From 056c2745acc28bf1b20259823d7ded9a4e5aa781 Mon Sep 17 00:00:00 2001 From: Luigi Marini Date: Thu, 20 Aug 2020 15:24:28 -0500 Subject: [PATCH] Allow admins to use basic formatting in welcome message and sanitize output. (Fixes #51) --- CHANGELOG.md | 1 + app/controllers/Application.scala | 12 +++++++++--- app/util/Formatters.scala | 14 ++++++++++++++ app/views/index.scala.html | 2 +- project/Build.scala | 3 +++ 5 files changed, 28 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 61c4fa9eb..f5b7eaf17 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -9,6 +9,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/). ### Added - Script to clean extractors' tmp files. - Script for RabbitMQ error queue cleanup. +- Ability to use basic html formatting in the welcome message on the home page. [#51](https://github.com/clowder-framework/clowder/issues/51) ### Changed - Improved simple test to report all day success. diff --git a/app/controllers/Application.scala b/app/controllers/Application.scala index 7433e186c..07bc5ddd0 100644 --- a/app/controllers/Application.scala +++ b/app/controllers/Application.scala @@ -1,17 +1,19 @@ package controllers import java.net.URL -import javax.inject.{Inject, Singleton} +import javax.inject.{Inject, Singleton} import api.Permission import api.Permission._ import play.api.{Logger, Play, Routes} import play.api.mvc.Action import services._ import models.{Event, UUID, User, UserStatus} +import org.owasp.html.Sanitizers import play.api.Logger import play.api.libs.concurrent.Execution.Implicits._ import play.api.Play.current +import util.Formatters.sanitizeHTML import scala.collection.immutable.List import scala.collection.mutable.ListBuffer 
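Review bot: `import org.owasp.html.Sanitizers` is added to Application.scala but nothing in this file's other hunks (the index actions at @@ -212 and @@ -233) references `Sanitizers`; only `sanitizeHTML` is called, so the import is dead and widens the controller's direct dependency on the sanitizer library for no reason. Drop that line and keep `import util.Formatters.sanitizeHTML` as the single entry point, so the sanitization policy lives in one place. The `-import javax.inject.{Inject, Singleton}` / `+import javax.inject.{Inject, Singleton}` pair is a whitespace-only change that is unrelated noise in a security fix; consider reverting it to keep the diff reviewable.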
@@ -212,9 +214,11 @@ class Application @Inject() (files: FileService, collections: CollectionService, val spacesCount = spaces.count() val usersCount = users.count() + val sanitezedWelcomeText = sanitizeHTML(AppConfiguration.getWelcomeMessage) + Ok(views.html.index(datasetsCount, filesCount, filesBytes, collectionsCount, spacesCount, usersCount, - AppConfiguration.getDisplayName, AppConfiguration.getWelcomeMessage)) + AppConfiguration.getDisplayName, sanitezedWelcomeText)) } } } @@ -233,8 +237,10 @@ class Application @Inject() (files: FileService, collections: CollectionService, val spacesCount = spaces.count() val usersCount = users.count() + val sanitezedWelcomeText = sanitizeHTML(AppConfiguration.getWelcomeMessage) + Ok(views.html.index(datasetsCount, filesCount, filesBytes, collectionsCount, - spacesCount, usersCount, AppConfiguration.getDisplayName, AppConfiguration.getWelcomeMessage)) + spacesCount, usersCount, AppConfiguration.getDisplayName, sanitezedWelcomeText)) } def email(subject: String, body: String) = UserAction(needActive=false) { implicit request => diff --git a/app/util/Formatters.scala b/app/util/Formatters.scala index 3d00ffa2b..9a3b2e4a9 100644 --- a/app/util/Formatters.scala +++ b/app/util/Formatters.scala @@ -3,6 +3,9 @@ package util import java.text.SimpleDateFormat import java.util.Date +import org.owasp.html.Sanitizers +import services.AppConfiguration + /** * Formatters */ 
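Review bot: The new local `sanitezedWelcomeText` is misspelled, here and in the second index action at @@ -233; rename it in both places, e.g. `val sanitizedWelcomeText = sanitizeHTML(AppConfiguration.getWelcomeMessage)`. Sanitizing on every request rather than caching looks right, since the welcome message appears to be admin-editable at runtime, but with two actions now doing identical work a small private helper such as `private def sanitizedWelcome: String = sanitizeHTML(AppConfiguration.getWelcomeMessage)` would keep the two call sites from drifting. Both enclosing actions start outside the hunk.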
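Review bot: `import services.AppConfiguration` introduces a dependency from the generic `util` package onto the service layer, and its only use is inside `sanitizeHTML` at @@ -77 below, where the function sanitizes `AppConfiguration.getWelcomeMessage` instead of its own argument. Once `sanitizeHTML` operates on `unsanitezedText` as its signature promises, this import becomes unused and should be removed so the formatter stays a pure, caller-agnostic utility.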
@@ -77,4 +80,15 @@ object Formatters { val formatter = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSSX") formatter.parse(date) } + + /** + * Sanitize text to safely output to web frontend. For example remove any kind of javascript snippets. + * @param unsanitezedText user created text that has not been sanitized + * @return text that has been sanitized + */ + def sanitizeHTML(unsanitezedText: String): String = { + val policy = Sanitizers.FORMATTING.and(Sanitizers.LINKS).and(Sanitizers.IMAGES).and(Sanitizers.BLOCKS). + and(Sanitizers.STYLES).and(Sanitizers.TABLES) + policy.sanitize(AppConfiguration.getWelcomeMessage) + } } diff --git a/app/views/index.scala.html b/app/views/index.scala.html index e3cf73845..d1abb0222 100644 --- a/app/views/index.scala.html +++ b/app/views/index.scala.html @@ -8,7 +8,7 @@
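Review bot: `sanitizeHTML` ignores its `unsanitezedText` parameter and sanitizes `AppConfiguration.getWelcomeMessage` instead, so it only works by coincidence for the two callers in Application.scala and will silently return the welcome message to any future caller that passes different text, contrary to what the docstring promises; the last line should read `policy.sanitize(unsanitezedText)`. The `PolicyFactory` built from `Sanitizers.FORMATTING.and(...)` is immutable, so it can be hoisted to a `private val` on the object instead of being rebuilt per request. Note also that the policy includes `STYLES` and `IMAGES`, which lets an admin place inline CSS and externally hosted images on the home page; that goes beyond "basic formatting" and is worth confirming against the intended threat model, or trimming to `Sanitizers.FORMATTING.and(Sanitizers.LINKS).and(Sanitizers.BLOCKS)`. The hunk closes `object Formatters`, whose header is outside the hunk.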

Welcome to @displayedName

-

@welcomeMessage

+

@Html(welcomeMessage)
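Review bot: `@Html(welcomeMessage)` turns off Twirl's default escaping for this value, so the template is now safe only as long as every caller of `views.html.index` passes already-sanitized text, and nothing in the template's signature says so. Consider changing the parameter type to `Html` and wrapping it in the controller (`Html(sanitizeHTML(...))`) so an unsanitized `String` cannot be passed by mistake, or at minimum add a comment next to the parameter declaration, `@* welcomeMessage must be sanitized by the caller (see util.Formatters.sanitizeHTML) *@`. The template's parameter declaration is outside the hunk.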

diff --git a/project/Build.scala b/project/Build.scala index 5f4293fb5..12d41e489 100644 --- a/project/Build.scala +++ b/project/Build.scala @@ -72,6 +72,9 @@ object ApplicationBuild extends Build { val appDependencies = Seq( filters, + + "com.googlecode.owasp-java-html-sanitizer" % "owasp-java-html-sanitizer" % "20180219.1", + // login "ws.securesocial" %% "securesocial" % "2.1.4" exclude("org.scala-stm", "scala-stm_2.10.0"), "com.unboundid" % "unboundid-ldapsdk" % "4.0.1",
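Review bot: The sanitizer is pinned to `20180219.1`, a release dated two and a half years before this commit, so before merging check whether a newer release exists and what transitive dependencies it brings (as far as I recall the library pulls in Guava, which may clash with versions already on the classpath from other entries in this `Seq`). It would also help to label the entry like the neighbouring ones, e.g. `// html sanitizer for admin-editable text (#51)` on the line above it. The `Seq` that the hunk opens with `val appDependencies = Seq(` closes outside the hunk.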