This is an automated email from the ASF dual-hosted git repository.

cziegeler pushed a commit to branch master
in repository 
https://gitbox.apache.org/repos/asf/sling-org-apache-sling-servlets-get.git


The following commit(s) were added to refs/heads/master by this push:
     new 468daa3  SLING-12055 : Remove dependency on Sling XSS
468daa3 is described below

commit 468daa34fc3a5b86e553f9372daef0f5ee9ea940
Author: Carsten Ziegeler <cziege...@apache.org>
AuthorDate: Fri Sep 29 14:35:25 2023 +0200

    SLING-12055 : Remove dependency on Sling XSS
---
 .gitignore                                         |  1 +
 pom.xml                                            |  6 +++---
 .../sling/servlets/get/impl/DefaultGetServlet.java |  8 +------
 .../sling/servlets/get/impl/SlingInfoServlet.java  |  1 -
 .../servlets/get/impl/helpers/HtmlRenderer.java    | 25 +++++++++-------------
 .../servlets/get/impl/helpers/StreamRenderer.java  |  1 -
 .../get/impl/helpers/HtmlRendererTest.java         | 16 ++++++++------
 .../get/impl/helpers/StreamRendererTest.java       |  2 +-
 8 files changed, 26 insertions(+), 34 deletions(-)

diff --git a/.gitignore b/.gitignore
index 5b783ed..d4bfe7c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
+.vscode
 /target
 .idea
 .classpath
diff --git a/pom.xml b/pom.xml
index 536abd0..a8a4dc2 100644
--- a/pom.xml
+++ b/pom.xml
@@ -98,9 +98,9 @@
             <artifactId>jcr</artifactId>
         </dependency>
         <dependency>
-            <groupId>org.apache.sling</groupId>
-            <artifactId>org.apache.sling.xss</artifactId>
-            <version>2.2.12</version>
+            <groupId>org.owasp.encoder</groupId>
+            <artifactId>encoder</artifactId>
+            <version>1.2.3</version>
             <scope>provided</scope>
         </dependency>
         <dependency>
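Review bot: `<scope>provided</scope>` on the new `org.owasp.encoder` dependency means the encoder classes are not packaged into this bundle, so the manifest will end up importing `org.owasp.encoder` from whatever bundle exports it at runtime, and nothing in this diff adds such a bundle. That import is now the only thing standing between resource property values and the HTML output in `HtmlRenderer`, so confirm the encoder is deployed alongside this bundle, or embed it with a bnd instruction such as `-conditionalpackage: org.owasp.encoder.*` so the bundle resolves on its own. I cannot see the bnd configuration from this hunk, so this may already be covered elsewhere in the pom.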
diff --git 
a/src/main/java/org/apache/sling/servlets/get/impl/DefaultGetServlet.java 
b/src/main/java/org/apache/sling/servlets/get/impl/DefaultGetServlet.java
index 4f02fe7..1f1ae27 100644
--- a/src/main/java/org/apache/sling/servlets/get/impl/DefaultGetServlet.java
+++ b/src/main/java/org/apache/sling/servlets/get/impl/DefaultGetServlet.java
@@ -38,12 +38,9 @@ import 
org.apache.sling.servlets.get.impl.helpers.PlainTextRenderer;
 import org.apache.sling.servlets.get.impl.helpers.Renderer;
 import org.apache.sling.servlets.get.impl.helpers.StreamRenderer;
 import org.apache.sling.servlets.get.impl.helpers.XMLRenderer;
-import org.apache.sling.xss.XSSAPI;
 import org.osgi.service.component.annotations.Activate;
 import org.osgi.service.component.annotations.Component;
 import org.osgi.service.component.annotations.Deactivate;
-import org.osgi.service.component.annotations.Reference;
-import org.osgi.service.component.annotations.ReferencePolicyOption;
 import org.osgi.service.metatype.annotations.AttributeDefinition;
 import org.osgi.service.metatype.annotations.Designate;
 import org.osgi.service.metatype.annotations.ObjectClassDefinition;
@@ -157,9 +154,6 @@ public class DefaultGetServlet extends 
SlingSafeMethodsServlet {
 
     private boolean enableXml;
 
-    @Reference(policyOption = ReferencePolicyOption.GREEDY)
-    private XSSAPI xssApi;
-
        private boolean enableEcmaSupport;
     
     public static final String EXT_HTML = "html";
@@ -204,7 +198,7 @@ public class DefaultGetServlet extends 
SlingSafeMethodsServlet {
         if ( EXT_RES.equals(type) ) {
             renderer = new StreamRenderer(index, indexFiles, 
getServletContext());
         } else if ( EXT_HTML.equals(type) ) {
-            renderer = new HtmlRenderer(xssApi);
+            renderer = HtmlRenderer.INSTANCE;
         } else if ( EXT_TXT.equals(type) ) {
             renderer = new PlainTextRenderer();
         } else if (EXT_JSON.equals(type) ) {
diff --git 
a/src/main/java/org/apache/sling/servlets/get/impl/SlingInfoServlet.java 
b/src/main/java/org/apache/sling/servlets/get/impl/SlingInfoServlet.java
index 71b65c3..3942e06 100644
--- a/src/main/java/org/apache/sling/servlets/get/impl/SlingInfoServlet.java
+++ b/src/main/java/org/apache/sling/servlets/get/impl/SlingInfoServlet.java
@@ -25,7 +25,6 @@ import java.util.HashMap;
 import java.util.Map;
 
 import javax.json.Json;
-import javax.json.JsonException;
 import javax.json.stream.JsonGenerator;
 import javax.servlet.Servlet;
 import javax.servlet.http.HttpServletResponse;
diff --git 
a/src/main/java/org/apache/sling/servlets/get/impl/helpers/HtmlRenderer.java 
b/src/main/java/org/apache/sling/servlets/get/impl/helpers/HtmlRenderer.java
index 2b00fac..33cbe7e 100644
--- a/src/main/java/org/apache/sling/servlets/get/impl/helpers/HtmlRenderer.java
+++ b/src/main/java/org/apache/sling/servlets/get/impl/helpers/HtmlRenderer.java
@@ -28,7 +28,7 @@ import org.apache.sling.api.SlingHttpServletResponse;
 import org.apache.sling.api.resource.Resource;
 import org.apache.sling.api.resource.ResourceNotFoundException;
 import org.apache.sling.api.resource.ResourceUtil;
-import org.apache.sling.xss.XSSAPI;
+import org.owasp.encoder.Encode;
 
 /**
  * The <code>HtmlRendererServlet</code> renders the current resource in HTML
@@ -36,12 +36,7 @@ import org.apache.sling.xss.XSSAPI;
  */
 public class HtmlRenderer implements Renderer  {
 
-    private final XSSAPI xssApi;
-
-    public HtmlRenderer(final XSSAPI xssApi) {
-        this.xssApi = xssApi;
-    }
-
+    public static final HtmlRenderer INSTANCE = new HtmlRenderer();
 
     public void render(final SlingHttpServletRequest req,
             final SlingHttpServletResponse resp) throws IOException {
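Review bot: `INSTANCE` is now shared by every request, but the class still has an implicit public constructor, so the singleton is not enforced and nothing documents that the renderer must stay stateless. Add `private HtmlRenderer() {}` below the field and a Javadoc on `INSTANCE` along the lines of `/** Shared, stateless renderer; safe to use concurrently from multiple requests. */`. This assumes `render` keeps all of its state in locals, which I can only partly verify since its body runs past the end of the hunk.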
@@ -101,19 +96,19 @@ public class HtmlRenderer implements Renderer  {
 
     private void printResourceInfo(final PrintWriter pw, final Resource r) {
         pw.print("<h1>Resource dumped by ");
-        pw.print(xssApi.encodeForHTML(getClass().getSimpleName()));
+        pw.print(Encode.forHtmlContent(getClass().getSimpleName()));
         pw.println("</h1>");
 
         pw.print("<p>Resource path: <b>");
-        pw.print(xssApi.encodeForHTML(r.getPath()));
+        pw.print(Encode.forHtmlContent(r.getPath()));
         pw.println("</b></p>");
 
         pw.print("<p>Resource metadata: <b>");
-        
pw.print(xssApi.encodeForHTML(String.valueOf(r.getResourceMetadata())));
+        
pw.print(Encode.forHtmlContent(String.valueOf(r.getResourceMetadata())));
         pw.println("</b></p>");
 
         pw.print("<p>Resource type: <b>");
-        pw.print(xssApi.encodeForHTML(r.getResourceType()));
+        pw.print(Encode.forHtmlContent(r.getResourceType()));
         pw.println("</b></p>");
 
         String resourceSuperType = 
r.getResourceResolver().getParentResourceType(r);
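Review bot: `Encode.forHtmlContent` encodes only `&`, `<` and `>`, whereas the Sling `encodeForHTML` it replaces appears to have escaped quotes as well; that is sufficient here because every call site in this method writes element text (`<h1>`, `<b>`), but nothing records that constraint. Add a comment at the first call, e.g. `// forHtmlContent is only safe for element text; use forHtmlAttribute for attribute values`, so a later edit that moves a resource path or type into an attribute does not silently inherit the weaker encoder. The same caveat applies to the `printPropertyValue` call sites further down.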
@@ -121,7 +116,7 @@ public class HtmlRenderer implements Renderer  {
             resourceSuperType = "-";
         }
         pw.print("<p>Resource super type: <b>");
-        pw.print(xssApi.encodeForHTML(resourceSuperType));
+        pw.print(Encode.forHtmlContent(resourceSuperType));
         pw.println("</b></p>");
     }
 
@@ -148,7 +143,7 @@ public class HtmlRenderer implements Renderer  {
 
     private void printPropertyValue(final PrintWriter pw, final String name, 
final Object value) {
 
-        pw.print(xssApi.encodeForHTML(name));
+        pw.print(Encode.forHtmlContent(name));
         pw.print(": <b>");
 
         if ( value.getClass().isArray() ) {
@@ -158,11 +153,11 @@ public class HtmlRenderer implements Renderer  {
                 if (i > 0) {
                     pw.print(", ");
                 }
-                pw.print(xssApi.encodeForHTML(values[i].toString()));
+                pw.print(Encode.forHtmlContent(values[i].toString()));
             }
             pw.print(']');
         } else {
-            pw.print(xssApi.encodeForHTML(value.toString()));
+            pw.print(Encode.forHtmlContent(value.toString()));
         }
 
         pw.print("</b><br />");
diff --git 
a/src/main/java/org/apache/sling/servlets/get/impl/helpers/StreamRenderer.java 
b/src/main/java/org/apache/sling/servlets/get/impl/helpers/StreamRenderer.java
index 1df52bd..45e216d 100644
--- 
a/src/main/java/org/apache/sling/servlets/get/impl/helpers/StreamRenderer.java
+++ 
b/src/main/java/org/apache/sling/servlets/get/impl/helpers/StreamRenderer.java
@@ -21,7 +21,6 @@ import static 
org.apache.sling.api.servlets.HttpConstants.HEADER_IF_MODIFIED_SIN
 import static org.apache.sling.api.servlets.HttpConstants.HEADER_LAST_MODIFIED;
 
 import java.io.BufferedInputStream;
-import java.io.Closeable;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
diff --git 
a/src/test/java/org/apache/sling/servlets/get/impl/helpers/HtmlRendererTest.java
 
b/src/test/java/org/apache/sling/servlets/get/impl/helpers/HtmlRendererTest.java
index 72a3a1b..fff4003 100644
--- 
a/src/test/java/org/apache/sling/servlets/get/impl/helpers/HtmlRendererTest.java
+++ 
b/src/test/java/org/apache/sling/servlets/get/impl/helpers/HtmlRendererTest.java
@@ -18,6 +18,8 @@
  */
 package org.apache.sling.servlets.get.impl.helpers;
 
+import static org.junit.Assert.assertTrue;
+
 import java.io.IOException;
 import java.io.PrintWriter;
 import java.io.StringWriter;
@@ -30,7 +32,6 @@ import org.apache.sling.api.SlingHttpServletRequest;
 import org.apache.sling.api.SlingHttpServletResponse;
 import org.apache.sling.api.resource.Resource;
 import org.apache.sling.api.resource.ResourceResolver;
-import org.apache.sling.xss.XSSAPI;
 import org.junit.Before;
 import org.junit.Test;
 import org.mockito.Mockito;
@@ -40,6 +41,8 @@ public class HtmlRendererTest {
     private SlingHttpServletRequest request;
     private SlingHttpServletResponse response;
 
+    private StringWriter writer;
+
     @Before
     public void setup() throws IOException {
         request = Mockito.mock(SlingHttpServletRequest.class);
@@ -57,15 +60,16 @@ public class HtmlRendererTest {
 
         response = Mockito.mock(SlingHttpServletResponse.class);
 
-        Mockito.when(response.getWriter()).thenReturn(new PrintWriter(new 
StringWriter()));
+        this.writer = new StringWriter();
+        Mockito.when(response.getWriter()).thenReturn(new 
PrintWriter(this.writer));
     }
 
     @Test
     public void testEscaping() throws ServletException, IOException {
-        XSSAPI xss = Mockito.mock(XSSAPI.class);
-
-        new HtmlRenderer(xss).render(request, response);
+        HtmlRenderer.INSTANCE.render(request, response);
 
-        Mockito.verify(xss).encodeForHTML("<script>alert(1);</script>");
+        this.writer.flush();
+        final String contents = this.writer.toString();
+        
assertTrue(contents.contains("&lt;script&gt;alert(1);&lt;/script&gt;"));
     }
 }
\ No newline at end of file
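Review bot: The assertion only proves that the escaped form appears somewhere in the output; it would still pass if the raw payload were also written unescaped, so add `assertFalse(contents.contains("<script>"));` next to it (importing `assertFalse` alongside `assertTrue`). The fixture injects the payload into a single location set up outside this hunk, while `HtmlRenderer` also encodes the path, resource type, super type and property names; a looped test over those fields would give the encoder the coverage the old Mockito `verify` never provided.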
diff --git 
a/src/test/java/org/apache/sling/servlets/get/impl/helpers/StreamRendererTest.java
 
b/src/test/java/org/apache/sling/servlets/get/impl/helpers/StreamRendererTest.java
index 1584727..767bd10 100644
--- 
a/src/test/java/org/apache/sling/servlets/get/impl/helpers/StreamRendererTest.java
+++ 
b/src/test/java/org/apache/sling/servlets/get/impl/helpers/StreamRendererTest.java
@@ -57,7 +57,7 @@ public class StreamRendererTest {
 
     @Before
     public void setup() {
-        Resource r = context.create().resource("/abc.txt","prop","value");
+        context.create().resource("/abc.txt","prop","value");
         context.build().file("file.txt", 
this.getClass().getResourceAsStream("/samplefile.json"));
         requestDispatcher = Mockito.mock(RequestDispatcher.class);
         context.request().setRequestDispatcherFactory(new 
MockRequestDispatcherFactory() {
