Author: zhoresh
Date: Fri Oct 15 00:53:09 2010
New Revision: 1022796

URL: http://svn.apache.org/viewvc?rev=1022796&view=rev
Log:
Ref http://codereview.appspot.com/2436042/
 Add null checks for CajaCssSanitizer

Modified:
    
shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/parse/caja/CajaCssSanitizer.java
    
shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/parse/caja/CajaCssSanitizerTest.java

Modified: 
shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/parse/caja/CajaCssSanitizer.java
URL: 
http://svn.apache.org/viewvc/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/parse/caja/CajaCssSanitizer.java?rev=1022796&r1=1022795&r2=1022796&view=diff
==============================================================================
--- 
shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/parse/caja/CajaCssSanitizer.java
 (original)
+++ 
shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/parse/caja/CajaCssSanitizer.java
 Fri Oct 15 00:53:09 2010
@@ -180,7 +180,7 @@ public class CajaCssSanitizer {
       }
     }, null);
   }
-  
+
   private static String rewriteUri(ProxyUriManager proxyUriManager, String 
input,
                                    final Uri context, GadgetContext 
gadgetContext) {
     Uri inboundUri = null;
@@ -223,6 +223,9 @@ public class CajaCssSanitizer {
    * @param chain chain of nodes
    */
   private static void clean(AncestorChain<?> chain) {
+    if (chain == null) {
+      return;
+    }
     if (chain.node instanceof CssTree.Declaration ||
         chain.node instanceof CssTree.Import) {
       if (chain.getParentNode() instanceof CssTree.UserAgentHack) {
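Review bot: The new guard at the top of `clean` returns silently when `chain` is null, and in a sanitizer that silent no-op should be documented, because a caller that expected a node to be stripped gets no signal that nothing was removed. The Javadoc above still reads only `@param chain chain of nodes`; I would extend it to `@param chain chain of nodes; may be null, in which case nothing is removed`. A one-line comment on the guard should also name the caller that can pass null, presumably a walk up to a parent chain that does not exist, which needs confirming. The body of `clean` continues past the end of this hunk, so it cannot be judged from here whether a skipped removal can leave a rejected declaration in the tree.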

Modified: 
shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/parse/caja/CajaCssSanitizerTest.java
URL: 
http://svn.apache.org/viewvc/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/parse/caja/CajaCssSanitizerTest.java?rev=1022796&r1=1022795&r2=1022796&view=diff
==============================================================================
--- 
shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/parse/caja/CajaCssSanitizerTest.java
 (original)
+++ 
shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/parse/caja/CajaCssSanitizerTest.java
 Fri Oct 15 00:53:09 2010
@@ -47,7 +47,7 @@ public class CajaCssSanitizerTest extend
   public static final String MOCK_CONTAINER = "mockContainer";
 
   private static class FakeContainerConfig extends AbstractContainerConfig {
-    private Map<String, Map<String, Object>> containers =
+    private final Map<String, Map<String, Object>> containers =
         new HashMap<String, Map<String, Object>>();
 
     private FakeContainerConfig() {
@@ -64,7 +64,7 @@ public class CajaCssSanitizerTest extend
     public Object getProperty(String container, String name) {
       Map<String, Object> data = containers.get(container);
 
-      // Inherit from default if there is no value for this key. 
+      // Inherit from default if there is no value for this key.
       if (!data.containsKey(name)) {
         data = containers.get(ContainerConfig.DEFAULT_CONTAINER);
       }
@@ -107,6 +107,23 @@ public class CajaCssSanitizerTest extend
   }
 
   @Test
+  public void testSanitizeBadField() throws Exception {
+    String css = ".xyz { iamevil: 1; }";
+    CssTree.StyleSheet styleSheet = parser.parseDom(css);
+    sanitizer.sanitize(styleSheet, DUMMY, gadgetContext, importRewriter, 
imageRewriter);
+    assertStyleEquals(".xyz {}", styleSheet);
+  }
+
+  @Test
+  public void testSanitizeCleanToParent() throws Exception {
+    String css = ".q_action:hover, #questionsDIV li:nth-child(even) 
.q_action:hover, .stream li:nth-child(even) .q_action:hover {" +
+               " background: #d0ebfe; text-decoration: none; }";
+    CssTree.StyleSheet styleSheet = parser.parseDom(css);
+    sanitizer.sanitize(styleSheet, DUMMY, gadgetContext, importRewriter, 
imageRewriter);
+    assertStyleEquals(css, styleSheet);
+  }
+
+  @Test
    public void testSanitizeUnsafeProperties() throws Exception {
     String css = ".xyz { behavior: url('xyz.htc'); 
-moz-binding:url(\"http://ha.ckers.org/xssmoz.xml#xss\";) }";
     CssTree.StyleSheet styleSheet = parser.parseDom(css);
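Review bot: `testSanitizeCleanToParent` only asserts that benign CSS passes through unchanged, so it does not show that rejected content under the same selectors is still removed. It presumably confirms that the sanitizer no longer fails on this selector shape, but nothing more. A companion case would close the gap: reuse the same `:nth-child(even)` selector list with the `iamevil: 1;` declaration from `testSanitizeBadField`, and assert that the declaration is gone from the output. Each new test would also benefit from a short comment naming the path it covers, for example `// Regression for the null-chain guard in CajaCssSanitizer.clean()`, because the link to the null check is not visible from the test bodies.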

