sling-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From pa...@apache.org
Subject svn commit: r1794381 - in /sling/trunk/bundles/extensions/xss.compat: ./ src/main/java/org/apache/sling/xss/ src/main/java/org/apache/sling/xss/impl/ src/main/resources/SLING-INF/content/ src/test/java/org/apache/sling/xss/impl/
Date Mon, 08 May 2017 14:29:02 GMT
Author: pauls
Date: Mon May  8 14:29:02 2017
New Revision: 1794381

URL: http://svn.apache.org/viewvc?rev=1794381&view=rev
Log:
Merge latest released tag xss 1.0.18 into compat

Modified:
    sling/trunk/bundles/extensions/xss.compat/   (props changed)
    sling/trunk/bundles/extensions/xss.compat/pom.xml
    sling/trunk/bundles/extensions/xss.compat/src/main/java/org/apache/sling/xss/XSSAPI.java
    sling/trunk/bundles/extensions/xss.compat/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java
    sling/trunk/bundles/extensions/xss.compat/src/main/java/org/apache/sling/xss/impl/XSSFilterImpl.java
    sling/trunk/bundles/extensions/xss.compat/src/main/java/org/apache/sling/xss/package-info.java
    sling/trunk/bundles/extensions/xss.compat/src/main/resources/SLING-INF/content/config.xml
    sling/trunk/bundles/extensions/xss.compat/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java

Propchange: sling/trunk/bundles/extensions/xss.compat/
------------------------------------------------------------------------------
--- svn:mergeinfo (added)
+++ svn:mergeinfo Mon May  8 14:29:02 2017
@@ -0,0 +1,2 @@
+/sling/tags/org.apache.sling.xss-1.0.18:1785246-1794379
+/sling/trunk/bundles/extensions/xss:1726619-1785244

Modified: sling/trunk/bundles/extensions/xss.compat/pom.xml
URL: http://svn.apache.org/viewvc/sling/trunk/bundles/extensions/xss.compat/pom.xml?rev=1794381&r1=1794380&r2=1794381&view=diff
==============================================================================
--- sling/trunk/bundles/extensions/xss.compat/pom.xml (original)
+++ sling/trunk/bundles/extensions/xss.compat/pom.xml Mon May  8 14:29:02 2017
@@ -23,7 +23,7 @@
     <parent>
         <groupId>org.apache.sling</groupId>
         <artifactId>sling</artifactId>
-        <version>26</version>
+        <version>28</version>
         <relativePath />
     </parent>
 
@@ -236,17 +236,13 @@
 
         <dependency>
             <groupId>javax.servlet</groupId>
-            <artifactId>servlet-api</artifactId>
+            <artifactId>javax.servlet-api</artifactId>
             <scope>provided</scope>
         </dependency>
 
         <dependency>
             <groupId>org.osgi</groupId>
-            <artifactId>org.osgi.core</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.osgi</groupId>
-            <artifactId>org.osgi.compendium</artifactId>
+            <artifactId>osgi.core</artifactId>
         </dependency>
         <dependency>
             <groupId>org.slf4j</groupId>
@@ -255,7 +251,7 @@
         <dependency>
             <groupId>org.apache.sling</groupId>
             <artifactId>org.apache.sling.api</artifactId>
-            <version>2.2.0</version>
+            <version>2.11.0</version>
             <scope>provided</scope>
         </dependency>
         <dependency>
@@ -265,6 +261,12 @@
             <scope>provided</scope>
         </dependency>
         <dependency>
+          <groupId>org.apache.sling</groupId>
+          <artifactId>org.apache.sling.serviceusermapper</artifactId>
+          <version>1.2.0</version>
+          <scope>provided</scope>
+        </dependency>
+        <dependency>
             <groupId>com.google.code.findbugs</groupId>
             <artifactId>jsr305</artifactId>
             <version>2.0.0</version>
@@ -277,14 +279,13 @@
         <dependency>
             <groupId>org.mockito</groupId>
             <artifactId>mockito-all</artifactId>
-            <version>1.8.4</version>
-            <type>jar</type>
+            <version>1.10.19</version>
             <scope>test</scope>
         </dependency>
         <dependency>
             <groupId>org.powermock</groupId>
             <artifactId>powermock-api-mockito</artifactId>
-            <version>1.5.5</version>
+            <version>1.6.5</version>
             <scope>test</scope>
         </dependency>
         <dependency>

Modified: sling/trunk/bundles/extensions/xss.compat/src/main/java/org/apache/sling/xss/XSSAPI.java
URL: http://svn.apache.org/viewvc/sling/trunk/bundles/extensions/xss.compat/src/main/java/org/apache/sling/xss/XSSAPI.java?rev=1794381&r1=1794380&r2=1794381&view=diff
==============================================================================
--- sling/trunk/bundles/extensions/xss.compat/src/main/java/org/apache/sling/xss/XSSAPI.java
(original)
+++ sling/trunk/bundles/extensions/xss.compat/src/main/java/org/apache/sling/xss/XSSAPI.java
Mon May  8 14:29:02 2017
@@ -68,6 +68,17 @@ public interface XSSAPI {
     Long getValidLong(@Nullable String source,long defaultValue);
 
     /**
+     * Validate a string which should contain an double, returning a default value if the
source is
+     * {@code null}, empty, can't be parsed, or contains XSS risks.
+     *
+     * @param source      the source double
+     * @param defaultValue a default value if the source can't be used, is {@code null} or
an empty string
+     * @return a sanitized double
+     */
+    @Nullable
+    Double getValidDouble(@Nullable String source, double defaultValue);
+
+    /**
      * Validate a string which should contain a dimension, returning a default value if the
source is
      * empty, can't be parsed, or contains XSS risks.  Allows integer dimensions and the
keyword "auto".
      *

Modified: sling/trunk/bundles/extensions/xss.compat/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java
URL: http://svn.apache.org/viewvc/sling/trunk/bundles/extensions/xss.compat/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java?rev=1794381&r1=1794380&r2=1794381&view=diff
==============================================================================
--- sling/trunk/bundles/extensions/xss.compat/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java
(original)
+++ sling/trunk/bundles/extensions/xss.compat/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java
Mon May  8 14:29:02 2017
@@ -21,6 +21,7 @@ import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
 import javax.annotation.Nonnull;
+import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.parsers.SAXParser;
 import javax.xml.parsers.SAXParserFactory;
 
@@ -43,6 +44,8 @@ import org.owasp.esapi.Validator;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.xml.sax.InputSource;
+import org.xml.sax.SAXNotRecognizedException;
+import org.xml.sax.SAXNotSupportedException;
 import org.xml.sax.XMLReader;
 
 @Component
@@ -65,6 +68,13 @@ public class XSSAPIImpl implements XSSAP
         factory = SAXParserFactory.newInstance();
         factory.setValidating(false);
         factory.setNamespaceAware(true);
+        try {
+            factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd",
false);
+            factory.setFeature("http://xml.org/sax/features/external-parameter-entities",
false);
+            factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+        } catch (Exception e) {
+            LOGGER.error("SAX parser configuration error: " + e.getMessage(), e);
+        }
     }
 
     @Deactivate
@@ -114,6 +124,23 @@ public class XSSAPIImpl implements XSSAP
     }
 
     /**
+     * @see org.apache.sling.xss.XSSAPI#getValidDouble(String, double)
+     */
+    @Override
+    public Double getValidDouble(String source, double defaultValue) {
+        if (source != null && source.length() > 0) {
+            try {
+                return validator.getValidDouble("XSS", source, 0d, Double.MAX_VALUE, false);
+            } catch (Exception e) {
+                // ignore
+            }
+        }
+
+        // fall through to default if empty, null, or validation failure
+        return defaultValue;
+    }
+
+    /**
      * @see org.apache.sling.xss.XSSAPI#getValidDimension(String, String)
      */
     @Override
@@ -412,7 +439,7 @@ public class XSSAPIImpl implements XSSAP
      */
     @Override
     public String encodeForJSString(String source) {
-        return source == null ? null : Encode.forJavaScriptSource(source);
+        return source == null ? null : Encode.forJavaScript(source).replace("\\-", "\\u002D");
     }
 
     /**

Modified: sling/trunk/bundles/extensions/xss.compat/src/main/java/org/apache/sling/xss/impl/XSSFilterImpl.java
URL: http://svn.apache.org/viewvc/sling/trunk/bundles/extensions/xss.compat/src/main/java/org/apache/sling/xss/impl/XSSFilterImpl.java?rev=1794381&r1=1794380&r2=1794381&view=diff
==============================================================================
--- sling/trunk/bundles/extensions/xss.compat/src/main/java/org/apache/sling/xss/impl/XSSFilterImpl.java
(original)
+++ sling/trunk/bundles/extensions/xss.compat/src/main/java/org/apache/sling/xss/impl/XSSFilterImpl.java
Mon May  8 14:29:02 2017
@@ -19,25 +19,28 @@ package org.apache.sling.xss.impl;
 import java.io.InputStream;
 import java.util.Arrays;
 import java.util.Collections;
+import java.util.HashMap;
+import java.util.List;
 import java.util.Map;
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.regex.Pattern;
 
 import org.apache.felix.scr.annotations.Activate;
 import org.apache.felix.scr.annotations.Component;
+import org.apache.felix.scr.annotations.Properties;
 import org.apache.felix.scr.annotations.Property;
 import org.apache.felix.scr.annotations.Reference;
 import org.apache.felix.scr.annotations.Service;
-import org.apache.sling.api.SlingConstants;
 import org.apache.sling.api.resource.LoginException;
 import org.apache.sling.api.resource.Resource;
 import org.apache.sling.api.resource.ResourceResolver;
 import org.apache.sling.api.resource.ResourceResolverFactory;
+import org.apache.sling.api.resource.observation.ExternalResourceChangeListener;
+import org.apache.sling.api.resource.observation.ResourceChange;
+import org.apache.sling.api.resource.observation.ResourceChangeListener;
+import org.apache.sling.serviceusermapping.ServiceUserMapped;
 import org.apache.sling.xss.ProtectionContext;
 import org.apache.sling.xss.XSSFilter;
-import org.osgi.service.event.Event;
-import org.osgi.service.event.EventConstants;
-import org.osgi.service.event.EventHandler;
 import org.owasp.validator.html.model.Attribute;
 import org.owasp.validator.html.model.Tag;
 import org.slf4j.Logger;
@@ -48,9 +51,12 @@ import org.slf4j.LoggerFactory;
  * <a href="http://code.google.com/p/owaspantisamy/">http://code.google.com/p/owaspantisamy/</a>.
  */
 @Component(immediate = true)
-@Service(value = {EventHandler.class, XSSFilter.class})
-@Property(name = EventConstants.EVENT_TOPIC, value = {"org/apache/sling/api/resource/Resource/*"})
-public class XSSFilterImpl implements XSSFilter, EventHandler {
+@Service(value = {ResourceChangeListener.class, XSSFilter.class})
+@Properties({
+    @Property(name = ResourceChangeListener.CHANGES, value = {"ADDED", "CHANGED", "REMOVED"}),
+    @Property(name = ResourceChangeListener.PATHS, value = XSSFilterImpl.DEFAULT_POLICY_PATH)
+})
+public class XSSFilterImpl implements XSSFilter, ResourceChangeListener, ExternalResourceChangeListener
{
 
     private static final Logger LOGGER = LoggerFactory.getLogger(XSSFilterImpl.class);
 
@@ -58,14 +64,15 @@ public class XSSFilterImpl implements XS
     static final Attribute DEFAULT_HREF_ATTRIBUTE = new Attribute(
             "href",
             Arrays.asList(
-                    Pattern.compile("([\\p{L}\\p{N}\\\\\\.\\#@\\$%\\+&;\\-_~,\\?=/!\\*\\(\\)]*|\\#(\\w)+)"),
-                    Pattern.compile("(\\s)*((ht|f)tp(s?)://|mailto:)[\\p{L}\\p{N}]+[\\p{L}\\p{N}\\p{Zs}\\.\\#@\\$%\\+&;:\\-_~,\\?=/!\\*\\(\\)]*(\\s)*")
+                    Pattern.compile("([\\p{L}\\p{M}*+\\p{N}\\\\\\.\\#@\\$%\\+&;\\-_~,\\?=/!\\*\\(\\)]*|\\#(\\w)+)"),
+                    Pattern.compile("(\\s)*((ht|f)tp(s?)://|mailto:)[\\p{L}\\p{M}*+\\p{N}]+[\\p{L}\\p{M}*+\\p{N}\\p{Zs}\\.\\#@\\$%\\+&;:\\-_~,\\?=/!\\*\\(\\)]*(\\s)*")
             ),
             Collections.<String>emptyList(),
             "removeAttribute", ""
     );
 
-    private static final String DEFAULT_POLICY_PATH = "sling/xss/config.xml";
+    public static final String DEFAULT_POLICY_PATH = "sling/xss/config.xml";
+    private static final String EMBEDDED_POLICY_PATH = "SLING-INF/content/config.xml";
     private static final int DEFAULT_POLICY_CACHE_SIZE = 128;
     private PolicyHandler defaultHandler;
     private Attribute hrefAttribute;
@@ -80,12 +87,16 @@ public class XSSFilterImpl implements XS
     @Reference
     private ResourceResolverFactory resourceResolverFactory = null;
 
+    @Reference
+    private ServiceUserMapped serviceUserMapped;
+
     @Override
-    public void handleEvent(final Event event) {
-        final String path = (String) event.getProperty(SlingConstants.PROPERTY_PATH);
-        if (path.endsWith("/" + DEFAULT_POLICY_PATH)) {
-            LOGGER.debug("Detected policy file change at {}. Updating default handler.",
path);
-            updateDefaultHandler();
+    public void onChange(List<ResourceChange> resourceChanges) {
+        for (ResourceChange change : resourceChanges) {
+            if (change.getPath().endsWith(DEFAULT_POLICY_PATH)) {
+                LOGGER.info("Detected policy file change ({}) at {}. Updating default handler.",
change.getType().name(), change.getPath());
+                updateDefaultHandler();
+            }
         }
     }
 
@@ -111,37 +122,40 @@ public class XSSFilterImpl implements XS
         updateDefaultHandler();
     }
 
-    private void updateDefaultHandler() {
-        ResourceResolver adminResolver = null;
+    private synchronized void updateDefaultHandler() {
+        this.defaultHandler = null;
+        ResourceResolver xssResourceResolver = null;
         try {
-            adminResolver = resourceResolverFactory.getAdministrativeResourceResolver(null);
-            Resource policyResource = adminResolver.getResource(DEFAULT_POLICY_PATH);
+            xssResourceResolver = resourceResolverFactory.getServiceResourceResolver(null);
+            Resource policyResource = xssResourceResolver.getResource(DEFAULT_POLICY_PATH);
             if (policyResource != null) {
-                InputStream policyStream = policyResource.adaptTo(InputStream.class);
-                if (policyStream != null) {
-                    try {
-                        if (defaultHandler == null) {
-                            setDefaultHandler(new PolicyHandler(policyStream));
-                            policyStream.close();
+                try (InputStream policyStream = policyResource.adaptTo(InputStream.class))
{
+                    setDefaultHandler(new PolicyHandler(policyStream));
+                    LOGGER.info("Installed default policy from {}.", policyResource.getPath());
+                } catch (Exception e) {
+                    Throwable[] suppressed = e.getSuppressed();
+                    if (suppressed.length > 0) {
+                        for (Throwable t : suppressed) {
+                            LOGGER.error("Unable to load policy from " + policyResource.getPath(),
t);
                         }
-                    } catch (Exception e) {
-                        LOGGER.error("Unable to load policy from " + policyResource.getPath(),
e);
                     }
+                    LOGGER.error("Unable to load policy from " + policyResource.getPath(),
e);
                 }
             } else {
                 // the content was not installed but the service is active; let's use the
embedded file for the default handler
-                LOGGER.debug("Could not find a policy file at the default location {}. Attempting
to use the default resource embedded in" +
+                LOGGER.warn("Could not find a policy file at the default location {}. Attempting
to use the default resource embedded in" +
                         " the bundle.", DEFAULT_POLICY_PATH);
-                InputStream policyStream = this.getClass().getClassLoader().getResourceAsStream("SLING-INF/content/config.xml");
-                if (policyStream != null) {
-                    try {
-                        if (defaultHandler == null) {
-                            setDefaultHandler(new PolicyHandler(policyStream));
-                            policyStream.close();
+                try (InputStream policyStream = this.getClass().getClassLoader().getResourceAsStream(EMBEDDED_POLICY_PATH))
{
+                    setDefaultHandler(new PolicyHandler(policyStream));
+                    LOGGER.info("Installed default policy from the embedded {} file from
the bundle.", EMBEDDED_POLICY_PATH);
+                } catch (Exception e) {
+                    Throwable[] suppressed = e.getSuppressed();
+                    if (suppressed.length > 0) {
+                        for (Throwable t : suppressed) {
+                            LOGGER.error("Unable to load policy from embedded policy file.",
t);
                         }
-                    } catch (Exception e) {
-                        LOGGER.error("Unable to load policy from embedded policy file.",
e);
                     }
+                    LOGGER.error("Unable to load policy from embedded policy file.", e);
                 }
             }
             if (defaultHandler == null) {
@@ -150,8 +164,8 @@ public class XSSFilterImpl implements XS
         } catch (LoginException e) {
             LOGGER.error("Unable to load the default policy file.", e);
         } finally {
-            if (adminResolver != null) {
-                adminResolver.close();
+            if (xssResourceResolver != null) {
+                xssResourceResolver.close();
             }
         }
     }
@@ -249,5 +263,4 @@ public class XSSFilterImpl implements XS
         }
         return isValid;
     }
-
 }

Modified: sling/trunk/bundles/extensions/xss.compat/src/main/java/org/apache/sling/xss/package-info.java
URL: http://svn.apache.org/viewvc/sling/trunk/bundles/extensions/xss.compat/src/main/java/org/apache/sling/xss/package-info.java?rev=1794381&r1=1794380&r2=1794381&view=diff
==============================================================================
--- sling/trunk/bundles/extensions/xss.compat/src/main/java/org/apache/sling/xss/package-info.java
(original)
+++ sling/trunk/bundles/extensions/xss.compat/src/main/java/org/apache/sling/xss/package-info.java
Mon May  8 14:29:02 2017
@@ -17,9 +17,9 @@
 /**
  * XSS Protection Service
  *
- * @version 1.1.0
+ * @version 1.2.0
  */
-@Version("1.1.1")
+@Version("1.2.0")
 package org.apache.sling.xss;
 
 import aQute.bnd.annotation.Version;

Modified: sling/trunk/bundles/extensions/xss.compat/src/main/resources/SLING-INF/content/config.xml
URL: http://svn.apache.org/viewvc/sling/trunk/bundles/extensions/xss.compat/src/main/resources/SLING-INF/content/config.xml?rev=1794381&r1=1794380&r2=1794381&view=diff
==============================================================================
--- sling/trunk/bundles/extensions/xss.compat/src/main/resources/SLING-INF/content/config.xml
(original)
+++ sling/trunk/bundles/extensions/xss.compat/src/main/resources/SLING-INF/content/config.xml
Mon May  8 14:29:02 2017
@@ -67,9 +67,8 @@ http://www.w3.org/TR/html401/struct/glob
         <regexp name="htmlClass" value="[a-zA-Z0-9\s,\-_]+"/>
 
         <!-- Allow empty URL attributes with a '*'-quantifier instead of '+' for the first
part of the regexp -->
-        <regexp name="onsiteURL" value="([\p{L}\p{N}\\\.\#@\$%\+&amp;;\-_~,\?=/!\*\(\)]*|\#(\w)+)"/>
-        <regexp name="offsiteURL"
-                value="(\s)*((ht|f)tp(s?)://|mailto:)[\p{L}\p{N}]+[\p{L}\p{N}\p{Zs}\.\#@\$%\+&amp;;:\-_~,\?=/!\*\(\)]*(\s)*"/>
+        <regexp name="onsiteURL" value="([\p{L}\p{M}*+\p{N}\\\.\#@\$%\+&amp;;\-_~,\?=/!\*\(\)]*|\#(\w)+)"/>
+        <regexp name="offsiteURL" value="(\s)*((ht|f)tp(s?)://|mailto:)[\p{L}\p{M}*+\p{N}]+[\p{L}\p{M}*+\p{N}\p{Zs}\.\#@\$%\+&amp;;:\-_~,\?=/!\*\(\)]*(\s)*"/>
 
         <regexp name="boolean" value="(true|false)"/>
         <regexp name="singlePrintable" value="[a-zA-Z0-9]{1}"/>

Modified: sling/trunk/bundles/extensions/xss.compat/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
URL: http://svn.apache.org/viewvc/sling/trunk/bundles/extensions/xss.compat/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java?rev=1794381&r1=1794380&r2=1794381&view=diff
==============================================================================
--- sling/trunk/bundles/extensions/xss.compat/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
(original)
+++ sling/trunk/bundles/extensions/xss.compat/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
Mon May  8 14:29:02 2017
@@ -204,7 +204,9 @@ public class XSSAPIImplTest {
                 {"<strike>strike</strike>", "<strike>strike</strike>"},
                 {"<s>s</s>", "<s>s</s>"},
 
-                {"<a href=\"\">empty href</a>", "<a href=\"\">empty href</a>"}
+                {"<a href=\"\">empty href</a>", "<a href=\"\">empty href</a>"},
+                {"<a href=\" javascript:alert(23)\">space</a>","<a>space</a>"},
+                {"<table background=\"http://www.google.com\"></table>", "<table></table>"},
         };
 
         for (String[] aTestData : testData) {
@@ -220,6 +222,8 @@ public class XSSAPIImplTest {
         String[][] testData = {
                 //         Href                                        Expected Result
                 //
+                {"/etc/commerce/collections/中文", "/etc/commerce/collections/中文"},
+                {"/etc/commerce/collections/\u09aa\u09b0\u09c0\u0995\u09cd\u09b7\u09be\u09ae\u09c2\u09b2\u0995",
"/etc/commerce/collections/\u09aa\u09b0\u09c0\u0995\u09cd\u09b7\u09be\u09ae\u09c2\u09b2\u0995"},
                 {null, ""},
                 {"", ""},
                 {"simple", "simple"},
@@ -341,6 +345,28 @@ public class XSSAPIImplTest {
     }
 
     @Test
+    public void testGetValidDouble() {
+        String[][] testData = {
+                //         Source                                        Expected Result
+                //
+                {null, "123"},
+                {"100.5", "100.5"},
+                {"0", "0"},
+
+                {"junk", "123"},
+                {"", "123"},
+                {"null", "123"}
+        };
+
+        for (String[] aTestData : testData) {
+            String source = aTestData[0];
+            Double expected = (aTestData[1] != null) ? new Double(aTestData[1]) : null;
+
+            TestCase.assertEquals("Validating double '" + source + "'", expected, xssAPI.getValidDouble(source,
123));
+        }
+    }
+
+    @Test
     public void testGetValidDimension() {
         String[][] testData = {
                 //         Source                                        Expected Result
@@ -378,10 +404,13 @@ public class XSSAPIImplTest {
                 {null, null},
                 {"simple", "simple"},
 
-                {"break\"out", "break\\\"out"},
-                {"break'out", "break\\'out"},
-                {"'alert(document.cookie)", "\\'alert(document.cookie)"},
-                {"2014-04-22T10:11:24.002+01:00", "2014-04-22T10:11:24.002+01:00"}
+                {"break\"out", "break\\x22out"},
+                {"break'out", "break\\x27out"},
+
+                {"</script>", "<\\/script>"},
+
+                {"'alert(document.cookie)", "\\x27alert(document.cookie)"},
+                {"2014-04-22T10:11:24.002+01:00", "2014\\u002D04\\u002D22T10:11:24.002+01:00"}
         };
 
         for (String[] aTestData : testData) {
@@ -408,7 +437,7 @@ public class XSSAPIImplTest {
                 {"\"literal string\"", "\"literal string\""},
                 {"'literal string'", "'literal string'"},
                 {"\"bad literal'", RUBBISH},
-                {"'literal'); junk'", "'literal\\'); junk'"},
+                {"'literal'); junk'", "'literal\\x27); junk'"},
 
                 {"1200", "1200"},
                 {"3.14", "3.14"},
@@ -648,6 +677,10 @@ public class XSSAPIImplTest {
                 {
                         "<t><w>xyz</t></w>",
                         RUBBISH_XML
+                },
+                {
+                        "<?xml version=\"1.0\"?><!DOCTYPE test SYSTEM \"http://nonExistentHost:1234/\"><test/>",
+                        "<?xml version=\"1.0\"?><!DOCTYPE test SYSTEM \"http://nonExistentHost:1234/\"><test/>"
                 }
         };
         for (String[] aTestData : testData) {



Mime
View raw message