From edf6e256e18ff7d32eae506d58263b920fb074f0 Mon Sep 17 00:00:00 2001
From: Michael Primm
Date: Sun, 11 Dec 2022 15:44:48 -0600
Subject: [PATCH] Switch sanitizeHTML to marker load/create/update
---
 .../src/main/java/org/dynmap/Client.java | 2 +
 .../dynmap/markers/impl/AreaMarkerImpl.java | 16 ++++----
 .../dynmap/markers/impl/CircleMarkerImpl.java | 9 ++++-
 .../dynmap/markers/impl/MarkerAPIImpl.java | 40 ++++++++++---------
 .../dynmap/markers/impl/MarkerIconImpl.java | 2 +-
 .../org/dynmap/markers/impl/MarkerImpl.java | 9 +++--
 .../dynmap/markers/impl/MarkerSetImpl.java | 10 ++---
 .../dynmap/markers/impl/PlayerSetImpl.java | 2 +-
 .../markers/impl/PolyLineMarkerImpl.java | 10 +++--
 9 files changed, 57 insertions(+), 43 deletions(-)
diff --git a/DynmapCore/src/main/java/org/dynmap/Client.java b/DynmapCore/src/main/java/org/dynmap/Client.java
index 4a7dd0ed..a8a956d8 100644
--- a/DynmapCore/src/main/java/org/dynmap/Client.java
+++ b/DynmapCore/src/main/java/org/dynmap/Client.java
@@ -286,6 +286,8 @@ public class Client {
 private static PolicyFactory sanitizer = null;
 private static PolicyFactory OLDTAGS = new HtmlPolicyBuilder().allowElements("center", "basefont", "hr").toFactory();
 public static String sanitizeHTML(String html) {
+ // Don't sanitize if null or no html markup
+ if ((html == null) || (html.indexOf('<') < 0)) return html;
 PolicyFactory s = sanitizer;
 if (s == null) {
 // Generous but safe html formatting allowances
diff --git a/DynmapCore/src/main/java/org/dynmap/markers/impl/AreaMarkerImpl.java b/DynmapCore/src/main/java/org/dynmap/markers/impl/AreaMarkerImpl.java
index 5649d2c4..eff87457 100644
--- a/DynmapCore/src/main/java/org/dynmap/markers/impl/AreaMarkerImpl.java
+++ b/DynmapCore/src/main/java/org/dynmap/markers/impl/AreaMarkerImpl.java
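Review bot: The new early return in `sanitizeHTML` treats any string without `<` as already safe, so such values skip the policy entirely and come back unchanged, including any raw `&`, `"` or `'` they contain. That holds only while every consumer places the result in element content; whether a label or description is ever written into an attribute value on the client is not visible in this patch and should be checked. I would record the assumption next to the check, e.g. `// Fast path: without '<' no tag can start; the result is only safe as element content, not inside an attribute value`. The body of `sanitizeHTML` continues past the end of the hunk.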
@@ -72,9 +72,9 @@ class AreaMarkerImpl implements AreaMarker, EnterExitMarker {
 AreaMarkerImpl(String id, String lbl, boolean markup, String world, double x[], double z[], boolean persistent, MarkerSetImpl set) {
 markerid = id;
 if(lbl != null)
- label = markup ? lbl : Client.encodeForHTML(lbl);
+ label = markup ? Client.sanitizeHTML(lbl) : Client.encodeForHTML(lbl);
 else
- label = markup ? id : Client.encodeForHTML(id);
+ label = markup ? Client.sanitizeHTML(id) : Client.encodeForHTML(id);
 this.markup = markup;
 this.corners = new ArrayList();
 for(int i = 0; i < x.length; i++) {
@@ -118,9 +118,10 @@ class AreaMarkerImpl implements AreaMarker, EnterExitMarker {
 * Load marker from configuration node
 * @param node - configuration node
 */
- boolean loadPersistentData(ConfigurationNode node) {
+ boolean loadPersistentData(ConfigurationNode node, boolean isSafe) {
 markup = node.getBoolean("markup", false);
 label = MarkerAPIImpl.escapeForHTMLIfNeeded(node.getString("label", markerid), markup);
+ if (!isSafe) label = Client.sanitizeHTML(label);
 ytop = node.getDouble("ytop", 64.0);
 ybottom = node.getDouble("ybottom", 64.0);
 List xx = node.getList("x");
@@ -133,6 +134,7 @@ class AreaMarkerImpl implements AreaMarker, EnterExitMarker {
 world = node.getString("world", "world");
 normalized_world = DynmapWorld.normalizeWorldName(world);
 desc = node.getString("desc", null);
+ if (!isSafe) desc = Client.sanitizeHTML(desc);
 lineweight = node.getInteger("strokeWeight", -1);
 if(lineweight == -1) { /* Handle typo-saved value */
 lineweight = node.getInteger("stokeWeight", 3);
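Review bot: The Javadoc above `loadPersistentData` still documents only `node`, although the new `isSafe` parameter decides whether the label and description read from the file are sanitized. I would add `* @param isSafe - true if the file was saved by a version that sanitizes label/desc before storing them; when false both are passed through Client.sanitizeHTML on load`. The same comment is missing on the `loadPersistentData` methods changed in CircleMarkerImpl, MarkerImpl, MarkerSetImpl, PlayerSetImpl and PolyLineMarkerImpl. The method body runs on beyond this hunk.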
@@ -215,12 +217,7 @@ class AreaMarkerImpl implements AreaMarker, EnterExitMarker {
 @Override
 public void setLabel(String lbl, boolean markup) {
 if(markerset == null) return;
- if (markup) {
- label = lbl;
- }
- else { // If not markup, escape any HTML-active characters (<>&"')
- label = Client.encodeForHTML(lbl);
- }
+ label = markup ? Client.sanitizeHTML(lbl) : Client.encodeForHTML(lbl);
 this.markup = markup;
 MarkerAPIImpl.areaMarkerUpdated(this, MarkerUpdate.UPDATED);
 if(ispersistent)
@@ -298,6 +295,7 @@ class AreaMarkerImpl implements AreaMarker, EnterExitMarker {
 @Override
 public void setDescription(String desc) {
 if(markerset == null) return;
+ desc = Client.sanitizeHTML(desc);
 if((this.desc == null) || (this.desc.equals(desc) == false)) {
 this.desc = desc;
 MarkerAPIImpl.areaMarkerUpdated(this, MarkerUpdate.UPDATED);
diff --git a/DynmapCore/src/main/java/org/dynmap/markers/impl/CircleMarkerImpl.java b/DynmapCore/src/main/java/org/dynmap/markers/impl/CircleMarkerImpl.java
index 1bb92d13..157129b4 100644
--- a/DynmapCore/src/main/java/org/dynmap/markers/impl/CircleMarkerImpl.java
+++ b/DynmapCore/src/main/java/org/dynmap/markers/impl/CircleMarkerImpl.java
@@ -67,6 +67,7 @@ class CircleMarkerImpl implements CircleMarker, EnterExitMarker {
 label = markup ? lbl : Client.encodeColorInHTML(lbl);
 else
 label = markup ? id : Client.encodeColorInHTML(id);
+ label = Client.sanitizeHTML(label);
 this.markup = markup;
 this.x = x; this.y = y; this.z = z; this.xr = xr; this.zr = zr;
@@ -86,7 +87,7 @@ class CircleMarkerImpl implements CircleMarker, EnterExitMarker {
 CircleMarkerImpl(String id, MarkerSetImpl set) {
 markerid = id;
 markerset = set;
- label = Client.encodeForHTML(id);
+ label = Client.sanitizeHTML(Client.encodeForHTML(id));
 markup = false;
 desc = null;
 world = normalized_world = "world";
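Review bot: The label is cleaned in three different shapes across this patch, which makes it hard to confirm that every path ends up equivalent: AreaMarkerImpl uses `markup ? Client.sanitizeHTML(lbl) : Client.encodeForHTML(lbl)`, the CircleMarkerImpl constructor and `setLabel` run `label = Client.sanitizeHTML(label);` after the ternary, and MarkerImpl.setLabel wraps the whole ternary in one call. In the CircleMarkerImpl constructor this means the output of `Client.encodeColorInHTML` also passes through the sanitizer; that helper and the policy are outside the diff, so it is worth confirming the policy keeps whatever markup the helper emits. `Client.sanitizeHTML(Client.encodeForHTML(id))` in the two-argument constructors is harmless but presumably a no-op, since the removed comment says `encodeForHTML` escapes `<` and `sanitizeHTML` now returns early when there is none. A single shared helper taking `(lbl, markup)` would make the four marker classes agree by construction.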
@@ -100,9 +101,10 @@ class CircleMarkerImpl implements CircleMarker, EnterExitMarker {
 * Load marker from configuration node
 * @param node - configuration node
 */
- boolean loadPersistentData(ConfigurationNode node) {
+ boolean loadPersistentData(ConfigurationNode node, boolean isSafe) {
 markup = node.getBoolean("markup", false);
 label = MarkerAPIImpl.escapeForHTMLIfNeeded(node.getString("label", markerid), markup);
+ if (!isSafe) label = Client.sanitizeHTML(label);
 world = node.getString("world", "world");
 normalized_world = DynmapWorld.normalizeWorldName(world);
 x = node.getDouble("x", 0);
@@ -111,6 +113,7 @@ class CircleMarkerImpl implements CircleMarker, EnterExitMarker {
 xr = node.getDouble("xr", 0);
 zr = node.getDouble("zr", 0);
 desc = node.getString("desc", null);
+ if (!isSafe) desc = Client.sanitizeHTML(desc);
 lineweight = node.getInteger("strokeWeight", -1);
 if(lineweight == -1) { /* Handle typo-saved value */
 lineweight = node.getInteger("stokeWeight", 3);
@@ -192,6 +195,7 @@ class CircleMarkerImpl implements CircleMarker, EnterExitMarker {
 @Override
 public void setLabel(String lbl, boolean markup) {
 label = markup ? lbl : Client.encodeForHTML(lbl);
+ label = Client.sanitizeHTML(label);
 this.markup = markup;
 MarkerAPIImpl.circleMarkerUpdated(this, MarkerUpdate.UPDATED);
 if(ispersistent)
@@ -262,6 +266,7 @@ class CircleMarkerImpl implements CircleMarker, EnterExitMarker {
 }
 @Override
 public void setDescription(String desc) {
+ desc = Client.sanitizeHTML(desc);
 if((this.desc == null) || (this.desc.equals(desc) == false)) {
 this.desc = desc;
 MarkerAPIImpl.circleMarkerUpdated(this, MarkerUpdate.UPDATED);
diff --git a/DynmapCore/src/main/java/org/dynmap/markers/impl/MarkerAPIImpl.java b/DynmapCore/src/main/java/org/dynmap/markers/impl/MarkerAPIImpl.java
index 39e8f2dc..a185e222 100644
--- a/DynmapCore/src/main/java/org/dynmap/markers/impl/MarkerAPIImpl.java
+++ b/DynmapCore/src/main/java/org/dynmap/markers/impl/MarkerAPIImpl.java
@@ -102,14 +102,14 @@ public class MarkerAPIImpl implements MarkerAPI, Event.Listener {
 public MarkerUpdated(Marker m, boolean deleted) {
 this.id = m.getMarkerID();
- this.label = Client.sanitizeHTML(m.getLabel());
+ this.label = m.getLabel();
 this.x = m.getX();
 this.y = m.getY();
 this.z = m.getZ();
 this.set = m.getMarkerSet().getMarkerSetID();
 this.icon = m.getMarkerIcon().getMarkerIconID();
 this.markup = true; // We are markup format all the time now
- this.desc = Client.sanitizeHTML(m.getDescription());
+ this.desc = m.getDescription();
 this.dim = m.getMarkerIcon().getMarkerIconSize().getSize();
 this.minzoom = m.getMinZoom();
 this.maxzoom = m.getMaxZoom();
@@ -153,7 +153,7 @@ public class MarkerAPIImpl implements MarkerAPI, Event.Listener {
 public AreaMarkerUpdated(AreaMarker m, boolean deleted) {
 this.id = m.getMarkerID();
- this.label = Client.sanitizeHTML(m.getLabel());
+ this.label = m.getLabel();
 this.ytop = m.getTopY();
 this.ybottom = m.getBottomY();
 int cnt = m.getCornerCount();
@@ -168,7 +168,7 @@ public class MarkerAPIImpl implements MarkerAPI, Event.Listener {
 opacity = m.getLineOpacity();
 fillcolor = String.format("#%06X", m.getFillColor());
 fillopacity = m.getFillOpacity();
- desc = Client.sanitizeHTML(m.getDescription());
+ desc = m.getDescription();
 this.minzoom = m.getMinZoom();
 this.maxzoom = m.getMaxZoom();
 this.markup = true; // We are markup format all the time now
@@ -211,7 +211,7 @@ public class MarkerAPIImpl implements MarkerAPI, Event.Listener {
 public PolyLineMarkerUpdated(PolyLineMarker m, boolean deleted) {
 this.id = m.getMarkerID();
- this.label = Client.sanitizeHTML(m.getLabel());
+ this.label = m.getLabel();
 this.markup = true; // We are markup format all the time now
 int cnt = m.getCornerCount();
 x = new double[cnt];
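Review bot: With `Client.sanitizeHTML` removed from `MarkerUpdated`, nothing on the output path cleans `m.getLabel()` or `m.getDescription()` any more, so the update message is only as safe as whatever stored the value. The constructor accepts the `Marker` interface, so any object whose label or description did not pass through one of the sanitizing setters, constructors or loaders in this patch would reach browsers unchanged. The same applies to `AreaMarkerUpdated`, `PolyLineMarkerUpdated`, `CircleMarkerUpdated` and the four `mdata.put("label", …)` / `mdata.put("desc", …)` hunks further down. Because `sanitizeHTML` now returns early for strings without `<`, keeping the call here as a second layer would cost little; at minimum the invariant deserves a comment such as `// label/desc are sanitized when set or loaded; never assign them without Client.sanitizeHTML`.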
@@ -225,7 +225,7 @@ public class MarkerAPIImpl implements MarkerAPI, Event.Listener {
 color = String.format("#%06X", m.getLineColor());
 weight = m.getLineWeight();
 opacity = m.getLineOpacity();
- desc = Client.sanitizeHTML(m.getDescription());
+ desc = m.getDescription();
 this.minzoom = m.getMinZoom();
 this.maxzoom = m.getMaxZoom();
@@ -271,7 +271,7 @@ public class MarkerAPIImpl implements MarkerAPI, Event.Listener {
 public CircleMarkerUpdated(CircleMarker m, boolean deleted) {
 this.id = m.getMarkerID();
- this.label = Client.sanitizeHTML(m.getLabel());
+ this.label = m.getLabel();
 this.x = m.getCenterX();
 this.y = m.getCenterY();
 this.z = m.getCenterZ();
@@ -283,7 +283,7 @@ public class MarkerAPIImpl implements MarkerAPI, Event.Listener {
 opacity = m.getLineOpacity();
 fillcolor = String.format("#%06X", m.getFillColor());
 fillopacity = m.getFillOpacity();
- desc = Client.sanitizeHTML(m.getDescription());
+ desc = m.getDescription();
 this.minzoom = m.getMinZoom();
 this.maxzoom = m.getMaxZoom();
@@ -822,6 +822,7 @@ public class MarkerAPIImpl implements MarkerAPI, Event.Listener {
 final ConfigurationNode conf = new ConfigurationNode(api.markerpersist); /* Make configuration object */
 /* First, save icon definitions */
 HashMap icons = new HashMap();
+ conf.put("isSafe", true); // Mark as safe (sanitized)
 for(String id : api.markericons.keySet()) {
 MarkerIconImpl ico = api.markericons.get(id);
 Map dat = ico.getPersistentData();
@@ -885,13 +886,14 @@ public class MarkerAPIImpl implements MarkerAPI, Event.Listener {
 ConfigurationNode conf = new ConfigurationNode(api.markerpersist); /* Make configuration object */
 conf.load(); /* Load persistence */
 lock.writeLock().lock();
+ boolean isSafe = conf.getBoolean("isSafe", false);
 try {
 /* Get icons */
 ConfigurationNode icons = conf.getNode("icons");
 if(icons == null) return false;
 for(String id : icons.keySet()) {
 MarkerIconImpl ico = new MarkerIconImpl(id);
- if(ico.loadPersistentData(icons.getNode(id))) {
+ if(ico.loadPersistentData(icons.getNode(id), isSafe)) {
 markericons.put(id, ico);
 }
 }
@@ -900,7 +902,7 @@ public class MarkerAPIImpl implements MarkerAPI, Event.Listener {
 if(sets != null) {
 for(String id: sets.keySet()) {
 MarkerSetImpl set = new MarkerSetImpl(id);
- if(set.loadPersistentData(sets.getNode(id))) {
+ if(set.loadPersistentData(sets.getNode(id), isSafe)) {
 markersets.put(id, set);
 }
 }
@@ -910,7 +912,7 @@ public class MarkerAPIImpl implements MarkerAPI, Event.Listener {
 if(psets != null) {
 for(String id: psets.keySet()) {
 PlayerSetImpl set = new PlayerSetImpl(id);
- if(set.loadPersistentData(sets.getNode(id))) {
+ if(set.loadPersistentData(sets.getNode(id), isSafe)) {
 playersets.put(id, set);
 }
 }
@@ -3329,10 +3331,10 @@ public class MarkerAPIImpl implements MarkerAPI, Event.Listener {
 mi = MarkerAPIImpl.getMarkerIconImpl(MarkerIcon.DEFAULT);
 mdata.put("icon", mi.getMarkerIconID());
 mdata.put("dim", mi.getMarkerIconSize().getSize());
- mdata.put("label", Client.sanitizeHTML(m.getLabel()));
+ mdata.put("label", m.getLabel());
 mdata.put("markup", m.isLabelMarkup());
 if(m.getDescription() != null)
- mdata.put("desc", Client.sanitizeHTML(m.getDescription()));
+ mdata.put("desc", m.getDescription());
 if (m.getMinZoom() >= 0) {
 mdata.put("minzoom", m.getMinZoom());
 }
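Review bot: `isSafe` is read from the same file whose contents it vouches for, so a markers file that was edited by hand, written by another tool or restored from elsewhere can carry `isSafe: true` alongside unsanitized labels and descriptions, and the loaders will then skip `sanitizeHTML`. Because this patch also removes sanitization from the update messages and the JSON writer, the load path is the only place persisted text is cleaned. Sanitizing unconditionally on load would remove the dependency on the flag, and the early return added to `sanitizeHTML` keeps that cheap for plain-text values. Separately, `boolean isSafe = conf.getBoolean("isSafe", false);` sits between `lock.writeLock().lock();` and `try {`; assuming the unlock is in that try's `finally` (outside the hunk), an exception on this line would leave the write lock held, so the declaration should move above the `lock()` call.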
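Review bot: The player-set loop iterates `psets.keySet()`, but the line being changed still fetches the node from `sets`: `set.loadPersistentData(sets.getNode(id), isSafe)`. That looks each player-set id up in the marker-set section and dereferences `sets`, which the preceding block explicitly allows to be null, so player sets would presumably load from the wrong node or fail. Since the line is edited anyway it should read `if(set.loadPersistentData(psets.getNode(id), isSafe)) {`. The declaration of `psets` is outside the hunk, so confirm it is the player-set node before changing it.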
@@ -3365,10 +3367,10 @@ public class MarkerAPIImpl implements MarkerAPI, Event.Listener {
 mdata.put("opacity", m.getLineOpacity());
 mdata.put("fillopacity", m.getFillOpacity());
 mdata.put("weight", m.getLineWeight());
- mdata.put("label", Client.sanitizeHTML(m.getLabel()));
+ mdata.put("label", m.getLabel());
 mdata.put("markup", m.isLabelMarkup());
 if(m.getDescription() != null)
- mdata.put("desc", Client.sanitizeHTML(m.getDescription()));
+ mdata.put("desc", m.getDescription());
 if (m.getMinZoom() >= 0) {
 mdata.put("minzoom", m.getMinZoom());
 }
@@ -3400,10 +3402,10 @@ public class MarkerAPIImpl implements MarkerAPI, Event.Listener {
 mdata.put("color", String.format("#%06X", m.getLineColor()));
 mdata.put("opacity", m.getLineOpacity());
 mdata.put("weight", m.getLineWeight());
- mdata.put("label", Client.sanitizeHTML(m.getLabel()));
+ mdata.put("label", m.getLabel());
 mdata.put("markup", m.isLabelMarkup());
 if(m.getDescription() != null)
- mdata.put("desc", Client.sanitizeHTML(m.getDescription()));
+ mdata.put("desc", m.getDescription());
 if (m.getMinZoom() >= 0) {
 mdata.put("minzoom", m.getMinZoom());
 }
@@ -3430,10 +3432,10 @@ public class MarkerAPIImpl implements MarkerAPI, Event.Listener {
 mdata.put("opacity", m.getLineOpacity());
 mdata.put("fillopacity", m.getFillOpacity());
 mdata.put("weight", m.getLineWeight());
- mdata.put("label", Client.sanitizeHTML(m.getLabel()));
+ mdata.put("label", m.getLabel());
 mdata.put("markup", m.isLabelMarkup());
 if(m.getDescription() != null)
- mdata.put("desc", Client.sanitizeHTML(m.getDescription()));
+ mdata.put("desc", m.getDescription());
 if (m.getMinZoom() >= 0) {
 mdata.put("minzoom", m.getMinZoom());
 }
diff --git a/DynmapCore/src/main/java/org/dynmap/markers/impl/MarkerIconImpl.java b/DynmapCore/src/main/java/org/dynmap/markers/impl/MarkerIconImpl.java
index 12fd432e..7c261558 100644
--- a/DynmapCore/src/main/java/org/dynmap/markers/impl/MarkerIconImpl.java
+++ b/DynmapCore/src/main/java/org/dynmap/markers/impl/MarkerIconImpl.java
@@ -81,7 +81,7 @@ class MarkerIconImpl implements MarkerIcon {
 return node;
 }
- boolean loadPersistentData(ConfigurationNode node) {
+ boolean loadPersistentData(ConfigurationNode node, boolean isSafe) {
 if(is_builtin) return false;
diff --git a/DynmapCore/src/main/java/org/dynmap/markers/impl/MarkerImpl.java b/DynmapCore/src/main/java/org/dynmap/markers/impl/MarkerImpl.java
index c469d37a..fa325978 100644
--- a/DynmapCore/src/main/java/org/dynmap/markers/impl/MarkerImpl.java
+++ b/DynmapCore/src/main/java/org/dynmap/markers/impl/MarkerImpl.java
@@ -63,7 +63,7 @@ class MarkerImpl implements Marker {
 MarkerImpl(String id, MarkerSetImpl set) {
 markerid = id;
 markerset = set;
- label = Client.encodeForHTML(id);
+ label = Client.sanitizeHTML(Client.encodeForHTML(id));
 markup = false;
 desc = null;
 x = z = 0; y = 64; world = normalized_world = "world";
@@ -75,15 +75,17 @@ class MarkerImpl implements Marker {
 * Load marker from configuration node
 * @param node - configuration node
 */
- boolean loadPersistentData(ConfigurationNode node) {
+ boolean loadPersistentData(ConfigurationNode node, boolean isSafe) {
 markup = node.getBoolean("markup", false);
 label = MarkerAPIImpl.escapeForHTMLIfNeeded(node.getString("label", markerid), markup);
+ if (!isSafe) label = Client.sanitizeHTML(label);
 x = node.getDouble("x", 0);
 y = node.getDouble("y", 64);
 z = node.getDouble("z", 0);
 world = node.getString("world", "world");
 normalized_world = DynmapWorld.normalizeWorldName(world);
 desc = node.getString("desc", null);
+ if (!isSafe) desc = Client.sanitizeHTML(desc);
 minzoom = node.getInteger("minzoom", -1);
 maxzoom = node.getInteger("maxzoom", -1);
 icon = MarkerAPIImpl.getMarkerIconImpl(node.getString("icon", MarkerIcon.DEFAULT));
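Review bot: In MarkerImpl only the two-argument constructor `MarkerImpl(String id, MarkerSetImpl set)` receives a sanitizing change, whereas AreaMarkerImpl, CircleMarkerImpl and PolyLineMarkerImpl each also have their `lbl`/`markup` constructor patched. If MarkerImpl has a corresponding constructor that takes a label (it does not appear in this diff), a markup label passed at creation would be stored as given, and with sanitization removed from `MarkerUpdated` and the JSON writer nothing later would clean it. That constructor should finish its label assignment with `label = Client.sanitizeHTML(label);` as the other three classes do.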
@@ -168,7 +170,7 @@ class MarkerImpl implements Marker {
 @Override
 public void setLabel(String lbl, boolean markup) {
 if(markerset == null) return;
- label = markup ? lbl : Client.encodeForHTML(lbl);
+ label = Client.sanitizeHTML(markup ? lbl : Client.encodeForHTML(lbl));
 this.markup = markup;
 MarkerAPIImpl.markerUpdated(this, MarkerUpdate.UPDATED);
 if(ispersistent)
@@ -239,6 +241,7 @@ class MarkerImpl implements Marker {
 @Override
 public void setDescription(String desc) {
 if(markerset == null) return;
+ desc = Client.sanitizeHTML(desc);
 if((this.desc == null) || (this.desc.equals(desc) == false)) {
 this.desc = desc;
 MarkerAPIImpl.markerUpdated(this, MarkerUpdate.UPDATED);
diff --git a/DynmapCore/src/main/java/org/dynmap/markers/impl/MarkerSetImpl.java b/DynmapCore/src/main/java/org/dynmap/markers/impl/MarkerSetImpl.java
index 622121a9..01b590e2 100644
--- a/DynmapCore/src/main/java/org/dynmap/markers/impl/MarkerSetImpl.java
+++ b/DynmapCore/src/main/java/org/dynmap/markers/impl/MarkerSetImpl.java
@@ -449,14 +449,14 @@ class MarkerSetImpl implements MarkerSet {
 * Load marker from configuration node
 * @param node - configuration node
 */
- boolean loadPersistentData(ConfigurationNode node) {
+ boolean loadPersistentData(ConfigurationNode node, boolean isSafe) {
 label = node.getString("label", setid); /* Get label */
 ConfigurationNode markernode = node.getNode("markers");
 if (markernode != null) {
 for(String id : markernode.keySet()) {
 MarkerImpl marker = new MarkerImpl(id, this); /* Make and load marker */
 ConfigurationNode cfg = markernode.getNode(id);
- if ((cfg != null) && marker.loadPersistentData(cfg)) {
+ if ((cfg != null) && marker.loadPersistentData(cfg, isSafe)) {
 markers.put(id, marker);
 }
 else {
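Review bot: `MarkerSetImpl.loadPersistentData` now receives `isSafe` but only forwards it to the markers; the set's own label on the first line, `label = node.getString("label", setid);`, is stored exactly as read from the file. Whether set labels are rendered as HTML by the client is not visible here, but if they are they need the same treatment as marker labels, e.g. `label = Client.sanitizeHTML(node.getString("label", setid));`. MarkerIconImpl.loadPersistentData gains the parameter as well, and its visible lines do not use it. The method body continues past this hunk.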
@@ -470,7 +470,7 @@ class MarkerSetImpl implements MarkerSet {
 for(String id : areamarkernode.keySet()) {
 AreaMarkerImpl marker = new AreaMarkerImpl(id, this); /* Make and load marker */
 ConfigurationNode cfg = areamarkernode.getNode(id);
- if ((cfg != null) && marker.loadPersistentData(cfg)) {
+ if ((cfg != null) && marker.loadPersistentData(cfg, isSafe)) {
 areamarkers.put(id, marker);
 if(marker.getBoostFlag()) {
 if(boostingareamarkers == null) {
@@ -496,7 +496,7 @@ class MarkerSetImpl implements MarkerSet {
 for(String id : linemarkernode.keySet()) {
 PolyLineMarkerImpl marker = new PolyLineMarkerImpl(id, this); /* Make and load marker */
 ConfigurationNode cfg = linemarkernode.getNode(id);
- if ((cfg != null) && marker.loadPersistentData(cfg)) {
+ if ((cfg != null) && marker.loadPersistentData(cfg, isSafe)) {
 linemarkers.put(id, marker);
 }
 else {
@@ -510,7 +510,7 @@ class MarkerSetImpl implements MarkerSet {
 for(String id : circlemarkernode.keySet()) {
 CircleMarkerImpl marker = new CircleMarkerImpl(id, this); /* Make and load marker */
 ConfigurationNode cfg = circlemarkernode.getNode(id);
- if ((cfg != null) && marker.loadPersistentData(cfg)) {
+ if ((cfg != null) && marker.loadPersistentData(cfg, isSafe)) {
 circlemarkers.put(id, marker);
 if(marker.getBoostFlag()) {
 if(boostingcirclemarkers == null) {
diff --git a/DynmapCore/src/main/java/org/dynmap/markers/impl/PlayerSetImpl.java b/DynmapCore/src/main/java/org/dynmap/markers/impl/PlayerSetImpl.java
index e8fab242..06b3025d 100644
--- a/DynmapCore/src/main/java/org/dynmap/markers/impl/PlayerSetImpl.java
+++ b/DynmapCore/src/main/java/org/dynmap/markers/impl/PlayerSetImpl.java
@@ -71,7 +71,7 @@ class PlayerSetImpl implements PlayerSet {
 * Load marker from configuration node
 * @param node - configuration node
 */
- boolean loadPersistentData(ConfigurationNode node) {
+ boolean loadPersistentData(ConfigurationNode node, boolean isSafe) {
 List plist = node.getList("players");
 if(plist != null) {
 players.clear();
diff --git a/DynmapCore/src/main/java/org/dynmap/markers/impl/PolyLineMarkerImpl.java b/DynmapCore/src/main/java/org/dynmap/markers/impl/PolyLineMarkerImpl.java
index f49856e8..9f381572 100644
--- a/DynmapCore/src/main/java/org/dynmap/markers/impl/PolyLineMarkerImpl.java
+++ b/DynmapCore/src/main/java/org/dynmap/markers/impl/PolyLineMarkerImpl.java
@@ -53,6 +53,7 @@ class PolyLineMarkerImpl implements PolyLineMarker {
 label = markup ? lbl : Client.encodeForHTML(lbl);
 else
 label = markup ? id : Client.encodeForHTML(id);
+ label = Client.sanitizeHTML(label);
 this.markup = markup;
 this.corners = new ArrayList();
 for(int i = 0; i < x.length; i++) {
@@ -74,7 +75,7 @@ class PolyLineMarkerImpl implements PolyLineMarker {
 PolyLineMarkerImpl(String id, MarkerSetImpl set) {
 markerid = id;
 markerset = set;
- label = Client.encodeForHTML(id);
+ label = Client.sanitizeHTML(Client.encodeForHTML(id));
 markup = false;
 desc = null;
 corners = new ArrayList();
@@ -86,9 +87,10 @@ class PolyLineMarkerImpl implements PolyLineMarker {
 * Load marker from configuration node
 * @param node - configuration node
 */
- boolean loadPersistentData(ConfigurationNode node) {
+ boolean loadPersistentData(ConfigurationNode node, boolean isSafe) {
 markup = node.getBoolean("markup", false);
 label = MarkerAPIImpl.escapeForHTMLIfNeeded(node.getString("label", markerid), markup);
+ if (!isSafe) label = Client.sanitizeHTML(label);
 List xx = node.getList("x");
 List yy = node.getList("y");
 List zz = node.getList("z");
@@ -101,6 +103,7 @@ class PolyLineMarkerImpl implements PolyLineMarker {
 world = node.getString("world", "world");
 normalized_world = DynmapWorld.normalizeWorldName(world);
 desc = node.getString("desc", null);
+ if (!isSafe) desc = Client.sanitizeHTML(desc);
 lineweight = node.getInteger("strokeWeight", -1);
 if(lineweight == -1) { /* Handle typo-saved value */
 lineweight = node.getInteger("stokeWeight", 3);
@@ -164,7 +167,7 @@ class PolyLineMarkerImpl implements PolyLineMarker {
 @Override
 public void setLabel(String lbl, boolean markup) {
 if(markerset == null) return;
- label = markup ? lbl : Client.encodeForHTML(lbl);
+ label = markup ? Client.sanitizeHTML(lbl) : Client.encodeForHTML(lbl);
 this.markup = markup;
 MarkerAPIImpl.polyLineMarkerUpdated(this, MarkerUpdate.UPDATED);
 if(ispersistent)
@@ -223,6 +226,7 @@ class PolyLineMarkerImpl implements PolyLineMarker {
 @Override
 public void setDescription(String desc) {
 if(markerset == null) return;
+ desc = Client.sanitizeHTML(desc);
 if((this.desc == null) || (this.desc.equals(desc) == false)) {
 this.desc = desc;
 MarkerAPIImpl.polyLineMarkerUpdated(this, MarkerUpdate.UPDATED);