You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@sling.apache.org by ro...@apache.org on 2017/11/07 10:24:38 UTC

[sling-org-apache-sling-xss] 08/22: SLING-4176 - Sightly: StyleToken context is doing nothing

This is an automated email from the ASF dual-hosted git repository.

rombert pushed a commit to annotated tag org.apache.sling.xss-1.0.0
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-xss.git

commit 11c36ee81918f15f1bc242c43408aa3cde7c577b
Author: Radu Cotescu <ra...@apache.org>
AuthorDate: Tue Feb 10 21:35:03 2015 +0000

    SLING-4176 - Sightly: StyleToken context is doing nothing
    
    * provide protection against javascript snippets in CSS (patch provided by Vlad Bailescu)
    
    
    git-svn-id: https://svn.apache.org/repos/asf/sling/trunk/contrib/extensions/xss@1658820 13f79535-47bb-0310-9956-ffa450edef68
---
 src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java     | 2 +-
 src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java b/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java
index bddab78..bb3810e 100644
--- a/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java
+++ b/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java
@@ -209,7 +209,7 @@ public class XSSAPIImpl implements XSSAPI {
     /** http://www.w3.org/TR/css-syntax-3/#ident-token-diagram */
     private static final String IDENTIFIER = "-?[a-z_" + NON_ASCII + "][\\w_\\-" + NON_ASCII + "]*";
     /** http://www.w3.org/TR/css-syntax-3/#string-token-diagram */
-    private static final String STRING = "\"(?:[^\"^\\\\^\\n]|(?:\\\\\"))*\"|'(?:[^'^\\\\^\\n]|(?:\\\\'))*'";
+    private static final String STRING = "\"(?:(?!javascript\\s?:)[^\"^\\\\^\\n]|(?:\\\\\"))*\"|'(?:(?!javascript\\s?:)[^'^\\\\^\\n]|(?:\\\\'))*'";
     /** http://www.w3.org/TR/css-syntax-3/#dimension-token-diagram */
     private static final String DIMENSION = NUMBER + IDENTIFIER;
     /** http://www.w3.org/TR/css-syntax-3/#percentage-token-diagram */
diff --git a/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java b/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
index a826b06..6717ece 100644
--- a/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
+++ b/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
@@ -430,7 +430,11 @@ public class XSSAPIImplTest {
 
                 // no javascript:
                 {"javascript:alert(1)"              , RUBBISH},
+                {"'javascript:alert(1)'"            , RUBBISH},
+                {"\"javascript:alert('XSS')\""      , RUBBISH},
                 {"url(javascript:alert(1))"         , RUBBISH},
+                {"url('javascript:alert(1)')"       , RUBBISH},
+                {"url(\"javascript:alert('XSS')\")" , RUBBISH},
 
                 // no expression
                 {"expression(alert(1))"             , RUBBISH},

-- 
To stop receiving notification emails like this one, please contact
"commits@sling.apache.org" <co...@sling.apache.org>.