This is an automated email from the ASF dual-hosted git repository. rombert pushed a commit to annotated tag org.apache.sling.xss-1.0.10 in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-xss.git
commit 3dcd697cdb08670c0d6b08492cd6fc43e5a251eb
Author: Robert Munteanu <[email protected]>
AuthorDate: Thu Aug 4 08:43:16 2016 +0000

SLING-5946 - XSSAPI#encodeForJSString is not restrictive enough

Submitted-By: Vlad Bailescu

git-svn-id: https://svn.apache.org/repos/asf/sling/trunk/bundles/extensions/xss@1755147 13f79535-47bb-0310-9956-ffa450edef68
---
 src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java | 2 +-
 src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java | 13 ++++++++-----
 2 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java b/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java
index 8abd350..e0fc15f 100644
--- a/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java
+++ b/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java
@@ -429,7 +429,7 @@ public class XSSAPIImpl implements XSSAPI {
 */
 @Override
 public String encodeForJSString(String source) {
- return source == null ? null : Encode.forJavaScriptSource(source);
+ return source == null ? null : Encode.forJavaScript(source).replace("\\-", "\\u002D");
 }
 /**
diff --git a/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java b/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
index 714c575..e6f3c87 100644
--- a/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
+++ b/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
@@ -400,10 +400,13 @@ public class XSSAPIImplTest {
 {null, null},
 {"simple", "simple"},
- {"break\"out", "break\\\"out"},
- {"break'out", "break\\'out"},
- {"'alert(document.cookie)", "\\'alert(document.cookie)"},
- {"2014-04-22T10:11:24.002+01:00", "2014-04-22T10:11:24.002+01:00"}
+ {"break\"out", "break\\x22out"},
+ {"break'out", "break\\x27out"},
+
+ {"</script>", "<\\/script>"},
+
+ {"'alert(document.cookie)", "\\x27alert(document.cookie)"},
+ {"2014-04-22T10:11:24.002+01:00", "2014\\u002D04\\u002D22T10:11:24.002+01:00"}
 };
 for (String[] aTestData : testData) {
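Review bot: The `.replace("\\-", "\\u002D")` on the added line silently depends on Encode.forJavaScript emitting exactly `\-` for a hyphen, and nothing in the method or its Javadoc (only the closing `*/` is in the hunk; the doc body lies above it) says why the hyphen is rewritten, so a later maintainer may "simplify" it away. A one-line comment would pin the intent: `// forJavaScript escapes '-' as "\-"; rewrite it to "\u002D" so "--" (and hence "-->") can never appear in the output`. The rewrite is unambiguous because the encoder emits a backslash as `\\`, so the only `\-` in its output is an encoded hyphen, and the timestamp vector in the test hunk will fail loudly if a future encoder version changes that escape. Since quotes now come out as `\x22`/`\x27` rather than `\"`/`\'` (visible in the test hunk), the Javadoc should also state that the result is meant for a JavaScript string literal inside either a `<script>` block or a quoted event-handler attribute, a wider claim than forJavaScriptSource made if the encoder's documentation for the version in use agrees.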
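Review bot: The new vectors pin the hex-quote form and `<\/script>`, but none exercises the property that motivated the `\u002D` rewrite in XSSAPIImpl, namely that two adjacent hyphens must not survive encoding; adding `{"--", "\\u002D\\u002D"},` beside the timestamp vector would guard that directly, since an encoder version emitting a different hyphen escape would turn the `replace` into a no-op while still passing the timestamp case in spirit. The two bare `+` lines inside the array literal are stray blank lines in a table that has none elsewhere; dropping them keeps the vectors compact. The enclosing test method starts before this hunk.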
@@ -430,7 +433,7 @@ public class XSSAPIImplTest {
 {"\"literal string\"", "\"literal string\""},
 {"'literal string'", "'literal string'"},
 {"\"bad literal'", RUBBISH},
- {"'literal'); junk'", "'literal\\'); junk'"},
+ {"'literal'); junk'", "'literal\\x27); junk'"},
 {"1200", "1200"},
 {"3.14", "3.14"},
--
To stop receiving notification emails like this one, please contact "[email protected]" <[email protected]>.
