authorChris Goldthorpe2011-02-23 17:46:23 -0500
committerChris Goldthorpe2011-02-23 17:46:23 -0500
commit7671604f0f7c92f5630992d60de43a9df265989d (patch)
tree0958ebb77fa296630d27a9ac2ec0609bb071cea6
parent06b7e13e8ea2c9097d4f20eebd55417e5e865fa5 (diff)
downloadeclipse.platform.ua-7671604f0f7c92f5630992d60de43a9df265989d.tar.gz
eclipse.platform.ua-7671604f0f7c92f5630992d60de43a9df265989d.tar.xz
eclipse.platform.ua-7671604f0f7c92f5630992d60de43a9df265989d.zip
Bug 338028 - [Webapp][Security] UrlUtil.HtmlEncode() should encode more characters
-rw-r--r--org.eclipse.help.webapp/src/org/eclipse/help/internal/webapp/data/UrlUtil.java36
-rw-r--r--org.eclipse.ua.tests/help/org/eclipse/ua/tests/help/webapp/AllWebappTests.java1
-rw-r--r--org.eclipse.ua.tests/help/org/eclipse/ua/tests/help/webapp/HtmlCoderTest.java115
3 files changed, 143 insertions, 9 deletions
diff --git a/org.eclipse.help.webapp/src/org/eclipse/help/internal/webapp/data/UrlUtil.java b/org.eclipse.help.webapp/src/org/eclipse/help/internal/webapp/data/UrlUtil.java
index f307bb282..770835042 100644
--- a/org.eclipse.help.webapp/src/org/eclipse/help/internal/webapp/data/UrlUtil.java
+++ b/org.eclipse.help.webapp/src/org/eclipse/help/internal/webapp/data/UrlUtil.java
@@ -32,15 +32,9 @@ import org.eclipse.core.runtime.Platform;
import org.eclipse.help.internal.HelpPlugin;
import org.eclipse.help.internal.base.BaseHelpSystem;
import org.eclipse.help.internal.base.HelpBasePlugin;
-import org.eclipse.help.internal.base.util.TString;
import org.eclipse.help.internal.util.ProductPreferences;
public class UrlUtil {
- // XML escaped characters mapping
- private static final String invalidXML[] = {"&", ">", "<", "\"", "'"}; //$NON-NLS-1$ //$NON-NLS-2$ //$NON-NLS-3$ //$NON-NLS-4$ //$NON-NLS-5$
- // Note that we have to use &#39; instead of &apos; because &apos; does not work in all versions of IE
- private static final String escapedXML[] = {
- "&amp;", "&gt;", "&lt;", "&quot;", "&#39;"}; //$NON-NLS-1$ //$NON-NLS-2$ //$NON-NLS-3$ //$NON-NLS-4$ //$NON-NLS-5$
// for Safari build 125.1 finds version 125
static final Pattern safariPattern = Pattern.compile(
@@ -101,9 +95,33 @@ public class UrlUtil {
return null;
}
- for (int i = 0; i < invalidXML.length; i++)
- str = TString.change(str, invalidXML[i], escapedXML[i]);
- return str;
+ StringBuffer result = new StringBuffer();
+ for (int i = 0 ; i < str.length(); i++) {
+ appendEncodedChar(result, str.charAt(i));
+ }
+ return result.toString();
+ }
+
+ private static void appendEncodedChar(StringBuffer result, char ch) {
+ if (needsEncoding(ch)) {
+ int chInt = ch;
+ result.append("&#" + chInt + ';'); //$NON-NLS-1$
+ return;
+ }
+ result.append(ch);
+ }
+
+ private static boolean needsEncoding(char ch) {
+ if (ch > 255) {
+ return false;
+ }
+ if (Character.isLetterOrDigit(ch)) {
+ return false;
+ }
+ if ( ch == ' ' || ch == '_') {
+ return false;
+ }
+ return true;
}
public static boolean isLocalRequest(HttpServletRequest request) {
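Review bot: The new helpers `appendEncodedChar` and `needsEncoding` carry no Javadoc, and the contract they implement is not obvious from the code: every character in the 0–255 range that is not a letter or digit per `Character.isLetterOrDigit`, a space or an underscore becomes a decimal numeric character reference (`&#N;`), while anything above 255 — including surrogate halves — is appended unchanged. A comment on `needsEncoding` along the lines of `// Only Latin-1 (<= 255) non-alphanumerics are encoded; higher code points pass through unchanged. This covers the HTML-significant &, <, >, " and ' but leaves the rest to the response charset.` would record that decision for the next maintainer. As a style point, `result.append("&#" + chInt + ';')` builds a temporary String just to hand it to a builder; `result.append("&#").append(chInt).append(';');` avoids that, and `StringBuilder` would do in place of `StringBuffer` unless the bundle still targets a pre-1.5 execution environment, which the hunk does not show. `htmlEncode` itself begins above the hunk, so its null handling is only partially visible here.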
diff --git a/org.eclipse.ua.tests/help/org/eclipse/ua/tests/help/webapp/AllWebappTests.java b/org.eclipse.ua.tests/help/org/eclipse/ua/tests/help/webapp/AllWebappTests.java
index 3d8caeea7..2858d8b49 100644
--- a/org.eclipse.ua.tests/help/org/eclipse/ua/tests/help/webapp/AllWebappTests.java
+++ b/org.eclipse.ua.tests/help/org/eclipse/ua/tests/help/webapp/AllWebappTests.java
@@ -38,6 +38,7 @@ public class AllWebappTests extends TestSuite {
suite.addTestSuite(HelpServerInterrupt.class);
suite.addTestSuite(ParallelServerAccessTest.class);
suite.addTestSuite(HelpServerBinding.class);
+ suite.addTestSuite(HtmlCoderTest.class);
//$JUnit-END$
return suite;
}
diff --git a/org.eclipse.ua.tests/help/org/eclipse/ua/tests/help/webapp/HtmlCoderTest.java b/org.eclipse.ua.tests/help/org/eclipse/ua/tests/help/webapp/HtmlCoderTest.java
new file mode 100644
index 000000000..f83fec8e8
--- /dev/null
+++ b/org.eclipse.ua.tests/help/org/eclipse/ua/tests/help/webapp/HtmlCoderTest.java
@@ -0,0 +1,115 @@
+/*******************************************************************************
+ * Copyright (c) 2010 IBM Corporation and others.
+ * All rights reserved. This program and the accompanying materials
+ * are made available under the terms of the Eclipse Public License v1.0
+ * which accompanies this distribution, and is available at
+ * http://www.eclipse.org/legal/epl-v10.html
+ *
+ * Contributors:
+ * IBM Corporation - initial API and implementation
+ *******************************************************************************/
+
+package org.eclipse.ua.tests.help.webapp;
+
+import junit.framework.TestCase;
+
+import org.eclipse.help.internal.webapp.data.UrlUtil;
+
+public class HtmlCoderTest extends TestCase {
+
+ public void testEncodeEmpty() {
+ String encoded = UrlUtil.htmlEncode(null);
+ assertNull(encoded);
+ }
+
+ /**
+ * Verify that alpha characters are not encoded
+ */
+ public void testEncodeAlpha() {
+ final String letters = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
+ String encoded = UrlUtil.htmlEncode(letters);
+ assertEquals(letters, encoded);
+ }
+
+ /**
+ * Verify that alpha characters are not encoded
+ */
+ public void testEncodeNumeric() {
+ final String numbers = "1234567890";
+ String encoded = UrlUtil.htmlEncode(numbers);
+ assertEquals(numbers, encoded);
+ }
+
+ /**
+ * Verify that space is not encoded
+ */
+ public void testEncodeSpace() {
+ final String spaces = " ";
+ String encoded = UrlUtil.htmlEncode(spaces);
+ assertEquals(spaces, encoded);
+ }
+
+ /**
+ * Verify that quote is encoded
+ */
+ public void testEncodeQuote() {
+ final String source = "\'";
+ String encoded = UrlUtil.htmlEncode(source);
+ assertNotSame(source, encoded);
+ }
+
+ /**
+ * Verify that less than is encoded
+ */
+ public void testEncodeLt() {
+ final String source = "<";
+ String encoded = UrlUtil.htmlEncode(source);
+ assertNotSame(source, encoded);
+ }
+
+ /**
+ * Verify that greater than is encoded
+ */
+ public void testEncodeGt() {
+ final String source = ">";
+ String encoded = UrlUtil.htmlEncode(source);
+ assertNotSame(source, encoded);
+ }
+
+ /**
+ * Verify that ampersand is encoded
+ */
+ public void testEncodeAmp() {
+ final String source = "&";
+ String encoded = UrlUtil.htmlEncode(source);
+ assertNotSame(source, encoded);
+ }
+
+ /**
+ * Verify that ampersand is encoded
+ */
+ public void testEncodeBackslash() {
+ final String source = "\\";
+ String encoded = UrlUtil.htmlEncode(source);
+ assertNotSame(source, encoded);
+ }
+
+ /**
+ * Verify that newline is encoded
+ */
+ public void testEncodeNewline() {
+ final String source = "\n";
+ String encoded = UrlUtil.htmlEncode(source);
+ assertNotSame(source, encoded);
+ }
+
+ /**
+ * Verify that CR is encoded
+ */
+ public void testEncodeCarriageReturn() {
+ final String source = "\r";
+ String encoded = UrlUtil.htmlEncode(source);
+ assertNotSame(source, encoded);
+ }
+
+}
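Review bot: The `assertNotSame(source, encoded)` checks in testEncodeQuote through testEncodeCarriageReturn only compare object identity, and since `htmlEncode` returns a freshly built `result.toString()` they pass even when the character is emitted unencoded, so they do not actually verify the fix for bug 338028. Pin the expected output instead, e.g. `assertEquals("&#39;", UrlUtil.htmlEncode("\'"));`, `assertEquals("&#60;", UrlUtil.htmlEncode("<"));`, `assertEquals("&#38;", UrlUtil.htmlEncode("&"));`, and likewise for `>`, backslash, newline and CR. The Javadoc on testEncodeNumeric and testEncodeBackslash is copy-pasted from neighbouring tests and should read `Verify that numeric characters are not encoded` and `Verify that backslash is encoded`. A mixed-content case such as `"a<b&c"` and a character above 255 (which `needsEncoding` passes through unchanged) would also be worth covering, since none of the tests exercise those paths.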
