Author: taylor
Date: Wed Mar 10 01:42:57 2021
New Revision: 1887401
URL: http://svn.apache.org/viewvc?rev=1887401&view=rev
Log:
improve XXS url attack filter
Modified:
portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/engine/servlet/XXSUrlAttackFilter.java
Modified:
portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/engine/servlet/XXSUrlAttackFilter.java
URL:
http://svn.apache.org/viewvc/portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/engine/servlet/XXSUrlAttackFilter.java?rev=1887401&r1=1887400&r2=1887401&view=diff
==============================================================================
---
portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/engine/servlet/XXSUrlAttackFilter.java
(original)
+++
portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/engine/servlet/XXSUrlAttackFilter.java
Wed Mar 10 01:42:57 2021
@@ -99,7 +99,11 @@ public class XXSUrlAttackFilter implemen
// catch
'jspage=/responsive/my-account2.psml%22;alert(/xss/);%22'
String[] parts = value.split("&");
for (String part : parts) {
- String queryValue =
part.split("=")[1].replaceAll("%22", "\"");
+ String[] segments = part.split("=");
+ if (segments.length <= 1) {
+ continue;
+ }
+ String queryValue = segments[1].replaceAll("%22", "\"");
if (queryValue.matches("^\"(.*)\"$")) {
// properly quoted query value
} else if (queryValue.indexOf('"') != -1) {
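Review bot: The guard on `segments.length` fixes the ArrayIndexOutOfBounds, but `part.split("=")` still truncates the query value at its second `=`, so only the text between the first and second `=` reaches the quote check and the remainder of the value is never inspected. If the intent is to examine the whole value, split once: `String[] segments = part.split("=", 2);`. The `"%22"` argument is a literal rather than a pattern, so `segments[1].replace("%22", "\"")` expresses that more directly than `replaceAll`; note it also decodes only the upper-case `%22` form, which is presumably deliberate but worth a comment. The enclosing method begins and ends outside this hunk.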