Author: chris.laprun(a)jboss.com
Date: 2009-02-21 10:23:55 -0500 (Sat, 21 Feb 2009)
New Revision: 12853
Modified:
modules/common/trunk/common/src/main/java/org/jboss/portal/common/util/ParameterValidation.java
modules/common/trunk/common/src/test/java/org/jboss/portal/test/common/util/ParameterValidationTestCase.java
Log:
- Once more... Maybe, we should just remove all punctuation chars except - and _?
Modified:
modules/common/trunk/common/src/main/java/org/jboss/portal/common/util/ParameterValidation.java
===================================================================
---
modules/common/trunk/common/src/main/java/org/jboss/portal/common/util/ParameterValidation.java 2009-02-21
14:26:05 UTC (rev 12852)
+++
modules/common/trunk/common/src/main/java/org/jboss/portal/common/util/ParameterValidation.java 2009-02-21
15:23:55 UTC (rev 12853)
@@ -36,7 +36,7 @@
public class ParameterValidation
{
public final static Pattern CSS_DISTANCE =
Pattern.compile("\\d+\\W*(em|ex|px|in|cm|mm|pt|pc|%)?");
- public final static Pattern XSS_CHECK =
Pattern.compile("([^<>\\(\\)=\\\\]^(?!%5C))*", Pattern.CASE_INSENSITIVE);
+ public final static Pattern XSS_CHECK =
Pattern.compile("([^<>\\(\\)=\\\\](?<!%5C))*",
Pattern.CASE_INSENSITIVE);
/**
* Implements a behavior to be executed in case a value fails to be validated. Uses
the Chain of responsibility
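Review bot: The new XSS_CHECK pattern on the `+` lines carries no comment explaining which inputs it is meant to reject or why the `(?<!%5C)` lookbehind replaced the earlier `^(?!%5C)` form, and the log message itself says the regex is still being iterated on. I would put a Javadoc on the field, e.g. `/** Accepts a value only if it contains none of < > ( ) = or a backslash, and no percent-encoded backslash (%5C, case-insensitive thanks to CASE_INSENSITIVE); the trailing * also accepts the empty string, so callers are expected to require a full match. */`. Because the quantified group can match zero times, whether an empty or partially matching value is treated as valid depends on how sanitizeFromPattern applies the pattern (matches vs. find), which is outside this hunk. If the goal is to admit only identifier-like values, the allowlist the commit log proposes (roughly `[\w-]*`) is easier to reason about than a denylist of individual characters and one encoded form. The ParameterValidation class continues beyond the hunk.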
Modified:
modules/common/trunk/common/src/test/java/org/jboss/portal/test/common/util/ParameterValidationTestCase.java
===================================================================
---
modules/common/trunk/common/src/test/java/org/jboss/portal/test/common/util/ParameterValidationTestCase.java 2009-02-21
14:26:05 UTC (rev 12852)
+++
modules/common/trunk/common/src/test/java/org/jboss/portal/test/common/util/ParameterValidationTestCase.java 2009-02-21
15:23:55 UTC (rev 12853)
@@ -100,6 +100,11 @@
public void testSanitizeFromPatternXSSCheck()
{
String defaultValue = "default";
+ assertEquals("foo",
ParameterValidation.sanitizeFromPattern("foo", ParameterValidation.XSS_CHECK,
defaultValue));
+ assertEquals("/foo/bar",
ParameterValidation.sanitizeFromPattern("/foo/bar",
ParameterValidation.XSS_CHECK, defaultValue));
+ assertEquals("testé",
ParameterValidation.sanitizeFromPattern("testé",
ParameterValidation.XSS_CHECK, defaultValue));
+ assertEquals("test�",
ParameterValidation.sanitizeFromPattern("test�", ParameterValidation.XSS_CHECK,
defaultValue));
+
assertEquals(defaultValue,
ParameterValidation.sanitizeFromPattern("/foo/bar/\\/baz",
ParameterValidation.XSS_CHECK, defaultValue));
assertEquals(defaultValue,
ParameterValidation.sanitizeFromPattern("/foo/bar/%5c/baz",
ParameterValidation.XSS_CHECK, defaultValue));
assertEquals(defaultValue,
ParameterValidation.sanitizeFromPattern("/foo/bar/%5C/baz",
ParameterValidation.XSS_CHECK, defaultValue));
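Review bot: The two new assertions that exercise non-ASCII input (`"testé"` and the following one, which already shows as a replacement character in this view) embed the characters literally, so the test outcome depends on the encoding the compiler is invoked with. Writing them as Unicode escapes, e.g. `assertEquals("test\u00e9", ParameterValidation.sanitizeFromPattern("test\u00e9", ParameterValidation.XSS_CHECK, defaultValue));`, makes the fixture encoding-independent and keeps the intent readable in the diff. A one-line comment above the new block stating that these are expected to pass the check unchanged (as opposed to the rejected cases that follow) would also help, since the method body continues outside the hunk.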
@@ -113,6 +118,7 @@
"omeleftnavigation.jsp<script>window.open(\"http://3.211.64.16/XSS/
\", \"XSS\",\"width=550,height=290\")</script>",
ParameterValidation.XSS_CHECK, defaultValue));
assertEquals(defaultValue,
ParameterValidation.sanitizeFromPattern("/foo/bar/</baz",
ParameterValidation.XSS_CHECK, defaultValue));
+
}
public void testSanitizeFromValuesNullValue()