author | Greg Wilkins | 2015-05-29 10:12:57 +0000 |
---|---|---|
committer | Greg Wilkins | 2015-05-29 10:12:57 +0000 |
commit | 4472b614b94550c167dab5c2e3f3362368d4dba0 (patch) | |
tree | 4d55d152c2ae33d18569877473a7146dbfd68384 /jetty-util | |
parent | 0db541889bae3767d2e10c7799451807136766ff (diff) | |
468747 - XSS vulnerability in HttpSpiContextHandler
Diffstat (limited to 'jetty-util')
3 files changed, 83 insertions, 3 deletions
diff --git a/jetty-util/src/main/java/org/eclipse/jetty/util/StringUtil.java b/jetty-util/src/main/java/org/eclipse/jetty/util/StringUtil.java
index 07d85de3ce..e82b8c9387 100644
--- a/jetty-util/src/main/java/org/eclipse/jetty/util/StringUtil.java
+++ b/jetty-util/src/main/java/org/eclipse/jetty/util/StringUtil.java
@@ -733,5 +733,73 @@ public class StringUtil
 return s.substring(1,s.length()-1).split(" *, *");
 }
+
+ public static String sanitizeXmlString(String html)
+ {
+ if (html==null)
+ return null;
+
+ int i=0;
+
+ // Are there any characters that need sanitizing?
+ loop: for (;i<html.length();i++)
+ {
+ char c=html.charAt(i);
+
+ switch(c)
+ {
+ case '&' :
+ case '<' :
+ case '>' :
+ case '\'':
+ case '"':
+ break loop;
+
+ default:
+ if (Character.isISOControl(c) && !Character.isWhitespace(c))
+ break loop;
+ }
+ }
+
+ // No characters need sanitizing, so return original string
+ if (i==html.length())
+ return html;
+
+ // Create builder with OK content so far
+ StringBuilder out = new StringBuilder(html.length()*4/3);
+ out.append(html,0,i);
+
+ // sanitize remaining content
+ for (;i<html.length();i++)
+ {
+ char c=html.charAt(i);
+
+ switch(c)
+ {
+ case '&' :
+ out.append("&");
+ break;
+ case '<' :
+ out.append("<");
+ break;
+ case '>' :
+ out.append(">");
+ break;
+ case '\'':
+ out.append("'");
+ break;
+ case '"':
+ out.append(""");
+ break;
+
+ default:
+ if (Character.isISOControl(c) && !Character.isWhitespace(c))
+ out.append('?');
+ else
+ out.append(c);
+ }
+ }
+ return out.toString();
+ }
 }
diff --git a/jetty-util/src/main/java/org/eclipse/jetty/util/resource/Resource.java b/jetty-util/src/main/java/org/eclipse/jetty/util/resource/Resource.java
index 6fa97109a6..073072018f 100644
--- a/jetty-util/src/main/java/org/eclipse/jetty/util/resource/Resource.java
+++ b/jetty-util/src/main/java/org/eclipse/jetty/util/resource/Resource.java
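Review bot: `sanitizeXmlString` is a new public method with no Javadoc, so nothing states which output contexts it is safe for; I would add above the signature a summary such as `Escapes the five XML special characters (&, <, >, ', ") as entity references and replaces non-whitespace ISO control characters with '?'; returns the argument itself when nothing needs escaping and null for null`, plus the caveat that this is an XML/HTML text-and-attribute escape only, not an encoding for script, URL or CSS contexts. The parameter is named `html` although the method is about XML and the companion test is called `testSanitizeHTML`; naming it `xml` or `s` would stop suggesting that arbitrary HTML is accepted and passed through. As rendered here the replacement strings for `&`, `<`, `>`, `'` and `"` appear as the bare characters, which would make the second loop a no-op; this is presumably the page decoding the entity references (`&amp;` and so on) rather than the source, and the same decoding affects the expected strings in the StringUtilTest hunk, so both are worth confirming against the raw files. The presize `html.length()*4/3` multiplies before dividing in int arithmetic and would go negative for inputs past roughly 536M chars, a theoretical concern only; `html.length()+html.length()/3` avoids it.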
@@ -613,7 +613,7 @@ public abstract class Resource implements ResourceFactory, Closeable
 private static String deTag(String raw)
 {
- return StringUtil.replace( StringUtil.replace(raw,"<","<"), ">", ">");
+ return StringUtil.sanitizeXmlString(raw);
 }
 /* ------------------------------------------------------------ */
diff --git a/jetty-util/src/test/java/org/eclipse/jetty/util/StringUtilTest.java b/jetty-util/src/test/java/org/eclipse/jetty/util/StringUtilTest.java
index 1f78960308..8c4b05f8ee 100644
--- a/jetty-util/src/test/java/org/eclipse/jetty/util/StringUtilTest.java
+++ b/jetty-util/src/test/java/org/eclipse/jetty/util/StringUtilTest.java
@@ -201,7 +201,8 @@ public class StringUtilTest
 }
 @Test
- public void testIsBlank() {
+ public void testIsBlank()
+ {
 Assert.assertTrue(StringUtil.isBlank(null));
 Assert.assertTrue(StringUtil.isBlank(""));
 Assert.assertTrue(StringUtil.isBlank("\r\n"));
@@ -216,7 +217,8 @@ public class StringUtilTest
 }
 @Test
- public void testIsNotBlank() {
+ public void testIsNotBlank()
+ {
 Assert.assertFalse(StringUtil.isNotBlank(null));
 Assert.assertFalse(StringUtil.isNotBlank(""));
 Assert.assertFalse(StringUtil.isNotBlank("\r\n"));
@@ -229,4 +231,14 @@ public class StringUtilTest
 Assert.assertTrue(StringUtil.isNotBlank("."));
 Assert.assertTrue(StringUtil.isNotBlank(";\n"));
 }
+
+ @Test
+ public void testSanitizeHTML()
+ {
+ assertEquals(null,StringUtil.sanitizeXmlString(null));
+ assertEquals("",StringUtil.sanitizeXmlString(""));
+ assertEquals("<&>",StringUtil.sanitizeXmlString("<&>"));
+ assertEquals("Hello <Cruel> World",StringUtil.sanitizeXmlString("Hello <Cruel> World"));
+ assertEquals("Hello ? World",StringUtil.sanitizeXmlString("Hello \u0000 World"));
+ }
 }
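Review bot: `deTag` now escapes `&`, `'` and `"` in addition to `<` and `>`, so any caller that handed it text containing already-escaped entities will get the ampersands escaped a second time; the callers are outside this hunk, so I cannot tell whether any relied on the old pass-through of `&`, but it deserves a check. The name `deTag` now undersells what the helper does, and a one-line comment above it such as `// Escape raw text for inclusion in HTML/XML text or attribute values; delegates to StringUtil.sanitizeXmlString` would make the intent clear. The method body is entirely within the hunk.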
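Review bot: `testSanitizeHTML` exercises the escaping path and the null/empty cases but does not pin the fast-path contract that an input with nothing to escape comes back unchanged, nor that whitespace control characters are kept while other control characters become `?`. I would add `assertSame(s, StringUtil.sanitizeXmlString(s))` for a plain string and `assertEquals("a\tb\nc", StringUtil.sanitizeXmlString("a\tb\nc"))`, plus one input containing `'` and `"`, since those are escaped too and no assertion covers them. The test name says HTML while the method under test is `sanitizeXmlString`; `testSanitizeXmlString` would match it. The new test calls an unqualified `assertEquals` while the neighbouring tests use `Assert.assertTrue`; the static import is not visible in this hunk, so I assume it already exists in the file.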