Format and cleanup java source #705

ivy-cst · 2025-03-31T12:47:55Z

No description provided.

connectivity/connectivity-demos/src/com/axonivy/connectivity/rest/provider/PersonService.java

      return Response.status(Status.NOT_FOUND)
-              .entity("user with id '" + personId + "' does not exist.")
-              .build();
+          .entity("user with id '" + personId + "' does not exist.")
+          .build();


To fix the cross-site scripting vulnerability, we need to ensure that any user-provided data included in the response is properly sanitized or encoded. In this case, we can use the StringEscapeUtils.escapeHtml4 method from the Apache Commons Lang library to escape any HTML characters in the personId before including it in the response message.

connectivity/connectivity-demos/src/com/axonivy/connectivity/rest/provider/SecureService.java

    return Response.status(Status.OK)
-            .entity("Added entry '" + newEntry + "'")
-            .build();
+        .entity("Added entry '" + newEntry + "'")
+        .build();


To fix the cross-site scripting vulnerability, we need to ensure that any user-provided input is properly sanitized or encoded before being included in the response. The best way to fix this issue is to use a library that provides HTML encoding to escape any potentially harmful characters in the user input.

In this case, we can use the StringEscapeUtils class from the Apache Commons Text library to encode the newEntry parameter before including it in the response.

connectivity/connectivity-demos/src/com/axonivy/connectivity/rest/provider/SecureService.java

    return Response.status(Status.OK)
-            .entity("Update entry with id (" + id + ") to '" + newEntry + "'")
-            .build();
+        .entity("Update entry with id (" + id + ") to '" + newEntry + "'")
+        .build();


To fix the cross-site scripting vulnerability, we need to sanitize or encode the user-provided input before including it in the response. The best way to fix this issue is to use a library that provides HTML encoding to ensure that any potentially malicious scripts are rendered harmless.

In this case, we can use the StringEscapeUtils class from the Apache Commons Text library to encode the newEntry parameter before including it in the response.

Format and cleanup java source

d335210

ivy-cst requested review from weissreto, ivy-bb, ivy-lli and ivy-rew as code owners March 31, 2025 12:47

github-advanced-security bot found potential problems Mar 31, 2025

View reviewed changes

ivy-rew approved these changes Mar 31, 2025

View reviewed changes

ivy-lli approved these changes Mar 31, 2025

View reviewed changes

ivy-cst merged commit dabe13a into master Mar 31, 2025
10 checks passed

ivy-cst deleted the format-java branch March 31, 2025 13:23

@@ -27,2 +27,3 @@
             import org.apache.commons.lang3.StringUtils;
+            import org.apache.commons.text.StringEscapeUtils;
@@ -154,4 +155,5 @@
                 } catch (IndexOutOfBoundsException ex) {
+                  String safePersonId = StringEscapeUtils.escapeHtml4(personId.toString());
                   return Response.status(Status.NOT_FOUND)
-                      .entity("user with id '" + personId + "' does not exist.")
+                      .entity("user with id '" + safePersonId + "' does not exist.")
                       .build();

@@ -5,3 +5,3 @@
             import java.util.List;
+            import org.apache.commons.text.StringEscapeUtils;
             import javax.annotation.security.DenyAll;
@@ -76,4 +76,5 @@
                 entries.add(newEntry);
+                String encodedEntry = StringEscapeUtils.escapeHtml4(newEntry);
                 return Response.status(Status.OK)
-                    .entity("Added entry '" + newEntry + "'")
+                    .entity("Added entry '" + encodedEntry + "'")
                     .build();

@@ -1,2 +1,9 @@
             <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+                <dependencies>
+                    <dependency>
+                        <groupId>org.apache.commons</groupId>
+                        <artifactId>commons-text</artifactId>
+                        <version>1.13.0</version>
+                    </dependency>
+                </dependencies>
               <modelVersion>4.0.0</modelVersion>

Package	Version	Security advisories
org.apache.commons:commons-text (maven)	1.13.0	None

@@ -23,2 +23,3 @@
             import io.swagger.v3.oas.annotations.tags.Tag;
+            import org.apache.commons.text.StringEscapeUtils;
@@ -90,4 +91,5 @@
                 entries.set(id, newEntry);
+                String encodedEntry = StringEscapeUtils.escapeHtml4(newEntry);
                 return Response.status(Status.OK)
-                    .entity("Update entry with id (" + id + ") to '" + newEntry + "'")
+                    .entity("Update entry with id (" + id + ") to '" + encodedEntry + "'")
                     .build();

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Format and cleanup java source #705

Format and cleanup java source #705

ivy-cst commented Mar 31, 2025

Check warning

Copilot Autofix

Check warning

Copilot Autofix

Check warning

Copilot Autofix

Format and cleanup java source #705

Format and cleanup java source #705

Conversation

ivy-cst commented Mar 31, 2025

Check warning

Copilot Autofix

Check warning

Copilot Autofix

Check warning

Copilot Autofix