This is an automated email from the ASF dual-hosted git repository. cziegeler pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-servlets-get.git
The following commit(s) were added to refs/heads/master by this push: new 468daa3 SLING-12055 : Remove dependency on Sling XSS 468daa3 is described below commit 468daa34fc3a5b86e553f9372daef0f5ee9ea940 Author: Carsten Ziegeler <cziege...@apache.org> AuthorDate: Fri Sep 29 14:35:25 2023 +0200 SLING-12055 : Remove dependency on Sling XSS
---
 .gitignore | 1 + pom.xml | 6 +++--- .../sling/servlets/get/impl/DefaultGetServlet.java | 8 +------ .../sling/servlets/get/impl/SlingInfoServlet.java | 1 - .../servlets/get/impl/helpers/HtmlRenderer.java | 25 +++++++++------------- .../servlets/get/impl/helpers/StreamRenderer.java | 1 - .../get/impl/helpers/HtmlRendererTest.java | 16 ++++++++------ .../get/impl/helpers/StreamRendererTest.java | 2 +- 8 files changed, 26 insertions(+), 34 deletions(-)
diff --git a/.gitignore b/.gitignore
index 5b783ed..d4bfe7c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
+.vscode
 /target
 .idea
 .classpath
diff --git a/pom.xml b/pom.xml
index 536abd0..a8a4dc2 100644
--- a/pom.xml
+++ b/pom.xml
@@ -98,9 +98,9 @@
 <artifactId>jcr</artifactId>
 </dependency>
 <dependency>
-<groupId>org.apache.sling</groupId>
-<artifactId>org.apache.sling.xss</artifactId>
-<version>2.2.12</version>
+<groupId>org.owasp.encoder</groupId>
+<artifactId>encoder</artifactId>
+<version>1.2.3</version>
 <scope>provided</scope>
 </dependency>
 <dependency>
diff --git a/src/main/java/org/apache/sling/servlets/get/impl/DefaultGetServlet.java b/src/main/java/org/apache/sling/servlets/get/impl/DefaultGetServlet.java
index 4f02fe7..1f1ae27 100644
--- a/src/main/java/org/apache/sling/servlets/get/impl/DefaultGetServlet.java
+++ b/src/main/java/org/apache/sling/servlets/get/impl/DefaultGetServlet.java
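Review bot: The new `org.owasp.encoder:encoder` dependency keeps `<scope>provided</scope>`, so the encoder classes are not packaged into this bundle and `org.owasp.encoder` becomes a package the OSGi runtime has to supply, just as the removed Sling XSS bundle did before. If the target deployment does not already ship a bundle exporting that package, this bundle will no longer resolve and the HTML renderer path is lost with it. Either document the runtime requirement where the Sling XSS requirement was documented, or embed the encoder (it has no transitive dependencies) so the bundle stays self-contained.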
@@ -38,12 +38,9 @@ import org.apache.sling.servlets.get.impl.helpers.PlainTextRenderer;
 import org.apache.sling.servlets.get.impl.helpers.Renderer;
 import org.apache.sling.servlets.get.impl.helpers.StreamRenderer;
 import org.apache.sling.servlets.get.impl.helpers.XMLRenderer;
-import org.apache.sling.xss.XSSAPI;
 import org.osgi.service.component.annotations.Activate;
 import org.osgi.service.component.annotations.Component;
 import org.osgi.service.component.annotations.Deactivate;
-import org.osgi.service.component.annotations.Reference;
-import org.osgi.service.component.annotations.ReferencePolicyOption;
 import org.osgi.service.metatype.annotations.AttributeDefinition;
 import org.osgi.service.metatype.annotations.Designate;
 import org.osgi.service.metatype.annotations.ObjectClassDefinition;
@@ -157,9 +154,6 @@ public class DefaultGetServlet extends SlingSafeMethodsServlet {
 private boolean enableXml;
-@Reference(policyOption = ReferencePolicyOption.GREEDY)
-private XSSAPI xssApi;
-
 private boolean enableEcmaSupport;
 public static final String EXT_HTML = "html";
@@ -204,7 +198,7 @@ public class DefaultGetServlet extends SlingSafeMethodsServlet {
 if ( EXT_RES.equals(type) ) {
 renderer = new StreamRenderer(index, indexFiles, getServletContext());
 } else if ( EXT_HTML.equals(type) ) {
-renderer = new HtmlRenderer(xssApi);
+renderer = HtmlRenderer.INSTANCE;
 } else if ( EXT_TXT.equals(type) ) {
 renderer = new PlainTextRenderer();
 } else if (EXT_JSON.equals(type) ) {
diff --git a/src/main/java/org/apache/sling/servlets/get/impl/SlingInfoServlet.java b/src/main/java/org/apache/sling/servlets/get/impl/SlingInfoServlet.java
index 71b65c3..3942e06 100644
--- a/src/main/java/org/apache/sling/servlets/get/impl/SlingInfoServlet.java
+++ b/src/main/java/org/apache/sling/servlets/get/impl/SlingInfoServlet.java
@@ -25,7 +25,6 @@ import java.util.HashMap;
 import java.util.Map;
 import javax.json.Json;
-import javax.json.JsonException;
 import javax.json.stream.JsonGenerator;
 import javax.servlet.Servlet;
 import javax.servlet.http.HttpServletResponse;
diff --git a/src/main/java/org/apache/sling/servlets/get/impl/helpers/HtmlRenderer.java b/src/main/java/org/apache/sling/servlets/get/impl/helpers/HtmlRenderer.java
index 2b00fac..33cbe7e 100644
--- a/src/main/java/org/apache/sling/servlets/get/impl/helpers/HtmlRenderer.java
+++ b/src/main/java/org/apache/sling/servlets/get/impl/helpers/HtmlRenderer.java
@@ -28,7 +28,7 @@ import org.apache.sling.api.SlingHttpServletResponse;
 import org.apache.sling.api.resource.Resource;
 import org.apache.sling.api.resource.ResourceNotFoundException;
 import org.apache.sling.api.resource.ResourceUtil;
-import org.apache.sling.xss.XSSAPI;
+import org.owasp.encoder.Encode;
 /**
 * The <code>HtmlRendererServlet</code> renders the current resource in HTML
@@ -36,12 +36,7 @@ import org.apache.sling.xss.XSSAPI;
 */
 public class HtmlRenderer implements Renderer {
-private final XSSAPI xssApi;
-
-public HtmlRenderer(final XSSAPI xssApi) {
-this.xssApi = xssApi;
-}
-
+public static final HtmlRenderer INSTANCE = new HtmlRenderer();
 public void render(final SlingHttpServletRequest req, final SlingHttpServletResponse resp) throws IOException {
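Review bot: `public static final HtmlRenderer INSTANCE = new HtmlRenderer();` introduces a shared singleton but leaves the implicit public no-arg constructor in place, so nothing enforces single-instance use and the reason the instance may be shared across concurrent requests (the class no longer holds any field after `xssApi` was removed) is stated nowhere. Add `private HtmlRenderer() {}` with a comment such as `// Stateless: one instance is shared by DefaultGetServlet across all requests; do not add request-scoped fields.` so a future field does not silently turn into a cross-request data leak. The class Javadoc two lines above still names `HtmlRendererServlet`; renaming it to `HtmlRenderer` would match the class.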
@@ -101,19 +96,19 @@ public class HtmlRenderer implements Renderer {
 private void printResourceInfo(final PrintWriter pw, final Resource r) {
 pw.print("<h1>Resource dumped by ");
-pw.print(xssApi.encodeForHTML(getClass().getSimpleName()));
+pw.print(Encode.forHtmlContent(getClass().getSimpleName()));
 pw.println("</h1>");
 pw.print("<p>Resource path: <b>");
-pw.print(xssApi.encodeForHTML(r.getPath()));
+pw.print(Encode.forHtmlContent(r.getPath()));
 pw.println("</b></p>");
 pw.print("<p>Resource metadata: <b>");
-pw.print(xssApi.encodeForHTML(String.valueOf(r.getResourceMetadata())));
+pw.print(Encode.forHtmlContent(String.valueOf(r.getResourceMetadata())));
 pw.println("</b></p>");
 pw.print("<p>Resource type: <b>");
-pw.print(xssApi.encodeForHTML(r.getResourceType()));
+pw.print(Encode.forHtmlContent(r.getResourceType()));
 pw.println("</b></p>");
 String resourceSuperType = r.getResourceResolver().getParentResourceType(r);
@@ -121,7 +116,7 @@ public class HtmlRenderer implements Renderer {
 resourceSuperType = "-";
 }
 pw.print("<p>Resource super type: <b>");
-pw.print(xssApi.encodeForHTML(resourceSuperType));
+pw.print(Encode.forHtmlContent(resourceSuperType));
 pw.println("</b></p>");
 }
@@ -148,7 +143,7 @@ public class HtmlRenderer implements Renderer {
 private void printPropertyValue(final PrintWriter pw, final String name, final Object value) {
-pw.print(xssApi.encodeForHTML(name));
+pw.print(Encode.forHtmlContent(name));
 pw.print(": <b>");
 if ( value.getClass().isArray() ) {
@@ -158,11 +153,11 @@ public class HtmlRenderer implements Renderer {
 if (i > 0) {
 pw.print(", ");
 }
-pw.print(xssApi.encodeForHTML(values[i].toString()));
+pw.print(Encode.forHtmlContent(values[i].toString()));
 }
 pw.print(']');
 } else {
-pw.print(xssApi.encodeForHTML(value.toString()));
+pw.print(Encode.forHtmlContent(value.toString()));
 }
 pw.print("</b><br />");
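Review bot: `pw.print(Encode.forHtmlContent(values[i].toString()));` in the `@@ -158,11 +153,11 @@` hunk still dereferences each array element, so a null element aborts the render with a NullPointerException after part of the page has already been written; whether elements can be null depends on how `values` is built, which lies outside the hunk. The metadata line in the first hunk already goes through `String.valueOf(...)`, so `pw.print(Encode.forHtmlContent(String.valueOf(values[i])));` (and likewise `String.valueOf(value)` in the else branch) would be both consistent and null-safe. `Encode.forHtmlContent` is the right encoder for these sites, since every value is emitted as element text and never inside an attribute.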
diff --git a/src/main/java/org/apache/sling/servlets/get/impl/helpers/StreamRenderer.java b/src/main/java/org/apache/sling/servlets/get/impl/helpers/StreamRenderer.java
index 1df52bd..45e216d 100644
--- a/src/main/java/org/apache/sling/servlets/get/impl/helpers/StreamRenderer.java
+++ b/src/main/java/org/apache/sling/servlets/get/impl/helpers/StreamRenderer.java
@@ -21,7 +21,6 @@ import static org.apache.sling.api.servlets.HttpConstants.HEADER_IF_MODIFIED_SIN
 import static org.apache.sling.api.servlets.HttpConstants.HEADER_LAST_MODIFIED;
 import java.io.BufferedInputStream;
-import java.io.Closeable;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
diff --git a/src/test/java/org/apache/sling/servlets/get/impl/helpers/HtmlRendererTest.java b/src/test/java/org/apache/sling/servlets/get/impl/helpers/HtmlRendererTest.java
index 72a3a1b..fff4003 100644
--- a/src/test/java/org/apache/sling/servlets/get/impl/helpers/HtmlRendererTest.java
+++ b/src/test/java/org/apache/sling/servlets/get/impl/helpers/HtmlRendererTest.java
@@ -18,6 +18,8 @@
 */
 package org.apache.sling.servlets.get.impl.helpers;
+import static org.junit.Assert.assertTrue;
+
 import java.io.IOException;
 import java.io.PrintWriter;
 import java.io.StringWriter;
@@ -30,7 +32,6 @@ import org.apache.sling.api.SlingHttpServletRequest;
 import org.apache.sling.api.SlingHttpServletResponse;
 import org.apache.sling.api.resource.Resource;
 import org.apache.sling.api.resource.ResourceResolver;
-import org.apache.sling.xss.XSSAPI;
 import org.junit.Before;
 import org.junit.Test;
 import org.mockito.Mockito;
@@ -40,6 +41,8 @@ public class HtmlRendererTest {
 private SlingHttpServletRequest request;
 private SlingHttpServletResponse response;
+private StringWriter writer;
+
 @Before
 public void setup() throws IOException {
 request = Mockito.mock(SlingHttpServletRequest.class);
@@ -57,15 +60,16 @@ public class HtmlRendererTest {
 response = Mockito.mock(SlingHttpServletResponse.class);
-Mockito.when(response.getWriter()).thenReturn(new PrintWriter(new StringWriter()));
+this.writer = new StringWriter();
+Mockito.when(response.getWriter()).thenReturn(new PrintWriter(this.writer));
 }
 @Test
 public void testEscaping() throws ServletException, IOException {
-XSSAPI xss = Mockito.mock(XSSAPI.class);
-
-new HtmlRenderer(xss).render(request, response);
+HtmlRenderer.INSTANCE.render(request, response);
-Mockito.verify(xss).encodeForHTML("<script>alert(1);</script>");
+this.writer.flush();
+final String contents = this.writer.toString();
+assertTrue(contents.contains("<script>alert(1);</script>"));
 }
 }
\ No newline at end of file
diff --git a/src/test/java/org/apache/sling/servlets/get/impl/helpers/StreamRendererTest.java b/src/test/java/org/apache/sling/servlets/get/impl/helpers/StreamRendererTest.java
index 1584727..767bd10 100644
--- a/src/test/java/org/apache/sling/servlets/get/impl/helpers/StreamRendererTest.java
+++ b/src/test/java/org/apache/sling/servlets/get/impl/helpers/StreamRendererTest.java
@@ -57,7 +57,7 @@ public class StreamRendererTest {
 @Before
 public void setup() {
-Resource r = context.create().resource("/abc.txt","prop","value");
+context.create().resource("/abc.txt","prop","value");
 context.build().file("file.txt", this.getClass().getResourceAsStream("/samplefile.json"));
 requestDispatcher = Mockito.mock(RequestDispatcher.class);
 context.request().setRequestDispatcherFactory(new MockRequestDispatcherFactory() {
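Review bot: `assertTrue(contents.contains("<script>alert(1);</script>"));` asserts that the raw markup appears verbatim in the rendered output, which is the opposite of what `testEscaping` is meant to verify: with `Encode.forHtmlContent` applied to every value, the output should contain the encoded form and must not contain the unencoded tag. The old test at least verified that the encoder was invoked on the payload; the new one passes only if the payload reaches the writer unencoded, so either it fails against the current renderer or it is exercising an unencoded output path (the mock that carries the payload is set up earlier in `setup()`, outside this hunk, so which field it is cannot be seen here). Replace it with `assertFalse(contents.contains("<script>alert(1);</script>"));` and `assertTrue(contents.contains("&lt;script&gt;alert(1);&lt;/script&gt;"));`, adding the matching static import for `assertFalse`.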