Author: radu
Date: Mon Aug 22 12:53:04 2016
New Revision: 1757160

URL: http://svn.apache.org/viewvc?rev=1757160&view=rev
Log:
SLING-4560 - XSSAPI#getValidHref is empty for valid Bengali or Hindi characters

* applied the patch submitted by Lars Krapf, which only extends the character classes
accepted by the OWASP URL regexes instead of replacing the regexes entirely, as r1756802 did

Modified:
    
sling/trunk/bundles/extensions/xss/src/main/java/org/apache/sling/xss/impl/XSSFilterImpl.java
    
sling/trunk/bundles/extensions/xss/src/main/resources/SLING-INF/content/config.xml
    
sling/trunk/bundles/extensions/xss/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java

Modified: 
sling/trunk/bundles/extensions/xss/src/main/java/org/apache/sling/xss/impl/XSSFilterImpl.java
URL: 
http://svn.apache.org/viewvc/sling/trunk/bundles/extensions/xss/src/main/java/org/apache/sling/xss/impl/XSSFilterImpl.java?rev=1757160&r1=1757159&r2=1757160&view=diff
==============================================================================
--- 
sling/trunk/bundles/extensions/xss/src/main/java/org/apache/sling/xss/impl/XSSFilterImpl.java
 (original)
+++ 
sling/trunk/bundles/extensions/xss/src/main/java/org/apache/sling/xss/impl/XSSFilterImpl.java
 Mon Aug 22 12:53:04 2016
@@ -58,8 +58,8 @@ public class XSSFilterImpl implements XS
     static final Attribute DEFAULT_HREF_ATTRIBUTE = new Attribute(
             "href",
             Arrays.asList(
-                    
Pattern.compile("(?!.*javascript:)(([^?#]*))?([^?#]*)(\\?([^#]*))?(#(.*))?(\\s)*"),
-                    
Pattern.compile("(\\s)*((ht|f)tp(s?)://|mailto:)(([^?#]*))?([^?#]*)(\\?([^#]*))?(#(.*))?(\\s)*")
+                    
Pattern.compile("([\\p{L}\\p{M}*+\\p{N}\\\\\\.\\#@\\$%\\+&;\\-_~,\\?=/!\\*\\(\\)]*|\\#(\\w)+)"),
+                    
Pattern.compile("(\\s)*((ht|f)tp(s?)://|mailto:)[\\p{L}\\p{M}*+\\p{N}]+[\\p{L}\\p{M}*+\\p{N}\\p{Zs}\\.\\#@\\$%\\+&;:\\-_~,\\?=/!\\*\\(\\)]*(\\s)*")
             ),
             Collections.<String>emptyList(),
             "removeAttribute", ""
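Review bot: The new onsite pattern on L41 rejects any `:`, which is what now blocks `javascript:` and every other scheme (the L93 test only passes if these patterns are applied as a full match), but it also drops relative hrefs that merely carry a colon in the path, e.g. Sling/JCR paths like `/content/site/jcr:content.html`, which the previous negative-lookahead pattern accepted. Browsers only parse a scheme from `[A-Za-z][A-Za-z0-9+.-]*:` at the very start of the value, so a colon is harmless once a `/`, `?` or `#` precedes it; in plain regex form the onsite pattern could keep the leading segment colon-free and admit `:` afterwards: `([\p{L}\p{M}\p{N}\\.@$%+&;\-_~,=!*()]*([/?#][\p{L}\p{M}\p{N}\\.#@$%+&;:\-_~,?=/!*()]*)?|#\w+)`. Note also that `\p{M}*+` inside a character class is not a quantifier — it just adds the literal `*` and `+`, which the class already lists as `\*` and `\+` — so writing `\p{M}` alone says what is meant. Whether `getValidHref` decodes HTML entities before matching is not visible here; if it does not, `&#58;` would rebuild a colon since `&`, `#`, `;` and digits are all permitted, so that deserves a test. The enclosing class XSSFilterImpl starts and ends outside this hunk.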

Modified: 
sling/trunk/bundles/extensions/xss/src/main/resources/SLING-INF/content/config.xml
URL: 
http://svn.apache.org/viewvc/sling/trunk/bundles/extensions/xss/src/main/resources/SLING-INF/content/config.xml?rev=1757160&r1=1757159&r2=1757160&view=diff
==============================================================================
--- 
sling/trunk/bundles/extensions/xss/src/main/resources/SLING-INF/content/config.xml
 (original)
+++ 
sling/trunk/bundles/extensions/xss/src/main/resources/SLING-INF/content/config.xml
 Mon Aug 22 12:53:04 2016
@@ -67,8 +67,8 @@ http://www.w3.org/TR/html401/struct/glob
         <regexp name="htmlClass" value="[a-zA-Z0-9\s,\-_]+"/>
 
         <!-- Allow empty URL attributes with a '*'-quantifier instead of '+' 
for the first part of the regexp -->
-        <regexp name="onsiteURL" 
value="(?!.*javascript:)(([^?#]*))?([^?#]*)(\?([^#]*))?(#(.*))?(\s)*"/>
-        <regexp name="offsiteURL" 
value="(\s)*((ht|f)tp(s?)://|mailto:)(([^?#]*))?([^?#]*)(\?([^#]*))?(#(.*))?(\s)*"/>
+        <regexp name="onsiteURL" 
value="([\p{L}\p{M}*+\p{N}\\\.\#@\$%\+&amp;;\-_~,\?=/!\*\(\)]*|\#(\w)+)"/>
+        <regexp name="offsiteURL" 
value="(\s)*((ht|f)tp(s?)://|mailto:)[\p{L}\p{M}*+\p{N}]+[\p{L}\p{M}*+\p{N}\p{Zs}\.\#@\$%\+&amp;;:\-_~,\?=/!\*\(\)]*(\s)*"/>
 
         <regexp name="boolean" value="(true|false)"/>
         <regexp name="singlePrintable" value="[a-zA-Z0-9]{1}"/>
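Review bot: The comment above the two regexps still describes the old patterns ("'*'-quantifier instead of '+' for the first part of the regexp"), whereas the new onsiteURL on L69 is a character whitelist and offsiteURL on L71 requires at least one character after the scheme, so the note no longer tells a maintainer what matters. I would replace it with `<!-- URL character whitelists: onsiteURL admits no ':' so no scheme can be injected; offsiteURL only accepts http(s)/ftp/mailto. These values duplicate DEFAULT_HREF_ATTRIBUTE in XSSFilterImpl.java and must be changed together. -->`. The duplication itself is visible in this commit (both files carry byte-identical patterns apart from XML escaping), which is why the sync reminder is worth having next to the value most likely to be edited by an operator.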

Modified: 
sling/trunk/bundles/extensions/xss/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
URL: 
http://svn.apache.org/viewvc/sling/trunk/bundles/extensions/xss/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java?rev=1757160&r1=1757159&r2=1757160&view=diff
==============================================================================
--- 
sling/trunk/bundles/extensions/xss/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
 (original)
+++ 
sling/trunk/bundles/extensions/xss/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
 Mon Aug 22 12:53:04 2016
@@ -204,7 +204,9 @@ public class XSSAPIImplTest {
                 {"<strike>strike</strike>", "<strike>strike</strike>"},
                 {"<s>s</s>", "<s>s</s>"},
 
-                {"<a href=\"\">empty href</a>", "<a href=\"\">empty href</a>"}
+                {"<a href=\"\">empty href</a>", "<a href=\"\">empty href</a>"},
+                {"<a href=\" javascript:alert(23)\">space</a>","<a>space</a>"},
+                {"<table background=\"http://www.google.com\";></table>", 
"<table></table>"},
         };
 
         for (String[] aTestData : testData) {
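Review bot: The new case on L93 covers a leading space before `javascript:`, but nothing covers an entity-encoded colon, which is the usual way to sneak a scheme past a filter whose character class permits `&`, `#`, `;` and digits. Add `{"<a href=\"javascript&#58;alert(23)\">entity</a>", "<a>entity</a>"},` next to it; if the DOM scanner decodes attribute values before applying the regexps (as the expected `<a>` suggests it should), the case documents that guarantee, and if it does not, it is the failing test that matters most. A tab-split scheme, `{"<a href=\"java\tscript:alert(23)\">tab</a>", "<a>tab</a>"},` is worth the same treatment since browsers strip tabs and newlines from URLs before parsing. The test method and the `testData` array continue outside this hunk.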
@@ -221,7 +223,7 @@ public class XSSAPIImplTest {
                 //         Href                                        
Expected Result
                 //
                 {"/etc/commerce/collections/中文", 
"/etc/commerce/collections/中文"},
-                {"/etc/commerce/collections/⺁〡〢☉⊕〒", 
"/etc/commerce/collections/⺁〡〢☉⊕〒"},
+                
{"/etc/commerce/collections/\u09aa\u09b0\u09c0\u0995\u09cd\u09b7\u09be\u09ae\u09c2\u09b2\u0995",
 
"/etc/commerce/collections/\u09aa\u09b0\u09c0\u0995\u09cd\u09b7\u09be\u09ae\u09c2\u09b2\u0995"},
                 {null, ""},
                 {"", ""},
                 {"simple", "simple"},
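Review bot: With the new onsite pattern a protocol-relative value such as `//evil.example/x` consists entirely of permitted characters and, if `getValidHref` returns a matching input unchanged as the cases above show, will come back as-is; a case `{"//evil.example/x", "//evil.example/x"},` would make it explicit that the method validates characters and schemes, not same-origin, so callers do not assume otherwise. The opposite side is worth pinning too: the pattern admits no `:`, so `{"/content/site/jcr:content.html", ""},` is what the current code yields for a common Sling path — adding it either documents that this rejection is intended or gives the regression test should colons after the leading `/` be allowed later. The `testData` array and the method around it start and end outside this hunk.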

