Author: lukaszlenart
Date: Thu Mar 25 12:02:05 2010
New Revision: 927358

URL: http://svn.apache.org/viewvc?rev=927358&view=rev
Log:
Resolved WW-3410 - XSS vulnerability in UrlHelper.java

Modified:
    
struts/struts2/trunk/core/src/main/java/org/apache/struts2/views/util/UrlHelper.java
    
struts/struts2/trunk/core/src/test/java/org/apache/struts2/views/util/UrlHelperTest.java

Modified: 
struts/struts2/trunk/core/src/main/java/org/apache/struts2/views/util/UrlHelper.java
URL: 
http://svn.apache.org/viewvc/struts/struts2/trunk/core/src/main/java/org/apache/struts2/views/util/UrlHelper.java?rev=927358&r1=927357&r2=927358&view=diff
==============================================================================
--- 
struts/struts2/trunk/core/src/main/java/org/apache/struts2/views/util/UrlHelper.java
 (original)
+++ 
struts/struts2/trunk/core/src/main/java/org/apache/struts2/views/util/UrlHelper.java
 Thu Mar 25 12:02:05 2010
@@ -247,7 +247,7 @@ public class UrlHelper {
 
     private static String buildParameterSubstring(String name, String value) {
         StringBuilder builder = new StringBuilder();
-        builder.append(name);
+        builder.append(translateAndEncode(name));
         builder.append('=');
         builder.append(translateAndEncode(value));
 
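Review bot: In `buildParameterSubstring`, the added `builder.append(translateAndEncode(name));` sends the parameter name through the same helper as the value, and that helper's body is not visible in this hunk. If it performs variable or expression translation before URL-encoding, as its name suggests, a request-supplied name would now be translated as well, which is broader than the output-encoding fix WW-3410 needs. Consider an encode-only call for the name, e.g. `builder.append(URLEncoder.encode(name, encoding));` with the configured encoding, plus a comment such as `// names may originate from the request; URL-encode only, no translation`. The method body continues past the end of the hunk.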

Modified: 
struts/struts2/trunk/core/src/test/java/org/apache/struts2/views/util/UrlHelperTest.java
URL: 
http://svn.apache.org/viewvc/struts/struts2/trunk/core/src/test/java/org/apache/struts2/views/util/UrlHelperTest.java?rev=927358&r1=927357&r2=927358&view=diff
==============================================================================
--- 
struts/struts2/trunk/core/src/test/java/org/apache/struts2/views/util/UrlHelperTest.java
 (original)
+++ 
struts/struts2/trunk/core/src/test/java/org/apache/struts2/views/util/UrlHelperTest.java
 Thu Mar 25 12:02:05 2010
@@ -101,11 +101,12 @@ public class UrlHelperTest extends Strut
     }
 
     public void testBuildParametersStringWithUrlHavingSomeExistingParameters() 
throws Exception {
-        String expectedUrl = 
"http://localhost:8080/myContext/myPage.jsp?initParam=initValue&param1=value1&param2=value2";;
+        String expectedUrl = 
"http://localhost:8080/myContext/myPage.jsp?initParam=initValue&param1=value1&param2=value2&param3%22%3CsCrIpT%3Ealert%281%29%3B%3C%2FsCrIpT%3E=value3";;
 
         Map parameters = new LinkedHashMap();
         parameters.put("param1", "value1");
         parameters.put("param2", "value2");
+        parameters.put("param3\"<sCrIpT>alert(1);</sCrIpT>","value3");
 
         StringBuilder url = new 
StringBuilder("http://localhost:8080/myContext/myPage.jsp?initParam=initValue";);
 
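Review bot: The WW-3410 regression case is folded into `testBuildParametersStringWithUrlHavingSomeExistingParameters` via the added `parameters.put("param3\"<sCrIpT>alert(1);</sCrIpT>","value3");`, so a failure there does not say whether ordinary parameter joining or name encoding broke. A dedicated method, e.g. `public void testBuildParametersStringEncodesParameterNames() throws Exception`, would keep the two concerns apart. It could also cover a name containing `&` or `=`, to confirm that a name cannot split into extra parameters. The test method runs past the end of the hunk, so the assertion itself is not visible here.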

