From lukaszlen...@apache.org
Subject svn commit: r927358 - in /struts/struts2/trunk/core/src: main/java/org/apache/struts2/views/util/UrlHelper.java test/java/org/apache/struts2/views/util/UrlHelperTest.java
Date Thu, 25 Mar 2010 12:02:05 GMT
Author: lukaszlenart
Date: Thu Mar 25 12:02:05 2010
New Revision: 927358

URL: http://svn.apache.org/viewvc?rev=927358&view=rev
Log:
Resolved WW-3410 - XSS vulnerability in UrlHelper.java

Modified:
    struts/struts2/trunk/core/src/main/java/org/apache/struts2/views/util/UrlHelper.java
    struts/struts2/trunk/core/src/test/java/org/apache/struts2/views/util/UrlHelperTest.java

Modified: struts/struts2/trunk/core/src/main/java/org/apache/struts2/views/util/UrlHelper.java
URL: http://svn.apache.org/viewvc/struts/struts2/trunk/core/src/main/java/org/apache/struts2/views/util/UrlHelper.java?rev=927358&r1=927357&r2=927358&view=diff
==============================================================================
--- struts/struts2/trunk/core/src/main/java/org/apache/struts2/views/util/UrlHelper.java (original)
+++ struts/struts2/trunk/core/src/main/java/org/apache/struts2/views/util/UrlHelper.java Thu
Mar 25 12:02:05 2010
@@ -247,7 +247,7 @@ public class UrlHelper {
 
     private static String buildParameterSubstring(String name, String value) {
         StringBuilder builder = new StringBuilder();
-        builder.append(name);
+        builder.append(translateAndEncode(name));
         builder.append('=');
         builder.append(translateAndEncode(value));
 
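Review bot: The new `translateAndEncode(name)` call may do more than URL-encode. The helper's body is not in this hunk, but its name suggests it also expands expressions in its argument before encoding. Parameter names can come straight from the request, so if the helper does translate, the name should get a plain encode instead, such as `URLEncoder.encode(name, <charset the helper uses>)`, and never be evaluated. Either way, a comment like `// WW-3410: names are request-controlled; encode them like values` above the call would record why it is there. buildParameterSubstring continues past the end of the hunk.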

Modified: struts/struts2/trunk/core/src/test/java/org/apache/struts2/views/util/UrlHelperTest.java
URL: http://svn.apache.org/viewvc/struts/struts2/trunk/core/src/test/java/org/apache/struts2/views/util/UrlHelperTest.java?rev=927358&r1=927357&r2=927358&view=diff
==============================================================================
--- struts/struts2/trunk/core/src/test/java/org/apache/struts2/views/util/UrlHelperTest.java
(original)
+++ struts/struts2/trunk/core/src/test/java/org/apache/struts2/views/util/UrlHelperTest.java
Thu Mar 25 12:02:05 2010
@@ -101,11 +101,12 @@ public class UrlHelperTest extends Strut
     }
 
     public void testBuildParametersStringWithUrlHavingSomeExistingParameters() throws Exception
{
-        String expectedUrl = "http://localhost:8080/myContext/myPage.jsp?initParam=initValue&param1=value1&param2=value2";
+        String expectedUrl = "http://localhost:8080/myContext/myPage.jsp?initParam=initValue&param1=value1&param2=value2&param3%22%3CsCrIpT%3Ealert%281%29%3B%3C%2FsCrIpT%3E=value3";
 
         Map parameters = new LinkedHashMap();
         parameters.put("param1", "value1");
         parameters.put("param2", "value2");
+        parameters.put("param3\"<sCrIpT>alert(1);</sCrIpT>","value3");
 
         StringBuilder url = new StringBuilder("http://localhost:8080/myContext/myPage.jsp?initParam=initValue");
 
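Review bot: The WW-3410 regression case is folded into testBuildParametersStringWithUrlHavingSomeExistingParameters, so a failure will read as a problem with existing-parameter handling rather than with name encoding. A separate test method named for the encoding behaviour would pin it down. That test should also cover a name containing `&` and `=`, which would otherwise split or re-key the query string. At minimum, add `// WW-3410: parameter names must be URL-encoded, not only values` above the `parameters.put("param3...` line. The test body continues outside the hunk.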


