JCRVLT-117 Potential XSS problem in org.apache.jackrabbit.vault.util.HtmlProgressListener
git-svn-id: https://svn.apache.org/repos/asf/jackrabbit/commons/filevault/trunk@1744116 13f79535-47bb-0310-9956-ffa450edef68
diff --git a/vault-core/src/main/java/org/apache/jackrabbit/vault/util/HtmlProgressListener.java b/vault-core/src/main/java/org/apache/jackrabbit/vault/util/HtmlProgressListener.java
index cf3eaab..6f250b0 100644
--- a/vault-core/src/main/java/org/apache/jackrabbit/vault/util/HtmlProgressListener.java
+++ b/vault-core/src/main/java/org/apache/jackrabbit/vault/util/HtmlProgressListener.java
@@ -23,8 +23,7 @@
import org.apache.jackrabbit.vault.fs.api.ProgressTrackerListener;
/**
- * <code>HtmlProgrressTrackerListener</code>...
- *
+ * <code>HtmlProgressTrackerListener</code> implements a progress tracker listener that writes the progress in HTML.
*/
public class HtmlProgressListener implements ProgressTrackerListener {
@@ -68,6 +67,9 @@
private void print(Mode mode, String action, String path, String msg) {
try {
+ action = Text.encodeIllegalXMLCharacters(action);
+ path = Text.encodeIllegalXMLCharacters(path);
+ msg = msg == null ? null : Text.encodeIllegalXMLCharacters(msg);
out.write("<span class=\"");
out.write(action);
out.write("\">");
diff --git a/vault-core/src/test/java/org/apache/jackrabbit/vault/util/HtmlProgressListenerTest.java b/vault-core/src/test/java/org/apache/jackrabbit/vault/util/HtmlProgressListenerTest.java
new file mode 100644
index 0000000..f0d97ba
--- /dev/null
+++ b/vault-core/src/test/java/org/apache/jackrabbit/vault/util/HtmlProgressListenerTest.java
@@ -0,0 +1,70 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.vault.util;
+
+import java.io.StringWriter;
+
+import org.apache.jackrabbit.vault.fs.api.ProgressTrackerListener;
+import org.junit.Test;
+
+import junit.framework.TestCase;
+
+import static org.junit.Assert.assertEquals;
+
+/**
+ *
+ */
+public class HtmlProgressListenerTest {
+
+ @Test
+ public void testSimpleOnMessage() {
+ StringWriter out = new StringWriter();
+ HtmlProgressListener l = new HtmlProgressListener(out);
+ l.setNoScrollTo(true);
+ l.onMessage(ProgressTrackerListener.Mode.PATHS, "A", "/content/foo");
+ assertEquals("<span class=\"A\"><b>A</b> /content/foo</span><br>\r\n", out.toString());
+ }
+
+ @Test
+ public void testXSSOnMessage() {
+ StringWriter out = new StringWriter();
+ HtmlProgressListener l = new HtmlProgressListener(out);
+ l.setNoScrollTo(true);
+ l.onMessage(ProgressTrackerListener.Mode.PATHS, "A", "<script>alert('hello');</script>");
+ assertEquals("<span class=\"A\"><b>A</b> <script>alert('hello');</script></span><br>\r\n", out.toString());
+ }
+
+ @Test
+ public void testSimpleOnError() {
+ StringWriter out = new StringWriter();
+ HtmlProgressListener l = new HtmlProgressListener(out);
+ l.setNoScrollTo(true);
+ l.onError(ProgressTrackerListener.Mode.PATHS, "/content/foo", new Exception("Test Exception"));
+ assertEquals("<span class=\"E\"><b>E</b> /content/foo (java.lang.Exception: Test Exception)</span><br>\r\n", out.toString());
+ }
+
+ @Test
+ public void testXSSOnError() {
+ StringWriter out = new StringWriter();
+ HtmlProgressListener l = new HtmlProgressListener(out);
+ l.setNoScrollTo(true);
+ l.onError(ProgressTrackerListener.Mode.PATHS, "/content/foo", new Exception("<script>alert('hello');</script>"));
+ assertEquals("<span class=\"E\"><b>E</b> /content/foo (java.lang.Exception: <script>alert('hello');</script>)</span><br>\r\n", out.toString());
+ }
+
+
+}
\ No newline at end of file
