This is an automated email from the ASF dual-hosted git repository.

snoopdave pushed a commit to branch inputs-and-docs
in repository https://gitbox.apache.org/repos/asf/roller.git

commit b6df636117156a79c834e3fc9266338cc521d990
Author: David M. Johnson <snoopd...@apache.org>
AuthorDate: Sat Jul 1 18:21:27 2023 -0400

    Remove HTML from a couple of fields that should not allow HTML and clarify 
docs.
---
 app/src/main/java/org/apache/roller/weblogger/pojos/Weblog.java  | 9 +++++----
 .../java/org/apache/roller/weblogger/pojos/WeblogCategory.java   | 5 +++--
 .../java/org/apache/roller/weblogger/util/HTMLSanitizer.java     | 2 +-
 docs/roller-install-guide.adoc                                   | 3 +++
 docs/roller-user-guide.adoc                                      | 3 ++-
 5 files changed, 14 insertions(+), 8 deletions(-)

diff --git a/app/src/main/java/org/apache/roller/weblogger/pojos/Weblog.java 
b/app/src/main/java/org/apache/roller/weblogger/pojos/Weblog.java
index 7e196aa8c..46904f1b7 100644
--- a/app/src/main/java/org/apache/roller/weblogger/pojos/Weblog.java
+++ b/app/src/main/java/org/apache/roller/weblogger/pojos/Weblog.java
@@ -38,6 +38,7 @@ import 
org.apache.roller.weblogger.pojos.WeblogEntry.PubStatus;
 import org.apache.roller.util.UUIDGenerator;
 import org.apache.roller.weblogger.business.UserManager;
 import org.apache.roller.weblogger.util.I18nUtils;
+import org.apache.roller.weblogger.util.Utilities;
 
 
 /**
@@ -195,7 +196,7 @@ public class Weblog implements Serializable {
     }
     
     public void setName(String name) {
-        this.name = name;
+        this.name = Utilities.removeHTML(name);
     }
     
     /**
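Review bot: `Utilities.removeHTML(name)` on the new line is applied unconditionally, so if that helper is not null-safe this setter now throws where it previously stored null; a guard such as `this.name = name == null ? null : Utilities.removeHTML(name);` preserves the old contract (Utilities is not visible from this hunk, so confirm how it treats null). The same applies to setTagline and setAbout below and to WeblogCategory.setName and setDescription in the next file. Stripping tags on input also does not replace output encoding where these values are rendered, since removeHTML presumably targets tags rather than attribute or script contexts — confirm the templates still escape them. If the persistence layer populates these fields through the setters, existing stored values will also be rewritten on load, which may be intended but is worth stating in the commit message.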
@@ -207,7 +208,7 @@ public class Weblog implements Serializable {
     }
     
     public void setTagline(String tagline) {
-        this.tagline = tagline;
+        this.tagline = Utilities.removeHTML(tagline);
     }
     
     /**
@@ -567,7 +568,7 @@ public class Weblog implements Serializable {
     /**
      * A description for the weblog (its purpose, authors, etc.)
      *
-     * This field is meant to hold a paragraph or two describing the weblog, 
in contrast
+     * This field is meant to hold a paragraph describing the weblog, in 
contrast
      * to the short sentence or two 'description' attribute meant for blog 
taglines
      * and HTML header META description tags.
      *
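Review bot: The Javadoc for the about field is reworded here but still does not say that HTML is not accepted, even though this commit makes setAbout strip tags, so a reader of this comment would assume a paragraph of markup is fine. I would add a line such as ` * HTML markup is not permitted in this field; any tags are removed when the value is set.` after the sentence contrasting it with the description attribute. The accessor this comment documents continues outside the hunk.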
@@ -577,7 +578,7 @@ public class Weblog implements Serializable {
     }
 
     public void setAbout(String about) {
-        this.about = about;
+        this.about = Utilities.removeHTML(about);
     }
     
     
diff --git 
a/app/src/main/java/org/apache/roller/weblogger/pojos/WeblogCategory.java 
b/app/src/main/java/org/apache/roller/weblogger/pojos/WeblogCategory.java
index bc2d6b60f..1179c78c3 100644
--- a/app/src/main/java/org/apache/roller/weblogger/pojos/WeblogCategory.java
+++ b/app/src/main/java/org/apache/roller/weblogger/pojos/WeblogCategory.java
@@ -27,6 +27,7 @@ import org.apache.roller.weblogger.business.WebloggerFactory;
 import org.apache.roller.weblogger.business.WeblogEntryManager;
 import org.apache.roller.weblogger.pojos.WeblogEntry.PubStatus;
 import org.apache.roller.util.UUIDGenerator;
+import org.apache.roller.weblogger.util.Utilities;
 
 
 /**
@@ -133,7 +134,7 @@ public class WeblogCategory implements Serializable, 
Comparable<WeblogCategory>
     }
     
     public void setName(String name) {
-        this.name = name;
+        this.name = Utilities.removeHTML(name);
     }
     
     
@@ -145,7 +146,7 @@ public class WeblogCategory implements Serializable, 
Comparable<WeblogCategory>
     }
     
     public void setDescription(String description) {
-        this.description = description;
+        this.description = Utilities.removeHTML(description);
     }
 
     /**
diff --git 
a/app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java 
b/app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java
index 3f8230562..280e07917 100644
--- a/app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java
+++ b/app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java
@@ -100,7 +100,7 @@ public class HTMLSanitizer {
     }
 
     /**
-     * Used to get the text,  tags removed or encoded
+     * Used to get the text, tags removed or encoded
      *
      * @param html
      * @return sanitized text
diff --git a/docs/roller-install-guide.adoc b/docs/roller-install-guide.adoc
index b59dde170..8e6985319 100644
--- a/docs/roller-install-guide.adoc
+++ b/docs/roller-install-guide.adoc
@@ -55,6 +55,9 @@ will use your Roller site to author HTML, then you should 
configure
 Roller to sanitize all HTML published by the system. Do this by setting
 the _weblogAdminsUntrusted=true_ property in your
 _roller-custom.properties_ file.
+* *Do not allow File Uploads*. By default Roller allows users to upload
+files for display on their blogs. If don't trust your users, this is unsafe
+and you should disable File Uploads via the Server Administration page.
 * *Do not allow HTML in comments*. Roller can allow users to write
 comments in a safe-subset of HTML, but HTML use in comments is not
 allowed at all because of security concerns with even a so called
diff --git a/docs/roller-user-guide.adoc b/docs/roller-user-guide.adoc
index 6cd4bb5f0..83ffd2e46 100644
--- a/docs/roller-user-guide.adoc
+++ b/docs/roller-user-guide.adoc
@@ -890,7 +890,8 @@ Safari)
 is no longer active and should not appear in hot-blog and other weblog
 listing on the site. You might want to do this if you take a very long
 vacation or if you have decided to stop updating your weblog for some
-other reason.
+other reason. Your weblog will still be publicly available, but not
+shown in the main community page of your site (if there is one).
 * *Number of entries to display on weblog*: Enter the maximum number of
 entries to be displayed on your weblog.
 
