Posted to dev@shindig.apache.org by lr...@apache.org on 2009/02/28 00:06:32 UTC
svn commit: r748734 - in /incubator/shindig/trunk/java/gadgets/src:
main/java/org/apache/shindig/gadgets/
main/java/org/apache/shindig/gadgets/render/
main/java/org/apache/shindig/gadgets/servlet/
main/java/org/apache/shindig/gadgets/spec/ test/java/or...
Author: lryan
Date: Fri Feb 27 23:06:32 2009
New Revision: 748734
URL: http://svn.apache.org/viewvc?rev=748734&view=rev
Log:
Add support for experimental type="x-html-sanitized" view content
Modified:
incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/DefaultUrlGenerator.java
incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/Gadget.java
incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/render/RenderingContentRewriter.java
incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/render/SanitizedRenderingContentRewriter.java
incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/JsonRpcHandler.java
incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/spec/View.java
incubator/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/render/SanitizedRenderingContentRewriterTest.java
incubator/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/spec/ViewTest.java
Modified: incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/DefaultUrlGenerator.java
URL: http://svn.apache.org/viewvc/incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/DefaultUrlGenerator.java?rev=748734&r1=748733&r2=748734&view=diff
==============================================================================
--- incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/DefaultUrlGenerator.java (original)
+++ incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/DefaultUrlGenerator.java Fri Feb 27 23:06:32 2009
@@ -121,6 +121,7 @@
uri = new UriBuilder(view.getHref());
break;
case HTML:
+ case X_HTML_SANITIZED:
default:
Uri iframeBaseUri = iframeBaseUris.get(context.getContainer());
uri = iframeBaseUri != null ? new UriBuilder(iframeBaseUri) : new UriBuilder();
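Review bot: The added `case X_HTML_SANITIZED:` changes nothing at runtime, because it falls straight into the `default:` branch that already caught every type not matched above; its value is purely documentary. If the intent is that sanitized views are always served through the iframe base URI like plain HTML, a one-line comment, `// x-html-sanitized renders through the iframe exactly like html`, would record that and make a later split of the two cases a deliberate decision. The enclosing switch and method begin and end outside the hunk.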
Modified: incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/Gadget.java
URL: http://svn.apache.org/viewvc/incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/Gadget.java?rev=748734&r1=748733&r2=748734&view=diff
==============================================================================
--- incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/Gadget.java (original)
+++ incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/Gadget.java Fri Feb 27 23:06:32 2009
@@ -18,16 +18,17 @@
package org.apache.shindig.gadgets;
import org.apache.shindig.gadgets.preload.PreloadedData;
+import org.apache.shindig.gadgets.servlet.ProxyBase;
import org.apache.shindig.gadgets.spec.GadgetSpec;
import org.apache.shindig.gadgets.spec.LocaleSpec;
import org.apache.shindig.gadgets.spec.View;
+import com.google.common.collect.Sets;
+
import java.util.Collection;
import java.util.Collections;
import java.util.Set;
-import com.google.common.collect.Sets;
-
/**
* Intermediary representation of all state associated with processing
* of a single gadget request.
@@ -131,4 +132,13 @@
return removedFeatures;
}
+
+ /**
+ * Should the gadget content be sanitized on output
+ * @return
+ */
+ public boolean sanitizeOutput() {
+ return (getCurrentView().getType() == View.ContentType.X_HTML_SANITIZED ||
+ "1".equals(getContext().getParameter(ProxyBase.SANITIZE_CONTENT_PARAM)));
+ }
}
\ No newline at end of file
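Review bot: `sanitizeOutput()` dereferences `getCurrentView()` without a null check, and the test changes in this commit have to call `setCurrentView(...)` explicitly before rewriting, which suggests the current view is not always populated when this is queried; a missing view would then surface as a NullPointerException instead of a sanitization decision. Suggest `View view = getCurrentView();` followed by `return (view != null && view.getType() == View.ContentType.X_HTML_SANITIZED) || "1".equals(getContext().getParameter(ProxyBase.SANITIZE_CONTENT_PARAM));`, or else document that a current view is a precondition. The Javadoc `@return` is empty; `@return true if the current view is of type x-html-sanitized or the request sets the ProxyBase.SANITIZE_CONTENT_PARAM parameter to "1"` states the contract.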
Modified: incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/render/RenderingContentRewriter.java
URL: http://svn.apache.org/viewvc/incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/render/RenderingContentRewriter.java?rev=748734&r1=748733&r2=748734&view=diff
==============================================================================
--- incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/render/RenderingContentRewriter.java (original)
+++ incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/render/RenderingContentRewriter.java Fri Feb 27 23:06:32 2009
@@ -46,6 +46,13 @@
import org.apache.shindig.gadgets.spec.ModulePrefs;
import org.apache.shindig.gadgets.spec.UserPref;
import org.apache.shindig.gadgets.spec.View;
+
+import com.google.common.collect.ImmutableSet;
+import com.google.common.collect.Lists;
+import com.google.common.collect.Maps;
+import com.google.common.collect.Sets;
+import com.google.inject.Inject;
+
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
@@ -61,12 +68,6 @@
import java.util.logging.Level;
import java.util.logging.Logger;
-import com.google.common.collect.ImmutableSet;
-import com.google.common.collect.Lists;
-import com.google.common.collect.Maps;
-import com.google.common.collect.Sets;
-import com.google.inject.Inject;
-
/**
* Produces a valid HTML document for the gadget output, automatically inserting appropriate HTML
* document wrapper data as needed.
@@ -120,7 +121,7 @@
public RewriterResults rewrite(Gadget gadget, MutableContent mutableContent) {
// Don't touch sanitized gadgets.
- if ("1".equals(gadget.getContext().getParameter("sanitize"))) {
+ if (gadget.sanitizeOutput()) {
return RewriterResults.notCacheable();
}
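Review bot: The comment `// Don't touch sanitized gadgets.` was written when the only trigger was the request parameter, but the replaced condition now also fires for `x-html-sanitized` views, so the comment under-describes the branch. Suggest `// Don't touch sanitized gadgets (x-html-sanitized views or sanitize=1 requests).` so the second trigger is visible at the call site. The enclosing `rewrite` method continues outside the hunk.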
@@ -140,7 +141,6 @@
head.removeChild(n);
}
-
// Only inject default styles if no doctype was specified.
if (document.getDoctype() == null) {
Element defaultStyle = document.createElement("style");
Modified: incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/render/SanitizedRenderingContentRewriter.java
URL: http://svn.apache.org/viewvc/incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/render/SanitizedRenderingContentRewriter.java?rev=748734&r1=748733&r2=748734&view=diff
==============================================================================
--- incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/render/SanitizedRenderingContentRewriter.java (original)
+++ incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/render/SanitizedRenderingContentRewriter.java Fri Feb 27 23:06:32 2009
@@ -80,6 +80,15 @@
private static final Map<String, ImmutableSet<String>> PROXY_IMAGE_ATTRIBUTES =
ImmutableMap.of("img", ImmutableSet.of("src"));
+ /**
+ * Is the Gadget to be rendered sanitized
+ * @param gadget
+ * @return
+ */
+ public static boolean isSanitizedRenderingRequest(Gadget gadget) {
+ return ("1".equals(gadget.getContext().getParameter("sanitize")));
+ }
+
private final Set<String> allowedTags;
private final Set<String> allowedAttributes;
private final CajaCssSanitizer cssSanitizer;
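Review bot: The new `isSanitizedRenderingRequest(Gadget)` checks only the literal `"sanitize"` request parameter and ignores the `X_HTML_SANITIZED` view type, so it disagrees both with `Gadget.sanitizeOutput()` introduced in this same commit and with the `rewrite()` check in the next hunk, which uses `ProxyBase.SANITIZE_CONTENT_PARAM`; any caller of this helper would treat an x-html-sanitized view as unsanitized. Suggest `return gadget.sanitizeOutput();` so there is exactly one definition of a sanitized request, and fill in the empty Javadoc with `@param gadget the gadget being rendered` and `@return true if its output must be sanitized`. No caller of the helper appears in this diff, so it may also be dead code worth dropping rather than fixing.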
@@ -122,7 +131,7 @@
}
public RewriterResults rewrite(Gadget gadget, MutableContent content) {
- if ("1".equals(gadget.getContext().getParameter(ProxyBase.SANITIZE_CONTENT_PARAM))) {
+ if (gadget.sanitizeOutput()) {
boolean sanitized = false;
try {
new NodeSanitizer(gadget).sanitize(content.getDocument().getDocumentElement());
Modified: incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/JsonRpcHandler.java
URL: http://svn.apache.org/viewvc/incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/JsonRpcHandler.java?rev=748734&r1=748733&r2=748734&view=diff
==============================================================================
--- incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/JsonRpcHandler.java (original)
+++ incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/JsonRpcHandler.java Fri Feb 27 23:06:32 2009
@@ -146,7 +146,7 @@
for (View view : spec.getViews().values()) {
views.put(view.getName(), new JSONObject()
// .put("content", view.getContent())
- .put("type", view.getType().toString().toLowerCase())
+ .put("type", view.getType().toString())
.put("quirks", view.getQuirks())
.put("preferredHeight", view.getPreferredHeight())
.put("preferredWidth", view.getPreferredWidth()));
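Review bot: The `type` value written to the JSON now depends on `View.ContentType.toString()` being overridden to return the hyphenated wire spelling (the View.java hunk in this commit), which is an implicit contract a reader of this line cannot see: nothing here says the output is `x-html-sanitized` rather than `X_HTML_SANITIZED`. A short comment, `// ContentType.toString() yields the Content/@type spelling, e.g. "x-html-sanitized"`, or a named accessor on the enum used instead of `toString()`, would make the dependency explicit. The enclosing loop and method continue outside the hunk.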
Modified: incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/spec/View.java
URL: http://svn.apache.org/viewvc/incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/spec/View.java?rev=748734&r1=748733&r2=748734&view=diff
==============================================================================
--- incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/spec/View.java (original)
+++ incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/spec/View.java Fri Feb 27 23:06:32 2009
@@ -17,12 +17,14 @@
*/
package org.apache.shindig.gadgets.spec;
-import com.google.common.collect.ImmutableSet;
-import com.google.common.collect.Maps;
import org.apache.shindig.common.uri.Uri;
import org.apache.shindig.common.xml.XmlUtil;
import org.apache.shindig.gadgets.AuthType;
import org.apache.shindig.gadgets.variables.Substitutions;
+
+import com.google.common.collect.ImmutableSet;
+import com.google.common.collect.Maps;
+
import org.w3c.dom.Element;
import org.w3c.dom.NamedNodeMap;
import org.w3c.dom.Node;
@@ -330,14 +332,31 @@
* Possible values for Content/@type
*/
public enum ContentType {
- HTML, URL;
+ HTML("html"), URL("url"), X_HTML_SANITIZED("x-html-sanitized");
+
+ private String viewName;
+
+ private ContentType(String viewName) {
+ this.viewName = viewName;
+ }
/**
- * @param value
+ * @param viewName
* @return The parsed value (defaults to html)
*/
- public static ContentType parse(String value) {
- return "url".equals(value) ? URL : HTML;
+ public static ContentType parse(String viewName) {
+ viewName = viewName.toLowerCase().trim();
+ for (ContentType enumVal : ContentType.values()) {
+ if (enumVal.viewName.equals(viewName)) {
+ return enumVal;
+ }
+ }
+ return HTML;
+ }
+
+ @Override
+ public String toString() {
+ return viewName;
}
}
}
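Review bot: `parse` folds case with `viewName.toLowerCase()` under the JVM default locale, so on a server running in a locale such as Turkish an upper-case spelling like `X-HTML-SANITIZED` has its `I` mapped to dotless ı, misses the table and falls through to `HTML` — the view would then be rendered without sanitization because of a locale setting. Use `viewName.toLowerCase(Locale.ROOT).trim()` (requires importing `java.util.Locale`). The previous `"url".equals(value) ? URL : HTML` also tolerated a null argument, whereas the new code throws NullPointerException on `viewName.toLowerCase()`; if callers can pass null, add `if (viewName == null) { return HTML; }` before the fold. The field should be `private final String viewName;`, and the empty `@param viewName` Javadoc could read `@param viewName the Content/@type attribute value, matched case-insensitively after trimming`. Any unrecognized value still defaults to HTML, so a misspelled `x-html-sanitized` silently renders unsanitized; that fallback predates this change, but the `return HTML;` line deserves a comment saying the default is deliberate.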
Modified: incubator/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/render/SanitizedRenderingContentRewriterTest.java
URL: http://svn.apache.org/viewvc/incubator/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/render/SanitizedRenderingContentRewriterTest.java?rev=748734&r1=748733&r2=748734&view=diff
==============================================================================
--- incubator/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/render/SanitizedRenderingContentRewriterTest.java (original)
+++ incubator/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/render/SanitizedRenderingContentRewriterTest.java Fri Feb 27 23:06:32 2009
@@ -79,9 +79,10 @@
public void setUp() throws Exception {
Injector injector = Guice.createInjector(new TestParseModule(), new PropertiesModule());
parser = injector.getInstance(GadgetHtmlParser.class);
- gadget = new Gadget().setContext(sanitaryGadgetContext);
+ gadget = new Gadget().setContext(unsanitaryGadgetContext);
gadget.setSpec(new GadgetSpec(Uri.parse("www.example.org/gadget.xml"),
- "<Module><ModulePrefs title=''/><Content type='html'/></Module>"));
+ "<Module><ModulePrefs title=''/><Content type='x-html-sanitized'/></Module>"));
+ gadget.setCurrentView(gadget.getSpec().getViews().values().iterator().next());
}
private String rewrite(Gadget gadget, String content, Set<String> tags, Set<String> attributes) {
@@ -269,12 +270,31 @@
}
@Test
- public void doesNothingWhenNotSanitized() {
+ public void doesNothingWhenNotSanitized() throws Exception {
String markup = "<script src=\"http://evil.org/evil\"></script> <b>hello</b>";
- gadget.setContext(unsanitaryGadgetContext);
+ Gadget gadget = new Gadget().setContext(unsanitaryGadgetContext);
+ gadget.setSpec(new GadgetSpec(Uri.parse("www.example.org/gadget.xml"),
+ "<Module><ModulePrefs title=''/><Content type='html'/></Module>"));
+ gadget.setCurrentView(gadget.getSpec().getViews().values().iterator().next());
assertEquals(markup, rewrite(gadget, markup, set("b"), set()));
}
+ @Test
+ public void forceSanitizeUnsanitaryGadget() throws Exception {
+ String markup =
+ "<p><style type=\"text/css\">A { font : bold; behavior : bad }</style>text <b>bold text</b></p>" +
+ "<b>Bold text</b><i>Italic text<b>Bold text</b></i>";
+
+ String sanitized = "<html><head></head><body><p><style>A {\n font: bold\n}</style>text " +
+ "<b>bold text</b></p><b>Bold text</b></body></html>";
+
+ Gadget gadget = new Gadget().setContext(sanitaryGadgetContext);
+ gadget.setSpec(new GadgetSpec(Uri.parse("www.example.org/gadget.xml"),
+ "<Module><ModulePrefs title=''/><Content type='html'/></Module>"));
+ gadget.setCurrentView(gadget.getSpec().getViews().values().iterator().next());
+ assertEquals(sanitized, rewrite(gadget, markup, set("p", "b", "style"), set()));
+ }
+
private static class TestParseModule extends AbstractModule {
@Override
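Review bot: Both `doesNothingWhenNotSanitized` and `forceSanitizeUnsanitaryGadget` declare a local `Gadget gadget` that shadows the `gadget` field populated in `setUp`, which is easy to misread when `rewrite(gadget, ...)` is called a few lines later. Renaming the locals (for example `htmlGadget`) or extracting a small helper that takes the context and the `Content/@type` value, shared with `setUp`, would also remove the three-line spec/view construction now repeated three times in this file. The `TestParseModule` class at the end of the hunk continues outside it.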
Modified: incubator/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/spec/ViewTest.java
URL: http://svn.apache.org/viewvc/incubator/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/spec/ViewTest.java?rev=748734&r1=748733&r2=748734&view=diff
==============================================================================
--- incubator/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/spec/ViewTest.java (original)
+++ incubator/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/spec/ViewTest.java Fri Feb 27 23:06:32 2009
@@ -19,21 +19,20 @@
package org.apache.shindig.gadgets.spec;
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertTrue;
-
import org.apache.shindig.common.uri.Uri;
import org.apache.shindig.common.xml.XmlUtil;
import org.apache.shindig.expressions.RootELResolver;
import org.apache.shindig.gadgets.variables.Substitutions;
import org.apache.shindig.gadgets.variables.Substitutions.Type;
-import java.util.Arrays;
-
import org.junit.Assert;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
import org.junit.Test;
+import java.util.Arrays;
+
public class ViewTest {
private static final Uri SPEC_URL = Uri.parse("http://example.org/g.xml");
@@ -83,6 +82,18 @@
assertEquals(contentType, view.getRawType());
}
+ @Test
+ public void testHtmlSanitizedContentType() throws Exception {
+ String contentType = "x-html-sanitized";
+ String xml = "<Content" +
+ " type=\"" + contentType + '\"' +
+ " quirks=\"false\"><![CDATA[blah]]></Content>";
+ View view = new View("default", Arrays.asList(XmlUtil.parse(xml)), SPEC_URL);
+
+ assertEquals(View.ContentType.X_HTML_SANITIZED, view.getType());
+ assertEquals(contentType, view.getRawType());
+ }
+
@Test(expected = SpecParserException.class)
public void testContentTypeConflict() throws Exception {
String content1 = "<Content type=\"html\"/>";
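Review bot: The new `testHtmlSanitizedContentType` exercises only the exact lowercase spelling, while `ContentType.parse` now lowercases and trims its input and falls back to `HTML` for anything it does not recognize; none of those paths is covered. Adding cases for a mixed-case value such as `X-HTML-Sanitized`, a value with surrounding whitespace, and an unknown value asserting `View.ContentType.HTML` would pin the parsing contract — the fallback especially, since a misparsed type decides whether the view is sanitized. If the `View` constructor normalizes the attribute before parsing, call `View.ContentType.parse` directly for those cases. The `testContentTypeConflict` method at the end of the hunk continues outside it.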