Fix profile xss

app/api/Datasets.scala

@@ -716,7 +716,15 @@ class  Datasets @Inject()(
       }
       Logger.debug("----- Adding file to dataset completed")
     } else {
+        val foldersContainingFile = folders.findByFileId(file.id).sortBy(_.name)
         Logger.debug("File was already in dataset.")
+        Logger.debug("Remove file from folders in dataset")
+        foldersContainingFile.foreach(folder => {
+          if (folder.parentDatasetId == dsId){
+            folders.removeFile(folder.id, fileId)
+
+          }
+        })
     }
   }
 

app/api/Users.scala

@@ -1,5 +1,6 @@
 package api
-
+// import org.springframework.web.util.HtmlUtils.htmlEscape
+import org.apache.commons.lang.StringEscapeUtils.escapeJavaScript
 import javax.inject.Inject
 import play.api.libs.json._
 import play.api.Play.current
@@ -61,10 +62,14 @@ class Users @Inject()(users: UserService, events: EventService) extends ApiContr
   /** @deprecated use id instead of email */
   def updateName(id: UUID, firstName: String, lastName: String) = PermissionAction(Permission.EditUser, Some(ResourceRef(ResourceRef.user, id))) { implicit request =>
     implicit val user = request.user
-    users.updateUserField(id, "firstName", firstName)
-    users.updateUserField(id, "lastName", lastName)
-    users.updateUserField(id, "fullName", firstName + " " + lastName)
-    users.updateUserFullName(id, firstName + " " + lastName)
+//    val escapedFirstName = htmlEscape(firstName)
+//    val escapedLastName = htmlEscape(lastName)
+    val escapedFirstName = scala.xml.Text(firstName).toString
+    val escapedLastName = scala.xml.Text(lastName).toString
+    users.updateUserField(id, "firstName", escapedFirstName)
+    users.updateUserField(id, "lastName", escapedLastName)
+    users.updateUserField(id, "fullName", escapedFirstName + " " + escapedLastName)
+    users.updateUserFullName(id, escapedFirstName + " " + escapedLastName)
 
     Ok(Json.obj("status" -> "success"))
   }

app/views/profile.scala.html

@@ -65,7 +65,7 @@ <h1>@profile.fullName</h1>
             } else {
                 @if(ownProfile){
                     <div id="prf-first-name" class="text-left inline">
-                        <h1 id="first-name-title" class="inline" style="cursor:pointer" title="Click to edit user's first name.">@Html(profile.firstName)</h1>
+                        <h1 id="first-name-title" class="inline" style="cursor:pointer" title="Click to edit user's first name.">@Html(escapeString("<script>alert('XSS')</script>"))</h1>
                         <div id="h-edit-first" class="hiddencomplete" title="Click to edit user's first name.">
                             <a href="javascript:updateFirstLastName()"></a>
                         </div>

docker-compose.yml

@@ -51,7 +51,7 @@ services:
 
   # main clowder application
   clowder:
-    image: clowder/clowder:${CLOWDER_VERSION:-latest}
+    image: clowder:bugfix
     restart: unless-stopped
     networks:
       - clowder

public/javascripts/htmlEncodeDecode.js

@@ -11,4 +11,13 @@ function htmlEncode(value){
 
 function htmlDecode(value){
 	return $('<div/>').html(value).text();
+}
+
+function escapeString(htmlStr) {
+	return htmlStr.replace(/&/g, "&amp;")
+		.replace(/</g, "&lt;")
+		.replace(/>/g, "&gt;")
+		.replace(/"/g, "&quot;")
+		.replace(/'/g, "&#39;");
+
 }