libreoffice-online/wsd/FileServerUtil.cpp
Jan Holesovsky 41c0b1add3 Sanitize the css theming.
Change-Id: Id0eb21fc7e7039bf406c074cd210c6c355bd7dbf
Signed-off-by: Andras Timar <andras.timar@collabora.com>

Sanitize the css theming.

Signed-off-by: Andras Timar <andras.timar@collabora.com>
Change-Id: Ifccb58c2bc9a070409c9a4dd9e9e4034e7338469
2021-07-16 11:57:43 +02:00

167 lines
4.7 KiB
C++

/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4; fill-column: 100 -*- */
/*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
#include <config.h>
#include <Poco/JSON/Object.h>
#include "FileServer.hpp"
std::string FileServerRequestHandler::uiDefaultsToJSON(const std::string& uiDefaults, std::string& uiMode)
{
static std::string previousUIDefaults;
static std::string previousJSON("{}");
static std::string previousUIMode;
// early exit if we are serving the same thing
if (uiDefaults == previousUIDefaults)
{
uiMode = previousUIMode;
return previousJSON;
}
Poco::JSON::Object json;
Poco::JSON::Object textDefs;
Poco::JSON::Object spreadsheetDefs;
Poco::JSON::Object presentationDefs;
uiMode = "";
StringVector tokens(Util::tokenize(uiDefaults, ';'));
for (const auto& token : tokens)
{
StringVector keyValue(Util::tokenize(tokens.getParam(token), '='));
Poco::JSON::Object* currentDef = nullptr;
std::string key;
// detect the UIMode or component
if (keyValue[0] == "UIMode")
{
if (keyValue[1] == "classic" || keyValue[1] == "notebookbar")
{
json.set("uiMode", keyValue[1]);
uiMode = keyValue[1];
}
else
LOG_ERR("unknown UIMode value " << keyValue[1]);
continue;
}
else if (Util::startsWith(keyValue[0], "Text"))
{
currentDef = &textDefs;
key = keyValue[0].substr(4);
}
else if (Util::startsWith(keyValue[0], "Spreadsheet"))
{
currentDef = &spreadsheetDefs;
key = keyValue[0].substr(11);
}
else if (Util::startsWith(keyValue[0], "Presentation"))
{
currentDef = &presentationDefs;
key = keyValue[0].substr(12);
}
else
{
LOG_ERR("unknown UI default's component " << keyValue[0]);
continue;
}
assert(currentDef);
// detect the actual UI widget we want to hide or show
if (key == "Ruler" || key == "Sidebar" || key == "Statusbar")
{
bool value(true);
if (keyValue[1] == "false" || keyValue[1] == "False" || keyValue[1] == "0")
value = false;
currentDef->set("Show" + key, value);
}
else
{
LOG_ERR("unknown UI default " << keyValue[0]);
continue;
}
}
if (textDefs.size() > 0)
json.set("text", textDefs);
if (spreadsheetDefs.size() > 0)
json.set("spreadsheet", spreadsheetDefs);
if (presentationDefs.size() > 0)
json.set("presentation", presentationDefs);
std::ostringstream oss;
Poco::JSON::Stringifier::stringify(json, oss);
previousUIDefaults = uiDefaults;
previousJSON = oss.str();
previousUIMode = uiMode;
return previousJSON;
}
namespace
{
bool isValidCss(const std::string& token)
{
const std::string forbidden = "<>{}&|\\\"^`'$[]";
for (auto c: token)
{
if (c < 0x20 || c >= 0x7F || forbidden.find(c) != std::string::npos)
return false;
}
return true;
}
}
std::string FileServerRequestHandler::cssVarsToStyle(const std::string& cssVars)
{
static std::string previousVars;
static std::string previousStyle;
// early exit if we are serving the same thing
if (cssVars == previousVars)
return previousStyle;
std::ostringstream styleOSS;
styleOSS << "<style>:root {";
StringVector tokens(Util::tokenize(cssVars, ';'));
for (const auto& token : tokens)
{
StringVector keyValue(Util::tokenize(tokens.getParam(token), '='));
if (keyValue.size() < 2)
{
LOG_ERR("Skipping the token [" << tokens.getParam(token) << "] since it does not have '='");
continue;
}
else if (keyValue.size() > 2)
{
LOG_ERR("Skipping the token [" << tokens.getParam(token) << "] since it has more than one '=' pair");
continue;
}
if (!isValidCss(tokens.getParam(token)))
{
LOG_WRN("Skipping the token [" << tokens.getParam(token) << "] since it contains forbidden characters");
continue;
}
styleOSS << keyValue[0] << ':' << keyValue[1] << ';';
}
styleOSS << "}</style>";
previousVars = cssVars;
previousStyle = styleOSS.str();
return previousStyle;
}
/* vim:set shiftwidth=4 softtabstop=4 expandtab: */