Posted to commits@sling.apache.org by kw...@apache.org on 2022/08/13 13:58:47 UTC

[sling-org-apache-sling-scripting-sightly] branch feature/SLING-11538-jsonstring-context created (now c57f631)

This is an automated email from the ASF dual-hosted git repository.

kwin pushed a change to branch feature/SLING-11538-jsonstring-context
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-scripting-sightly.git


      at c57f631  SLING-11538 add output context for JSON string

This branch includes the following new commits:

     new c57f631  SLING-11538 add output context for JSON string

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.



[sling-org-apache-sling-scripting-sightly] 01/01: SLING-11538 add output context for JSON string

Posted by kw...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

kwin pushed a commit to branch feature/SLING-11538-jsonstring-context
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-scripting-sightly.git

commit c57f63198596d13040c604c97478de464cf42419
Author: Konrad Windszus <kw...@apache.org>
AuthorDate: Sat Aug 13 15:58:43 2022 +0200

    SLING-11538 add output context for JSON string
---
 pom.xml                                            |  1 -
 .../impl/engine/extension/XSSRuntimeExtension.java | 16 +++++++++++
 .../engine/extension/XSSRuntimeExtensionTest.java  | 32 ++++++++++++++++++++++
 3 files changed, 48 insertions(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index 2cf7c35..0689c4f 100644
--- a/pom.xml
+++ b/pom.xml
@@ -298,7 +298,6 @@
             <version>2.5</version>
             <scope>provided</scope>
         </dependency>
-
         <dependency>
             <groupId>org.jetbrains</groupId>
             <artifactId>annotations</artifactId>
diff --git a/src/main/java/org/apache/sling/scripting/sightly/impl/engine/extension/XSSRuntimeExtension.java b/src/main/java/org/apache/sling/scripting/sightly/impl/engine/extension/XSSRuntimeExtension.java
index 40d78bb..c282f86 100644
--- a/src/main/java/org/apache/sling/scripting/sightly/impl/engine/extension/XSSRuntimeExtension.java
+++ b/src/main/java/org/apache/sling/scripting/sightly/impl/engine/extension/XSSRuntimeExtension.java
@@ -24,6 +24,7 @@ import java.util.Map;
 import java.util.Set;
 import java.util.regex.Pattern;
 
+import org.apache.commons.lang3.StringEscapeUtils;
 import org.apache.sling.scripting.sightly.SightlyException;
 import org.apache.sling.scripting.sightly.extension.RuntimeExtension;
 import org.apache.sling.scripting.sightly.render.RenderContext;
@@ -126,6 +127,8 @@ public class XSSRuntimeExtension implements RuntimeExtension {
                 return xssApi.encodeForJSString(text);
             case STYLE_STRING:
                 return xssApi.encodeForCSSString(text);
+            case JSON_STRING:
+                return encodeForJsonString(text);
             case SCRIPT_COMMENT:
             case STYLE_COMMENT:
                 return xssApi.getValidMultiLineComment(text, "");
@@ -137,6 +140,18 @@ public class XSSRuntimeExtension implements RuntimeExtension {
         return text; //todo: apply the rest of XSS filters
     }
 
+    // TODO: move to XssApi
+    /**
+     * Escapes a given text so that it is compliant with the grammar for JSON strings as specified in ECMA-404.
+     * 
+     * @param text the text to escape
+     * @return the escaped text for using it inside a JSON string (excluding the surrounding quotes)
+     * @see <a href="https://www.ecma-international.org/wp-content/uploads/ECMA-404_2nd_edition_december_2017.pdf">ECMA-404: The JSON Data Interchange Syntax</a>
+     */
+    static String encodeForJsonString(String text) {
+        return StringEscapeUtils.escapeJson(text);
+    }
+
     private String escapeElementName(String original) {
         original = original.trim();
         if (elementNameWhiteList.contains(original.toLowerCase())) {
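Review bot: `encodeForJsonString` passes a null `text` straight through, because `StringEscapeUtils.escapeJson(null)` returns null, and the Javadoc does not say so; either document it (`@return the escaped text ..., or {@code null} if {@code text} is {@code null}`) or map null to `""`, depending on what the `case JSON_STRING` branch in the previous hunk can receive (that switch's method starts and ends outside the hunk). The Javadoc should also state what the escaping does beyond the ECMA-404 minimum: commons-lang's `escapeJson` additionally escapes `/` as `\/` and rewrites every character outside U+0020–U+007F as a `\uXXXX` sequence, which matters to anyone comparing or sizing the output. `org.apache.commons.lang3.StringEscapeUtils` is deprecated since commons-lang3 3.6 in favour of `org.apache.commons.text.StringEscapeUtils`, so if the version resolved through pom.xml is 3.6 or newer the import added in this file's first hunk will warn, which makes the `TODO: move to XssApi` more than cosmetic. Finally, the result is only safe inside a JSON string literal; when the JSON document is itself written into HTML markup the surrounding HTML context still needs its own encoding, and a sentence saying so in the Javadoc would prevent the new context from being used as a substitute for it.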
@@ -249,6 +264,7 @@ public class XSSRuntimeExtension implements RuntimeExtension {
         SCRIPT_STRING("scriptString"),
         SCRIPT_COMMENT("scriptComment"),
         SCRIPT_REGEXP("scriptRegExp"),
+        JSON_STRING("jsonString"),
         STYLE_TOKEN("styleToken"),
         STYLE_STRING("styleString"),
         STYLE_COMMENT("styleComment"),
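Review bot: The new `JSON_STRING("jsonString")` constant is the template-facing name of the context, but nothing in this commit documents it for template authors or says how it differs from the existing `SCRIPT_STRING`; a Javadoc line on the constant such as `/** Escapes for use inside a JSON string literal (ECMA-404), excluding the quotes. */` would help, and the project's context reference presumably needs a matching entry. The enum declaration starts and ends outside this hunk.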
diff --git a/src/test/java/org/apache/sling/scripting/sightly/impl/engine/extension/XSSRuntimeExtensionTest.java b/src/test/java/org/apache/sling/scripting/sightly/impl/engine/extension/XSSRuntimeExtensionTest.java
new file mode 100644
index 0000000..e485703
--- /dev/null
+++ b/src/test/java/org/apache/sling/scripting/sightly/impl/engine/extension/XSSRuntimeExtensionTest.java
@@ -0,0 +1,32 @@
+/*******************************************************************************
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ ******************************************************************************/
+package org.apache.sling.scripting.sightly.impl.engine.extension;
+
+import static org.junit.Assert.assertEquals;
+
+import org.junit.Test;
+
+public class XSSRuntimeExtensionTest {
+
+    @Test
+    public void testEncodeForJsonString() {
+        assertEquals("\\\"'\\\\\\t |", XSSRuntimeExtension.encodeForJsonString("\"\'\\\t |"));
+        
+    }
+}
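Review bot: The single assertion in `testEncodeForJsonString` covers quote, backslash and tab but none of the cases where JSON string escaping differs from ordinary string escaping, so a regression in control-character or slash handling would pass unnoticed. Adding `assertEquals("\\/", XSSRuntimeExtension.encodeForJsonString("/"));`, `assertEquals("\\n\\r", XSSRuntimeExtension.encodeForJsonString("\n\r"));` and `assertEquals("\\u0001", XSSRuntimeExtension.encodeForJsonString("\u0001"));` pins the ECMA-404 requirement that all of U+0000–U+001F are escaped, which is the property the context exists to guarantee. A null-input assertion would settle the undocumented null behaviour as well, and the blank line with trailing whitespace before the closing brace can be dropped.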