Posted to commits@sling.apache.org by ro...@apache.org on 2017/11/07 10:24:38 UTC
[sling-org-apache-sling-xss] 08/22: SLING-4176 - Sightly:
StyleToken context is doing nothing
This is an automated email from the ASF dual-hosted git repository.
rombert pushed a commit to annotated tag org.apache.sling.xss-1.0.0
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-xss.git
commit 11c36ee81918f15f1bc242c43408aa3cde7c577b
Author: Radu Cotescu <ra...@apache.org>
AuthorDate: Tue Feb 10 21:35:03 2015 +0000
SLING-4176 - Sightly: StyleToken context is doing nothing
* provide protection against javascript snippets in CSS (patch provided by Vlad Bailescu)
git-svn-id: https://svn.apache.org/repos/asf/sling/trunk/contrib/extensions/xss@1658820 13f79535-47bb-0310-9956-ffa450edef68
---
src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java | 2 +-
src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java | 4 ++++
2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java b/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java
index bddab78..bb3810e 100644
--- a/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java
+++ b/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java
@@ -209,7 +209,7 @@ public class XSSAPIImpl implements XSSAPI {
/** http://www.w3.org/TR/css-syntax-3/#ident-token-diagram */
private static final String IDENTIFIER = "-?[a-z_" + NON_ASCII + "][\\w_\\-" + NON_ASCII + "]*";
/** http://www.w3.org/TR/css-syntax-3/#string-token-diagram */
- private static final String STRING = "\"(?:[^\"^\\\\^\\n]|(?:\\\\\"))*\"|'(?:[^'^\\\\^\\n]|(?:\\\\'))*'";
+ private static final String STRING = "\"(?:(?!javascript\\s?:)[^\"^\\\\^\\n]|(?:\\\\\"))*\"|'(?:(?!javascript\\s?:)[^'^\\\\^\\n]|(?:\\\\'))*'";
/** http://www.w3.org/TR/css-syntax-3/#dimension-token-diagram */
private static final String DIMENSION = NUMBER + IDENTIFIER;
/** http://www.w3.org/TR/css-syntax-3/#percentage-token-diagram */
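Review bot: The negative lookahead added to STRING rejects only the exact lowercase spelling of `javascript` followed by at most one whitespace character before the colon, so whether a mixed-case scheme inside a quoted string is caught depends on how the Pattern is compiled, which is outside this hunk; if CASE_INSENSITIVE is not set there, an inline `(?i)` would make the intent self-contained. URL parsers are generally tolerant of stray whitespace around the scheme separator, so `\\s*` is the safer quantifier in both alternatives: `private static final String STRING = "\"(?:(?!javascript\\s*:)[^\"^\\\\^\\n]|(?:\\\\\"))*\"|'(?:(?!javascript\\s*:)[^'^\\\\^\\n]|(?:\\\\'))*'";`. Note also that the `^` characters inside the negated classes are literal carets (they exclude `^` from string contents), not a second negation — pre-existing, but the expression is now hard enough to read that a comment such as `// lookahead rejects a javascript: scheme anywhere inside the quoted string` would help. The site where STRING is compiled and used lies outside the hunk.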
diff --git a/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java b/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
index a826b06..6717ece 100644
--- a/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
+++ b/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
@@ -430,7 +430,11 @@ public class XSSAPIImplTest {
// no javascript:
{"javascript:alert(1)" , RUBBISH},
+ {"'javascript:alert(1)'" , RUBBISH},
+ {"\"javascript:alert('XSS')\"" , RUBBISH},
{"url(javascript:alert(1))" , RUBBISH},
+ {"url('javascript:alert(1)')" , RUBBISH},
+ {"url(\"javascript:alert('XSS')\")" , RUBBISH},
// no expression
{"expression(alert(1))" , RUBBISH},
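Review bot: The four new cases exercise only the lowercase, no-whitespace form of the scheme, which is exactly the shape the new lookahead was written for, so they do not tell a future reader whether case or whitespace variations are meant to be rejected too; adding `{"'JavaScript:alert(1)'" , RUBBISH},` and a variant with a space before the colon would pin that. A positive case is also missing: a benign string that contains the word `javascript` without a colon, expected to be preserved, would guard against the lookahead becoming over-broad in a later edit. The table and its enclosing test method start and end outside this hunk.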
--