configure XStream security for QuestDataIO

The printing of the exception caught in FControl is very helpful for any
future issues caused by the security settings as it indicates which
class was present in the stream, but not allowed.

Signed-off-by: Jamin W. Collins <jamin.collins@gmail.com>

forge-gui/src/main/java/forge/quest/io/QuestDataIO.java

@@ -17,6 +17,9 @@
  */
 package forge.quest.io;
 
+import com.thoughtworks.xstream.security.NoTypePermission;
+import com.thoughtworks.xstream.security.NullPermission;
+import com.thoughtworks.xstream.security.PrimitiveTypePermission;
 import forge.quest.data.QuestPreferences.QPref;
 import com.thoughtworks.xstream.XStream;
 import com.thoughtworks.xstream.converters.Converter;
@@ -78,6 +81,23 @@ public class QuestDataIO {
      */
     protected static XStream getSerializer(final boolean isIgnoring) {
         final XStream xStream = isIgnoring ? new IgnoringXStream() : new XStream();
+        // clear out existing permissions and set our own
+        xStream.addPermission(NoTypePermission.NONE);
+        // allow some basics
+        xStream.addPermission(NullPermission.NULL);
+        xStream.addPermission(PrimitiveTypePermission.PRIMITIVES);
+        xStream.allowTypeHierarchy(String.class);
+        xStream.allowTypeHierarchy(QuestData.class);
+        xStream.allowTypeHierarchy(HashMap.class);
+        xStream.allowTypeHierarchy(Deck.class);
+        xStream.allowTypeHierarchy(DeckGroup.class);
+        xStream.allowTypeHierarchy(EnumMap.class);
+        xStream.allowTypeHierarchy(QuestItemType.class);
+        // allow any type from the same package
+        xStream.allowTypesByWildcard(new String[] {
+                QuestDataIO.class.getPackage().getName()+".*",
+                "forge.quest.data.*"
+        });
         xStream.registerConverter(new ItemPoolToXml());
         xStream.registerConverter(new DeckToXml());
         xStream.registerConverter(new DraftTournamentToXml());