[jboss-svn-commits] JBL Code SVN: r25705 - in labs/jbossesb/trunk/product: rosetta/tests/src/org/jboss/soa/esb/util and 1 other directories.
Wed Mar 18 05:02:17 EDT 2009
Author: beve
Date: 2009-03-18 05:02:17 -0400 (Wed, 18 Mar 2009)
New Revision: 25705
Added:
labs/jbossesb/trunk/product/rosetta/src/org/jboss/soa/esb/util/XssUtil.java
labs/jbossesb/trunk/product/rosetta/tests/src/org/jboss/soa/esb/util/XssUtilUnitTest.java
Modified:
labs/jbossesb/trunk/product/tools/console/management-web/src/main/webapp/attribute.jsp
labs/jbossesb/trunk/product/tools/console/management-web/src/main/webapp/index.jsp
labs/jbossesb/trunk/product/tools/console/management-web/src/main/webapp/operations.jsp
labs/jbossesb/trunk/product/tools/console/management-web/src/main/webapp/results.jsp
Log:
Work for https://jira.jboss.org/jira/browse/JBESB-2477
Added: labs/jbossesb/trunk/product/rosetta/src/org/jboss/soa/esb/util/XssUtil.java
===================================================================
--- labs/jbossesb/trunk/product/rosetta/src/org/jboss/soa/esb/util/XssUtil.java (rev 0)
+++ labs/jbossesb/trunk/product/rosetta/src/org/jboss/soa/esb/util/XssUtil.java 2009-03-18 09:02:17 UTC (rev 25705)
@@ -0,0 +1,63 @@
+/*
+ * JBoss, Home of Professional Open Source Copyright 2009, Red Hat Middleware
+ * LLC, and individual contributors by the @authors tag. See the copyright.txt
+ * in the distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it under the
+ * terms of the GNU Lesser General Public License as published by the Free
+ * Software Foundation; either version 2.1 of the License, or (at your option)
+ * any later version.
+ *
+ * This software is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this software; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA, or see the FSF
+ * site: http://www.fsf.org.
+ */
+package org.jboss.soa.esb.util;
+
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+/**
+ * Cross Site Scripting (XSS) util class.
+ * <p/>
+ *
+ * @author <a href="mailto:dbevenius at jboss.com">Daniel Bevenius</a>
+ */
+public final class XssUtil
+{
+ private static Pattern ampPattern = Pattern.compile("&");
+ private static Pattern quotePattern = Pattern.compile("[\"]");
+ private static Pattern openTagPattern = Pattern.compile("[<]|(%3C)");
+ private static Pattern closeTagPattern = Pattern.compile("[>]|(%3E)");
+
+ private XssUtil()
+ {
+ }
+
+ public static String escape(final String text)
+ {
+ String replace = replace(ampPattern, text, "&");
+ replace = replace(quotePattern, replace, """);
+ replace = replace(openTagPattern, replace, "<");
+ replace = replace(closeTagPattern, replace, ">");
+ return replace;
+ }
+
+ private static String replace(final Pattern pattern, final String text, final String replacement)
+ {
+ final Matcher m = pattern.matcher(text);
+ if (m.find())
+ {
+ return m.replaceAll(replacement);
+ }
+ return text;
+
+ }
+
+}
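Review bot: `escape` has no null guard and `pattern.matcher(text)` in `replace` throws a NullPointerException for a null argument, which matters because attribute.jsp now passes `request.getParameter("servername")` straight in; add `if (text == null) { return ""; }` at the top of `escape` (or return null, if callers depend on that) and state the choice in the Javadoc. The four `Pattern` fields should be `private static final`, and `replace` can be reduced to `return pattern.matcher(text).replaceAll(replacement);`, since `replaceAll` returns the input unchanged when nothing matches. The class Javadoc should also record the contract: only `&`, `"`, `<`, `>` and the upper-case sequences `%3C`/`%3E` are rewritten (`%3c`/`%3e` and the single quote pass through), so the result is safe in element content and double-quoted attributes, not in single-quoted attributes, `href` values or script blocks. Rewriting `%3C`/`%3E` mixes URL decoding into an HTML escaper: the container already decodes request parameters, so a literal `%3C` in a value is altered here while `%22` is not; either document that as deliberate or drop the two alternations. As rendered in this archive the replacement literals read `"&"` and `"""`, which would not compile, so presumably the `&amp;`/`&quot;`/`&lt;`/`&gt;` entities were decoded by the mail archive rather than absent from the commit.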
Added: labs/jbossesb/trunk/product/rosetta/tests/src/org/jboss/soa/esb/util/XssUtilUnitTest.java
===================================================================
--- labs/jbossesb/trunk/product/rosetta/tests/src/org/jboss/soa/esb/util/XssUtilUnitTest.java (rev 0)
+++ labs/jbossesb/trunk/product/rosetta/tests/src/org/jboss/soa/esb/util/XssUtilUnitTest.java 2009-03-18 09:02:17 UTC (rev 25705)
@@ -0,0 +1,95 @@
+/*
+ * JBoss, Home of Professional Open Source Copyright 2009, Red Hat Middleware
+ * LLC, and individual contributors by the @authors tag. See the copyright.txt
+ * in the distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it under the
+ * terms of the GNU Lesser General Public License as published by the Free
+ * Software Foundation; either version 2.1 of the License, or (at your option)
+ * any later version.
+ *
+ * This software is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this software; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA, or see the FSF
+ * site: http://www.fsf.org.
+ */
+package org.jboss.soa.esb.util;
+
+import static org.junit.Assert.*;
+import junit.framework.JUnit4TestAdapter;
+
+import org.junit.Test;
+
+/**
+ * Unit test for {@link XssUtil}.
+ * <p/>
+ *
+ * @author <a href="mailto:dbevenius at jboss.com">Daniel Bevenius</a>
+ */
+public class XssUtilUnitTest
+{
+ private String expectedUrl = "http://www.jboss.org/jbossesb/attribute.jsp?<script>alert('sometext')</script>";
+ private String expectedUrlNonClosingTags = "http://www.jboss.org/jbossesb/attribute.jsp?<script>alert('sometext')<script>";
+
+ @Test
+ public void escapeNoSpecialCharacters()
+ {
+ String url = "http://wwww.jboss.org/jbossesb/attribute.jsp";
+ String escaped = XssUtil.escape(url);
+ assertEquals(url, escaped);
+ }
+
+ @Test
+ public void escapeScriptTag()
+ {
+ String escaped = XssUtil.escape("http://www.jboss.org/jbossesb/attribute.jsp?<script>alert('sometext')</script>");
+ assertEquals(expectedUrl, escaped);
+ }
+
+ @Test
+ public void escapeScriptTagsWithOutClosingTag()
+ {
+ String escaped = XssUtil.escape("http://www.jboss.org/jbossesb/attribute.jsp?<script>alert('sometext')<script>");
+ assertEquals(expectedUrlNonClosingTags, escaped);
+ }
+
+ @Test
+ public void escapeUnicodeScriptTags()
+ {
+ String escaped = XssUtil.escape("http://www.jboss.org/jbossesb/attribute.jsp?%3Cscript%3Ealert('sometext')%3C/script%3E");
+ assertEquals(expectedUrl, escaped);
+ }
+
+ @Test
+ public void escapeUnicodeScriptTagsWithOutClosingTag()
+ {
+ String escaped = XssUtil.escape("http://www.jboss.org/jbossesb/attribute.jsp?%3Cscript%3Ealert('sometext')%3Cscript%3E");
+ assertEquals(expectedUrlNonClosingTags, escaped);
+ }
+
+ @Test
+ public void escapeQuote()
+ {
+ String escaped = XssUtil.escape("\"sometext\"");
+ assertEquals(""sometext"", escaped);
+
+ }
+
+ @Test
+ public void escapeBodyOnloadTag()
+ {
+ String escaped = XssUtil.escape("http://127.0.0.1:8080/jbossesb/attribute.jsp?servername=%22%3CBODY%20ONLOAD=alert(%27XSS%27)%3E%22&id=80");
+ assertEquals("http://127.0.0.1:8080/jbossesb/attribute.jsp?servername=%22<BODY%20ONLOAD=alert(%27XSS%27)>%22&id=80", escaped);
+ }
+
+ public static junit.framework.Test suite()
+ {
+ return new JUnit4TestAdapter(XssUtilUnitTest.class);
+ }
+
+}
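Review bot: The tests never cover a null argument, a single quote, or lower-case `%3c`/`%3e`, which are exactly the inputs where `XssUtil.escape` as committed behaves unlike a general HTML escaper (NullPointerException, pass-through, pass-through); add a null test once that contract is decided, and one pinning that `'` is left untouched so a later change to the escaper cannot silently alter the output seen by the JSPs. `escapeUnicodeScriptTags` and `escapeUnicodeScriptTagsWithOutClosingTag` exercise percent-encoded input, not Unicode; `escapePercentEncodedScriptTags` would name what they check. `escapeBodyOnloadTag` also fixes the asymmetry that `%3C`/`%3E` are rewritten while `%22` and `%27` pass through; a one-line comment on that assertion, `// %3C/%3E are rewritten by the escaper, %22/%27 are not`, saves the next reader a trip to XssUtil. The `expectedUrl` fields duplicate the literal inputs in the tests; extracting the input strings as constants next to the expected values would make each pair easier to compare.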
Modified: labs/jbossesb/trunk/product/tools/console/management-web/src/main/webapp/attribute.jsp
===================================================================
--- labs/jbossesb/trunk/product/tools/console/management-web/src/main/webapp/attribute.jsp 2009-03-18 05:37:19 UTC (rev 25704)
+++ labs/jbossesb/trunk/product/tools/console/management-web/src/main/webapp/attribute.jsp 2009-03-18 09:02:17 UTC (rev 25705)
@@ -13,7 +13,7 @@
org.jboss.soa.esb.monitoring.server.TimeSeriesChartProducer,
org.jfree.data.time.Minute,
org.jfree.chart.JFreeChart,
- org.apache.taglibs.standard.tag.common.core.Util
+ org.jboss.soa.esb.util.XssUtil;
"%>
<%!
private static int imagecounter = 0;
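Review bot: The new import entry `org.jboss.soa.esb.util.XssUtil;` carries a trailing semicolon inside the page directive's comma-separated import list, unlike the same edit in operations.jsp and results.jsp; the index.jsp import hunk has the same stray semicolon. Whether the JSP translator tolerates the extra `;` depends on the container, so drop it in both files for consistency: `org.jboss.soa.esb.util.XssUtil`.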
@@ -46,7 +46,7 @@
<hr>
<%
Long id = new Long(request.getParameter("id"));
-String servername = Util.escapeXml(request.getParameter("servername"));
+String servername = request.getParameter("servername");
int maxrecords = 10;
try {
maxrecords = Integer.parseInt(request.getParameter("maxrecords"));
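Review bot: `servername` is now held unescaped, so every later sink of the variable has to escape at the point of output; the hidden input in the `@@ -120,7` hunk does, but any other use of `servername` on this page lies outside these hunks and needs the same treatment, and if the value is ever placed in a URL, `URLEncoder.encode` is the right function there rather than `XssUtil.escape`. When the parameter is absent, `request.getParameter` returns null and `XssUtil.escape(null)` as committed throws a NullPointerException from `Pattern.matcher`, turning a missing parameter into a server error; `String servername = request.getParameter("servername"); if (servername == null) { servername = ""; }` (or a null guard inside XssUtil) closes that. `new Long(request.getParameter("id"))` on the line above is pre-existing but has the same shape, a NumberFormatException on a malformed `id`.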
@@ -105,7 +105,7 @@
<%
} else {
%>
-<h1><code><%=Util.escapeXml(attribute)%></code></h1>
+<h1><code><%=XssUtil.escape(attribute)%></code></h1>
<%
}
%><br>
@@ -120,7 +120,7 @@
</select> and the
list the last <input type="text" name="maxrecords" value="<%= maxrecords %>"></input> records
<input type="hidden" name="id" value="<%=id%>">
- <input type="hidden" name="servername" value="<%=servername%>">
+ <input type="hidden" name="servername" value="<%=XssUtil.escape(servername)%>">
<input type="submit" value="submit">
</form>
<hr>
@@ -128,7 +128,7 @@
<table>
<tr>
<th>Collection Date</th>
-<th><%=Util.escapeXml(attribute) %></th>
+<th><%=XssUtil.escape(attribute) %></th>
</tr>
<%
NumberFormat nf = NumberFormat.getInstance();
Modified: labs/jbossesb/trunk/product/tools/console/management-web/src/main/webapp/index.jsp
===================================================================
--- labs/jbossesb/trunk/product/tools/console/management-web/src/main/webapp/index.jsp 2009-03-18 05:37:19 UTC (rev 25704)
+++ labs/jbossesb/trunk/product/tools/console/management-web/src/main/webapp/index.jsp 2009-03-18 09:02:17 UTC (rev 25705)
@@ -7,7 +7,7 @@
org.jboss.soa.esb.monitoring.MonitoringSessionFactory,
org.jboss.soa.esb.monitoring.pojo.*,
org.jboss.soa.esb.monitoring.server.StatisticsHelper,
- org.apache.taglibs.standard.tag.common.core.Util
+ org.jboss.soa.esb.util.XssUtil;
"%>
<html>
<head>
@@ -47,7 +47,7 @@
String serverName = (String) serverNames.get(i);
%>
<hr>
- <h1><code><%=Util.escapeXml(serverName)%></code></h1>
+ <h1><code><%=XssUtil.escape(serverName)%></code></h1>
<%
List objectNames = StatisticsHelper.getObjectNamesForServer(sess, serverName);
for (int j = 0; j < objectNames.size(); j++) {
@@ -59,7 +59,7 @@
List attributeNames = StatisticsHelper.getAttributes(sess, serverName, objectName);
for (int k = 0; k < attributeNames.size(); k++) {
JMXAttribute jmxattr = (JMXAttribute) attributeNames.get(k);
- String attributeName = Util.escapeXml(jmxattr.getAttribute());
+ String attributeName = XssUtil.escape(jmxattr.getAttribute());
%>
<li><a href="attribute.jsp?servername=<%=serverName%>&id=<%=jmxattr.getId()%>"><%=attributeName%></a></li>
<%
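Review bot: On the unchanged line after the edit, `serverName` is written raw into the `href` of the attribute link (`attribute.jsp?servername=<%=serverName%>&id=...`) while only the link text is escaped; a server name containing `"`, `<` or `&` ends the attribute value early, and the same value is escaped for the heading in the earlier hunk, so it appears to be treated as untrusted there. A query-string value needs URL encoding first and HTML escaping second: `<li><a href="attribute.jsp?servername=<%=XssUtil.escape(URLEncoder.encode(serverName, "UTF-8"))%>&amp;id=<%=jmxattr.getId()%>"><%=attributeName%></a></li>`, with `java.net.URLEncoder` added to the page import list. The `&` separating the two query parameters should itself be `&amp;` inside an attribute value. The loop enclosing this line starts before the hunk.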
Modified: labs/jbossesb/trunk/product/tools/console/management-web/src/main/webapp/operations.jsp
===================================================================
--- labs/jbossesb/trunk/product/tools/console/management-web/src/main/webapp/operations.jsp 2009-03-18 05:37:19 UTC (rev 25704)
+++ labs/jbossesb/trunk/product/tools/console/management-web/src/main/webapp/operations.jsp 2009-03-18 09:02:17 UTC (rev 25705)
@@ -8,7 +8,7 @@
org.jboss.soa.esb.monitoring.pojo.*,
org.jboss.soa.esb.monitoring.server.StatisticsHelper,
org.jboss.soa.esb.monitoring.server.OperationsHelper,
- org.apache.taglibs.standard.tag.common.core.Util
+ org.jboss.soa.esb.util.XssUtil
"%>
<html>
<head>
@@ -49,13 +49,13 @@
String serverName = (String) serverNames.get(i);
%>
<hr>
- <h1><code><%=Util.escapeXml(serverName)%></code></h1>
+ <h1><code><%=XssUtil.escape(serverName)%></code></h1>
<%
List objectNames = OperationsHelper.getObjectNamesForServer(sess, serverName);
for (int j = 0; j < objectNames.size(); j++) {
String objectName= (String) objectNames.get(j);
%>
- <li><b><%=Util.escapeXml(objectName)%></b></li>
+ <li><b><%=XssUtil.escape(objectName)%></b></li>
<ul>
<%
List operations = OperationsHelper.getOperations(sess, serverName, objectName);
@@ -64,7 +64,7 @@
String operation = jmxoper.getReturntype() + " " + jmxoper.getOperation()
+ " (" + jmxoper.getDescription() + ")";
%>
- <li><a href="invoke.jsp?id=<%=jmxoper.getId()%>"><%=Util.escapeXml(operation)%></a></li>
+ <li><a href="invoke.jsp?id=<%=jmxoper.getId()%>"><%=XssUtil.escape(operation)%></a></li>
<%
}
%>
Modified: labs/jbossesb/trunk/product/tools/console/management-web/src/main/webapp/results.jsp
===================================================================
--- labs/jbossesb/trunk/product/tools/console/management-web/src/main/webapp/results.jsp 2009-03-18 05:37:19 UTC (rev 25704)
+++ labs/jbossesb/trunk/product/tools/console/management-web/src/main/webapp/results.jsp 2009-03-18 09:02:17 UTC (rev 25705)
@@ -8,7 +8,7 @@
org.jboss.soa.esb.monitoring.pojo.*,
org.jboss.soa.esb.monitoring.server.StatisticsHelper,
org.jboss.soa.esb.monitoring.server.OperationsHelper,
- org.apache.taglibs.standard.tag.common.core.Util
+ org.jboss.soa.esb.util.XssUtil
"%>
<html>
<head>
@@ -49,7 +49,7 @@
String serverName = (String) serverNames.get(i);
%>
<hr>
- <h1><code><%=Util.escapeXml(serverName)%></code></h1>
+ <h1><code><%=XssUtil.escape(serverName)%></code></h1>
<%
List results = OperationsHelper.getOperationResults(sess, serverName);
for (int j = 0; j < results.size(); j++) {
@@ -57,9 +57,9 @@
%>
<li><b><%=jmxor.getStatdate()%></b></li>
<ul>
- <li><b>Result:</b> <%=Util.escapeXml(jmxor.getResult())%>
- <li><b>Object name:</b> <%=Util.escapeXml(jmxor.getOperation().getObjectname()) %>
- <li><b>Operation:</b> <%=Util.escapeXml(jmxor.getOperation().getReturntype())%> <%=Util.escapeXml(jmxor.getOperation().getOperation()) %>
+ <li><b>Result:</b> <%=XssUtil.escape(jmxor.getResult())%>
+ <li><b>Object name:</b> <%=XssUtil.escape(jmxor.getOperation().getObjectname()) %>
+ <li><b>Operation:</b> <%=XssUtil.escape(jmxor.getOperation().getReturntype())%> <%=XssUtil.escape(jmxor.getOperation().getOperation()) %>
</ul>
<%
}
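Review bot: `jmxor.getStatdate()` on the context line above the changed block is emitted unescaped while every other value in the same list is now passed through `XssUtil.escape`; if it returns a formatted string rather than a date object, wrap it the same way, `<li><b><%=XssUtil.escape(jmxor.getStatdate())%></b></li>`, and otherwise a short comment noting why it is exempt would stop the next reader from flagging it. The loop enclosing these lines starts before the hunk.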