Author: radu
Date: Thu Jan 21 17:19:35 2016
New Revision: 1726027
URL: http://svn.apache.org/viewvc?rev=1726027&view=rev
Log:
SLING-5445 - XSSAPI#encodeForJSString is too restrictive
* replaced call to Encode.forJavaScript with call to Encode.forJavaScriptSource
Modified:
sling/trunk/bundles/extensions/xss/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java
sling/trunk/bundles/extensions/xss/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
Modified:
sling/trunk/bundles/extensions/xss/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java
URL:
http://svn.apache.org/viewvc/sling/trunk/bundles/extensions/xss/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java?rev=1726027&r1=1726026&r2=1726027&view=diff
==============================================================================
---
sling/trunk/bundles/extensions/xss/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java
(original)
+++
sling/trunk/bundles/extensions/xss/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java
Thu Jan 21 17:19:35 2016
@@ -412,7 +412,7 @@ public class XSSAPIImpl implements XSSAP
*/
@Override
public String encodeForJSString(String source) {
- return source == null ? null : Encode.forJavaScript(source);
+ return source == null ? null : Encode.forJavaScriptSource(source);
}
/**
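Review bot: The switch to Encode.forJavaScriptSource on the new line 27 narrows the contexts in which encodeForJSString's output is safe, and nothing in the method's contract says so. The new test expectations (`break\"out`, `break\'out`) show the output keeps a raw quote behind a backslash, which is fine inside a `<script>` string literal but terminates a quoted HTML event-handler attribute such as `onclick="..."`, whereas the previous hex escapes (`\x22`, `\x27`) were safe in both. The method's Javadoc ends at line 23, outside the hunk; it should state the restriction, e.g. `Encodes {@code source} for a JavaScript string literal inside a script block only; not safe for use in HTML event-handler attributes.` Callers that currently rely on it for attribute contexts would need an attribute-safe encoding instead, which is worth auditing before this ships.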
Modified:
sling/trunk/bundles/extensions/xss/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
URL:
http://svn.apache.org/viewvc/sling/trunk/bundles/extensions/xss/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java?rev=1726027&r1=1726026&r2=1726027&view=diff
==============================================================================
---
sling/trunk/bundles/extensions/xss/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
(original)
+++
sling/trunk/bundles/extensions/xss/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
Thu Jan 21 17:19:35 2016
@@ -378,10 +378,10 @@ public class XSSAPIImplTest {
{null, null},
{"simple", "simple"},
- {"break\"out", "break\\x22out"},
- {"break'out", "break\\x27out"},
-
- {"</script>", "<\\/script>"}
+ {"break\"out", "break\\\"out"},
+ {"break'out", "break\\'out"},
+ {"'alert(document.cookie)", "\\'alert(document.cookie)"},
+ {"2014-04-22T10:11:24.002+01:00",
"2014-04-22T10:11:24.002+01:00"}
};
for (String[] aTestData : testData) {
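Review bot: The `</script>` case on removed line 47 was dropped rather than updated, so the test data no longer asserts that a closing script tag is neutralised, which is the primary breakout an encoder for script-block strings must prevent. If forJavaScriptSource still escapes the slash, restoring `{"</script>", "<\\/script>"}` keeps that regression coverage; if it does not, the expected value should be whatever it actually produces, as long as the assertion still shows the literal `</script>` cannot survive encoding. The testData array begins before the hunk, so the surrounding cases are not all visible here.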
@@ -408,7 +408,7 @@ public class XSSAPIImplTest {
{"\"literal string\"", "\"literal string\""},
{"'literal string'", "'literal string'"},
{"\"bad literal'", RUBBISH},
- {"'literal'); junk'", "'literal\\x27); junk'"},
+ {"'literal'); junk'", "'literal\\'); junk'"},
{"1200", "1200"},
{"3.14", "3.14"},