Posted to commits@jspwiki.apache.org by br...@apache.org on 2022/03/15 21:27:09 UTC
[jspwiki] branch master updated: 2.11.3-git-03 / xss protection
This is an automated email from the ASF dual-hosted git repository.
brushed pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/jspwiki.git
The following commit(s) were added to refs/heads/master by this push:
new d7e57a3 2.11.3-git-03 / xss protection
d7e57a3 is described below
commit d7e57a3f5d9b8dc140621dc26016985d306c00c7
Author: brushed <di...@gmail.com>
AuthorDate: Tue Mar 15 22:26:55 2022 +0100
2.11.3-git-03 / xss protection
Denounce plugin: sanitizes the plugin attributes to protect against XSS attacks.
---
ChangeLog.md | 7 +++++++
jspwiki-api/src/main/java/org/apache/wiki/api/Release.java | 2 +-
jspwiki-main/src/main/java/org/apache/wiki/plugin/Denounce.java | 3 ++-
jspwiki-war/src/main/webapp/templates/default/CommentContent.jsp | 2 +-
jspwiki-war/src/main/webapp/templates/default/DiffTab.jsp | 3 +--
jspwiki-war/src/main/webapp/templates/default/EditContent.jsp | 4 ++--
jspwiki-war/src/main/webapp/templates/default/FindContent.jsp | 2 +-
jspwiki-war/src/main/webapp/templates/default/UserBox.jsp | 7 +++++--
jspwiki-war/src/main/webapp/templates/default/ViewTemplate.jsp | 2 +-
jspwiki-war/src/main/webapp/templates/default/WorkflowContent.jsp | 8 ++++----
.../src/main/webapp/templates/default/admin/UserManagement.jsp | 6 ++++--
jspwiki-war/src/main/webapp/templates/raw/ViewTemplate.jsp | 1 +
jspwiki-war/src/main/webapp/templates/reader/ViewTemplate.jsp | 2 +-
13 files changed, 31 insertions(+), 18 deletions(-)
diff --git a/ChangeLog.md b/ChangeLog.md
index bbc4fe4..161da52 100644
--- a/ChangeLog.md
+++ b/ChangeLog.md
@@ -17,6 +17,13 @@ specific language governing permissions and limitations
under the License.
-->
+**2022-03-15 Dirk Frederickx (brushed AT apache DOT org)**
+
+* _2.11.3-git-03_
+
+* Denounce plugin: sanities the plugin attributes to protect against Xss attacks.
+
+
**2022-03-11 Juan Pablo Santos (juanpablo AT apache DOT org)**
* _2.11.3-git-02_
diff --git a/jspwiki-api/src/main/java/org/apache/wiki/api/Release.java b/jspwiki-api/src/main/java/org/apache/wiki/api/Release.java
index 0da36fc..0a3fb2e 100644
--- a/jspwiki-api/src/main/java/org/apache/wiki/api/Release.java
+++ b/jspwiki-api/src/main/java/org/apache/wiki/api/Release.java
@@ -69,7 +69,7 @@ public final class Release {
* <p>
* If the build identifier is empty, it is not added.
*/
- public static final String BUILD = "02";
+ public static final String BUILD = "03";
/**
* This is the generic version string you should use when printing out the version. It is of
diff --git a/jspwiki-main/src/main/java/org/apache/wiki/plugin/Denounce.java b/jspwiki-main/src/main/java/org/apache/wiki/plugin/Denounce.java
index bbf90cc..e40fec0 100644
--- a/jspwiki-main/src/main/java/org/apache/wiki/plugin/Denounce.java
+++ b/jspwiki-main/src/main/java/org/apache/wiki/plugin/Denounce.java
@@ -124,7 +124,8 @@ public class Denounce implements Plugin {
*/
@Override
public String execute( final Context context, final Map<String, String> params ) throws PluginException {
- final String link = params.get( PARAM_LINK );
+ final String link = TextUtil.replaceEntities( params.get( PARAM_LINK ) );
+ //final String link = params.get( PARAM_LINK );
String text = params.get( PARAM_TEXT );
boolean linkAllowed = true;
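Review bot: The commented-out copy of the old assignment, `//final String link = params.get( PARAM_LINK );`, should be dropped; version history already keeps it, and a dead duplicate next to the live line invites someone to flip it back. Two things the hunk does not settle: whether `TextUtil.replaceEntities` tolerates the `null` that `params.get( PARAM_LINK )` returns when the attribute is absent (if it does not, a missing `link` now throws where it previously fell through to the `linkAllowed` logic), and whether `text` from `PARAM_TEXT` on the following line is escaped before it is emitted, since it is read unescaped here while the commit message says the plugin's attributes are sanitized. Entity replacement neutralises markup and attribute breakout but does not by itself reject unsafe URL schemes, so if `link` is rendered into an `href` the scheme should be validated as well. The body of `execute` continues past the end of the hunk.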
diff --git a/jspwiki-war/src/main/webapp/templates/default/CommentContent.jsp b/jspwiki-war/src/main/webapp/templates/default/CommentContent.jsp
index 411b6204..b8037c1 100644
--- a/jspwiki-war/src/main/webapp/templates/default/CommentContent.jsp
+++ b/jspwiki-war/src/main/webapp/templates/default/CommentContent.jsp
@@ -37,6 +37,6 @@
</c:if>
<wiki:InsertPage />
</div>
- <div data-resize=".comment-page" title="<fmt:message key='editor.plain.comment.resize'/>" ></div>
+ <div class="resizer" data-resize=".comment-page" title="<fmt:message key='editor.plain.comment.resize'/>" ></div>
<wiki:Editor />
</div>
\ No newline at end of file
diff --git a/jspwiki-war/src/main/webapp/templates/default/DiffTab.jsp b/jspwiki-war/src/main/webapp/templates/default/DiffTab.jsp
index 0c6e60e..126273e 100644
--- a/jspwiki-war/src/main/webapp/templates/default/DiffTab.jsp
+++ b/jspwiki-war/src/main/webapp/templates/default/DiffTab.jsp
@@ -22,7 +22,6 @@
<%@ page import="org.apache.wiki.api.core.*" %>
<%@ page import="org.apache.wiki.pages.PageManager" %>
<%@ page import="org.apache.wiki.tags.InsertDiffTag" %>
-<%@ page import="org.apache.wiki.variables.VariableManager" %>
<%@ taglib uri="http://jspwiki.apache.org/tags" prefix="wiki" %>
<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
<%@ taglib uri="http://java.sun.com/jsp/jstl/fmt" prefix="fmt" %>
@@ -32,7 +31,7 @@
Context c = Context.findContext( pageContext );
%>
<c:set var="history" value="<%= c.getEngine().getManager( PageManager.class ).getVersionHistory(c.getPage().getName()) %>" />
-<c:set var="diffprovider" value='<%= c.getEngine().getManager( VariableManager.class ).getVariable(c,"jspwiki.diffProvider") %>' />
+<c:set var="diffprovider"><wiki:Variable var="jspwiki.diffProvider" /></c:set>
<wiki:PageExists>
<form action="<wiki:Link jsp='Diff.jsp' format='url' />"
class="diffbody form-inline"
diff --git a/jspwiki-war/src/main/webapp/templates/default/EditContent.jsp b/jspwiki-war/src/main/webapp/templates/default/EditContent.jsp
index 4700f24..2b82513 100644
--- a/jspwiki-war/src/main/webapp/templates/default/EditContent.jsp
+++ b/jspwiki-war/src/main/webapp/templates/default/EditContent.jsp
@@ -44,9 +44,9 @@
</wiki:CheckLock>
<wiki:CheckVersion mode="notlatest">
- <div class="alert alert-danger">
+ <div class="alert alert-warning center">
<fmt:message key="edit.restoring">
- <fmt:param><wiki:PageVersion/></fmt:param>
+ <fmt:param><span class="version-badge"><wiki:PageVersion/></span></fmt:param>
</fmt:message>
</div>
</wiki:CheckVersion>
diff --git a/jspwiki-war/src/main/webapp/templates/default/FindContent.jsp b/jspwiki-war/src/main/webapp/templates/default/FindContent.jsp
index b2eefd6..c85371c 100644
--- a/jspwiki-war/src/main/webapp/templates/default/FindContent.jsp
+++ b/jspwiki-war/src/main/webapp/templates/default/FindContent.jsp
@@ -44,7 +44,7 @@
<div class="form-inline form-group">
- <input class="btn btn-primary" type="submit" name="ok" id="ok" value="<fmt:message key="find.submit.find"/>" />
+ <input class="btn active" type="submit" name="ok" id="ok" value="<fmt:message key="find.submit.find"/>" />
<input class="btn btn-default" type="submit" name="go" id="go" value="<fmt:message key="find.submit.go"/>" />
<input type="hidden" name="start" id="start" value="0" />
<input type="hidden" name="maxitems" id="maxitems" value="20" />
diff --git a/jspwiki-war/src/main/webapp/templates/default/UserBox.jsp b/jspwiki-war/src/main/webapp/templates/default/UserBox.jsp
index 5b74471..1ce74e4 100644
--- a/jspwiki-war/src/main/webapp/templates/default/UserBox.jsp
+++ b/jspwiki-war/src/main/webapp/templates/default/UserBox.jsp
@@ -105,9 +105,12 @@
--%>
<wiki:UserCheck status="authenticated">
<a href="<wiki:Link jsp='Logout.jsp' format='url' />"
- class="btn btn-default btn-block logout" data-modal=".modal">
+ class="btn btn-default btn-block logout" data-modal=".logout > .modal">
<span class="icon-signout"></span> <fmt:message key="actions.logout"/>
- <div class="modal"><fmt:message key='actions.confirmlogout'/></div>
+ <div class="modal">
+ <h4><fmt:message key="actions.logout"/></h4>
+ <p><fmt:message key='actions.confirmlogout'/></p>
+ </div>
</a>
</wiki:UserCheck>
</li>
diff --git a/jspwiki-war/src/main/webapp/templates/default/ViewTemplate.jsp b/jspwiki-war/src/main/webapp/templates/default/ViewTemplate.jsp
index d118853..0f860d1 100644
--- a/jspwiki-war/src/main/webapp/templates/default/ViewTemplate.jsp
+++ b/jspwiki-war/src/main/webapp/templates/default/ViewTemplate.jsp
@@ -58,7 +58,7 @@
<c:set var="sidebarCookie" value="" />
</wiki:CheckRequestContext>
- <div class="content ${sidebarState}" data-toggle="li#menu,.sidebar>.close"
+ <div class="content ${sidebarState}" data-toggle="li#menu"
data-toggle-pref="${sidebarCookie}" >
<div class="page" role="main">
<wiki:Content/>
diff --git a/jspwiki-war/src/main/webapp/templates/default/WorkflowContent.jsp b/jspwiki-war/src/main/webapp/templates/default/WorkflowContent.jsp
index 0df42f7..a8e2b0d 100644
--- a/jspwiki-war/src/main/webapp/templates/default/WorkflowContent.jsp
+++ b/jspwiki-war/src/main/webapp/templates/default/WorkflowContent.jsp
@@ -35,8 +35,8 @@
<%-- Pending Decisions --%>
<div class="tabs">
<h4>
- <fmt:message key="workflow.decisions.heading" />
- <span class="badge">${empty decisions ? "empty" : fn:length(decisions)}</span>
+ <fmt:message key="workflow.decisions.heading" />
+ <c:if test="${!empty decisions}"><span class="badge">${fn:length(decisions)}</span></c:if>
</h4>
<c:if test="${empty decisions}">
@@ -115,8 +115,8 @@
<!-- Running workflows for which current user is the owner -->
<h4>
- <fmt:message key="workflow.workflows.heading" />
- <span class="badge">${empty workflows ? "empty" : fn:length(workflows)}</span>
+ <fmt:message key="workflow.workflows.heading" />
+ <c:if test="${!empty workflows}"><span class="badge">${fn:length(workflows)}</span></c:if>
</h4>
<c:if test="${empty workflows}">
diff --git a/jspwiki-war/src/main/webapp/templates/default/admin/UserManagement.jsp b/jspwiki-war/src/main/webapp/templates/default/admin/UserManagement.jsp
index d3a226f..abd32b5 100644
--- a/jspwiki-war/src/main/webapp/templates/default/admin/UserManagement.jsp
+++ b/jspwiki-war/src/main/webapp/templates/default/admin/UserManagement.jsp
@@ -131,8 +131,10 @@ function addNew()
</table>
<div id="useractions">
- <input type="submit" name="action" value="Remove" data-modal="+ .modal" />
- <div class="modal">"Are you sure you wish to remove this user?</div>
+ <input type="submit" name="action" value="Remove" data-modal="#useractions > .modal" />
+ <div class="modal">
+ <p>Are you sure you wish to remove this user?</p>
+ </div>
<input type="button" value="Add" onclick="javascript:addNew()"/>
</div>
</form>
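Review bot: The new confirmation text `<p>Are you sure you wish to remove this user?</p>` is a hard-coded English literal, whereas the equivalent modal added to UserBox.jsp in this same commit goes through `<fmt:message key='actions.confirmlogout'/>`; a resource-bundle key would keep the admin page translatable, assuming the fmt taglib is declared in this JSP (its directives are outside the hunk). With a key added to the bundle the line becomes `<p><fmt:message key="[NEW_MESSAGE_KEY]"/></p>`, the key name being a placeholder to choose.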
diff --git a/jspwiki-war/src/main/webapp/templates/raw/ViewTemplate.jsp b/jspwiki-war/src/main/webapp/templates/raw/ViewTemplate.jsp
index 96f58ab..1a810e9 100644
--- a/jspwiki-war/src/main/webapp/templates/raw/ViewTemplate.jsp
+++ b/jspwiki-war/src/main/webapp/templates/raw/ViewTemplate.jsp
@@ -18,6 +18,7 @@
--%>
<%@ taglib uri="http://jspwiki.apache.org/tags" prefix="wiki" %>
+<meta charset="<wiki:ContentEncoding />">
<meta name="robots" content="noindex,nofollow" />
<link rel="shortcut icon" type="image/x-icon" href="<wiki:Link format='url' jsp='images/favicon.ico'/>" />
<%-- ie6 needs next line --%>
diff --git a/jspwiki-war/src/main/webapp/templates/reader/ViewTemplate.jsp b/jspwiki-war/src/main/webapp/templates/reader/ViewTemplate.jsp
index d0c5ddf..ce41eb9 100644
--- a/jspwiki-war/src/main/webapp/templates/reader/ViewTemplate.jsp
+++ b/jspwiki-war/src/main/webapp/templates/reader/ViewTemplate.jsp
@@ -25,7 +25,7 @@
<!doctype html>
<html lang="<c:out value='${prefs.Language}' default='en'/>" name="top">
<head>
-
+ <meta charset="<wiki:ContentEncoding />">
<title>
<fmt:message key="view.title.view">
<fmt:param><wiki:Variable var="ApplicationName" /></fmt:param>