Posted to commits@sling.apache.org by bd...@apache.org on 2011/05/23 16:46:46 UTC
svn commit: r1126521 - in /sling/trunk:
bundles/servlets/post/src/main/java/org/apache/sling/servlets/post/HtmlResponse.java
launchpad/integration-tests/src/main/java/org/apache/sling/launchpad/webapp/integrationtest/issues/SLING2082Test.java
Author: bdelacretaz
Date: Mon May 23 14:46:45 2011
New Revision: 1126521
URL: http://svn.apache.org/viewvc?rev=1126521&view=rev
Log:
SLING-2082 - escape HTML output in POST response, with test
Added:
sling/trunk/launchpad/integration-tests/src/main/java/org/apache/sling/launchpad/webapp/integrationtest/issues/SLING2082Test.java (with props)
Modified:
sling/trunk/bundles/servlets/post/src/main/java/org/apache/sling/servlets/post/HtmlResponse.java
Modified: sling/trunk/bundles/servlets/post/src/main/java/org/apache/sling/servlets/post/HtmlResponse.java
URL: http://svn.apache.org/viewvc/sling/trunk/bundles/servlets/post/src/main/java/org/apache/sling/servlets/post/HtmlResponse.java?rev=1126521&r1=1126520&r2=1126521&view=diff
==============================================================================
--- sling/trunk/bundles/servlets/post/src/main/java/org/apache/sling/servlets/post/HtmlResponse.java (original)
+++ sling/trunk/bundles/servlets/post/src/main/java/org/apache/sling/servlets/post/HtmlResponse.java Mon May 23 14:46:45 2011
@@ -140,7 +140,7 @@ public class HtmlResponse extends Abstra
state = 0;
Object prop = getProperty(varBuffer.toString());
if (prop != null) {
- out.write(prop.toString());
+ out.write(htmlEscape(prop.toString()));
}
varBuffer.setLength(0);
} else {
@@ -152,4 +152,24 @@ public class HtmlResponse extends Abstra
out.flush();
}
+ /** HTML escaping */
+ static String htmlEscape(String str) {
+ if(str == null) {
+ return null;
+ }
+ final StringBuilder out = new StringBuilder();
+ for(int i=0; i < str.length(); i++) {
+ final char c = str.charAt(i);
+ if(c == '<') {
+ out.append("<");
+ } else if (c == '>') {
+ out.append(">");
+ } else if(c == '&') {
+ out.append("&");
+ } else {
+ out.append(c);
+ }
+ }
+ return out.toString();
+ }
}
\ No newline at end of file
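Review bot: The replacement strings in htmlEscape, as they appear here, are the same characters being escaped — `out.append("<")` for `'<'`, and likewise for `'>'` and `'&'` — which would make the method a no-op; this is most likely the mail archive decoding the entities, so the committed source presumably appends `&lt;`, `&gt;` and `&amp;`, but it is worth confirming in the repository. Independently, `"` and `'` are not escaped, so a value substituted into an attribute context (the added test's payload begins with `%22`, a double quote, for exactly that reason) can still terminate the attribute; an HTML escaper for a templated response should cover those two as well. The Javadoc `/** HTML escaping */` also says nothing about which characters are handled or that null is passed through; `/** Escapes &lt; &gt; &amp; " and ' so the value is safe in element content and quoted attribute values; returns null for null input. */` would pin the contract. The enclosing class continues outside the hunk.

```java
final char c = str.charAt(i);
if (c == '<') {
    out.append("&lt;");
} else if (c == '>') {
    out.append("&gt;");
} else if (c == '&') {
    out.append("&amp;");
} else if (c == '"') {
    out.append("&quot;");
} else if (c == '\'') {
    out.append("&#39;");
} else {
    out.append(c);
}
// … unchanged: null check, StringBuilder setup, loop header, return …
```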
Added: sling/trunk/launchpad/integration-tests/src/main/java/org/apache/sling/launchpad/webapp/integrationtest/issues/SLING2082Test.java
URL: http://svn.apache.org/viewvc/sling/trunk/launchpad/integration-tests/src/main/java/org/apache/sling/launchpad/webapp/integrationtest/issues/SLING2082Test.java?rev=1126521&view=auto
==============================================================================
--- sling/trunk/launchpad/integration-tests/src/main/java/org/apache/sling/launchpad/webapp/integrationtest/issues/SLING2082Test.java (added)
+++ sling/trunk/launchpad/integration-tests/src/main/java/org/apache/sling/launchpad/webapp/integrationtest/issues/SLING2082Test.java Mon May 23 14:46:45 2011
@@ -0,0 +1,36 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.sling.launchpad.webapp.integrationtest.issues;
+
+import org.apache.commons.httpclient.methods.PostMethod;
+import org.apache.sling.commons.testing.integration.HttpTestBase;
+
+public class SLING2082Test extends HttpTestBase {
+
+ public void testPOST() throws Exception {
+ final String url = HTTP_BASE_URL + "/" + getClass().getSimpleName() + "/" + Math.random() + ".html/%22%3e%3cscript%3ealert(29679)%3c/script%3e";
+ final PostMethod post = new PostMethod(url);
+ post.setFollowRedirects(false);
+ final int status = httpClient.executeMethod(post);
+ assertEquals(201, status);
+ final String content = getResponseBodyAsStream(post, 0);
+ final String scriptTag = "<script>";
+ assertFalse("Content should not contain '" + scriptTag + "'", content.contains(scriptTag));
+ }
+}
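Review bot: The assertion at the end of testPOST only checks that the literal `<script>` is absent, which would also pass if the property were dropped from the response entirely or the request path were rejected before rendering; it does not demonstrate that escaping ran. Asserting the escaped form is present, `assertTrue("Content should contain the escaped tag", content.contains("&lt;script&gt;"));`, ties the test to the fix, and since the payload deliberately starts with `%22` (a double quote) the test could also check that an unescaped `"` does not reach the output, which the escaping in HtmlResponse as shown does not appear to cover. `HTTP_BASE_URL`, `httpClient` and `getResponseBodyAsStream` come from HttpTestBase outside this file, so the exact response format being asserted on is not visible here.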
Propchange: sling/trunk/launchpad/integration-tests/src/main/java/org/apache/sling/launchpad/webapp/integrationtest/issues/SLING2082Test.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: sling/trunk/launchpad/integration-tests/src/main/java/org/apache/sling/launchpad/webapp/integrationtest/issues/SLING2082Test.java
------------------------------------------------------------------------------
svn:keywords = Author Date Id Revision Rev URL