Posted to dev@sling.apache.org by "Lars Krapf (JIRA)" <ji...@apache.org> on 2016/08/18 22:44:20 UTC
[jira] [Comment Edited] (SLING-4560) XSSAPI#getValidHref is empty for valid Bengali or Hindi characters
[ https://issues.apache.org/jira/browse/SLING-4560?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15427306#comment-15427306 ]
Lars Krapf edited comment on SLING-4560 at 8/18/16 10:44 PM:
-------------------------------------------------------------
Hello [~radu.cotescu]
With this change {{onSiteURL}} will accept spaces and colons and thus no longer filters external (and/or " javascript:") URLs.
This could be caught by the following additional tests:
{code:title=XSSAPIImplTest.testfilterHtml()}
{"<a href=\" javascript:alert(23)\">space</a>","<a>space</a>"},
{"<table background=\"http://www.google.com\"></table>", "<table></table>"},
{code}
Please note however that the test mentioned above does not contain Bengali / Hindi characters. FWIW, I tried to come up with a Hindi test using Google Translate:
{code:title=XSSAPIImplTest.testGetValidHref()}
{"/etc/commerce/collections/中文", "/etc/commerce/collections/中文"},
{"/etc/commerce/collections/\u09aa\u09b0\u09c0\u0995\u09cd\u09b7\u09be\u09ae\u09c2\u09b2\u0995", "/etc/commerce/collections/\u09aa\u09b0\u09c0\u0995\u09cd\u09b7\u09be\u09ae\u09c2\u09b2\u0995"},
{code}
Nonetheless, the summary is correct: this test too fails with the old regexps.
The reason for this is that the Unicode "letter" character class \p{L} matches single Unicode *code points* only. To match any letter including diacritics, one might use \P{L}\p{M}*+. See also [1] ("Unicode Categories").
I've added a corresponding patch to the regexp (changing only the character class) and added a couple of tests.
Note: the test provided by [~jck] *would still fail* even with this change, but AFAICT that's correct, since these characters are symbols and not letters.
was (Author: chaotic):
Hello [~radu.cotescu]
With this change {{onSiteURL}} will accept spaces and colons and thus no longer filters external (and/or " javascript:") URLs.
This could be caught by the following additional tests:
{code:title=XSSAPIImplTest.testfilterHtml()}
{"<a href=\" javascript:alert(23)\">space</a>","<a>space</a>"},
{"<table background=\"http://www.google.com\"></table>", "<table></table>"},
{code}
Please note however that the added test does not contain Bengali / Hindi characters. FWIW, I tried to come up with a Hindi test using Google Translate:
{code:title=XSSAPIImplTest.testGetValidHref()}
{"/etc/commerce/collections/中文", "/etc/commerce/collections/中文"},
{"/etc/commerce/collections/\u09aa\u09b0\u09c0\u0995\u09cd\u09b7\u09be\u09ae\u09c2\u09b2\u0995", "/etc/commerce/collections/\u09aa\u09b0\u09c0\u0995\u09cd\u09b7\u09be\u09ae\u09c2\u09b2\u0995"},
{code}
Nonetheless, the summary is correct: this test too fails with the old regexps.
The reason for this is that the Unicode "letter" character class \p{L} matches single Unicode *code points* only. To match any letter including diacritics, one might use \P{L}\p{M}*+. See also [1] ("Unicode Categories").
I've added a corresponding patch to the regexp (changing only the character class) and added a couple of tests.
Note: the test provided by [~jck] *would still fail* even with this change, but AFAICT that's correct, since these characters are symbols and not letters.
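The following Java snippet is an added illustration of the point made in the comment above; it is not code from the Sling project, from the attached patch, or from this thread. The path pattern in it is a hypothetical, much simplified stand-in for the real XSSAPI regexp (whose exact form is not shown here); only the letter class differs between its "old" and "new" versions, mirroring the "changing only the character class" remark. The inputs are the strings from the issue and the comment (the javascript: one with its HTML wrapper stripped), and the helper prints each code point's Unicode general category so the Lo / Mc / Mn split that breaks a plain \p{L} class is visible.

```java
import java.util.regex.Pattern;

/**
 * Added illustration for SLING-4560 (not Sling's code). Shows why a letter class built
 * from \p{L} alone rejects Bengali text, and why the \p{L}\p{M}*+ form accepts it while
 * still rejecting symbols, a leading space and a scheme colon.
 */
public class UnicodeLetterClassDemo {

    // Hypothetical, simplified "on-site path" segment standing in for the real XSSAPI
    // regexp: letters, digits, '_' or '-', each matched as a single code point.
    private static final String OLD_SEGMENT = "[\\p{L}\\p{N}_\\-]+";

    // Same segment, but each letter may be followed by any number of combining marks.
    // Bengali vowel signs (category Mc) and the virama (Mn) are \p{M}, not \p{L}.
    // "*+" is Java's possessive quantifier, as used in the comment above.
    private static final String NEW_SEGMENT = "(?:\\p{L}\\p{M}*+|[\\p{N}_\\-])+";

    static final Pattern OLD_PATH = Pattern.compile("^(?:/" + OLD_SEGMENT + ")+/?$");
    static final Pattern NEW_PATH = Pattern.compile("^(?:/" + NEW_SEGMENT + ")+/?$");

    /** Loosely mirrors the getValidHref contract: a valid href is returned, anything else becomes "". */
    static String validHref(Pattern pattern, String href) {
        return pattern.matcher(href).matches() ? href : "";
    }

    /** Unicode general category of every code point, e.g. "Lo Lo Mc Lo Mn ...". */
    static String categories(String s) {
        StringBuilder sb = new StringBuilder();
        s.codePoints().forEach(cp -> {
            if (sb.length() > 0) {
                sb.append(' ');
            }
            sb.append(categoryName(Character.getType(cp)));
        });
        return sb.toString();
    }

    private static String categoryName(int type) {
        switch (type) {
            case Character.OTHER_LETTER:           return "Lo";
            case Character.LOWERCASE_LETTER:       return "Ll";
            case Character.NON_SPACING_MARK:       return "Mn";
            case Character.COMBINING_SPACING_MARK: return "Mc";
            case Character.LETTER_NUMBER:          return "Nl";
            case Character.DECIMAL_DIGIT_NUMBER:   return "Nd";
            case Character.MATH_SYMBOL:            return "Sm";
            case Character.OTHER_SYMBOL:           return "So";
            case Character.SPACE_SEPARATOR:        return "Zs";
            case Character.OTHER_PUNCTUATION:      return "Po";
            case Character.START_PUNCTUATION:      return "Ps";
            case Character.END_PUNCTUATION:        return "Pe";
            default:                               return "type" + type;
        }
    }

    public static void main(String[] args) {
        // Inputs from the issue and the comment above (written as escapes so the source
        // compiles regardless of file encoding); the last one is the filterHtml test
        // string without its <a> wrapper.
        String[] inputs = {
            "/etc/commerce/collections/\u4e2d\u6587",                          // 中文
            "/etc/commerce/collections/\u09aa\u09b0\u09c0\u0995\u09cd\u09b7\u09be\u09ae\u09c2\u09b2\u0995",
            "/etc/commerce/collections/\u2e81\u3021\u3022\u2609\u2295\u3012",  // ⺁〡〢☉⊕〒
            " javascript:alert(23)"
        };
        for (String href : inputs) {
            String lastSegment = href.substring(href.lastIndexOf('/') + 1);
            System.out.println(href);
            System.out.println("  categories : " + categories(lastSegment));
            System.out.println("  old regexp : \"" + validHref(OLD_PATH, href) + "\"");
            System.out.println("  new regexp : \"" + validHref(NEW_PATH, href) + "\"");
        }
    }
}
```

Running it shows the Chinese path accepted by both patterns (two Lo code points), the Bengali path rejected by the old pattern and accepted by the new one (its segment is Lo Lo Mc Lo Mn Lo Mc Lo Mc Lo Lo, and every Mc/Mn is swallowed by \p{M}*+ after the letter it attaches to), the reporter's string rejected by both because its first code point is a symbol (So), and the " javascript:alert(23)" string rejected by both since neither class admits the leading space or the colon. Widening the letter class is therefore independent of the space/colon filtering that the earlier part of the comment asks to keep.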
> XSSAPI#getValidHref is empty for valid Bengali or Hindi characters
> ------------------------------------------------------------------
>
> Key: SLING-4560
> URL: https://issues.apache.org/jira/browse/SLING-4560
> Project: Sling
> Issue Type: Bug
> Components: XSS Protection API
> Affects Versions: XSS Protection API 1.0.0
> Reporter: Jean-Christophe Kautzmann
> Assignee: Radu Cotescu
> Fix For: XSS Protection API 1.0.14
>
> Attachments: xssapi.patch
>
>
> I added (locally) 2 test cases to org.apache.sling.xss.impl.XSSAPIImplTest#testGetValidHref:
> {code}
> {"/etc/commerce/collections/中文", "/etc/commerce/collections/中文"},
> {"/etc/commerce/collections/⺁〡〢☉⊕〒", "/etc/commerce/collections/⺁〡〢☉⊕〒"},
> {code}
> the first test passes (Chinese characters), the 2nd fails (Bengali/Hindi characters) although it should pass as they are valid characters.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)