You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@sling.apache.org by ro...@apache.org on 2017/11/07 10:25:30 UTC

[sling-org-apache-sling-xss] 04/07: SLING-4560 - XSSAPI#getValidHref is empty for valid Bengali or Hindi characters

This is an automated email from the ASF dual-hosted git repository.

rombert pushed a commit to annotated tag org.apache.sling.xss-1.0.14
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-xss.git

commit 630d0227bd5c754e29fda9fe04aecb29041127c8
Author: Radu Cotescu <ra...@apache.org>
AuthorDate: Mon Aug 22 12:53:04 2016 +0000

    SLING-4560 - XSSAPI#getValidHref is empty for valid Bengali or Hindi characters
    
    * applied patch submitted by Lars Krapf to only extend the character classes accepted
    by the OWASP URL regexes, instead of completely changing them like in r1756802
    
    git-svn-id: https://svn.apache.org/repos/asf/sling/trunk/bundles/extensions/xss@1757160 13f79535-47bb-0310-9956-ffa450edef68
---
 src/main/java/org/apache/sling/xss/impl/XSSFilterImpl.java  | 4 ++--
 src/main/resources/SLING-INF/content/config.xml             | 4 ++--
 src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java | 6 ++++--
 3 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/src/main/java/org/apache/sling/xss/impl/XSSFilterImpl.java b/src/main/java/org/apache/sling/xss/impl/XSSFilterImpl.java
index 91b906b..23926ec 100644
--- a/src/main/java/org/apache/sling/xss/impl/XSSFilterImpl.java
+++ b/src/main/java/org/apache/sling/xss/impl/XSSFilterImpl.java
@@ -58,8 +58,8 @@ public class XSSFilterImpl implements XSSFilter, EventHandler {
     static final Attribute DEFAULT_HREF_ATTRIBUTE = new Attribute(
             "href",
             Arrays.asList(
-                    Pattern.compile("(?!.*javascript:)(([^?#]*))?([^?#]*)(\\?([^#]*))?(#(.*))?(\\s)*"),
-                    Pattern.compile("(\\s)*((ht|f)tp(s?)://|mailto:)(([^?#]*))?([^?#]*)(\\?([^#]*))?(#(.*))?(\\s)*")
+                    Pattern.compile("([\\p{L}\\p{M}*+\\p{N}\\\\\\.\\#@\\$%\\+&;\\-_~,\\?=/!\\*\\(\\)]*|\\#(\\w)+)"),
+                    Pattern.compile("(\\s)*((ht|f)tp(s?)://|mailto:)[\\p{L}\\p{M}*+\\p{N}]+[\\p{L}\\p{M}*+\\p{N}\\p{Zs}\\.\\#@\\$%\\+&;:\\-_~,\\?=/!\\*\\(\\)]*(\\s)*")
             ),
             Collections.<String>emptyList(),
             "removeAttribute", ""
diff --git a/src/main/resources/SLING-INF/content/config.xml b/src/main/resources/SLING-INF/content/config.xml
index 7dcba85..f71b704 100644
--- a/src/main/resources/SLING-INF/content/config.xml
+++ b/src/main/resources/SLING-INF/content/config.xml
@@ -67,8 +67,8 @@ http://www.w3.org/TR/html401/struct/global.html
         <regexp name="htmlClass" value="[a-zA-Z0-9\s,\-_]+"/>
 
         <!-- Allow empty URL attributes with a '*'-quantifier instead of '+' for the first part of the regexp -->
-        <regexp name="onsiteURL" value="(?!.*javascript:)(([^?#]*))?([^?#]*)(\?([^#]*))?(#(.*))?(\s)*"/>
-        <regexp name="offsiteURL" value="(\s)*((ht|f)tp(s?)://|mailto:)(([^?#]*))?([^?#]*)(\?([^#]*))?(#(.*))?(\s)*"/>
+        <regexp name="onsiteURL" value="([\p{L}\p{M}*+\p{N}\\\.\#@\$%\+&amp;;\-_~,\?=/!\*\(\)]*|\#(\w)+)"/>
+        <regexp name="offsiteURL" value="(\s)*((ht|f)tp(s?)://|mailto:)[\p{L}\p{M}*+\p{N}]+[\p{L}\p{M}*+\p{N}\p{Zs}\.\#@\$%\+&amp;;:\-_~,\?=/!\*\(\)]*(\s)*"/>
 
         <regexp name="boolean" value="(true|false)"/>
         <regexp name="singlePrintable" value="[a-zA-Z0-9]{1}"/>
diff --git a/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java b/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
index efe9dc5..e8b9e42 100644
--- a/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
+++ b/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
@@ -204,7 +204,9 @@ public class XSSAPIImplTest {
                 {"<strike>strike</strike>", "<strike>strike</strike>"},
                 {"<s>s</s>", "<s>s</s>"},
 
-                {"<a href=\"\">empty href</a>", "<a href=\"\">empty href</a>"}
+                {"<a href=\"\">empty href</a>", "<a href=\"\">empty href</a>"},
+                {"<a href=\" javascript:alert(23)\">space</a>","<a>space</a>"},
+                {"<table background=\"http://www.google.com\"></table>", "<table></table>"},
         };
 
         for (String[] aTestData : testData) {
@@ -221,7 +223,7 @@ public class XSSAPIImplTest {
                 //         Href                                        Expected Result
                 //
                 {"/etc/commerce/collections/中文", "/etc/commerce/collections/中文"},
-                {"/etc/commerce/collections/⺁〡〢☉⊕〒", "/etc/commerce/collections/⺁〡〢☉⊕〒"},
+                {"/etc/commerce/collections/\u09aa\u09b0\u09c0\u0995\u09cd\u09b7\u09be\u09ae\u09c2\u09b2\u0995", "/etc/commerce/collections/\u09aa\u09b0\u09c0\u0995\u09cd\u09b7\u09be\u09ae\u09c2\u09b2\u0995"},
                 {null, ""},
                 {"", ""},
                 {"simple", "simple"},

-- 
To stop receiving notification emails like this one, please contact
"commits@sling.apache.org" <co...@sling.apache.org>.