
1   /**
2    * Copyright 2011-2013 The Kuali Foundation Licensed under the Educational
3    * Community License, Version 2.0 (the "License"); you may not use this file
4    * except in compliance with the License. You may obtain a copy of the License
5    * at
6    *
7    * http://www.osedu.org/licenses/ECL-2.0
8    *
9    * Unless required by applicable law or agreed to in writing, software
10   * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
11   * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
12   * License for the specific language governing permissions and limitations under
13   * the License.
14   */
15  package org.kuali.mobility.dining.controllers;
16  
17  import java.util.List;
18  import java.util.regex.Pattern;
19  
20  import org.apache.log4j.Logger;
21  import org.kuali.mobility.dining.entity.Place;
22  import org.kuali.mobility.dining.entity.PlaceByCampusByType;
23  import org.kuali.mobility.dining.service.DiningService;
24  import org.kuali.mobility.dining.util.DiningUtil;
25  import org.springframework.beans.factory.annotation.Autowired;
26  import org.springframework.stereotype.Controller;
27  import org.springframework.ui.Model;
28  import org.springframework.web.bind.annotation.RequestMapping;
29  import org.springframework.web.bind.annotation.RequestMethod;
30  import org.springframework.web.bind.annotation.RequestParam;
31  import org.springframework.web.bind.annotation.ResponseBody;
32  
33  import flexjson.JSONSerializer;
34  import javax.servlet.http.HttpServletRequest;
35  import org.kuali.mobility.security.user.api.User;
36  import org.kuali.mobility.shared.Constants;
37  
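@Controller
@RequestMapping("/dining")
public class DiningController {

	public static final Logger LOG = Logger.getLogger(DiningController.class);

	/** View name that sends the user to the campus chooser when no view campus is selected. */
	private static final String CAMPUS_REDIRECT = "redirect:/campus?toolName=dining";

	/**
	 * Blocklist of script-bearing constructs stripped from request parameters by
	 * {@link #removeXSSAttack(String)}. Compiled once instead of on every request;
	 * the order is the one the original implementation applied.
	 */
	private static final Pattern[] SCRIPT_PATTERNS = {
		// anything between script tags
		Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE),
		// anything in a src='...' or src="..." expression
		Pattern.compile("src[\r\n]*=[\r\n]*\\'(.*?)\\'", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
		Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
		// lonesome </script> and <script ...> tags
		Pattern.compile("</script>", Pattern.CASE_INSENSITIVE),
		Pattern.compile("<script(.*?)>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
		// eval(...) and expression(...)
		Pattern.compile("eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
		Pattern.compile("expression\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
		// javascript: and vbscript: URL schemes
		Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE),
		Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE),
		// onload= handlers
		Pattern.compile("onload(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
	};

	@Autowired
	private DiningService diningService;

	public void setDiningService(DiningService diningService) {
		this.diningService = diningService;
	}

	/**
	 * Returns the user stored in the session under {@link Constants#KME_USER_KEY},
	 * or {@code null} when the session holds none.
	 */
	private static User sessionUser(HttpServletRequest request) {
		return (User) request.getSession().getAttribute(Constants.KME_USER_KEY);
	}

	/** True when a user is present and has a view campus selected. */
	private static boolean hasViewCampus(User user) {
		return user != null && user.getViewCampus() != null;
	}

	/** True when {@code s} is null, empty or whitespace only. */
	private static boolean isBlank(String s) {
		return s == null || s.trim().isEmpty();
	}

	/** Fetches every place from the service and groups them by campus and type for the UI. */
	private List<PlaceByCampusByType> placeGroups() {
		// NOTE(review): the list is not filtered by the user's view campus even though the
		// page handler resolves one; confirm that returning all campuses is intended.
		return DiningUtil.convertPlaceListForUI((List<Place>) diningService.getPlaces());
	}

	/**
	 * Renders the list of dining places.
	 *
	 * @param request current request; the session user is read from it
	 * @param uiModel model receiving the {@code placeGroups} attribute
	 * @return the places view, or a redirect to the campus chooser when the session
	 *         holds no user or the user has no view campus selected
	 */
	@RequestMapping(method = RequestMethod.GET)
	public String getPlaces(HttpServletRequest request, Model uiModel) {
		if (!hasViewCampus(sessionUser(request))) {
			// Previously a missing session user raised a NullPointerException here;
			// treat it like a missing campus selection instead.
			return CAMPUS_REDIRECT;
		}
		uiModel.addAttribute("placeGroups", placeGroups());
		return "dining/alldining";
	}

	/**
	 * Returns the grouped place list as JSON.
	 *
	 * @return JSON document produced by flexjson with every {@code class} property excluded
	 */
	@RequestMapping(value = "/getPlaces", method = RequestMethod.GET, headers = "Accept=application/json")
	@ResponseBody
	public String getPlaceListJson() {
		// NOTE(review): unlike getPlaces(), this endpoint does not look at the session user; confirm
		// that the JSON listing is meant to be reachable without a campus selection.
		return new JSONSerializer().exclude("*.class").deepSerialize(placeGroups());
	}

	/**
	 * Renders the menu page for one dining place.
	 *
	 * @param request current request; the session user is read from it
	 * @param uiModel model receiving {@code place}, {@code name} and {@code location}
	 * @param name place name (required request parameter)
	 * @param location optional location qualifier, appended as " at &lt;location&gt;" when non-blank
	 * @return the menus view, or a redirect to the campus chooser when no view campus is selected
	 */
	@RequestMapping(value = "/menu", method = RequestMethod.GET)
	public String getMenus(HttpServletRequest request, Model uiModel,
			@RequestParam(value = "name", required = true) String name,
			@RequestParam(value = "location", required = false) String location) {
		if (!hasViewCampus(sessionUser(request))) {
			return CAMPUS_REDIRECT;
		}
		// The blocklist filter is only defence in depth; the view must still HTML-encode these values.
		String filteredName = removeXSSAttack(name);
		String filteredLocation = removeXSSAttack(location);
		if (LOG.isDebugEnabled()) {
			// Request-supplied text reaches the log here; the filter does not strip line breaks.
			LOG.debug("getMenus() : name = " + filteredName + " location = " + filteredLocation);
		}
		String place = isBlank(filteredLocation) ? filteredName : filteredName + " at " + filteredLocation;
		uiModel.addAttribute("place", place);
		uiModel.addAttribute("name", filteredName);
		uiModel.addAttribute("location", filteredLocation);
		return "dining/menus_all";
	}

	/**
	 * Returns the menus of one dining place as JSON, as produced by the dining service.
	 *
	 * @param name place name (required request parameter)
	 * @param location optional location; absent or empty is passed to the service as
	 *                 {@code null}, otherwise the trimmed value is passed
	 * @return the service's JSON document
	 */
	@RequestMapping(value = "/getMenu")
	@ResponseBody
	public String getMenusJson(@RequestParam(value = "name", required = true) String name,
			@RequestParam(value = "location", required = false) String location) {
		// NOTE(review): no method restriction, so any HTTP method reaches this handler;
		// kept as-is for compatibility with existing clients.
		String filteredName = removeXSSAttack(name);
		String filteredLocation = removeXSSAttack(location);
		// Unchanged behaviour: only null/empty becomes null; a whitespace-only value trims to "".
		String normalizedLocation =
				(filteredLocation == null || filteredLocation.isEmpty()) ? null : filteredLocation.trim();
		return diningService.getMenusJson(filteredName, normalizedLocation);
	}

	/**
	 * Strips a fixed blocklist of script-bearing constructs from a request parameter.
	 * <p>
	 * This is a defence-in-depth measure only: a blocklist cannot enumerate every way of
	 * embedding script, so the views that render the value must still HTML-encode it and
	 * downstream services must treat it as untrusted. Filtering is repeated until a pass
	 * removes nothing, so text left behind by one removal cannot itself form a blocked
	 * construct.
	 *
	 * @param value the raw parameter, may be null
	 * @return the filtered value, or {@code null} when {@code value} is null
	 */
	private static String removeXSSAttack(String value) {
		if (value == null) {
			return null;
		}
		// NOTE(review): the previous version called value.replaceAll("", ""), which is a no-op;
		// the NUL character was presumably lost in rendering. Strip it explicitly.
		String filtered = value.replace("\0", "");
		String previous;
		do {
			previous = filtered;
			for (Pattern pattern : SCRIPT_PATTERNS) {
				filtered = pattern.matcher(filtered).replaceAll("");
			}
			// Each pattern only ever removes text, so the loop ends once a pass changes nothing.
		} while (!filtered.equals(previous));
		return filtered;
	}

}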