Author: chris.laprun(a)jboss.com
Date: 2009-02-18 19:10:12 -0500 (Wed, 18 Feb 2009)
New Revision: 12831
Modified:
modules/common/trunk/common/src/main/java/org/jboss/portal/common/util/ParameterValidation.java
modules/common/trunk/common/src/test/java/org/jboss/portal/test/common/util/ParameterValidationTestCase.java
Log:
- Improved XSS detection pattern.
- Added test case.
Modified:
modules/common/trunk/common/src/main/java/org/jboss/portal/common/util/ParameterValidation.java
===================================================================
---
modules/common/trunk/common/src/main/java/org/jboss/portal/common/util/ParameterValidation.java 2009-02-18
15:51:04 UTC (rev 12830)
+++
modules/common/trunk/common/src/main/java/org/jboss/portal/common/util/ParameterValidation.java 2009-02-19
00:10:12 UTC (rev 12831)
@@ -36,7 +36,7 @@
public class ParameterValidation
{
public final static Pattern CSS_DISTANCE =
Pattern.compile("\\d+\\W*(em|ex|px|in|cm|mm|pt|pc|%)?");
- public final static Pattern XSS_CHECK =
Pattern.compile("[^<>\\(\\)=]*");
+ public final static Pattern XSS_CHECK =
Pattern.compile("([^<>\\(\\)=\\\\](?!%5c))*", Pattern.CASE_INSENSITIVE);
/**
* Implements a behavior to be executed in case a value fails to be validated. Uses
the Chain of responsibility
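Review bot: The negative lookahead in the new `XSS_CHECK` pattern is evaluated only after a character has been consumed, so a `%5c` at the very start of the value is never checked — `%`, `5` and `c` are each accepted as ordinary characters, and `%5c/foo` passes while `/foo/%5c` is rejected as the new test expects. Placing the lookahead before the class, `Pattern.compile("((?!%5c)[^<>\\(\\)=\\\\])*", Pattern.CASE_INSENSITIVE)`, checks every position including the first. This also remains a deny-list: other encodings of the excluded characters (`%3c`, `%3e`, `%28`, or a double-encoded `%255c`) still match, so the check is only sound if the caller URL-decodes before validating, which is not visible here; a comment on the constant such as `// must be applied to the fully URL-decoded value; encoded forms other than %5c are not rejected` would make that contract explicit. `sanitizeFromPattern` is outside this hunk, so whether the pattern is applied with `matches()` or `find()` cannot be confirmed from the diff; with `find()` a `*`-quantified pattern always succeeds on the empty string and nothing would ever be rejected.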
Modified:
modules/common/trunk/common/src/test/java/org/jboss/portal/test/common/util/ParameterValidationTestCase.java
===================================================================
---
modules/common/trunk/common/src/test/java/org/jboss/portal/test/common/util/ParameterValidationTestCase.java 2009-02-18
15:51:04 UTC (rev 12830)
+++
modules/common/trunk/common/src/test/java/org/jboss/portal/test/common/util/ParameterValidationTestCase.java 2009-02-19
00:10:12 UTC (rev 12831)
@@ -97,6 +97,19 @@
assertEquals(defaultValue, ParameterValidation.sanitizeFromPattern("",
ParameterValidation.CSS_DISTANCE, defaultValue));
}
+ public void testSanitizeFromPatternXSSCheck()
+ {
+ String defaultValue = "default";
+ assertEquals(defaultValue,
ParameterValidation.sanitizeFromPattern("/foo/bar/\\/baz",
ParameterValidation.XSS_CHECK, defaultValue));
+ assertEquals(defaultValue,
ParameterValidation.sanitizeFromPattern("/foo/bar/%5c/baz",
ParameterValidation.XSS_CHECK, defaultValue));
+ assertEquals(defaultValue,
ParameterValidation.sanitizeFromPattern("/foo/bar/%5C/baz",
ParameterValidation.XSS_CHECK, defaultValue));
+ assertEquals(defaultValue,
ParameterValidation.sanitizeFromPattern("http://qa.cwcportal.aviation.ge.com:80/portal/auth/portal/main/cwcportal-"
+
+
"Home/cwcportal-Home-LeftNavigationPortletWindow?action=1&org.apache.myfaces.portlet.MyFacesGenericPortlet.VIEW_ID=/pages/h"
+
+
"omeleftnavigation.jsp<script>window.open(\"http://3.211.64.16/XSS/
\", \"XSS\",\"width=550,height=290\")</script>",
+ ParameterValidation.XSS_CHECK, defaultValue));
+ assertEquals(defaultValue,
ParameterValidation.sanitizeFromPattern("/foo/bar/</baz",
ParameterValidation.XSS_CHECK, defaultValue));
+ }
+
public void testSanitizeFromValuesNullValue()
{
String defaultValue = "default";
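Review bot: The new `testSanitizeFromPatternXSSCheck` only asserts rejections, so a pattern that rejected every input would also pass; add a benign value that must come back unchanged, e.g. `assertEquals("/foo/bar/baz", ParameterValidation.sanitizeFromPattern("/foo/bar/baz", ParameterValidation.XSS_CHECK, defaultValue));`. A case with the encoded backslash at the start of the value, `"%5c/foo/bar"`, is also worth adding, since the lookahead in the new pattern is positioned after the consumed character and so treats the first position differently from the rest. The long URL fixture embeds what appears to be a real customer hostname and a routable IP address, presumably copied from a bug report; a neutral `example.com` host and an RFC 5737 address such as `192.0.2.1` give the same coverage without committing that data to a public repository.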