From tri...@apache.org
Subject svn commit: r1744116 - in /jackrabbit/commons/filevault/trunk/vault-core/src: main/java/org/apache/jackrabbit/vault/util/HtmlProgressListener.java test/java/org/apache/jackrabbit/vault/util/HtmlProgressListenerTest.java
Date Mon, 16 May 2016 19:26:39 GMT
Author: tripod
Date: Mon May 16 19:26:38 2016
New Revision: 1744116

URL: http://svn.apache.org/viewvc?rev=1744116&view=rev
Log:
JCRVLT-117 Potential XSS problem in org.apache.jackrabbit.vault.util.HtmlProgressListener

Added:
    jackrabbit/commons/filevault/trunk/vault-core/src/test/java/org/apache/jackrabbit/vault/util/HtmlProgressListenerTest.java
Modified:
    jackrabbit/commons/filevault/trunk/vault-core/src/main/java/org/apache/jackrabbit/vault/util/HtmlProgressListener.java

Modified: jackrabbit/commons/filevault/trunk/vault-core/src/main/java/org/apache/jackrabbit/vault/util/HtmlProgressListener.java
URL: http://svn.apache.org/viewvc/jackrabbit/commons/filevault/trunk/vault-core/src/main/java/org/apache/jackrabbit/vault/util/HtmlProgressListener.java?rev=1744116&r1=1744115&r2=1744116&view=diff
==============================================================================
--- jackrabbit/commons/filevault/trunk/vault-core/src/main/java/org/apache/jackrabbit/vault/util/HtmlProgressListener.java
(original)
+++ jackrabbit/commons/filevault/trunk/vault-core/src/main/java/org/apache/jackrabbit/vault/util/HtmlProgressListener.java
Mon May 16 19:26:38 2016
@@ -23,8 +23,7 @@ import java.io.Writer;
 import org.apache.jackrabbit.vault.fs.api.ProgressTrackerListener;
 
 /**
- * <code>HtmlProgrressTrackerListener</code>...
- *
+ * <code>HtmlProgressTrackerListener</code> implements a progress tracker listener
that writes the progress in HTML.
  */
 public class HtmlProgressListener implements ProgressTrackerListener {
 
@@ -68,6 +67,9 @@ public class HtmlProgressListener implem
 
     private void print(Mode mode, String action, String path, String msg) {
         try {
+            action = Text.encodeIllegalXMLCharacters(action);
+            path = Text.encodeIllegalXMLCharacters(path);
+            msg = msg == null ? null : Text.encodeIllegalXMLCharacters(msg);
             out.write("<span class=\"");
             out.write(action);
             out.write("\">");
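Review bot: The escaping added at the top of `print` has to serve two different HTML contexts: `action` is written into the double-quoted `class` attribute on the lines right below it, while `path` and `msg` land in text content (the new test expects `&nbsp;/content/foo` after the `</b>`), so the fix only holds if `Text.encodeIllegalXMLCharacters` also encodes `"` and `&`, which nothing in this hunk pins down. The entity it emits for `'` is `&apos;` (per the new test's expectation), which is not a named entity in HTML 4.01, so HTML4-only renderers show it literally; that does not weaken the XSS fix but is worth recording. I would state the contract on the first added line: `// HTML-escape before anything reaches out: action lands in a double-quoted attribute, path/msg in text; relies on Text encoding & < > " (and ' as &apos;, which HTML 4 lacks).` The body of print continues past the end of the hunk.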

Added: jackrabbit/commons/filevault/trunk/vault-core/src/test/java/org/apache/jackrabbit/vault/util/HtmlProgressListenerTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/commons/filevault/trunk/vault-core/src/test/java/org/apache/jackrabbit/vault/util/HtmlProgressListenerTest.java?rev=1744116&view=auto
==============================================================================
--- jackrabbit/commons/filevault/trunk/vault-core/src/test/java/org/apache/jackrabbit/vault/util/HtmlProgressListenerTest.java
(added)
+++ jackrabbit/commons/filevault/trunk/vault-core/src/test/java/org/apache/jackrabbit/vault/util/HtmlProgressListenerTest.java
Mon May 16 19:26:38 2016
@@ -0,0 +1,70 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.vault.util;
+
+import java.io.StringWriter;
+
+import org.apache.jackrabbit.vault.fs.api.ProgressTrackerListener;
+import org.junit.Test;
+
+import junit.framework.TestCase;
+
+import static org.junit.Assert.assertEquals;
+
+/**
+ *
+ */
+public class HtmlProgressListenerTest {
+
+    @Test
+    public void testSimpleOnMessage() {
+        StringWriter out = new StringWriter();
+        HtmlProgressListener l = new HtmlProgressListener(out);
+        l.setNoScrollTo(true);
+        l.onMessage(ProgressTrackerListener.Mode.PATHS, "A", "/content/foo");
+        assertEquals("<span class=\"A\"><b>A</b>&nbsp;/content/foo</span><br>\r\n",
out.toString());
+    }
+
+    @Test
+    public void testXSSOnMessage() {
+        StringWriter out = new StringWriter();
+        HtmlProgressListener l = new HtmlProgressListener(out);
+        l.setNoScrollTo(true);
+        l.onMessage(ProgressTrackerListener.Mode.PATHS, "A", "<script>alert('hello');</script>");
+        assertEquals("<span class=\"A\"><b>A</b>&nbsp;&lt;script&gt;alert(&apos;hello&apos;);&lt;/script&gt;</span><br>\r\n",
out.toString());
+    }
+
+    @Test
+    public void testSimpleOnError() {
+        StringWriter out = new StringWriter();
+        HtmlProgressListener l = new HtmlProgressListener(out);
+        l.setNoScrollTo(true);
+        l.onError(ProgressTrackerListener.Mode.PATHS, "/content/foo", new Exception("Test
Exception"));
+        assertEquals("<span class=\"E\"><b>E</b>&nbsp;/content/foo
(java.lang.Exception: Test Exception)</span><br>\r\n", out.toString());
+    }
+
+    @Test
+    public void testXSSOnError() {
+        StringWriter out = new StringWriter();
+        HtmlProgressListener l = new HtmlProgressListener(out);
+        l.setNoScrollTo(true);
+        l.onError(ProgressTrackerListener.Mode.PATHS, "/content/foo", new Exception("<script>alert('hello');</script>"));
+        assertEquals("<span class=\"E\"><b>E</b>&nbsp;/content/foo
(java.lang.Exception: &lt;script&gt;alert(&apos;hello&apos;);&lt;/script&gt;)</span><br>\r\n",
out.toString());
+    }
+
+
+}
\ No newline at end of file
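Review bot: The new XSS tests only exercise `<`, `>` and `'` in the text-node position (`path` and the exception message); the attribute position, `action` written between `class="` and `"`, is never fed a `"` or an `&`, which is exactly the context where an escaper that misses the quote would still let the value break out. Add a case that pushes a quote and an ampersand through `action`; the expected string below assumes `Text` emits `&quot;` and `&amp;`, as Jackrabbit's `Text` does, so adjust it if the FileVault copy differs. The `junit.framework.TestCase` import is unused and mixes JUnit 3 with the JUnit 4 API used everywhere else; drop it. The empty class Javadoc should say what is covered, e.g. `Verifies that HtmlProgressListener escapes action, path and message text before writing HTML.`
```java
    // … unchanged: existing onMessage/onError tests …

    @Test
    public void testXSSInActionAttribute() {
        StringWriter out = new StringWriter();
        HtmlProgressListener l = new HtmlProgressListener(out);
        l.setNoScrollTo(true);
        // action is written inside class="..." — a raw quote or ampersand must not survive
        l.onMessage(ProgressTrackerListener.Mode.PATHS, "A\" onmouseover=\"x&y", "/content/foo");
        assertEquals("<span class=\"A&quot; onmouseover=&quot;x&amp;y\"><b>A&quot; onmouseover=&quot;x&amp;y</b>&nbsp;/content/foo</span><br>\r\n",
                out.toString());
    }
```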


