Posted to commits@sling.apache.org by ro...@apache.org on 2017/11/07 10:25:28 UTC

[sling-org-apache-sling-xss] 02/07: SLING-4560 - XSSAPI#getValidHref is empty for valid Bengali or Hindi characters


rombert pushed a commit to annotated tag org.apache.sling.xss-1.0.14
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-xss.git

commit eaaefc64953994212ad1ba97e8a2066772cadd0b
Author: Radu Cotescu <ra...@apache.org>
AuthorDate: Thu Aug 18 14:54:58 2016 +0000

    SLING-4560 - XSSAPI#getValidHref is empty for valid Bengali or Hindi characters
    
    * changed the href validation regexes to bring them closer to the URI-parsing
    regular expression given in RFC 3986, Appendix B
    * added tests for the GB18030 characters which were not previously accepted
    
    git-svn-id: https://svn.apache.org/repos/asf/sling/trunk/bundles/extensions/xss@1756802 13f79535-47bb-0310-9956-ffa450edef68
---
 src/main/java/org/apache/sling/xss/impl/XSSFilterImpl.java  | 4 ++--
 src/main/resources/SLING-INF/content/config.xml             | 5 ++---
 src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java | 2 ++
 3 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/src/main/java/org/apache/sling/xss/impl/XSSFilterImpl.java b/src/main/java/org/apache/sling/xss/impl/XSSFilterImpl.java
index 2137949..91b906b 100644
--- a/src/main/java/org/apache/sling/xss/impl/XSSFilterImpl.java
+++ b/src/main/java/org/apache/sling/xss/impl/XSSFilterImpl.java
@@ -58,8 +58,8 @@ public class XSSFilterImpl implements XSSFilter, EventHandler {
     static final Attribute DEFAULT_HREF_ATTRIBUTE = new Attribute(
             "href",
             Arrays.asList(
-                    Pattern.compile("([\\p{L}\\p{N}\\\\\\.\\#@\\$%\\+&;\\-_~,\\?=/!\\*\\(\\)]*|\\#(\\w)+)"),
-                    Pattern.compile("(\\s)*((ht|f)tp(s?)://|mailto:)[\\p{L}\\p{N}]+[\\p{L}\\p{N}\\p{Zs}\\.\\#@\\$%\\+&;:\\-_~,\\?=/!\\*\\(\\)]*(\\s)*")
+                    Pattern.compile("(?!.*javascript:)(([^?#]*))?([^?#]*)(\\?([^#]*))?(#(.*))?(\\s)*"),
+                    Pattern.compile("(\\s)*((ht|f)tp(s?)://|mailto:)(([^?#]*))?([^?#]*)(\\?([^#]*))?(#(.*))?(\\s)*")
             ),
             Collections.<String>emptyList(),
             "removeAttribute", ""
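Review bot: The `(?!.*javascript:)` lookahead on the new onsite pattern is now the only thing keeping a scheme out of the href, and it is too narrow: it is case-sensitive (`JavaScript:` passes), it says nothing about `vbscript:` or `data:`, and because `.` does not match line terminators while `[^?#]*` does, a value beginning with a newline before `javascript:` also gets through — the pattern being removed did not admit `:` at all. RFC 3986 §4.2 already states the rule a relative reference must obey (no colon in the first path segment), so rejecting any scheme-looking prefix is both tighter and closer to the spec: `Pattern.compile("(?![^/?#]*:)([^?#]*)(\\?([^#]*))?(#(.*))?(\\s)*")`. That also drops the duplicated `(([^?#]*))?([^?#]*)`, which matches the same class twice in a row and only adds backtracking work on non-matching input. The offsite pattern no longer requires any character after the scheme (`http://` on its own now matches), which may be intended but deserves a test either way. How these patterns are applied (`matches()` versus `find()`) is outside this hunk; with `find()` a match starting just after the scheme would satisfy the lookahead anyway.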
diff --git a/src/main/resources/SLING-INF/content/config.xml b/src/main/resources/SLING-INF/content/config.xml
index 2ca1732..7dcba85 100644
--- a/src/main/resources/SLING-INF/content/config.xml
+++ b/src/main/resources/SLING-INF/content/config.xml
@@ -67,9 +67,8 @@ http://www.w3.org/TR/html401/struct/global.html
         <regexp name="htmlClass" value="[a-zA-Z0-9\s,\-_]+"/>
 
         <!-- Allow empty URL attributes with a '*'-quantifier instead of '+' for the first part of the regexp -->
-        <regexp name="onsiteURL" value="([\p{L}\p{N}\\\.\#@\$%\+&amp;;\-_~,\?=/!\*\(\)]*|\#(\w)+)"/>
-        <regexp name="offsiteURL"
-                value="(\s)*((ht|f)tp(s?)://|mailto:)[\p{L}\p{N}]+[\p{L}\p{N}\p{Zs}\.\#@\$%\+&amp;;:\-_~,\?=/!\*\(\)]*(\s)*"/>
+        <regexp name="onsiteURL" value="(?!.*javascript:)(([^?#]*))?([^?#]*)(\?([^#]*))?(#(.*))?(\s)*"/>
+        <regexp name="offsiteURL" value="(\s)*((ht|f)tp(s?)://|mailto:)(([^?#]*))?([^?#]*)(\?([^#]*))?(#(.*))?(\s)*"/>
 
         <regexp name="boolean" value="(true|false)"/>
         <regexp name="singlePrintable" value="[a-zA-Z0-9]{1}"/>
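Review bot: The policy copy of `onsiteURL` carries the same gap as the Java default: the lookahead only rejects lower-case `javascript:` at the very start, so `JavaScript:`, `vbscript:`, `data:` and a newline-prefixed `javascript:` all pass, and the old pattern's implicit "no colon anywhere" rule is gone. I would write it as `<regexp name="onsiteURL" value="(?![^/?#]*:)([^?#]*)(\?([^#]*))?(#(.*))?(\s)*"/>`, which enforces RFC 3986 §4.2 (no colon before the first `/`, `?` or `#`) instead of a one-entry scheme blacklist. The comment on the line above still explains a `*`-versus-`+` quantifier choice that no longer exists in either regex; I'd replace it with `<!-- onsiteURL: relative references only (no scheme); offsiteURL: http(s)/ftp(s)/mailto. Keep in sync with XSSFilterImpl.DEFAULT_HREF_ATTRIBUTE -->`. Whether this file or the Java constant wins at runtime is not visible here, so both copies need the same fix.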
diff --git a/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java b/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
index 263514e..efe9dc5 100644
--- a/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
+++ b/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
@@ -220,6 +220,8 @@ public class XSSAPIImplTest {
         String[][] testData = {
                 //         Href                                        Expected Result
                 //
+                {"/etc/commerce/collections/中文", "/etc/commerce/collections/中文"},
+                {"/etc/commerce/collections/⺁〡〢☉⊕〒", "/etc/commerce/collections/⺁〡〢☉⊕〒"},
                 {null, ""},
                 {"", ""},
                 {"simple", "simple"},
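Review bot: The two new rows only pin the positive side of SLING-4560; nothing visible in this table asserts that the loosened href regex still rejects script-bearing values, which is exactly the property the rewrite puts at risk. I would add rows such as `{"JavaScript:alert(1)", ""}`, `{"\njavascript:alert(1)", ""}` and `{"vbscript:msgbox(1)", ""}` next to the existing null/empty rows; if the regex is the only guard, I expect these to fail against the new `(?!.*javascript:)` lookahead, which is the point of adding them. A row like `{"/path/with:colon", "/path/with:colon"}` would also document that a colon after the first segment is intentionally accepted per RFC 3986 §4.2. The enclosing test method begins and ends outside this hunk, and the empty-string-on-rejection convention is inferred from the `{null, ""}` row rather than shown.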
