Ate Douma pushed to branch release/4.2 at cms-community / hippo-site-toolkit


Commits:
dbe20edd by Ate Douma at 2018-01-15T23:06:54+01:00
HSTTWO-4215 [Backport 11.2] Improved sitemenu link validation

(cherry picked from commit 783bc88efccb926b23967eea275aae7d6ab21b23)

- - - - -


2 changed files:

- 
client-modules/page-composer/src/main/java/org/hippoecm/hst/pagecomposer/jaxrs/services/helpers/SiteMenuItemHelper.java
- 
components/core/src/main/resources/org/hippoecm/hst/site/container/SpringComponentManager.properties


Changes:

=====================================
client-modules/page-composer/src/main/java/org/hippoecm/hst/pagecomposer/jaxrs/services/helpers/SiteMenuItemHelper.java
=====================================
--- 
a/client-modules/page-composer/src/main/java/org/hippoecm/hst/pagecomposer/jaxrs/services/helpers/SiteMenuItemHelper.java
+++ 
b/client-modules/page-composer/src/main/java/org/hippoecm/hst/pagecomposer/jaxrs/services/helpers/SiteMenuItemHelper.java
@@ -37,7 +37,9 @@ import org.hippoecm.hst.pagecomposer.jaxrs.model.LinkType;
 import org.hippoecm.hst.pagecomposer.jaxrs.model.SiteMenuItemRepresentation;
 import org.hippoecm.hst.pagecomposer.jaxrs.services.exceptions.ClientError;
 import org.hippoecm.hst.pagecomposer.jaxrs.services.exceptions.ClientException;
+import org.hippoecm.hst.site.HstServices;
 import org.hippoecm.repository.util.NodeIterable;
+import org.htmlcleaner.Utils;
 
 import static 
org.hippoecm.hst.configuration.HstNodeTypes.NODETYPE_HST_SITEMENU;
 import static 
org.hippoecm.hst.configuration.HstNodeTypes.SITEMENUITEM_HST_PROTOTYPEITEM;
@@ -49,6 +51,7 @@ import static 
org.hippoecm.repository.api.NodeNameCodec.encode;
 
 public class SiteMenuItemHelper extends AbstractHelper {
 
+    private Boolean omitJavascriptProtocol;
 
     @SuppressWarnings("unchecked")
     @Override
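Review bot: `private Boolean omitJavascriptProtocol;` is a boxed tri-state cache (null meaning "not yet read") that the later hunk fills lazily on the first external-link update, with no `volatile` and no synchronization. If this helper instance is shared across request threads — which I infer from its role as a JAX-RS service helper but cannot confirm from the hunk — the unsynchronized lazy write is acceptable only because `Boolean` is immutable and a duplicated container-configuration read is harmless. Reading the flag once at construction, or declaring it `private volatile Boolean omitJavascriptProtocol;`, would make that intent explicit, and a comment such as `// null until first read from the container configuration; see update() below` would tell the next reader why a boxed type is used. The class body continues outside the hunk.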
@@ -120,7 +123,7 @@ public class SiteMenuItemHelper extends AbstractHelper {
             rename(node, modifiedName);
         }
 
-        final String modifiedLink = modifiedItem.getLink();
+        String modifiedLink = modifiedItem.getLink();
         if (modifiedItem.getLinkType() == LinkType.NONE) {
             removeProperty(node, SITEMENUITEM_PROPERTY_EXTERNALLINK);
             removeProperty(node, SITEMENUITEM_PROPERTY_REFERENCESITEMAPITEM);
@@ -128,6 +131,18 @@ public class SiteMenuItemHelper extends AbstractHelper {
             node.setProperty(SITEMENUITEM_PROPERTY_REFERENCESITEMAPITEM, 
modifiedLink);
             removeProperty(node, SITEMENUITEM_PROPERTY_EXTERNALLINK);
         } else if (modifiedItem.getLinkType() == LinkType.EXTERNAL) {
+            if (omitJavascriptProtocol == null) {
+                omitJavascriptProtocol = HstServices.getComponentManager()
+                        
.getContainerConfiguration().getBoolean("sitemenu.externallink.omitJavascriptProtocol",
 true);
+            }
+            if (modifiedLink != null && omitJavascriptProtocol) {
+                String normalized =
+                        Utils.escapeXml(modifiedLink.trim().toLowerCase(), 
true, true, true, false, false, false, true)
+                                .replaceAll("[\n\r\t]", "");
+                if (normalized.startsWith("javascript:") || 
normalized.startsWith("data:")) {
+                    modifiedLink = null;
+                }
+            }
             node.setProperty(SITEMENUITEM_PROPERTY_EXTERNALLINK, modifiedLink);
             removeProperty(node, SITEMENUITEM_PROPERTY_REFERENCESITEMAPITEM);
         }
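Review bot: `modifiedLink.trim().toLowerCase()` on the normalization line uses the JVM default locale, so on a host running with a Turkish locale an upper-case `JAVASCRIPT:` scheme lowercases to a dotless-i spelling that the `startsWith("javascript:")` guard does not match, and the link is stored unchanged; use `toLowerCase(Locale.ROOT)` and add `java.util.Locale` to the import block. The check is also a denylist of two schemes that silently replaces the offending value with `null`: an allowlist of the schemes the site menu is meant to accept would be more robust, and rejecting the save with a `ClientException` (the class already imports it) or at least logging the discarded value would give the editor and the operator a signal instead of a quietly emptied link. The eight boolean arguments to `Utils.escapeXml` are opaque at the call site; a one-line comment naming what this overload is expected to do here (presumably to decode entity-encoded characters before the scheme check — confirm against the htmlcleaner version in use) would help. The enclosing update method starts and ends outside the hunk.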


=====================================
components/core/src/main/resources/org/hippoecm/hst/site/container/SpringComponentManager.properties
=====================================
--- 
a/components/core/src/main/resources/org/hippoecm/hst/site/container/SpringComponentManager.properties
+++ 
b/components/core/src/main/resources/org/hippoecm/hst/site/container/SpringComponentManager.properties
@@ -273,3 +273,5 @@ filter.suffix.exclusions =
 cross.channel.page.copy.supported = false
 
 form.data.flat.storage = true
+
+sitemenu.externallink.omitJavascriptProtocol = true
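Review bot: The new `sitemenu.externallink.omitJavascriptProtocol = true` entry carries no explanation of what it switches, so an operator deciding whether to turn it off has nothing to go on. A comment line above it such as `# When true (the default), external sitemenu links whose scheme is javascript: or data: are dropped on save (HSTTWO-4215); set to false only if such links are intentionally allowed.` would document the security-relevant default next to the value.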


