matthiasblaesing commented on code in PR #7128:
URL: https://github.com/apache/netbeans/pull/7128#discussion_r1536685499
##########
ide/git/src/org/netbeans/modules/git/ui/history/RevisionNode.java:
##########
@@ -78,31 +94,59 @@ public RevisionNode(RepositoryRevision.Event revision,
SearchHistoryPanel master
initProperties();
}
- RepositoryRevision getContainer() {
- return container;
- }
-
RepositoryRevision.Event getEvent() {
return event;
}
+ @Override
+ public String getHtmlDisplayName() {
+ if (isCommitNode()) {
+ return "<b>"+getName()+"</b>";
+ } else {
+ String c = annotationColorForAction(event.getAction());
+ return c != null ? "<font color="+c+">"+getName()+"</font>" :
getName();
+ }
+ }
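Review bot: in getHtmlDisplayName() both branches concatenate getName() straight into HTML, so a file name or commit subject containing `<`, `>` or `&` reaches the HTML renderer as markup instead of text; escape the name before wrapping it in `<b>`/`<font>`, and quote the attribute value, since `"<font color="+c+">"` emits an unquoted attribute (e.g. `"<font color=\"" + c + "\">"`). Keeping the escaping inside this method, rather than altering the name, leaves the plain-text value intact for the non-HTML column mentioned in the thread.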
Review Comment:
> this column actually doesn't use the JDK html renderer but it doesn't hurt to escape it too
Which html renderer is used then?
> We should consider upgrading input cleanup to some standard lib like OWASP.
No we should not.
You can't "clean up" input in a sane way, or only in a very limited way. What you can do is to limit your input to values that match your target domain. For example, if you expect a quantity you can limit inputs to "NUMBER UNIT" pairs, or you can expect HTML with only a limited subset of allowed elements or attributes.
This works for interactive use where the user can validate the final result
(if you filter) or adjust the input according to the validation feedback. But
we have no interaction here. The data (filename, comment, author name, ....) is
provided as is and needs to be rendered as is.
Cleaning up input for unconstrained domains also does not work. Consider: https://xkcd.com/327/. You can argue that input sanitizing should have caught that, but then I would ask: on what basis do you define the domain "first name of a person"? Somewhere on this planet that first name will be valid, and when the person tries to enter your country, at some point you will need to deal with that fact.
What is more, input sanitizing can't consider the output format. For example, for use in HTML the string `Robert'); DROP TABLE Students;--` is perfectly OK; for use in SQL it must be escaped. There is no need for OWASP, because escaping will do the right thing.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For further information about the NetBeans mailing lists, visit:
https://cwiki.apache.org/confluence/display/NETBEANS/Mailing+lists
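The argument above, escaping per output context rather than sanitizing input, as an added example that is not part of the PR or of the NetBeans code base. It is written in Python rather than Java so that the same raw string can be pushed through both an HTML context (a label shaped like the getHtmlDisplayName() in the hunk, but escaped) and a real SQL context (an in-memory SQLite table) offline. The commit subject, the `Students` table and the unit list for the "NUMBER UNIT" domain are constructed for this example.

```python
import html
import re
import sqlite3
from typing import List, Optional, Tuple

# Constructed sample data for the example (not taken from any repository):
# a commit subject that happens to contain markup, and the xkcd 327 "first name".
COMMIT_SUBJECT = 'Fix <b>bold</b> & "quoted" text in RevisionNode'
STUDENT_NAME = "Robert'); DROP TABLE Students;--"


def html_display_name(name: str, commit_node: bool, color: Optional[str] = None) -> str:
    """Build a node label shaped like getHtmlDisplayName() in the PR, but escape
    the data and quote the attribute value. The name itself is stored and passed
    around unchanged; only this HTML rendering step transforms it."""
    safe = html.escape(name, quote=True)  # & < > " ' become entities
    if commit_node:
        return f"<b>{safe}</b>"
    if color is not None:
        return f'<font color="{html.escape(color, quote=True)}">{safe}</font>'
    return safe


def insert_student_unsafe(conn: sqlite3.Connection, name: str) -> None:
    """The xkcd 327 mistake: the raw string concatenated into SQL text.
    executescript() is used so that the smuggled second statement really runs."""
    conn.executescript(f"INSERT INTO Students (name) VALUES ('{name}');")


def insert_student_safe(conn: sqlite3.Connection, name: str) -> None:
    """SQL context handled by the driver: the value travels as a bound parameter,
    so the quote and the semicolon are just characters inside a string."""
    conn.execute("INSERT INTO Students (name) VALUES (?)", (name,))


def students_table_exists(conn: sqlite3.Connection) -> bool:
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = 'Students'"
    ).fetchone()
    return row is not None


def run_sql_demo(name: str, safe: bool) -> Tuple[bool, List[str]]:
    """Create a fresh in-memory Students table, insert `name` one way or the
    other, and report whether the table survived and what it now contains."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Students (name TEXT)")
    if safe:
        insert_student_safe(conn, name)
    else:
        insert_student_unsafe(conn, name)
    exists = students_table_exists(conn)
    rows = [r[0] for r in conn.execute("SELECT name FROM Students")] if exists else []
    conn.close()
    return exists, rows


# The other case from the comment: when the domain is known ("NUMBER UNIT"),
# limit the input to it instead of cleaning it. The unit list is an assumption
# made for this example.
QUANTITY = re.compile(r"(\d+(?:\.\d+)?)\s*(px|pt|em|%)")


def parse_quantity(text: str) -> Optional[Tuple[float, str]]:
    """Return (number, unit) if `text` is exactly a quantity, otherwise None."""
    m = QUANTITY.fullmatch(text.strip())
    return (float(m.group(1)), m.group(2)) if m else None


if __name__ == "__main__":
    print(html_display_name(COMMIT_SUBJECT, commit_node=True))
    print(html_display_name(STUDENT_NAME, commit_node=False, color="#808080"))
    print("unsafe insert -> (table exists, rows):", run_sql_demo(STUDENT_NAME, safe=False))
    print("safe insert   -> (table exists, rows):", run_sql_demo(STUDENT_NAME, safe=True))
    print(parse_quantity("12 px"), parse_quantity(STUDENT_NAME))
```

The stored value is never altered: `html_display_name` escapes at the point where the string becomes HTML, and the parameterized INSERT lets the driver handle the SQL context, so the same `Robert'); DROP TABLE Students;--` is harmless in both places. `parse_quantity` is the contrasting case from the comment: where the domain is known, anything outside it is rejected outright rather than cleaned.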