XSSAPIImplTest.java

radu Tue, 10 Feb 2015 13:35:46 -0800

Author: radu
Date: Tue Feb 10 21:35:03 2015
New Revision: 1658820

URL: http://svn.apache.org/r1658820
Log:
SLING-4176 - Sightly: StyleToken context is doing nothing


* provide protection against javascript snippets in CSS (patch provided by Vlad 
Bailescu)

Modified:
    
sling/trunk/contrib/extensions/xss/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java
    
sling/trunk/contrib/extensions/xss/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java

Modified: 
sling/trunk/contrib/extensions/xss/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java
URL: 
http://svn.apache.org/viewvc/sling/trunk/contrib/extensions/xss/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java?rev=1658820&r1=1658819&r2=1658820&view=diff
==============================================================================
--- 
sling/trunk/contrib/extensions/xss/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java
 (original)
+++ 
sling/trunk/contrib/extensions/xss/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java
 Tue Feb 10 21:35:03 2015
@@ -209,7 +209,7 @@ public class XSSAPIImpl implements XSSAP
     /** http://www.w3.org/TR/css-syntax-3/#ident-token-diagram */
     private static final String IDENTIFIER = "-?[a-z_" + NON_ASCII + 
"][\\w_\\-" + NON_ASCII + "]*";
     /** http://www.w3.org/TR/css-syntax-3/#string-token-diagram */
-    private static final String STRING = 
"\"(?:[^\"^\\\\^\\n]|(?:\\\\\"))*\"|'(?:[^'^\\\\^\\n]|(?:\\\\'))*'";
+    private static final String STRING = 
"\"(?:(?!javascript\\s?:)[^\"^\\\\^\\n]|(?:\\\\\"))*\"|'(?:(?!javascript\\s?:)[^'^\\\\^\\n]|(?:\\\\'))*'";
     /** http://www.w3.org/TR/css-syntax-3/#dimension-token-diagram */
     private static final String DIMENSION = NUMBER + IDENTIFIER;
     /** http://www.w3.org/TR/css-syntax-3/#percentage-token-diagram */

Modified: 
sling/trunk/contrib/extensions/xss/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
URL: 
http://svn.apache.org/viewvc/sling/trunk/contrib/extensions/xss/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java?rev=1658820&r1=1658819&r2=1658820&view=diff
==============================================================================
--- 
sling/trunk/contrib/extensions/xss/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
 (original)
+++ 
sling/trunk/contrib/extensions/xss/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
 Tue Feb 10 21:35:03 2015
@@ -430,7 +430,11 @@ public class XSSAPIImplTest {
 
                 // no javascript:
                 {"javascript:alert(1)"              , RUBBISH},
+                {"'javascript:alert(1)'"            , RUBBISH},
+                {"\"javascript:alert('XSS')\""      , RUBBISH},
                 {"url(javascript:alert(1))"         , RUBBISH},
+                {"url('javascript:alert(1)')"       , RUBBISH},
+                {"url(\"javascript:alert('XSS')\")" , RUBBISH},
 
                 // no expression
                 {"expression(alert(1))"             , RUBBISH},

svn commit: r1658820 - in /sling/trunk/contrib/extensions/xss/src: main/java/org/apache/sling/xss/impl/XSSAPIImpl.java test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java

Reply via email to