diff --git a/app/pom.xml b/app/pom.xml
index f31f90d4e..c94a2df3d 100644
--- a/app/pom.xml
+++ b/app/pom.xml
@@ -24,7 +24,7 @@ limitations under the License.
org.apache.roller
roller-project
- 6.1.2
+ 6.1.3
../pom.xml
@@ -627,7 +627,7 @@ limitations under the License.
org.apache.roller
db-utils
- 6.1.2
+ 6.1.3
commons-dbcp
diff --git a/app/src/main/java/org/apache/roller/weblogger/business/jpa/JPABookmarkManagerImpl.java b/app/src/main/java/org/apache/roller/weblogger/business/jpa/JPABookmarkManagerImpl.java
index bde6dc0ea..5b4224e09 100644
--- a/app/src/main/java/org/apache/roller/weblogger/business/jpa/JPABookmarkManagerImpl.java
+++ b/app/src/main/java/org/apache/roller/weblogger/business/jpa/JPABookmarkManagerImpl.java
@@ -148,15 +148,14 @@ public void importBookmarks(
WeblogBookmarkFolder newFolder = getFolder(website, folderName);
if (newFolder == null) {
- newFolder = new WeblogBookmarkFolder(
- folderName, website);
+ newFolder = new WeblogBookmarkFolder(folderName, website);
this.strategy.store(newFolder);
}
// Iterate through children of OPML body, importing each
Element body = doc.getRootElement().getChild("body");
- for (Object elem : body.getChildren()) {
- importOpmlElement((Element) elem, newFolder );
+ for (Element elem : body.getChildren()) {
+ importOpmlElement(elem, newFolder );
}
} catch (Exception ex) {
throw new WebloggerException(ex);
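Review bot: `body`, assigned on the line above the new `for (Element elem : body.getChildren())`, is null when the imported OPML document has no `body` element (JDOM's getChild returns null for a missing child), so the loop throws a NullPointerException that the `catch (Exception ex)` below wraps into a WebloggerException carrying no useful message. Since the OPML comes from a user-supplied file, a guard before the loop keeps that failure explicit: `if (body == null) { throw new WebloggerException("OPML document has no body element"); }`. importBookmarks begins before this hunk.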
@@ -216,8 +215,8 @@ private void importOpmlElement(
}
} else {
// Import suboutline's children into folder
- for (Object subelem : elem.getChildren("outline")) {
- importOpmlElement((Element) subelem, folder );
+ for (Element subelem : elem.getChildren("outline")) {
+ importOpmlElement(subelem, folder );
}
}
}
diff --git a/app/src/main/java/org/apache/roller/weblogger/business/jpa/JPAUserManagerImpl.java b/app/src/main/java/org/apache/roller/weblogger/business/jpa/JPAUserManagerImpl.java
index 0ccdcb8fb..d83bac426 100644
--- a/app/src/main/java/org/apache/roller/weblogger/business/jpa/JPAUserManagerImpl.java
+++ b/app/src/main/java/org/apache/roller/weblogger/business/jpa/JPAUserManagerImpl.java
@@ -67,8 +67,8 @@ public void release() {}
//--------------------------------------------------------------- user CRUD
@Override
- public void saveUser(User data) throws WebloggerException {
- this.strategy.store(data);
+ public void saveUser(User user) throws WebloggerException {
+ this.strategy.store(user);
}
diff --git a/app/src/main/java/org/apache/roller/weblogger/pojos/User.java b/app/src/main/java/org/apache/roller/weblogger/pojos/User.java
index 5e6214632..da100e751 100644
--- a/app/src/main/java/org/apache/roller/weblogger/pojos/User.java
+++ b/app/src/main/java/org/apache/roller/weblogger/pojos/User.java
@@ -28,6 +28,7 @@
import org.apache.roller.util.UUIDGenerator;
import org.apache.roller.weblogger.business.WebloggerFactory;
import org.apache.roller.weblogger.ui.core.RollerContext;
+import org.apache.roller.weblogger.util.HTMLSanitizer;
import org.springframework.security.crypto.password.PasswordEncoder;
@@ -36,7 +37,7 @@
*/
public class User implements Serializable {
- public static final long serialVersionUID = -6354583200913127874L;
+ private static final long serialVersionUID = -6354583200913127874L;
private String id = UUIDGenerator.generateUUID();
private String userName;
@@ -60,15 +61,15 @@ public User( String id, String userName,
String locale, String timeZone,
Date dateCreated,
Boolean isEnabled) {
- //this.id = id;
+
this.userName = userName;
this.password = password;
- this.fullName = fullName;
this.emailAddress = emailAddress;
this.dateCreated = (Date)dateCreated.clone();
- this.locale = locale;
- this.timeZone = timeZone;
this.enabled = isEnabled;
+ setFullName(fullName);
+ setLocale(locale);
+ setTimeZone(timeZone);
}
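Review bot: The constructor still assigns `this.userName = userName;` and `this.emailAddress = emailAddress;` directly, so the sanitization this commit adds to setUserName and setEmailAddress is bypassed for users built through this constructor, while fullName, locale and timeZone now go through their setters; either route the two the same way (`setUserName(userName); setEmailAddress(emailAddress);`) or document why they are exempt. Calling setters from the constructor of a non-final class also means overridable methods run before the object is fully built; the same pattern appears in the WeblogBookmark and WeblogBookmarkFolder constructors in this commit, and making those setters or classes final would close it if subclassing is not intended. As far as the hunk shows, the `id` parameter is no longer referenced at all now that the commented-out assignment is gone, so a Javadoc line such as `@param id ignored; the id is always generated` (or dropping the parameter) would stop callers assuming it is honoured.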
/**
@@ -91,7 +92,7 @@ public String getUserName() {
}
public void setUserName( String userName ) {
- this.userName = userName;
+ this.userName = HTMLSanitizer.conditionallySanitize(userName);
}
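Review bot: `HTMLSanitizer.conditionallySanitize` rewrites the stored value instead of rejecting it, which is questionable for fields that act as identifiers: a userName, emailAddress or openIdUrl that the sanitizer alters no longer matches what the user typed, so later login or lookups by that value can fail silently, and depending on how the sanitizer treats characters such as `&` an OpenID URL's query string may be changed. For identity fields the existing form validation (the `error.add.user.badUserName` alpha-numerics rule) is the right control and the setter should reject or store verbatim rather than transform; activationCode is presumably generated server-side, so sanitizing it risks a mismatch for no gain. Sanitizing at storage is defence in depth only — output encoding in the templates remains the primary XSS control — and the same observation applies to the setScreenName, setFullName, setEmailAddress, setOpenIdUrl and setActivationCode hunks below, to WeblogBookmark.setName/setDescription and to WeblogBookmarkFolder.setName. Each sanitizing setter should say so in its Javadoc, e.g. `/** Stores the value after HTMLSanitizer.conditionallySanitize; callers must not assume the stored value equals the argument. */`.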
/**
@@ -128,7 +129,7 @@ public String getOpenIdUrl() {
}
public void setOpenIdUrl(String openIdUrl) {
- this.openIdUrl = openIdUrl;
+ this.openIdUrl = HTMLSanitizer.conditionallySanitize(openIdUrl);
}
/**
@@ -139,7 +140,7 @@ public String getScreenName() {
}
public void setScreenName( String screenName ) {
- this.screenName = screenName;
+ this.screenName = HTMLSanitizer.conditionallySanitize(screenName);
}
/**
@@ -150,7 +151,7 @@ public String getFullName() {
}
public void setFullName( String fullName ) {
- this.fullName = fullName;
+ this.fullName = HTMLSanitizer.conditionallySanitize(fullName);
}
/**
@@ -161,7 +162,7 @@ public String getEmailAddress() {
}
public void setEmailAddress( String emailAddress ) {
- this.emailAddress = emailAddress;
+ this.emailAddress = HTMLSanitizer.conditionallySanitize(emailAddress);
}
@@ -185,7 +186,7 @@ public void setDateCreated(final Date date) {
}
/**
- * Locale of the user.
+ * Locale of the user, must be valid Java locale.
*/
public String getLocale() {
return this.locale;
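Review bot: The new Javadoc states the locale "must be valid Java locale" (and the timezone getter below says the same), but nothing in this pojo enforces it as far as the diff shows; the only validation added is in Profile.myValidate, so a User populated through any other code path can still carry an invalid value. Either validate in setLocale/setTimeZone (rejecting ids that `Locale`/`TimeZone` cannot resolve) or make the comment precise: `Locale of the user; expected to be a valid Java locale id — validated by the profile form, not enforced here.`, with the matching wording on getTimeZone.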
@@ -196,7 +197,7 @@ public void setLocale(String locale) {
}
/**
- * Timezone of the user.
+ * Timezone of the user, must be valid Java timezone.
*/
public String getTimeZone() {
return this.timeZone;
@@ -223,7 +224,7 @@ public String getActivationCode() {
}
public void setActivationCode(String activationCode) {
- this.activationCode = activationCode;
+ this.activationCode = HTMLSanitizer.conditionallySanitize(activationCode);
}
@@ -239,7 +240,7 @@ public boolean hasGlobalPermissions(List actions) {
return false;
}
}
-
+
//------------------------------------------------------- Good citizenship
@Override
diff --git a/app/src/main/java/org/apache/roller/weblogger/pojos/WeblogBookmark.java b/app/src/main/java/org/apache/roller/weblogger/pojos/WeblogBookmark.java
index ebb06f9e8..6c76b2222 100644
--- a/app/src/main/java/org/apache/roller/weblogger/pojos/WeblogBookmark.java
+++ b/app/src/main/java/org/apache/roller/weblogger/pojos/WeblogBookmark.java
@@ -18,10 +18,12 @@
package org.apache.roller.weblogger.pojos;
-import java.io.Serializable;
import org.apache.commons.lang3.builder.EqualsBuilder;
import org.apache.commons.lang3.builder.HashCodeBuilder;
import org.apache.roller.util.UUIDGenerator;
+import org.apache.roller.weblogger.util.HTMLSanitizer;
+
+import java.io.Serializable;
/**
@@ -56,16 +58,17 @@ public WeblogBookmark(
String url,
String feedUrl,
String image) {
+
+ setName(name);
+ setDescription(desc);
this.folder = parent;
- this.name = name;
- this.description = desc;
this.url = url;
this.feedUrl = feedUrl;
this.image = image;
folder.addBookmark(this);
calculatePriority();
}
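Review bot: The constructor now sanitizes name and description but still stores `url`, `feedUrl` and `image` verbatim, and the unchanged setFeedUrl later in this file assigns directly too; since these are the values most likely to end up in href/src attributes, the asymmetry deserves either a stated reason or a control. HTML sanitization is not the right check for a URL anyway — verifying in setUrl/setFeedUrl/setImage that the value parses with `java.net.URI` and uses an expected scheme (http/https) covers what the sanitizer cannot, and a comment in the constructor, `// url/feedUrl/image are stored verbatim; scheme validation belongs in their setters`, would record the decision. Note also that `folder.addBookmark(this)` publishes the half-built object before construction finishes and dereferences `parent` without a null check; both are pre-existing.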
-
+
//------------------------------------------------------------- Attributes
public String getId() {
return this.id;
@@ -92,7 +95,7 @@ public String getName() {
}
public void setName(String name) {
- this.name = name;
+ this.name = HTMLSanitizer.conditionallySanitize(name);
}
/**
@@ -103,7 +106,7 @@ public String getDescription() {
}
public void setDescription(String description) {
- this.description = description;
+ this.description = HTMLSanitizer.conditionallySanitize(description);
}
/**
@@ -143,7 +146,7 @@ public String getFeedUrl() {
public void setFeedUrl(String feedUrl) {
this.feedUrl = feedUrl;
}
-
+
//---------------------------------------------------------- Relationships
public org.apache.roller.weblogger.pojos.WeblogBookmarkFolder getFolder() {
diff --git a/app/src/main/java/org/apache/roller/weblogger/pojos/WeblogBookmarkFolder.java b/app/src/main/java/org/apache/roller/weblogger/pojos/WeblogBookmarkFolder.java
index a4425471a..60a040aa6 100644
--- a/app/src/main/java/org/apache/roller/weblogger/pojos/WeblogBookmarkFolder.java
+++ b/app/src/main/java/org/apache/roller/weblogger/pojos/WeblogBookmarkFolder.java
@@ -28,6 +28,7 @@
import org.apache.roller.weblogger.business.BookmarkManager;
import org.apache.roller.weblogger.business.WebloggerFactory;
import org.apache.roller.util.UUIDGenerator;
+import org.apache.roller.weblogger.util.HTMLSanitizer;
/**
@@ -54,8 +55,8 @@ public WeblogBookmarkFolder(
String name,
Weblog weblog) {
- this.name = name;
- this.weblog = weblog;
+ setName(name);
+ setWeblog(weblog);
weblog.addBookmarkFolder(this);
}
@@ -132,7 +133,7 @@ public String getName() {
}
public void setName(String name) {
- this.name = name;
+ this.name = HTMLSanitizer.conditionallySanitize(name);
}
/**
@@ -187,5 +188,4 @@ public List retrieveBookmarks() throws WebloggerException {
BookmarkManager bmgr = WebloggerFactory.getWeblogger().getBookmarkManager();
return bmgr.getBookmarks(this);
}
-
}
diff --git a/app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java b/app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java
index 198ce2b43..6f83a0ddb 100644
--- a/app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java
+++ b/app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java
@@ -22,14 +22,18 @@
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.roller.weblogger.WebloggerException;
-import org.apache.roller.weblogger.business.WebloggerFactory;
import org.apache.roller.weblogger.business.UserManager;
+import org.apache.roller.weblogger.business.WebloggerFactory;
import org.apache.roller.weblogger.config.AuthMethod;
import org.apache.roller.weblogger.config.WebloggerConfig;
import org.apache.roller.weblogger.pojos.User;
import org.apache.roller.weblogger.ui.struts2.util.UIAction;
import org.apache.struts2.interceptor.validation.SkipValidation;
+import java.util.Arrays;
+import java.util.Locale;
+import java.util.Optional;
+import java.util.TimeZone;
/**
* Allows user to edit his/her profile.
@@ -150,6 +154,26 @@ public void myValidate() {
addError("generic.error.check.logs");
}
}
+
+ // validate that bean's timeZone field is a valid time zone
+ if (!StringUtils.isEmpty(getBean().getTimeZone())) {
+ // looking up the time zone by id did not work for me
+ final Optional first = Arrays.stream(TimeZone.getAvailableIDs())
+ .filter(id -> id.equals(getBean().getTimeZone())).findFirst();
+ if (first.isEmpty()) {
+ addError("error.add.user.invalid.timezone");
+ }
+ }
+
+ // validate that bean's locale field is a valid locale
+ if (!StringUtils.isEmpty(getBean().getLocale())) {
+ // looking up the time zone by id did not work for me
+ final Optional first = Arrays.stream(Locale.getAvailableLocales())
+ .filter(locale -> locale.toString().equals(getBean().getLocale())).findFirst();
+ if (first.isEmpty() || "".equals(first.get().getDisplayName())) {
+ addError("error.add.user.invalid.locale");
+ }
+ }
}
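Review bot: The comment `// looking up the time zone by id did not work for me` is copied into the locale block where it no longer applies, and the workaround it describes is more simply a membership test: `if (!Arrays.asList(TimeZone.getAvailableIDs()).contains(getBean().getTimeZone())) { addError("error.add.user.invalid.timezone"); }` — `TimeZone.getTimeZone(id)` silently returns GMT for unknown ids, which is presumably why the lookup "did not work", and that is the fact worth recording in the comment. The locale block can likewise use `Arrays.stream(Locale.getAvailableLocales()).noneMatch(l -> l.toString().equals(getBean().getLocale()))`, which removes the `first.get()` call and the display-name test (Locale.ROOT, presumably the only available locale with an empty display name, is already excluded by the isEmpty check). If `first` really is declared as a raw `Optional` rather than `Optional<Locale>` (the type argument may have been lost in rendering), `first.get().getDisplayName()` would not compile and the declaration needs its type argument. myValidate begins before this hunk.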
public String getAuthMethod() {
diff --git a/app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java b/app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java
index 9e556504a..ebb068c72 100644
--- a/app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java
+++ b/app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java
@@ -27,7 +27,6 @@
import org.apache.roller.weblogger.pojos.WeblogBookmark;
import org.apache.roller.weblogger.ui.struts2.util.UIAction;
import org.apache.roller.weblogger.util.cache.CacheManager;
-import org.apache.struts2.convention.annotation.AllowedMethods;
import org.apache.struts2.interceptor.validation.SkipValidation;
diff --git a/app/src/main/resources/ApplicationResources.properties b/app/src/main/resources/ApplicationResources.properties
index d62710630..b318ff328 100644
--- a/app/src/main/resources/ApplicationResources.properties
+++ b/app/src/main/resources/ApplicationResources.properties
@@ -453,6 +453,8 @@ error.add.user.openIdInUse=Open ID already in use with another account.
error.add.user.missingUserName=You must specify a username.
error.add.user.badUserName=Invalid user name (must be alpha-numerics only).
error.add.user.missingPassword=You must specify a password.
+error.add.user.invalid.timezone=Invalid timezone.
+error.add.user.invalid.locale=Invalid locale.
error.upload.dirmax=You cannot exceed the maximum directory size of {0} MB.
error.upload.disabled=File Upload has been turned off
error.upload.file=No file selected
diff --git a/assembly-release/pom.xml b/assembly-release/pom.xml
index a2401494b..e968240ae 100644
--- a/assembly-release/pom.xml
+++ b/assembly-release/pom.xml
@@ -22,7 +22,7 @@
org.apache.roller
roller-project
- 6.1.2
+ 6.1.3
../pom.xml
diff --git a/assembly-release/sign-release.sh b/assembly-release/sign-release.sh
index 09a7bd015..650ca2c87 100755
--- a/assembly-release/sign-release.sh
+++ b/assembly-release/sign-release.sh
@@ -1,7 +1,7 @@
#!/usr/bin/env bash
export rcstring="r2"
-export vstring="6.1.2"
+export vstring="6.1.3"
# for rc releases we rename the release files
if [ rcstring != "" ]; then
diff --git a/db-utils/pom.xml b/db-utils/pom.xml
index 785b17795..9e6bcdab5 100644
--- a/db-utils/pom.xml
+++ b/db-utils/pom.xml
@@ -7,13 +7,13 @@
org.apache.roller
roller-project
- 6.1.2
+ 6.1.3
../pom.xml
Apache Roller DB Utilities
db-utils
- 6.1.2
+ 6.1.3
diff --git a/it-selenium/pom.xml b/it-selenium/pom.xml
index e8742df1e..4e603999b 100644
--- a/it-selenium/pom.xml
+++ b/it-selenium/pom.xml
@@ -24,7 +24,7 @@
org.apache.roller
roller-project
- 6.1.2
+ 6.1.3
../pom.xml
@@ -188,7 +188,7 @@
org.apache.roller
db-utils
- 6.1.2
+ 6.1.3
commons-dbcp
diff --git a/pom.xml b/pom.xml
index 0acb7f7a6..41f099cc0 100644
--- a/pom.xml
+++ b/pom.xml
@@ -22,7 +22,7 @@ limitations under the License.
4.0.0
org.apache.roller
roller-project
- 6.1.2
+ 6.1.3
pom
Roller
@@ -46,7 +46,7 @@ limitations under the License.
10.0.19
UTF-8
UTF-8
- 6.1.2
+ 6.1.3
1.7.36