[NCITERM-643] Name search failed on diacritics.

[NCITERM-644] Reduce SQL injection AppScan delays.

software/ncitbrowser/src/java/gov/nih/nci/evs/browser/bean/UserSessionBean.java

@@ -220,13 +220,11 @@ public String searchAction() {
 			searchTarget = "names";
 		}
 
-
-
         request.getSession().setAttribute("searchTarget", searchTarget);
         request.getSession().setAttribute("algorithm", matchAlgorithm);
 
-
         String matchText = HTTPUtils.cleanXSS((String) request.getParameter("matchText"));
+
         if (matchText != null) {
             matchText = matchText.trim();
             request.getSession().setAttribute("matchText", matchText);
@@ -1114,6 +1112,12 @@ public String multipleSearchAction() {
             (HttpServletRequest) FacesContext.getCurrentInstance()
                 .getExternalContext().getRequest();
 
+        request.getSession().removeAttribute("error_msg");
+        boolean retval = HTTPUtils.validateRequestParameters(request);
+        if (!retval) {
+			return "invalid_parameter";
+		}
+
 		String selected_vocabularies = HTTPUtils.cleanXSS((String) request.getParameter("selected_vocabularies"));
 
         String[] ontology_list = request.getParameterValues("ontology_list");
@@ -1133,13 +1137,16 @@ public String multipleSearchAction() {
         }
 
         String matchText = HTTPUtils.cleanXSS((String) request.getParameter("matchText"));
+
         if (matchText != null) {
             matchText = matchText.trim();
             request.getSession().setAttribute("matchText", matchText);
         } else {
             matchText = (String) request.getSession().getAttribute("matchText");
         }
 
+
+
         String multiple_search_error =
             (String) request.getSession().getAttribute(
                 "multiple_search_no_match_error");
@@ -1840,6 +1847,12 @@ public String advancedSearchAction() {
             (HttpServletRequest) FacesContext.getCurrentInstance()
                 .getExternalContext().getRequest();
 
+        request.getSession().removeAttribute("error_msg");
+        boolean retval = HTTPUtils.validateRequestParameters(request);
+        if (!retval) {
+			return "invalid_parameter";
+		}
+
         String scheme = HTTPUtils.cleanXSS((String) request.getParameter("dictionary"));
 	    if (scheme == null || DataUtils.getFormalName(scheme) == null) {
 			String message = "Invalid vocabulary name.";
@@ -1930,6 +1943,7 @@ public String advancedSearchAction() {
 
         String searchTarget = HTTPUtils.cleanXSS((String) request.getParameter("searchTarget"));
         String matchText = HTTPUtils.cleanXSS((String) request.getParameter("matchText"));
+
         if (matchText == null || matchText.length() == 0) {
             String message = "Please enter a search string.";
             // request.getSession().setAttribute("message", message);

software/ncitbrowser/src/java/gov/nih/nci/evs/browser/bean/ValueSetBean.java

@@ -1919,11 +1919,16 @@ public String resolvedValueSetSearchAction() {
 
 
     public String valueSetSearchAction() {
-
         HttpServletRequest request =
             (HttpServletRequest) FacesContext.getCurrentInstance()
                 .getExternalContext().getRequest();
 
+        request.getSession().removeAttribute("error_msg");
+        boolean retval = HTTPUtils.validateRequestParameters(request);
+        if (!retval) {
+			return "invalid_parameter";
+		}
+
 		java.lang.String valueSetDefinitionRevisionId = null;
 		String msg = null;
 

software/ncitbrowser/src/java/gov/nih/nci/evs/browser/common/HTTPParameterConstants.java

@@ -0,0 +1,132 @@
+package gov.nih.nci.evs.browser.common;
+
+import java.util.*;
+
+public class HTTPParameterConstants {
+
+    public static final String[] HTTP_REQUEST_PARAMETER_NAMES = {
+       "acceptedLicenses",
+       "action",
+       "adv_search_algorithm",
+       "adv_search_source",
+       "adv_search_type",
+       "algorithm",
+       "answer",
+       "b",
+       "captcha_option",
+       "cart_code",
+       "cart_dictionary",
+       "cart_version",
+       "checked_vocabularies",
+       "code",
+       "content_page",
+       "content_title",
+       "data_type",
+       "dictionary",
+       "dir",
+       "direction",
+       "display_app_logo",
+       "emailaddress",
+       "format",
+       "from_download",
+       "home",
+       "id",
+       "initial_search",
+       "key",
+       "m",
+       "matchText",
+       "message",
+       "multiplematches",
+       "n",
+       "nav_type",
+       "ncbo_id",
+       "ns",
+       "ontology_display_name",
+       "ontology_list_str",
+       "ontology_node_id",
+       "ontology_version",
+       "opt",
+       "page_number",
+       "partial_checked_vocabularies",
+       "prop",
+       "referer",
+       "refresh",
+       "rel",
+       "rel_search_association",
+       "rel_search_direction",
+       "rel_search_rela",
+       "rela",
+       "report",
+       "resultsPerPage",
+       "root_vsd_uri",
+       "sab",
+       "schema",
+       "scheme",
+       "scheme_and_version",
+       "searchTarget",
+       "searchTerm",
+       "selected_vocabularies",
+       "selectedOntology",
+       "selectProperty",
+       "selectPropertyType",
+       "selectSearchOption",
+       "selectValueSetSearchOption",
+       "single_mapping_search",
+       "sortBy",
+       "source",
+       "subject",
+       "text",
+       "type",
+       "uri",
+       "value_set_home",
+       "value_set_tab",
+       "valueset",
+       "valueset_search_algorithm",
+       "version",
+       "view",
+       "vsd_uri",
+       "vse",
+       "javax.faces.ViewState",
+       "ontology_list",
+       "ontology_source",
+       "searchTerm:search.x",
+       "searchTerm:search.y",
+       "searchTerm:multiple_search.x",
+       "searchTerm:multiple_search.y",
+       "advancedSearchForm",
+       "advancedSearchForm:adv_search.x",
+       "advancedSearchForm:adv_search.y",
+       "valueSetSearchForm",
+       "valueSetSearchForm:valueset_search.x",
+       "valueSetSearchForm:valueset_search.y",
+       "value_set_home",
+       "valueset_search_algorithm"
+    };
+
+    public static final List HTTP_REQUEST_PARAMETER_NAME_LIST = Arrays.asList(HTTP_REQUEST_PARAMETER_NAMES);
+
+	public static final String[] adv_search_algorithm_values = new String[] {"contains", "exactMatch", "lucene", "startsWith"};
+	public static final String[] algorithm_values = new String[] {"contains", "exactMatch", "startsWith"};
+	public static final String[] direction_values = new String[] {"source", "target"};
+	public static final String[] searchTarget_values = new String[] {"codes", "names", "properties", "relationships"};
+	public static final String[] selectSearchOption_values = new String[] {"Code", "Name", "Property", "Relationship"};
+	public static final String[] selectValueSetSearchOption_values = new String[] {"Code", "CodingScheme", "Name", "Source"};
+	public static final String[] valueset_search_algorithm_values = new String[] {"contains", "exactMatch", "startsWith"};
+
+	public static List adv_search_algorithm_value_list = Arrays.asList(adv_search_algorithm_values);
+	public static List algorithm_value_list = Arrays.asList(algorithm_values);
+	public static List direction_value_list = Arrays.asList(direction_values);
+	public static List searchTarget_value_list = Arrays.asList(searchTarget_values);
+	public static List selectSearchOption_value_list = Arrays.asList(selectSearchOption_values);
+	public static List selectValueSetSearchOption_value_list = Arrays.asList(selectValueSetSearchOption_values);
+	public static List valueset_search_algorithm_value_list = Arrays.asList(valueset_search_algorithm_values);
+
+    /**
+     * Constructor
+     */
+    private HTTPParameterConstants() {
+        // Prevent class from being explicitly instantiated
+    }
+
+
+} // Class HTTPParameterConstants

software/ncitbrowser/src/java/gov/nih/nci/evs/browser/servlet/AjaxServlet.java

@@ -232,9 +232,29 @@ public static String search_tree(String node_id,
      */
     public void execute(HttpServletRequest request, HttpServletResponse response)
             throws IOException, ServletException {
+
+		//[NCITERM-644] Reduce SQL injection AppScan delays.
+        request.getSession().removeAttribute("error_msg");
+
         // Determine request by attributes
         String action = HTTPUtils.cleanXSS(request.getParameter("action"));// DataConstants.ACTION);
 
+        //search_value_set
+        if (action.compareTo("search_value_set") != 0) {
+			 boolean retval = HTTPUtils.validateRequestParameters(request);
+			 if (!retval) {
+				 try {
+					 String nextJSP = "/pages/appscan_response.jsf";
+					 RequestDispatcher dispatcher = getServletContext().getRequestDispatcher(nextJSP);
+					 dispatcher.forward(request,response);
+					 return;
+
+				 } catch (Exception ex) {
+					 ex.printStackTrace();
+				 }
+			 }
+	    }
+
 //search_hierarchy ns=npo
 
 if (action == null) {