Merge pull request #324 from skyhit/sanitize_project_name_and_description

sanitize project name and description before saving

Author: ajefts

build-dependencies.xml

@@ -399,6 +399,7 @@
     <property name="ejb3-persistence.jar" value="${ext_libdir}/ejb-api/ejb3-persistence.jar"/>
     <property name="javaee.jar" value="${ext_libdir}/j2ee/1.5/javaee.jar"/>
     <property name="jaxb.jar" value="${ext_libdir}/jaxb/2.1.7/jaxb-api.jar"/>
+    <property name="encoder.jar" value="${ext_libdir}/owasp/encoder-1.2.1.jar" />
     <property name="jsr311.jar" value="${ext_libdir}/j2ee/jsr311-api-1.1.1.jar"/>
 
     <property name="jai_codec-1.1.3.jar" value="${ext_libdir}/jai/jai_codec-1.1.3.jar"/>
@@ -643,6 +644,7 @@
         <pathelement location="${jira-soapclient-all.jar}"/>
         <pathelement location="${servlet-api.jar}"/>
         <pathelement location="${jaxb.jar}"/>
+        <pathelement location="${encoder.jar}"/>
         <pathelement location="${javaee.jar}"/>
         <pathelement location="${aws-java-sdk.jar}"/>
         <pathelement location="${jrss.jar}"/>

build.xml

@@ -316,6 +316,7 @@
         <copy file="${jackson-annotations-2.3.0.jar}" todir="${ear_shared_libdir}" overwrite="true"/>
         <copy file="${jackson-core-2.3.2.jar}" todir="${ear_shared_libdir}" overwrite="true"/>
         <copy file="${jackson-databind-2.3.2.jar}" todir="${ear_shared_libdir}" overwrite="true"/>
+        <copy file="${encoder.jar}" todir="${ear_shared_libdir}" overwrite="true" />
 
     	<copy file="${yuicompressor.jar}" todir="${ear_shared_libdir}" overwrite="true"/>
         <copy file="${java-jwt-1.0.0.jar}" todir="${ear_shared_libdir}" overwrite="true"/>

lib/third_party/owasp/encoder-1.2.1.jar

@@ -49,6 +49,7 @@
     <property name="jboss-jaxws.jar" value="${jboss_home}/server/${jboss_config_name}/lib/jboss-jaxws.jar" />
     <property name="log4j.jar" value="${jboss_home}/server/${jboss_config_name}/lib/log4j.jar" />
     <property name="jaxb-api.jar" value="${ext_libdir}/jaxb/2.1.7/jaxb-api.jar" />
+    <property name="encoder.jar" value="${ext_libdir}/owasp/encoder-1.2.1.jar" />
 
     <property name="jboss-ejb3x.jar" value="${jboss_home}/client/jboss-ejb3x.jar" />
     <property name="ejb3-persistence.jar" value="${jboss_home}/client/ejb3-persistence.jar" />
@@ -80,6 +81,7 @@
         <pathelement location="${jbossall-client.jar}" />
         <pathelement location="${jboss-jaxws.jar}" />
         <pathelement location="${jaxb-api.jar}" />
+        <pathelement location="${encoder.jar}" />
     </path>
 
     <path id="component.test.3rdParty-dependencies">

services/project_service/build-dependencies.xml

@@ -61,6 +61,7 @@
 import com.topcoder.util.log.Level;
 import com.topcoder.util.log.Log;
 import com.topcoder.util.log.LogManager;
+import org.owasp.encoder.Encode;
 
 /**
  * <p>
@@ -870,10 +871,12 @@ public ProjectData createProject(TCSubject tcSubject, ProjectData projectData) t
             // Validate
             checkProjectData(projectData, true);
 
-            // Create a new Project, copy name and description
+            // Create a new Project, copy name and description, and sanitize them
             Project project = new Project();
-            project.setName(projectData.getName());
-            project.setDescription(projectData.getDescription());
+            String projectName = Encode.forHtml(projectData.getName());
+            project.setName(projectName);
+            String description = Encode.forHtml(projectData.getDescription());
+            project.setDescription(description);
             if (projectData.getProjectBillingAccountId() > 0) {
                 // if there is billing account, activate the project
                 project.setProjectStatusId(PROJECT_STATUS_ACTIVE);