From 494dfba063587187609bc6f7396990dd9a29eeb6 Mon Sep 17 00:00:00 2001
From: Arnaud Roques
Date: Sat, 22 Jan 2022 13:03:15 +0100
Subject: [PATCH] textarea improvement

---
 SECURITY.md | 12 ++++++
 .../plantuml/servlet/PlantUmlServlet.java | 38 +++++++++++++++++++
 src/main/webapp/index.jsp | 2 +-
 3 files changed, 51 insertions(+), 1 deletion(-)
 create mode 100644 SECURITY.md

diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..431e43c
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,12 @@
+# Security Policy
+
+
+
+## Reporting a Vulnerability
+
+If you find any security concern, please send a mail to plantuml@gmail.com
+with title **Security concern**.
+
+We will then study the concern and will answer back by email.
+
+Thanks!
diff --git a/src/main/java/net/sourceforge/plantuml/servlet/PlantUmlServlet.java b/src/main/java/net/sourceforge/plantuml/servlet/PlantUmlServlet.java
index 60164c3..6166c0d 100644
--- a/src/main/java/net/sourceforge/plantuml/servlet/PlantUmlServlet.java
+++ b/src/main/java/net/sourceforge/plantuml/servlet/PlantUmlServlet.java
@@ -77,6 +77,44 @@ public class PlantUmlServlet extends HttpServlet {
 OptionFlags.ALLOW_INCLUDE = true;
 }
 }
+
+ public static String stringToHTMLString(String string) {
+ final StringBuffer sb = new StringBuffer(string.length());
+ // true if last char was blank
+ final int length = string.length();
+ for (int offset = 0; offset < length; ) {
+ final int c = string.codePointAt(offset);
+ if (c == ' ')
+ sb.append(' ');
+ else if (c == '"')
+ sb.append(""");
+ else if (c == '&')
+ sb.append("&");
+ else if (c == '<')
+ sb.append("<");
+ else if (c == '>')
+ sb.append(">");
+ else if (c == '\r')
+ sb.append("\r");
+ else if (c == '\n')
+ sb.append("\n");
+ else {
+ int ci = 0xffffff & c;
+ if (ci < 160)
+ // nothing special only 7 Bit
+ sb.append((char)c);
+ else {
+ // Not 7 Bit use the unicode system
+ sb.append("&#");
+ sb.append(ci);
+ sb.append(';');
+ }
+ }
+ offset += Character.charCount(c);
+ }
+ return sb.toString();
+ }
+
 @Override
 public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException,
 ServletException {
diff --git a/src/main/webapp/index.jsp b/src/main/webapp/index.jsp
index 42711bc..2394c58 100644
--- a/src/main/webapp/index.jsp
+++ b/src/main/webapp/index.jsp
@@ -57,7 +57,7 @@ <%-- CONTENT --%>
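Review bot: In this rendering of the patch the replacement strings in `stringToHTMLString` for `"`, `&`, `<` and `>` appear as the bare characters themselves (`sb.append("<")` on the `c == '<'` branch), which would make the escape a no-op; that is most likely entity decoding by the viewer rather than the committed text, but since this helper is the HTML-escaping boundary for user-supplied diagram text it is worth confirming the source appends the named references. The helper also has no Javadoc and carries a stale comment, `// true if last char was blank`, that refers to no variable; replace it with a header stating that the method escapes text for HTML element content and double-quoted attribute values, that `'` is left untouched so single-quoted attribute contexts are not covered, and that code points at or above 160 are emitted as decimal character references while lower ones (including C0/C1 controls other than CR and LF) are appended as-is. Two smaller points: `StringBuffer` can be `StringBuilder` (`final StringBuilder sb = new StringBuilder(string.length());`) because the buffer never leaves the method, and `0xffffff & c` is redundant since `codePointAt` never returns a negative value. The enclosing class continues outside the hunk; the `doGet` lines at the hunk's end are context only.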

- +