Fix XSS vulnerability in message list and view
git-svn-id: https://svn.apache.org/repos/asf/james/hupa/trunk@1373762 13f79535-47bb-0310-9956-ffa450edef68
manolo committed Aug 16, 2012
1 parent 852edab commit aff28a8
Showing 5 changed files with 16 additions and 7 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -117,5 +117,6 @@ public void onSuccess(T result) {
*/
public void callbackError(Throwable caught) {
System.out.println("HupaCallBack Error: " + caught);
caught.printStackTrace();
}
}
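Review bot: The `caught.printStackTrace();` line (presumably the one addition this hunk accounts for) writes the stack trace to stderr, while the `System.out.println("HupaCallBack Error: " + caught)` just above writes the message to stdout, so the two halves of one error report can be interleaved with other output or land in different logs. Keeping them on one channel, e.g. `caught.printStackTrace(System.out);`, or routing both through a logger, keeps the message and its trace together. If HupaCallback is GWT client code, as the name suggests, where these streams actually end up depends on the runtime, so this is worth confirming against how the application is run.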
Original file line number Diff line number Diff line change
Expand Up @@ -363,7 +363,7 @@ public void renderRowValue(Message rowValue,
dtformat = DateTimeFormat.getFormat("dd.MMM.yyyy HH:mm");
}

view.setHTML(dtformat.format(rDate));
view.setText(dtformat.format(rDate));
view.setHorizontalAlignment(HorizontalPanel.ALIGN_RIGHT);
}

Expand Down Expand Up @@ -528,7 +528,7 @@ public void renderRowValue(E rowValue,
if (cellValue == null || cellValue.length() < 1) {
view.setHTML("&nbsp");
} else {
view.setHTML(cellValue);
view.setText(cellValue);
}
}

Expand Down Expand Up @@ -791,6 +791,7 @@ public void fillSearchOracle(ArrayList<Message> messages) {
}

public void setExpandLoading(boolean expanding) {
System.out.println("SSS " + expanding);
if (expanding) {
loading.show();
} else {
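Review bot: `System.out.println("SSS " + expanding);` added to setExpandLoading reads as a debugging trace left in alongside the XSS fix; it prints on every show/hide of the loading indicator and should be dropped before this lands. The two earlier hunks that swap `view.setHTML(...)` for `view.setText(...)` on the formatted date and on `cellValue` are the right fix, since setText treats the string as text rather than markup. Whether this class has other setHTML calls that receive message-derived data cannot be seen from these hunks and is worth a quick search. setExpandLoading's body continues past the end of the hunk.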
Original file line number Diff line number Diff line change
Expand Up @@ -137,8 +137,6 @@ protected MessageDetails mimeToDetails(MimeMessage message, String folderName, l

boolean isHTML = handleParts(message, con, sbPlain, attachmentList);

System.out.println(isHTML);

if (isHTML) {
mDetails.setText(filterHtmlDocument(sbPlain.toString(), folderName, uid));
} else {
Original file line number Diff line number Diff line change
Expand Up @@ -60,9 +60,9 @@ public class RegexPatterns {

public static final Pattern regex_unneededTags = Pattern.compile("(?si)(</?(html|body)[^>]*?>)");
public static final String repl_unneededTags = "";
public static final String EVENT_ATTR_REGEX = "(?:on[dbl]*click)|(?:onmouse[a-z]+)|(?:onkey[a-z]+)";
public static final Pattern regex_badAttrs = Pattern.compile("(?si)(<\\w+[^<>]*)\\s+("+ EVENT_ATTR_REGEX + ")=[\"']?([^\\s<>]+?)[\"']?([\\s>])");

public static final String EVENT_ATTR_REGEX = "(?:on[a-z]+)";
public static final Pattern regex_badAttrs = Pattern.compile("(?si)(<\\w+[^<>]*)(?:[\"']|\\s+)("+ EVENT_ATTR_REGEX + ")=[\"']?([^\\s<>]+?)[\"']?([\\s>])");
public static final String repl_badAttrs = "$1$4";

public static final Pattern regex_orphandHttpLinks = Pattern.compile("(?si)(?!.*<a\\s?[^>]*?>.+</a\\s*>.*)(<[^<]*?>[^<>]*)" + HTML_LINK_REGEXP + "([^<>]*<[^>]*?>)");
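Review bot: The new `(?:[\"']|\\s+)` alternative in `regex_badAttrs` consumes a quote that belongs to the preceding attribute, and `repl_badAttrs = "$1$4"` never re-emits it, so an input like `<img src="1.jpg"onerror=javascript:alert("img-onerror-javascript:XSS")>` (the test's sample with the space removed) comes out as `<img src="1.jpg>`: the handler is gone, but the `src` value is now unterminated and a browser will likely absorb the following markup into it until the next quote. Matching the quote without consuming it keeps the existing group numbering and replacement untouched: `Pattern.compile("(?si)(<\\w+[^<>]*)(?:(?<=[\"'])|\\s+)("+ EVENT_ATTR_REGEX + ")=[\"']?([^\\s<>]+?)[\"']?([\\s>])")`. The widening of EVENT_ATTR_REGEX to `(?:on[a-z]+)` is what actually closes the reported `onerror` gap; the quote alternative only matters for the no-whitespace form, which the accompanying test change does not cover. The enclosing RegexPatterns class continues outside the hunk.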
Original file line number Diff line number Diff line change
Expand Up @@ -85,6 +85,15 @@ public void testRegexBadAttributes() {
txt = "... <div attr=a onClick=\"something('');\" attr=b onMouseOver=whatever attr=c onKeyup=\"\" /> ...";
res = RegexPatterns.replaceAllRecursive(txt, RegexPatterns.regex_badAttrs, RegexPatterns.repl_badAttrs);
assertEquals("... <div attr=a attr=b attr=c /> ...", res);


txt = "... <img src='1.jpg' onerror=javascript:alert(\"img-onerror-javascript:XSS\")> ...";
res = RegexPatterns.replaceAllRecursive(txt, RegexPatterns.regex_badAttrs, RegexPatterns.repl_badAttrs);
assertEquals("... <img src='1.jpg'> ...", res);

txt = "... <img src=\"1.jpg\" onerror=javascript:alert(\"img-onerror-javascript:XSS\")> ...";
res = RegexPatterns.replaceAllRecursive(txt, RegexPatterns.regex_badAttrs, RegexPatterns.repl_badAttrs);
assertEquals("... <img src=\"1.jpg\"> ...", res);
}

public void testRegexHtmlLinks() {
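Review bot: Both new cases put whitespace between `src=...` and `onerror`, so they go through the `\\s+` branch and never exercise the `[\"']` alternative that this commit adds to `regex_badAttrs`; the quote-adjacent form is the one whose output needs an assertion. A third case along the lines of `txt = "... <img src=\"1.jpg\"onerror=javascript:alert(\"img-onerror-javascript:XSS\")> ...";` followed by `assertEquals("... <img src=\"1.jpg\"> ...", res);` would pin that the closing quote survives (the pattern as committed drops it, since the quote is consumed but not restored by `$1$4`). testRegexBadAttributes fits inside the hunk; testRegexHtmlLinks, which starts on its last lines, continues outside.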
