This is an automated email from the ASF dual-hosted git repository. rombert pushed a commit to annotated tag org.apache.sling.xss-1.0.0 in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-xss.git
commit 07248d8fccfd225e193617dfe7dd404bd996b474
Author: Felix Meschberger <[email protected]>
AuthorDate: Fri Dec 5 11:33:07 2014 +0000
SLING-4177 Properly XSS escape CSS style string (applying patch by Vlad Bailescu, thanks alot)
git-svn-id: https://svn.apache.org/repos/asf/sling/trunk/contrib/extensions/xss@1643241 13f79535-47bb-0310-9956-ffa450edef68
---
src/main/java/org/apache/sling/xss/XSSAPI.java | 10 ++++++++++
.../java/org/apache/sling/xss/impl/XSSAPIImpl.java | 7 +++++++
.../org/apache/sling/xss/impl/XSSAPIImplTest.java | 21 +++++++++++++++++++++
3 files changed, 38 insertions(+)
diff --git a/src/main/java/org/apache/sling/xss/XSSAPI.java b/src/main/java/org/apache/sling/xss/XSSAPI.java
index 076e104..0e026b3 100644
--- a/src/main/java/org/apache/sling/xss/XSSAPI.java
+++ b/src/main/java/org/apache/sling/xss/XSSAPI.java
@@ -158,6 +158,16 @@ public interface XSSAPI {
*/
public String encodeForJSString(String source);
+ /**
+ * Encodes a souce string for writing to CSS string content.
+ * DO NOT USE FOR WRITING OUT ARBITRARY CSS TOKENS; YOU MUST USE A VALIDATOR FOR THAT!
+ * (Encoding only ensures the source string cannot break out of its context.)
+ *
+ * @param source the input to encode
+ * @return an encoded version of the source
+ */
+ public String encodeForCSSString(String source);
+
// =============================================================================================
// FILTERS
diff --git a/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java b/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java
index 4306d99..e01aff1 100644
--- a/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java
+++ b/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java
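Review bot: The Javadoc on the new `encodeForCSSString` declaration misspells "souce" and never says what "its context" is, which is exactly the detail a caller needs to decide whether this encoder alone is sufficient. The method name and the "CSS string content" wording indicate a string-literal encoder, so the result is only safe between quote characters that the caller itself emits, and when that CSS ends up inside an HTML `style="..."` attribute the caller presumably still has to HTML-attribute-encode the whole value on top of this call; neither point is stated. I would replace the first line with `* Encodes a source string for writing into a quoted CSS string literal; the caller must supply the surrounding quotes.` and add `* If the resulting CSS is written into an HTML attribute, the value must additionally be HTML-attribute encoded.` before the capitalised warning.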
@@ -289,6 +289,13 @@ public class XSSAPIImpl implements XSSAPI {
return Encode.forJavaScript(source);
}
+ /**
+ * @see org.apache.sling.xss.XSSAPI#encodeForCSSString(String)
+ */
+ public String encodeForCSSString(String source) {
+ return Encode.forCssString(source);
+ }
+
// =============================================================================================
// FILTERS
//
diff --git a/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java b/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
index 3f7108c..1367810 100644
--- a/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
+++ b/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
@@ -338,6 +338,27 @@ public class XSSAPIImplTest {
}
@Test
+ public void TestEncodeForCSSString() {
+ String[][] testData = {
+ // Source Expected result
+ {"test" , "test"},
+ {"\\" , "\\5c"},
+ {"'" , "\\27"},
+ {"\"" , "\\22"}
+ };
+
+ for (String[] aTestData : testData) {
+ String source = aTestData[0];
+ String expected = aTestData[1];
+
+ String result = xssAPI.encodeForCSSString(source);
+ if (!result.equals(expected)) {
+ fail("Encoding '" + source + "', expecting '" + expected + "', but got '" + result + "'");
+ }
+ }
+ }
+
+ @Test
public void TestGetValidStyleToken() {
String[][] testData = {
// Source Expected result
-- To stop receiving notification emails like this one, please contact "[email protected]" <[email protected]>.
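Review bot: `encodeForCSSString` passes `source` straight into `Encode.forCssString` with no null handling, so what a null argument produces is whatever the OWASP encoder does, and as far as I recall its shared encode loop substitutes the literal text "null" rather than returning null, which would quietly emit the word `null` into a style sheet for an absent property. The sibling `encodeForJSString` on the context line does the same, so this is a class-wide convention rather than a new defect, but it is undocumented and untested for the new method. Either pin it with a null case in the new test or make the contract explicit with `return source == null ? null : Encode.forCssString(source);`, whichever matches what the other encoders in this class are meant to do; the `@see`-only Javadoc should then say which it is.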
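Review bot: The new test rows cover only backslash and the two quote characters, so the characters that actually let a value break out of an inline style sheet or a CSS comment — `<`, `>`, `/`, `&` and line terminators — are unverified, as is the escape-termination rule, where a hex digit that follows an escaped character must be separated from the `\XX` escape or CSS reads `\27a` as a single code point. I would add rows such as `{"<" , "\\3c"}, {"/" , "\\2f"}, {"'a" , "\\27 a"}` and a `"</style>"` case, with the expected column taken from what CSS requires rather than from the encoder's current output; a mismatch there is a finding, not a test bug. The loop itself is fine, though `result.equals(expected)` would throw instead of failing cleanly if the encoder ever returned null.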
