This is an automated email from the ASF dual-hosted git repository. rombert pushed a commit to annotated tag org.apache.sling.xss-1.0.0 in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-xss.git
commit 11c36ee81918f15f1bc242c43408aa3cde7c577b
Author: Radu Cotescu <[email protected]>
AuthorDate: Tue Feb 10 21:35:03 2015 +0000
SLING-4176 - Sightly: StyleToken context is doing nothing
* provide protection against javascript snippets in CSS (patch provided by Vlad Bailescu)
git-svn-id: https://svn.apache.org/repos/asf/sling/trunk/contrib/extensions/xss@1658820 13f79535-47bb-0310-9956-ffa450edef68
---
 src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java | 2 +-
 src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java b/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java
index bddab78..bb3810e 100644
--- a/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java
+++ b/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java
@@ -209,7 +209,7 @@ public class XSSAPIImpl implements XSSAPI {
 /** http://www.w3.org/TR/css-syntax-3/#ident-token-diagram */
 private static final String IDENTIFIER = "-?[a-z_" + NON_ASCII + "][\\w_\\-" + NON_ASCII + "]*";
 /** http://www.w3.org/TR/css-syntax-3/#string-token-diagram */
- private static final String STRING = "\"(?:[^\"^\\\\^\\n]|(?:\\\\\"))*\"|'(?:[^'^\\\\^\\n]|(?:\\\\'))*'";
+ private static final String STRING = "\"(?:(?!javascript\\s?:)[^\"^\\\\^\\n]|(?:\\\\\"))*\"|'(?:(?!javascript\\s?:)[^'^\\\\^\\n]|(?:\\\\'))*'";
 /** http://www.w3.org/TR/css-syntax-3/#dimension-token-diagram */
 private static final String DIMENSION = NUMBER + IDENTIFIER;
 /** http://www.w3.org/TR/css-syntax-3/#percentage-token-diagram */
diff --git a/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java b/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
index a826b06..6717ece 100644
--- a/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
+++ b/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
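Review bot: The `(?!javascript\\s?:)` lookahead added to the `+` STRING line is a literal denylist that several equivalent spellings get past: the match is case-sensitive, so `'JavaScript:alert(1)'` is accepted unless the Pattern built from STRING elsewhere in XSSAPIImpl is compiled with CASE_INSENSITIVE (not visible in this hunk); `\\s?` tolerates at most one whitespace character before the colon; and the character classes still admit tab and carriage return, which browsers generally discard from a URL before scheme detection, so `'java<TAB>script:alert(1)'` with a literal tab is accepted as well. A tighter line is `private static final String STRING = "\"(?:(?!(?i:javascript)\\s*:)[^\"^\\\\^\\n\\r\\t]|(?:\\\\\"))*\"|'(?:(?!(?i:javascript)\\s*:)[^'^\\\\^\\n\\r\\t]|(?:\\\\'))*'";`, which matches the scheme case-insensitively with unbounded whitespace and excludes the stripped control characters alongside `\\n` while keeping the rest of the class unchanged. Even then the string token remains a pattern-level denylist, so a comment such as `// NOTE: denylist only - an obfuscated scheme can still slip through; keep string/url() validation conservative` above the constant would warn the next maintainer. The class XSSAPIImpl continues outside this hunk, so how STRING is compiled and consumed is not shown here.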
@@ -430,7 +430,11 @@ public class XSSAPIImplTest {
 // no javascript:
 {"javascript:alert(1)" , RUBBISH},
+ {"'javascript:alert(1)'" , RUBBISH},
+ {"\"javascript:alert('XSS')\"" , RUBBISH},
 {"url(javascript:alert(1))" , RUBBISH},
+ {"url('javascript:alert(1)')" , RUBBISH},
+ {"url(\"javascript:alert('XSS')\")" , RUBBISH},
 // no expression
 {"expression(alert(1))" , RUBBISH},
--
To stop receiving notification emails like this one, please contact "[email protected]" <[email protected]>.
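Review bot: The four new rows pin only the lowercase, whitespace-free spelling of the scheme, which is exactly the shape the new STRING lookahead was written for, so the table cannot reveal a variant that bypasses it. Rows such as `{"'JavaScript:alert(1)'" , RUBBISH},` and `{"'java\tscript:alert(1)'" , RUBBISH},` (a real tab inside the scheme) would exercise mixed case and an embedded control character; the committed regex accepts the tab form outright and the mixed-case form unless the Pattern is compiled with CASE_INSENSITIVE, so these rows would fail and expose the gap rather than silently pass. The surrounding test-data array and its enclosing method begin and end outside this hunk.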
