Merge pull request #25 from contentstack/development

enhancement/CS-39131-SRE Fix: html injection issue resolved

Author: ishaileshmishra

pom.xml

@@ -31,6 +31,7 @@
         <validation-version>2.0.1.Final</validation-version>
         <json-version>20230227</json-version>
         <spring-web-version>6.0.7</spring-web-version>
+        <org.apache.commons-text>1.10.0</org.apache.commons-text>
     </properties>
 
     <developers>
@@ -78,6 +79,13 @@
     </organization>
 
     <dependencies>
+        <!-- https://mvnrepository.com/artifact/org.apache.commons/commons-text -->
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-text</artifactId>
+            <version>${org.apache.commons-text}</version>
+        </dependency>
+
         <dependency>
             <groupId>junit</groupId>
             <artifactId>junit</artifactId>

src/main/java/com/contentstack/utils/AutomateCommon.java

@@ -21,6 +21,7 @@
 
 public class AutomateCommon {
 
+
     private static final String ASSET = "asset";
 
     private AutomateCommon() {

src/main/java/com/contentstack/utils/render/DefaultOption.java

@@ -4,6 +4,7 @@
 import com.contentstack.utils.interfaces.NodeCallback;
 import com.contentstack.utils.interfaces.Option;
 import com.contentstack.utils.node.MarkType;
+import org.apache.commons.text.StringEscapeUtils;
 import org.json.JSONObject;
 
 
@@ -58,22 +59,27 @@ public String renderMark(MarkType markType, String text) {
         }
     }
 
+    private String escapeInjectHtml(JSONObject nodeObj, String nodeType) {
+        String injectedHtml = getNodeStr(nodeObj, nodeType);
+        return StringEscapeUtils.escapeHtml4(injectedHtml);
+    }
+
     @Override
     public String renderNode(String nodeType, JSONObject nodeObject, NodeCallback callback) {
         String children = callback.renderChildren(nodeObject.optJSONArray("children"));
         switch (nodeType) {
             case "p":
                 return "<p>" + children + "</p>";
             case "a":
-                return "<a href=\"" + getNodeStr(nodeObject, "href") + "\">" + children + "</a>";
+                return "<a href=\"" + escapeInjectHtml(nodeObject, "href") + "\">" + children + "</a>";
             case "img":
                 String assetLink = getNodeStr(nodeObject, "asset-link");
                 if (!assetLink.isEmpty()) {
-                    return "<img src=\"" + assetLink + "\" />" + children;
+                    return "<img src=\"" + escapeInjectHtml(nodeObject, "asset-link") + "\" />" + children;
                 }
-                return "<img src=\"" + getNodeStr(nodeObject, "src") + "\" />" + children;
+                return "<img src=\"" + escapeInjectHtml(nodeObject, "src") + "\" />" + children;
             case "embed":
-                return "<iframe src=\"" + getNodeStr(nodeObject, "src") + "\"" + children + "</iframe>";
+                return "<iframe src=\"" + escapeInjectHtml(nodeObject, "src") + "\"" + children + "</iframe>";
             case "h1":
                 return "<h1>" + children + "</h1>";
             case "h2":