Author: thomas.heute(a)jboss.com
Date: 2009-02-23 06:29:43 -0500 (Mon, 23 Feb 2009)
New Revision: 12861
Modified:
modules/common/tags/JBP_COMMON_1_2_4/common/src/main/java/org/jboss/portal/common/util/ParameterValidation.java
modules/common/tags/JBP_COMMON_1_2_4/common/src/test/java/org/jboss/portal/test/common/util/ParameterValidationTestCase.java
Log:
More parameter validation
Modified:
modules/common/tags/JBP_COMMON_1_2_4/common/src/main/java/org/jboss/portal/common/util/ParameterValidation.java
===================================================================
---
modules/common/tags/JBP_COMMON_1_2_4/common/src/main/java/org/jboss/portal/common/util/ParameterValidation.java 2009-02-23
11:02:23 UTC (rev 12860)
+++
modules/common/tags/JBP_COMMON_1_2_4/common/src/main/java/org/jboss/portal/common/util/ParameterValidation.java 2009-02-23
11:29:43 UTC (rev 12861)
@@ -36,7 +36,7 @@
public class ParameterValidation
{
public final static Pattern CSS_DISTANCE =
Pattern.compile("\\d+\\W*(em|ex|px|in|cm|mm|pt|pc|%)?");
- public final static Pattern XSS_CHECK =
Pattern.compile("([^<>\\(\\)=\\\\](?!%5c))*", Pattern.CASE_INSENSITIVE);
+ public final static Pattern XSS_CHECK =
Pattern.compile("([^<>\\(\\)=\\\\](?<!%5C))*",
Pattern.CASE_INSENSITIVE);
/**
* Implements a behavior to be executed in case a value fails to be validated. Uses
the Chain of responsibility
Modified:
modules/common/tags/JBP_COMMON_1_2_4/common/src/test/java/org/jboss/portal/test/common/util/ParameterValidationTestCase.java
===================================================================
---
modules/common/tags/JBP_COMMON_1_2_4/common/src/test/java/org/jboss/portal/test/common/util/ParameterValidationTestCase.java 2009-02-23
11:02:23 UTC (rev 12860)
+++
modules/common/tags/JBP_COMMON_1_2_4/common/src/test/java/org/jboss/portal/test/common/util/ParameterValidationTestCase.java 2009-02-23
11:29:43 UTC (rev 12861)
@@ -100,14 +100,25 @@
public void testSanitizeFromPatternXSSCheck()
{
String defaultValue = "default";
+ assertEquals("foo",
ParameterValidation.sanitizeFromPattern("foo", ParameterValidation.XSS_CHECK,
defaultValue));
+ assertEquals("/foo/bar",
ParameterValidation.sanitizeFromPattern("/foo/bar",
ParameterValidation.XSS_CHECK, defaultValue));
+ assertEquals("testé",
ParameterValidation.sanitizeFromPattern("testé",
ParameterValidation.XSS_CHECK, defaultValue));
+ assertEquals("test�",
ParameterValidation.sanitizeFromPattern("test�", ParameterValidation.XSS_CHECK,
defaultValue));
+
assertEquals(defaultValue,
ParameterValidation.sanitizeFromPattern("/foo/bar/\\/baz",
ParameterValidation.XSS_CHECK, defaultValue));
assertEquals(defaultValue,
ParameterValidation.sanitizeFromPattern("/foo/bar/%5c/baz",
ParameterValidation.XSS_CHECK, defaultValue));
assertEquals(defaultValue,
ParameterValidation.sanitizeFromPattern("/foo/bar/%5C/baz",
ParameterValidation.XSS_CHECK, defaultValue));
+ assertEquals(defaultValue, ParameterValidation.sanitizeFromPattern("%5C",
ParameterValidation.XSS_CHECK, defaultValue));
+ assertEquals(defaultValue, ParameterValidation.sanitizeFromPattern("%5C\t
", ParameterValidation.XSS_CHECK, defaultValue));
+ assertEquals(defaultValue,
ParameterValidation.sanitizeFromPattern("\t\n%5c",
ParameterValidation.XSS_CHECK, defaultValue));
+ assertEquals(defaultValue,
ParameterValidation.sanitizeFromPattern("/foo/bar/%5C",
ParameterValidation.XSS_CHECK, defaultValue));
+ assertEquals(defaultValue,
ParameterValidation.sanitizeFromPattern("/foo/bar/%5c",
ParameterValidation.XSS_CHECK, defaultValue));
assertEquals(defaultValue,
ParameterValidation.sanitizeFromPattern("http://qa.cwcportal.aviation.ge.com:80/portal/auth/portal/main/cwcportal-"
+
"Home/cwcportal-Home-LeftNavigationPortletWindow?action=1&org.apache.myfaces.portlet.MyFacesGenericPortlet.VIEW_ID=/pages/h"
+
"omeleftnavigation.jsp<script>window.open(\"http://3.211.64.16/XSS/
\", \"XSS\",\"width=550,height=290\")</script>",
ParameterValidation.XSS_CHECK, defaultValue));
assertEquals(defaultValue,
ParameterValidation.sanitizeFromPattern("/foo/bar/</baz",
ParameterValidation.XSS_CHECK, defaultValue));
+
}
public void testSanitizeFromValuesNullValue()