From a2277c85158ed563675996488873eb573dc43101 Mon Sep 17 00:00:00 2001
From: Dominik Hanak <dhanak@redhat.com>
Date: Wed, 28 Jun 2023 17:52:13 +0200
Subject: [PATCH] Increase coverage and remove code smells

---
 .../structure/backend/InputEscapeUtils.java   | 23 +++++++++++++
 .../OrganizationalUnitServiceImpl.java        |  1 -
 .../backend/InputEscapeUtilsTest.java         | 33 +++++++++++++++++++
 3 files changed, 56 insertions(+), 1 deletion(-)
 create mode 100644 uberfire-structure/uberfire-structure-backend/src/test/java/org/guvnor/structure/backend/InputEscapeUtilsTest.java

diff --git a/uberfire-structure/uberfire-structure-backend/src/main/java/org/guvnor/structure/backend/InputEscapeUtils.java b/uberfire-structure/uberfire-structure-backend/src/main/java/org/guvnor/structure/backend/InputEscapeUtils.java
index b8f466d9e4..2a441a2090 100644
--- a/uberfire-structure/uberfire-structure-backend/src/main/java/org/guvnor/structure/backend/InputEscapeUtils.java
+++ b/uberfire-structure/uberfire-structure-backend/src/main/java/org/guvnor/structure/backend/InputEscapeUtils.java
@@ -1,3 +1,18 @@
+/*
+ * Copyright 2023 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
 package org.guvnor.structure.backend;
 
 import java.util.ArrayList;
@@ -6,8 +21,16 @@
 import org.apache.commons.text.StringEscapeUtils;
 import org.uberfire.security.Contributor;
 
+/**
+ * Utility class to provide input escaping or other
+ * functionality needed by backend services to sanitize inputs.
+ */
 public class InputEscapeUtils {
 
+    private InputEscapeUtils() {
+        // non-instantiable class
+    }
+
     public static Collection<Contributor> escapeContributorsNames(Collection<Contributor> contributors) {
         Collection<Contributor> escapedContributors = new ArrayList<>();
         contributors.forEach((contributor -> {
diff --git a/uberfire-structure/uberfire-structure-backend/src/main/java/org/guvnor/structure/backend/organizationalunit/OrganizationalUnitServiceImpl.java b/uberfire-structure/uberfire-structure-backend/src/main/java/org/guvnor/structure/backend/organizationalunit/OrganizationalUnitServiceImpl.java
index f094dee557..439b1d26fd 100644
--- a/uberfire-structure/uberfire-structure-backend/src/main/java/org/guvnor/structure/backend/organizationalunit/OrganizationalUnitServiceImpl.java
+++ b/uberfire-structure/uberfire-structure-backend/src/main/java/org/guvnor/structure/backend/organizationalunit/OrganizationalUnitServiceImpl.java
@@ -33,7 +33,6 @@
 import javax.inject.Inject;
 import javax.inject.Named;
 
-import org.apache.commons.text.StringEscapeUtils;
 import org.uberfire.security.Contributor;
 import org.guvnor.structure.contributors.SpaceContributorsUpdatedEvent;
 import org.guvnor.structure.organizationalunit.NewOrganizationalUnitEvent;
diff --git a/uberfire-structure/uberfire-structure-backend/src/test/java/org/guvnor/structure/backend/InputEscapeUtilsTest.java b/uberfire-structure/uberfire-structure-backend/src/test/java/org/guvnor/structure/backend/InputEscapeUtilsTest.java
new file mode 100644
index 0000000000..5f428c8878
--- /dev/null
+++ b/uberfire-structure/uberfire-structure-backend/src/test/java/org/guvnor/structure/backend/InputEscapeUtilsTest.java
@@ -0,0 +1,33 @@
+package org.guvnor.structure.backend;
+
+import org.apache.commons.text.StringEscapeUtils;
+import org.assertj.core.api.Assertions;
+import org.junit.Test;
+
+import static org.guvnor.structure.backend.InputEscapeUtils.escapeHtmlInput;
+
+public class InputEscapeUtilsTest {
+
+    @Test
+    public void testEscapeHtmlInput() {
+        final String xssString = "<img/src/onerror=alert(\"XSS\")>";
+        final String expectedResult = StringEscapeUtils.escapeHtml4(xssString).replace("'", "");
+        final String result = escapeHtmlInput(xssString);
+        Assertions.assertThat(result).isEqualTo(expectedResult);
+    }
+
+    @Test
+    public void testEscapeHtmlInputWithSingleQoutes() {
+        final String xssString = "<img/src/onerror=alert('XSS')>";
+        final String expectedResult = StringEscapeUtils.escapeHtml4(xssString).replace("'", "");
+        final String result = escapeHtmlInput(xssString);
+        Assertions.assertThat(result).isEqualTo(expectedResult);
+    }
+
+    @Test
+    public void testEscapeHtmlInputNull() {
+        final String xssString = null;
+        final String result = escapeHtmlInput(xssString);
+        Assertions.assertThat(result).isNull();
+    }
+}