Author: snoopdave
Date: Sun Oct 6 13:25:17 2013
New Revision: 1529617
URL: http://svn.apache.org/r1529617
Log:
Clean text in strings used in Struts actions, prevent usage of ${} expressions
Modified:
roller/branches/roller_5.0/weblogger-web/src/main/java/org/apache/roller/weblogger/ui/struts2/util/UIAction.java
roller/branches/roller_5.0/weblogger-web/src/test/java/org/apache/roller/weblogger/ui/struts2/util/UIActionTest.java
Modified:
roller/branches/roller_5.0/weblogger-web/src/main/java/org/apache/roller/weblogger/ui/struts2/util/UIAction.java
URL:
http://svn.apache.org/viewvc/roller/branches/roller_5.0/weblogger-web/src/main/java/org/apache/roller/weblogger/ui/struts2/util/UIAction.java?rev=1529617&r1=1529616&r2=1529617&view=diff
==============================================================================
---
roller/branches/roller_5.0/weblogger-web/src/main/java/org/apache/roller/weblogger/ui/struts2/util/UIAction.java
(original)
+++
roller/branches/roller_5.0/weblogger-web/src/main/java/org/apache/roller/weblogger/ui/struts2/util/UIAction.java
Sun Oct 6 13:25:17 2013
@@ -35,9 +35,12 @@ import org.apache.struts2.interceptor.Re
import java.text.DateFormat;
import java.text.SimpleDateFormat;
import java.util.ArrayList;
+import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Map;
+import java.util.Set;
+import java.util.HashSet;
/**
* Extends the Struts2 ActionSupport class to add in support for handling an
@@ -56,7 +59,7 @@ public abstract class UIAction extends A
// a common result name used to indicate the result should list some data
public static final String LIST = "list";
-
+
// the authenticated user accessing this action, or null if client is not
logged in
private User authenticatedUser = null;
@@ -168,58 +171,58 @@ public abstract class UIAction extends A
value = WebloggerRuntimeConfig.getProperty(key);
}
- return (value == null) ? 0 : new Integer(value);
+ return (value == null) ? 0 : Integer.valueOf(value);
}
@Override
public String getText(String aTextName) {
- return super.getText(cleanText(aTextName));
+ return super.getText(cleanTextKey(aTextName));
}
@Override
public String getText(String aTextName, String defaultValue) {
- return super.getText(cleanText(aTextName), cleanText(defaultValue));
+ return super.getText(cleanTextKey(aTextName),
cleanTextKey(defaultValue));
}
@Override
public String getText(String aTextName, String defaultValue, String obj) {
- return super.getText(cleanText(aTextName), cleanText(defaultValue),
cleanText(obj));
+ return super.getText(cleanTextKey(aTextName),
cleanTextKey(defaultValue), cleanTextArg(obj));
}
@Override
public String getText(String aTextName, List<?> args) {
List<Object> cleanedArgs = new ArrayList<Object>(args.size());
for (Object el : args) {
- cleanedArgs.add(el instanceof String ? cleanText((String) el) :
el);
+ cleanedArgs.add(el instanceof String ? cleanTextArg((String) el) :
el);
}
- return super.getText(cleanText(aTextName), cleanedArgs);
+ return super.getText(cleanTextKey(aTextName), cleanedArgs);
}
@Override
public String getText(String key, String[] args) {
String[] cleanedArgs = new String[args.length];
for (int i = 0; i < args.length; ++i) {
- cleanedArgs[i] = cleanText(args[i]);
+ cleanedArgs[i] = cleanTextArg(args[i]);
}
- return super.getText(cleanText(key), cleanedArgs);
+ return super.getText(cleanTextKey(key), cleanedArgs);
}
@Override
public String getText(String aTextName, String defaultValue, List<?> args)
{
List<Object> cleanedArgs = new ArrayList<Object>(args.size());
for (Object el : args) {
- cleanedArgs.add(el instanceof String ? cleanText((String) el) :
el);
+ cleanedArgs.add(el instanceof String ? cleanTextArg((String) el) :
el);
}
- return super.getText(cleanText(aTextName), cleanText(defaultValue),
cleanedArgs);
+ return super.getText(cleanTextKey(aTextName),
cleanTextKey(defaultValue), cleanedArgs);
}
@Override
public String getText(String key, String defaultValue, String[] args) {
String[] cleanedArgs = new String[args.length];
for (int i = 0; i < args.length; ++i) {
- cleanedArgs[i] = cleanText(args[i]);
+ cleanedArgs[i] = cleanTextArg(args[i]);
}
- return super.getText(cleanText(key), cleanText(defaultValue),
cleanedArgs);
+ return super.getText(cleanTextKey(key), cleanTextKey(defaultValue),
cleanedArgs);
}
public void addError(String errorKey) {
@@ -387,40 +390,20 @@ public abstract class UIAction extends A
return opts;
}
- private static String cleanDollarExpressions(String s) {
- // Remove ${ } expressions; handcoded automaton
- StringBuilder cleaned = new StringBuilder(s.length());
- boolean skipping = false;
- int braceDepth = 0;
- int p = 0;
- char prior = ' ';
- while (p < s.length()) {
- char c = s.charAt(p);
- switch (c) {
- case '{':
- ++braceDepth;
- skipping = skipping || (prior == '$');
- break;
- case '}':
- if (braceDepth > 0) --braceDepth;
- break;
- default:
- }
- if (!skipping) {
- if (prior == '$') cleaned.append(prior);
- if (c != '$') cleaned.append(c);
- }
- skipping = skipping && (braceDepth > 0);
- prior = c;
- ++p;
- }
- if (prior == '$') cleaned.append(prior); // string had final $ held
in prior
- return cleaned.toString();
+ private static Set OPEN_CHARS = new HashSet(Arrays.asList('$', '%'));
+
+ private static String cleanExpressions(String s) {
+ return (s == null || s.contains("${") || s.contains("%{")) ? "" : s;
}
- public static String cleanText(String s) {
+ public static String cleanTextKey(String s) {
if (s == null || s.isEmpty()) return s;
// escape HTML
- return StringEscapeUtils.escapeHtml(cleanDollarExpressions(s));
+ return StringEscapeUtils.escapeHtml(cleanExpressions(s));
+ }
+
+ public static String cleanTextArg(String s) {
+ if (s == null || s.isEmpty()) return s;
+ return StringEscapeUtils.escapeHtml(s);
}
}
\ No newline at end of file
Modified:
roller/branches/roller_5.0/weblogger-web/src/test/java/org/apache/roller/weblogger/ui/struts2/util/UIActionTest.java
URL:
http://svn.apache.org/viewvc/roller/branches/roller_5.0/weblogger-web/src/test/java/org/apache/roller/weblogger/ui/struts2/util/UIActionTest.java?rev=1529617&r1=1529616&r2=1529617&view=diff
==============================================================================
---
roller/branches/roller_5.0/weblogger-web/src/test/java/org/apache/roller/weblogger/ui/struts2/util/UIActionTest.java
(original)
+++
roller/branches/roller_5.0/weblogger-web/src/test/java/org/apache/roller/weblogger/ui/struts2/util/UIActionTest.java
Sun Oct 6 13:25:17 2013
@@ -34,30 +34,33 @@ public class UIActionTest extends TestCa
}
public void testCleanTextEmpty() {
- assertEquals(null,UIAction.cleanText(null));
- assertEquals("",UIAction.cleanText(""));
+ assertEquals(null,UIAction.cleanTextKey(null));
+ assertEquals("",UIAction.cleanTextKey(""));
+ assertEquals(null,UIAction.cleanTextArg(null));
+ assertEquals("",UIAction.cleanTextArg(""));
}
- public void testCleanTextDollarExpressions() {
- assertEquals(null,UIAction.cleanText(null));
- assertEquals("",UIAction.cleanText(""));
- assertEquals("a",UIAction.cleanText("a"));
- assertEquals("$",UIAction.cleanText("$"));
- assertEquals("{",UIAction.cleanText("{"));
- assertEquals("}",UIAction.cleanText("}"));
- assertEquals("",UIAction.cleanText("${"));
- assertEquals("text$",UIAction.cleanText("text$"));
- assertEquals("text something more", UIAction.cleanText("text
something ${ more } ${ and more } more"));
- assertEquals("text more", UIAction.cleanText("text ${ something ${
more } ${ and more } } more"));
- assertEquals("text %{1} text %{2} more", UIAction.cleanText("text %{1}
text${2} %{2} more"));
- assertEquals("already { clean }", UIAction.cleanText("already { clean
}"));
- assertEquals("$signs but not immediately followed by { braces }",
UIAction.cleanText("$signs but not immediately followed by { braces }"));
- assertEquals("clean", UIAction.cleanText("${part { }
}clean${anything}"));
+ public void testCleanTextKey() {
+ assertEquals(null,UIAction.cleanTextKey(null));
+ assertEquals("",UIAction.cleanTextKey(""));
+ assertEquals("a",UIAction.cleanTextKey("a"));
+ assertEquals("$",UIAction.cleanTextKey("$"));
+ assertEquals("%",UIAction.cleanTextKey("%"));
+ assertEquals("%$",UIAction.cleanTextKey("%$"));
+ assertEquals("{",UIAction.cleanTextKey("{"));
+ assertEquals("}",UIAction.cleanTextKey("}"));
+ assertEquals("",UIAction.cleanTextKey("${"));
+ assertEquals("",UIAction.cleanTextKey("%{"));
+ assertEquals("text$",UIAction.cleanTextKey("text$"));
+ assertEquals("text%",UIAction.cleanTextKey("text%"));
+ assertEquals("", UIAction.cleanTextKey("something ${foo} more"));
+ assertEquals("", UIAction.cleanTextKey("something %{foo} more"));
+ assertEquals("", UIAction.cleanTextKey("something %{foo} more"));
}
- public void testCleanTextHtml() {
- assertEquals("<i>some
text</i>",UIAction.cleanText("<i>some text</i>"));
- assertEquals("<i>some </i>",UIAction.cleanText("<i>some
${text}</i>")); // combined
+ public void testCleanTextArg() {
+ assertEquals("<i>some
text</i>",UIAction.cleanTextArg("<i>some text</i>"));
+ assertEquals("<i>some
${text}</i>",UIAction.cleanTextArg("<i>some ${text}</i>"));
}
}
\ No newline at end of file
