This is an automated email from the ASF dual-hosted git repository.

brushed pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/jspwiki.git


The following commit(s) were added to refs/heads/master by this push:
     new 87c89f0  2.11.0-M4-git-05,  [JSPWIKI-1108] interwiki link escape 
illegal chars
87c89f0 is described below

commit 87c89f0405d6b31fc165358ce5d5bc4536e32a8a
Author: brushed <[email protected]>
AuthorDate: Tue Apr 23 20:16:05 2019 +0200

    2.11.0-M4-git-05,  [JSPWIKI-1108] interwiki link escape illegal chars
---
 ChangeLog                                                           | 6 ++++++
 jspwiki-main/src/main/java/org/apache/wiki/Release.java             | 2 +-
 .../src/main/java/org/apache/wiki/parser/JSPWikiMarkupParser.java   | 5 +++--
 3 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 16a19c7..986ada7 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2019-04-23  Dirk Frederickx (brushed AT apache DOT org)
+
+       * 2.11.0-M4-git-05
+
+       * [JSPWIKI-1108] interwiki links with illegal characters causes XSS 
vulnerability
+
 2019-04-22  Dirk Frederickx (brushed AT apache DOT org)
 
        * 2.11.0-M4-git-04
diff --git a/jspwiki-main/src/main/java/org/apache/wiki/Release.java 
b/jspwiki-main/src/main/java/org/apache/wiki/Release.java
index 46d971f..f8b77be 100644
--- a/jspwiki-main/src/main/java/org/apache/wiki/Release.java
+++ b/jspwiki-main/src/main/java/org/apache/wiki/Release.java
@@ -72,7 +72,7 @@ public final class Release {
      *  <p>
      *  If the build identifier is empty, it is not added.
      */
-    public static final String     BUILD         = "04";
+    public static final String     BUILD         = "05";
 
     /**
      *  This is the generic version string you should use when printing out 
the version.  It is of
diff --git 
a/jspwiki-main/src/main/java/org/apache/wiki/parser/JSPWikiMarkupParser.java 
b/jspwiki-main/src/main/java/org/apache/wiki/parser/JSPWikiMarkupParser.java
index e8ab63c..7abfdf9 100644
--- a/jspwiki-main/src/main/java/org/apache/wiki/parser/JSPWikiMarkupParser.java
+++ b/jspwiki-main/src/main/java/org/apache/wiki/parser/JSPWikiMarkupParser.java
@@ -1315,7 +1315,8 @@ public class JSPWikiMarkupParser extends MarkupParser {
                     }
                     else
                     {
-                        Object[] args = { extWiki };
+                        Object[] args = { escapeHTMLEntities(extWiki) };
+
                         addElement( makeError( MessageFormat.format( 
rb.getString( "markupparser.error.nointerwikiref" ), args ) ) );
                     }
                 }
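Review bot: Escaping `extWiki` only at this one call site protects this error message but leaves any other `makeError( MessageFormat.format( ... ) )` that embeds page-supplied text unguarded; the more durable fix is for `makeError` itself to HTML-escape its argument, so a future caller cannot reintroduce the injection. Whether `makeError` already escapes is not visible in the hunk, so confirm before changing it — if it does, the added `escapeHTMLEntities` call would double-encode the wiki name (`&amp;lt;` instead of `&lt;`) in the rendered error. The diffstat lists no test file, so nothing pins this XSS path; a parser test feeding a name such as `<script>` as the interwiki prefix and asserting the rendered output contains `&lt;script&gt;` rather than a raw tag would do. The enclosing method starts and ends outside the hunk.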
@@ -2076,7 +2077,7 @@ public class JSPWikiMarkupParser extends MarkupParser {
                 //  Pop out only spaces, so that the upcoming EOL check does 
not check the
                 //  next line.
                 //
-                if( ch == '\n' || ch == '\r' )
+                else if( ch == '\n' || ch == '\r' )
                 {
                     pushBack(ch);
                 }
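Review bot: Turning `if( ch == '\n' || ch == '\r' )` into `else if` is a control-flow change, not an escaping change: whenever the preceding condition (outside the hunk) matches, `pushBack(ch)` no longer runs, and neither the ChangeLog entry nor the commit message mentions it. If this is a deliberate fix to the EOL handling the comment above describes, a short note such as `// The preceding branch already consumed ch; only push back an EOL that it did not handle.` plus a sentence in the ChangeLog would stop the next reader from assuming it is part of the XSS fix; if it is accidental, it should be reverted. The enclosing loop starts and ends outside the hunk.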
