Dev

build.gradle.kts

@@ -5,12 +5,12 @@ val ehcacheVersion = "3.10.8"
 val glassfishJaxbVersion = "4.0.5"
 val hibernateSearchVersion = "7.1.0.Final"
 val tikaVersion = "3.0.0-BETA"
-val postgresqlVersion = "42.7.2"
+val postgresqlVersion = "42.7.3"
 val reflectionsVersion = "0.10.2"
 val guiceVersion = "7.0.0"
 val liquibaseCoreVersion = "4.26.0"
 val quartzVersion = "2.5.0-rc1"
-val guavaVersion = "33.0.0-jre"
+val guavaVersion = "33.1.0-jre"
 val jacksonVersion = "2.17.0"
 val playwrightVersion = "1.42.0"
 val jsoupVersion = "1.17.2"

src/main/kotlin/fr/shikkanime/converters/config/ConfigToConfigDtoConverter.kt

@@ -3,13 +3,14 @@ package fr.shikkanime.converters.config
 import fr.shikkanime.converters.AbstractConverter
 import fr.shikkanime.dtos.ConfigDto
 import fr.shikkanime.entities.Config
+import fr.shikkanime.utils.StringUtils
 
 class ConfigToConfigDtoConverter : AbstractConverter<Config, ConfigDto>() {
     override fun convert(from: Config): ConfigDto {
         return ConfigDto(
             uuid = from.uuid,
             propertyKey = from.propertyKey,
-            propertyValue = from.propertyValue,
+            propertyValue = from.propertyValue?.let { StringUtils.sanitizeXSS(it) },
         )
     }
 }

src/main/kotlin/fr/shikkanime/modules/Routing.kt

@@ -9,6 +9,7 @@ import fr.shikkanime.services.caches.ConfigCacheService
 import fr.shikkanime.services.caches.SimulcastCacheService
 import fr.shikkanime.utils.Constant
 import fr.shikkanime.utils.LoggerFactory
+import fr.shikkanime.utils.StringUtils
 import fr.shikkanime.utils.routes.*
 import fr.shikkanime.utils.routes.method.Delete
 import fr.shikkanime.utils.routes.method.Get
@@ -291,6 +292,7 @@ private suspend fun handleTemplateResponse(
 
     val map = response.data as Map<String, Any> // NOSONAR
     val modelMap = (map["model"] as Map<String, Any?>).toMutableMap() // NOSONAR
+    modelMap["su"] = StringUtils
 
     val linkObjects = LinkObject.list()
 
@@ -309,6 +311,7 @@ private suspend fun handleTemplateResponse(
         link
     }
 
+
     modelMap["footerLinks"] = list.filter { it.footer }
 
     modelMap["title"] = (map["title"] as? String)?.let { title ->

src/main/kotlin/fr/shikkanime/socialnetworks/ThreadsSocialNetwork.kt

@@ -53,8 +53,9 @@ class ThreadsSocialNetwork : AbstractSocialNetwork() {
     }
 
     private fun checkSession() {
-        if (initializedAt != null && initializedAt!!.plusMinutes(configCacheService.getValueAsInt(ConfigPropertyKey.THREADS_SESSION_TIMEOUT, 10).toLong())
-                .isAfter(ZonedDateTime.now())
+        if (isInitialized &&
+            initializedAt != null &&
+            initializedAt!!.plusMinutes(configCacheService.getValueAsInt(ConfigPropertyKey.THREADS_SESSION_TIMEOUT, 10).toLong()).isAfter(ZonedDateTime.now())
         ) {
             return
         }

src/main/kotlin/fr/shikkanime/utils/StringUtils.kt

@@ -71,4 +71,12 @@ object StringUtils {
         val slug: String = NONLATIN.matcher(normalized).replaceAll("").replace("-+".toRegex(), "-")
         return slug.lowercase()
     }
+
+    fun sanitizeXSS(input: String): String = input.replace("<", "&lt;")
+        .replace(">", "&gt;")
+        .replace("\"", "&quot;")
+
+    fun unSanitizeXSS(input: String): String = input.replace("&lt;", "<")
+        .replace("&gt;", ">")
+        .replace("&quot;", "\"")
 }

src/main/resources/templates/_freemarker_implicit.ftl

@@ -26,6 +26,7 @@
 [#-- @ftlvariable name="footerLinks" type="kotlin.collections.AbstractList<fr.shikkanime.entities.LinkObject>" --]
 [#-- @ftlvariable name="seoLinks" type="kotlin.collections.AbstractList<fr.shikkanime.entities.enums.Link>" --]
 [#-- @ftlvariable name="query" type="java.lang.String" --]
+[#-- @ftlvariable name="su" type="fr.shikkanime.utils.StringUtils" --]
 
 [#-- @ftlvariable name="analyticsDomain" type="java.lang.String" --]
 [#-- @ftlvariable name="analyticsApi" type="java.lang.String" --]

src/main/resources/templates/admin/animes/edit.ftl

@@ -46,12 +46,12 @@
                     </div>
                     <div class="col-md-6">
                         <label for="name" class="form-label">Name</label>
-                        <input type="text" class="form-control" id="name" name="name" value="${anime.name}">
+                        <input type="text" class="form-control" id="name" name="name" value="${su.sanitizeXSS(anime.name)}">
                     </div>
                     <div class="col-md-6">
                         <label for="shortName" class="form-label">Short name</label>
                         <input type="text" class="form-control" id="shortName" name="shortName"
-                               value="${anime.shortName}" disabled>
+                               value="${su.sanitizeXSS(anime.shortName)}" disabled>
                     </div>
                     <div class="col-md-6">
                         <label for="releaseDateTime" class="form-label">Release date time</label>

src/main/resources/templates/admin/animes/list.ftl

@@ -61,7 +61,7 @@
             table.innerHTML = '';
 
             animes.forEach(anime => {
-                table.innerHTML += buildTableElement(anime.uuid, anime.name, anime.description, anime.status);
+                table.innerHTML += buildTableElement(anime.uuid, anime.shortName, anime.description, anime.status);
             });
         }
 

src/main/resources/templates/admin/config/edit.ftl

@@ -30,7 +30,7 @@
                     </div>
                     <div class="col-md-6">
                         <label for="value" class="form-label">Value</label>
-                        <input type="text" class="form-control" id="value" name="value" value="${config.propertyValue}">
+                        <input type="text" class="form-control" id="value" name="value" value="${su.sanitizeXSS(config.propertyValue)}">
                     </div>
                 </div>
             </div>

src/main/resources/templates/admin/episodes/edit.ftl

@@ -46,7 +46,7 @@
                     </div>
                     <div class="col-md-6">
                         <label for="anime" class="form-label">Anime</label>
-                        <input type="text" class="form-control" id="anime" name="anime" value="${episode.anime.name}"
+                        <input type="text" class="form-control" id="anime" name="anime" value="${su.sanitizeXSS(episode.anime.shortName)}"
                                disabled>
                     </div>
                     <div class="col-md-6">

src/main/resources/templates/site/_layout.ftl

@@ -37,7 +37,7 @@
 
         <#if (analyticsDomain?? && analyticsDomain?length != 0) && (analyticsApi?? && analyticsApi?length != 0) && (analyticsScript?? && analyticsScript?length != 0)>
             <script data-domain="${analyticsDomain}" data-api="${analyticsApi}">
-                ${analyticsScript}
+                ${su.unSanitizeXSS(analyticsScript)}
             </script>
         </#if>
     </head>

src/main/resources/templates/site/anime.ftl

@@ -6,7 +6,7 @@
         <div class="row g-3 mt-3">
             <div class="col-md-4 col-12 mt-0 text-center">
                 <img src="https://api.shikkanime.fr/v1/attachments?uuid=${anime.uuid}&type=image"
-                     alt="${anime.shortName?replace("\"", "'")} anime image" class="img-fluid w-50" width="480"
+                     alt="${su.sanitizeXSS(anime.shortName)} anime image" class="img-fluid w-50" width="480"
                      height="720">
             </div>
 

src/main/resources/templates/site/components/anime.ftl

@@ -5,7 +5,7 @@
                @mouseleave="hover = false">
                 <div class="position-relative">
                     <img src="https://api.shikkanime.fr/v1/attachments?uuid=${anime.uuid}&type=image"
-                         alt="${anime.shortName?replace("\"", "'")} anime image" class="img-fluid" width="480"
+                         alt="${su.sanitizeXSS(anime.shortName)} anime image" class="img-fluid" width="480"
                          height="720">
 
                     <span class="h6 mt-2 text-truncate-2">${anime.shortName}</span>

src/main/resources/templates/site/components/episode.ftl

@@ -16,7 +16,7 @@
                 <div class="position-relative">
                     <div class="position-relative">
                         <img src="https://api.shikkanime.fr/v1/attachments?uuid=${episode.uuid}&type=image"
-                             alt="${episode.anime.shortName?replace("\"", "'")} episode preview image"
+                             alt="${su.sanitizeXSS(episode.anime.shortName)} episode preview image"
                              class="img-fluid<#if episode.uncensored> blur</#if>" width="640" height="360">
 
                         <img src="https://www.shikkanime.fr/assets/img/platforms/${episode.platform.image}"