# HG changeset patch
# User Sascha L. Teichmann
# Date 1341764057 0
# Node ID 68320805566a25287286974c69bb76df8095dd88
# Parent e01f74c3ec1e048d05107930e97f6b0747e07d42
Removed dynamic XPaths to pervent potential XPath injections.
flys-artifacts/trunk@4902 c6561f87-3c4e-4783-a992-168aeb5c3f6f
diff -r e01f74c3ec1e -r 68320805566a flys-artifacts/ChangeLog
--- a/flys-artifacts/ChangeLog Sun Jul 08 14:55:03 2012 +0000
+++ b/flys-artifacts/ChangeLog Sun Jul 08 16:14:17 2012 +0000
@@ -1,3 +1,8 @@
+2012-07-08 Sascha L. Teichmann
+
+ * src/main/java/de/intevation/flys/collections/FLYSArtifactCollection.java:
+ Removed dynamic XPaths to pervent potential XPath injections.
+
 2012-07-08 Sascha L. Teichmann
 * contrib/themes2html.xsl: New. Transformation to get a better
@@ -147,7 +152,7 @@
 Changed inclusions to include new content file.
 * doc/datacage-config-manual/content.tex: Content from doc/datacage.txt,
- xml formatted.
+ xml formatted.
 2012-07-05 Felix Wolfsteller
diff -r e01f74c3ec1e -r 68320805566a flys-artifacts/src/main/java/de/intevation/flys/collections/FLYSArtifactCollection.java
--- a/flys-artifacts/src/main/java/de/intevation/flys/collections/FLYSArtifactCollection.java Sun Jul 08 14:55:03 2012 +0000
+++ b/flys-artifacts/src/main/java/de/intevation/flys/collections/FLYSArtifactCollection.java Sun Jul 08 16:14:17 2012 +0000
@@ -429,12 +429,18 @@
 CallContext context)
 throws IOException
 {
- log.info("FLYSArtifactCollection.doOut: " + outName);
+ boolean debug = log.isDebugEnabled();
+
+ if (debug) {
+ log.debug("FLYSArtifactCollection.doOut: " + outName);
+ }
 ThemeList themeList = new ThemeList(attributes);
 int size = themeList.size();
- log.debug("Output will contain " + size + " elements.");
+ if (debug) {
+ log.debug("Output will contain " + size + " elements.");
+ }
 List dataProviders = doBlackboardPass(themeList, context);
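Review bot: The `log.info` call at the top of `doOut` is demoted to `log.debug` (the same happens to `initItemAttribute` in the @@ -874 hunk), which changes what operators see at the default log level, yet neither the commit message nor the new ChangeLog entry mentions it; either document it in the ChangeLog line (`Also lowered the doOut/initItemAttribute entry messages from info to debug.`) or keep the single entry-point message at info. Caching `log.isDebugEnabled()` in the local `debug` is reasonable here, since the level is not expected to change within one call, but note that most logging frameworks re-check the level inside `log.debug` anyway, so the guard only saves the string concatenation. `doOut` continues past the end of this hunk.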
@@ -451,7 +457,7 @@
 String art = theme.getArtifact();
 String facetName = theme.getName();
- if (log.isDebugEnabled()) {
+ if (debug) {
 log.debug("Do output for...");
 log.debug("... artifact: " + art);
 log.debug("... facet: " + facetName);
@@ -624,11 +630,15 @@
 {
 Document attr = cAttr.toXML();
+ Map vars = new HashMap();
+ vars.put("output", output);
+
 Node out = (Node) XMLUtils.xpath(
 attr,
- "art:attribute/art:outputs/art:output[@name='" + output + "']",
+ "art:attribute/art:outputs/art:output[@name=$output]",
 XPathConstants.NODE,
- ArtifactNamespaceContext.INSTANCE);
+ ArtifactNamespaceContext.INSTANCE,
+ vars);
 if (out != null) {
@@ -731,7 +741,14 @@
 CallContext context)
 throws ArtifactDatabaseException
 {
- log.debug("FLYSArtifactCollection.getFacetThemeFromAttribute(facet=" + facet + ", index=" + index);
+ boolean debug = log.isDebugEnabled();
+
+ if (debug) {
+ log.debug(
+ "FLYSArtifactCollection.getFacetThemeFromAttribute(facet=" +
+ facet + ", index=" + index);
+ }
+
 ArtifactDatabase db = context.getDatabase();
 CallMeta meta = context.getMeta();
@@ -750,7 +767,9 @@
 }
 }
- log.debug("Search attribute of collection item: " + uuid);
+ if (debug) {
+ log.debug("Search attribute of collection item: " + uuid);
+ }
 Node tmp = (Node) XMLUtils.xpath(
 attr,
@@ -763,14 +782,20 @@
 return null;
 }
- log.debug("Search theme for facet '" + facet + "' in attribute.");
+ if (debug) {
+ log.debug("Search theme for facet '" + facet + "' in attribute.");
+ }
+
+ Map vars = new HashMap();
+ vars.put("facet", facet);
+ vars.put("index", String.valueOf(index));
 Node theme = (Node) XMLUtils.xpath(
 tmp,
- "art:themes/theme[@facet='" + facet +
- "' and @index='" + String.valueOf(index) + "']",
+ "art:themes/theme[@facet=$facet and @index=$index]",
 XPathConstants.NODE,
- ArtifactNamespaceContext.INSTANCE);
+ ArtifactNamespaceContext.INSTANCE,
+ vars);
 if (theme == null) {
 log.warn("Could not find the theme in attribute of: " + facet + " " + uuid);
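Review bot: The hardening in the @@ -624 and @@ -763 hunks only holds if the five-argument `XMLUtils.xpath` overload hands `vars` to the evaluator through an `XPathVariableResolver`; that overload is outside this diff, so please confirm it does not rebuild the expression string from the map before calling this done. A one-line comment at each `Map vars = new HashMap();` site would preserve the intent for the next maintainer, e.g. `// bound as XPath variables, not concatenated, so quotes in the value cannot alter the expression`. Binding `index` as `String.valueOf(index)` keeps the former string-equality semantics of `@index='…'`, which is correct as long as the attribute is written the same way; binding the `int` directly would switch to numeric comparison. A null `output` or `facet` is now passed to the resolver instead of yielding the literal `'null'` in the expression; whether that ends in an `XPathExpressionException` depends on `XMLUtils.xpath`, so a null guard before `vars.put` or a test for that case is worth adding.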
@@ -846,8 +871,6 @@
 try {
 setCollectionItemAttribute(uuid, attr, context);
-
- //log.debug("addThemeToAttribute: Successfully added theme to item attribute: " + XMLUtils.toString(attr));
 }
 catch (ArtifactDatabaseException e) {
 // do nothing
@@ -874,7 +897,11 @@
 String outName,
 CallContext context)
 {
- log.info("FLYSArtifactCollection.initItemAttribute");
+ boolean debug = log.isDebugEnabled();
+
+ if (debug) {
+ log.debug("FLYSArtifactCollection.initItemAttribute");
+ }
 Theme t = getThemeForFacet(uuid, facet, pattern, index, outName, context);
@@ -886,7 +913,10 @@
 Document attr = XMLUtils.newDocument();
 addThemeToAttribute(uuid, attr, t, context);
- log.debug("initItemAttribute for facet " + facet + ": " + XMLUtils.toString(attr));
+ if (debug) {
+ log.debug("initItemAttribute for facet " + facet + ": " +
+ XMLUtils.toString(attr));
+ }
 return attr;
 }