Posted to commits@sling.apache.org by ro...@apache.org on 2017/11/07 10:25:30 UTC
[sling-org-apache-sling-xss] 04/07: SLING-4560 -
XSSAPI#getValidHref is empty for valid Bengali or Hindi characters
This is an automated email from the ASF dual-hosted git repository.
rombert pushed a commit to annotated tag org.apache.sling.xss-1.0.14
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-xss.git
commit 630d0227bd5c754e29fda9fe04aecb29041127c8
Author: Radu Cotescu <ra...@apache.org>
AuthorDate: Mon Aug 22 12:53:04 2016 +0000
SLING-4560 - XSSAPI#getValidHref is empty for valid Bengali or Hindi characters
* applied patch submitted by Lars Krapf to only extend the character classes accepted
by the OWASP URL regexes, instead of completely changing them like in r1756802
git-svn-id: https://svn.apache.org/repos/asf/sling/trunk/bundles/extensions/xss@1757160 13f79535-47bb-0310-9956-ffa450edef68
---
src/main/java/org/apache/sling/xss/impl/XSSFilterImpl.java | 4 ++--
src/main/resources/SLING-INF/content/config.xml | 4 ++--
src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java | 6 ++++--
3 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/src/main/java/org/apache/sling/xss/impl/XSSFilterImpl.java b/src/main/java/org/apache/sling/xss/impl/XSSFilterImpl.java
index 91b906b..23926ec 100644
--- a/src/main/java/org/apache/sling/xss/impl/XSSFilterImpl.java
+++ b/src/main/java/org/apache/sling/xss/impl/XSSFilterImpl.java
@@ -58,8 +58,8 @@ public class XSSFilterImpl implements XSSFilter, EventHandler {
static final Attribute DEFAULT_HREF_ATTRIBUTE = new Attribute(
"href",
Arrays.asList(
- Pattern.compile("(?!.*javascript:)(([^?#]*))?([^?#]*)(\\?([^#]*))?(#(.*))?(\\s)*"),
- Pattern.compile("(\\s)*((ht|f)tp(s?)://|mailto:)(([^?#]*))?([^?#]*)(\\?([^#]*))?(#(.*))?(\\s)*")
+ Pattern.compile("([\\p{L}\\p{M}*+\\p{N}\\\\\\.\\#@\\$%\\+&;\\-_~,\\?=/!\\*\\(\\)]*|\\#(\\w)+)"),
+ Pattern.compile("(\\s)*((ht|f)tp(s?)://|mailto:)[\\p{L}\\p{M}*+\\p{N}]+[\\p{L}\\p{M}*+\\p{N}\\p{Zs}\\.\\#@\\$%\\+&;:\\-_~,\\?=/!\\*\\(\\)]*(\\s)*")
),
Collections.<String>emptyList(),
"removeAttribute", ""
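Review bot: The two new Pattern literals on the `+` lines are an exact copy of the `onsiteURL`/`offsiteURL` values changed in config.xml in the same commit, with nothing tying the two copies together; a comment above `DEFAULT_HREF_ATTRIBUTE` such as `// Keep in sync with onsiteURL/offsiteURL in SLING-INF/content/config.xml` would make the duplication visible to the next editor. Two details of the regexes also deserve a comment because they are easy to misread: `*+` inside a bracket expression are the literal characters `*` and `+`, not a possessive quantifier, and the onsite class deliberately omits `:`, which, now that the `(?!.*javascript:)` lookahead is gone and assuming the pattern is applied as a full match, is the only thing that stops a scheme-bearing value from matching the first pattern. That colon exclusion is a tightening rather than the pure extension of character classes the commit message describes (a relative href such as `/page.html?t=10:30` appears to no longer match), so it is worth a line in the description or a test row pinning it. The enclosing class continues outside the hunk.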
diff --git a/src/main/resources/SLING-INF/content/config.xml b/src/main/resources/SLING-INF/content/config.xml
index 7dcba85..f71b704 100644
--- a/src/main/resources/SLING-INF/content/config.xml
+++ b/src/main/resources/SLING-INF/content/config.xml
@@ -67,8 +67,8 @@ http://www.w3.org/TR/html401/struct/global.html
<regexp name="htmlClass" value="[a-zA-Z0-9\s,\-_]+"/>
<!-- Allow empty URL attributes with a '*'-quantifier instead of '+' for the first part of the regexp -->
- <regexp name="onsiteURL" value="(?!.*javascript:)(([^?#]*))?([^?#]*)(\?([^#]*))?(#(.*))?(\s)*"/>
- <regexp name="offsiteURL" value="(\s)*((ht|f)tp(s?)://|mailto:)(([^?#]*))?([^?#]*)(\?([^#]*))?(#(.*))?(\s)*"/>
+ <regexp name="onsiteURL" value="([\p{L}\p{M}*+\p{N}\\\.\#@\$%\+&;\-_~,\?=/!\*\(\)]*|\#(\w)+)"/>
+ <regexp name="offsiteURL" value="(\s)*((ht|f)tp(s?)://|mailto:)[\p{L}\p{M}*+\p{N}]+[\p{L}\p{M}*+\p{N}\p{Zs}\.\#@\$%\+&;:\-_~,\?=/!\*\(\)]*(\s)*"/>
<regexp name="boolean" value="(true|false)"/>
<regexp name="singlePrintable" value="[a-zA-Z0-9]{1}"/>
diff --git a/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java b/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
index efe9dc5..e8b9e42 100644
--- a/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
+++ b/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
@@ -204,7 +204,9 @@ public class XSSAPIImplTest {
{"<strike>strike</strike>", "<strike>strike</strike>"},
{"<s>s</s>", "<s>s</s>"},
- {"<a href=\"\">empty href</a>", "<a href=\"\">empty href</a>"}
+ {"<a href=\"\">empty href</a>", "<a href=\"\">empty href</a>"},
+ {"<a href=\" javascript:alert(23)\">space</a>","<a>space</a>"},
+ {"<table background=\"http://www.google.com\"></table>", "<table></table>"},
};
for (String[] aTestData : testData) {
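Review bot: The two added rows only exercise rejection (a leading-space `javascript:` href and a `background` attribute); nothing here pins the intended behaviour changes of the new patterns. Consider adding a positive row for the offsite pattern with non-ASCII path characters, since its class was also widened to `\p{L}\p{M}\p{N}`, and a negative row for an onsite href containing `:` in its path, since the new onsite class no longer accepts a colon. If the filter applies the pattern to the decoded attribute value, an entity-encoded colon variant of the `javascript:` row would also confirm that decoding happens before the pattern is checked. The `for` loop starting on the last context line continues outside the hunk.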
@@ -221,7 +223,7 @@ public class XSSAPIImplTest {
// Href Expected Result
//
{"/etc/commerce/collections/中文", "/etc/commerce/collections/中文"},
- {"/etc/commerce/collections/⺁〡〢☉⊕〒", "/etc/commerce/collections/⺁〡〢☉⊕〒"},
+ {"/etc/commerce/collections/\u09aa\u09b0\u09c0\u0995\u09cd\u09b7\u09be\u09ae\u09c2\u09b2\u0995", "/etc/commerce/collections/\u09aa\u09b0\u09c0\u0995\u09cd\u09b7\u09be\u09ae\u09c2\u09b2\u0995"},
{null, ""},
{"", ""},
{"simple", "simple"},
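Review bot: The removed row (`⺁〡〢☉⊕〒`) is replaced rather than kept, which silently drops the fact that these characters are no longer accepted: they appear to fall in Unicode symbol categories (So/Sm) and a number-letter (Nl), and the new character class covers only `\p{L}`, `\p{M}`, `\p{N}` plus listed punctuation, so the old expectation would presumably fail now. Keeping the row with the new expected result (whatever the filter now returns for it, likely an empty href) alongside the added Bengali row would document the narrowing instead of hiding it. The Bengali addition itself looks right for SLING-4560 since it includes combining vowel signs, which is what `\p{M}` in the new class is for.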