Author: lukaszlenart
Date: Tue Mar 20 09:10:37 2012
New Revision: 1302803

URL: http://svn.apache.org/viewvc?rev=1302803&view=rev
Log:
Adds a better way to handle JavaScript injection into request parameters

Modified:
    
struts/struts2/trunk/core/src/main/java/org/apache/struts2/views/util/UrlHelper.java
    
struts/struts2/trunk/core/src/test/java/org/apache/struts2/views/util/UrlHelperTest.java

Modified: 
struts/struts2/trunk/core/src/main/java/org/apache/struts2/views/util/UrlHelper.java
URL: 
http://svn.apache.org/viewvc/struts/struts2/trunk/core/src/main/java/org/apache/struts2/views/util/UrlHelper.java?rev=1302803&r1=1302802&r2=1302803&view=diff
==============================================================================
--- 
struts/struts2/trunk/core/src/main/java/org/apache/struts2/views/util/UrlHelper.java
 (original)
+++ 
struts/struts2/trunk/core/src/main/java/org/apache/struts2/views/util/UrlHelper.java
 Tue Mar 20 09:10:37 2012
@@ -27,6 +27,7 @@ import com.opensymphony.xwork2.util.Text
 import com.opensymphony.xwork2.util.ValueStack;
 import com.opensymphony.xwork2.util.logging.Logger;
 import com.opensymphony.xwork2.util.logging.LoggerFactory;
+import org.apache.commons.lang3.StringEscapeUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.struts2.ServletActionContext;
 import org.apache.struts2.StrutsConstants;
@@ -176,8 +177,8 @@ public class UrlHelper {
 
         String result = link.toString();
 
-        while (result.indexOf("<script>") > 0){
-               result = result.replaceAll("<script>", "script");
+        if (StringUtils.containsIgnoreCase(result, "<script")){
+            result = StringEscapeUtils.escapeEcmaScript(result);
         }
         try {
             result = encodeResult ? response.encodeURL(result) : result;
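Review bot: The added branch applies `StringEscapeUtils.escapeEcmaScript` to a URL, which is the wrong encoder for that value: it is a JavaScript string-literal escaper that backslash-escapes `'`, `"`, `\` and `/` but leaves `<` and `>` alone, so a `<script` sequence survives in `result` while every `/` in the URL becomes `\/`, corrupting it for an `href` or a redirect. Because the escaping only runs when `containsIgnoreCase(result, "<script")` matches, the same URL is also encoded two different ways depending on whether that one substring appears, which is detection-based sanitizing rather than output encoding. The defensible approach is to percent-encode each parameter name and value where it is appended (the expected string in the new test suggests `buildParametersString` already does this) and let the tag that writes the URL into the page HTML-escape it, at which point this special case can be dropped rather than replaced. The enclosing method starts and ends outside the hunk.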

Modified: 
struts/struts2/trunk/core/src/test/java/org/apache/struts2/views/util/UrlHelperTest.java
URL: 
http://svn.apache.org/viewvc/struts/struts2/trunk/core/src/test/java/org/apache/struts2/views/util/UrlHelperTest.java?rev=1302803&r1=1302802&r2=1302803&view=diff
==============================================================================
--- 
struts/struts2/trunk/core/src/test/java/org/apache/struts2/views/util/UrlHelperTest.java
 (original)
+++ 
struts/struts2/trunk/core/src/test/java/org/apache/struts2/views/util/UrlHelperTest.java
 Tue Mar 20 09:10:37 2012
@@ -21,26 +21,21 @@
 
 package org.apache.struts2.views.util;
 
-import com.mockobjects.dynamic.C;
 import com.mockobjects.dynamic.Mock;
 import com.opensymphony.xwork2.ActionContext;
-import com.opensymphony.xwork2.conversion.impl.XWorkConverter;
 import com.opensymphony.xwork2.inject.Container;
 import com.opensymphony.xwork2.inject.Scope.Strategy;
-import com.opensymphony.xwork2.util.ValueStack;
+import org.apache.struts2.StrutsConstants;
+import org.apache.struts2.StrutsTestCase;
 
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
 import java.util.HashMap;
 import java.util.LinkedHashMap;
 import java.util.Map;
 import java.util.Set;
 import java.util.TreeMap;
 
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import org.apache.struts2.StrutsConstants;
-import org.apache.struts2.StrutsTestCase;
-
 
 /**
  * Test case for UrlHelper.
@@ -116,6 +111,22 @@ public class UrlHelperTest extends Strut
            expectedUrl, url.toString());
     }
 
+    public void testBuildParametersStringWithJavaScriptInjected() throws 
Exception {
+        String expectedUrl = 
"http://localhost:8080/myContext/myPage.jsp?initParam=initValue&amp;param1=value1&amp;param2=value2&amp;param3%22%3Cscript+type%3D%22text%2Fjavascript%22%3Ealert%281%29%3B%3C%2Fscript%3E=value3";;
+
+        Map parameters = new LinkedHashMap();
+        parameters.put("param1", "value1");
+        parameters.put("param2", "value2");
+        parameters.put("param3\"<script 
type=\"text/javascript\">alert(1);</script>","value3");
+
+        StringBuilder url = new 
StringBuilder("http://localhost:8080/myContext/myPage.jsp?initParam=initValue";);
+
+        UrlHelper.buildParametersString(parameters, url);
+
+        assertEquals(
+           expectedUrl, url.toString());
+    }
+
     public void testForceAddNullSchemeHostAndPort() throws Exception {
         String expectedUrl = 
"http://localhost/contextPath/path1/path2/myAction.action";;
 
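Review bot: `testBuildParametersStringWithJavaScriptInjected` does not exercise the code this commit changes: it calls `UrlHelper.buildParametersString`, whereas the `escapeEcmaScript` branch added in UrlHelper.java sits after `link.toString()` in the URL-building method, so the percent-encoded `%3Cscript` in the expected string comes from the pre-existing parameter encoding, not from the new branch. A test for the changed code would build a complete URL whose parameter contains `<script` and assert on the exact output, which would also make the backslash-before-slash escaping that `escapeEcmaScript` applies to every `/` visible. The raw-typed `Map parameters = new LinkedHashMap();` could be written `Map<String, String> parameters = new LinkedHashMap<String, String>();` to avoid the unchecked warning.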

