Removed all escaping for controlled email variables

davidjgonzalez · davidjgonzalez · commit 688ddb2a2684 · 2023-04-18T15:15:09.000-04:00
diff --git a/all/pom.xml b/all/pom.xml
@@ -184,7 +184,7 @@
                     <plugin>
                         <groupId>com.adobe.aem</groupId>
                         <artifactId>aemanalyser-maven-plugin</artifactId>
-                        <version>1.4.20</version> <!-- Make sure to use the latest release -->
+                        <version>1.5.8</version> <!-- Make sure to use the latest release -->
                         <executions>
                             <execution>
                                 <id>aem-analyser</id>
diff --git a/core/src/main/java/com/adobe/aem/commons/assetshare/components/actions/share/ShareService.java b/core/src/main/java/com/adobe/aem/commons/assetshare/components/actions/share/ShareService.java
@@ -43,7 +43,7 @@ public interface ShareService {
      *
      * @param request         the request that provides context of which Asset Share instance the request is coming to.
      * @param response        the response
-     * @param shareParameters a &lt;String, Object&gt; map or parameters; This is initially constructed from the request.getParameterMap() but can be augmented in the ShareService implementationa s needed.
+     * @param shareParameters a &lt;String, Object&gt; map or parameters; This is initially constructed from the request.getParameterMap() but can be augmented in the ShareService implementation as needed.
      * @throws ShareException is thrown if an error occurs with sharing (required share params are missing) or with the sharing initiation itself.
      */
     void share(SlingHttpServletRequest request, SlingHttpServletResponse response, ValueMap shareParameters) throws ShareException;
diff --git a/core/src/main/java/com/adobe/aem/commons/assetshare/components/actions/share/impl/EmailShareServiceImpl.java b/core/src/main/java/com/adobe/aem/commons/assetshare/components/actions/share/impl/EmailShareServiceImpl.java
@@ -37,6 +37,7 @@
 import com.adobe.aem.commons.assetshare.content.AssetModel;
 import com.adobe.aem.commons.assetshare.util.EmailService;
 import com.adobe.aem.commons.assetshare.util.RequireAem;
+import com.adobe.cq.commerce.common.ValueMapDecorator;
 import com.adobe.granite.security.user.UserProperties;
 import com.adobe.granite.security.user.UserPropertiesManager;
 import com.day.cq.commons.Externalizer;
@@ -66,6 +67,7 @@
 import org.slf4j.LoggerFactory;
 
 import javax.jcr.RepositoryException;
+import javax.jcr.Value;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.HashMap;
@@ -116,6 +118,8 @@ public boolean accepts(final SlingHttpServletRequest request) {
 
     @Override
     public final void share(final SlingHttpServletRequest request, final SlingHttpServletResponse response, final ValueMap shareParameters) throws ShareException {
+        final ValueMap unprotectedShareParameters = new ValueMapDecorator(new HashMap<>());
+        unprotectedShareParameters.putAll(shareParameters);
 
         /** Work around for regression issue introduced in AEM 6.4 **/
         SlingBindings bindings = new SlingBindings();
@@ -127,10 +131,11 @@ public final void share(final SlingHttpServletRequest request, final SlingHttpSe
         final EmailShare emailShare = request.adaptTo(EmailShare.class);
 
         shareParameters.putAll(xssProtectUserData(emailShare.getUserData()));
-        //shareParameters.putAll(emailShare.getUserData());
+        unprotectedShareParameters.putAll(emailShare.getUserData());
 
         // Configured data supersedes user data
         shareParameters.putAll(emailShare.getConfiguredData());
+        unprotectedShareParameters.putAll(emailShare.getConfiguredData());
 
         // Except for signature which we may or may  not want to use from configured data, depending on flags in configured data
         shareParameters.put(SIGNATURE, getSignature(emailShare, userProperties));
@@ -141,12 +146,12 @@ public final void share(final SlingHttpServletRequest request, final SlingHttpSe
             shareParameters.put(EmailService.REPLY_TO, replyToAddress);
         }
 
-        share(request.adaptTo(Config.class), shareParameters, StringUtils.defaultIfBlank(emailShare.getEmailTemplatePath(), cfg.emailTemplate()));
+        share(request.adaptTo(Config.class), unprotectedShareParameters, shareParameters, StringUtils.defaultIfBlank(emailShare.getEmailTemplatePath(), cfg.emailTemplate()));
     }
 
-    private final void share(final Config config, final ValueMap shareParameters, final String emailTemplatePath) throws ShareException {
-        final String[] emailAddresses = StringUtils.split(shareParameters.get(EMAIL_ADDRESSES, ""), ",");
-        final String[] assetPaths = Arrays.stream(shareParameters.get(ASSET_PATHS, ArrayUtils.EMPTY_STRING_ARRAY))
+    private final void share(final Config config, final ValueMap unprotectedShareParameters, final ValueMap shareParameters, final String emailTemplatePath) throws ShareException {
+        final String[] emailAddresses = StringUtils.split(unprotectedShareParameters.get(EMAIL_ADDRESSES, ""), ",");
+        final String[] assetPaths = Arrays.stream(unprotectedShareParameters.get(ASSET_PATHS, ArrayUtils.EMPTY_STRING_ARRAY))
                 .filter(StringUtils::isNotBlank)
                 .map(path -> config.getResourceResolver().getResource(path))
                 .filter(Objects::nonNull)
@@ -163,7 +168,7 @@ private final void share(final Config config, final ValueMap shareParameters, fi
         }
 
         // Convert provided params to <String, String>; anything that needs to be accessed in its native type should be accessed and manipulated via shareParameters.get(..)
-        final Map<String, String> emailParameters = new HashMap<String, String>();
+        final Map<String, String> emailParameters = new HashMap<>();
         for (final String key : shareParameters.keySet()) {
             emailParameters.put(key, shareParameters.get(key, String.class));
         }
@@ -288,7 +293,6 @@ private boolean isValidUser(SlingHttpServletRequest request) {
     private Map<String, Object> xssProtectUserData(Map<String, Object> dirtyUserData) {
         Map<String, Object> cleanUserData = new HashMap<String, Object>();
         for (final Map.Entry<String, Object> entry : dirtyUserData.entrySet()) {
-
             if (entry.getValue() instanceof String[]) {
                 cleanUserData.put(entry.getKey(), xssCleanData((String[]) entry.getValue()));
             } else if (entry.getValue() instanceof String) {
diff --git a/core/src/main/java/com/adobe/aem/commons/assetshare/components/actions/share/impl/ShareServlet.java b/core/src/main/java/com/adobe/aem/commons/assetshare/components/actions/share/impl/ShareServlet.java
@@ -82,7 +82,7 @@ private final void share(SlingHttpServletRequest request, SlingHttpServletRespon
                     try {
                         shareService.share(request, response,
                                 // Make map write-able
-                                new ValueMapDecorator(new HashMap<String, Object>(request.getParameterMap())));
+                                new ValueMapDecorator(new HashMap<>(request.getParameterMap())));
                         counter.incrementAndGet();
                     } catch (ShareException e) {
                         if (log.isErrorEnabled()) {
@@ -96,7 +96,7 @@ private final void share(SlingHttpServletRequest request, SlingHttpServletRespon
             if (counter.get() == 0) {
                 defaultShareService.share(request, response,
                         // Make map write-able
-                        new ValueMapDecorator(new HashMap<String, Object>(request.getParameterMap())));
+                        new ValueMapDecorator(new HashMap<>(request.getParameterMap())));
             }
         } catch (ShareException ex) {
             log.error("Unable to share assets from Asset Share Commons", ex);
diff --git a/pom.xml b/pom.xml
@@ -72,7 +72,7 @@
         <!-- the minimum AEM 6.5 version being supported -->
         <aem.classic.api.version>6.5.7.0003</aem.classic.api.version><!-- actually one of https://repo1.maven.org/maven2/io/wcm/maven/io.wcm.maven.aem-dependencies/ -->
         <!-- the minimum AEMaaCS version being supported -->
-        <aem.sdk.api.version>2022.9.8722.20220912T101352Z-220800</aem.sdk.api.version><!-- actually one of https://repo1.maven.org/maven2/com/adobe/aem/aem-sdk-api/ -->
+        <aem.sdk.api.version>2023.3.11382.20230315T073850Z-230200</aem.sdk.api.version><!-- actually one of https://repo1.maven.org/maven2/com/adobe/aem/aem-sdk-api/ -->
         <core.wcm.components.version>2.17.14</core.wcm.components.version>
         <frontend-maven-plugin.version>1.9.0</frontend-maven-plugin.version>
         <node.version>v13.7.0</node.version>

Original file line number	Diff line number	Diff line change
`@@ -43,7 +43,7 @@ public interface ShareService {`
`43`	`43`	`*`
`44`	`44`	`* @param request the request that provides context of which Asset Share instance the request is coming to.`
`45`	`45`	`* @param response the response`
`46`		`- * @param shareParameters a <String, Object> map or parameters; This is initially constructed from the request.getParameterMap() but can be augmented in the ShareService implementationa s needed.`
	`46`	`+ * @param shareParameters a <String, Object> map or parameters; This is initially constructed from the request.getParameterMap() but can be augmented in the ShareService implementation as needed.`
`47`	`47`	`* @throws ShareException is thrown if an error occurs with sharing (required share params are missing) or with the sharing initiation itself.`
`48`	`48`	`*/`
`49`	`49`	`void share(SlingHttpServletRequest request, SlingHttpServletResponse response, ValueMap shareParameters) throws ShareException;`