diff --git a/pom.xml b/pom.xml
index a1d1f7b2a8a5c58e45e9f410a296a0003ef7d03a..dd60437875596b286c87bc7e48c58473eb19692d 100644
--- a/pom.xml
+++ b/pom.xml
@@ -1647,12 +1647,12 @@
 		<dependency>
 			<groupId>net.sourceforge.nekohtml</groupId>
 			<artifactId>nekohtml</artifactId>
-			<version>1.9.14</version>
+			<version>1.9.16</version>
 		</dependency>
 		<dependency>
 			<groupId>org.owasp.antisamy</groupId>
 			<artifactId>antisamy</artifactId>
-			<version>1.4.4</version>
+			<version>1.5.2</version>
 		</dependency>
 		<dependency>
 			<groupId>org.w3c.css</groupId>
diff --git a/src/main/java/org/olat/core/_i18n/LocalStrings_de.properties b/src/main/java/org/olat/core/_i18n/LocalStrings_de.properties
index 75940b27c1be527a4a1c3ad9fbe149ddc250b7a5..b85acb9002758819678a6d9dd185119f90fb3bae 100644
--- a/src/main/java/org/olat/core/_i18n/LocalStrings_de.properties
+++ b/src/main/java/org/olat/core/_i18n/LocalStrings_de.properties
@@ -14,6 +14,7 @@ edit=Editieren
 error.header=Fehler
 error.jpbwrapper.renderfailed=Die Komponente kann nicht mehr dargestellt werden. Bitte rufen Sie die Komponente erneut auf.
 error.noformpostdata=Achtung\! Durch ein Problem Ihres Browsers wurden nicht alle Daten hochgeladen. Dr\u00FCcken Sie bitte den Zur\u00FCck-Knopf und versuchen Sie es nochmals.
+error.post.method.mandatory=Benutzt ein Browser
 expand=Vergr\u00F6ssern
 finish=Fertigstellen
 form.checkall=Alle ausw\u00E4hlen
diff --git a/src/main/java/org/olat/core/_i18n/LocalStrings_en.properties b/src/main/java/org/olat/core/_i18n/LocalStrings_en.properties
index 1c4a544afc7ed83bb94fdf42ad17d296f5cc4e66..ad309742da3dc0f5b4748fc73724018695d65549 100644
--- a/src/main/java/org/olat/core/_i18n/LocalStrings_en.properties
+++ b/src/main/java/org/olat/core/_i18n/LocalStrings_en.properties
@@ -14,6 +14,7 @@ edit=Edit
 error.header=Error
 error.jpbwrapper.renderfailed=This component cannot be displayed anymore. Please start component again.
 error.noformpostdata=Attention\! Due to problems concerning your browser some data could not be transferred. Please use the "Back" button and try again.
+error.post.method.mandatory=Use a browser!
 expand=Expand
 finish=Finish
 form.checkall=Select all
diff --git a/src/main/java/org/olat/core/gui/components/form/flexible/impl/elements/AbstractTextElement.java b/src/main/java/org/olat/core/gui/components/form/flexible/impl/elements/AbstractTextElement.java
index cc5ea2cbb66115dc7ce476038be69062bcf73137..55650db204cddcb29d920211dc43f108c8c7d195 100644
--- a/src/main/java/org/olat/core/gui/components/form/flexible/impl/elements/AbstractTextElement.java
+++ b/src/main/java/org/olat/core/gui/components/form/flexible/impl/elements/AbstractTextElement.java
@@ -129,7 +129,7 @@ public abstract class AbstractTextElement extends FormItemImpl implements TextEl
 	 * @see org.olat.core.gui.components.form.flexible.elements.TextElement#getValue()
 	 */
 	public String getValue() {
-		Filter xssFilter = FilterFactory.getXSSFilter(value.length() + 1);
+		Filter xssFilter = FilterFactory.getXSSFilterForTextField(value.length() + 1);
 		return getValue(xssFilter);
 	}
 
diff --git a/src/main/java/org/olat/core/logging/OLATRuntimeException.java b/src/main/java/org/olat/core/logging/OLATRuntimeException.java
index ff8ec665cb4049c92d3290dcf5b9e12f97ae8516..4ec9ea47562aebbf9c2a48c9f0d4be68bd75eca5 100644
--- a/src/main/java/org/olat/core/logging/OLATRuntimeException.java
+++ b/src/main/java/org/olat/core/logging/OLATRuntimeException.java
@@ -19,6 +19,9 @@
 */ 
 
 package org.olat.core.logging;
+
+import org.olat.core.util.filter.FilterFactory;
+
 /**
 *  Description:<br />
 *	 Thrown if an unrecoverable error occurs. These Exceptions get caught by the Servlet. The user
@@ -89,7 +92,7 @@ public class OLATRuntimeException extends RuntimeException {
 	 * @param th
 	 * @return HTML fragment.
 	 */
-	public static StringBuilder throwableToHtml(Throwable th) {
+	public static String throwableToHtml(Throwable th) {
 		StringBuilder sb = new StringBuilder("<br />");
 		if (th == null) {
 			sb.append("n/a");
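Review bot: Changing the return type of the public static `throwableToHtml` from `StringBuilder` to `String` breaks any caller outside this diff that assigns the result to a `StringBuilder` or calls `append` on it. Those call sites are not visible here and need checking. The Javadoc above still reads `@return HTML fragment.`; it should record that the fragment is now sanitised, for example `@return HTML fragment, passed through the XSS filter`. The method body continues outside this hunk.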
@@ -107,7 +110,7 @@ public class OLATRuntimeException extends RuntimeException {
 				ca = ca.getCause();	
 			}
 		}
-		return sb;
+		return FilterFactory.getXSSFilter(10000).filter(sb.toString());
 	}
 
 	private static void toHtml(StringBuilder sb, Throwable th) {
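Review bot: Running the finished fragment through `FilterFactory.getXSSFilter(10000)` treats exception text as rich HTML, so any markup the policy allows inside a throwable's message would presumably still be rendered on the error page. Exception messages and stack frames are plain text, so HTML-escaping them at the point where `toHtml` appends them (its body is outside this hunk) is the tighter fix, with the filter kept only as a second layer. The fixed limit of 10000 is a second concern: a trace with several causes can be longer, and what the filter returns for over-long input is not visible here. Confirm the error page does not come out empty or truncated in that case.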
diff --git a/src/main/java/org/olat/core/util/filter/FilterFactory.java b/src/main/java/org/olat/core/util/filter/FilterFactory.java
index 658cd2ce3138a535c67e22744055bee9f778fa4f..db73543d88665fdd3f164774a9b53d3c8d7f5f56 100644
--- a/src/main/java/org/olat/core/util/filter/FilterFactory.java
+++ b/src/main/java/org/olat/core/util/filter/FilterFactory.java
@@ -80,6 +80,16 @@ public class FilterFactory {
 		// currently the XSS filter is statefull
 		return new OWASPAntiSamyXSSFilter(maxLength, false);
 	}
+	
+	/**
+	 * 
+	 * @param maxLength
+	 * @return
+	 */
+	public static Filter getXSSFilterForTextField(int maxLength) {
+		// currently the XSS filter is statefull
+		return new OWASPAntiSamyXSSFilter(maxLength, false, false);
+	}
 
 	/**
 	 * Get a filter to add a mapper base url to relative media links in HTML
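Review bot: The Javadoc on `getXSSFilterForTextField` is empty (`@param maxLength` and `@return` carry no text), so nothing tells a caller how it differs from `getXSSFilter`. From the constructor call, it passes `false` for `entityEncodeIntlChars`, and the summary should say so: `Get an XSS filter for plain text fields: markup is sanitised as in getXSSFilter, but international characters are not entity-encoded.` The inline comment `// currently the XSS filter is statefull` is copied from the method above; it would help more if it said that this is why a new instance is returned on every call. The three-argument constructor added in OWASPAntiSamyXSSFilter.java has no Javadoc either.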
diff --git a/src/main/java/org/olat/core/util/filter/impl/OWASPAntiSamyXSSFilter.java b/src/main/java/org/olat/core/util/filter/impl/OWASPAntiSamyXSSFilter.java
index aaa595d531fc5e7e74693ecc9f61adabdcbd9710..be549129e6a6b0806afc55056478985b8537767b 100644
--- a/src/main/java/org/olat/core/util/filter/impl/OWASPAntiSamyXSSFilter.java
+++ b/src/main/java/org/olat/core/util/filter/impl/OWASPAntiSamyXSSFilter.java
@@ -57,14 +57,20 @@ public class OWASPAntiSamyXSSFilter extends LogDelegator implements Filter {
 	private static boolean jUnitDebug;
 	private CleanResults cr;
 	private final int maxLength;
+	private final boolean entityEncodeIntlChars;
 
 	/**
 	 * @param maxLength
 	 * @param junitDebug
 	 */
 	public OWASPAntiSamyXSSFilter(int maxLength, boolean junitDebug){
+		this(maxLength, true, junitDebug);
+	}
+	
+	public OWASPAntiSamyXSSFilter(int maxLength, boolean entityEncodeIntlChars, boolean junitDebug){
 		OWASPAntiSamyXSSFilter.jUnitDebug = junitDebug;
 		this.maxLength = maxLength;
+		this.entityEncodeIntlChars = entityEncodeIntlChars;
 	}
 	
 	/**
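Review bot: The new constructor assigns the static `jUnitDebug` from an instance argument, so every filter built with `false` (as `getXSSFilterForTextField` does) switches the flag off for all instances, and across threads the last constructor to run wins. A per-instance field, `private final boolean jUnitDebug;` set with `this.jUnitDebug = junitDebug;`, would avoid that, provided no static code outside this hunk reads the flag. The two adjacent boolean parameters are also easy to transpose at call sites such as `new OWASPAntiSamyXSSFilter(maxLength, false, false)`; named constants or a small factory method would make the intent readable.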
@@ -110,7 +116,10 @@ public class OWASPAntiSamyXSSFilter extends LogDelegator implements Filter {
 			InputStream inStream = this.getClass().getResourceAsStream(fPath);
 			policy = Policy.getInstance(inStream);
 			if(maxLength > 0) {
-				policy.setDirective("maxInputSize", Integer.toString(maxLength));
+				policy = policy.cloneWithDirective("maxInputSize", Integer.toString(maxLength));
+			}
+			if(!entityEncodeIntlChars) {
+				policy = policy.cloneWithDirective("entityEncodeIntlChars", "false");
 			}
 		} catch (PolicyException e) {
 			if (jUnitDebug) System.err.println("Policy file not found/readable/valid!");
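Review bot: A `PolicyException` is reported only when `jUnitDebug` is set, so outside tests a missing or invalid policy file is silent in the lines shown. What `filter()` returns when `policy` was never loaded is not visible here. Since this class is the XSS barrier, log the failure unconditionally, e.g. `logError("Policy file not found/readable/valid!", e);`, and confirm the filter fails closed instead of passing the input through. The `InputStream` from `getResourceAsStream(fPath)` is also neither null-checked nor closed in the visible lines. The try block starts, and the catch continues, outside this hunk.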
@@ -157,6 +166,4 @@ public class OWASPAntiSamyXSSFilter extends LogDelegator implements Filter {
 		}
 		return errors;
 	}
-	
-
 }
diff --git a/src/main/java/org/olat/core/util/filter/impl/_resources/antisamy-tinymce.xml b/src/main/java/org/olat/core/util/filter/impl/_resources/antisamy-tinymce.xml
index 81aee18fd68903d8502950a37516a8f7a5f8630b..edeba7bff46b1d61ef4def6acf99669f15387ccb 100644
--- a/src/main/java/org/olat/core/util/filter/impl/_resources/antisamy-tinymce.xml
+++ b/src/main/java/org/olat/core/util/filter/impl/_resources/antisamy-tinymce.xml
@@ -14,6 +14,8 @@
 		<directive name="embedStyleSheets" value="false" />
 		<directive name="useXHTML" value="true" />
 		<directive name="formatOutput" value="false" />
+		<directive name="entityEncodeIntlChars" value="true" />
+		<directive name="preserveSpace" value="true" />
 	</directives>
 
 	<common-regexps>
diff --git a/src/main/java/org/olat/login/auth/OLATAuthentcationForm.java b/src/main/java/org/olat/login/auth/OLATAuthentcationForm.java
index 5ad54ec1beaa0e00dbf505ab5ab811eeac7e9c9c..21829c3c943ba12eef493e49b53ba39e02b9e056 100644
--- a/src/main/java/org/olat/login/auth/OLATAuthentcationForm.java
+++ b/src/main/java/org/olat/login/auth/OLATAuthentcationForm.java
@@ -63,8 +63,14 @@ public class OLATAuthentcationForm extends FormBasicController {
 	@Override
 	public boolean validateFormLogic(UserRequest ureq) {
 		boolean valid = true;
-		valid = valid && !login.isEmpty("lf.error.loginempty");
-		valid = valid && !pass.isEmpty("lf.error.passempty");
+		login.clearError();
+		//only POST is allowed
+		if(!"POST".equals(ureq.getHttpReq().getMethod())) {
+			login.setErrorKey("error.post.method.mandatory", null);
+			valid = false;
+		}
+		valid &= !login.isEmpty("lf.error.loginempty");
+		valid &= !pass.isEmpty("lf.error.passempty");
 		return valid;
 	}
 
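Review bot: After the method check fails, `valid &= !login.isEmpty("lf.error.loginempty")` still runs. If `isEmpty` sets its error key on the element (not visible here), it replaces `error.post.method.mandatory` whenever the login field is blank. Returning straight away, with `return false;` in place of `valid = false;`, keeps the message and avoids validating credentials from a rejected request. Only `login.clearError()` is called, so a stale error on `pass` survives; add `pass.clearError();`. The check also runs after the request has been accepted, so credentials sent in a GET query string would already be in access logs; rejecting the method before form dispatch would be stricter if the framework allows it.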
diff --git a/src/test/java/org/olat/core/util/filter/impl/XSSFilterTest.java b/src/test/java/org/olat/core/util/filter/impl/XSSFilterTest.java
index c9f3af18fa66469b2ea323c928f70016ae7a7c8d..cf32657ad70d5d5186d633d6fc7562e195dc372f 100644
--- a/src/test/java/org/olat/core/util/filter/impl/XSSFilterTest.java
+++ b/src/test/java/org/olat/core/util/filter/impl/XSSFilterTest.java
@@ -58,7 +58,11 @@ public class XSSFilterTest {
 	}
 
 	private void t(String input, String result) {
-		String filterRes = vFilter.filter(input);
+		t(input, result, vFilter);
+	}
+
+	private void t(String input, String result, Filter f) {
+		String filterRes = f.filter(input);
 		if (filterRes == result || filterRes.equals(result)){
 			counter ++;
 			System.out.println("------------------------------------------------");
@@ -252,7 +256,18 @@ public class XSSFilterTest {
 		String input = "<br>";
 		String output = "<br />";
 		t(input,output);
-		
+	}
+	
+	@Test
+	public void test_rawText() {
+		OWASPAntiSamyXSSFilter intlFilter = new OWASPAntiSamyXSSFilter(-1, false, true);
+		t("Stéphane Rossé", "Stéphane Rossé", intlFilter);
+	}
+	
+	@Test
+	public void test_rawTextAttaqu() {
+		OWASPAntiSamyXSSFilter intlFilter = new OWASPAntiSamyXSSFilter(-1, false, true);
+		t("&lt;script&gt;alert('hello');&lt;//script&gt;", "&lt;script&gt;alert('hello');&lt;//script&gt;", intlFilter);
 	}
 
 }
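Review bot: Neither new test feeds the `entityEncodeIntlChars=false` filter any live markup. `test_rawTextAttaqu` passes input that is already entity-escaped, so it only shows that escaped text comes back unchanged. Add a case where a literal `<script>` element or an event-handler attribute sits next to non-ASCII text, and assert that the markup is removed while `é` is returned as-is. Whether `t(...)` fails the test on a mismatch is decided outside this hunk; if it only counts and prints, these tests cannot fail. `test_rawTextAttaqu` also looks like a typo for `test_rawTextAttack`.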