UE: Encoding HTML in Tooltip and Description using XSSAPI (#1267)

* Encoding HTML in strings using custom serializer

* Adding test cases

* Removing encoding annotation for AbstractBase

* Clean up

* Moving Serializer to FormStructParser

* Fixing formatting

Author: TalmizAhmed

bundles/af-core/src/main/java/com/adobe/cq/forms/core/components/internal/form/FormStructureParserImpl.java

@@ -19,6 +19,7 @@
 import java.io.StringWriter;
 import java.io.Writer;
 
+import org.apache.commons.lang3.StringEscapeUtils;
 import org.apache.sling.api.SlingHttpServletRequest;
 import org.apache.sling.api.resource.Resource;
 import org.apache.sling.models.annotations.Model;
@@ -33,7 +34,11 @@
 import com.adobe.cq.forms.core.components.models.form.FormStructureParser;
 import com.adobe.cq.forms.core.components.util.ComponentUtils;
 import com.adobe.cq.forms.core.components.views.Views;
+import com.fasterxml.jackson.core.JsonGenerator;
+import com.fasterxml.jackson.databind.JsonSerializer;
 import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.SerializerProvider;
+import com.fasterxml.jackson.databind.module.SimpleModule;
 
 @Model(
     adaptables = { SlingHttpServletRequest.class, Resource.class },
@@ -118,6 +123,7 @@ public String getFormDefinition() {
         FormContainer formContainer = resource.adaptTo(FormContainer.class);
         try {
             ObjectMapper mapper = new ObjectMapper();
+            mapper.registerModule(new SimpleModule().addSerializer(String.class, new FormStructureParserImpl.EncodeHTMLSerializer()));
             Writer writer = new StringWriter();
             // return publish view specific properties only for runtime
             mapper.writerWithView(Views.Publish.class).writeValue(writer, formContainer);
@@ -127,4 +133,14 @@ public String getFormDefinition() {
         }
         return result;
     }
+
+    private static class EncodeHTMLSerializer extends JsonSerializer<String> {
+        @Override
+        public void serialize(String value, JsonGenerator jsonGenerator, SerializerProvider serializerProvider) throws IOException {
+            if (value != null) {
+                String escapedValue = StringEscapeUtils.escapeHtml4(value);
+                jsonGenerator.writeString(escapedValue);
+            }
+        }
+    }
 }

bundles/af-core/src/test/java/com/adobe/cq/forms/core/components/internal/models/v1/form/FormStructureParserImplTest.java

@@ -25,6 +25,7 @@
 import org.apache.commons.lang3.StringUtils;
 import org.apache.sling.api.resource.Resource;
 import org.apache.sling.testing.mock.sling.servlet.MockSlingHttpServletRequest;
+import org.junit.jupiter.api.Assertions;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
@@ -100,6 +101,19 @@ void testFormDefinition() throws JsonProcessingException {
         assertEquals(formJson.get("fieldType"), "form");
     }
 
+    @Test
+    void testFormDefinitionWithHTMLEncoding() throws JsonProcessingException {
+        String path = FORM_CONTAINER_PATH;
+        FormStructureParser formStructureParser = getFormStructureParserUnderTest(path);
+        String formDef = formStructureParser.getFormDefinition();
+        HashMap<String, Object> formJson = (HashMap<String, Object>) new ObjectMapper().readValue(formDef,
+            new TypeReference<Map<String, Object>>() {});
+        Assertions.assertNotNull(formStructureParser.getFormDefinition());
+        Map<String, Object> datepicker = (Map<String, Object>) ((Map<String, Object>) formJson.get(":items")).get("datepicker");
+        Assertions.assertEquals(datepicker.get("description"), "&lt;p&gt;dummy&lt;/p&gt;");
+        Assertions.assertEquals(datepicker.get("tooltip"), "&lt;p&gt;test-short-description&lt;/p&gt;");
+    }
+
     @Test
     void testFormContainerPathEmbedWithoutIframe() {
         FormStructureParser formStructureParser = getFormStructureParserUnderTest(JCR_CONTENT_PATH, FORM_CONTAINER_PATH);

bundles/af-core/src/test/resources/form/formstructparser/test-content.json

@@ -20,8 +20,10 @@
           "name": "abc",
           "jcr:title": "def",
           "hideTitle": false,
-          "description": "dummy",
-          "visible": false
+          "description": "<p>dummy</p>",
+          "tooltip": "<p>test-short-description</p>",
+          "visible": false,
+          "fieldType": "datepicker"
         },
         "container1": {
           "jcr:primaryType": "nt:unstructured",