Posted to dev@sling.apache.org by "Lars Krapf (JIRA)" <ji...@apache.org> on 2016/08/18 22:44:20 UTC

[jira] [Comment Edited] (SLING-4560) XSSAPI#getValidHref is empty for valid Bengali or Hindi characters

    [ https://issues.apache.org/jira/browse/SLING-4560?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15427306#comment-15427306 ] 

Lars Krapf edited comment on SLING-4560 at 8/18/16 10:44 PM:
-------------------------------------------------------------

Hello [~radu.cotescu]

With this change {{onSiteURL}} will accept spaces and colons and thus no longer filters external (and/or " javascript:") URLs.

This could be caught by the following additional tests:
{code:title=XSSAPIImplTest.testfilterHtml()}
{"<a href=\" javascript:alert(23)\">space</a>", "<a>space</a>"},
{"<table background=\"http://www.google.com\"></table>", "<table></table>"},
{code}

Please note, however, that the test mentioned above does not contain Bengali / Hindi characters. FWIW, I tried to come up with a Hindi test using Google Translate:
{code:title=XSSAPIImplTest.testGetValidHref()}
{"/etc/commerce/collections/中文", "/etc/commerce/collections/中文"},
{"/etc/commerce/collections/\u09aa\u09b0\u09c0\u0995\u09cd\u09b7\u09be\u09ae\u09c2\u09b2\u0995", "/etc/commerce/collections/\u09aa\u09b0\u09c0\u0995\u09cd\u09b7\u09be\u09ae\u09c2\u09b2\u0995"},
{code}

Nonetheless, the summary is correct: this test, too, fails with the old regexps.
The reason for this is that the Unicode "letter" character class \p{L} matches single Unicode *code points* only. To match any letter including diacritics, one might use \p{L}\p{M}*+. See also [1] ("Unicode Categories").

I've added a corresponding patch to the regexp (changing only the character class) and added a couple of tests. 

Note: the test provided by [~jck] *would still fail* even with this change, but AFAICT that's correct, since these characters are symbols and not letters.


was (Author: chaotic):
Hello [~radu.cotescu]

With this change {{onSiteURL}} will accept spaces and colons and thus no longer filters external (and/or " javascript:") URLs.

This could be caught by the following additional tests:
{code:title=XSSAPIImplTest.testfilterHtml()}
{"<a href=\" javascript:alert(23)\">space</a>", "<a>space</a>"},
{"<table background=\"http://www.google.com\"></table>", "<table></table>"},
{code}

Please note, however, that the added test does not contain Bengali / Hindi characters. FWIW, I tried to come up with a Hindi test using Google Translate:
{code:title=XSSAPIImplTest.testGetValidHref()}
{"/etc/commerce/collections/中文", "/etc/commerce/collections/中文"},
{"/etc/commerce/collections/\u09aa\u09b0\u09c0\u0995\u09cd\u09b7\u09be\u09ae\u09c2\u09b2\u0995", "/etc/commerce/collections/\u09aa\u09b0\u09c0\u0995\u09cd\u09b7\u09be\u09ae\u09c2\u09b2\u0995"},
{code}

Nonetheless, the summary is correct: this test, too, fails with the old regexps.
The reason for this is that the Unicode "letter" character class \p{L} matches single Unicode *code points* only. To match any letter including diacritics, one might use \p{L}\p{M}*+. See also [1] ("Unicode Categories").

I've added a corresponding patch to the regexp (changing only the character class) and added a couple of tests. 

Note: the test provided by [~jck] *would still fail* even with this change, but AFAICT that's correct, since these characters are symbols and not letters.

> XSSAPI#getValidHref is empty for valid Bengali or Hindi characters
> ------------------------------------------------------------------
>
>                 Key: SLING-4560
>                 URL: https://issues.apache.org/jira/browse/SLING-4560
>             Project: Sling
>          Issue Type: Bug
>          Components: XSS Protection API
>    Affects Versions: XSS Protection API 1.0.0
>            Reporter: Jean-Christophe Kautzmann
>            Assignee: Radu Cotescu
>             Fix For: XSS Protection API 1.0.14
>
>         Attachments: xssapi.patch
>
>
> I added (locally) 2 test cases to org.apache.sling.xss.impl.XSSAPIImplTest#testGetValidHref:
> {code}
> {"/etc/commerce/collections/中文", "/etc/commerce/collections/中文"},
> {"/etc/commerce/collections/⺁〡〢☉⊕〒", "/etc/commerce/collections/⺁〡〢☉⊕〒"},
> {code}
> The first test passes (Chinese characters), the 2nd fails (Bengali/Hindi characters), although it should pass as they are valid characters.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
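The two points in the comment above (why {{\p{L}}} alone rejects the Bengali test string while {{\p{L}\p{M}*+}} accepts it, and why the on-site URL check must keep rejecting spaces and colons so that " javascript:alert(23)" is not treated as a local path) can be checked with a small stand-alone Java program. This is an added example and not Sling's XSS API code: the class name, the three patterns and the method names are constructed for illustration and are not the regexps actually used by {{XSSAPIImpl}}; the Chinese, Bengali and symbol strings are the ones from the ticket.

```java
import java.util.regex.Pattern;

// Added example, not Sling's code. The patterns are hypothetical stand-ins for the
// "old" and "new" character class discussed in SLING-4560.
public class UnicodeHrefExample {

    // "Old" style segment class: \p{L} matches exactly one letter code point, so a
    // letter followed by a combining vowel sign or virama (general category M) fails.
    static final Pattern OLD_SEGMENT =
            Pattern.compile("^[\\p{L}\\p{N}_\\-.]+$");

    // "New" style: a letter optionally followed by any number of combining marks.
    // \p{M} covers Mn, Mc and Me; *+ is Java's possessive quantifier, so once the marks
    // are consumed the engine never backtracks into them.
    static final Pattern NEW_SEGMENT =
            Pattern.compile("^(?:\\p{L}\\p{M}*+|[\\p{N}_\\-.])+$");

    // Hypothetical on-site URL check built from the new segment class: an absolute
    // path made of such segments. The class contains neither whitespace nor ':' (the
    // scheme separator), so a leading space, "javascript:" or "http://" cannot pass.
    static final Pattern ON_SITE_URL =
            Pattern.compile("^/(?:(?:\\p{L}\\p{M}*+|[\\p{N}_\\-.])+/?)*$");

    static boolean matchesOld(String segment) {
        return OLD_SEGMENT.matcher(segment).matches();
    }

    static boolean matchesNew(String segment) {
        return NEW_SEGMENT.matcher(segment).matches();
    }

    static boolean isOnSiteUrl(String href) {
        return ON_SITE_URL.matcher(href).matches();
    }

    // True for code points in the Unicode "Mark" categories (Mn, Mc, Me), i.e. the
    // code points that \p{L} does not cover but \p{M} does.
    static boolean isMark(int codePoint) {
        int type = Character.getType(codePoint);
        return type == Character.NON_SPACING_MARK
                || type == Character.COMBINING_SPACING_MARK
                || type == Character.ENCLOSING_MARK;
    }

    static long countMarks(String s) {
        return s.codePoints().filter(UnicodeHrefExample::isMark).count();
    }

    public static void main(String[] args) {
        // Constructed inputs taken from the ticket (written as escapes so the source
        // compiles regardless of the platform's default encoding).
        String chinese = "\u4e2d\u6587";
        String bengali = "\u09aa\u09b0\u09c0\u0995\u09cd\u09b7\u09be\u09ae\u09c2\u09b2\u0995";
        // The reporter's string: numeral-letters (Nl) and symbols (So/Sm), neither
        // letters nor marks, so it is expected to fail both patterns.
        String symbols = "\u2e81\u3021\u3022\u2609\u2295\u3012";

        for (String s : new String[] {chinese, bengali, symbols}) {
            System.out.printf("%s  marks=%d  old=%b  new=%b%n",
                    s, countMarks(s), matchesOld(s), matchesNew(s));
        }

        String[] hrefs = {
            "/etc/commerce/collections/" + bengali,
            " javascript:alert(23)",
            "http://www.google.com"
        };
        for (String href : hrefs) {
            System.out.printf("onSite(%s) = %b%n", href, isOnSiteUrl(href));
        }
    }
}
```

Compile with {{javac UnicodeHrefExample.java}} and run with {{java UnicodeHrefExample}}. The {{countMarks}} column shows that the Bengali word contains several category-M code points (vowel signs and a virama), which is exactly what {{OLD_SEGMENT}} cannot consume and {{NEW_SEGMENT}} can; the symbol string contains no letters at all, which is why it is rejected by both, matching the comment's note about the reporter's test. The second loop shows the property the extra {{filterHtml}} tests pin down: widening the letter class to include marks does not require admitting spaces or colons into a path, so the on-site check still excludes scheme-carrying and whitespace-prefixed hrefs.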