Author: woonsan
Date: Tue Feb  2 13:13:18 2016
New Revision: 1728113

URL: http://svn.apache.org/viewvc?rev=1728113&view=rev
Log:
Remove the javascript: portion of the url input, if any, for security reasons.

Modified:
    
portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/services/rest/PageManagementService.java

Modified: 
portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/services/rest/PageManagementService.java
URL: 
http://svn.apache.org/viewvc/portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/services/rest/PageManagementService.java?rev=1728113&r1=1728112&r2=1728113&view=diff
==============================================================================
--- 
portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/services/rest/PageManagementService.java
 (original)
+++ 
portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/services/rest/PageManagementService.java
 Tue Feb  2 13:13:18 2016
@@ -33,8 +33,8 @@ import javax.ws.rs.PathParam;
 import javax.ws.rs.WebApplicationException;
 import javax.ws.rs.core.Context;
 import javax.ws.rs.core.PathSegment;
-import javax.ws.rs.core.UriInfo;
 import javax.ws.rs.core.Response.Status;
+import javax.ws.rs.core.UriInfo;
 
 import org.apache.commons.lang.BooleanUtils;
 import org.apache.commons.lang.StringUtils;
@@ -300,6 +300,14 @@ public class PageManagementService
                                    @FormParam("url") String url)
     {
         RequestContext requestContext = (RequestContext) 
servletRequest.getAttribute(RequestContext.REQUEST_PORTALENV);
+
+        // For security reason, strip off any part in URL having 'javascript:'.
+        int offset = StringUtils.indexOfIgnoreCase(url, "javascript:");
+        if (offset != -1) {
+            log.warn("A url having javascript: protocol was stripped off: 
'{}'.", url);
+            url = url.substring(0, offset);
+        }
+
         String path = PathSegmentUtils.joinWithPrefix(pathSegments, "/", "/");
         
         try
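Review bot: The check at `int offset = StringUtils.indexOfIgnoreCase(url, "javascript:")` is a denylist of one literal scheme, so it ignores every other scheme a browser will execute and misses spellings in which the literal does not occur as a contiguous run; truncating at the match also hands the rest of the method a silently altered URL instead of refusing the request. A safer shape is to parse the input once, accept only a relative path or an http/https URL, and answer anything else with the `WebApplicationException`/`Status.BAD_REQUEST` pair this file already imports, logging only the rejected scheme rather than the full user-supplied value so attacker-controlled text does not land verbatim in the log. The sketch below needs `java.net.URI` and `java.net.URISyntaxException` added to the import block. The enclosing method's parameter list begins above the hunk and its body continues past the `try` on the last line.
```java
        // Accept only a relative path or an absolute http/https URL; reject everything
        // else outright rather than truncating it, so the caller learns the input was refused.
        if (url != null && !url.isEmpty()) {
            String scheme;
            try {
                scheme = new URI(url.trim()).getScheme();
            } catch (URISyntaxException e) {
                throw new WebApplicationException(e, Status.BAD_REQUEST);
            }
            if (scheme != null && !"http".equalsIgnoreCase(scheme) && !"https".equalsIgnoreCase(scheme)) {
                log.warn("Rejected url with disallowed scheme '{}'.", scheme);
                throw new WebApplicationException(Status.BAD_REQUEST);
            }
        }
        // … unchanged: path join and try block …
```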


