
@@ -27,6 +33,7 @@ public class Authent extends HttpServlet {
         }
         String hashedPassword;
         username = username.toLowerCase();
+        username = cst.translate(username);
         
         MessageDigest md;
         this.getServletContext();
@@ -69,7 +76,7 @@ public class Authent extends HttpServlet {
                     resp.sendRedirect("navigation?page=accueil");
                     return;
                 } catch (Exception e) {
-                    req.setAttribute("error", "Nom d'utilisateur déjà pris");
+                    req.setAttribute("error", "Pseudonyme invalide / Nom d'utilisateur déjà pris");
                     vue = "WEB-INF/vue/signin.jsp";
                 }
                 break;
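Review bot: The reworded message is attached to a `catch (Exception e)` that swallows `e`, so any persistence failure (connection error, constraint other than uniqueness, a bug in the DAO) is now reported to the user as "Pseudonyme invalide / Nom d'utilisateur déjà pris" and leaves no trace for the operator. The username-validity case should be decided explicitly before the save rather than inferred from an exception, and the remaining failure should at least be logged: `log("inscription échouée", e);` via the inherited servlet logger, and the catch narrowed to the exception type the persistence call actually throws if it is a checked one (not visible in this hunk). The surrounding `switch` and method continue outside the hunk.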
diff --git a/WEB-INF/vue/signin.jsp b/WEB-INF/vue/signin.jsp
index 75adace..8b405e0 100644
--- a/WEB-INF/vue/signin.jsp
+++ b/WEB-INF/vue/signin.jsp
@@ -30,7 +30,7 @@
                     <div>
                         <div class="mt-2 mb-3">
                             <p class="mb-1">Pseudonyme</p>
-                            <input class="form-control" name="username" type="text" placeholder="pmathieu" maxlength="24" required>
+                            <input class="form-control" name="username" type="text" placeholder="pmathieu" maxlength="24" pattern="\w{3,24}" required>
                         </div>
                         <div class="mb-3">
                             <p class="mb-1">Mot de passe</p>
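Review bot: The new `pattern="\w{3,24}"` gives the user no explanation when the browser rejects the input, because the field has no `title`; browsers use that attribute for the validation tooltip, and the rule (underscore allowed, no accents or spaces) is not obvious from the placeholder `pmathieu`. I would change the line to `<input class="form-control" name="username" type="text" placeholder="pmathieu" maxlength="24" pattern="\w{3,24}" title="3 à 24 lettres, chiffres ou _" required>`. Note that this attribute is only a usability hint; it is not a security control on its own.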
-- 
GitLab