001    /**
002     * Copyright (c) 2000-2013 Liferay, Inc. All rights reserved.
003     *
004     * This library is free software; you can redistribute it and/or modify it under
005     * the terms of the GNU Lesser General Public License as published by the Free
006     * Software Foundation; either version 2.1 of the License, or (at your option)
007     * any later version.
008     *
009     * This library is distributed in the hope that it will be useful, but WITHOUT
010     * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
011     * FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
012     * details.
013     */
014    
015    package com.liferay.portlet.xslcontent.action;
016    
017    import com.liferay.portal.kernel.portlet.DefaultConfigurationAction;
018    import com.liferay.portal.kernel.servlet.SessionErrors;
019    import com.liferay.portal.kernel.util.ArrayUtil;
020    import com.liferay.portal.kernel.util.StringUtil;
021    import com.liferay.portal.kernel.util.WebKeys;
022    import com.liferay.portal.theme.ThemeDisplay;
023    
024    import java.net.MalformedURLException;
025    import java.net.URL;
026    
027    import javax.portlet.ActionRequest;
028    import javax.portlet.ActionResponse;
029    import javax.portlet.PortletConfig;
030    
031    /**
032     * @author Brian Wing Shun Chan
033     * @author Hugo Huijser
034     */
public class ConfigurationActionImpl extends DefaultConfigurationAction {

	/**
	 * Checks the submitted {@code xmlUrl} and {@code xslUrl} parameters, then
	 * hands the request to the superclass implementation.
	 *
	 * <p>
	 * A failed check only records a session error; this method always goes on
	 * to call {@code super.processAction}. NOTE(review): whether a recorded
	 * error stops the configuration from being saved is decided in
	 * {@code DefaultConfigurationAction}, which is not visible here. Confirm
	 * before relying on this check as an enforcement point.
	 * </p>
	 *
	 * @param  portletConfig the portlet configuration, passed through to the
	 *         superclass
	 * @param  actionRequest the request carrying the URL parameters
	 * @param  actionResponse the response, passed through to the superclass
	 * @throws Exception if the superclass implementation fails
	 */
	@Override
	public void processAction(
			PortletConfig portletConfig, ActionRequest actionRequest,
			ActionResponse actionResponse)
		throws Exception {

		validateUrls(actionRequest);

		super.processAction(portletConfig, actionRequest, actionResponse);
	}

	/**
	 * Returns whether the given string parses as a URL whose protocol is one
	 * of {@link #_PROTOCOLS}.
	 *
	 * <p>
	 * Only the protocol is examined. Host, port and path are not restricted
	 * by this method.
	 * </p>
	 *
	 * @param  xmlURL the URL string to check
	 * @return {@code true} if the string is a well-formed URL with an allowed
	 *         protocol; {@code false} if it is malformed or uses any other
	 *         protocol
	 */
	protected boolean hasAllowedProtocol(String xmlURL) {
		URL parsedURL;

		try {
			parsedURL = new URL(xmlURL);
		}
		catch (MalformedURLException malformedURLException) {

			// An unparseable value is treated the same as a disallowed one

			return false;
		}

		return ArrayUtil.contains(_PROTOCOLS, parsedURL.getProtocol());
	}

	/**
	 * Validates the {@code xmlUrl} and {@code xslUrl} request parameters and
	 * records a session error, keyed by the parameter name, for each one that
	 * fails {@link #hasAllowedProtocol(String)}.
	 *
	 * <p>
	 * The check runs when the configuration is submitted. NOTE(review): this
	 * class does not show whether the stored URLs are checked again when they
	 * are fetched. Confirm against the code that loads them.
	 * </p>
	 *
	 * @param actionRequest the request carrying the URL parameters and the
	 *        {@code WebKeys.THEME_DISPLAY} attribute
	 */
	protected void validateUrls(ActionRequest actionRequest) {
		ThemeDisplay themeDisplay = (ThemeDisplay)actionRequest.getAttribute(
			WebKeys.THEME_DISPLAY);

		_validateUrl(actionRequest, themeDisplay, "xmlUrl");
		_validateUrl(actionRequest, themeDisplay, "xslUrl");
	}

	/**
	 * Validates one URL parameter, adding a session error under the parameter
	 * name when its protocol is not allowed.
	 */
	private void _validateUrl(
		ActionRequest actionRequest, ThemeDisplay themeDisplay,
		String parameterName) {

		// The "@portal_url@" token is expanded first, so the protocol check
		// sees the URL with the portal URL substituted in.

		String resolvedUrl = StringUtil.replace(
			getParameter(actionRequest, parameterName), "@portal_url@",
			themeDisplay.getPortalURL());

		if (hasAllowedProtocol(resolvedUrl)) {
			return;
		}

		SessionErrors.add(actionRequest, parameterName);
	}

	// Protocols accepted for the XML and XSL URLs; anything else is rejected.

	private static final String[] _PROTOCOLS = {"http", "https"};

}