wso2 · sadilchamishka · Nov 18, 2024 · Nov 16, 2024 · Nov 16, 2024 · Nov 18, 2024
diff --git a/...ava/org/wso2/carbon/identity/organization/management/service/OrganizationManagerImpl.java b/...ava/org/wso2/carbon/identity/organization/management/service/OrganizationManagerImpl.java
@@ -93,6 +93,7 @@
 import static org.wso2.carbon.identity.organization.management.service.constant.OrganizationManagementConstants.ErrorMessages.ERROR_CODE_NO_PARENT_ORG;
 import static org.wso2.carbon.identity.organization.management.service.constant.OrganizationManagementConstants.ErrorMessages.ERROR_CODE_ORGANIZATION_HAS_CHILD_ORGANIZATIONS;
 import static org.wso2.carbon.identity.organization.management.service.constant.OrganizationManagementConstants.ErrorMessages.ERROR_CODE_ORGANIZATION_ID_UNDEFINED;
+import static org.wso2.carbon.identity.organization.management.service.constant.OrganizationManagementConstants.ErrorMessages.ERROR_CODE_ORGANIZATION_NAME_CONTAINS_HTML_CONTENT;
 import static org.wso2.carbon.identity.organization.management.service.constant.OrganizationManagementConstants.ErrorMessages.ERROR_CODE_ORGANIZATION_NAME_EXIST_IN_CHILD_ORGANIZATIONS;
 import static org.wso2.carbon.identity.organization.management.service.constant.OrganizationManagementConstants.ErrorMessages.ERROR_CODE_ORGANIZATION_NAME_RESERVED;
 import static org.wso2.carbon.identity.organization.management.service.constant.OrganizationManagementConstants.ErrorMessages.ERROR_CODE_ORGANIZATION_NOT_FOUND_FOR_TENANT;
@@ -150,6 +151,7 @@
 import static org.wso2.carbon.identity.organization.management.service.util.Utils.getUserId;
 import static org.wso2.carbon.identity.organization.management.service.util.Utils.handleClientException;
 import static org.wso2.carbon.identity.organization.management.service.util.Utils.handleServerException;
+import static org.wso2.carbon.identity.organization.management.service.util.Utils.hasHtmlContent;
 import static org.wso2.carbon.identity.organization.management.service.util.Utils.isSubOrganization;
 
 /**
@@ -754,6 +756,9 @@ private void validateOrganizationNameField(String organizationName) throws Organ
         if (StringUtils.equalsIgnoreCase(SUPER, organizationName)) {
             throw handleClientException(ERROR_CODE_ORGANIZATION_NAME_RESERVED, SUPER);
         }
+        if (hasHtmlContent(organizationName)) {
+            throw handleClientException(ERROR_CODE_ORGANIZATION_NAME_CONTAINS_HTML_CONTENT);
+        }
     }
 
     private void validateParentOrganization(Organization organization) throws OrganizationManagementException {

diff --git a/...on/identity/organization/management/service/constant/OrganizationManagementConstants.java b/...on/identity/organization/management/service/constant/OrganizationManagementConstants.java
@@ -380,6 +380,8 @@ public enum ErrorMessages {
                 "The shared user profile attributes are read only."),
         ERROR_CODE_ORGANIZATION_OWNER_NOT_EXIST("60096", "The assigned organization owner does not exist ",
                 "The assigned organization owner is not found in the tenant with ID: %s"),
+        ERROR_CODE_ORGANIZATION_NAME_CONTAINS_HTML_CONTENT("60097", "Invalid organization name.",
+                "HTML content is not allowed in organization name."),
 
         // Server errors.
         ERROR_CODE_UNEXPECTED("65001", "Unexpected processing error",

diff --git a/...ce/src/main/java/org/wso2/carbon/identity/organization/management/service/util/Utils.java b/...ce/src/main/java/org/wso2/carbon/identity/organization/management/service/util/Utils.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2022-2023, WSO2 LLC. (http://www.wso2.com).
+ * Copyright (c) 2022-2024, WSO2 LLC. (http://www.wso2.com).
  *
  * WSO2 LLC. licenses this file to you under the Apache License,
  * Version 2.0 (the "License"); you may not use this file except
@@ -29,8 +29,6 @@
 import org.wso2.carbon.database.utils.jdbc.exceptions.DataAccessException;
 import org.wso2.carbon.identity.organization.management.service.OrganizationManager;
 import org.wso2.carbon.identity.organization.management.service.OrganizationManagerImpl;
-import org.wso2.carbon.identity.organization.management.service.OrganizationUserResidentResolverService;
-import org.wso2.carbon.identity.organization.management.service.OrganizationUserResidentResolverServiceImpl;
 import org.wso2.carbon.identity.organization.management.service.constant.OrganizationManagementConstants;
 import org.wso2.carbon.identity.organization.management.service.exception.OrganizationManagementClientException;
 import org.wso2.carbon.identity.organization.management.service.exception.OrganizationManagementException;
@@ -51,6 +49,7 @@
 import java.util.Arrays;
 import java.util.List;
 import java.util.UUID;
+import java.util.regex.Pattern;
 
 import javax.sql.DataSource;
 
@@ -74,9 +73,8 @@ public class Utils {
 
     private static final Log LOG = LogFactory.getLog(Utils.class);
     private static DataSource dataSource;
-    private static final OrganizationUserResidentResolverService organizationUserResidentResolverService =
-            new OrganizationUserResidentResolverServiceImpl();
     private static final OrganizationManager organizationManager = new OrganizationManagerImpl();
+    private static final Pattern htmlContentPattern = Pattern.compile(".*<[^>]+(/>|>.*?</[^>]+>).*");
 
     /**
      * Throw an OrganizationManagementClientException upon client side error in organization management.
@@ -629,4 +627,10 @@ public static boolean isLegacyAuthzRuntime() {
 
         return CarbonConstants.ENABLE_LEGACY_AUTHZ_RUNTIME;
     }
+
+    public static boolean hasHtmlContent(String orgName) {
+
+        return htmlContentPattern.matcher(orgName).find();
+    }
+
 }
diff --git a/...org/wso2/carbon/identity/organization/management/service/OrganizationManagerImplTest.java b/...org/wso2/carbon/identity/organization/management/service/OrganizationManagerImplTest.java
@@ -77,6 +77,7 @@ public class OrganizationManagerImplTest {
     private static final String ORG2_NAME = "XYZ Builders";
     private static final String ORG3_NAME = "Greater";
     private static final String NON_EXISTING_ORG_NAME = "Dummy Builders";
+    private static final String ORG_NAME_WITH_HTML_CONTENT = "<a href=\"evil.com\">Click me</a>";
     private static final String NEW_ORG1_NAME = "ABC Builders New";
     private static final String ORG_DESCRIPTION = "This is a construction company.";
     private static final String NEW_ORG_NAME = "New Org";
@@ -275,6 +276,14 @@ public void testAddOrganizationWithReservedName() throws Exception {
         organizationManager.addOrganization(organization);
     }
 
+    @Test(expectedExceptions = OrganizationManagementClientException.class)
+    public void testAddOrganizationWithNameIncludeHTMLContent() throws Exception {
+
+        Organization organization = getOrganization(UUID.randomUUID().toString(), ORG_NAME_WITH_HTML_CONTENT,
+                ORG_DESCRIPTION, ORG1_NAME, TENANT.toString());
+        organizationManager.addOrganization(organization);
+    }
+
     @DataProvider(name = "dataForAddOrganizationRequiredFieldsMissing")
     public Object[][] dataForAddOrganizationRequiredFieldsMissing() {