This is an automated email from the ASF dual-hosted git repository. snoopdave pushed a commit to branch inputs-and-docs in repository https://gitbox.apache.org/repos/asf/roller.git
commit b6df636117156a79c834e3fc9266338cc521d990
Author: David M. Johnson <snoopd...@apache.org>
AuthorDate: Sat Jul 1 18:21:27 2023 -0400
Remove HTML from a couple of fields that should not allow HTML and clarify docs.
---
 app/src/main/java/org/apache/roller/weblogger/pojos/Weblog.java | 9 +++++----
 .../java/org/apache/roller/weblogger/pojos/WeblogCategory.java | 5 +++--
 .../java/org/apache/roller/weblogger/util/HTMLSanitizer.java | 2 +-
 docs/roller-install-guide.adoc | 3 +++
 docs/roller-user-guide.adoc | 3 ++-
 5 files changed, 14 insertions(+), 8 deletions(-)
diff --git a/app/src/main/java/org/apache/roller/weblogger/pojos/Weblog.java b/app/src/main/java/org/apache/roller/weblogger/pojos/Weblog.java
index 7e196aa8c..46904f1b7 100644
--- a/app/src/main/java/org/apache/roller/weblogger/pojos/Weblog.java
+++ b/app/src/main/java/org/apache/roller/weblogger/pojos/Weblog.java
@@ -38,6 +38,7 @@ import org.apache.roller.weblogger.pojos.WeblogEntry.PubStatus;
 import org.apache.roller.util.UUIDGenerator;
 import org.apache.roller.weblogger.business.UserManager;
 import org.apache.roller.weblogger.util.I18nUtils;
+import org.apache.roller.weblogger.util.Utilities;
 /**
@@ -195,7 +196,7 @@ public class Weblog implements Serializable {
 }
 public void setName(String name) {
- this.name = name;
+ this.name = Utilities.removeHTML(name);
 }
 /**
@@ -207,7 +208,7 @@ public class Weblog implements Serializable {
 }
 public void setTagline(String tagline) {
- this.tagline = tagline;
+ this.tagline = Utilities.removeHTML(tagline);
 }
 /**
@@ -567,7 +568,7 @@ public class Weblog implements Serializable {
 /**
 * A description for the weblog (its purpose, authors, etc.)
 *
- * This field is meant to hold a paragraph or two describing the weblog, in contrast
+ * This field is meant to hold a paragraph describing the weblog, in contrast
 * to the short sentence or two 'description' attribute meant for blog taglines
 * and HTML header META description tags.
 * 
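Review bot: The new `this.name = Utilities.removeHTML(name);` line in setName performs sanitisation inside the persistence POJO's setter, so it runs on every path that sets the property, not only on user input; if the persistence layer hydrates `name` through this setter, each load re-runs the stripping, and if `Utilities.removeHTML(null)` does not return `null`, a nullable column now comes back as a different value. Consider normalising at the form/action boundary instead, or at least guarding with `this.name = name == null ? null : Utilities.removeHTML(name);` once the helper's null behaviour is confirmed. Tag removal is also not output encoding: depending on how removeHTML treats a bare `<`, legitimate text such as `a < b` may be altered, and templates that print `getName()` still need to HTML-escape it, so this is defence in depth rather than a replacement for escaping on output. The same points apply to the setTagline and setAbout hunks in this file and to WeblogCategory.setName and setDescription in the next file.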
@@ -577,7 +578,7 @@ public class Weblog implements Serializable {
 }
 public void setAbout(String about) {
- this.about = about;
+ this.about = Utilities.removeHTML(about);
 }
diff --git a/app/src/main/java/org/apache/roller/weblogger/pojos/WeblogCategory.java b/app/src/main/java/org/apache/roller/weblogger/pojos/WeblogCategory.java
index bc2d6b60f..1179c78c3 100644
--- a/app/src/main/java/org/apache/roller/weblogger/pojos/WeblogCategory.java
+++ b/app/src/main/java/org/apache/roller/weblogger/pojos/WeblogCategory.java
@@ -27,6 +27,7 @@ import org.apache.roller.weblogger.business.WebloggerFactory;
 import org.apache.roller.weblogger.business.WeblogEntryManager;
 import org.apache.roller.weblogger.pojos.WeblogEntry.PubStatus;
 import org.apache.roller.util.UUIDGenerator;
+import org.apache.roller.weblogger.util.Utilities;
 /**
@@ -133,7 +134,7 @@ public class WeblogCategory implements Serializable, Comparable<WeblogCategory>
 }
 public void setName(String name) {
- this.name = name;
+ this.name = Utilities.removeHTML(name);
 }
@@ -145,7 +146,7 @@ public class WeblogCategory implements Serializable, Comparable<WeblogCategory>
 }
 public void setDescription(String description) {
- this.description = description;
+ this.description = Utilities.removeHTML(description);
 }
 /**
diff --git a/app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java b/app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java
index 3f8230562..280e07917 100644
--- a/app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java
+++ b/app/src/main/java/org/apache/roller/weblogger/util/HTMLSanitizer.java
@@ -100,7 +100,7 @@ public class HTMLSanitizer {
 }
 /**
- * Used to get the text, tags removed or encoded
+ * Used to get the text, tags removed or encoded
 *
 * @param html
 * @return sanitized text
diff --git a/docs/roller-install-guide.adoc b/docs/roller-install-guide.adoc
index b59dde170..8e6985319 100644
--- a/docs/roller-install-guide.adoc 
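Review bot: setAbout now strips markup via `Utilities.removeHTML(about)`, but neither the setter nor the `about` field's Javadoc (reworded in the `@@ -567` hunk above, which still describes only the field's purpose) says that HTML is not accepted, so a caller storing a formatted paragraph loses its markup silently. Add a sentence to that Javadoc such as `This field is plain text: any HTML tags are removed when the value is set.` and a `@param about plain-text description; HTML tags are removed` on the setter. The same documentation gap applies to setName and setTagline in this file and to WeblogCategory.setName and setDescription in the next file.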
+++ b/docs/roller-install-guide.adoc
@@ -55,6 +55,9 @@ will use your Roller site to author HTML, then you should configure Roller to sanitize all HTML published by the system. Do this by setting the _weblogAdminsUntrusted=true_ property in your _roller-custom.properties_ file.
+* *Do not allow File Uploads*. By default Roller allows users to upload
+files for display on their blogs. If don't trust your users, this is unsafe
+and you should disable File Uploads via the Server Administration page.
 * *Do not allow HTML in comments*. Roller can allow users to write comments in a safe-subset of HTML, but HTML use in comments is not allowed at all because of security concerns with even a so called
diff --git a/docs/roller-user-guide.adoc b/docs/roller-user-guide.adoc
index 6cd4bb5f0..83ffd2e46 100644
--- a/docs/roller-user-guide.adoc
+++ b/docs/roller-user-guide.adoc
@@ -890,7 +890,8 @@ Safari) is no longer active and should not appear in hot-blog and other weblog listing on the site. You might want to do this if you take a very long vacation or if you have decided to stop updating your weblog for some
-other reason.
+other reason. Your weblog will still be publicly available, but not
+shown in the main community page of your site (if there is one).
 * *Number of entries to display on weblog*: Enter the maximum number of entries to be displayed on your weblog.