Author: radu Date: Tue Feb 10 21:35:03 2015 New Revision: 1658820 URL: http://svn.apache.org/r1658820 Log: SLING-4176 - Sightly: StyleToken context is doing nothing
* provide protection against javascript snippets in CSS (patch provided by Vlad Bailescu)

Modified:
sling/trunk/contrib/extensions/xss/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java
sling/trunk/contrib/extensions/xss/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java

Modified: sling/trunk/contrib/extensions/xss/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java
URL: http://svn.apache.org/viewvc/sling/trunk/contrib/extensions/xss/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java?rev=1658820&r1=1658819&r2=1658820&view=diff
==============================================================================
--- sling/trunk/contrib/extensions/xss/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java (original)
+++ sling/trunk/contrib/extensions/xss/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java Tue Feb 10 21:35:03 2015
@@ -209,7 +209,7 @@ public class XSSAPIImpl implements XSSAP
 /** http://www.w3.org/TR/css-syntax-3/#ident-token-diagram */
 private static final String IDENTIFIER = "-?[a-z_" + NON_ASCII + "][\\w_\\-" + NON_ASCII + "]*";
 /** http://www.w3.org/TR/css-syntax-3/#string-token-diagram */
- private static final String STRING = "\"(?:[^\"^\\\\^\\n]|(?:\\\\\"))*\"|'(?:[^'^\\\\^\\n]|(?:\\\\'))*'";
+ private static final String STRING = "\"(?:(?!javascript\\s?:)[^\"^\\\\^\\n]|(?:\\\\\"))*\"|'(?:(?!javascript\\s?:)[^'^\\\\^\\n]|(?:\\\\'))*'";
 /** http://www.w3.org/TR/css-syntax-3/#dimension-token-diagram */
 private static final String DIMENSION = NUMBER + IDENTIFIER;
 /** http://www.w3.org/TR/css-syntax-3/#percentage-token-diagram */

Modified: sling/trunk/contrib/extensions/xss/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
URL: http://svn.apache.org/viewvc/sling/trunk/contrib/extensions/xss/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java?rev=1658820&r1=1658819&r2=1658820&view=diff
==============================================================================
--- sling/trunk/contrib/extensions/xss/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java (original)
+++ sling/trunk/contrib/extensions/xss/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java Tue Feb 10 21:35:03 2015
@@ -430,7 +430,11 @@ public class XSSAPIImplTest {
 // no javascript:
 {"javascript:alert(1)" , RUBBISH},
+ {"'javascript:alert(1)'" , RUBBISH},
+ {"\"javascript:alert('XSS')\"" , RUBBISH},
 {"url(javascript:alert(1))" , RUBBISH},
+ {"url('javascript:alert(1)')" , RUBBISH},
+ {"url(\"javascript:alert('XSS')\")" , RUBBISH},
 // no expression
 {"expression(alert(1))" , RUBBISH},
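Review bot: The negative lookahead added to `STRING` rejects only the literal lowercase `javascript` followed by at most one whitespace character, so unless this constant is compiled with `Pattern.CASE_INSENSITIVE` elsewhere in the file (not visible in the hunk), mixed-case spellings and a scheme name split by a tab or carriage return — characters URL parsers strip before matching the scheme — still form a valid string token; using `(?!(?i:javascript)\\s*:)` in both alternatives closes the case and whitespace gaps without touching the rest of the token grammar. The check is a scheme-specific denylist evaluated at every character position, so it also rejects harmless strings such as a `content: "javascript: off"` value; that trade-off belongs in the Javadoc, e.g. `/** http://www.w3.org/TR/css-syntax-3/#string-token-diagram — deliberately stricter than the spec: a string containing a {@code javascript:} scheme is not a valid token (SLING-4176). */`. The test hunk at +430 adds lowercase cases only; a mixed-case and a tab-separated variant would pin whichever behaviour is intended. Unrelated to this change but on the same line, the `^` characters inside the negated classes `[^\"^\\\\^\\n]` are literal and exclude carets from every string, which looks unintended. The enclosing class XSSAPIImpl starts and ends outside the hunk.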