Ate Douma pushed to branch release/5.0 at cms-community / hippo-site-toolkit


Commits:
de0b3656 by Ate Douma at 2018-01-15T22:57:20+01:00
HSTTWO-4214 [Backport 12.0] Improved sitemenu link validation

(cherry picked from commit 783bc88efccb926b23967eea275aae7d6ab21b23)

- - - - -


2 changed files:

- 
client-modules/page-composer/src/main/java/org/hippoecm/hst/pagecomposer/jaxrs/services/helpers/SiteMenuItemHelper.java
- 
components/core/src/main/resources/org/hippoecm/hst/site/container/SpringComponentManager.properties


Changes:

=====================================
client-modules/page-composer/src/main/java/org/hippoecm/hst/pagecomposer/jaxrs/services/helpers/SiteMenuItemHelper.java
=====================================
--- 
a/client-modules/page-composer/src/main/java/org/hippoecm/hst/pagecomposer/jaxrs/services/helpers/SiteMenuItemHelper.java
+++ 
b/client-modules/page-composer/src/main/java/org/hippoecm/hst/pagecomposer/jaxrs/services/helpers/SiteMenuItemHelper.java
@@ -37,7 +37,9 @@ import org.hippoecm.hst.pagecomposer.jaxrs.model.LinkType;
 import org.hippoecm.hst.pagecomposer.jaxrs.model.SiteMenuItemRepresentation;
 import org.hippoecm.hst.pagecomposer.jaxrs.services.exceptions.ClientError;
 import org.hippoecm.hst.pagecomposer.jaxrs.services.exceptions.ClientException;
+import org.hippoecm.hst.site.HstServices;
 import org.hippoecm.repository.util.NodeIterable;
+import org.htmlcleaner.Utils;
 
 import static 
org.hippoecm.hst.configuration.HstNodeTypes.NODETYPE_HST_SITEMENU;
 import static 
org.hippoecm.hst.configuration.HstNodeTypes.NODETYPE_HST_SITEMENUITEM;
@@ -50,6 +52,7 @@ import static 
org.hippoecm.repository.api.NodeNameCodec.encode;
 
 public class SiteMenuItemHelper extends AbstractHelper {
 
+    private Boolean omitJavascriptProtocol;
 
     @SuppressWarnings("unchecked")
     @Override
@@ -126,7 +129,7 @@ public class SiteMenuItemHelper extends AbstractHelper {
             rename(node, modifiedName);
         }
 
-        final String modifiedLink = modifiedItem.getLink();
+        String modifiedLink = modifiedItem.getLink();
         if (modifiedItem.getLinkType() == LinkType.NONE) {
             removeProperty(node, SITEMENUITEM_PROPERTY_EXTERNALLINK);
             removeProperty(node, SITEMENUITEM_PROPERTY_REFERENCESITEMAPITEM);
@@ -134,6 +137,18 @@ public class SiteMenuItemHelper extends AbstractHelper {
             node.setProperty(SITEMENUITEM_PROPERTY_REFERENCESITEMAPITEM, 
modifiedLink);
             removeProperty(node, SITEMENUITEM_PROPERTY_EXTERNALLINK);
         } else if (modifiedItem.getLinkType() == LinkType.EXTERNAL) {
+            if (omitJavascriptProtocol == null) {
+                omitJavascriptProtocol = HstServices.getComponentManager()
+                        
.getContainerConfiguration().getBoolean("sitemenu.externallink.omitJavascriptProtocol",
 true);
+            }
+            if (modifiedLink != null && omitJavascriptProtocol) {
+                String normalized =
+                        Utils.escapeXml(modifiedLink.trim().toLowerCase(), 
true, true, true, false, false, false, true)
+                                .replaceAll("[\n\r\t]", "");
+                if (normalized.startsWith("javascript:") || 
normalized.startsWith("data:")) {
+                    modifiedLink = null;
+                }
+            }
             node.setProperty(SITEMENUITEM_PROPERTY_EXTERNALLINK, modifiedLink);
             removeProperty(node, SITEMENUITEM_PROPERTY_REFERENCESITEMAPITEM);
         }
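Review bot: The scheme check in the EXTERNAL branch lower-cases the link with the JVM default locale (`modifiedLink.trim().toLowerCase()`), so whether `startsWith("javascript:")` matches depends on the server's locale rather than on the input; use `modifiedLink.trim().toLowerCase(Locale.ROOT)` and import `java.util.Locale`. The `replaceAll("[\n\r\t]", "")` removes only three whitespace characters and the deny-list of two schemes is hard to keep complete, so an allow-list of accepted schemes (http, https, mailto, plus relative paths) applied after stripping all ASCII control characters is the more defensible check. Setting `modifiedLink = null` silently discards the editor's input; throwing a `ClientException` (already imported in this file) would tell the caller why the link was rejected. The lazily initialised, non-volatile `omitJavascriptProtocol` field is written from a request path; since the value never changes, resolving it once at construction time (or marking the field `volatile`) is simpler and avoids the data race. The enclosing method starts and ends outside the hunk.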


=====================================
components/core/src/main/resources/org/hippoecm/hst/site/container/SpringComponentManager.properties
=====================================
--- 
a/components/core/src/main/resources/org/hippoecm/hst/site/container/SpringComponentManager.properties
+++ 
b/components/core/src/main/resources/org/hippoecm/hst/site/container/SpringComponentManager.properties
@@ -274,5 +274,7 @@ cross.channel.page.copy.supported = false
 
 form.data.flat.storage = true
 
+sitemenu.externallink.omitJavascriptProtocol = true
+
 uriencoding.default.charset = UTF-8
 uriencoding.use.body.charset = false


