This is an automated email from the ASF dual-hosted git repository. rombert pushed a commit to annotated tag org.apache.sling.xss-1.0.14 in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-xss.git
commit eaaefc64953994212ad1ba97e8a2066772cadd0b
Author: Radu Cotescu <[email protected]>
AuthorDate: Thu Aug 18 14:54:58 2016 +0000

    SLING-4560 - XSSAPI#getValidHref is empty for valid Bengali or Hindi characters

    * changed the href validation regexes to bring them closer to the regexes recommended by RFC 3986
    * added tests for the GB18030 characters which were not previously accepted

    git-svn-id: https://svn.apache.org/repos/asf/sling/trunk/bundles/extensions/xss@1756802 13f79535-47bb-0310-9956-ffa450edef68
---
 src/main/java/org/apache/sling/xss/impl/XSSFilterImpl.java | 4 ++--
 src/main/resources/SLING-INF/content/config.xml | 5 ++---
 src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java | 2 ++
 3 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/src/main/java/org/apache/sling/xss/impl/XSSFilterImpl.java b/src/main/java/org/apache/sling/xss/impl/XSSFilterImpl.java
index 2137949..91b906b 100644
--- a/src/main/java/org/apache/sling/xss/impl/XSSFilterImpl.java
+++ b/src/main/java/org/apache/sling/xss/impl/XSSFilterImpl.java
@@ -58,8 +58,8 @@ public class XSSFilterImpl implements XSSFilter, EventHandler {
 static final Attribute DEFAULT_HREF_ATTRIBUTE = new Attribute(
 "href",
 Arrays.asList(
- Pattern.compile("([\\p{L}\\p{N}\\\\\\.\\#@\\$%\\+&;\\-_~,\\?=/!\\*\\(\\)]*|\\#(\\w)+)"),
- Pattern.compile("(\\s)*((ht|f)tp(s?)://|mailto:)[\\p{L}\\p{N}]+[\\p{L}\\p{N}\\p{Zs}\\.\\#@\\$%\\+&;:\\-_~,\\?=/!\\*\\(\\)]*(\\s)*")
+ Pattern.compile("(?!.*javascript:)(([^?#]*))?([^?#]*)(\\?([^#]*))?(#(.*))?(\\s)*"),
+ Pattern.compile("(\\s)*((ht|f)tp(s?)://|mailto:)(([^?#]*))?([^?#]*)(\\?([^#]*))?(#(.*))?(\\s)*")
 ),
 Collections.<String>emptyList(),
 "removeAttribute", ""
diff --git a/src/main/resources/SLING-INF/content/config.xml b/src/main/resources/SLING-INF/content/config.xml
index 2ca1732..7dcba85 100644
--- a/src/main/resources/SLING-INF/content/config.xml
+++ b/src/main/resources/SLING-INF/content/config.xml
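Review bot: The new onsite `href` pattern (first added `Pattern.compile` line) now admits `:` through `[^?#]*` and relies on the single blocklist lookahead `(?!.*javascript:)`, which is case-sensitive and, since `.` does not cross a line terminator without DOTALL, cannot see past a leading newline; so values like `JavaScript:alert(1)`, `\njavascript:alert(1)`, `vbscript:` or `data:` URLs would be accepted where the previous character class (which contained no `:`) rejected them. RFC 3986, which the commit message cites, makes the rule simpler: a relative reference has no scheme, i.e. no colon before the first `/`, `?` or `#`, so an allow-list lookahead such as `Pattern.compile("(?![^/?#]*:)(([^?#]*))?([^?#]*)(\\?([^#]*))?(#(.*))?(\\s)*")` rejects every scheme, including whitespace-obfuscated ones like `java\tscript:`, while still accepting the non-ASCII paths this change is fixing (protocol-relative `//host/...` remains accepted, as it was before). Whether the attribute value is entity-decoded before these patterns are applied is not visible here and would need confirming against the sanitizer. The `DEFAULT_HREF_ATTRIBUTE` initializer continues past the end of the hunk.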
@@ -67,9 +67,8 @@ http://www.w3.org/TR/html401/struct/global.html
 <regexp name="htmlClass" value="[a-zA-Z0-9\s,\-_]+"/>
 <!-- Allow empty URL attributes with a '*'-quantifier instead of '+' for the first part of the regexp -->
-<regexp name="onsiteURL" value="([\p{L}\p{N}\\\.\#@\$%\+&;\-_~,\?=/!\*\(\)]*|\#(\w)+)"/>
-<regexp name="offsiteURL"
- value="(\s)*((ht|f)tp(s?)://|mailto:)[\p{L}\p{N}]+[\p{L}\p{N}\p{Zs}\.\#@\$%\+&;:\-_~,\?=/!\*\(\)]*(\s)*"/>
+<regexp name="onsiteURL" value="(?!.*javascript:)(([^?#]*))?([^?#]*)(\?([^#]*))?(#(.*))?(\s)*"/>
+<regexp name="offsiteURL" value="(\s)*((ht|f)tp(s?)://|mailto:)(([^?#]*))?([^?#]*)(\?([^#]*))?(#(.*))?(\s)*"/>
 <regexp name="boolean" value="(true|false)"/>
 <regexp name="singlePrintable" value="[a-zA-Z0-9]{1}"/>
diff --git a/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java b/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
index 263514e..efe9dc5 100644
--- a/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
+++ b/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
@@ -220,6 +220,8 @@ public class XSSAPIImplTest {
 String[][] testData = {
 // Href Expected Result
 //
+ {"/etc/commerce/collections/中文", "/etc/commerce/collections/中文"},
+ {"/etc/commerce/collections/⺁〡〢☉⊕〒", "/etc/commerce/collections/⺁〡〢☉⊕〒"},
 {null, ""},
 {"", ""},
 {"simple", "simple"},
-- 
To stop receiving notification emails like this one, please contact "[email protected]" <[email protected]>.
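Review bot: The new `onsiteURL` regexp carries the same `(?!.*javascript:)` blocklist as the Java default and therefore the same gaps: it is case-sensitive, `.` does not cross a newline, and other executable schemes (`vbscript:`, `data:`) are not named at all, while `[^?#]*` now lets a `:` through that the old character class never allowed. Forbidding any scheme in the first path segment, as RFC 3986 defines a relative reference, closes all of these at once: `<regexp name="onsiteURL" value="(?![^/?#]*:)(([^?#]*))?([^?#]*)(\?([^#]*))?(#(.*))?(\s)*"/>`. Since this value must stay identical to `XSSFilterImpl.DEFAULT_HREF_ATTRIBUTE`, a short `<!-- keep in sync with XSSFilterImpl.DEFAULT_HREF_ATTRIBUTE -->` above the two regexps would make the coupling visible to the next editor. How the sanitizer applies this pattern (whole-string match, entity decoding) is not visible in the hunk and should be confirmed before relying on either form.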
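Review bot: The two rows added to `testData` only exercise accepted inputs; nothing in the table checks that the rewritten onsite pattern still rejects script URLs, which is the behaviour a loosened `href` regex most risks. Rejection rows such as `{"JavaScript:alert(1)", ""}`, `{"\njavascript:alert(1)", ""}` and `{"vbscript:alert(1)", ""}` (the table already uses `""` as the rejected result, e.g. `{null, ""}`) would pin that, and with the committed lookahead being case-sensitive and newline-blind they would likely fail, which is exactly what the test should surface. The rest of the `testData` table and the loop that drives it lie outside the hunk.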
