From 575a7d49796aabf5a16db4b6ec454100ed34fbe8 Mon Sep 17 00:00:00 2001
From: tcbuzor <tcbuzor@gmail.com>
Date: Sun, 8 Sep 2019 23:22:22 -0500
Subject: [PATCH 1/3] input validation for database connection data

---
 .../database/module/langs/translation-en.json |  7 ++-
 .../scripts/index/database-source-ui.js       | 59 +++++++++++++++----
 extensions/database/pom.xml                   |  7 +++
 .../extension/database/DatabaseUtils.java     |  2 +-
 .../database/cmd/SavedConnectionCommand.java  | 53 ++++++++++++++---
 .../cmd/SavedConnectionCommandTest.java       | 49 ++++++++++++++-
 6 files changed, 156 insertions(+), 21 deletions(-)

diff --git a/extensions/database/module/langs/translation-en.json b/extensions/database/module/langs/translation-en.json
index 2feb01e3c..b4ffadf48 100644
--- a/extensions/database/module/langs/translation-en.json
+++ b/extensions/database/module/langs/translation-en.json
@@ -44,5 +44,10 @@
     "database-parsing/limit-next": "Load at most",
     "database-parsing/limit": "row(s) of data",
     "database-parsing/store-row": "Store blank rows",
-    "database-parsing/store-cell": "Store blank cells as nulls"
+    "database-parsing/store-cell": "Store blank cells as nulls",
+    "database-source/alert-conn-name-invalid-character": "Connection Name Input Error: Illegal Character in Input. Only [a-zA-Z0-9._-] Allowed",
+    "database-source/alert-db-host-invalid-character": "Database Host Error: Illegal Character in Input. Only Alphanumeric characters allowed",
+    "database-source/alert-db-user-invalid-character": "Database User Error: Illegal Character in Input. Only Alphanumeric characters allowed",
+    "database-source/alert-db-port-invalid-character": "Database Port Error: Illegal Character in Input. Only Numeric values allowed."
+    
 }
diff --git a/extensions/database/module/scripts/index/database-source-ui.js b/extensions/database/module/scripts/index/database-source-ui.js
index 7b5932c2e..666f772d3 100644
--- a/extensions/database/module/scripts/index/database-source-ui.js
+++ b/extensions/database/module/scripts/index/database-source-ui.js
@@ -127,11 +127,11 @@ Refine.DatabaseSourceUI.prototype.attachUI = function(body) {
  this._elmts.saveConnectionButton.click(function(evt) {
       
        if(self._validateNewConnectionForm() == true){
-               var connectionNameInput = $.trim(self._elmts.connectionNameInput[0].value);
+            var connectionNameInput = $.trim(self._elmts.connectionNameInput[0].value);
             if (connectionNameInput.length === 0) {
                 window.alert($.i18n('database-source/alert-connection-name'));   
             } else{
-                    self._saveConnection(self._getConnectionInfo());
+                self._saveConnection(self._getConnectionInfo());
             }
              
        }
@@ -431,6 +431,9 @@ Refine.DatabaseSourceUI.prototype._getConnectionInfo = function() {
          var self = this;
         var jdbcConnectionInfo = {};
          jdbcConnectionInfo.connectionName = $.trim(self._elmts.connectionNameInput[0].value);
+         
+        // window.alert('input:' + jdbcConnectionInfo.connectionName + ' output:' + self._removeScriptTag(jdbcConnectionInfo.connectionName) );
+         
          jdbcConnectionInfo.databaseType = $.trim(self._elmts.databaseTypeSelect[0].value);
          jdbcConnectionInfo.databaseServer = $.trim(self._elmts.databaseHostInput[0].value);
          jdbcConnectionInfo.databasePort = $.trim(self._elmts.databasePortInput[0].value);
@@ -442,6 +445,18 @@ Refine.DatabaseSourceUI.prototype._getConnectionInfo = function() {
     
 }
 
+Refine.DatabaseSourceUI.prototype._removeScriptTag = function(input) {
+	var div = document.createElement('div');
+    div.innerHTML = s;
+    var scripts = div.getElementsByTagName('script');
+    var i = scripts.length;
+    while (i--) {
+      scripts[i].parentNode.removeChild(scripts[i]);
+    }
+    return div.innerHTML;
+};
+
+
 Refine.DatabaseSourceUI.prototype._validateNewConnectionForm = function() {
     
         var self = this;
@@ -454,21 +469,45 @@ Refine.DatabaseSourceUI.prototype._validateNewConnectionForm = function() {
         var initialDatabaseInput = $.trim(self._elmts.initialDatabaseInput[0].value);
         var initialSchemaInput = $.trim(self._elmts.initialSchemaInput[0].value);
         
-        if (databaseHostInput.length === 0) {
+        var alphaNumRE = /^[a-zA-Z0-9._-]*$/;
+        var numRE = /^[0-9]*$/;
+        
+        var alphaNumConnNameTestResult = alphaNumRE.test(connectionNameInput);
+        var databaseHostTestResult = alphaNumRE.test(databaseHostInput);
+        var databasePortTestResult = numRE.test(databasePortInput);
+        var databaseUserTestResult = alphaNumRE.test(databaseUserInput);
+        
+        if(alphaNumConnNameTestResult == false){
+        	window.alert($.i18n('database-source/alert-conn-name-invalid-character'));
+        	return false;
+        }else if(connectionNameInput.contains("<script>") || connectionNameInput.contains("<img>")){
+        	window.alert($.i18n('database-source/alert-conn-name-invalid-character'));
+        	return false;
+        }else if (databaseHostInput.length === 0) {
             window.alert($.i18n('database-source/alert-server'));
             return false;
+        }else if(databaseHostInput.contains("<script>") || databaseHostInput.contains("<img>")){
+        	window.alert($.i18n('database-source/alert-db-host-invalid-character'));
+        	return false;
         }else if(databasePortInput.length === 0){
-                window.alert($.i18n('database-source/alert-port'));
-                return false;
+            window.alert($.i18n('database-source/alert-port'));
+            return false;
         }else if(databaseUserInput.length === 0){
-                window.alert($.i18n('database-source/alert-user'));
-                return false;
+            window.alert($.i18n('database-source/alert-user'));
+            return false;
+        }else if(databaseUserInput.contains("<script>") || databaseUserInput.contains("<img>")){
+        	window.alert($.i18n('database-source/alert-db-user-invalid-character'));
+        	return false;
         }else if(initialDatabaseInput.length === 0){
-                window.alert($.i18n('database-source/alert-initial-database'));
-                return false;
+            window.alert($.i18n('database-source/alert-initial-database'));
+            return false;
+        }else if(databasePortTestResult == false){
+        	window.alert($.i18n('database-source/alert-db-port-invalid-character'));
+        	return false;
+        	
         }
         else{
-                return true;
+            return true;
 
         }    
     
diff --git a/extensions/database/pom.xml b/extensions/database/pom.xml
index 0b43d1337..a534f85d2 100644
--- a/extensions/database/pom.xml
+++ b/extensions/database/pom.xml
@@ -166,6 +166,13 @@
       <artifactId>commons-lang3</artifactId>
       <version>3.6</version>
     </dependency>
+    
+    <dependency>
+	    <groupId>org.owasp.encoder</groupId>
+	    <artifactId>encoder</artifactId>
+	    <version>1.2.2</version>
+	</dependency>
+
   
 
     <dependency>
diff --git a/extensions/database/src/com/google/refine/extension/database/DatabaseUtils.java b/extensions/database/src/com/google/refine/extension/database/DatabaseUtils.java
index 0cb37354b..a5d0a06bd 100644
--- a/extensions/database/src/com/google/refine/extension/database/DatabaseUtils.java
+++ b/extensions/database/src/com/google/refine/extension/database/DatabaseUtils.java
@@ -314,7 +314,7 @@ public class DatabaseUtils {
         String fileSep = System.getProperty("file.separator"); 
         String filename = dir.getPath() + fileSep + DATABASE_EXTENSION_DIR + fileSep + SETTINGS_FILE_NAME;
         
-       // logger.info("** extension file name: {} **", filename);
+        logger.debug("** extension file name: {} **", filename);
         return filename;
     }
     public static String getExtensionFolder(){
diff --git a/extensions/database/src/com/google/refine/extension/database/cmd/SavedConnectionCommand.java b/extensions/database/src/com/google/refine/extension/database/cmd/SavedConnectionCommand.java
index 679090de1..da6311580 100644
--- a/extensions/database/src/com/google/refine/extension/database/cmd/SavedConnectionCommand.java
+++ b/extensions/database/src/com/google/refine/extension/database/cmd/SavedConnectionCommand.java
@@ -31,12 +31,15 @@ package com.google.refine.extension.database.cmd;
 import java.io.IOException;
 import java.io.Writer;
 import java.util.List;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
 
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
 import org.apache.http.HttpStatus;
+import org.owasp.encoder.Encode;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -50,6 +53,9 @@ public class SavedConnectionCommand extends DatabaseCommand {
  
     private static final Logger logger = LoggerFactory.getLogger("SavedConnectionCommand");
     
+    private static final Pattern CONN_NAME_PATTERN = Pattern.compile("^[a-zA-Z0-9._-]*");
+    private static final Pattern DATABASE_PORT_PATTERN = Pattern.compile("^[0-9]*");
+    
 
     @Override
     public void doGet(HttpServletRequest request, HttpServletResponse response)
@@ -126,16 +132,24 @@ public class SavedConnectionCommand extends DatabaseCommand {
             writer.writeArrayFieldStart(DatabaseUtils.SAVED_CONNECTION_KEY);
             
             writer.writeStartObject();
-            writer.writeStringField("connectionName", savedConnection.getConnectionName());
+            
+            String sanitizedConnName = Encode.forHtml(savedConnection.getConnectionName());
+      
+//            writer.writeStringField("connectionName", savedConnection.getConnectionName());
+            writer.writeStringField("connectionName", sanitizedConnName);
             
             writer.writeStringField("databaseType", savedConnection.getDatabaseType());
 
-            writer.writeStringField("databaseHost", savedConnection.getDatabaseHost());
+            String sanitizedHost = Encode.forHtml(savedConnection.getDatabaseHost());
+//            writer.writeStringField("databaseHost", savedConnection.getDatabaseHost());
+            writer.writeStringField("databaseHost", sanitizedHost);
 
             writer.writeNumberField("databasePort", savedConnection.getDatabasePort());
 
-            writer.writeStringField("databaseName", savedConnection.getDatabaseName());
-           
+            String sanitizedDbName = Encode.forHtml(savedConnection.getDatabaseName());
+//            writer.writeStringField("databaseName", savedConnection.getDatabaseName());
+            writer.writeStringField("databaseName", sanitizedDbName);
+            
             String dbPasswd = savedConnection.getDatabasePassword();
             if(dbPasswd != null && !dbPasswd.isEmpty()) {
                 dbPasswd = DatabaseUtils.decrypt(savedConnection.getDatabasePassword());
@@ -143,8 +157,11 @@ public class SavedConnectionCommand extends DatabaseCommand {
             writer.writeStringField("databasePassword", dbPasswd);
 
             writer.writeStringField("databaseSchema", savedConnection.getDatabaseSchema());
+            String sanitizedDbUser = Encode.forHtml(savedConnection.getDatabaseUser());
+//            writer.writeStringField("databaseUser", savedConnection.getDatabaseUser());
+            writer.writeStringField("databaseUser", sanitizedDbUser);
             
-            writer.writeStringField("databaseUser", savedConnection.getDatabaseUser());
+            logger.info("Input DB User:{}, SanitizedDbUser:{}", savedConnection.getDatabaseUser(), sanitizedDbUser);
 
             writer.writeEndObject();
             writer.writeEndArray();
@@ -228,6 +245,7 @@ public class SavedConnectionCommand extends DatabaseCommand {
         if(logger.isDebugEnabled()) {
             logger.debug("doPost Connection: {}", request.getParameter("connectionName"));
         }
+       
         
         DatabaseConfiguration jdbcConfig = getJdbcConfiguration(request);
         
@@ -240,6 +258,21 @@ public class SavedConnectionCommand extends DatabaseCommand {
             response.flushBuffer();
             return;
         }
+        
+        if(!validateInput(jdbcConfig.getConnectionName(), CONN_NAME_PATTERN)) {
+        	logger.warn("Invalid Connection Name: {}", jdbcConfig.getConnectionName());
+        	response.sendError(HttpStatus.SC_BAD_REQUEST, "Connection Name is Invalid. Expecting [a-zA-Z0-9._-]");
+            response.flushBuffer();
+            return;
+        }
+        
+        if(!validateInput("" + jdbcConfig.getDatabasePort(), DATABASE_PORT_PATTERN)) {
+        	logger.warn("Invalid Database Port: {}", jdbcConfig.getDatabasePort());
+        	response.sendError(HttpStatus.SC_BAD_REQUEST, "Database Port Invalid. Expecting Numeric values only");
+            response.flushBuffer();
+            return;
+        }
+        
      
         DatabaseConfiguration savedConn = DatabaseUtils.getSavedConnection(jdbcConfig.getConnectionName());
         if(savedConn != null) {
@@ -266,8 +299,14 @@ public class SavedConnectionCommand extends DatabaseCommand {
         }
    
     }
-
-
+    
+    private boolean validateInput(String input, Pattern pattern){
+        Matcher matcher = pattern.matcher(input);
+        if(matcher.matches()){
+            return true;
+        }
+        return false;
+    }
 
     @Override
     public void doPut(HttpServletRequest request, HttpServletResponse response)
diff --git a/extensions/database/tests/src/com/google/refine/extension/database/cmd/SavedConnectionCommandTest.java b/extensions/database/tests/src/com/google/refine/extension/database/cmd/SavedConnectionCommandTest.java
index d8a825100..3ec4faf3d 100644
--- a/extensions/database/tests/src/com/google/refine/extension/database/cmd/SavedConnectionCommandTest.java
+++ b/extensions/database/tests/src/com/google/refine/extension/database/cmd/SavedConnectionCommandTest.java
@@ -1,6 +1,9 @@
 package com.google.refine.extension.database.cmd;
 
 import static org.mockito.Mockito.when;
+import static org.testng.Assert.assertFalse;
+import static org.testng.Assert.assertNotEquals;
+import static org.testng.Assert.assertNotNull;
 
 import java.io.File;
 import java.io.IOException;
@@ -154,8 +157,11 @@ public class SavedConnectionCommandTest extends DBExtensionTests{
         SUT.doPost(request, response);
         
         String result = sw.getBuffer().toString().trim();
- 
+        assertNotNull(result);
+        assertFalse(result.isEmpty(), "Valid response Message expected!");
+        
         ObjectNode json = ParsingUtilities.mapper.readValue(result, ObjectNode.class);
+        System.out.println("json:" + json);
         
         ArrayNode savedConnections = (ArrayNode) json.get("savedConnections");
         Assert.assertNotNull(savedConnections);
@@ -229,7 +235,7 @@ public class SavedConnectionCommandTest extends DBExtensionTests{
         Assert.assertEquals(savedConnections.size(), 1);
         
         ObjectNode sc = (ObjectNode)savedConnections.get(0);
-        System.out.println("sc" + sc);
+        //System.out.println("sc" + sc);
         String newDbHost = sc.get("databaseHost").asText();
         Assert.assertEquals(newDbHost, newHost);
     }
@@ -288,5 +294,44 @@ public class SavedConnectionCommandTest extends DBExtensionTests{
             e.printStackTrace();
         }
     }
+    
+    /**
+     * Added to check XSS invalid tokens
+     * @throws IOException
+     * @throws ServletException
+     */
+    @Test
+    public void testDoPostInvalidConnectionName() throws IOException, ServletException {
+        
+    	when(request.getParameter("connectionName")).thenReturn("<img></img>");
+        when(request.getParameter("databaseType")).thenReturn(MySQLDatabaseService.DB_NAME);
+        when(request.getParameter("databaseServer")).thenReturn(testDbConfig.getDatabaseHost());
+        when(request.getParameter("databasePort")).thenReturn("" + testDbConfig.getDatabasePort());
+        when(request.getParameter("databaseUser")).thenReturn(testDbConfig.getDatabaseUser());
+        when(request.getParameter("databasePassword")).thenReturn(testDbConfig.getDatabasePassword());
+        when(request.getParameter("initialDatabase")).thenReturn(testDbConfig.getDatabaseName());
+       
+        StringWriter sw = new StringWriter();
+        PrintWriter pw = new PrintWriter(sw);
+        
+        when(response.getWriter()).thenReturn(pw);
+       
+        SUT.doPost(request, response);
+        
+        String result = sw.getBuffer().toString().trim();
+        assertNotNull(result);
+        assertFalse(result.isEmpty(), "Valid response Message expected!");
+        
+        ObjectNode json = ParsingUtilities.mapper.readValue(result, ObjectNode.class);
+        System.out.println("json:" + json);
+        
+        ArrayNode savedConnections = (ArrayNode) json.get("savedConnections");
+        Assert.assertNotNull(savedConnections);
+        
+        int len = savedConnections.size();
+        
+        Assert.assertEquals(len, 1);
+    }
+
 
 }

From dca496aa3b2f1266ac4a7575e1d5aa15d0acf0d9 Mon Sep 17 00:00:00 2001
From: tcbuzor <tcbuzor@gmail.com>
Date: Sat, 14 Sep 2019 23:07:23 -0500
Subject: [PATCH 2/3] remove debug statements

---
 .../scripts/index/database-source-ui.js       | 100 +++++-------------
 .../database/cmd/SavedConnectionCommand.java  |  27 ++---
 .../cmd/SavedConnectionCommandTest.java       |   7 +-
 3 files changed, 37 insertions(+), 97 deletions(-)

diff --git a/extensions/database/module/scripts/index/database-source-ui.js b/extensions/database/module/scripts/index/database-source-ui.js
index 666f772d3..f65fdd53e 100644
--- a/extensions/database/module/scripts/index/database-source-ui.js
+++ b/extensions/database/module/scripts/index/database-source-ui.js
@@ -148,19 +148,11 @@ Refine.DatabaseSourceUI.prototype.attachUI = function(body) {
         jdbcQueryInfo.databasePassword = $( "#currentDatabasePasswordInput" ).val();
         jdbcQueryInfo.initialDatabase = $( "#currentInitialDatabaseInput" ).val();
         jdbcQueryInfo.query = $.trim($( "#queryTextArea" ).val()); 
-        
-//	    if(jdbcQueryInfo.query && jdbcQueryInfo.query.length > 0 ) {
-//      	   self._executeQuery(jdbcQueryInfo);
-//	    }else{
-//	    	  window.alert($.i18n('database-source/alert-query'));
-//	    }
-        
+      
         if(self.validateQuery(jdbcQueryInfo.query)) {
                 self._executeQuery(jdbcQueryInfo);
         }
-        
-        
-        
+  
         
   });
 
@@ -251,11 +243,8 @@ Refine.DatabaseSourceUI.prototype._editConnection = function(connectionInfo) {
               $( "#menuListUl" ).empty();
               var items = [];
               $.each(settings.savedConnections,function(index,savedConnection){
-//				  items.push('<a href="#" class="list-group-item list-group-item-action">'
-//						    + '<span class="context-menu-one context-menu-text" >' + savedConnection.connectionName + '</span>'
-//					        + '<span class="sc-context-more-vert pull-right"> </span> </a>');
-                  
-                  items.push('<li class="pure-menu-item sc-list"><a href="#" class="pure-menu-link context-menu-one">'
+
+                 items.push('<li class="pure-menu-item sc-list"><a href="#" class="pure-menu-link context-menu-one">'
                     + '<span class="context-menu-text" >' + savedConnection.connectionName + '</span>'
                     + '<span class="sc-context-more-vert pull-right"> </span></a></li>');
                })
@@ -275,26 +264,23 @@ Refine.DatabaseSourceUI.prototype._executeQuery = function(jdbcQueryInfo) {
     //remove start line
     
     var dismiss = DialogSystem.showBusy($.i18n('database-import/checking'));
-    //$("#executeQueryBtn").text('Please wait ...').attr('disabled','disabled');
-    
+   
     $.post(
       "command/database/test-query",
       jdbcQueryInfo,
       function(jdbcConnectionResult) {
-         // $("#executeQueryBtn").text('Preview Query Result').removeAttr('disabled');
+         
           dismiss();
           self._controller.startImportingDocument(jdbcQueryInfo);
               
       },
       "json"
     ).fail(function( jqXhr, textStatus, errorThrown ){
-        //$("#executeQueryBtn").text('Preview Query Result').removeAttr('disabled');
+       
         dismiss();
         alert( textStatus + ':' + errorThrown );
     });
-    //remove end line
-    
-    //self._controller.startImportingDocument(jdbcQueryInfo);
+
 }
 
 Refine.DatabaseSourceUI.prototype._saveConnection = function(jdbcConnectionInfo) {	
@@ -304,16 +290,11 @@ Refine.DatabaseSourceUI.prototype._saveConnection = function(jdbcConnectionInfo)
       jdbcConnectionInfo,
       function(settings) {
           if(settings){
-              
-//			  self._elmts.scListGroupDiv.empty();
+    
               self._elmts.menuListUl.empty();
               var items = [];
               $.each(settings.savedConnections,function(index,savedConnection){
-                                                   
-//				  items.push('<a href="#" class="list-group-item list-group-item-action">'
-//						    + '<span class="context-menu-one context-menu-text" >' + savedConnection.connectionName + '</span>'
-//					        + '<span class="sc-context-more-vert pull-right"> </span> </a>');
-                  
+             
                   items.push('<li class="pure-menu-item sc-list"><a href="#" class="pure-menu-link context-menu-one">'
                     + '<span class="context-menu-text" >' + savedConnection.connectionName + '</span>'
                     + '<span class="sc-context-more-vert pull-right"> </span></a></li>');
@@ -339,14 +320,10 @@ Refine.DatabaseSourceUI.prototype._loadSavedConnections = function() {
           if(settings){
     
               self._elmts.menuListUl.empty();
-                //self._elmts.scListGroupDiv.empty();
+             
               var items = [];
               $.each(settings.savedConnections,function(index,savedConnection){
                   
-//				  items.push('<a href="#" class="list-group-item list-group-item-action context-menu-one">'
-//				    + '<span class="context-menu-text" >' + savedConnection.connectionName + '</span>'
-//			        + '<span class="sc-context-more-vert pull-right"> </span> </a>');
-                      
                   items.push('<li class="pure-menu-item sc-list"><a href="#" class="pure-menu-link context-menu-one">'
                     + '<span class="context-menu-text" >' + savedConnection.connectionName + '</span>'
                     + '<span class="sc-context-more-vert pull-right"> </span></a></li>');
@@ -354,7 +331,7 @@ Refine.DatabaseSourceUI.prototype._loadSavedConnections = function() {
                })
              
               self._elmts.menuListUl.append(items.join(''));
-            //  self._elmts.scListGroupDiv.append(items.join(''));
+        
           }
         
       },
@@ -407,12 +384,10 @@ Refine.DatabaseSourceUI.prototype._connect = function(jdbcConnectionInfo) {
                     + jdbcConnectionInfo.databasePort + "/"
                     + jdbcConnectionInfo.initialDatabase;
               
-              //alert("connectionParam::" + connectionParam);
+             
               $( "#connectionParameterSpan" ).text(connectionParam);
-            //   self._body.find('.newConnectionDiv').hide();
-            // 	self._body.find('.sqlEditorDiv').show();
-                $( "#newConnectionDiv" ).hide();
-                $( "#sqlEditorDiv" ).show();
+              $( "#newConnectionDiv" ).hide();
+              $( "#sqlEditorDiv" ).show();
             
           }else{
               window.alert("Unable to establish connection to database");
@@ -428,34 +403,20 @@ Refine.DatabaseSourceUI.prototype._connect = function(jdbcConnectionInfo) {
 };
 
 Refine.DatabaseSourceUI.prototype._getConnectionInfo = function() {
-         var self = this;
-        var jdbcConnectionInfo = {};
-         jdbcConnectionInfo.connectionName = $.trim(self._elmts.connectionNameInput[0].value);
-         
-        // window.alert('input:' + jdbcConnectionInfo.connectionName + ' output:' + self._removeScriptTag(jdbcConnectionInfo.connectionName) );
-         
-         jdbcConnectionInfo.databaseType = $.trim(self._elmts.databaseTypeSelect[0].value);
-         jdbcConnectionInfo.databaseServer = $.trim(self._elmts.databaseHostInput[0].value);
-         jdbcConnectionInfo.databasePort = $.trim(self._elmts.databasePortInput[0].value);
-         jdbcConnectionInfo.databaseUser = $.trim(self._elmts.databaseUserInput[0].value);
-         jdbcConnectionInfo.databasePassword = $.trim(self._elmts.databasePasswordInput[0].value); 
-         jdbcConnectionInfo.initialDatabase = $.trim(self._elmts.initialDatabaseInput[0].value);
-         jdbcConnectionInfo.initialSchema = $.trim(self._elmts.initialSchemaInput[0].value);
-         return jdbcConnectionInfo;
+     var self = this;
+     var jdbcConnectionInfo = {};
+     jdbcConnectionInfo.connectionName = $.trim(self._elmts.connectionNameInput[0].value);
+     jdbcConnectionInfo.databaseType = $.trim(self._elmts.databaseTypeSelect[0].value);
+     jdbcConnectionInfo.databaseServer = $.trim(self._elmts.databaseHostInput[0].value);
+     jdbcConnectionInfo.databasePort = $.trim(self._elmts.databasePortInput[0].value);
+     jdbcConnectionInfo.databaseUser = $.trim(self._elmts.databaseUserInput[0].value);
+     jdbcConnectionInfo.databasePassword = $.trim(self._elmts.databasePasswordInput[0].value); 
+     jdbcConnectionInfo.initialDatabase = $.trim(self._elmts.initialDatabaseInput[0].value);
+     jdbcConnectionInfo.initialSchema = $.trim(self._elmts.initialSchemaInput[0].value);
+     return jdbcConnectionInfo;
     
 }
 
-Refine.DatabaseSourceUI.prototype._removeScriptTag = function(input) {
-	var div = document.createElement('div');
-    div.innerHTML = s;
-    var scripts = div.getElementsByTagName('script');
-    var i = scripts.length;
-    while (i--) {
-      scripts[i].parentNode.removeChild(scripts[i]);
-    }
-    return div.innerHTML;
-};
-
 
 Refine.DatabaseSourceUI.prototype._validateNewConnectionForm = function() {
     
@@ -480,24 +441,15 @@ Refine.DatabaseSourceUI.prototype._validateNewConnectionForm = function() {
         if(alphaNumConnNameTestResult == false){
         	window.alert($.i18n('database-source/alert-conn-name-invalid-character'));
         	return false;
-        }else if(connectionNameInput.contains("<script>") || connectionNameInput.contains("<img>")){
-        	window.alert($.i18n('database-source/alert-conn-name-invalid-character'));
-        	return false;
         }else if (databaseHostInput.length === 0) {
             window.alert($.i18n('database-source/alert-server'));
             return false;
-        }else if(databaseHostInput.contains("<script>") || databaseHostInput.contains("<img>")){
-        	window.alert($.i18n('database-source/alert-db-host-invalid-character'));
-        	return false;
         }else if(databasePortInput.length === 0){
             window.alert($.i18n('database-source/alert-port'));
             return false;
         }else if(databaseUserInput.length === 0){
             window.alert($.i18n('database-source/alert-user'));
             return false;
-        }else if(databaseUserInput.contains("<script>") || databaseUserInput.contains("<img>")){
-        	window.alert($.i18n('database-source/alert-db-user-invalid-character'));
-        	return false;
         }else if(initialDatabaseInput.length === 0){
             window.alert($.i18n('database-source/alert-initial-database'));
             return false;
diff --git a/extensions/database/src/com/google/refine/extension/database/cmd/SavedConnectionCommand.java b/extensions/database/src/com/google/refine/extension/database/cmd/SavedConnectionCommand.java
index da6311580..a30e2d000 100644
--- a/extensions/database/src/com/google/refine/extension/database/cmd/SavedConnectionCommand.java
+++ b/extensions/database/src/com/google/refine/extension/database/cmd/SavedConnectionCommand.java
@@ -133,35 +133,22 @@ public class SavedConnectionCommand extends DatabaseCommand {
             
             writer.writeStartObject();
             
-            String sanitizedConnName = Encode.forHtml(savedConnection.getConnectionName());
-      
-//            writer.writeStringField("connectionName", savedConnection.getConnectionName());
-            writer.writeStringField("connectionName", sanitizedConnName);
-            
+       
+            writer.writeStringField("connectionName", savedConnection.getConnectionName());
             writer.writeStringField("databaseType", savedConnection.getDatabaseType());
-
-            String sanitizedHost = Encode.forHtml(savedConnection.getDatabaseHost());
-//            writer.writeStringField("databaseHost", savedConnection.getDatabaseHost());
-            writer.writeStringField("databaseHost", sanitizedHost);
-
+            writer.writeStringField("databaseHost", savedConnection.getDatabaseHost());
             writer.writeNumberField("databasePort", savedConnection.getDatabasePort());
-
-            String sanitizedDbName = Encode.forHtml(savedConnection.getDatabaseName());
-//            writer.writeStringField("databaseName", savedConnection.getDatabaseName());
-            writer.writeStringField("databaseName", sanitizedDbName);
+            writer.writeStringField("databaseName", savedConnection.getDatabaseName());
+       
             
             String dbPasswd = savedConnection.getDatabasePassword();
             if(dbPasswd != null && !dbPasswd.isEmpty()) {
                 dbPasswd = DatabaseUtils.decrypt(savedConnection.getDatabasePassword());
             }
             writer.writeStringField("databasePassword", dbPasswd);
+            writer.writeStringField("databaseSchema", savedConnection.getDatabaseSchema());        
+            writer.writeStringField("databaseUser", savedConnection.getDatabaseUser());
 
-            writer.writeStringField("databaseSchema", savedConnection.getDatabaseSchema());
-            String sanitizedDbUser = Encode.forHtml(savedConnection.getDatabaseUser());
-//            writer.writeStringField("databaseUser", savedConnection.getDatabaseUser());
-            writer.writeStringField("databaseUser", sanitizedDbUser);
-            
-            logger.info("Input DB User:{}, SanitizedDbUser:{}", savedConnection.getDatabaseUser(), sanitizedDbUser);
 
             writer.writeEndObject();
             writer.writeEndArray();
diff --git a/extensions/database/tests/src/com/google/refine/extension/database/cmd/SavedConnectionCommandTest.java b/extensions/database/tests/src/com/google/refine/extension/database/cmd/SavedConnectionCommandTest.java
index 3ec4faf3d..762e47e5c 100644
--- a/extensions/database/tests/src/com/google/refine/extension/database/cmd/SavedConnectionCommandTest.java
+++ b/extensions/database/tests/src/com/google/refine/extension/database/cmd/SavedConnectionCommandTest.java
@@ -161,7 +161,7 @@ public class SavedConnectionCommandTest extends DBExtensionTests{
         assertFalse(result.isEmpty(), "Valid response Message expected!");
         
         ObjectNode json = ParsingUtilities.mapper.readValue(result, ObjectNode.class);
-        System.out.println("json:" + json);
+       // System.out.println("json:" + json);
         
         ArrayNode savedConnections = (ArrayNode) json.get("savedConnections");
         Assert.assertNotNull(savedConnections);
@@ -235,7 +235,6 @@ public class SavedConnectionCommandTest extends DBExtensionTests{
         Assert.assertEquals(savedConnections.size(), 1);
         
         ObjectNode sc = (ObjectNode)savedConnections.get(0);
-        //System.out.println("sc" + sc);
         String newDbHost = sc.get("databaseHost").asText();
         Assert.assertEquals(newDbHost, newHost);
     }
@@ -323,7 +322,7 @@ public class SavedConnectionCommandTest extends DBExtensionTests{
         assertFalse(result.isEmpty(), "Valid response Message expected!");
         
         ObjectNode json = ParsingUtilities.mapper.readValue(result, ObjectNode.class);
-        System.out.println("json:" + json);
+        //System.out.println("json:" + json);
         
         ArrayNode savedConnections = (ArrayNode) json.get("savedConnections");
         Assert.assertNotNull(savedConnections);
@@ -333,5 +332,7 @@ public class SavedConnectionCommandTest extends DBExtensionTests{
         Assert.assertEquals(len, 1);
     }
 
+    
+    
 
 }

From 71e76524e5dd069c41589ea993c274619d44de34 Mon Sep 17 00:00:00 2001
From: Antonin Delpeuch <antonin@delpeuch.eu>
Date: Sun, 22 Sep 2019 18:31:38 +0100
Subject: [PATCH 3/3] Fix database connection list rendering and backend unit
 test

---
 .../scripts/index/database-source-ui.js       |  9 ++++++---
 .../cmd/SavedConnectionCommandTest.java       | 20 ++++---------------
 2 files changed, 10 insertions(+), 19 deletions(-)

diff --git a/extensions/database/module/scripts/index/database-source-ui.js b/extensions/database/module/scripts/index/database-source-ui.js
index f65fdd53e..4a4e6e234 100644
--- a/extensions/database/module/scripts/index/database-source-ui.js
+++ b/extensions/database/module/scripts/index/database-source-ui.js
@@ -241,12 +241,15 @@ Refine.DatabaseSourceUI.prototype._editConnection = function(connectionInfo) {
         success: function(settings) {
              if(settings){
               $( "#menuListUl" ).empty();
+              var menuList = $('#menuListUl');
               var items = [];
               $.each(settings.savedConnections,function(index,savedConnection){
 
-                 items.push('<li class="pure-menu-item sc-list"><a href="#" class="pure-menu-link context-menu-one">'
-                    + '<span class="context-menu-text" >' + savedConnection.connectionName + '</span>'
-                    + '<span class="sc-context-more-vert pull-right"> </span></a></li>');
+                 var li = $('<li class="pure-menu-item sc-list"></li>').appendTo(menuList);
+                 var a = $('<a href="#" class="pure-menu-link context-menu-one"></a>').appendTo(li);
+                 $('<span class="context-menu-text"></span>').text(savedConnection.connectionName)
+                      .appendTo(a);
+                 $('<span class="sc-context-more-vert pull-right"> </span>').appendTo(a);
                })
               
               $( "#menuListUl" ).append(items.join(''));
diff --git a/extensions/database/tests/src/com/google/refine/extension/database/cmd/SavedConnectionCommandTest.java b/extensions/database/tests/src/com/google/refine/extension/database/cmd/SavedConnectionCommandTest.java
index 762e47e5c..32ea6fb27 100644
--- a/extensions/database/tests/src/com/google/refine/extension/database/cmd/SavedConnectionCommandTest.java
+++ b/extensions/database/tests/src/com/google/refine/extension/database/cmd/SavedConnectionCommandTest.java
@@ -1,8 +1,9 @@
 package com.google.refine.extension.database.cmd;
 
 import static org.mockito.Mockito.when;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.times;
 import static org.testng.Assert.assertFalse;
-import static org.testng.Assert.assertNotEquals;
 import static org.testng.Assert.assertNotNull;
 
 import java.io.File;
@@ -14,6 +15,7 @@ import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.apache.http.HttpStatus;
 import org.mockito.Mock;
 import org.mockito.MockitoAnnotations;
 import org.testng.Assert;
@@ -281,8 +283,6 @@ public class SavedConnectionCommandTest extends DBExtensionTests{
 
             SUT.doDelete(request, response);
             
-           // String result = sw.getBuffer().toString().trim();
-          
             ObjectNode json = ParsingUtilities.mapper.createObjectNode();
             
             Assert.assertNotNull(json);
@@ -317,19 +317,7 @@ public class SavedConnectionCommandTest extends DBExtensionTests{
        
         SUT.doPost(request, response);
         
-        String result = sw.getBuffer().toString().trim();
-        assertNotNull(result);
-        assertFalse(result.isEmpty(), "Valid response Message expected!");
-        
-        ObjectNode json = ParsingUtilities.mapper.readValue(result, ObjectNode.class);
-        //System.out.println("json:" + json);
-        
-        ArrayNode savedConnections = (ArrayNode) json.get("savedConnections");
-        Assert.assertNotNull(savedConnections);
-        
-        int len = savedConnections.size();
-        
-        Assert.assertEquals(len, 1);
+        verify(response, times(1)).sendError(HttpStatus.SC_BAD_REQUEST, "Connection Name is Invalid. Expecting [a-zA-Z0-9._-]");
     }