LPD-3300 sanitize fields

modules/apps/commerce/commerce-product-service/src/main/resources/META-INF/portlet-model-hints.xml

@@ -208,22 +208,27 @@
 		<field name="languageId" type="String" />
 		<field name="name" type="String">
 			<hint-collection name="TEXTAREA" />
+			<sanitize content-type="text/html" modes="ALL" />
 		</field>
 		<field name="shortDescription" type="String">
 			<hint-collection name="TEXTAREA" />
+			<sanitize content-type="text/html" modes="ALL" />
 		</field>
 		<field name="description" type="String">
 			<hint-collection name="CLOB" />
 			<sanitize content-type="text/html" modes="ALL" />
 		</field>
 		<field name="metaTitle" type="String">
 			<hint name="max-length">255</hint>
+			<sanitize content-type="text/html" modes="ALL" />
 		</field>
 		<field name="metaDescription" type="String">
 			<hint name="max-length">255</hint>
+			<sanitize content-type="text/html" modes="ALL" />
 		</field>
 		<field name="metaKeywords" type="String">
 			<hint name="max-length">255</hint>
+			<sanitize content-type="text/html" modes="ALL" />
 		</field>
 	</model>
 	<model name="com.liferay.commerce.product.model.CPDefinitionOptionRel">

modules/apps/commerce/commerce-product-test/src/testIntegration/java/com/liferay/commerce/product/service/test/CPDefinitionLocalServiceTest.java

@@ -12,6 +12,7 @@
 import com.liferay.commerce.price.list.service.CommercePriceListLocalService;
 import com.liferay.commerce.product.constants.CPInstanceConstants;
 import com.liferay.commerce.product.model.CPDefinition;
+import com.liferay.commerce.product.model.CPDefinitionLocalization;
 import com.liferay.commerce.product.model.CPInstance;
 import com.liferay.commerce.product.model.CPOption;
 import com.liferay.commerce.product.model.CProduct;
@@ -357,6 +358,52 @@ public void testAddCPDefinitionWithIgnoreSKUCombinationsAndDefaultInstance()
 		Assert.assertEquals(1, approvedCPInstances);
 	}
 
+	@Test
+	public void testAvoidMaliciousCodeInCPDefinitionFields() throws Exception {
+		frutillaRule.scenario(
+			"Add product definition with clean fields"
+		).given(
+			"I add a product definition"
+		).when(
+			"I try to set malicious value in fields"
+		).then(
+			"The value is escaped."
+		);
+
+		CPDefinition cpDefinition = CPTestUtil.addCPDefinitionFromCatalog(
+			_commerceCatalog.getGroupId(), SimpleCPTypeConstants.NAME, false,
+			false);
+
+		String testString =
+			"'\"></option><img src=x onerror=alert(document.location)>";
+
+		CPDefinitionLocalization cpDefinitionLocalization =
+			_cpDefinitionLocalService.updateCPDefinitionLocalization(
+				cpDefinition, cpDefinition.getDefaultLanguageId(), testString,
+				testString, testString, testString, testString, testString);
+
+		String expectedString = "'&quot;&gt;<img src=\"x\">";
+
+		Assert.assertEquals(
+			"Expected name", expectedString,
+			cpDefinitionLocalization.getName());
+		Assert.assertEquals(
+			"Expected short description", expectedString,
+			cpDefinitionLocalization.getShortDescription());
+		Assert.assertEquals(
+			"Expected description", expectedString,
+			cpDefinitionLocalization.getDescription());
+		Assert.assertEquals(
+			"Expected metaTitle", expectedString,
+			cpDefinitionLocalization.getMetaTitle());
+		Assert.assertEquals(
+			"Expected metaDescription", expectedString,
+			cpDefinitionLocalization.getMetaDescription());
+		Assert.assertEquals(
+			"Expected metaKeywords", expectedString,
+			cpDefinitionLocalization.getMetaKeywords());
+	}
+
 	@Test
 	public void testClonedProductPriceChangeDoesNotAffectParent()
 		throws PortalException {