Posted to commits@beehive.apache.org by cr...@apache.org on 2007/06/08 14:42:30 UTC
svn commit: r545494 - in /beehive/trunk/netui:
src/pageflow/org/apache/beehive/netui/pageflow/
src/pageflow/org/apache/beehive/netui/pageflow/internal/
src/scoping/org/apache/beehive/netui/pageflow/scoping/
src/tags-html/org/apache/beehive/netui/tags/h...
Author: crogers
Date: Fri Jun 8 05:42:28 2007
New Revision: 545494
URL: http://svn.apache.org/viewvc?view=rev&rev=545494
Log:
This is a contribution from Scott L'Hommedieu for BEEHIVE-1197. I modified the changes so that we escape characters for use as a param in the URL rather than use HTML entities. Also added junit and TestRecorder tests. Thanks for the help Scott!
Tests: NetUI BVT (WinXP passed)
Added:
beehive/trunk/netui/test/webapps/drt/src/bugs/j1197/
beehive/trunk/netui/test/webapps/drt/src/bugs/j1197/Controller.java (with props)
beehive/trunk/netui/test/webapps/drt/testRecorder/tests/J1197.xml (with props)
beehive/trunk/netui/test/webapps/drt/web/bugs/j1197/
beehive/trunk/netui/test/webapps/drt/web/bugs/j1197/index.jsp (with props)
Modified:
beehive/trunk/netui/src/pageflow/org/apache/beehive/netui/pageflow/PageFlowRequestProcessor.java
beehive/trunk/netui/src/pageflow/org/apache/beehive/netui/pageflow/internal/DefaultURLRewriter.java
beehive/trunk/netui/src/pageflow/org/apache/beehive/netui/pageflow/internal/InternalUtils.java
beehive/trunk/netui/src/scoping/org/apache/beehive/netui/pageflow/scoping/ScopedServletUtils.java
beehive/trunk/netui/src/tags-html/org/apache/beehive/netui/tags/html/Form.java
beehive/trunk/netui/test/src/junitTests/org/apache/beehive/netui/test/pageflow/scoping/ScopedServletUtilsTest.java
beehive/trunk/netui/test/webapps/drt/testRecorder/config/testRecorder-tests.xml
Modified: beehive/trunk/netui/src/pageflow/org/apache/beehive/netui/pageflow/PageFlowRequestProcessor.java
URL: http://svn.apache.org/viewvc/beehive/trunk/netui/src/pageflow/org/apache/beehive/netui/pageflow/PageFlowRequestProcessor.java?view=diff&rev=545494&r1=545493&r2=545494
==============================================================================
--- beehive/trunk/netui/src/pageflow/org/apache/beehive/netui/pageflow/PageFlowRequestProcessor.java (original)
+++ beehive/trunk/netui/src/pageflow/org/apache/beehive/netui/pageflow/PageFlowRequestProcessor.java Fri Jun 8 05:42:28 2007
@@ -1548,7 +1548,7 @@
//
// If the current request is scoped, add the right request parameter to the URL.
//
- String scopeID = request.getParameter( ScopedServletUtils.SCOPE_ID_PARAM );
+ String scopeID = ScopedServletUtils.getScopeIdParamValue(request);
if ( scopeID != null )
{
return InternalUtils.addParam( url, ScopedServletUtils.SCOPE_ID_PARAM, scopeID );
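Review bot: The scope ID handed to `InternalUtils.addParam` on the last line is already percent-escaped for `<`, `>` and `"` by `getScopeIdParamValue`, so URL encoding is now split across two places: if addParam URL-encodes its value (not visible here) the `%` becomes `%25` and the ID no longer round-trips, and if it does not, every other character still reaches the URL raw. Encoding for the URL context belongs in one place — addParam itself, or `java.net.URLEncoder` — with the read-side helper returning the parameter as received. The same concern applies to the DefaultURLRewriter hunk, where the comment says the escaped value is next checked against what is already in the URL; a raw-versus-escaped mismatch would make that check miss. The enclosing method starts and ends outside the hunk.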
Modified: beehive/trunk/netui/src/pageflow/org/apache/beehive/netui/pageflow/internal/DefaultURLRewriter.java
URL: http://svn.apache.org/viewvc/beehive/trunk/netui/src/pageflow/org/apache/beehive/netui/pageflow/internal/DefaultURLRewriter.java?view=diff&rev=545494&r1=545493&r2=545494
==============================================================================
--- beehive/trunk/netui/src/pageflow/org/apache/beehive/netui/pageflow/internal/DefaultURLRewriter.java (original)
+++ beehive/trunk/netui/src/pageflow/org/apache/beehive/netui/pageflow/internal/DefaultURLRewriter.java Fri Jun 8 05:42:28 2007
@@ -120,7 +120,7 @@
// If the current request has a special parameter that addresses a named 'scope',
// add the parameter to the URL.
//
- String scopeID = request.getParameter( ScopedServletUtils.SCOPE_ID_PARAM );
+ String scopeID = ScopedServletUtils.getScopeIdParamValue(request);
if ( scopeID != null )
{
// check to see if the param is already there.
Modified: beehive/trunk/netui/src/pageflow/org/apache/beehive/netui/pageflow/internal/InternalUtils.java
URL: http://svn.apache.org/viewvc/beehive/trunk/netui/src/pageflow/org/apache/beehive/netui/pageflow/internal/InternalUtils.java?view=diff&rev=545494&r1=545493&r2=545494
==============================================================================
--- beehive/trunk/netui/src/pageflow/org/apache/beehive/netui/pageflow/internal/InternalUtils.java (original)
+++ beehive/trunk/netui/src/pageflow/org/apache/beehive/netui/pageflow/internal/InternalUtils.java Fri Jun 8 05:42:28 2007
@@ -18,26 +18,43 @@
*/
package org.apache.beehive.netui.pageflow.internal;
-import org.apache.beehive.netui.util.internal.InternalStringBuilder;
+import java.io.IOException;
+import java.lang.reflect.Field;
+import java.lang.reflect.Method;
+import java.util.HashMap;
+import java.util.Iterator;
+import java.util.LinkedHashMap;
+import java.util.Locale;
+import java.util.Map;
+
+import javax.servlet.ServletContext;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.jsp.JspContext;
+import javax.servlet.jsp.PageContext;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
import org.apache.beehive.netui.pageflow.*;
-import org.apache.beehive.netui.pageflow.config.PageFlowActionMapping;
-import org.apache.beehive.netui.pageflow.config.PageFlowControllerConfig;
-import org.apache.beehive.netui.pageflow.config.PageFlowActionFormBean;
import org.apache.beehive.netui.pageflow.config.DelegatingActionMapping;
import org.apache.beehive.netui.pageflow.config.DelegatingExceptionConfig;
+import org.apache.beehive.netui.pageflow.config.PageFlowActionFormBean;
+import org.apache.beehive.netui.pageflow.config.PageFlowActionMapping;
+import org.apache.beehive.netui.pageflow.config.PageFlowControllerConfig;
import org.apache.beehive.netui.pageflow.handler.Handlers;
import org.apache.beehive.netui.pageflow.handler.ReloadableClassHandler;
import org.apache.beehive.netui.pageflow.handler.StorageHandler;
import org.apache.beehive.netui.pageflow.scoping.ScopedServletUtils;
import org.apache.beehive.netui.util.Bundle;
-import org.apache.beehive.netui.util.internal.ServletUtils;
import org.apache.beehive.netui.util.config.ConfigUtil;
import org.apache.beehive.netui.util.config.bean.MultipartHandler;
import org.apache.beehive.netui.util.config.bean.PageFlowConfig;
+import org.apache.beehive.netui.util.internal.InternalStringBuilder;
+import org.apache.beehive.netui.util.internal.ServletUtils;
import org.apache.beehive.netui.util.logging.Logger;
import org.apache.struts.Globals;
-import org.apache.struts.util.MessageResources;
import org.apache.struts.action.*;
import org.apache.struts.config.ActionConfig;
import org.apache.struts.config.ControllerConfig;
@@ -46,24 +63,7 @@
import org.apache.struts.config.MessageResourcesConfig;
import org.apache.struts.config.ExceptionConfig;
import org.apache.struts.upload.MultipartRequestWrapper;
-
-import javax.servlet.ServletContext;
-import javax.servlet.ServletException;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
-import javax.servlet.jsp.JspContext;
-import javax.servlet.jsp.PageContext;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import javax.servlet.http.HttpSession;
-import java.io.IOException;
-import java.lang.reflect.Field;
-import java.lang.reflect.Method;
-import java.util.HashMap;
-import java.util.Iterator;
-import java.util.LinkedHashMap;
-import java.util.Map;
-import java.util.Locale;
+import org.apache.struts.util.MessageResources;
public class InternalUtils
implements PageFlowConstants, InternalConstants
@@ -171,7 +171,7 @@
* Filter output to prevent cross-site scripting (XSS) attacks.
*/
private static String filterValue(String value)
- throws IOException {
+ {
InternalStringBuilder result = new InternalStringBuilder(value.length());
for (int i = 0; i < value.length(); ++i) {
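Review bot: With `throws IOException` gone, `filterValue` is a plain string filter whose loop header on the last line is identical to the new `ScopedServletUtils.filterParamValue`, leaving two hand-rolled XSS filters in the tree that can drift apart; have one delegate to the other, or move the loop into a single shared helper. The Javadoc should also state which characters are replaced and with what, since "Filter output" alone does not tell a caller what context the result is safe in. The body of filterValue continues outside the hunk, so I cannot confirm its escape set matches the new one.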
Modified: beehive/trunk/netui/src/scoping/org/apache/beehive/netui/pageflow/scoping/ScopedServletUtils.java
URL: http://svn.apache.org/viewvc/beehive/trunk/netui/src/scoping/org/apache/beehive/netui/pageflow/scoping/ScopedServletUtils.java?view=diff&rev=545494&r1=545493&r2=545494
==============================================================================
--- beehive/trunk/netui/src/scoping/org/apache/beehive/netui/pageflow/scoping/ScopedServletUtils.java (original)
+++ beehive/trunk/netui/src/scoping/org/apache/beehive/netui/pageflow/scoping/ScopedServletUtils.java Fri Jun 8 05:42:28 2007
@@ -18,10 +18,9 @@
*/
package org.apache.beehive.netui.pageflow.scoping;
-import org.apache.beehive.netui.pageflow.scoping.internal.ScopedRequestImpl;
-import org.apache.beehive.netui.pageflow.scoping.internal.ScopedResponseImpl;
-import org.apache.beehive.netui.util.logging.Logger;
-import org.apache.struts.upload.MultipartRequestWrapper;
+import java.io.IOException;
+import java.net.URI;
+import java.net.URISyntaxException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
@@ -32,8 +31,13 @@
import javax.servlet.ServletResponse;
import javax.servlet.ServletResponseWrapper;
-import java.net.URI;
-import java.net.URISyntaxException;
+import org.apache.beehive.netui.pageflow.scoping.internal.ScopedRequestImpl;
+import org.apache.beehive.netui.pageflow.scoping.internal.ScopedResponseImpl;
+import org.apache.beehive.netui.util.Bundle;
+import org.apache.beehive.netui.util.ParamHelper;
+import org.apache.beehive.netui.util.internal.InternalStringBuilder;
+import org.apache.beehive.netui.util.logging.Logger;
+import org.apache.struts.upload.MultipartRequestWrapper;
/**
@@ -317,7 +321,7 @@
*/
public static String getScopedSessionAttrName( String attrName, HttpServletRequest request )
{
- String requestScopeParam = request.getParameter( SCOPE_ID_PARAM );
+ String requestScopeParam = getScopeIdParamValue(request);
if ( requestScopeParam != null )
{
@@ -455,13 +459,62 @@
return uri;
}
-
-
+
/**
* @exclude
*/
public static String decodeURI( HttpServletRequest request )
{
return request.getContextPath() + request.getServletPath(); // TODO: always decoded?
+ }
+
+ /**
+ * This method is for use by the framework. It is a utility
+ * method to get the scope Id parameter from the request.
+ *
+ * @param request the request
+ * @return the value of the scope Id parameter from the request.
+ * @exclude
+ */
+ public static String getScopeIdParamValue(ServletRequest request)
+ {
+ String jpfScopeID = request.getParameter(SCOPE_ID_PARAM);
+
+ // make sure any scripting characters get escaped.
+ jpfScopeID = filterParamValue(jpfScopeID);
+
+ return jpfScopeID;
+ }
+
+ /*
+ * Filter a parameter value to prevent cross-site scripting attacks.
+ * Just escapes some of the characters in the value with their
+ * associated entities;
+ */
+ private static String filterParamValue(String value)
+ {
+ if (value == null) {
+ return null;
+ }
+
+ InternalStringBuilder result = new InternalStringBuilder(value.length());
+ for (int i = 0; i < value.length(); ++i) {
+ char c = value.charAt(i);
+ switch (c) {
+ case '<':
+ result.append("%3C");
+ break;
+ case '>':
+ result.append("%3E");
+ break;
+ case '"':
+ result.append("%22");
+ break;
+ default:
+ result.append(c);
+ }
+ }
+
+ return result.toString();
}
}
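Review bot: The comment on `filterParamValue` says characters are replaced "with their associated entities", but the switch emits percent-escapes (`%3C`, `%3E`, `%22`), so it should read `* Percent-escapes '<', '>' and '"' so the value can be placed back into a URL parameter.` The filter is also a three-character denylist: `'`, `&` and a literal `%` in the input pass through unchanged, so an input of `%3C` and an input of `<` yield the same output, and the result is neither fully URL-encoded nor safe in every HTML context; if the goal stated in the log is escaping for use as a URL parameter, `URLEncoder.encode(value, "UTF-8")` gives a complete and reversible encoding (the JUnit expectation would then change, as `'` and `/` would be encoded too), with HTML escaping left to the point of output. The `@exclude`d Javadoc on `getScopeIdParamValue` should say it returns an escaped, not raw, value, since `getScopedSessionAttrName` above now reads it (its use of the value continues outside the hunk). Of the new imports, `Bundle`, `ParamHelper` and `IOException` are not referenced by anything visible in this diff and may be unused.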
Modified: beehive/trunk/netui/src/tags-html/org/apache/beehive/netui/tags/html/Form.java
URL: http://svn.apache.org/viewvc/beehive/trunk/netui/src/tags-html/org/apache/beehive/netui/tags/html/Form.java?view=diff&rev=545494&r1=545493&r2=545494
==============================================================================
--- beehive/trunk/netui/src/tags-html/org/apache/beehive/netui/tags/html/Form.java (original)
+++ beehive/trunk/netui/src/tags-html/org/apache/beehive/netui/tags/html/Form.java Fri Jun 8 05:42:28 2007
@@ -902,7 +902,7 @@
URLRewriterService.rewriteURL(servletContext, request, response, uri, URLType.ACTION, needsToBeSecure);
// Add a scope-ID hidden input, if there's one on this tag, or one in the request.
- String targetScope = (_targetScope != null) ? _targetScope : request.getParameter(ScopedServletUtils.SCOPE_ID_PARAM);
+ String targetScope = (_targetScope != null) ? _targetScope : ScopedServletUtils.getScopeIdParamValue(request);
if (targetScope != null) {
if (_params == null) {
_params = new HashMap();
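Review bot: Only the request-derived branch of the ternary on the changed line is escaped; when `_targetScope` is set the value goes into `_params` untouched, so if that attribute can be fed from an expression that ultimately carries request data it bypasses the filter. The more robust fix is for whatever writes `_params` out as hidden inputs to HTML-escape every value at output time, independent of where it came from, which would also let the scope ID be stored raw. The enclosing method starts and ends outside the hunk, and how `_params` is rendered is not visible here.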
Modified: beehive/trunk/netui/test/src/junitTests/org/apache/beehive/netui/test/pageflow/scoping/ScopedServletUtilsTest.java
URL: http://svn.apache.org/viewvc/beehive/trunk/netui/test/src/junitTests/org/apache/beehive/netui/test/pageflow/scoping/ScopedServletUtilsTest.java?view=diff&rev=545494&r1=545493&r2=545494
==============================================================================
--- beehive/trunk/netui/test/src/junitTests/org/apache/beehive/netui/test/pageflow/scoping/ScopedServletUtilsTest.java (original)
+++ beehive/trunk/netui/test/src/junitTests/org/apache/beehive/netui/test/pageflow/scoping/ScopedServletUtilsTest.java Fri Jun 8 05:42:28 2007
@@ -167,6 +167,15 @@
assertEquals(relativeURI, ScopedServletUtils.getRelativeURI(contextPath, uri));
}
+ public void testGetHTMLEncodedScopeIDParam() {
+ String name = "jpfScopeID";
+ String value = "\"><script>alert('gotcha')</script>";
+ String query = name + "=" + value;
+ HttpServletRequest request = ServletFactory.getServletRequest(query);
+ String escapedName = ScopedServletUtils.getScopeIdParamValue(request);
+ assertEquals(escapedName, "%22%3E%3Cscript%3Ealert('gotcha')%3C/script%3E");
+ }
+
public final class TestRequestWrapper extends HttpServletRequestWrapper
{
public TestRequestWrapper(HttpServletRequest delegate) {
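Review bot: `assertEquals(escapedName, "%22...")` has its arguments reversed — JUnit's convention is `assertEquals(expected, actual)`, so a failure would report the two values swapped; write `assertEquals("%22%3E%3Cscript%3Ealert('gotcha')%3C/script%3E", escapedName);`. The method name `testGetHTMLEncodedScopeIDParam` describes HTML encoding while the assertion checks percent-escapes; `testGetEscapedScopeIdParamValue` would match the code. Two further cases would pin the contract: a request with no `jpfScopeID` returning null, and a value containing `'` or `&` showing those are currently passed through unchanged.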
Added: beehive/trunk/netui/test/webapps/drt/src/bugs/j1197/Controller.java
URL: http://svn.apache.org/viewvc/beehive/trunk/netui/test/webapps/drt/src/bugs/j1197/Controller.java?view=auto&rev=545494
==============================================================================
--- beehive/trunk/netui/test/webapps/drt/src/bugs/j1197/Controller.java (added)
+++ beehive/trunk/netui/test/webapps/drt/src/bugs/j1197/Controller.java Fri Jun 8 05:42:28 2007
@@ -0,0 +1,69 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * $Header:$
+ */
+package bugs.j1197;
+
+import org.apache.beehive.netui.pageflow.Forward;
+import org.apache.beehive.netui.pageflow.PageFlowController;
+import org.apache.beehive.netui.pageflow.annotations.Jpf;
+import org.apache.beehive.netui.pageflow.scoping.ScopedServletUtils;
+
+@Jpf.Controller()
+public class Controller extends PageFlowController
+{
+ private String _scopeId;
+ public String getScopeId() {
+ return _scopeId;
+ }
+ public void setScopeId(String id) {
+ _scopeId = id;
+ }
+
+ @Jpf.Action(
+ forwards={
+ @Jpf.Forward(name = "success", path = "index.jsp")
+ }
+ )
+ protected Forward begin() throws Throwable {
+ Forward forward = new Forward("success");
+ setScopeId(ScopedServletUtils.getScopeIdParamValue(getRequest()));
+ return forward;
+ }
+
+ @Jpf.Action(
+ forwards={
+ @Jpf.Forward(name = "success", path = "index.jsp")
+ }
+ )
+ protected Forward submit(MyBean bean) throws Throwable {
+ Forward forward = new Forward("success");
+ setScopeId(ScopedServletUtils.getScopeIdParamValue(getRequest()));
+ return forward;
+ }
+
+ @Jpf.FormBean
+ public static class MyBean implements java.io.Serializable {
+ private String _name;
+ public String getName() {
+ return _name;
+ }
+ public void setName(String name) {
+ _name = name;
+ }
+ }
+}
Propchange: beehive/trunk/netui/test/webapps/drt/src/bugs/j1197/Controller.java
------------------------------------------------------------------------------
svn:eol-style = native
Modified: beehive/trunk/netui/test/webapps/drt/testRecorder/config/testRecorder-tests.xml
URL: http://svn.apache.org/viewvc/beehive/trunk/netui/test/webapps/drt/testRecorder/config/testRecorder-tests.xml?view=diff&rev=545494&r1=545493&r2=545494
==============================================================================
--- beehive/trunk/netui/test/webapps/drt/testRecorder/config/testRecorder-tests.xml (original)
+++ beehive/trunk/netui/test/webapps/drt/testRecorder/config/testRecorder-tests.xml Fri Jun 8 05:42:28 2007
@@ -5293,6 +5293,16 @@
</features>
</test>
<test>
+ <name>J1197</name>
+ <description>Filter script from jpfScopeID request param (BEEHIVE-1197).</description>
+ <webapp>coreWeb</webapp>
+ <categories>
+ <category>bvt</category>
+ <category>bvt.struts11</category>
+ <category>jiraBugs</category>
+ </categories>
+ </test>
+ <test>
<name>JpfScopedFormsTest49</name>
<description>JpfScopedFormsTest49</description>
<webapp>coreWeb</webapp>
Added: beehive/trunk/netui/test/webapps/drt/testRecorder/tests/J1197.xml
URL: http://svn.apache.org/viewvc/beehive/trunk/netui/test/webapps/drt/testRecorder/tests/J1197.xml?view=auto&rev=545494
==============================================================================
--- beehive/trunk/netui/test/webapps/drt/testRecorder/tests/J1197.xml (added)
+++ beehive/trunk/netui/test/webapps/drt/testRecorder/tests/J1197.xml Fri Jun 8 05:42:28 2007
@@ -0,0 +1,343 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<recorderSession xmlns="http://beehive.apache.org/netui/tools/testrecorder/2004/session">
+<sessionName>J1197</sessionName>
+<tester>crogers</tester>
+<startDate>07 Jun 2007, 04:51:25.991 PM MDT</startDate>
+<description>Filter script from jpfScopeID request param (BEEHIVE-1197).</description>
+<tests>
+<test>
+<testNumber>1</testNumber>
+<request>
+<protocol>HTTP</protocol>
+<protocolVersion>1.1</protocolVersion>
+<host>localhost</host>
+<port>8080</port>
+<uri>/coreWeb/bugs/j1197/begin.do</uri>
+<method>GET</method>
+<parameters>
+</parameters>
+<cookies>
+<cookie>
+<name>JSESSIONID</name>
+<value>420651557751ADFDCF80A37B291B09EF</value>
+</cookie>
+</cookies>
+<headers>
+<header>
+<name>---------------</name>
+<value>------------</value>
+</header>
+<header>
+<name>accept</name>
+<value>text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5</value>
+</header>
+<header>
+<name>accept-charset</name>
+<value>UTF-8,*</value>
+</header>
+<header>
+<name>accept-encoding</name>
+<value>gzip, deflate</value>
+</header>
+<header>
+<name>accept-language</name>
+<value>en-us,en;q=0.5</value>
+</header>
+<header>
+<name>connection</name>
+<value>keep-alive</value>
+</header>
+<header>
+<name>cookie</name>
+<value>JSESSIONID=420651557751ADFDCF80A37B291B09EF</value>
+</header>
+<header>
+<name>host</name>
+<value>localhost:8080</value>
+</header>
+<header>
+<name>keep-alive</name>
+<value>300</value>
+</header>
+<header>
+<name>user-agent</name>
+<value>Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4</value>
+</header>
+</headers>
+</request>
+<response>
+<statusCode>200</statusCode>
+<reason></reason>
+<responseBody>
+<![CDATA[<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
+ "http://www.w3.org/TR/html4/loose.dtd">
+<html lang="en">
+
+<head>
+ <title>Test for BEEHIVE-1197</title>
+</head>
+<body>
+ <p>Beehive NetUI JavaServer Page - /coreWeb/bugs/j1197/index.jsp</p>
+
+ <p>Test for BEEHIVE-1197</p>
+ <p>
+ Add the following to either the Controller.jpf, begin.do,
+ or submit.do URLs
+ </p>
+ <code>?jpfScopeID=%22%3E%3Cscript%3Ealert('gotcha')%3C/script%3E</code>
+
+ <form action="/coreWeb/bugs/j1197/submit.do" method="post">
+ <table>
+ <tr valign="top">
+ <td><label for="name"> Name: </label></td>
+ <td><input type="text" name="{actionForm.name}"></td>
+ </tr>
+ </table>
+ <input type="submit" value="Submit">
+ </form>
+
+ <a href="/coreWeb/bugs/j1197/begin.do">Begin</a>
+
+ <br>
+ Results: filtered jpfScopeID param =
+ <span></span>
+</body>
+
+</html>]]>
+</responseBody>
+</response>
+</test>
+<test>
+<testNumber>2</testNumber>
+<request>
+<protocol>HTTP</protocol>
+<protocolVersion>1.1</protocolVersion>
+<host>localhost</host>
+<port>8080</port>
+<uri>/coreWeb/bugs/j1197/begin.do</uri>
+<method>GET</method>
+<parameters>
+<parameter>
+<name>jpfScopeID</name>
+<value>%22%3E%3Cscript%3Ealert('gotcha')%3C/script%3E</value>
+</parameter>
+</parameters>
+<cookies>
+<cookie>
+<name>JSESSIONID</name>
+<value>420651557751ADFDCF80A37B291B09EF</value>
+</cookie>
+</cookies>
+<headers>
+<header>
+<name>---------------</name>
+<value>------------</value>
+</header>
+<header>
+<name>accept</name>
+<value>text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5</value>
+</header>
+<header>
+<name>accept-charset</name>
+<value>UTF-8,*</value>
+</header>
+<header>
+<name>accept-encoding</name>
+<value>gzip, deflate</value>
+</header>
+<header>
+<name>accept-language</name>
+<value>en-us,en;q=0.5</value>
+</header>
+<header>
+<name>connection</name>
+<value>keep-alive</value>
+</header>
+<header>
+<name>cookie</name>
+<value>JSESSIONID=420651557751ADFDCF80A37B291B09EF</value>
+</header>
+<header>
+<name>host</name>
+<value>localhost:8080</value>
+</header>
+<header>
+<name>keep-alive</name>
+<value>300</value>
+</header>
+<header>
+<name>user-agent</name>
+<value>Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4</value>
+</header>
+</headers>
+</request>
+<response>
+<statusCode>200</statusCode>
+<reason></reason>
+<responseBody>
+<![CDATA[<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
+ "http://www.w3.org/TR/html4/loose.dtd">
+<html lang="en">
+
+<head>
+ <title>Test for BEEHIVE-1197</title>
+</head>
+<body>
+ <p>Beehive NetUI JavaServer Page - /coreWeb/bugs/j1197/index.jsp</p>
+
+ <p>Test for BEEHIVE-1197</p>
+ <p>
+ Add the following to either the Controller.jpf, begin.do,
+ or submit.do URLs
+ </p>
+ <code>?jpfScopeID=%22%3E%3Cscript%3Ealert('gotcha')%3C/script%3E</code>
+
+ <form action="/coreWeb/bugs/j1197/submit.do" method="post">
+<input type="hidden" name="jpfScopeID" value="%22%3E%3Cscript%3Ealert('gotcha')%3C/script%3E">
+ <table>
+ <tr valign="top">
+ <td><label for="name"> Name: </label></td>
+ <td><input type="text" name="{actionForm.name}"></td>
+ </tr>
+ </table>
+ <input type="submit" value="Submit">
+ </form>
+
+ <a href="/coreWeb/bugs/j1197/begin.do?jpfScopeID=%22%3E%3Cscript%3Ealert('gotcha')%3C/script%3E">Begin</a>
+
+ <br>
+ Results: filtered jpfScopeID param =
+ <span>%22%3E%3Cscript%3Ealert('gotcha')%3C/script%3E</span>
+</body>
+
+</html>]]>
+</responseBody>
+</response>
+</test>
+<test>
+<testNumber>3</testNumber>
+<request>
+<protocol>HTTP</protocol>
+<protocolVersion>1.1</protocolVersion>
+<host>localhost</host>
+<port>8080</port>
+<uri>/coreWeb/bugs/j1197/submit.do</uri>
+<method>POST</method>
+<parameters>
+<parameter>
+<name>jpfScopeID</name>
+<value>%22%3E%3Cscript%3Ealert('gotcha')%3C/script%3E</value>
+</parameter>
+<parameter>
+<name>{actionForm.name}</name>
+<value>test</value>
+</parameter>
+</parameters>
+<cookies>
+<cookie>
+<name>JSESSIONID</name>
+<value>420651557751ADFDCF80A37B291B09EF</value>
+</cookie>
+</cookies>
+<headers>
+<header>
+<name>-------</name>
+<value>----:-----------:------------------------------------------------------------------------------------------</value>
+</header>
+<header>
+<name>---------------</name>
+<value>------------</value>
+</header>
+<header>
+<name>accept</name>
+<value>text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5</value>
+</header>
+<header>
+<name>accept-charset</name>
+<value>UTF-8,*</value>
+</header>
+<header>
+<name>accept-encoding</name>
+<value>gzip, deflate</value>
+</header>
+<header>
+<name>accept-language</name>
+<value>en-us,en;q=0.5</value>
+</header>
+<header>
+<name>connection</name>
+<value>keep-alive</value>
+</header>
+<header>
+<name>content-length</name>
+<value>106</value>
+</header>
+<header>
+<name>content-type</name>
+<value>application/x-www-form-urlencoded</value>
+</header>
+<header>
+<name>cookie</name>
+<value>JSESSIONID=420651557751ADFDCF80A37B291B09EF</value>
+</header>
+<header>
+<name>host</name>
+<value>localhost:8080</value>
+</header>
+<header>
+<name>keep-alive</name>
+<value>300</value>
+</header>
+<header>
+<name>user-agent</name>
+<value>Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4</value>
+</header>
+</headers>
+</request>
+<response>
+<statusCode>200</statusCode>
+<reason></reason>
+<responseBody>
+<![CDATA[<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
+ "http://www.w3.org/TR/html4/loose.dtd">
+<html lang="en">
+
+<head>
+ <title>Test for BEEHIVE-1197</title>
+</head>
+<body>
+ <p>Beehive NetUI JavaServer Page - /coreWeb/bugs/j1197/index.jsp</p>
+
+ <p>Test for BEEHIVE-1197</p>
+ <p>
+ Add the following to either the Controller.jpf, begin.do,
+ or submit.do URLs
+ </p>
+ <code>?jpfScopeID=%22%3E%3Cscript%3Ealert('gotcha')%3C/script%3E</code>
+
+ <form action="/coreWeb/bugs/j1197/submit.do" method="post">
+<input type="hidden" name="jpfScopeID" value="%22%3E%3Cscript%3Ealert('gotcha')%3C/script%3E">
+ <table>
+ <tr valign="top">
+ <td><label for="name"> Name: </label></td>
+ <td><input type="text" name="{actionForm.name}" value="test"></td>
+ </tr>
+ </table>
+ <input type="submit" value="Submit">
+ </form>
+
+ <a href="/coreWeb/bugs/j1197/begin.do?jpfScopeID=%22%3E%3Cscript%3Ealert('gotcha')%3C/script%3E">Begin</a>
+
+ <br>
+ Results: filtered jpfScopeID param =
+ <span>%22%3E%3Cscript%3Ealert('gotcha')%3C/script%3E</span>
+</body>
+
+</html>]]>
+</responseBody>
+</response>
+</test>
+</tests>
+<endDate>07 Jun 2007, 04:52:20.370 PM MDT</endDate>
+<testCount>3</testCount>
+</recorderSession>
Propchange: beehive/trunk/netui/test/webapps/drt/testRecorder/tests/J1197.xml
------------------------------------------------------------------------------
svn:eol-style = native
Added: beehive/trunk/netui/test/webapps/drt/web/bugs/j1197/index.jsp
URL: http://svn.apache.org/viewvc/beehive/trunk/netui/test/webapps/drt/web/bugs/j1197/index.jsp?view=auto&rev=545494
==============================================================================
--- beehive/trunk/netui/test/webapps/drt/web/bugs/j1197/index.jsp (added)
+++ beehive/trunk/netui/test/webapps/drt/web/bugs/j1197/index.jsp Fri Jun 8 05:42:28 2007
@@ -0,0 +1,51 @@
+<%--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+ $Header:$
+--%>
+<%@ page language="java" contentType="text/html;charset=UTF-8"%>
+<%@taglib uri="http://beehive.apache.org/netui/tags-html-1.0" prefix="netui"%>
+<netui:html>
+<head>
+ <title>Test for BEEHIVE-1197</title>
+</head>
+<netui:body>
+ <p>Beehive NetUI JavaServer Page - ${pageContext.request.requestURI}</p>
+
+ <p>Test for BEEHIVE-1197</p>
+ <p>
+ Add the following to either the Controller.jpf, begin.do,
+ or submit.do URLs
+ </p>
+ <code>?jpfScopeID=%22%3E%3Cscript%3Ealert('gotcha')%3C/script%3E</code>
+
+ <netui:form action="submit">
+ <table>
+ <tr valign="top">
+ <td><label for="name"> Name: </label></td>
+ <td><netui:textBox dataSource="actionForm.name"></netui:textBox></td>
+ </tr>
+ </table>
+ <netui:button value="Submit" type="submit" />
+ </netui:form>
+
+ <netui:anchor action="begin">Begin</netui:anchor>
+
+ <br>
+ Results: filtered jpfScopeID param =
+ <netui:span value="${pageFlow.scopeId}"/>
+</netui:body>
+</netui:html>
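Review bot: `<label for="name">` points at an element id that nothing on the page carries — the text box is rendered without an `id` (the recorded output in J1197.xml shows `<input type="text" name="{actionForm.name}">`), so the label is not associated with its field; give the textBox a `tagId="name"` or drop the `for`. Note also that the page displays the scope ID through `<netui:span value="${pageFlow.scopeId}"/>`; whether that tag HTML-escapes its value is not visible here, and the recorded response only shows the page is safe because `<`, `>` and `"` were already stripped upstream, so the test does not cover output-time escaping.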
Propchange: beehive/trunk/netui/test/webapps/drt/web/bugs/j1197/index.jsp
------------------------------------------------------------------------------
svn:eol-style = native