Posted to commits@jspwiki.apache.org by br...@apache.org on 2019/04/28 19:10:44 UTC

[jspwiki] branch master updated: 2.11.0-M4-git-11 [JSPWIKI-1107] Fixing XSS vulnerability in the navigation breadcrumbs

This is an automated email from the ASF dual-hosted git repository.

brushed pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/jspwiki.git


The following commit(s) were added to refs/heads/master by this push:
     new 4c4b8bf  2.11.0-M4-git-11 [JSPWIKI-1107] Fixing XSS vulnerability in the navigation breadcrumbs
4c4b8bf is described below

commit 4c4b8bf2490f7d09228120507453e49ebded6b5b
Author: brushed <di...@gmail.com>
AuthorDate: Sun Apr 28 21:10:32 2019 +0200

    2.11.0-M4-git-11 [JSPWIKI-1107] Fixing XSS vulnerability in the navigation breadcrumbs
---
 ChangeLog                                            |  9 +++++++++
 .../src/main/java/org/apache/wiki/Release.java       |  2 +-
 .../java/org/apache/wiki/tags/BreadcrumbsTag.java    | 20 +++++++++++---------
 .../main/webapp/templates/default/AttachmentTab.jsp  |  3 +--
 .../main/webapp/templates/default/InfoContent.jsp    |  3 +--
 .../src/main/webapp/templates/default/Nav.jsp        |  2 +-
 6 files changed, 24 insertions(+), 15 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 1e97d25..cc4a632 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,14 @@
 2019-04-28  Dirk Frederickx (brushed AT apache DOT org)
 
+       * 2.11.0-M4-git-11
+
+       * [JSPWIKI-1107] Fixing XSS vulnerability in the navigation breadcrumbs (Trail link)
+
+       * Small ui improvement: make Attachment lists sortable on the attachment size field
+
+
+2019-04-28  Dirk Frederickx (brushed AT apache DOT org)
+
        * 2.11.0-M4-git-10
 
        * [JSPWIKI-1107], [JSPWIKI-1109] Fixing XSS vulnerability in various plugins.
diff --git a/jspwiki-main/src/main/java/org/apache/wiki/Release.java b/jspwiki-main/src/main/java/org/apache/wiki/Release.java
index c3e026e..627ddfe 100644
--- a/jspwiki-main/src/main/java/org/apache/wiki/Release.java
+++ b/jspwiki-main/src/main/java/org/apache/wiki/Release.java
@@ -72,7 +72,7 @@ public final class Release {
      *  <p>
      *  If the build identifier is empty, it is not added.
      */
-    public static final String     BUILD         = "10";
+    public static final String     BUILD         = "11";
 
     /**
      *  This is the generic version string you should use when printing out the version.  It is of
diff --git a/jspwiki-main/src/main/java/org/apache/wiki/tags/BreadcrumbsTag.java b/jspwiki-main/src/main/java/org/apache/wiki/tags/BreadcrumbsTag.java
index dd94b9b..dcdd7d8 100644
--- a/jspwiki-main/src/main/java/org/apache/wiki/tags/BreadcrumbsTag.java
+++ b/jspwiki-main/src/main/java/org/apache/wiki/tags/BreadcrumbsTag.java
@@ -1,4 +1,4 @@
-/* 
+/*
     Licensed to the Apache Software Foundation (ASF) under one
     or more contributor license agreements.  See the NOTICE file
     distributed with this work for additional information
@@ -14,11 +14,12 @@
     "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
     KIND, either express or implied.  See the License for the
     specific language governing permissions and limitations
-    under the License.  
+    under the License.
  */
 package org.apache.wiki.tags;
 
 import org.apache.wiki.WikiContext;
+import org.apache.wiki.util.TextUtil;
 
 import javax.servlet.http.HttpSession;
 import javax.servlet.jsp.JspWriter;
@@ -68,7 +69,7 @@ public class BreadcrumbsTag extends WikiTagBase
 
     /**
      *  Returns the maxpages.  This may differ from what was set by setMaxpages().
-     *  
+     *
      *  @return The current size of the pages.
      */
     public int getMaxpages()
@@ -78,7 +79,7 @@ public class BreadcrumbsTag extends WikiTagBase
 
     /**
      *  Sets how many pages to show.
-     *  
+     *
      *  @param maxpages The amount.
      */
     public void setMaxpages(int maxpages)
@@ -88,7 +89,7 @@ public class BreadcrumbsTag extends WikiTagBase
 
     /**
      *  Get the separator string.
-     *  
+     *
      *  @return The string set in setSeparator()
      */
     public String getSeparator()
@@ -98,12 +99,12 @@ public class BreadcrumbsTag extends WikiTagBase
 
     /**
      *  Set the separator string.
-     *  
+     *
      *  @param separator A string which separates the page names.
      */
     public void setSeparator(String separator)
     {
-        m_separator = separator;
+        m_separator = TextUtil.replaceEntities( separator );
     }
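Review bot: Escaping in the setter at `m_separator = TextUtil.replaceEntities( separator );` moves encoding away from the point of output, so a separator the JSP author already wrote as an entity (for example `&gt;`) is presumably double-encoded, and `getSeparator()` no longer appears to return the string that was set, contrary to its Javadoc on the line above. Encoding where `m_separator` is printed would keep the setter/getter symmetric; if the setter is kept as is, the Javadoc should say so, e.g. `@param separator A string which separates the page names; it is HTML-escaped when stored.` The places where `m_separator` is written out are outside this hunk, so I cannot tell from here whether they also escape it.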
 
     /**
@@ -174,7 +175,8 @@ public class BreadcrumbsTag extends WikiTagBase
 
             //FIXME: I can't figure out how to detect the appropriate jsp page to put here, so I hard coded Wiki.jsp
             //This breaks when you view an attachment metadata page
-            out.print("<a class=\"" + linkclass + "\" href=\"" + m_wikiContext.getViewURL(curPage)+ "\">" + curPage + "</a>");
+            out.print("<a class=\"" + linkclass + "\" href=\"" + m_wikiContext.getViewURL(curPage)+ "\">"
+                        + TextUtil.replaceEntities( curPage ) + "</a>");
 
             if( i < queueSize - 2 )
             {
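Review bot: Only the link text is escaped on the rewritten `out.print` line; the `href` attribute is still built from `m_wikiContext.getViewURL(curPage)` and `linkclass` with no attribute-context encoding, so the fix relies on getViewURL percent-encoding the page name and on linkclass being a trusted constant, neither of which is visible in this hunk. If getViewURL's result can carry `&` or quote characters, the attribute value should be entity-encoded as well, e.g. `TextUtil.replaceEntities( m_wikiContext.getViewURL(curPage) )`. A short comment on the print line naming the two contexts (`// page name: HTML text context; URL: attribute context`) would make the intent clear to the next reader. The enclosing method starts and ends outside the hunk.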
@@ -210,7 +212,7 @@ public class BreadcrumbsTag extends WikiTagBase
 
             return null;
         }
-        
+
         /**
          * @param pageName
          *            the page to be deleted from the breadcrumb
diff --git a/jspwiki-war/src/main/webapp/templates/default/AttachmentTab.jsp b/jspwiki-war/src/main/webapp/templates/default/AttachmentTab.jsp
index 1a04e0e..3cff055 100644
--- a/jspwiki-war/src/main/webapp/templates/default/AttachmentTab.jsp
+++ b/jspwiki-war/src/main/webapp/templates/default/AttachmentTab.jsp
@@ -131,8 +131,7 @@
         <fmt:formatDate value="${att.lastModified}" pattern="${prefs.DateFormat}" timeZone="${prefs.TimeZone}" />
       </td>
 
-      <td class="nowrap" title="${att.size} bytes">
-        <%-- <fmt:formatNumber value='${att.size/1024.0}' maxFractionDigits='1' minFractionDigits='1'/>&nbsp;<fmt:message key="info.kilobytes"/> --%>
+      <td class="nowrap" title="${att.size} bytes" data-sortvalue="${att.size}">
         <%= org.apache.commons.io.FileUtils.byteCountToDisplaySize( att.getSize() ) %>
       </td>
 
diff --git a/jspwiki-war/src/main/webapp/templates/default/InfoContent.jsp b/jspwiki-war/src/main/webapp/templates/default/InfoContent.jsp
index 111ccdd..78ff3df 100644
--- a/jspwiki-war/src/main/webapp/templates/default/InfoContent.jsp
+++ b/jspwiki-war/src/main/webapp/templates/default/InfoContent.jsp
@@ -348,8 +348,7 @@
 	    <fmt:formatDate value="${att.lastModified}" pattern="${prefs.DateFormat}" timeZone="${prefs.TimeZone}" />
 	  </td>
 
-      <td class="nowrap" title="${att.size} bytes">
-        <%-- <fmt:formatNumber value='${att.size/1024.0}' maxFractionDigits='1' minFractionDigits='1'/>&nbsp;<fmt:message key="info.kilobytes"/> --%>
+      <td class="nowrap" title="${att.size} bytes" data-sortvalue="${att.size}">
         <%= org.apache.commons.io.FileUtils.byteCountToDisplaySize( att.getSize() ) %>
       </td>
 
diff --git a/jspwiki-war/src/main/webapp/templates/default/Nav.jsp b/jspwiki-war/src/main/webapp/templates/default/Nav.jsp
index 7e92360..99b7868 100644
--- a/jspwiki-war/src/main/webapp/templates/default/Nav.jsp
+++ b/jspwiki-war/src/main/webapp/templates/default/Nav.jsp
@@ -56,7 +56,7 @@
       --%>
       <c:forEach items="${breadCrumbTrail}" varStatus="status" begin="2">
           <c:set var="crumb" value="${breadCrumbTrail[fn:length(breadCrumbTrail) - status.index]}" />
-          <li><wiki:Link page="${crumb}">${crumb}</wiki:Link></li>
+          <li><wiki:Link page="${crumb}">${fn:escapeXml(crumb)}</wiki:Link></li>
       </c:forEach>
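Review bot: The visible crumb text is now escaped with `fn:escapeXml(crumb)`, but the same value still reaches `page="${crumb}"` unescaped, so the link's href is safe only if `wiki:Link` encodes the page name when it builds the URL, which is not visible here and worth confirming. A one-line JSP comment above the `<li>` such as `<%-- crumb is untrusted page text: escape for display; wiki:Link is expected to encode it for the href --%>` would record that assumption for the next maintainer.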
 
     </ul>