Add Improvements

[e19166]

Add Improvements

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR changes four JSP locations across two distributions to apply context-appropriate escaping: the resend-confirmation link now uses cleaned query strings that are HTML-attribute-encoded, and invite/password-reset-complete pages now HTML-escape displayed usernames.

Changes

Output Encoding Fixes

Layer / File(s)	Summary
Resend confirmation link query encoding all-in-one-apim/modules/distribution/product/src/main/extensions/basicauth.jsp, api-control-plane/modules/distribution/product/src/main/extensions/basicauth.jsp	The resend-confirmation-email link builds its href using AuthenticationEndpointUtil.cleanErrorMessages(request.getQueryString()) and applies Encode.forHtmlAttribute(...) to the cleaned query portion instead of previously applying Encode.forJava(...) before cleaning.
Username HTML-escape in invite UI all-in-one-apim/modules/distribution/product/src/main/extensions/password-reset-complete.jsp, api-control-plane/modules/distribution/product/src/main/extensions/password-reset-complete.jsp	The invite/password-reset-complete success messages now render the username value using Encode.forHtml(username) rather than outputting it unescaped.

---

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 inconclusive)

Check name	Status	Explanation	Resolution
Title check	❓ Inconclusive	The title 'Add Improvements' is vague and generic, using non-descriptive language that fails to convey what specific improvements are being made.	Use a more specific title that describes the actual changes, such as 'Add HTML attribute encoding for JSP security' or similar to clearly indicate the purpose of the changes.
Description check	❓ Inconclusive	The description 'Add Improvements' is vague and generic, providing no meaningful information about what changes were made or why.	Provide a detailed description explaining the security improvements, affected files, and the rationale for the HTML attribute encoding changes.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

api-control-plane/modules/distribution/product/src/main/extensions/basicauth.jsp (1)

560-562: ⚡ Quick win

Simplify the resend link by precomputing the href outside the attribute.

The nested JSP expressions with mixed encoding (forHtml + forHtmlAttribute) within the href attribute is fragile and harder to maintain. Build the URL in a local variable and apply forHtmlAttribute once at the sink instead.

+    String resendConfirmationHref = "login.do?resend_username="
+            + URLEncoder.encode(request.getParameter("failedUsername"), UTF_8)
+            + "&"
+            + AuthenticationEndpointUtil.cleanErrorMessages(request.getQueryString());
...
-                href="login.do?resend_username=<%=Encode.forHtml(URLEncoder.encode(request.getParameter("failedUsername"), UTF_8))%>&<%=Encode.forHtmlAttribute(AuthenticationEndpointUtil.cleanErrorMessages(request.getQueryString()))%>"
+                href="<%=Encode.forHtmlAttribute(resendConfirmationHref)%>"

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@api-control-plane/modules/distribution/product/src/main/extensions/basicauth.jsp`
around lines 560 - 562, Precompute the resend URL into a local JSP variable
instead of nesting expressions inside the href on the element with id
"registerLink": build a String (e.g., resendUrl) by URL-encoding
request.getParameter("failedUsername") with URLEncoder.encode(..., UTF_8),
append the cleaned query string from
AuthenticationEndpointUtil.cleanErrorMessages(request.getQueryString()), then
apply Encode.forHtmlAttribute once when emitting the href (e.g.,
href="<%=Encode.forHtmlAttribute(resendUrl)%>"). Update the anchor with
data-testid="login-page-resend-confirmation-email-link" to reference that
variable.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@all-in-one-apim/modules/distribution/product/src/main/extensions/basicauth.jsp`:
- Around line 560-562: The href attribute on the anchor with id "registerLink"
mixes Encode.forHtml and Encode.forHtmlAttribute; instead precompute the full
URL string in a scriptlet/local variable (use
URLEncoder.encode(request.getParameter("failedUsername"), UTF_8) and
AuthenticationEndpointUtil.cleanErrorMessages(request.getQueryString()) to build
the query), then apply Encode.forHtmlAttribute(...) once to the entire href when
rendering the attribute; update the reference to use that variable and remove
the mixed encodings so the entire attribute value is consistently encoded.

---

Nitpick comments:
In
`@api-control-plane/modules/distribution/product/src/main/extensions/basicauth.jsp`:
- Around line 560-562: Precompute the resend URL into a local JSP variable
instead of nesting expressions inside the href on the element with id
"registerLink": build a String (e.g., resendUrl) by URL-encoding
request.getParameter("failedUsername") with URLEncoder.encode(..., UTF_8),
append the cleaned query string from
AuthenticationEndpointUtil.cleanErrorMessages(request.getQueryString()), then
apply Encode.forHtmlAttribute once when emitting the href (e.g.,
href="<%=Encode.forHtmlAttribute(resendUrl)%>"). Update the anchor with
data-testid="login-page-resend-confirmation-email-link" to reference that
variable.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 9ac4ebb6-7d62-4b36-a29b-8a961960b682

📥 Commits

Reviewing files that changed from the base of the PR and between b1d6bf2 and 0e879d4.

📒 Files selected for processing (4)

• all-in-one-apim/modules/distribution/product/src/main/extensions/basicauth.jsp
• all-in-one-apim/modules/distribution/product/src/main/extensions/password-reset-complete.jsp
• api-control-plane/modules/distribution/product/src/main/extensions/basicauth.jsp
• api-control-plane/modules/distribution/product/src/main/extensions/password-reset-complete.jsp

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@api-control-plane/modules/distribution/product/src/main/extensions/basicauth.jsp`:
- Around line 560-562: Precompute the full resend URL into a local String (e.g.,
String resendUrl) by building the query string using
URLEncoder.encode(request.getParameter("failedUsername"), UTF_8) and
AuthenticationEndpointUtil.cleanErrorMessages(request.getQueryString()), then
call Encode.forHtmlAttribute(resendUrl) once when rendering the href for the
anchor with id "registerLink" instead of interleaving
Encode.forHtml/Encode.forHtmlAttribute around fragments; this removes
fragment-level encoding and satisfies PMD.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: a7f00304-5337-4a7b-bba3-eddfd21c4f20

📥 Commits

Reviewing files that changed from the base of the PR and between 0e879d4 and 406d50a.

📒 Files selected for processing (4)

• all-in-one-apim/modules/distribution/product/src/main/extensions/basicauth.jsp
• all-in-one-apim/modules/distribution/product/src/main/extensions/password-reset-complete.jsp
• api-control-plane/modules/distribution/product/src/main/extensions/basicauth.jsp
• api-control-plane/modules/distribution/product/src/main/extensions/password-reset-complete.jsp

🚧 Files skipped from review as they are similar to previous changes (1)

• all-in-one-apim/modules/distribution/product/src/main/extensions/password-reset-complete.jsp