Fix/escape space name description (#459)

* Ranaming `master` branch to `main`.

* Escape space name and description to avoid xss.

* Comment out irods dependency as it is not available anymore.

* Upgrade actions/cache from v1 to v3

Author: lmarini

app/controllers/Spaces.scala

@@ -7,6 +7,7 @@ import org.joda.time.DateTime
 import play.api.data.Forms._
 import play.api.data.{Form, Forms}
 import play.api.i18n.Messages
+import play.api.templates.HtmlFormat
 import play.api.{Logger, Play}
 import securesocial.core.providers.{Token, UsernamePasswordProvider}
 import services._
@@ -411,7 +412,7 @@ class Spaces @Inject() (spaces: SpaceService, users: UserService, events: EventS
                   formData => {
                     if (Permission.checkPermission(user, Permission.CreateSpace)) {
                       Logger.debug("Creating space " + formData.name)
-                      val newSpace = ProjectSpace(name = formData.name, description = formData.description,
+                      val newSpace = ProjectSpace(name = HtmlFormat.escape(formData.name).toString(), description = HtmlFormat.escape(formData.description).toString(),
                         created = new Date, creator = userId, homePage = formData.homePage,
                         logoURL = formData.logoURL, bannerURL = formData.bannerURL,
                         collectionCount = 0, datasetCount = 0, fileCount = 0, userCount = 0, spaceBytes = 0, metadata = List.empty,

app/views/spaces/listItem.scala.html

@@ -22,7 +22,7 @@ <h3><a href="@routes.Spaces.getSpace(space.id)">@space.name</a></h3>
 
                 <div class= "row">
                     <div class="col-md-6 col-sm-6 col-lg-6">
-                        <div class = 'abstractsummary'>@Html(space.description.replace("\n","<br>"))</div>
+                        <div class = 'abstractsummary'>space.description.replace("\n","<br>")</div>
                         <div>@space.created.format("MMM dd, yyyy")</div>
                         <div>
                             <span class="glyphicon glyphicon-briefcase" title="@space.datasetCount datasets"></span> @space.datasetCount

app/views/spaces/newEditTemplate.scala.html

@@ -13,7 +13,7 @@
     <ol class="breadcrumb">
       @(spaceId, spaceName) match {
         case (Some(s), Some(name)) => {
-          <li> <span class="glyphicon glyphicon-hdd"></span>  <a href="@routes.Spaces.getSpace(s)" title="@name"> @Html(ellipsize(name, 18))</a></li>
+          <li> <span class="glyphicon glyphicon-hdd"></span>  <a href="@routes.Spaces.getSpace(s)" title="@name"> @name</a></li>
           <li> <span class="glyphicon glyphicon-edit"></span> @Html(title)</li>
         }
         case (_,_) => {

app/views/spaces/space.scala.html

@@ -28,7 +28,7 @@
                     <h1 id="spacenamedisplay" class="space-title"><span class="glyphicon glyphicon-hdd"></span> @space.name</h1>
                 </div>
                 <div class="col-md-12">
-                    <p><span id="spacedescdisplay" class='abstract'>@Html(space.description.replace("\n","<br>"))</span></p>
+                    <p><span id="spacedescdisplay" class='abstract'>@space.description.replace("\n","<br>")</span></p>
                 </div>
                 @if(user.isDefined) {
                     <div class="col-xs-12">

app/views/spaces/tile.scala.html

@@ -13,7 +13,7 @@
             }
         <div class="caption break-word">
             <h4 class="no-overflow oneline"><a href="@routes.Spaces.getSpace(space.id)">@space.name</a></h4>
-            <p class = 'abstractsummary'>@Html(space.description.replace("\n","<br>"))</p>
+            <p class = 'abstractsummary'>@space.description.replace("\n","<br>")</p>
         </div>
         </div>
             <!-- Space Info -->