LDKController: HTML-encode container-scope messages and redirect URL

labkey-martyp · labkey-martyp · commit eb7432ddda40 · 2026-06-22T14:24:08.000-06:00
The container-scoped-tables inspection view joined validation messages with StringUtils.join and rendered them via HtmlString.of, and the invalid-redirect error wrapped the user-supplied URL with HtmlString.unsafe. Both reflected unescaped user-controlled content into the page (reflected XSS). Each validation message is now passed through PageFlowUtil.filter before joining (the assembled string is then marked HtmlString.unsafe since its pieces are already encoded), and the redirect error now uses HtmlString.of so the URL is escaped.
diff --git a/LDK/src/org/labkey/ldk/LDKController.java b/LDK/src/org/labkey/ldk/LDKController.java
@@ -92,6 +92,7 @@
 import java.util.Map;
 import java.util.Set;
 import java.util.function.Predicate;
+import java.util.stream.Collectors;
 
 public class LDKController extends SpringActionController
 {
@@ -439,9 +440,9 @@ public ModelAndView getView(Object form, BindException errors) throws Exception
             List<String> messages = service.validateContainerScopedTables(false);
 
             String sb = "This page is designed to inspect all registered container scoped tables and report any tables with duplicate keys in the same container.  This should be enforced by the user schema; however, direct DB inserts will bypass this check.<p>" +
-                    StringUtils.join(messages, "<br>");
+                    messages.stream().map(PageFlowUtil::filter).collect(Collectors.joining("<br>"));
 
-            return new HtmlView(HtmlString.of(sb));
+            return new HtmlView(HtmlString.unsafe(sb));
         }
 
         @Override
@@ -912,7 +913,7 @@ public ModelAndView getView(Object form, BindException errors) throws Exception
                     }
                     catch (URISyntaxException e)
                     {
-                        return new HtmlView(HtmlString.unsafe("Invalid redirect URL set: " + urlString));
+                        return new HtmlView(HtmlString.of("Invalid redirect URL set: " + urlString));
                     }
                 }
             }

Original file line number	Diff line number	Diff line change
`@@ -92,6 +92,7 @@`
`92`	`92`	`import java.util.Map;`
`93`	`93`	`import java.util.Set;`
`94`	`94`	`import java.util.function.Predicate;`
	`95`	`+import java.util.stream.Collectors;`
`95`	`96`
`96`	`97`	`public class LDKController extends SpringActionController`
`97`	`98`	`{`
`@@ -439,9 +440,9 @@ public ModelAndView getView(Object form, BindException errors) throws Exception`
`439`	`440`	`List<String> messages = service.validateContainerScopedTables(false);`
`440`	`441`
`441`	`442`	`String sb = "This page is designed to inspect all registered container scoped tables and report any tables with duplicate keys in the same container. This should be enforced by the user schema; however, direct DB inserts will bypass this check.<p>" +`
`442`		`- StringUtils.join(messages, "<br>");`
	`443`	`+ messages.stream().map(PageFlowUtil::filter).collect(Collectors.joining("<br>"));`
`443`	`444`
`444`		`- return new HtmlView(HtmlString.of(sb));`
	`445`	`+ return new HtmlView(HtmlString.unsafe(sb));`
`445`	`446`	`}`
`446`	`447`
`447`	`448`	`@Override`
`@@ -912,7 +913,7 @@ public ModelAndView getView(Object form, BindException errors) throws Exception`
`912`	`913`	`}`
`913`	`914`	`catch (URISyntaxException e)`
`914`	`915`	`{`
`915`		`- return new HtmlView(HtmlString.unsafe("Invalid redirect URL set: " + urlString));`
	`916`	`+ return new HtmlView(HtmlString.of("Invalid redirect URL set: " + urlString));`
`916`	`917`	`}`
`917`	`918`	`}`
`918`	`919`	`}`