Enduser: ensure to sanitize notification message

Author: ilgrosso

client/idrepo/common-ui/pom.xml

@@ -113,7 +113,12 @@ under the License.
       <groupId>org.apache.pdfbox</groupId>
       <artifactId>pdfbox</artifactId>
     </dependency>
-      
+
+    <dependency>
+      <groupId>org.apache.commons</groupId>
+      <artifactId>commons-text</artifactId>
+    </dependency>
+
     <dependency>
       <groupId>org.apache.syncope.common.keymaster</groupId>
       <artifactId>syncope-common-keymaster-client-api</artifactId>

client/idrepo/common-ui/src/main/java/org/apache/syncope/client/ui/commons/BaseLogin.java

@@ -27,6 +27,7 @@
 import java.util.stream.Collectors;
 import javax.ws.rs.core.HttpHeaders;
 import org.apache.commons.lang3.StringUtils;
+import org.apache.commons.text.StringEscapeUtils;
 import org.apache.syncope.client.ui.commons.panels.BaseSSOLoginFormPanel;
 import org.apache.syncope.client.ui.commons.panels.NotificationPanel;
 import org.apache.syncope.common.keymaster.client.api.DomainOps;
@@ -209,7 +210,7 @@ public void renderHead(final IHeaderResponse response) {
 
         if (StringUtils.isNotBlank(notificationMessage)) {
             response.render(OnLoadHeaderItem.forScript(StyledNotificationBehavior.jQueryShow(
-                    notificationMessage,
+                    StringEscapeUtils.escapeEcmaScript(notificationMessage),
                     String.format("jQuery('#%s').data('kendoNotification')",
                             notificationPanel.getNotificationMarkupId()),
                     notificationLevel)));

client/idrepo/common-ui/src/main/java/org/apache/syncope/client/ui/commons/StyledNotificationBehavior.java

@@ -39,17 +39,25 @@ public StyledNotificationBehavior(final String selector, final Options options)
     @Override
     public void show(final IPartialPageRequestHandler handler, final Serializable message, final String level) {
         if (handler != null) {
-            handler.appendJavaScript(jQueryShow(this.format(String.valueOf(message), level), this.widget(), level));
+            handler.appendJavaScript(jQueryShow(format(String.valueOf(message), level), widget(), level));
         }
     }
 
     public static String jQueryShow(final CharSequence message, final String widget, final String level) {
+        String actual = Notification.INFO.equalsIgnoreCase(level)
+                ? Notification.INFO
+                : Notification.SUCCESS.equalsIgnoreCase(level)
+                ? Notification.SUCCESS
+                : Notification.ERROR.equalsIgnoreCase(level)
+                ? Notification.ERROR
+                : Notification.WARNING;
+
         return String.format("%s.options.autoHideAfter = %s; %s.show( { message: '%s' } , '%s');",
                 widget,
-                Notification.SUCCESS.equalsIgnoreCase(level) || Notification.INFO.equalsIgnoreCase(level)
+                Notification.SUCCESS.equals(actual) || Notification.INFO.equals(actual)
                 ? AUTOHIDEAFTER_GOOD : AUTOHIDEAFTER_BAD,
                 widget,
                 message,
-                level.toLowerCase());
+                actual);
     }
 }