This is an automated email from the ASF dual-hosted git repository. rombert pushed a commit to annotated tag org.apache.sling.xss-1.0.0 in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-xss.git
commit 7260fa120f2b826af9d53c6051b715d9a90470dc Author: Robert Munteanu <[email protected]> AuthorDate: Tue Feb 17 15:38:01 2015 +0000 SLING-4428 - Sightly: scriptComment and styleComment contexts are not doing anything - Added support for multiline comment validation in XSS API. - Added implementation and test. - Added styleComment context to Sightly. - Added proper validation for scriptComment and styleComment contexts. This closes #65 Submitted by: Vlad Bailescu git-svn-id: https://svn.apache.org/repos/asf/sling/trunk/contrib/extensions/xss@1660420 13f79535-47bb-0310-9956-ffa450edef68 --- src/main/java/org/apache/sling/xss/XSSAPI.java | 10 ++++++++++ .../java/org/apache/sling/xss/impl/XSSAPIImpl.java | 10 ++++++++++ .../org/apache/sling/xss/impl/XSSAPIImplTest.java | 21 +++++++++++++++++++++ 3 files changed, 41 insertions(+) diff --git a/src/main/java/org/apache/sling/xss/XSSAPI.java b/src/main/java/org/apache/sling/xss/XSSAPI.java index f9fc0a8..b2ad26f 100644 --- a/src/main/java/org/apache/sling/xss/XSSAPI.java +++ b/src/main/java/org/apache/sling/xss/XSSAPI.java @@ -119,6 +119,16 @@ public interface XSSAPI { @Nullable public String getValidCSSColor(@Nullable String color, @Nullable String defaultColor); + /** + * Validate multiline comment to be used inside a <script>...</script> or <style>...</style> block. Multiline + * comment end block is disallowed + * + * @param comment the comment to be used + * @param defaultComment a default value to use if the comment is {@code null} or not valid. + * @return a valid multiline comment + */ + public String getValidMultiLineComment(@Nullable String comment, @Nullable String defaultComment); + // ============================================================================================= // ENCODERS // diff --git a/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java b/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java index bb3810e..400f279 100644 --- a/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java 
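Review bot: The new `getValidMultiLineComment` declaration has no `@Nullable` on its return type, unlike the neighbouring `getValidCSSColor` declaration, even though the implementation hands back `defaultComment` unchanged and that parameter is itself declared `@Nullable`; add `@Nullable` on the line above the method so callers see the same contract as for the other validators. The Javadoc should also spell out the fallback rather than leave it implicit: `* @return the comment when it is non-null and contains no {@code */}; otherwise {@code defaultComment}, which is returned without further validation.` The interface body continues outside the hunk.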
+++ b/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java @@ -265,6 +265,16 @@ public class XSSAPIImpl implements XSSAPI { return defaultColor; } + /** + * @see org.apache.sling.xss.XSSAPI#getValidMultiLineComment(String, String) + */ + public String getValidMultiLineComment(String comment, String defaultComment) { + if (comment != null && !comment.contains("*/")) { + return comment; + } + return defaultComment; + } + // ============================================================================================= // ENCODERS // diff --git a/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java b/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java index 6717ece..0bda966 100644 --- a/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java +++ b/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java @@ -522,4 +522,25 @@ public class XSSAPIImplTest { } } } + + @Test + public void TestGetValidMultiLineComment() { + String[][] testData = { + //Source Expected Result + + {null , RUBBISH}, + {"blah */ hack" , RUBBISH}, + + {"Valid comment" , "Valid comment"} + }; + for (String[] aTestData : testData) { + String source = aTestData[0]; + String expected = aTestData[1]; + + String result = xssAPI.getValidMultiLineComment(source, RUBBISH); + if (!result.equals(expected)) { + fail("Validating multiline comment '" + source + "', expecting '" + expected + "', but got '" + result + "'"); + } + } + } } -- To stop receiving notification emails like this one, please contact "[email protected]" <[email protected]>.
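Review bot: Rejecting only `*/` does not keep the value inside the element it is meant for: the HTML tokenizer ends a `<script>` or `<style>` element at `</script` / `</style` irrespective of whether that text sits inside a `/* ... */` comment, so a comment containing that sequence would be emitted as markup. Tightening the guard to `if (comment != null && !comment.contains("*/") && !comment.contains("</")) {` covers both contexts named in the Javadoc; whether `<!--` and `-->`, which alter the script-data tokenizer state, need the same treatment depends on how the surrounding template is assembled and is worth checking. `defaultComment` is returned without the same check, which matches `getValidCSSColor` above and is presumably intentional for a trusted default, but the method comment should say so. The enclosing class continues outside the hunk.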
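Review bot: The test method name `TestGetValidMultiLineComment` uses an upper-case initial, which breaks the lowerCamelCase convention for Java methods and presumably the rest of this test class; rename it to `testGetValidMultiLineComment`. The table covers null, a value containing `*/` and a plain value; adding an empty string `{"" , ""}` and a value with only the opening sequence, `{"/* nested" , "/* nested"}`, would pin the boundaries the implementation currently accepts. Comparing with `result.equals(expected)` throws instead of failing cleanly if the implementation ever returns `null`; `expected.equals(result)` or `assertEquals` keeps the failure message meaningful. The enclosing test class starts before the hunk.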
