Author: fmeschbe
Date: Fri Dec 5 11:33:07 2014
New Revision: 1643241
URL: http://svn.apache.org/viewvc?rev=1643241&view=rev
Log:
SLING-4177 Properly XSS escape CSS style string
(applying patch by Vlad Bailescu, thanks a lot)
Modified:
sling/trunk/contrib/extensions/xss/src/main/java/org/apache/sling/xss/XSSAPI.java
sling/trunk/contrib/extensions/xss/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java
sling/trunk/contrib/extensions/xss/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
sling/trunk/contrib/scripting/sightly/engine/src/main/java/org/apache/sling/scripting/sightly/impl/engine/extension/XSSRuntimeExtension.java
Modified:
sling/trunk/contrib/extensions/xss/src/main/java/org/apache/sling/xss/XSSAPI.java
URL:
http://svn.apache.org/viewvc/sling/trunk/contrib/extensions/xss/src/main/java/org/apache/sling/xss/XSSAPI.java?rev=1643241&r1=1643240&r2=1643241&view=diff
==============================================================================
---
sling/trunk/contrib/extensions/xss/src/main/java/org/apache/sling/xss/XSSAPI.java
(original)
+++
sling/trunk/contrib/extensions/xss/src/main/java/org/apache/sling/xss/XSSAPI.java
Fri Dec 5 11:33:07 2014
@@ -158,6 +158,16 @@ public interface XSSAPI {
*/
public String encodeForJSString(String source);
+ /**
+ * Encodes a souce string for writing to CSS string content.
+ * DO NOT USE FOR WRITING OUT ARBITRARY CSS TOKENS; YOU MUST USE A
VALIDATOR FOR THAT!
+ * (Encoding only ensures the source string cannot break out of its
context.)
+ *
+ * @param source the input to encode
+ * @return an encoded version of the source
+ */
+ public String encodeForCSSString(String source);
+
//
=============================================================================================
// FILTERS
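Review bot: The Javadoc on the new `encodeForCSSString` misspells `souce` and does not name the CSS context in which the result is safe. The implementation delegates to `Encode.forCssString`, which (if this is the OWASP Java Encoder) is specified for content placed inside a quoted CSS string literal, so the summary should read `Encodes a source string for writing into a quoted CSS string literal; the caller must supply the surrounding single or double quotes.` Stating what a `null` source yields would also help callers, since the interface otherwise leaves that contract open.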
Modified:
sling/trunk/contrib/extensions/xss/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java
URL:
http://svn.apache.org/viewvc/sling/trunk/contrib/extensions/xss/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java?rev=1643241&r1=1643240&r2=1643241&view=diff
==============================================================================
---
sling/trunk/contrib/extensions/xss/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java
(original)
+++
sling/trunk/contrib/extensions/xss/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java
Fri Dec 5 11:33:07 2014
@@ -289,6 +289,13 @@ public class XSSAPIImpl implements XSSAP
return Encode.forJavaScript(source);
}
+ /**
+ * @see org.apache.sling.xss.XSSAPI#encodeForCSSString(String)
+ */
+ public String encodeForCSSString(String source) {
+ return Encode.forCssString(source);
+ }
+
//
=============================================================================================
// FILTERS
//
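Review bot: `encodeForCSSString` at the top of the hunk carries no `@Override` although it implements the interface method, so a later signature drift in `XSSAPI` would compile silently instead of failing; add `@Override` above it. The null behaviour is also undocumented: if `Encode` here is the OWASP Java Encoder, I believe `Encode.forCssString(null)` yields the literal string `null` rather than returning `null`, which callers of an escaping API may not expect. Either document that in the interface Javadoc or add `if (source == null) { return null; }` before the delegation, whichever matches the neighbouring `encodeFor*` methods, which are outside the hunk.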
Modified:
sling/trunk/contrib/extensions/xss/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
URL:
http://svn.apache.org/viewvc/sling/trunk/contrib/extensions/xss/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java?rev=1643241&r1=1643240&r2=1643241&view=diff
==============================================================================
---
sling/trunk/contrib/extensions/xss/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
(original)
+++
sling/trunk/contrib/extensions/xss/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
Fri Dec 5 11:33:07 2014
@@ -338,6 +338,27 @@ public class XSSAPIImplTest {
}
@Test
+ public void TestEncodeForCSSString() {
+ String[][] testData = {
+ // Source Expected result
+ {"test" , "test"},
+ {"\\" , "\\5c"},
+ {"'" , "\\27"},
+ {"\"" , "\\22"}
+ };
+
+ for (String[] aTestData : testData) {
+ String source = aTestData[0];
+ String expected = aTestData[1];
+
+ String result = xssAPI.encodeForCSSString(source);
+ if (!result.equals(expected)) {
+ fail("Encoding '" + source + "', expecting '" + expected + "',
but got '" + result + "'");
+ }
+ }
+ }
+
+ @Test
public void TestGetValidStyleToken() {
String[][] testData = {
// Source Expected result
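Review bot: The hand-rolled comparison in the `if (!result.equals(expected))` block can be a single `assertEquals("Encoding '" + source + "'", expected, result);`, which reports both values on failure and is the JUnit idiom the rest of this class presumably uses. The table also lacks the case that makes CSS hex escapes tricky: an escaped character immediately followed by a hex digit (source `'a`), where an encoder emitting `\27a` without a terminating space would make the browser read one code point U+027A instead of a quote followed by `a`; add that row with the encoder's documented output as the expected value. The method-name casing `TestEncodeForCSSString` matches the existing `TestGetValidStyleToken`, so it is consistent, though `testEncodeForCSSString` would be the Java convention.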
Modified:
sling/trunk/contrib/scripting/sightly/engine/src/main/java/org/apache/sling/scripting/sightly/impl/engine/extension/XSSRuntimeExtension.java
URL:
http://svn.apache.org/viewvc/sling/trunk/contrib/scripting/sightly/engine/src/main/java/org/apache/sling/scripting/sightly/impl/engine/extension/XSSRuntimeExtension.java?rev=1643241&r1=1643240&r2=1643241&view=diff
==============================================================================
---
sling/trunk/contrib/scripting/sightly/engine/src/main/java/org/apache/sling/scripting/sightly/impl/engine/extension/XSSRuntimeExtension.java
(original)
+++
sling/trunk/contrib/scripting/sightly/engine/src/main/java/org/apache/sling/scripting/sightly/impl/engine/extension/XSSRuntimeExtension.java
Fri Dec 5 11:33:07 2014
@@ -119,6 +119,8 @@ public class XSSRuntimeExtension impleme
return xssapi.getValidStyleToken(text, "");
case SCRIPT_STRING:
return xssapi.encodeForJSString(text);
+ case STYLE_STRING:
+ return xssapi.encodeForCSSString(text);
case ELEMENT_NAME:
return escapeElementName(text);
case HTML:
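Review bot: The new `case STYLE_STRING:` relies on an enum constant that none of the four files in this commit adds, so `STYLE_STRING` presumably already existed and, until now, fell through to whatever this switch's default branch does; that branch is outside the hunk, so it is worth confirming it did not return the text unescaped, because any template already using the style-string context would have been unprotected before this change. The enclosing method begins and ends outside the hunk. A one-line comment above the case, `// CSS string literal context; the template must supply the surrounding quotes`, would keep the quoting requirement visible where the context is selected.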