From b0491588644686391fc8191ced2c04a1fc4fccb8 Mon Sep 17 00:00:00 2001
From: Georgy Litvinov <git@litvinovg.pro>
Date: Fri, 23 Jun 2023 16:29:52 +0200
Subject: [PATCH] limit callback to only used values (#3896)

Co-authored-by: Georgy Litvinov <georgy.litvinov@tib.eu>
---
 .../capabilitymap/CapabilityMapRequestHandler.java     | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/visualization/capabilitymap/CapabilityMapRequestHandler.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/visualization/capabilitymap/CapabilityMapRequestHandler.java
index 60baa82d72..5928f644b6 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/visualization/capabilitymap/CapabilityMapRequestHandler.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/visualization/capabilitymap/CapabilityMapRequestHandler.java
@@ -31,12 +31,18 @@
 import edu.cornell.mannlib.vitro.webapp.visualization.visutils.VisualizationRequestHandler;
 import org.apache.commons.logging.Log;
 
+import java.util.Arrays;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.Map;
 import java.util.Set;
 
 public class CapabilityMapRequestHandler implements VisualizationRequestHandler {
+    
+    private static final String IPRET_FULL_RESULTS = "ipretFullResults";
+    private static final String IPRET_RESULTS = "ipretResults";
+    private static Set<String> callbackValues = new HashSet<String>(Arrays.asList(IPRET_FULL_RESULTS, IPRET_RESULTS));
+    
     @Override
     public AuthorizationRequest getRequiredPrivileges() {
         return null;
@@ -109,7 +115,7 @@ public Object generateAjaxVisualization(VitroRequest vitroRequest, Log log, Data
             ObjectMapper mapper = new ObjectMapper();
 
             String callback = vitroRequest.getParameter("callback");
-            if (!StringUtils.isEmpty(callback)) {
+            if (!StringUtils.isEmpty(callback) && callbackValues.contains(callback)) {
                 return callback + "(" + mapper.writeValueAsString(response) + ");";
             }
             return mapper.writeValueAsString(response);
@@ -162,7 +168,7 @@ public Object generateAjaxVisualization(VitroRequest vitroRequest, Log log, Data
 
             ObjectMapper mapper = new ObjectMapper();
             String callback = vitroRequest.getParameter("callback");
-            if (!StringUtils.isEmpty(callback)) {
+            if (!StringUtils.isEmpty(callback) && callbackValues.contains(callback)) {
                 return callback + "(" + mapper.writeValueAsString(response) + ");";
             }
             return mapper.writeValueAsString(response);