Merge pull request from GHSA-h4jg-287w-hc7g

- also update JSP README.md for running
- use the OWASP sanitizer library

For: XSS bug in util.unicode.org JSP utils #498

Author: srl295

UnicodeJsps/pom.xml

@@ -80,7 +80,19 @@
 			<artifactId>unicodetools-testutils</artifactId>
 			<scope>test</scope>
 		</dependency>
-	</dependencies>
+
+		<dependency>
+			<groupId>org.owasp.encoder</groupId>
+			<artifactId>encoder</artifactId>
+			<version>1.2.3</version>
+		</dependency>
+
+		<dependency>
+			<groupId>org.owasp.encoder</groupId>
+			<artifactId>encoder-jsp</artifactId>
+			<version>1.2.3</version>
+		</dependency>
+			</dependencies>
 	<build>
 		<finalName>${project.artifactId}</finalName>
 		<plugins>

UnicodeJsps/src/main/webapp/bidic.jsp

@@ -1,3 +1,4 @@
+<%@ page import="org.owasp.encoder.Encode" %>
 <html>
 
 <head>
@@ -258,7 +259,7 @@ function setUbaInput(str) {
         </tr>
         <tr>
             <td>
-                <textarea id="idInputCharSeq" name="s" rows="2" cols="100" maxlength="200" oninput="setUbaInputFromEdit(event)"><%= valInputCharSeq %></textarea>
+                <textarea id="idInputCharSeq" name="s" rows="2" cols="100" maxlength="200" oninput="setUbaInputFromEdit(event)"><%= Encode.forHtmlContent(valInputCharSeq) %></textarea>
             </td>
         </tr>
         <tr style="display:none">

UnicodeJsps/src/main/webapp/bnf.jsp

@@ -1,3 +1,4 @@
+<%@ page import="org.owasp.encoder.Encode" %>
 <html>
 <head>
 <%@ include file="header.jsp" %>
@@ -50,23 +51,23 @@
       <th style="width: 50%">Input</th>
     </tr>
     <tr>
-      <td><textarea name="a" rows="8" cols="10" style="width: 100%"><%=bnf%></textarea></td>
+      <td><textarea name="a" rows="8" cols="10" style="width: 100%"><%=Encode.forHtmlContent(bnf)%></textarea></td>
     </tr>
     <tr>
       <th style="width: 50%">TestText</th>
     </tr>
     <tr>
-      <td><textarea name="b" rows="8" cols="10" style="width: 100%"><%=test%></textarea></td>
+      <td><textarea name="b" rows="8" cols="10" style="width: 100%"><%=Encode.forHtmlContent(test)%></textarea></td>
     </tr>
 </table>
 <input id='main' type="submit" value="Show Modified BNF Pattern" onClick="window.location.href='bnf.jsp?a='+document.getElementById('main').value"/>
 </form>
   <hr>
   <h2>Modified BNF Pattern</h2>
-  <p><%=fixedbnf%></p>
+  <p><%=Encode.forHtmlContent(fixedbnf)%></p>
   <hr>
   <h2>Underlined Find Values</h2>
-  <p><%=testPattern%></p>
+  <p><%=Encode.forHtmlContent(testPattern)%></p>
   <hr>
   <h2>Random Generation</h2>
   <%=random%>

UnicodeJsps/src/main/webapp/breaks.jsp

@@ -1,3 +1,4 @@
+<%@ page import="org.owasp.encoder.Encode" %>
 <html>
 
 <head>
@@ -38,7 +39,7 @@ span.break   { border-right: 1px solid red;}
       <input type="submit" value="Test" /></td>
     </tr>
     <tr>
-      <td><textarea name="a" rows="30" cols="30" style="width:100%; height:100%"><%=text%></textarea></td>
+      <td><textarea name="a" rows="30" cols="30" style="width:100%; height:100%"><%=Encode.forHtmlContent(text)%></textarea></td>
       <td>
       <%=UnicodeJsp.showBreaks(text, choice)%>&nbsp;</td>
     </tr>

UnicodeJsps/src/main/webapp/idna.jsp

@@ -1,3 +1,4 @@
+<%@ page import="org.owasp.encoder.Encode" %>
 <html>
 <head>
 <%@ include file="header.jsp" %>
@@ -29,7 +30,7 @@
       <th class='r'>For special characters, you can use <a target="picker" href="http://macchiato.com/picker/MyApplication.html">Picker</a></th>
     </tr>
     <tr>
-      <td colSpan='2'><textarea name="a" rows="12" cols="10" style="width: 100%"><%=IDNA2008%></textarea></td>
+      <td colSpan='2'><textarea name="a" rows="12" cols="10" style="width: 100%"><%=Encode.forHtmlContent(IDNA2008)%></textarea></td>
     </tr>
 </table>
 <input id='main' type="submit" value="Show IDNA Status" onClick="window.location.href='idna.jsp?a='+document.getElementById('main').value"/>

UnicodeJsps/src/main/webapp/languageid.jsp

@@ -1,3 +1,4 @@
+<%@ page import="org.owasp.encoder.Encode" %>
 <html>
 <head>
 <%@ include file="header.jsp" %>
@@ -45,7 +46,7 @@
       <th style="width: 50%">Input</th>
     </tr>
     <tr>
-      <td><input type="text" name="a" rows="8" cols="10" style="width: 100%" value="<%=languageCode%>"/></td>
+      <td><input type="text" name="a" rows="8" cols="10" style="width: 100%" value="<%=Encode.forHtmlAttribute(languageCode)%>"/></td>
     </tr>
   </table>
 

UnicodeJsps/src/main/webapp/list-unicodeset.jsp

@@ -1,5 +1,6 @@
 <html>
 <head>
+<%@ page import="org.owasp.encoder.Encode" %>
 <%@ include file="header.jsp" %>
 <title>Unicode Utilities: UnicodeSet</title>
 </head>
@@ -36,7 +37,7 @@
       <th style="width: 50%">Input</th>
     </tr>
     <tr>
-      <td><textarea name="a" rows="8" cols="10" style="width: 100%"><%=setA%></textarea></td>
+      <td><textarea name="a" rows="8" cols="10" style="width: 100%"><%=Encode.forHtmlContent(setA)%></textarea></td>
     </tr>
     <tr>
       <td>
@@ -46,9 +47,9 @@
       <input type="checkbox" <%=ucdFormat ? "checked" : ""%> name="ucd"><label for="ucd">UCD format</label>&nbsp;&nbsp;
       <input type="checkbox" <%=escape ? "checked" : ""%> name="esc"><label for="esc">Escape</label>&nbsp;&nbsp;
       <label for="g">Group by:</label>
-      <input type="text" <%=escape ? "checked" : ""%> name="g" size="25" value="<%=group%>">
+      <input type="text" <%=escape ? "checked" : ""%> name="g" size="25" value="<%=Encode.forHtmlAttribute(group)%>">
       <label for="i">Info:</label>
-      <input type="text" <%=escape ? "checked" : ""%> name="i" size="25" value="<%=info%>">
+      <input type="text" <%=escape ? "checked" : ""%> name="i" size="25" value="<%=Encode.forHtmlAttribute(info)%>">
       </td>
     </tr>
 </table>

UnicodeJsps/src/main/webapp/regex.jsp

@@ -1,3 +1,4 @@
+<%@ page import="org.owasp.encoder.Encode" %>
 <html>
 <head>
 <%@ include file="header.jsp" %>
@@ -41,20 +42,20 @@
       <th style="width: 50%">Input</th>
     </tr>
     <tr>
-      <td><textarea name="a" rows="8" cols="10" style="width: 100%"><%=regex%></textarea></td>
+      <td><textarea name="a" rows="8" cols="10" style="width: 100%"><%=Encode.forHtmlContent(regex)%></textarea></td>
     </tr>
     <tr>
       <th style="width: 50%">TestText</th>
     </tr>
     <tr>
-      <td><textarea name="b" rows="8" cols="10" style="width: 100%"><%=test%></textarea></td>
+      <td><textarea name="b" rows="8" cols="10" style="width: 100%"><%=Encode.forHtmlContent(test)%></textarea></td>
     </tr>
 </table>
 <input id='main' type="submit" value="Show Modified Regex Pattern" onClick="window.location.href='regex.jsp?a='+document.getElementById('main').value"/>
 </form>
   <hr>
   <h2>Modified Regex Pattern</h2>
-  <p><%=fixedRegex%></p>
+  <p><%=Encode.forHtmlContent(fixedRegex)%></p>
   <hr>
   <h2>Underlined Find Values</h2>
   <p><%=testPattern%></p>

UnicodeJsps/src/main/webapp/transform.jsp

@@ -1,3 +1,4 @@
+<%@ page import="org.owasp.encoder.Encode" %>
 <html>
 <head>
 <%@ include file="header.jsp" %>
@@ -24,13 +25,13 @@
       <th style="width: 50%">Transform Rules</th>
     </tr>
     <tr>
-      <td><textarea name="a" rows="8" cols="10" style="width: 100%"><%=transform%></textarea></td>
+      <td><textarea name="a" rows="8" cols="10" style="width: 100%"><%=Encode.forHtmlContent(transform)%></textarea></td>
     </tr>
     <tr>
       <th style="width: 50%">Sample</th>
     </tr>
     <tr>
-      <td><textarea name="b" rows="8" cols="10" style="width: 100%"><%=sample%></textarea></td>
+      <td><textarea name="b" rows="8" cols="10" style="width: 100%"><%=Encode.forHtmlContent(sample)%></textarea></td>
     </tr>
 </table>
 <input id='main' type="submit" value="Show Transform" onClick="window.location.href='transform.jsp?a='+document.getElementById('main').value"/>