
rombert pushed a commit to annotated tag org.apache.sling.xss-1.0.10
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-xss.git

commit 58f95b81f9c59566d268f0453f26a0da40c857a8
Author: Radu Cotescu <[email protected]>
AuthorDate: Thu Jan 21 17:19:35 2016 +0000

    SLING-5445 - XSSAPI#encodeForJSString is too restrictive
    
    * replaced call to Encode.forJavaScript with call to 
Encode.forJavaScriptSource
    
    git-svn-id: 
https://svn.apache.org/repos/asf/sling/trunk/bundles/extensions/xss@1726027 
13f79535-47bb-0310-9956-ffa450edef68
---
 src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java     |  2 +-
 src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java | 10 +++++-----
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java 
b/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java
index e4dc086..5e95ae0 100644
--- a/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java
+++ b/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java
@@ -412,7 +412,7 @@ public class XSSAPIImpl implements XSSAPI {
      */
     @Override
     public String encodeForJSString(String source) {
-        return source == null ? null : Encode.forJavaScript(source);
+        return source == null ? null : Encode.forJavaScriptSource(source);
     }
 
     /**
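Review bot: The new `Encode.forJavaScriptSource` call no longer neutralizes `</script>`, so a value that reaches an inline HTML `<script>` element through `encodeForJSString` can now close that element and inject markup; the commit's deletion of the `</script>` → `<\/script>` test case in XSSAPIImplTest indicates this is a lost guarantee rather than a changed expectation. `forJavaScriptSource` is the OWASP variant for strings inside standalone JavaScript source, and nothing in the public method name tells callers that inline-script use has become unsafe; if that use is common for this API (likely for an XSSAPI, but not visible here), `Encode.forJavaScriptBlock(source)` is the variant built for script blocks, though it may reintroduce part of the escaping this change set out to remove. At minimum the method's Javadoc — its closing `*/` is the first context line and its text lies outside the hunk — should spell out the new contract, e.g. `Encodes {@code source} for a JavaScript string literal in standalone script source. The result does not escape {@code </script>}; do not use it for strings placed inside an inline HTML script element.`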
diff --git a/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java 
b/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
index dee3e65..ef26f88 100644
--- a/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
+++ b/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
@@ -378,10 +378,10 @@ public class XSSAPIImplTest {
                 {null, null},
                 {"simple", "simple"},
 
-                {"break\"out", "break\\x22out"},
-                {"break'out", "break\\x27out"},
-
-                {"</script>", "<\\/script>"}
+                {"break\"out", "break\\\"out"},
+                {"break'out", "break\\'out"},
+                {"'alert(document.cookie)", "\\'alert(document.cookie)"},
+                {"2014-04-22T10:11:24.002+01:00", 
"2014-04-22T10:11:24.002+01:00"}
         };
 
         for (String[] aTestData : testData) {
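Review bot: Dropping the `</script>` case leaves the main behaviour change of this commit unpinned; keeping the input with an assertion on the new output, presumably the unencoded `{"</script>", "</script>"}`, would make the reduced guarantee explicit and catch a future encoder swap in either direction. The added timestamp round-trip is the regression case for SLING-5445 but does not say which character the old encoder mangled, so a one-line comment naming that character next to it would preserve the intent for the next reader. The test method's declaration and the loop body lie outside the hunk.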
@@ -408,7 +408,7 @@ public class XSSAPIImplTest {
                 {"\"literal string\"", "\"literal string\""},
                 {"'literal string'", "'literal string'"},
                 {"\"bad literal'", RUBBISH},
-                {"'literal'); junk'", "'literal\\x27); junk'"},
+                {"'literal'); junk'", "'literal\\'); junk'"},
 
                 {"1200", "1200"},
                 {"3.14", "3.14"},
