From d83502ac2885c64a9d65a17e1573dedc9b0680d4 Mon Sep 17 00:00:00 2001
From: Anton Tananaev
Date: Sat, 1 Jun 2024 13:44:30 -0700
Subject: Remove sanitization option
---
 src/main/java/org/traccar/MainModule.java | 6 +--
 src/main/java/org/traccar/config/Keys.java | 8 ----
 .../java/org/traccar/helper/SanitizerModule.java | 45 ----------------------
 3 files changed, 1 insertion(+), 58 deletions(-)
 delete mode 100644 src/main/java/org/traccar/helper/SanitizerModule.java
(limited to 'src/main/java/org/traccar')
diff --git a/src/main/java/org/traccar/MainModule.java b/src/main/java/org/traccar/MainModule.java
index 89d3d2fe0..66238ab44 100644
--- a/src/main/java/org/traccar/MainModule.java
+++ b/src/main/java/org/traccar/MainModule.java
@@ -79,7 +79,6 @@ import org.traccar.handler.GeolocationHandler;
 import org.traccar.handler.SpeedLimitHandler;
 import org.traccar.handler.TimeHandler;
 import org.traccar.helper.ObjectMapperContextResolver;
-import org.traccar.helper.SanitizerModule;
 import org.traccar.helper.WebHelper;
 import org.traccar.mail.LogMailManager;
 import org.traccar.mail.MailManager;
@@ -132,11 +131,8 @@ public class MainModule extends AbstractModule {
 
 @Singleton
 @Provides
- public static ObjectMapper provideObjectMapper(Config config) {
+ public static ObjectMapper provideObjectMapper() {
 ObjectMapper objectMapper = new ObjectMapper();
- if (config.getBoolean(Keys.WEB_SANITIZE)) {
- objectMapper.registerModule(new SanitizerModule());
- }
 objectMapper.registerModule(new JSONPModule());
 objectMapper.disable(SerializationFeature.WRITE_DATES_AS_TIMESTAMPS);
 return objectMapper;
diff --git a/src/main/java/org/traccar/config/Keys.java b/src/main/java/org/traccar/config/Keys.java
index 5d9a43c01..91d5dac5d 100644
--- a/src/main/java/org/traccar/config/Keys.java
+++ b/src/main/java/org/traccar/config/Keys.java
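Review bot: An installation that still sets `web.sanitize` loses HTML encoding of every serialized string without any signal, because `provideObjectMapper()` no longer registers the sanitizer and the key disappears from Keys.java in the same commit. The removed key's Javadoc says the encoding existed to fix XSS in the old web interface, so any client that still inserts API values into HTML (that interface, or a third-party front end) now receives the stored strings unescaped. I would record the contract on the provider, e.g. `// Strings are serialized verbatim; clients must escape API values for the context they render them in.`, and mention the dropped key in the upgrade notes; whether leftover keys are reported at startup is not visible here. The method's closing brace lies outside the hunk.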
@@ -774,14 +774,6 @@ public final class Keys {
 List.of(KeyType.CONFIG),
 600);
 
- /**
- * Sanitize all strings returned via API. This is needed to fix XSS issues in the old web interface. New React-based
- * interface doesn't require this.
- */
- public static final ConfigKey WEB_SANITIZE = new BooleanConfigKey(
- "web.sanitize",
- List.of(KeyType.CONFIG));
-
 /**
 * Path to the web app folder.
 */
diff --git a/src/main/java/org/traccar/helper/SanitizerModule.java b/src/main/java/org/traccar/helper/SanitizerModule.java
deleted file mode 100644
index af9ac5c2b..000000000
--- a/src/main/java/org/traccar/helper/SanitizerModule.java
+++ /dev/null
@@ -1,45 +0,0 @@
-/*
- * Copyright 2018 Anton Tananaev (anton@traccar.org)
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.traccar.helper;
-
-import com.fasterxml.jackson.core.JsonGenerator;
-import com.fasterxml.jackson.databind.SerializerProvider;
-import com.fasterxml.jackson.databind.module.SimpleModule;
-import com.fasterxml.jackson.databind.ser.std.StdSerializer;
-import org.owasp.encoder.Encode;
-
-import java.io.IOException;
-
-public class SanitizerModule extends SimpleModule {
-
- public static class SanitizerSerializer extends StdSerializer {
-
- protected SanitizerSerializer() {
- super(String.class);
- }
-
- @Override
- public void serialize(String value, JsonGenerator gen, SerializerProvider provider) throws IOException {
- gen.writeString(Encode.forHtml(value));
- }
-
- }
-
- public SanitizerModule() {
- addSerializer(new SanitizerSerializer());
- }
-
-}
-- cgit v1.2.3