[ https://issues.apache.org/jira/browse/SLING-4560?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15427306#comment-15427306 ]
Lars Krapf commented on SLING-4560:
-----------------------------------
Hello [~radu.cotescu]
With this change {{onSiteURL}} will accept spaces and colons and thus no
longer filters external (and/or " javascript:") URLs.
This could be caught by the following additional tests:
{code:title=XSSAPIImplTest.testfilterHtml()}
{"<a href=\" javascript:alert(23)\">space</a>", "<a>space</a>"},
{"<table background=\"http://www.google.com\"></table>", "<table></table>"},
{code}
Please note, however, that the added test does not contain Bengali / Hindi
characters. FWIW, I tried to come up with a Hindi test using Google Translate:
{code:title=XSSAPIImplTest.testGetValidHref()}
{"/etc/commerce/collections/中文", "/etc/commerce/collections/中文"},
{"/etc/commerce/collections/\u09aa\u09b0\u09c0\u0995\u09cd\u09b7\u09be\u09ae\u09c2\u09b2\u0995", "/etc/commerce/collections/\u09aa\u09b0\u09c0\u0995\u09cd\u09b7\u09be\u09ae\u09c2\u09b2\u0995"},
{code}
Nonetheless, the summary is correct: this test, too, fails with the old regexps.
The reason for this is that the unicode "letter" character class \p{L} is
matching single unicode *code points* only. To match any letter including
diacritics, one might use \P{L}\p{M}*+. See also [1] ("Unicode Categories").
I've added a corresponding patch to the regexp (changing only the character
class) and added a couple of tests.
Note: the test provided by [~jck] *would still fail* even with this change, but
AFAICT that's correct, since these characters are symbols and not letters.
> XSSAPI#getValidHref is empty for valid Bengali or Hindi characters
> ------------------------------------------------------------------
>
> Key: SLING-4560
> URL: https://issues.apache.org/jira/browse/SLING-4560
> Project: Sling
> Issue Type: Bug
> Components: XSS Protection API
> Affects Versions: XSS Protection API 1.0.0
> Reporter: Jean-Christophe Kautzmann
> Assignee: Radu Cotescu
> Fix For: XSS Protection API 1.0.14
>
>
> I added (locally) 2 test cases to
> org.apache.sling.xss.impl.XSSAPIImplTest#testGetValidHref:
> {code}
> {"/etc/commerce/collections/中文", "/etc/commerce/collections/中文"},
> {"/etc/commerce/collections/⺁〡〢☉⊕〒", "/etc/commerce/collections/⺁〡〢☉⊕〒"},
> {code}
> The first test passes (Chinese characters), the 2nd fails (Bengali/Hindi
> characters) although it should pass as they are valid characters.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
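The two points raised in the comment (a href filter must keep rejecting whitespace and colons, and `\p{L}` alone matches one code point so combining marks such as Bengali vowel signs are rejected) can be checked side by side. The block below is an added example written for this thread, not code from the Sling XSS Protection API; it uses JavaScript's Unicode property escapes (`/u` flag), which support `\p{L}`, `\p{M}` and `\p{N}` with the same category semantics as Java's `Pattern`. The two path patterns `OLD_PATH` and `NEW_PATH` are simplified assumptions for illustration, not Sling's actual `getValidHref` regexps; the test vectors are taken from the comment and the issue, plus the page's " javascript:" and external-URL cases.

```javascript
// Added example, not Sling's code. Characters allowed in a path segment besides
// letters: digits, '/', '.', '_', '~', '-'. Neither whitespace nor ':' is in the
// class, so a scheme such as " javascript:" or "http:" never validates.
const PATH_EXTRA = "\\p{N}/._~-";

// Old character class (assumed simplification): \p{L} matches a single code
// point, so a combining mark (category M) following a letter fails the match.
const OLD_PATH = new RegExp(`^[\\p{L}${PATH_EXTRA}]*$`, "u");

// New character class (assumed simplification): a letter followed by any number
// of combining marks, which is how abugidas like Bengali encode vowel signs.
const NEW_PATH = new RegExp(`^(?:\\p{L}\\p{M}*|[${PATH_EXTRA}])*$`, "u");

function isValidHref(href, pattern) {
  return pattern.test(href);
}

// Vectors from the issue and comment plus two filter-bypass style inputs.
const VECTORS = [
  { label: "Chinese letters", href: "/etc/commerce/collections/中文" },
  { label: "Bengali with combining vowel signs",
    href: "/etc/commerce/collections/\u09aa\u09b0\u09c0\u0995\u09cd\u09b7\u09be\u09ae\u09c2\u09b2\u0995" },
  { label: "CJK symbols, not letters", href: "/etc/commerce/collections/⺁〡〢☉⊕〒" },
  { label: "leading space + javascript: scheme", href: " javascript:alert(23)" },
  { label: "external absolute URL", href: "http://www.google.com" },
];

// Evaluate every vector against both patterns; returns [{label, old, new_}].
function evaluate(vectors = VECTORS) {
  return vectors.map((v) => ({
    label: v.label,
    old: isValidHref(v.href, OLD_PATH),
    new_: isValidHref(v.href, NEW_PATH),
  }));
}

// List the code points in a string that are combining marks (category M),
// i.e. exactly the ones \p{L} on its own cannot consume.
function combiningMarks(s) {
  return [...s]
    .filter((ch) => /\p{M}/u.test(ch))
    .map((ch) => "U+" + ch.codePointAt(0).toString(16).toUpperCase().padStart(4, "0"));
}

for (const r of evaluate()) {
  console.log(`${r.label.padEnd(36)} old=${r.old} new=${r.new_}`);
}
console.log("combining marks in the Bengali vector:", combiningMarks(VECTORS[1].href));
```

Running it shows the Chinese path accepted by both patterns, the Bengali path rejected by the old class and accepted by the new one (its four combining marks are U+09C0, U+09CD, U+09BE, U+09C2), and the symbol string, the " javascript:" input and the external URL rejected by both, which is the behaviour the comment asks the extra tests to pin down.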