Allow admins to use basic formatting in welcome message and sanitize output. (Fixes #51)

Author: lmarini

CHANGELOG.md

@@ -9,6 +9,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
 ### Added
 - Script to clean extractors' tmp files.
 - Script for RabbitMQ error queue cleanup.
+- Ability to use basic html formatting in the welcome message on the home page. [#51](https://github.com/clowder-framework/clowder/issues/51)
 
 ### Changed
 - Improved simple test to report all day success.

app/controllers/Application.scala

@@ -1,17 +1,19 @@
 package controllers
 
 import java.net.URL
-import javax.inject.{Inject, Singleton}
 
+import javax.inject.{Inject, Singleton}
 import api.Permission
 import api.Permission._
 import play.api.{Logger, Play, Routes}
 import play.api.mvc.Action
 import services._
 import models.{Event, UUID, User, UserStatus}
+import org.owasp.html.Sanitizers
 import play.api.Logger
 import play.api.libs.concurrent.Execution.Implicits._
 import play.api.Play.current
+import util.Formatters.sanitizeHTML
 
 import scala.collection.immutable.List
 import scala.collection.mutable.ListBuffer
@@ -212,9 +214,11 @@ class Application @Inject() (files: FileService, collections: CollectionService,
         val spacesCount = spaces.count()
         val usersCount = users.count()
 
+        val sanitezedWelcomeText = sanitizeHTML(AppConfiguration.getWelcomeMessage)
+
         Ok(views.html.index(datasetsCount, filesCount, filesBytes,
           collectionsCount, spacesCount, usersCount,
-          AppConfiguration.getDisplayName, AppConfiguration.getWelcomeMessage))
+          AppConfiguration.getDisplayName, sanitezedWelcomeText))
       }
     }
   }
@@ -233,8 +237,10 @@ class Application @Inject() (files: FileService, collections: CollectionService,
     val spacesCount = spaces.count()
     val usersCount = users.count()
 
+    val sanitezedWelcomeText = sanitizeHTML(AppConfiguration.getWelcomeMessage)
+
     Ok(views.html.index(datasetsCount, filesCount, filesBytes, collectionsCount,
-        spacesCount, usersCount, AppConfiguration.getDisplayName, AppConfiguration.getWelcomeMessage))
+        spacesCount, usersCount, AppConfiguration.getDisplayName, sanitezedWelcomeText))
   }
 
   def email(subject: String, body: String) = UserAction(needActive=false) { implicit request =>

app/util/Formatters.scala

@@ -3,6 +3,9 @@ package util
 import java.text.SimpleDateFormat
 import java.util.Date
 
+import org.owasp.html.Sanitizers
+import services.AppConfiguration
+
 /**
  * Formatters
  */
@@ -77,4 +80,15 @@ object Formatters {
     val formatter = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSSX")
     formatter.parse(date)
   }
+
+  /**
+   * Sanitize text to safely output to web frontend. For example remove any kind of javascript snippets.
+   * @param unsanitezedText user created text that has not been sanitized
+   * @return text that has been sanitized
+   */
+  def sanitizeHTML(unsanitezedText: String): String = {
+    val policy = Sanitizers.FORMATTING.and(Sanitizers.LINKS).and(Sanitizers.IMAGES).and(Sanitizers.BLOCKS).
+      and(Sanitizers.STYLES).and(Sanitizers.TABLES)
+    policy.sanitize(AppConfiguration.getWelcomeMessage)
+  }
 }

app/views/index.scala.html

@@ -8,7 +8,7 @@
     <div class="row featurette">
         <div class="col-md-7">
             <h2 class="featurette-heading">Welcome to @displayedName</h2>
-            <p class="lead">@welcomeMessage</p>
+            <p class="lead">@Html(welcomeMessage)</p>
         </div>
         <div class="col-md-5" id="resources-panel-container">
             <div class="panel panel-default" id="resources-panel" data-clampedwidth=".col-md-5">

project/Build.scala

@@ -72,6 +72,9 @@ object ApplicationBuild extends Build {
 
   val appDependencies = Seq(
     filters,
+
+    "com.googlecode.owasp-java-html-sanitizer" % "owasp-java-html-sanitizer" % "20180219.1",
+
     // login
     "ws.securesocial" %% "securesocial" % "2.1.4" exclude("org.scala-stm", "scala-stm_2.10.0"),
     "com.unboundid" % "unboundid-ldapsdk" % "4.0.1",