
From r...@apache.org
Subject svn commit: r1756802 - in /sling/trunk/bundles/extensions/xss/src: main/java/org/apache/sling/xss/impl/XSSFilterImpl.java main/resources/SLING-INF/content/config.xml test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
Date Thu, 18 Aug 2016 14:54:58 GMT
Author: radu
Date: Thu Aug 18 14:54:58 2016
New Revision: 1756802

URL: http://svn.apache.org/viewvc?rev=1756802&view=rev
Log:
SLING-4560 - XSSAPI#getValidHref is empty for valid Bengali or Hindi characters

* changed the href validation regexes to bring them closer to the regexes recommended
by RFC 3986
* added tests for the GB18030 characters which were not previously accepted

Modified:
    sling/trunk/bundles/extensions/xss/src/main/java/org/apache/sling/xss/impl/XSSFilterImpl.java
    sling/trunk/bundles/extensions/xss/src/main/resources/SLING-INF/content/config.xml
    sling/trunk/bundles/extensions/xss/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java

Modified: sling/trunk/bundles/extensions/xss/src/main/java/org/apache/sling/xss/impl/XSSFilterImpl.java
URL: http://svn.apache.org/viewvc/sling/trunk/bundles/extensions/xss/src/main/java/org/apache/sling/xss/impl/XSSFilterImpl.java?rev=1756802&r1=1756801&r2=1756802&view=diff
==============================================================================
--- sling/trunk/bundles/extensions/xss/src/main/java/org/apache/sling/xss/impl/XSSFilterImpl.java
(original)
+++ sling/trunk/bundles/extensions/xss/src/main/java/org/apache/sling/xss/impl/XSSFilterImpl.java
Thu Aug 18 14:54:58 2016
@@ -58,8 +58,8 @@ public class XSSFilterImpl implements XS
     static final Attribute DEFAULT_HREF_ATTRIBUTE = new Attribute(
             "href",
             Arrays.asList(
-                    Pattern.compile("([\\p{L}\\p{N}\\\\\\.\\#@\\$%\\+&;\\-_~,\\?=/!\\*\\(\\)]*|\\#(\\w)+)"),
-                    Pattern.compile("(\\s)*((ht|f)tp(s?)://|mailto:)[\\p{L}\\p{N}]+[\\p{L}\\p{N}\\p{Zs}\\.\\#@\\$%\\+&;:\\-_~,\\?=/!\\*\\(\\)]*(\\s)*")
+                    Pattern.compile("(?!.*javascript:)(([^?#]*))?([^?#]*)(\\?([^#]*))?(#(.*))?(\\s)*"),
+                    Pattern.compile("(\\s)*((ht|f)tp(s?)://|mailto:)(([^?#]*))?([^?#]*)(\\?([^#]*))?(#(.*))?(\\s)*")
             ),
             Collections.<String>emptyList(),
             "removeAttribute", ""
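Review bot: The negative lookahead `(?!.*javascript:)` on the first `+` line is a case-sensitive denylist for a single scheme spelling, while the `[^?#]*` that follows now admits `:` and every other character the old allowlist kept out, and `.` in the lookahead stops at a line break where `[^?#]` does not; the pattern alone therefore no longer rejects a differently-cased or different active scheme, and correctness now rests on normalization elsewhere that this hunk does not show. Since RFC 3986 (cited in the log) does not allow a scheme in a relative reference, rejecting any scheme prefix is both closer to the RFC and spelling-independent: replace `(?!.*javascript:)` with `(?!\\s*[a-zA-Z][a-zA-Z0-9+.-]*:)`. The offsite pattern on the second `+` line also drops the `[\\p{L}\\p{N}]+` that required at least one character after `://` or `mailto:`, so a bare `http://` now validates; `([^?#]+)` in place of `(([^?#]*))?` restores that requirement, and the duplicated `([^?#]*)` group after it is redundant either way. The `onsiteURL`/`offsiteURL` values in the config.xml hunk carry the same two patterns and need the same changes; the `DEFAULT_HREF_ATTRIBUTE` initializer continues past this hunk.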

Modified: sling/trunk/bundles/extensions/xss/src/main/resources/SLING-INF/content/config.xml
URL: http://svn.apache.org/viewvc/sling/trunk/bundles/extensions/xss/src/main/resources/SLING-INF/content/config.xml?rev=1756802&r1=1756801&r2=1756802&view=diff
==============================================================================
--- sling/trunk/bundles/extensions/xss/src/main/resources/SLING-INF/content/config.xml (original)
+++ sling/trunk/bundles/extensions/xss/src/main/resources/SLING-INF/content/config.xml Thu
Aug 18 14:54:58 2016
@@ -67,9 +67,8 @@ http://www.w3.org/TR/html401/struct/glob
         <regexp name="htmlClass" value="[a-zA-Z0-9\s,\-_]+"/>
 
         <!-- Allow empty URL attributes with a '*'-quantifier instead of '+' for the first
part of the regexp -->
-        <regexp name="onsiteURL" value="([\p{L}\p{N}\\\.\#@\$%\+&amp;;\-_~,\?=/!\*\(\)]*|\#(\w)+)"/>
-        <regexp name="offsiteURL"
-                value="(\s)*((ht|f)tp(s?)://|mailto:)[\p{L}\p{N}]+[\p{L}\p{N}\p{Zs}\.\#@\$%\+&amp;;:\-_~,\?=/!\*\(\)]*(\s)*"/>
+        <regexp name="onsiteURL" value="(?!.*javascript:)(([^?#]*))?([^?#]*)(\?([^#]*))?(#(.*))?(\s)*"/>
+        <regexp name="offsiteURL" value="(\s)*((ht|f)tp(s?)://|mailto:)(([^?#]*))?([^?#]*)(\?([^#]*))?(#(.*))?(\s)*"/>
 
         <regexp name="boolean" value="(true|false)"/>
         <regexp name="singlePrintable" value="[a-zA-Z0-9]{1}"/>

Modified: sling/trunk/bundles/extensions/xss/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
URL: http://svn.apache.org/viewvc/sling/trunk/bundles/extensions/xss/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java?rev=1756802&r1=1756801&r2=1756802&view=diff
==============================================================================
--- sling/trunk/bundles/extensions/xss/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
(original)
+++ sling/trunk/bundles/extensions/xss/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
Thu Aug 18 14:54:58 2016
@@ -220,6 +220,8 @@ public class XSSAPIImplTest {
         String[][] testData = {
                 //         Href                                        Expected Result
                 //
+                {"/etc/commerce/collections/中文", "/etc/commerce/collections/中文"},
+                {"/etc/commerce/collections/⺁〡〢☉⊕〒", "/etc/commerce/collections/⺁〡〢☉⊕〒"},
                 {null, ""},
                 {"", ""},
                 {"simple", "simple"},
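Review bot: The two added rows exercise only accepted input, while the regex change they accompany replaced a character allowlist with a `javascript:` lookahead; the table should also pin at least one rejected case for that lookahead, for example a constructed row such as `{"JavaScript:void(0)", ""}`, so the scheme handling is covered by the same test rather than assumed. The added strings are CJK characters, whereas SLING-4560 in the log names Bengali and Hindi; a row with a Devanagari or Bengali path segment would tie the test to the reported regression. The enclosing test method starts and ends outside the hunk.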


