This is an automated email from the ASF dual-hosted git repository. rombert pushed a commit to annotated tag org.apache.sling.xss-1.0.10 in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-xss.git
commit a1132dcaa1738be6fe7f51a8904b5f7f0d110162
Author: Radu Cotescu <[email protected]>
AuthorDate: Wed May 13 13:18:25 2015 +0000

SLING-4525 - XSS protection path mangling issue

* Added proper encoding for colons in query string
* Added testcases based on Georg Koester's patch (patch provided by Vlad Bailescu; closes #80)

git-svn-id: https://svn.apache.org/repos/asf/sling/trunk/bundles/extensions/xss@1679204 13f79535-47bb-0310-9956-ffa450edef68
---
 src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java | 4 ++++
 src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java | 10 ++++++++++
 2 files changed, 14 insertions(+)

diff --git a/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java b/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java
index 400f279..cb05449 100644
--- a/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java
+++ b/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java
@@ -167,6 +167,10 @@ public class XSSAPIImpl implements XSSAPI {
 .replaceAll("<", "%3C")
 .replaceAll("`", "%60")
 .replaceAll(" ", "%20");
+ int qMarkIx = encodedUrl.indexOf('?');
+ if (qMarkIx > 0) {
+ encodedUrl = encodedUrl.substring(0, qMarkIx) + encodedUrl.substring(qMarkIx).replaceAll(":", "%3A");
+ }
 String testHtml = LINK_PREFIX + mangleNamespaces(encodedUrl) + LINK_SUFFIX;
 // replace all & with & because filterHTML will also apply this encoding
 testHtml = testHtml.replaceAll("&(?!amp)", "&");
diff --git a/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java b/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
index f1347ec..dce4391 100644
--- a/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
+++ b/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
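Review bot: The new `if (qMarkIx > 0)` guard skips a URL whose very first character is the `?`, because `indexOf('?')` returns 0 for a query-only href such as `?0_tag:id=test`; the colon in that case stays unencoded and is still passed to `mangleNamespaces` on the following line, so the check should read `if (qMarkIx >= 0) {`. A colon that appears only after a `#` fragment with no query (for example `/page.html#a:b`) is not covered by this branch either and would presumably still be rewritten — worth a test case if that form is expected. `replaceAll(":", "%3A")` takes a regex; `replace(":", "%3A")` is equivalent here and makes the literal intent clearer. The enclosing method starts and ends outside this hunk.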
@@ -252,6 +252,16 @@ public class XSSAPIImplTest {
 // `
 {"/test/ab`cd", "/test/ab%60cd"},
 {"http://localhost:4502/test/ab`cd", "http://localhost:4502/test/ab%60cd"},
+ // colons in query string
+ {"/test/search.html?0_tag:id=test", "/test/search.html?0_tag%3Aid=test"},
+ { // JCR namespaces and colons in query string
+ "/test/jcr:content/search.html?0_tag:id=test",
+ "/test/_jcr_content/search.html?0_tag%3Aid=test"
+ },
+ { // ? in query string
+ "/test/search.html?0_tag:id=test?ing&1_tag:id=abc",
+ "/test/search.html?0_tag%3Aid=test?ing&1_tag%3Aid=abc",
+ }
 };
 for (String[] aTestData : testData) {
-- 
To stop receiving notification emails like this one, please contact "[email protected]" <[email protected]>.
