Posted to commits@sling.apache.org by ro...@apache.org on 2015/02/17 16:38:02 UTC
svn commit: r1660420 - in /sling/trunk/contrib:
extensions/xss/src/main/java/org/apache/sling/xss/
extensions/xss/src/main/java/org/apache/sling/xss/impl/
extensions/xss/src/test/java/org/apache/sling/xss/impl/
scripting/sightly/engine/src/main/java/or...
Author: rombert
Date: Tue Feb 17 15:38:01 2015
New Revision: 1660420
URL: http://svn.apache.org/r1660420
Log:
SLING-4428 - Sightly: scriptComment and styleComment contexts are not doing anything
- Added support for multiline comment validation in XSS API.
- Added implementation and test.
- Added styleComment context to Sightly.
- Added proper validation for scriptComment and styleComment contexts.
Submitted by: Vlad Bailescu
Modified:
sling/trunk/contrib/extensions/xss/src/main/java/org/apache/sling/xss/XSSAPI.java
sling/trunk/contrib/extensions/xss/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java
sling/trunk/contrib/extensions/xss/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
sling/trunk/contrib/scripting/sightly/engine/src/main/java/org/apache/sling/scripting/sightly/impl/engine/extension/XSSRuntimeExtension.java
sling/trunk/contrib/scripting/sightly/engine/src/main/java/org/apache/sling/scripting/sightly/impl/plugin/MarkupContext.java
Modified: sling/trunk/contrib/extensions/xss/src/main/java/org/apache/sling/xss/XSSAPI.java
URL: http://svn.apache.org/viewvc/sling/trunk/contrib/extensions/xss/src/main/java/org/apache/sling/xss/XSSAPI.java?rev=1660420&r1=1660419&r2=1660420&view=diff
==============================================================================
--- sling/trunk/contrib/extensions/xss/src/main/java/org/apache/sling/xss/XSSAPI.java (original)
+++ sling/trunk/contrib/extensions/xss/src/main/java/org/apache/sling/xss/XSSAPI.java Tue Feb 17 15:38:01 2015
@@ -119,6 +119,16 @@ public interface XSSAPI {
@Nullable
public String getValidCSSColor(@Nullable String color, @Nullable String defaultColor);
+ /**
+ * Validate multiline comment to be used inside a <script>...</script> or <style>...</style> block. Multiline
+ * comment end block is disallowed
+ *
+ * @param comment the comment to be used
+ * @param defaultComment a default value to use if the comment is {@code null} or not valid.
+ * @return a valid multiline comment
+ */
+ public String getValidMultiLineComment(@Nullable String comment, @Nullable String defaultComment);
+
// =============================================================================================
// ENCODERS
//
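Review bot: `getValidMultiLineComment` on line 41 declares no `@Nullable` on its return type, yet the contract on line 38 allows a null `defaultComment` and the implementation returns that value verbatim, so the return is nullable exactly like `getValidCSSColor` above it (annotated on line 31); add `@Nullable` to the new method for consistency. The Javadoc on line 34 embeds raw `<script>` and `<style>` tags, which the javadoc tool renders as HTML rather than text; write them as `{@code <script>...</script>}` and `{@code <style>...</style>}`. The doc should also state that the method does not add the `/* */` delimiters itself and that the caller must place the returned value inside an already-open comment block, since that is the only placement for which the `*/` rejection is meaningful.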
Modified: sling/trunk/contrib/extensions/xss/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java
URL: http://svn.apache.org/viewvc/sling/trunk/contrib/extensions/xss/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java?rev=1660420&r1=1660419&r2=1660420&view=diff
==============================================================================
--- sling/trunk/contrib/extensions/xss/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java (original)
+++ sling/trunk/contrib/extensions/xss/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java Tue Feb 17 15:38:01 2015
@@ -265,6 +265,16 @@ public class XSSAPIImpl implements XSSAP
return defaultColor;
}
+ /**
+ * @see org.apache.sling.xss.XSSAPI#getValidMultiLineComment(String, String)
+ */
+ public String getValidMultiLineComment(String comment, String defaultComment) {
+ if (comment != null && !comment.contains("*/")) {
+ return comment;
+ }
+ return defaultComment;
+ }
+
// =============================================================================================
// ENCODERS
//
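Review bot: The check on line 58 rejects only the `*/` terminator, but a value containing a closing `</script>` or `</style>` tag ends the enclosing HTML element before the comment does, because the HTML parser does not track JavaScript or CSS comment state, so the validated value can still leave the comment block. The condition should also refuse the closing-tag sequence, e.g. `if (comment != null && !comment.contains("*/") && !comment.contains("</")) {`, and XSSAPIImplTest.java should gain a data row for it. The method itself is complete within the hunk; the enclosing `XSSAPIImpl` class continues outside it.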
Modified: sling/trunk/contrib/extensions/xss/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
URL: http://svn.apache.org/viewvc/sling/trunk/contrib/extensions/xss/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java?rev=1660420&r1=1660419&r2=1660420&view=diff
==============================================================================
--- sling/trunk/contrib/extensions/xss/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java (original)
+++ sling/trunk/contrib/extensions/xss/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java Tue Feb 17 15:38:01 2015
@@ -522,4 +522,25 @@ public class XSSAPIImplTest {
}
}
}
+
+ @Test
+ public void TestGetValidMultiLineComment() {
+ String[][] testData = {
+ //Source Expected Result
+
+ {null , RUBBISH},
+ {"blah */ hack" , RUBBISH},
+
+ {"Valid comment" , "Valid comment"}
+ };
+ for (String[] aTestData : testData) {
+ String source = aTestData[0];
+ String expected = aTestData[1];
+
+ String result = xssAPI.getValidMultiLineComment(source, RUBBISH);
+ if (!result.equals(expected)) {
+ fail("Validating multiline comment '" + source + "', expecting '" + expected + "', but got '" + result + "'");
+ }
+ }
+ }
}
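Review bot: `TestGetValidMultiLineComment` on line 78 breaks the lowerCamelCase method naming that Java convention (and, presumably, the other tests in this class) use; rename it to `testGetValidMultiLineComment`. The loop body on lines 91–94 re-implements `assertEquals` by hand; `assertEquals("Validating multiline comment '" + source + "'", expected, result);` yields the same failure message with less code and does not NPE on a null `result`. The data table on lines 82–85 also lacks a row with a closing `</script>` tag inside the comment, which is the other way a value can terminate the enclosing block, so the test currently cannot catch that gap in the validator.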
Modified: sling/trunk/contrib/scripting/sightly/engine/src/main/java/org/apache/sling/scripting/sightly/impl/engine/extension/XSSRuntimeExtension.java
URL: http://svn.apache.org/viewvc/sling/trunk/contrib/scripting/sightly/engine/src/main/java/org/apache/sling/scripting/sightly/impl/engine/extension/XSSRuntimeExtension.java?rev=1660420&r1=1660419&r2=1660420&view=diff
==============================================================================
--- sling/trunk/contrib/scripting/sightly/engine/src/main/java/org/apache/sling/scripting/sightly/impl/engine/extension/XSSRuntimeExtension.java (original)
+++ sling/trunk/contrib/scripting/sightly/engine/src/main/java/org/apache/sling/scripting/sightly/impl/engine/extension/XSSRuntimeExtension.java Tue Feb 17 15:38:01 2015
@@ -109,7 +109,6 @@ public class XSSRuntimeExtension impleme
case URI:
return xssapi.getValidHref(text);
case SCRIPT_TOKEN:
- case SCRIPT_COMMENT:
return xssapi.getValidJSToken(text, "");
case STYLE_TOKEN:
return xssapi.getValidStyleToken(text, "");
@@ -117,6 +116,9 @@ public class XSSRuntimeExtension impleme
return xssapi.encodeForJSString(text);
case STYLE_STRING:
return xssapi.encodeForCSSString(text);
+ case SCRIPT_COMMENT:
+ case STYLE_COMMENT:
+ return xssapi.getValidMultiLineComment(text, "");
case ELEMENT_NAME:
return escapeElementName(text);
case HTML:
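Review bot: SCRIPT_COMMENT and STYLE_COMMENT on lines 115–116 are now validated only against the `*/` block terminator via `getValidMultiLineComment`, so if either context is also used for `//` line comments in script, a value containing a line terminator would end the comment early; if that usage is not intended, a comment at the case, e.g. `// only safe inside /* ... */ blocks: the validator rejects the block terminator, not line breaks`, records the restriction, and if it is intended the validator should also reject `\r` and `\n`. Both contexts also fall back to `""` on invalid input, which silently drops the value; that matches the other validator cases here and is fine, but is worth stating in the same comment. The enclosing switch and method start and end outside the hunk.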
Modified: sling/trunk/contrib/scripting/sightly/engine/src/main/java/org/apache/sling/scripting/sightly/impl/plugin/MarkupContext.java
URL: http://svn.apache.org/viewvc/sling/trunk/contrib/scripting/sightly/engine/src/main/java/org/apache/sling/scripting/sightly/impl/plugin/MarkupContext.java?rev=1660420&r1=1660419&r2=1660420&view=diff
==============================================================================
--- sling/trunk/contrib/scripting/sightly/engine/src/main/java/org/apache/sling/scripting/sightly/impl/plugin/MarkupContext.java (original)
+++ sling/trunk/contrib/scripting/sightly/engine/src/main/java/org/apache/sling/scripting/sightly/impl/plugin/MarkupContext.java Tue Feb 17 15:38:01 2015
@@ -38,6 +38,7 @@ public enum MarkupContext {
SCRIPT_REGEXP("scriptRegExp"),
STYLE_TOKEN("styleToken"),
STYLE_STRING("styleString"),
+ STYLE_COMMENT("styleComment"),
COMMENT("comment"),
NUMBER("number"),
UNSAFE("unsafe");