Posted to commits@sling.apache.org by bd...@apache.org on 2011/05/23 17:44:36 UTC
svn commit: r1126545 - in /sling/trunk:
bundles/api/src/main/java/org/apache/sling/api/servlets/
launchpad/integration-tests/src/main/java/org/apache/sling/launchpad/webapp/integrationtest/issues/
launchpad/test-services/src/main/java/org/apache/sling/...
Author: bdelacretaz
Date: Mon May 23 15:44:36 2011
New Revision: 1126545
URL: http://svn.apache.org/viewvc?rev=1126545&view=rev
Log:
SLING-2082 - escape html characters in HtmlResponse output, with tests
Added:
sling/trunk/launchpad/test-services/src/main/java/org/apache/sling/launchpad/testservices/servlets/HtmlResponseServlet.java (with props)
Modified:
sling/trunk/bundles/api/src/main/java/org/apache/sling/api/servlets/HtmlResponse.java
sling/trunk/launchpad/integration-tests/src/main/java/org/apache/sling/launchpad/webapp/integrationtest/issues/SLING2082Test.java
Modified: sling/trunk/bundles/api/src/main/java/org/apache/sling/api/servlets/HtmlResponse.java
URL: http://svn.apache.org/viewvc/sling/trunk/bundles/api/src/main/java/org/apache/sling/api/servlets/HtmlResponse.java?rev=1126545&r1=1126544&r2=1126545&view=diff
==============================================================================
--- sling/trunk/bundles/api/src/main/java/org/apache/sling/api/servlets/HtmlResponse.java (original)
+++ sling/trunk/bundles/api/src/main/java/org/apache/sling/api/servlets/HtmlResponse.java Mon May 23 15:44:36 2011
@@ -476,7 +476,7 @@ public class HtmlResponse {
state = 0;
Object prop = properties.get(varBuffer.toString());
if (prop != null) {
- out.write(prop.toString());
+ out.write(htmlEscape(prop.toString()));
}
varBuffer.setLength(0);
} else {
@@ -487,5 +487,25 @@ public class HtmlResponse {
in.close();
out.flush();
}
+
+ static String htmlEscape(String str) {
+ if(str == null) {
+ return null;
+ }
+ final StringBuilder out = new StringBuilder();
+ for(int i=0; i < str.length(); i++) {
+ final char c = str.charAt(i);
+ if(c == '<') {
+ out.append("<");
+ } else if (c == '>') {
+ out.append(">");
+ } else if(c == '&') {
+ out.append("&");
+ } else {
+ out.append(c);
+ }
+ }
+ return out.toString();
+ }
}
\ No newline at end of file
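Review bot: `htmlEscape` only rewrites `<`, `>` and `&`, so a property value substituted inside an attribute (the test payload in SLING2082Test starts with `%22`, a double quote, for exactly that reason) can still close the attribute and inject a new one such as `onmouseover`, even though it can no longer open a tag. Since this helper is applied to every template variable regardless of context, it should cover quotes too: `} else if (c == '"') { out.append("&quot;"); }` and `} else if (c == '\'') { out.append("&#39;"); }`. As displayed on this archive page the three `append` calls show the raw character (`out.append("<")`), which would make the method a no-op; this is presumably entity decoding by the mail archive rather than the committed source, but worth confirming against the repository. The `StringBuilder` could also be presized with `new StringBuilder(str.length())`, and a one-line Javadoc stating which characters are escaped and that `null` is passed through would help callers decide whether it is sufficient for their context.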
Modified: sling/trunk/launchpad/integration-tests/src/main/java/org/apache/sling/launchpad/webapp/integrationtest/issues/SLING2082Test.java
URL: http://svn.apache.org/viewvc/sling/trunk/launchpad/integration-tests/src/main/java/org/apache/sling/launchpad/webapp/integrationtest/issues/SLING2082Test.java?rev=1126545&r1=1126544&r2=1126545&view=diff
==============================================================================
--- sling/trunk/launchpad/integration-tests/src/main/java/org/apache/sling/launchpad/webapp/integrationtest/issues/SLING2082Test.java (original)
+++ sling/trunk/launchpad/integration-tests/src/main/java/org/apache/sling/launchpad/webapp/integrationtest/issues/SLING2082Test.java Mon May 23 15:44:36 2011
@@ -18,19 +18,33 @@
*/
package org.apache.sling.launchpad.webapp.integrationtest.issues;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.commons.httpclient.HttpMethodBase;
+import org.apache.commons.httpclient.methods.GetMethod;
import org.apache.commons.httpclient.methods.PostMethod;
import org.apache.sling.commons.testing.integration.HttpTestBase;
public class SLING2082Test extends HttpTestBase {
- public void testPOST() throws Exception {
- final String url = HTTP_BASE_URL + "/" + getClass().getSimpleName() + "/" + Math.random() + ".html/%22%3e%3cscript%3ealert(29679)%3c/script%3e";
- final PostMethod post = new PostMethod(url);
- post.setFollowRedirects(false);
- final int status = httpClient.executeMethod(post);
- assertEquals(201, status);
- final String content = getResponseBodyAsStream(post, 0);
+ private void runTest(HttpMethodBase m, int expectedStatus) throws Exception {
+ m.setFollowRedirects(false);
+ final int status = httpClient.executeMethod(m);
+ assertEquals(expectedStatus, status);
+ final String content = getResponseBodyAsStream(m, 0);
final String scriptTag = "<script>";
assertFalse("Content should not contain '" + scriptTag + "'", content.contains(scriptTag));
}
+
+ public void testPOST() throws Exception {
+ final String path = "/" + getClass().getSimpleName() + "/" + Math.random() + ".html/%22%3e%3cscript%3ealert(29679)%3c/script%3e";
+ final PostMethod post = new PostMethod(HTTP_BASE_URL + path);
+ runTest(post, HttpServletResponse.SC_CREATED);
+ }
+
+ public void testOptingServletPost() throws Exception {
+ final String path = "/testing/HtmlResponseServlet";
+ final GetMethod post = new GetMethod(HTTP_BASE_URL + path);
+ runTest(post, HttpServletResponse.SC_GATEWAY_TIMEOUT);
+ }
}
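Review bot: The only assertion in `runTest` is negative (`assertFalse(content.contains("<script>"))`), so it also passes if the injected value is dropped from the output entirely or the body is empty; it does not show that escaping actually took place. Adding a positive check such as `assertTrue("Content should contain escaped script tag", content.contains("&lt;script&gt;"));` would pin the intended behavior, and a further assertion that the raw `"` from the `%22` prefix does not appear unescaped would cover the attribute-breakout case the payload is designed for. Separately, `testOptingServletPost` creates a `GetMethod` in a variable named `post`; renaming the test to `testOptingServletGet` and the variable to `get` would avoid misleading the next reader.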
Added: sling/trunk/launchpad/test-services/src/main/java/org/apache/sling/launchpad/testservices/servlets/HtmlResponseServlet.java
URL: http://svn.apache.org/viewvc/sling/trunk/launchpad/test-services/src/main/java/org/apache/sling/launchpad/testservices/servlets/HtmlResponseServlet.java?rev=1126545&view=auto
==============================================================================
--- sling/trunk/launchpad/test-services/src/main/java/org/apache/sling/launchpad/testservices/servlets/HtmlResponseServlet.java (added)
+++ sling/trunk/launchpad/test-services/src/main/java/org/apache/sling/launchpad/testservices/servlets/HtmlResponseServlet.java Mon May 23 15:44:36 2011
@@ -0,0 +1,57 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sling.launchpad.testservices.servlets;
+
+import java.io.IOException;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.felix.scr.annotations.Component;
+import org.apache.felix.scr.annotations.Properties;
+import org.apache.felix.scr.annotations.Property;
+import org.apache.felix.scr.annotations.Service;
+import org.apache.sling.api.SlingHttpServletRequest;
+import org.apache.sling.api.SlingHttpServletResponse;
+import org.apache.sling.api.servlets.HtmlResponse;
+import org.apache.sling.api.servlets.SlingSafeMethodsServlet;
+
+/** Servlet used to test HtmlResponse escaping */
+@Component(immediate=true, metatype=false)
+@Service(value=javax.servlet.Servlet.class)
+@Properties({
+ @Property(name="service.description", value="Paths Test Servlet"),
+ @Property(name="service.vendor", value="The Apache Software Foundation"),
+ @Property(name="sling.servlet.paths", value={
+ "/testing/HtmlResponseServlet"
+ })
+})
+@SuppressWarnings("serial")
+public class HtmlResponseServlet extends SlingSafeMethodsServlet {
+
+ @Override
+ protected void doGet(SlingHttpServletRequest request, SlingHttpServletResponse response)
+ throws ServletException,IOException {
+ final HtmlResponse hr = new HtmlResponse();
+ // Specific status to help recognize this servlet in tests
+ final int status = HttpServletResponse.SC_GATEWAY_TIMEOUT;
+ hr.setStatus(status, getClass().getName() + ": GET always fails with status " + status);
+ hr.setLocation("Location: some <script>");
+ hr.setTitle(getClass().getName() + ": fake response to test <escaping>");
+ hr.send(response, true);
+ }
+}
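Review bot: The `service.description` property reads "Paths Test Servlet", which looks copied from another test servlet and will be confusing in the OSGi console; `@Property(name="service.description", value="HtmlResponse escaping test servlet")` matches the class comment. The class comment could also state the contract the integration test relies on, e.g. `/** Servlet used to test HtmlResponse escaping: always answers with status 504 and a title/location containing markup that must be escaped. */`, since `SLING2082Test` depends on both the status code and the presence of `<script>` in those values.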
Propchange: sling/trunk/launchpad/test-services/src/main/java/org/apache/sling/launchpad/testservices/servlets/HtmlResponseServlet.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: sling/trunk/launchpad/test-services/src/main/java/org/apache/sling/launchpad/testservices/servlets/HtmlResponseServlet.java
------------------------------------------------------------------------------
svn:keywords = Author Date Id Revision Rev URL