Posted to commits@sling.apache.org by ra...@apache.org on 2020/01/28 15:19:46 UTC
[sling-org-apache-sling-xss] branch master updated: SLING-9035 -
The XSSProtectionAPIWebConsolePlugin fails to load resources when deployed
under a custom context path
This is an automated email from the ASF dual-hosted git repository.
radu pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-xss.git
The following commit(s) were added to refs/heads/master by this push:
new 08aac0f SLING-9035 - The XSSProtectionAPIWebConsolePlugin fails to load resources when deployed under a custom context path
08aac0f is described below
commit 08aac0f66c92119b3c3f54c7ff8a356dd5374df6
Author: Radu Cotescu <ra...@apache.org>
AuthorDate: Tue Jan 28 16:19:30 2020 +0100
SLING-9035 - The XSSProtectionAPIWebConsolePlugin fails to load resources when deployed under a custom context path
* make the plugin extract the console path (including context path) from the URI instead of hard-coding a value
---
.../XSSProtectionAPIWebConsolePlugin.java | 46 +++++++++++-----------
1 file changed, 24 insertions(+), 22 deletions(-)
diff --git a/src/main/java/org/apache/sling/xss/impl/webconsole/XSSProtectionAPIWebConsolePlugin.java b/src/main/java/org/apache/sling/xss/impl/webconsole/XSSProtectionAPIWebConsolePlugin.java
index 74161d0..0293aed 100644
--- a/src/main/java/org/apache/sling/xss/impl/webconsole/XSSProtectionAPIWebConsolePlugin.java
+++ b/src/main/java/org/apache/sling/xss/impl/webconsole/XSSProtectionAPIWebConsolePlugin.java
@@ -70,12 +70,12 @@ public class XSSProtectionAPIWebConsolePlugin extends HttpServlet {
static final String LABEL = "xssprotection";
static final String TITLE= "XSS Protection";
- private static final String URI_ROOT = "/system/console/" + LABEL;
- private static final String URI_CONFIG_XHR = URI_ROOT + "/config.xhr";
- private static final String URI_BLOCKED_XHR = URI_ROOT + "/blocked.json";
- private static final String URI_CONFIG_XML = URI_ROOT + "/config.xml";
+ private static final String PLUGIN_ROOT_PATH = "/" + LABEL;
+ private static final String URI_CONFIG_XHR = PLUGIN_ROOT_PATH + "/config.xhr";
+ private static final String URI_BLOCKED_XHR = PLUGIN_ROOT_PATH + "/blocked.json";
+ private static final String URI_CONFIG_XML = PLUGIN_ROOT_PATH + "/config.xml";
private static final String INTERNAL_RESOURCES_FOLDER = "/webconsole";
- private static final String RES_ROOT = URI_ROOT + INTERNAL_RESOURCES_FOLDER;
+ private static final String RES_ROOT = PLUGIN_ROOT_PATH + INTERNAL_RESOURCES_FOLDER;
private static final String RES_URI_PRETTIFY_CSS = RES_ROOT + "/prettify.css";
private static final String RES_URI_PRETTIFY_JS = RES_ROOT + "/prettify.js";
private static final String RES_URI_XSS_CSS = RES_ROOT + "/xss.css";
@@ -96,29 +96,31 @@ public class XSSProtectionAPIWebConsolePlugin extends HttpServlet {
RES_URI_CONFIG_JS));
@Override
- protected void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
- String file = FilenameUtils.getName(request.getRequestURI());
- if (file != null && CSS_RESOURCES.contains(request.getRequestURI())) {
- streamResource(response, file, "text/css");
- } else if (file != null && JS_RESOURCES.contains(request.getRequestURI())) {
- streamResource(response, file, "application/javascript");
- } else if (URI_CONFIG_XHR.equalsIgnoreCase(request.getRequestURI()) && xssFilter != null) {
- writeAntiSamyConfiguration(response);
- } else if (URI_CONFIG_XML.equalsIgnoreCase(request.getRequestURI()) && xssFilter != null) {
+ protected void doGet(HttpServletRequest request, HttpServletResponse response) {
+ String pluginResource = request.getPathInfo();
+ String consoleRoot = request.getRequestURI().substring(0, request.getRequestURI().indexOf(pluginResource));
+ if (CSS_RESOURCES.contains(pluginResource)) {
+ streamResource(response, FilenameUtils.getName(pluginResource), "text/css");
+ } else if (JS_RESOURCES.contains(pluginResource)) {
+ streamResource(response, FilenameUtils.getName(pluginResource), "application/javascript");
+ } else if (URI_CONFIG_XHR.equalsIgnoreCase(pluginResource) && xssFilter != null) {
+ writeAntiSamyConfiguration(consoleRoot, response);
+ } else if (URI_CONFIG_XML.equalsIgnoreCase(pluginResource) && xssFilter != null) {
streamAntiSamyConfiguration(response);
- } else if (URI_BLOCKED_XHR.equalsIgnoreCase(request.getRequestURI())) {
+ } else if (URI_BLOCKED_XHR.equalsIgnoreCase(pluginResource)) {
generateInvalidUrlsJSONReport(response);
} else {
try {
PrintWriter printWriter = response.getWriter();
- printWriter.printf(LINK_TAG, RES_URI_XSS_CSS);
- printWriter.printf(SCRIPT_TAG, RES_URI_XSS_JS);
+ printWriter.printf(LINK_TAG, consoleRoot + RES_URI_XSS_CSS);
+ printWriter.printf(SCRIPT_TAG, consoleRoot + RES_URI_XSS_JS);
printWriter.println("<div id='xss-tabs'>");
printWriter.println("<ul>");
printWriter.println("<li id='blocked-tab'><a href='#blocked'><span>Status</span></a></li>");
if (xssFilter != null) {
printWriter.println(
- String.format("<li id='config-tab'><a href='%s'><span>Active Configuration</span></a></li>", URI_CONFIG_XHR));
+ String.format("<li id='config-tab'><a href='%s'><span>Active Configuration</span></a></li>",
+ consoleRoot + URI_CONFIG_XHR));
}
printWriter.println("</ul>");
printWriter.println("<div id='blocked'>");
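Review bot: The root computation on the line `String consoleRoot = request.getRequestURI().substring(0, request.getRequestURI().indexOf(pluginResource));` fails hard in two cases: `getPathInfo()` may return null (`indexOf(null)` throws NPE), and when the decoded path info is not a substring of the raw, undecoded request URI `indexOf` returns -1 and `substring` throws, so either case surfaces as a 500 instead of the default plugin page. The servlet API already exposes the console root without string searching: `String consoleRoot = request.getContextPath() + request.getServletPath();` — if I recall correctly this is also the value the Felix console publishes as the `felix.webconsole.appRoot` request attribute, so it should stay consistent with how the console itself builds links. This matters doubly because `consoleRoot` is written unescaped into `href`/`src` attributes both in this hunk and in `writeAntiSamyConfiguration` (next hunk); deriving it from container-provided path components rather than a slice of the raw request URI keeps that output out of reach of request-supplied text. `doGet` continues past the end of the hunk.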
@@ -169,17 +171,17 @@ public class XSSProtectionAPIWebConsolePlugin extends HttpServlet {
}
- private void writeAntiSamyConfiguration(HttpServletResponse response) {
+ private void writeAntiSamyConfiguration(String consoleRoot, HttpServletResponse response) {
response.setContentType("text/html");
XSSFilterImpl xssFilterImpl = (XSSFilterImpl) xssFilter;
XSSFilterImpl.AntiSamyPolicy antiSamyPolicy = xssFilterImpl.getActivePolicy();
if (antiSamyPolicy != null) {
try {
PrintWriter printWriter = response.getWriter();
- printWriter.printf(SCRIPT_TAG, RES_URI_CONFIG_JS);
+ printWriter.printf(SCRIPT_TAG, consoleRoot + RES_URI_CONFIG_JS);
printWriter.write("<div id='config'>");
- printWriter.printf(LINK_TAG, RES_URI_PRETTIFY_CSS);
- printWriter.printf(SCRIPT_TAG, RES_URI_PRETTIFY_JS);
+ printWriter.printf(LINK_TAG, consoleRoot + RES_URI_PRETTIFY_CSS);
+ printWriter.printf(SCRIPT_TAG, consoleRoot + RES_URI_PRETTIFY_JS);
printWriter.write("<p class='statline ui-state-highlight'>The current AntiSamy configuration ");
if (antiSamyPolicy.isEmbedded()) {
printWriter.write("is the default one embedded in the org.apache.sling.xss bundle.");