From 9752944dd41f9de3c85fd2c2234bbda935d86ca7 Mon Sep 17 00:00:00 2001
From: srosse <none@none>
Date: Mon, 8 Jul 2013 13:44:02 +0200
Subject: [PATCH] OO-652: solve escaping issue, in red screen too

---
 pom.xml | 4 ++--
 .../core/_i18n/LocalStrings_de.properties | 1 +
 .../core/_i18n/LocalStrings_en.properties | 1 +
 .../impl/elements/AbstractTextElement.java | 2 +-
 .../core/logging/OLATRuntimeException.java | 7 +++++--
 .../olat/core/util/filter/FilterFactory.java | 10 ++++++++++
 .../filter/impl/OWASPAntiSamyXSSFilter.java | 13 ++++++++++---
 .../impl/_resources/antisamy-tinymce.xml | 2 ++
 .../login/auth/OLATAuthentcationForm.java | 10 ++++++++--
 .../core/util/filter/impl/XSSFilterTest.java | 19 +++++++++++++++++--
 10 files changed, 57 insertions(+), 12 deletions(-)

diff --git a/pom.xml b/pom.xml
index a1d1f7b2a8a..dd604378755 100644
--- a/pom.xml
+++ b/pom.xml
@@ -1647,12 +1647,12 @@
 <dependency>
 <groupId>net.sourceforge.nekohtml</groupId>
 <artifactId>nekohtml</artifactId>
- <version>1.9.14</version>
+ <version>1.9.16</version>
 </dependency>
 <dependency>
 <groupId>org.owasp.antisamy</groupId>
 <artifactId>antisamy</artifactId>
- <version>1.4.4</version>
+ <version>1.5.2</version>
 </dependency>
 <dependency>
 <groupId>org.w3c.css</groupId>
diff --git a/src/main/java/org/olat/core/_i18n/LocalStrings_de.properties b/src/main/java/org/olat/core/_i18n/LocalStrings_de.properties
index 75940b27c1b..b85acb90027 100644
--- a/src/main/java/org/olat/core/_i18n/LocalStrings_de.properties
+++ b/src/main/java/org/olat/core/_i18n/LocalStrings_de.properties
@@ -14,6 +14,7 @@ edit=Editieren
 error.header=Fehler
 error.jpbwrapper.renderfailed=Die Komponente kann nicht mehr dargestellt werden. Bitte rufen Sie die Komponente erneut auf.
 error.noformpostdata=Achtung\! Durch ein Problem Ihres Browsers wurden nicht alle Daten hochgeladen. Dr\u00FCcken Sie bitte den Zur\u00FCck-Knopf und versuchen Sie es nochmals.
+error.post.method.mandatory=Benutzt ein Browser
 expand=Vergr\u00F6ssern
 finish=Fertigstellen
 form.checkall=Alle ausw\u00E4hlen
diff --git a/src/main/java/org/olat/core/_i18n/LocalStrings_en.properties b/src/main/java/org/olat/core/_i18n/LocalStrings_en.properties
index 1c4a544afc7..ad309742da3 100644
--- a/src/main/java/org/olat/core/_i18n/LocalStrings_en.properties
+++ b/src/main/java/org/olat/core/_i18n/LocalStrings_en.properties
@@ -14,6 +14,7 @@ edit=Edit
 error.header=Error
 error.jpbwrapper.renderfailed=This component cannot be displayed anymore. Please start component again.
 error.noformpostdata=Attention\! Due to problems concerning your browser some data could not be transferred. Please use the "Back" button and try again.
+error.post.method.mandatory=Use a browser!
 expand=Expand
 finish=Finish
 form.checkall=Select all
diff --git a/src/main/java/org/olat/core/gui/components/form/flexible/impl/elements/AbstractTextElement.java b/src/main/java/org/olat/core/gui/components/form/flexible/impl/elements/AbstractTextElement.java
index cc5ea2cbb66..55650db204c 100644
--- a/src/main/java/org/olat/core/gui/components/form/flexible/impl/elements/AbstractTextElement.java
+++ b/src/main/java/org/olat/core/gui/components/form/flexible/impl/elements/AbstractTextElement.java
@@ -129,7 +129,7 @@ public abstract class AbstractTextElement extends FormItemImpl implements TextEl * @see org.olat.core.gui.components.form.flexible.elements.TextElement#getValue() */ public String getValue() { - Filter xssFilter = FilterFactory.getXSSFilter(value.length() + 1); + Filter xssFilter = FilterFactory.getXSSFilterForTextField(value.length() + 1); return getValue(xssFilter); } diff --git a/src/main/java/org/olat/core/logging/OLATRuntimeException.java b/src/main/java/org/olat/core/logging/OLATRuntimeException.java index ff8ec665cb4..4ec9ea47562 100644 --- a/src/main/java/org/olat/core/logging/OLATRuntimeException.java +++ b/src/main/java/org/olat/core/logging/OLATRuntimeException.java @@ -19,6 +19,9 @@ */ package org.olat.core.logging; + +import org.olat.core.util.filter.FilterFactory; + /** * Description:<br /> * Thrown if an unrecoverable error occurs. These Exceptions get caught by the Servlet. The user @@ -89,7 +92,7 @@ public class OLATRuntimeException extends RuntimeException { * @param th * @return HTML fragment. */ - public static StringBuilder throwableToHtml(Throwable th) { + public static String throwableToHtml(Throwable th) { StringBuilder sb = new StringBuilder("<br />"); if (th == null) { sb.append("n/a"); @@ -107,7 +110,7 @@ public class OLATRuntimeException extends RuntimeException { ca = ca.getCause(); } } - return sb; + return FilterFactory.getXSSFilter(10000).filter(sb.toString()); } private static void toHtml(StringBuilder sb, Throwable th) { diff --git a/src/main/java/org/olat/core/util/filter/FilterFactory.java b/src/main/java/org/olat/core/util/filter/FilterFactory.java index 658cd2ce313..db73543d886 100644 --- a/src/main/java/org/olat/core/util/filter/FilterFactory.java +++ b/src/main/java/org/olat/core/util/filter/FilterFactory.java 
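Review bot: getValue() now hands the field value to a filter built with entityEncodeIntlChars=false, so non-ASCII characters come back as raw characters instead of numeric entities, yet the only documentation on the method is an @see tag that says nothing about this contract. The Javadoc should state what callers get, e.g. `Returns the submitted text after AntiSamy XSS sanitising; international characters are kept as-is (no entity encoding), so the value is NOT HTML-encoded and must still be escaped by whoever renders it as HTML.` Any caller that relied on the previous entity-encoded form now receives decoded characters, which is presumably the intent of OO-652 but deserves a sentence in the comment. The enclosing class continues outside the hunk.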
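Review bot: The final `FilterFactory.getXSSFilter(10000).filter(sb.toString())` sanitises the red-screen fragment only after exception text has already been concatenated into markup, so the filter's behaviour on oversized input is now security-relevant: a stack trace with a chain of causes can easily exceed the 10000-character maxInputSize, and the hunk does not show what `filter` returns when AntiSamy rejects the input — if it falls back to the unfiltered text, the size limit becomes the bypass. The more robust shape is to HTML-escape `getMessage()` and class names at the point where `toHtml` appends them (outside this hunk) and keep the AntiSamy pass as defence in depth; at minimum the choice should be documented, e.g. `// exception messages may echo request data: sanitise the built fragment before it is rendered on the red screen`. The cause-walking loop and `toHtml` itself lie between and after the two hunks.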
@@ -80,6 +80,16 @@ public class FilterFactory { // currently the XSS filter is statefull return new OWASPAntiSamyXSSFilter(maxLength, false); } + + /** + * + * @param maxLength + * @return + */ + public static Filter getXSSFilterForTextField(int maxLength) { + // currently the XSS filter is statefull + return new OWASPAntiSamyXSSFilter(maxLength, false, false); + } /** * Get a filter to add a mapper base url to relative media links in HTML diff --git a/src/main/java/org/olat/core/util/filter/impl/OWASPAntiSamyXSSFilter.java b/src/main/java/org/olat/core/util/filter/impl/OWASPAntiSamyXSSFilter.java index aaa595d531f..be549129e6a 100644 --- a/src/main/java/org/olat/core/util/filter/impl/OWASPAntiSamyXSSFilter.java +++ b/src/main/java/org/olat/core/util/filter/impl/OWASPAntiSamyXSSFilter.java @@ -57,14 +57,20 @@ public class OWASPAntiSamyXSSFilter extends LogDelegator implements Filter { private static boolean jUnitDebug; private CleanResults cr; private final int maxLength; + private final boolean entityEncodeIntlChars; /** * @param maxLength * @param junitDebug */ public OWASPAntiSamyXSSFilter(int maxLength, boolean junitDebug){ + this(maxLength, true, junitDebug); + } + + public OWASPAntiSamyXSSFilter(int maxLength, boolean entityEncodeIntlChars, boolean junitDebug){ OWASPAntiSamyXSSFilter.jUnitDebug = junitDebug; this.maxLength = maxLength; + this.entityEncodeIntlChars = entityEncodeIntlChars; } /** 
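Review bot: The Javadoc on getXSSFilterForTextField is an empty stub (`@param maxLength` and `@return` with no text), so nothing tells a caller how it differs from getXSSFilter two lines above; the only visible difference is the extra `false` argument, i.e. entity encoding of international characters is switched off. Suggested Javadoc: `Get an XSS filter for plain text fields: same policy as {@link #getXSSFilter(int)}, but international characters are returned as-is instead of as numeric entities.` with `@param maxLength maximal accepted input size; values <= 0 keep the policy default` and `@return a new filter instance (the filter is stateful, hence one per call)`. That last point also explains the `currently the XSS filter is statefull` comment copied from the sibling, which on its own reads as a warning without a consequence.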
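Review bot: The new three-argument constructor has no Javadoc, and the two-argument one keeps a stub that does not say it now delegates with entityEncodeIntlChars=true; add `@param entityEncodeIntlChars true to emit non-ASCII characters as numeric entities (the previous behaviour), false to keep them as characters` on the new constructor and `Same as the three-argument constructor with entityEncodeIntlChars=true.` on the old one. Both constructors also keep writing the per-instance `junitDebug` argument into the static `jUnitDebug` field, so the last filter constructed decides the debug output of every instance; that predates this commit, but since the constructor is being reworked anyway it is the natural place to make the field an instance field. The class continues outside the hunk.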
@@ -110,7 +116,10 @@ public class OWASPAntiSamyXSSFilter extends LogDelegator implements Filter { InputStream inStream = this.getClass().getResourceAsStream(fPath); policy = Policy.getInstance(inStream); if(maxLength > 0) { - policy.setDirective("maxInputSize", Integer.toString(maxLength)); + policy = policy.cloneWithDirective("maxInputSize", Integer.toString(maxLength)); + } + if(!entityEncodeIntlChars) { + policy = policy.cloneWithDirective("entityEncodeIntlChars", "false"); } } catch (PolicyException e) { if (jUnitDebug) System.err.println("Policy file not found/readable/valid!"); @@ -157,6 +166,4 @@ public class OWASPAntiSamyXSSFilter extends LogDelegator implements Filter { } return errors; } - - } diff --git a/src/main/java/org/olat/core/util/filter/impl/_resources/antisamy-tinymce.xml b/src/main/java/org/olat/core/util/filter/impl/_resources/antisamy-tinymce.xml index 81aee18fd68..edeba7bff46 100644 --- a/src/main/java/org/olat/core/util/filter/impl/_resources/antisamy-tinymce.xml +++ b/src/main/java/org/olat/core/util/filter/impl/_resources/antisamy-tinymce.xml @@ -14,6 +14,8 @@ <directive name="embedStyleSheets" value="false" /> <directive name="useXHTML" value="true" /> <directive name="formatOutput" value="false" /> + <directive name="entityEncodeIntlChars" value="true" /> + <directive name="preserveSpace" value="true" /> </directives> <common-regexps> diff --git a/src/main/java/org/olat/login/auth/OLATAuthentcationForm.java b/src/main/java/org/olat/login/auth/OLATAuthentcationForm.java index 5ad54ec1bea..21829c3c943 100644 --- a/src/main/java/org/olat/login/auth/OLATAuthentcationForm.java +++ b/src/main/java/org/olat/login/auth/OLATAuthentcationForm.java 
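Review bot: The `entityEncodeIntlChars` directive is only overridden when the flag is false, which silently depends on the policy file declaring `entityEncodeIntlChars=true` (this commit adds that line to antisamy-tinymce.xml); if the XML ever loses the directive, the true case falls back to whatever AntiSamy's built-in default is. Either set it unconditionally — `policy = policy.cloneWithDirective("entityEncodeIntlChars", Boolean.toString(entityEncodeIntlChars));` — or tie the two together with a comment such as `// antisamy-tinymce.xml sets entityEncodeIntlChars=true; only the text-field variant overrides it`. The resource stream opened two lines above the change is never closed and `Policy.getInstance` would receive null if the policy resource were missing, though both predate this change. The method starts before the hunk.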
@@ -63,8 +63,14 @@ public class OLATAuthentcationForm extends FormBasicController { @Override public boolean validateFormLogic(UserRequest ureq) { boolean valid = true; - valid = valid && !login.isEmpty("lf.error.loginempty"); - valid = valid && !pass.isEmpty("lf.error.passempty"); + login.clearError(); + //only POST is allowed + if(!"POST".equals(ureq.getHttpReq().getMethod())) { + login.setErrorKey("error.post.method.mandatory", null); + valid = false; + } + valid &= !login.isEmpty("lf.error.loginempty"); + valid &= !pass.isEmpty("lf.error.passempty"); return valid; } diff --git a/src/test/java/org/olat/core/util/filter/impl/XSSFilterTest.java b/src/test/java/org/olat/core/util/filter/impl/XSSFilterTest.java index c9f3af18fa6..cf32657ad70 100644 --- a/src/test/java/org/olat/core/util/filter/impl/XSSFilterTest.java +++ b/src/test/java/org/olat/core/util/filter/impl/XSSFilterTest.java @@ -58,7 +58,11 @@ public class XSSFilterTest { } private void t(String input, String result) { - String filterRes = vFilter.filter(input); + t(input, result, vFilter); + } + + private void t(String input, String result, Filter f) { + String filterRes = f.filter(input); if (filterRes == result || filterRes.equals(result)){ counter ++; System.out.println("------------------------------------------------"); @@ -252,7 +256,18 @@ public class XSSFilterTest { String input = "<br>"; String output = "<br />"; t(input,output); - + } + + @Test + public void test_rawText() { + OWASPAntiSamyXSSFilter intlFilter = new OWASPAntiSamyXSSFilter(-1, false, true); + t("Stéphane Rossé", "Stéphane Rossé", intlFilter); + } + + @Test + public void test_rawTextAttaqu() { + OWASPAntiSamyXSSFilter intlFilter = new OWASPAntiSamyXSSFilter(-1, false, true); + t("<script>alert('hello');<//script>", "<script>alert('hello');<//script>", intlFilter); } } -- GitLab
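Review bot: The POST-only check sits inside validateFormLogic, i.e. it runs after a GET submission has already carried the login name and password in the query string, so it stops the form from authenticating but not the credentials from reaching access logs, proxies, Referer headers or the browser history; if GET logins are to be forbidden, the rejection belongs where the request is dispatched, with this check documented as defence in depth. The `//only POST is allowed` comment should give the reason, e.g. `// reject GET submissions: credentials must never travel in the URL (OO-652)`, and the user-facing text behind error.post.method.mandatory ("Use a browser!") tells the user nothing about what went wrong. Note also that `login.isEmpty("lf.error.loginempty")` on the following line presumably sets its own error key and, because `&=` now evaluates both validations unconditionally, can replace the method error just set when the login field is empty.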
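Review bot: In the new `t(String, String, Filter)` helper the comparison `filterRes == result || filterRes.equals(result)` throws a NullPointerException when the filter returns null instead of reporting a failed comparison; `if (Objects.equals(filterRes, result)) {` covers the identity, equality and null cases in one call. The helper's else branch lies outside the hunk, so it is not visible whether a mismatch actually fails the test or only prints.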
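Review bot: test_rawTextAttaqu expects the filter to return `<script>alert('hello');<//script>` unchanged, which is the opposite of what an XSS filter should do with a script element; either the expected value is wrong (script is presumably not allowed by the tinymce policy, so the element and its content should be dropped and the expected string would be empty or close to it) or the text-field configuration really lets the payload through, in which case getValue() in AbstractTextElement now returns unsanitised markup. Either way the test should pin the sanitised output, and since `t` only counts matches in the visible branch, it is worth confirming that a mismatch fails the test rather than merely printing. A name such as `test_rawTextScriptIsStripped` would also make the intent clear.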