diff options
-rw-r--r-- | build.gradle | 1 | ||||
-rw-r--r-- | src/main/java/org/traccar/MainModule.java | 6 | ||||
-rw-r--r-- | src/main/java/org/traccar/config/Keys.java | 8 | ||||
-rw-r--r-- | src/main/java/org/traccar/helper/SanitizerModule.java | 45 |
4 files changed, 1 insertions, 59 deletions
diff --git a/build.gradle b/build.gradle index 77fe9ec36..c24e25843 100644 --- a/build.gradle +++ b/build.gradle @@ -53,7 +53,6 @@ dependencies { implementation "org.slf4j:slf4j-jdk14:2.0.12" implementation "com.google.inject:guice:$guiceVersion" implementation "com.google.inject.extensions:guice-servlet:$guiceVersion" - implementation "org.owasp.encoder:encoder:1.2.3" implementation "org.glassfish:jakarta.json:2.0.1" implementation "com.sun.mail:jakarta.mail:2.0.1" implementation "org.eclipse.jetty:jetty-server:$jettyVersion" diff --git a/src/main/java/org/traccar/MainModule.java b/src/main/java/org/traccar/MainModule.java index 89d3d2fe0..66238ab44 100644 --- a/src/main/java/org/traccar/MainModule.java +++ b/src/main/java/org/traccar/MainModule.java @@ -79,7 +79,6 @@ import org.traccar.handler.GeolocationHandler; import org.traccar.handler.SpeedLimitHandler; import org.traccar.handler.TimeHandler; import org.traccar.helper.ObjectMapperContextResolver; -import org.traccar.helper.SanitizerModule; import org.traccar.helper.WebHelper; import org.traccar.mail.LogMailManager; import org.traccar.mail.MailManager; @@ -132,11 +131,8 @@ public class MainModule extends AbstractModule { @Singleton @Provides - public static ObjectMapper provideObjectMapper(Config config) { + public static ObjectMapper provideObjectMapper() { ObjectMapper objectMapper = new ObjectMapper(); - if (config.getBoolean(Keys.WEB_SANITIZE)) { - objectMapper.registerModule(new SanitizerModule()); - } objectMapper.registerModule(new JSONPModule()); objectMapper.disable(SerializationFeature.WRITE_DATES_AS_TIMESTAMPS); return objectMapper; diff --git a/src/main/java/org/traccar/config/Keys.java b/src/main/java/org/traccar/config/Keys.java index 5d9a43c01..91d5dac5d 100644 --- a/src/main/java/org/traccar/config/Keys.java +++ b/src/main/java/org/traccar/config/Keys.java @@ -775,14 +775,6 @@ public final class Keys { 600); /** - * Sanitize all strings returned via API. This is needed to fix XSS issues in the old web interface. New React-based - * interface doesn't require this. - */ - public static final ConfigKey<Boolean> WEB_SANITIZE = new BooleanConfigKey( - "web.sanitize", - List.of(KeyType.CONFIG)); - - /** * Path to the web app folder. */ public static final ConfigKey<String> WEB_PATH = new StringConfigKey( diff --git a/src/main/java/org/traccar/helper/SanitizerModule.java b/src/main/java/org/traccar/helper/SanitizerModule.java deleted file mode 100644 index af9ac5c2b..000000000 --- a/src/main/java/org/traccar/helper/SanitizerModule.java +++ /dev/null @@ -1,45 +0,0 @@ -/* - * Copyright 2018 Anton Tananaev (anton@traccar.org) - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.traccar.helper; - -import com.fasterxml.jackson.core.JsonGenerator; -import com.fasterxml.jackson.databind.SerializerProvider; -import com.fasterxml.jackson.databind.module.SimpleModule; -import com.fasterxml.jackson.databind.ser.std.StdSerializer; -import org.owasp.encoder.Encode; - -import java.io.IOException; - -public class SanitizerModule extends SimpleModule { - - public static class SanitizerSerializer extends StdSerializer<String> { - - protected SanitizerSerializer() { - super(String.class); - } - - @Override - public void serialize(String value, JsonGenerator gen, SerializerProvider provider) throws IOException { - gen.writeString(Encode.forHtml(value)); - } - - } - - public SanitizerModule() { - addSerializer(new SanitizerSerializer()); - } - -} |