Posted to commits@myfaces.apache.org by lo...@apache.org on 2017/09/13 14:41:03 UTC

[myfaces-tobago] branch master updated (484770d -> 59bd89a)

This is an automated email from the ASF dual-hosted git repository.

lofwyr pushed a change to branch master
in repository https://gitbox.apache.org/repos/asf/myfaces-tobago.git.


    from 484770d  rebuild themes after update
     new d67a725  TOBAGO-1786: Selector to address UIStyle * fix of id writing in selector * UnitTest
     new 59bd89a  TOBAGO-1791: There should be a "nonce" for each request to protect CSS and JavaScript with CSP * configure CSP

The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 .../tobago/internal/util/StyleRenderUtils.java     | 16 +++-
 .../internal/config/AbstractTobagoTestBase.java    | 17 ++++
 .../internal/util/StyleRenderUtilsUnitTest.java    | 91 ++++++++++++++++++++++
 .../src/main/webapp/WEB-INF/tobago-config.xml      |  3 +-
 4 files changed, 122 insertions(+), 5 deletions(-)
 create mode 100644 tobago-core/src/test/java/org/apache/myfaces/tobago/internal/util/StyleRenderUtilsUnitTest.java

-- 
To stop receiving notification emails like this one, please contact
['"commits@myfaces.apache.org" <co...@myfaces.apache.org>'].

[myfaces-tobago] 01/02: TOBAGO-1786: Selector to address UIStyle * fix of id writing in selector * UnitTest

Posted by lo...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

lofwyr pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/myfaces-tobago.git

commit d67a725e1b0220dd1ca63e7914398b9daa63b6cb
Author: Udo Schnurpfeil <lo...@apache.org>
AuthorDate: Wed Sep 13 16:37:46 2017 +0200

    TOBAGO-1786: Selector to address UIStyle
    * fix of id writing in selector
    * UnitTest
---
 .../tobago/internal/util/StyleRenderUtils.java     | 16 +++-
 .../internal/config/AbstractTobagoTestBase.java    | 17 ++++
 .../internal/util/StyleRenderUtilsUnitTest.java    | 91 ++++++++++++++++++++++
 3 files changed, 120 insertions(+), 4 deletions(-)

diff --git a/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/util/StyleRenderUtils.java b/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/util/StyleRenderUtils.java
index f9043ec..aac421b 100644
--- a/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/util/StyleRenderUtils.java
+++ b/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/util/StyleRenderUtils.java
@@ -20,6 +20,8 @@
 package org.apache.myfaces.tobago.internal.util;
 
 import org.apache.myfaces.tobago.webapp.TobagoResponseWriter;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 import java.io.IOException;
 
@@ -29,11 +31,12 @@ import java.io.IOException;
  */
 public class StyleRenderUtils {
 
+  private static final Logger LOG = LoggerFactory.getLogger(StyleRenderUtils.class);
+
   private StyleRenderUtils() {
     // to prevent instantiation
   }
 
-
   public static void writeIdSelector(TobagoResponseWriter writer, String id) throws IOException {
 
     writer.writeText("#");
@@ -43,15 +46,20 @@ public class StyleRenderUtils {
     for (int i = 0; i < chars.length; i++) {
       char c = chars[i];
       if (c == ':') {
-        writer.writeText(chars, last, i);
-        writer.writeText("\\\\:");
-        last = i;
+        writer.writeText(chars, last, i - last);
+        writer.writeText("\\:");
+        last = i + 1;
       }
     }
+    writer.writeText(chars, last, chars.length - last);
   }
 
   // not using writeText, because > must not be encoded!
   public static void writeSelector(TobagoResponseWriter writer, String selector) throws IOException {
+    if (selector.contains("<")) {
+      LOG.warn("Found invalid char < inside of style!");
+      selector = selector.replaceAll("<", "&lt;");
+    }
     writer.write(selector);
   }
 
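Review bot: `writeSelector` neutralises only `<`, so `{`, `}` and comment delimiters in `selector` still reach `writer.write` unescaped. Whether callers ever pass request- or user-derived text is not visible in this hunk; if they can, that is enough to end the selector and append further CSS rules, so I would state the "developer-supplied selectors only" contract in a Javadoc comment or reject such input instead of rewriting it. When the page is parsed as HTML, `&lt;` is not decoded inside a `<style>` element, so the rewritten selector is simply invalid. That fails closed, but the warning would be more useful for triage if it included the offending selector, and `selector = selector.replace("<", "&lt;");` avoids the regex in `replaceAll`. `writeIdSelector` starts above this hunk and escapes only `:`, which looks sufficient for typical JSF client ids but deserves a one-line comment saying so.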
diff --git a/tobago-core/src/test/java/org/apache/myfaces/tobago/internal/config/AbstractTobagoTestBase.java b/tobago-core/src/test/java/org/apache/myfaces/tobago/internal/config/AbstractTobagoTestBase.java
index 218bba0..beff44e 100644
--- a/tobago-core/src/test/java/org/apache/myfaces/tobago/internal/config/AbstractTobagoTestBase.java
+++ b/tobago-core/src/test/java/org/apache/myfaces/tobago/internal/config/AbstractTobagoTestBase.java
@@ -34,11 +34,14 @@ import org.apache.myfaces.tobago.context.ThemeImpl;
 import org.apache.myfaces.tobago.context.TobagoContext;
 import org.apache.myfaces.tobago.internal.mock.faces.MockTheme;
 import org.apache.myfaces.tobago.internal.util.MimeTypeUtils;
+import org.apache.myfaces.tobago.internal.webapp.HtmlResponseWriter;
 import org.junit.After;
 import org.junit.Before;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import java.io.IOException;
+import java.io.StringWriter;
 import java.util.Collections;
 import java.util.Locale;
 
@@ -56,6 +59,9 @@ public abstract class AbstractTobagoTestBase extends AbstractJsfTestCase {
 
   private static final Logger LOG = LoggerFactory.getLogger(AbstractTobagoTestBase.class);
 
+  private StringWriter stringWriter;
+  private int last = 0;
+
   /**
    * <p>Set up instance variables required by Tobago test cases.</p>
    */
@@ -65,6 +71,9 @@ public abstract class AbstractTobagoTestBase extends AbstractJsfTestCase {
 
     super.setUp();
 
+    stringWriter = new StringWriter();
+    getFacesContext().setResponseWriter(new HtmlResponseWriter(stringWriter, "", "UTF-8"));
+
     // Tobago specific extensions
 
     final TobagoConfigImpl tobagoConfig = TobagoConfigMergingUnitTest.loadAndMerge("tobago-config-for-unit-tests.xml");
@@ -112,4 +121,12 @@ public abstract class AbstractTobagoTestBase extends AbstractJsfTestCase {
   public MockHttpServletRequest getRequest() {
     return request;
   }
+
+  public String getLastWritten() throws IOException {
+    getFacesContext().getResponseWriter().flush(); // is this needed
+    final String full = stringWriter.toString();
+    final String result = full.substring(last);
+    last = full.length();
+    return result;
+  }
 }
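Review bot: `getLastWritten()` is a new public helper with no Javadoc, and its only comment is an open question (`// is this needed`). I would add `/** Returns the text written to the response writer since the previous call, or since setUp() on the first call. */` and either confirm the flush is required or drop the remark. The `last` offset is initialised only at its field declaration, while `stringWriter` is recreated in `setUp()`. Adding `last = 0;` next to `stringWriter = new StringWriter();` keeps the two in step if `setUp()` ever runs twice on one instance.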
diff --git a/tobago-core/src/test/java/org/apache/myfaces/tobago/internal/util/StyleRenderUtilsUnitTest.java b/tobago-core/src/test/java/org/apache/myfaces/tobago/internal/util/StyleRenderUtilsUnitTest.java
new file mode 100644
index 0000000..7a0518e
--- /dev/null
+++ b/tobago-core/src/test/java/org/apache/myfaces/tobago/internal/util/StyleRenderUtilsUnitTest.java
@@ -0,0 +1,91 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.myfaces.tobago.internal.util;
+
+import org.apache.myfaces.tobago.internal.config.AbstractTobagoTestBase;
+import org.apache.myfaces.tobago.webapp.TobagoResponseWriter;
+import org.junit.Assert;
+import org.junit.Test;
+
+import javax.faces.context.FacesContext;
+import java.io.IOException;
+
+public class StyleRenderUtilsUnitTest extends AbstractTobagoTestBase {
+
+  @Test
+  public void testEncodeSelector() {
+    Assert.assertEquals("", StyleRenderUtils.encodeSelector());
+
+    Assert.assertEquals("", StyleRenderUtils.encodeSelector(""));
+
+    Assert.assertEquals("tag", StyleRenderUtils.encodeSelector("tag"));
+
+    Assert.assertEquals(".class", StyleRenderUtils.encodeSelector(".class"));
+
+    Assert.assertEquals("parent>child", StyleRenderUtils.encodeSelector("parent>child"));
+
+    Assert.assertEquals("#id\\:sub", StyleRenderUtils.encodeSelector("#id:sub"));
+
+    Assert.assertEquals("#id\\:sub\\:sub2", StyleRenderUtils.encodeSelector("#id:sub:sub2"));
+
+    Assert.assertEquals("#id\\:sub\\:sub2\\:sub3", StyleRenderUtils.encodeSelector("#id:sub:sub2:sub3"));
+  }
+
+  @Test
+  public void writeIdSelector() throws IOException {
+
+    final FacesContext facesContext = FacesContext.getCurrentInstance();
+    final TobagoResponseWriter writer = (TobagoResponseWriter) facesContext.getResponseWriter();
+
+    StyleRenderUtils.writeIdSelector(writer, "id");
+    Assert.assertEquals("#id", getLastWritten());
+
+    StyleRenderUtils.writeIdSelector(writer, "id:sub");
+    Assert.assertEquals("#id\\:sub", getLastWritten());
+
+    StyleRenderUtils.writeIdSelector(writer, "id:sub:sub2");
+    Assert.assertEquals("#id\\:sub\\:sub2", getLastWritten());
+
+    StyleRenderUtils.writeIdSelector(writer, "id:sub:sub2:sub3");
+    Assert.assertEquals("#id\\:sub\\:sub2\\:sub3", getLastWritten());
+
+    StyleRenderUtils.writeIdSelector(writer, "id::sub");
+    Assert.assertEquals("#id\\:\\:sub", getLastWritten());
+  }
+
+  @Test
+  public void writeSelector() throws IOException {
+
+    final FacesContext facesContext = FacesContext.getCurrentInstance();
+    final TobagoResponseWriter writer = (TobagoResponseWriter) facesContext.getResponseWriter();
+
+    StyleRenderUtils.writeSelector(writer, "parent>child");
+    Assert.assertEquals("parent>child", getLastWritten());
+
+    StyleRenderUtils.writeSelector(writer, "parent<child");
+    Assert.assertEquals("parent&lt;child", getLastWritten());
+
+    StyleRenderUtils.writeSelector(writer, "#id");
+    Assert.assertEquals("#id", getLastWritten());
+
+    StyleRenderUtils.writeSelector(writer, "#id\\:sub");
+    Assert.assertEquals("#id\\:sub", getLastWritten());
+  }
+}
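Review bot: `writeSelector()` pins only the `parent<child` case, so it would still pass if the guard in `StyleRenderUtils.writeSelector` were narrowed later. I would add a case for a selector containing a complete closing tag such as `</style>`, and one containing `{` or `}`, to record the intended behaviour for those inputs. In `writeIdSelector()` an id that begins and ends with `:` would exercise the `last` bookkeeping at both boundaries, e.g. `StyleRenderUtils.writeIdSelector(writer, ":id:");`, which should yield `#\\:id\\:`. `testEncodeSelector` calls `StyleRenderUtils.encodeSelector`, which none of the hunks in this commit touch, so it presumably already exists in that class.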

-- 
To stop receiving notification emails like this one, please contact
"commits@myfaces.apache.org" <co...@myfaces.apache.org>.

[myfaces-tobago] 02/02: TOBAGO-1791: There should be a "nonce" for each request to protect CSS and JavaScript with CSP * configure CSP

Posted by lo...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

lofwyr pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/myfaces-tobago.git

commit 59bd89a0abd29911e6c7d900426193a4796ef4be
Author: Udo Schnurpfeil <lo...@apache.org>
AuthorDate: Wed Sep 13 16:38:31 2017 +0200

    TOBAGO-1791: There should be a "nonce" for each request to protect CSS and JavaScript with CSP
    * configure CSP
---
 .../tobago-example-demo/src/main/webapp/WEB-INF/tobago-config.xml      | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/tobago-example/tobago-example-demo/src/main/webapp/WEB-INF/tobago-config.xml b/tobago-example/tobago-example-demo/src/main/webapp/WEB-INF/tobago-config.xml
index be81172..2c92235 100644
--- a/tobago-example/tobago-example-demo/src/main/webapp/WEB-INF/tobago-config.xml
+++ b/tobago-example/tobago-example-demo/src/main/webapp/WEB-INF/tobago-config.xml
@@ -49,8 +49,9 @@
     <!-- XXX With CSP Tobago 3.0.x is currently not working 100% see TOBAGO-1534,
          XXX because of JSF-AJAX we need 'unsafe-eval' -->
     <!--<directive name="script-src">'self' 'unsafe-eval'</directive>-->
-    <!-- needed for <tc:object> in object.xhtml -->
+    <!-- needed for <tc:object>  -->
     <directive name="child-src">https://maps.google.com</directive>
+    <directive name="child-src">https://*.apache.org</directive>
     <!-- needed for the test suite -->
     <directive name="child-src">'self'</directive>
   </content-security-policy>
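Review bot: `https://*.apache.org` on the added `child-src` line allows framing any HTTPS host under apache.org, which is much broader than the single-host `https://maps.google.com` entry beside it. If the `<tc:object>` demo embeds one specific site, list that host instead, e.g. `<directive name="child-src">https://HOST.apache.org</directive>` with HOST replaced by the real name. The commit message speaks of a per-request nonce, but this hunk only widens `child-src` and leaves `script-src` commented out, so the nonce part presumably lands elsewhere. The rewritten comment also dropped the `object.xhtml` reference that told readers where the directive is used.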

-- 
To stop receiving notification emails like this one, please contact
"commits@myfaces.apache.org" <co...@myfaces.apache.org>.