SONAR-4681 SONAR-5295 Escape HTML before markdown interpolation

author: Jean-Baptiste Lievremont <jean-baptiste.lievremont@sonarsource.com> 2014-05-12 18:43:58 +0200
committer: Jean-Baptiste Lievremont <jean-baptiste.lievremont@sonarsource.com> 2014-05-12 18:44:06 +0200
commit: 1f906357067c5256314d6c899e76c86f60f7f559 (patch)
tree: 2723c0e6625bf1adefd69af127a444d4e6984090
parent: f59a579d18a7dc338c9adab23806019b14ac5c27 (diff)
download: sonarqube-1f906357067c5256314d6c899e76c86f60f7f559.tar.gz
sonarqube-1f906357067c5256314d6c899e76c86f60f7f559.zip
5 files changed, 14 insertions, 8 deletions
diff --git a/sonar-markdown/pom.xml b/sonar-markdown/pom.xml
index 49f615bd35b..d28e9542fbd 100644
--- a/sonar-markdown/pom.xml
+++ b/sonar-markdown/pom.xml
@@ -19,6 +19,10 @@
       <artifactId>sonar-channel</artifactId>
     </dependency>
     <dependency>
+      <groupId>commons-lang</groupId>
+      <artifactId>commons-lang</artifactId>
+    </dependency>
+    <dependency>
       <groupId>org.slf4j</groupId>
       <artifactId>slf4j-api</artifactId>
     </dependency>
diff --git a/sonar-markdown/src/main/java/org/sonar/markdown/HtmlBlockquoteChannel.java b/sonar-markdown/src/main/java/org/sonar/markdown/HtmlBlockquoteChannel.java
index c236e15a19f..286e7e58c80 100644
--- a/sonar-markdown/src/main/java/org/sonar/markdown/HtmlBlockquoteChannel.java
+++ b/sonar-markdown/src/main/java/org/sonar/markdown/HtmlBlockquoteChannel.java
@@ -65,7 +65,7 @@ class HtmlBlockquoteChannel extends Channel<MarkdownOutput> {
   private class QuotedLineElementChannel extends RegexChannel<MarkdownOutput> {
 
     protected QuotedLineElementChannel() {
-      super(">\\s[^\r\n]*+");
+      super("&gt;\\s[^\r\n]*+");
     }
 
     @Override
@@ -80,7 +80,8 @@ class HtmlBlockquoteChannel extends Channel<MarkdownOutput> {
 
     private int searchIndexOfFirstCharacter(CharSequence token) {
       for (int index = 0; index < token.length(); index++) {
-        if (token.charAt(index) == '>') {
+        if (token.charAt(index) == '&') {
+          index += 4;
           while (++ index < token.length()) {
             if (token.charAt(index) != ' ') {
               return index;
diff --git a/sonar-markdown/src/main/java/org/sonar/markdown/Markdown.java b/sonar-markdown/src/main/java/org/sonar/markdown/Markdown.java
index 5323a3966d5..3d932c62bc5 100644
--- a/sonar-markdown/src/main/java/org/sonar/markdown/Markdown.java
+++ b/sonar-markdown/src/main/java/org/sonar/markdown/Markdown.java
@@ -19,6 +19,7 @@
  */
 package org.sonar.markdown;
 
+import org.apache.commons.lang.StringEscapeUtils;
 import org.sonar.channel.ChannelDispatcher;
 import org.sonar.channel.CodeReader;
 
@@ -53,6 +54,6 @@ public final class Markdown {
   }
 
   public static String convertToHtml(String input) {
-    return new Markdown().convert(input);
+    return new Markdown().convert(StringEscapeUtils.escapeHtml(input));
   }
 }
diff --git a/sonar-markdown/src/test/java/org/sonar/markdown/MarkdownTest.java b/sonar-markdown/src/test/java/org/sonar/markdown/MarkdownTest.java
index 909fda8c539..462bee37175 100644
--- a/sonar-markdown/src/test/java/org/sonar/markdown/MarkdownTest.java
+++ b/sonar-markdown/src/test/java/org/sonar/markdown/MarkdownTest.java
@@ -67,8 +67,10 @@ public class MarkdownTest {
 
   @Test
   public void shouldDecorateBlockquote() {
-    assertThat(Markdown.convertToHtml("> Yesterday it worked\n> Today it is not working\r\n> Software is like that\r"))
-        .isEqualTo("<blockquote>Yesterday it worked<br/>\nToday it is not working<br/>\r\nSoftware is like that<br/>\r</blockquote>");
+    assertThat(Markdown.convertToHtml("> Yesterday <br/> it worked\n> Today it is not working\r\n> Software is like that\r"))
+        .isEqualTo("<blockquote>Yesterday &lt;br/&gt; it worked<br/>\nToday it is not working<br/>\r\nSoftware is like that<br/>\r</blockquote>");
+    assertThat(Markdown.convertToHtml("HTML elements should <em>not</em> be quoted!"))
+        .isEqualTo("HTML elements should &lt;em&gt;not&lt;/em&gt; be quoted!");
   }
 
   @Test
diff --git a/sonar-server/src/main/java/org/sonar/server/text/RubyTextService.java b/sonar-server/src/main/java/org/sonar/server/text/RubyTextService.java
index a150c53c5b6..7d04ecea691 100644
--- a/sonar-server/src/main/java/org/sonar/server/text/RubyTextService.java
+++ b/sonar-server/src/main/java/org/sonar/server/text/RubyTextService.java
@@ -19,7 +19,6 @@
  */
 package org.sonar.server.text;
 
-import org.apache.commons.lang.StringEscapeUtils;
 import org.sonar.api.ServerComponent;
 import org.sonar.markdown.Markdown;
 import org.sonar.server.source.HtmlSourceDecorator;
@@ -46,8 +45,7 @@ public class RubyTextService implements ServerComponent {
 
   // TODO add ruby example
   public String markdownToHtml(String markdown) {
-    // TODO move HTML escaping to sonar-markdown
-    return Markdown.convertToHtml(StringEscapeUtils.escapeHtml(markdown));
+    return Markdown.convertToHtml(markdown);
   }
 
   // TODO add ruby example
author	Jean-Baptiste Lievremont <jean-baptiste.lievremont@sonarsource.com>	2014-05-12 18:43:58 +0200
committer	Jean-Baptiste Lievremont <jean-baptiste.lievremont@sonarsource.com>	2014-05-12 18:44:06 +0200
commit	1f906357067c5256314d6c899e76c86f60f7f559 (patch)
tree	2723c0e6625bf1adefd69af127a444d4e6984090
parent	f59a579d18a7dc338c9adab23806019b14ac5c27 (diff)
download	sonarqube-1f906357067c5256314d6c899e76c86f60f7f559.tar.gz sonarqube-1f906357067c5256314d6c899e76c86f60f7f559.zip