Merge branch 'release-1.1'

jonpasski committed Feb 22, 2013
2 parents 314cb7f + 963c684 commit 3c471bb4de9ac9e8a5ccde8d09372adc604bce3a
@@ -2,4 +2,5 @@ target
cov_build
trunk
run-analysis.sh
-README.html
+README.html
+*.versionsBackup
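Review bot: the `-README.html` / `+README.html` pair in this hunk removes and re-adds a line with identical visible content, which normally means a trailing-whitespace or line-ending change rather than a content change; confirm with `git diff -w` and, if that is all it is, keep the ignore file's line endings consistent so the entry does not churn again. Adding `*.versionsBackup` (the backup copies the Maven versions plugin leaves behind when it rewrites a pom) is a sensible entry for a release branch that bumps versions.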
@@ -18,13 +18,16 @@ Users of Coverity Security Advisor get remediation guidance based on escaping ro
The [Escape class](https://github.com/coverity/coverity-security-library/tree/develop/coverity-escapers) contains several escapers for web content. These escaping functions help remedy common defects (mostly cross-site scripting) that occur when the data is inserted into HTML element, HTML attribute values, URI, JavaScript strings, SQL LIKE clauses, etc. More information are available in the [Escape directory](https://github.com/coverity/coverity-security-library/tree/develop/coverity-escapers).
-Before using any of these methods, you should understand the context (or nested contexts) in which the data is inserted. [Several examples](https://github.com/coverity/coverity-security-library/tree/develop/coverity-escapers/samples) are available in the repository, and more will be available on [our blog](https://communities.coverity.com/blogs/security).
+Before using any of these methods, you should understand the context (or nested contexts) in which the data is inserted. [Several mockup examples with explanation](https://github.com/coverity/coverity-security-library/tree/develop/coverity-escapers/samples/mockup-examples) are available in the repository, and more will be available on [our blog](https://communities.coverity.com/blogs/security).
+If you want to test the library to understand how it whistands security attacks, our [functional testsuite](https://github.com/coverity/coverity-security-library/tree/develop/coverity-escapers/samples/functional-testsuite) is the right app to build/deploy/test.
+
+Ready to use it? One last step is to have a look at [the latest javadoc](http://coverity.github.com/coverity-security-library) directly on github.
To include this library into your Maven project, add the following:
```xml
<dependency>
- <groupId>com.coverity</groupId>
+ <groupId>com.coverity.security</groupId>
<artifactId>coverity-escapers</artifactId>
<version>1.0</version>
</dependency>
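Review bot: the added sentence in this hunk has a typo, "whistands" should read "withstands", and the dependency snippet that follows still pins `<version>1.0</version>` even though this merge raises the library pom from `<version>1.0</version>` to `<version>1.1</version>`; update the top-level README example to the version actually being published so readers do not depend on the previous release. While the README is being touched, the context line "More information are available" should read "More information is available".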
@@ -21,16 +21,16 @@ use them! Just make sure you use them correctly :)
3. [HTML Contexts Examples](#main_contexts)
4. [Authors & License](#main_authors)
-# <a id="install"></a>Installation
+# <a id="install" name="install"></a>Installation
## Using Maven
To include this library into your Maven project, add the following to your pom:
```xml
<dependency>
- <groupId>com.coverity</groupId>
+ <groupId>com.coverity.security</groupId>
<artifactId>coverity-escapers</artifactId>
- <version>1.0.0</version>
+ <version>1.0</version>
</dependency>
```
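Review bot: the installation snippet in this hunk changes the version from `1.0.0` to `1.0`, but the module pom in the same merge moves to `1.1`, so the README will tell users to depend on the previous release; pin it to `<version>1.1</version>` (or whatever coordinates are pushed to the repository for this tag) and consider keeping this snippet and the one in the top-level README in sync, since both drifted here. Adding `name="install"` alongside `id="install"` on the anchor is harmless and is presumably what makes the table-of-contents links resolve in the rendered README; the same pattern is applied consistently to the other headings below.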
@@ -56,7 +56,7 @@ The javadoc can be created directly from the Maven build:
$ mvn install
$ open ./coverity-escapers/target/apidocs/index.html
-# <a id="main_usage"></a> Usage
+# <a id="main_usage" name="main_usage"></a> Usage
## Example 1: XSS Defect in Java Servlet
@@ -146,7 +146,7 @@ ensure values are properly escaped for the HTML attribute value context.
Note that if you want to limit the number of EL functions imported, you can use the
`cov:htmlEscape` function instead of `fn:escapeXml`.
-# <a id="main_contexts"></a> Background Information
+# <a id="main_contexts" name="main_contexts"></a> Background Information
## Contexts
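Review bot: the table of contents two hunks above lists item 3 as "HTML Contexts Examples" with anchor `#main_contexts`, while the heading that carries `id="main_contexts"` here reads "Background Information"; since the anchors are being edited anyway, either rename the TOC entry or the heading so the link text matches where it lands.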
@@ -287,7 +287,7 @@ Injection examples:
```html
<style>
#clickme a {
- background-image: url('TAINTED_DATA_HERE');
+ background-image: url('/pull-image/?id=TAINTED_DATA_HERE');
}
</style>
<a id="clickme" href="http://www.example.com/?test=TAINTED_DATA_HERE">Click me!</a>
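Review bot: the rewritten injection example in this hunk places the tainted value in a nested context, a URL query parameter inside a single-quoted CSS `url()` string, instead of letting the whole URL be attacker-controlled, which is the more instructive case and matches the README's own advice to "understand the context (or nested contexts) in which the data is inserted". The surrounding text should then say explicitly that the value must be encoded for the URL query first and escaped for the CSS string second, in that order, and that the `href` on the `<a>` in the same snippet carries the same data in a plain URL query context and therefore needs a different (shorter) escaping chain.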
@@ -342,7 +342,7 @@ unquoted values in HTML or CSS. Rather, use the double or single quoted values.
is that unquoted values make it even more difficult to mitigate and are sometimes
web browser specific.
-# <a id="main_authors"></a> Authors
+# <a id="main_authors" name="main_authors"></a> Authors
The Escape library was developed by the [Coverity Security Research Lab](http://www.coverity.com) members:
* Romain Gaucher, [@rgaucher](https://twitter.com/rgaucher)
* Andy Chou, [@_achou](https://twitter.com/_achou)
@@ -6,15 +6,15 @@
<groupId>com.coverity.security</groupId>
<artifactId>coverity-escapers</artifactId>
<packaging>jar</packaging>
- <version>1.0</version>
+ <version>1.1</version>
<name>coverity-escapers</name>
<description>Open source library of HTML, JavaScript, and CSS escapers for use by Java applications</description>
<url>http://coverity.com/security</url>
<parent>
<groupId>com.coverity.security</groupId>
<artifactId>coverity-security-library</artifactId>
- <version>1.0</version>
+ <version>1.1</version>
</parent>
<licenses>
@@ -40,6 +40,11 @@
<name>Jon Passki</name>
<email>jpasski@coverity.com</email>
</developer>
+ <developer>
+ <id>kuza55</id>
+ <name>Alex Kouzemtchenko</name>
+ <email>akouzemtchenko@coverity.com</email>
+ </developer>
</developers>
<properties>
@@ -1,128 +1,133 @@
<?xml version="1.0" encoding="UTF-8"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
- <modelVersion>4.0.0</modelVersion>
- <groupId>com.coverity</groupId>
- <artifactId>csl-functional-test</artifactId>
- <name>csl-functional-test</name>
- <packaging>war</packaging>
- <version>1.0.0-BUILD-SNAPSHOT</version>
- <properties>
- <java-version>1.6</java-version>
- <org.springframework-version>3.1.0.RELEASE</org.springframework-version>
- <org.aspectj-version>1.6.9</org.aspectj-version>
- <org.slf4j-version>1.5.10</org.slf4j-version>
- </properties>
- <dependencies>
- <!-- Spring -->
- <dependency>
- <groupId>org.springframework</groupId>
- <artifactId>spring-context</artifactId>
- <version>${org.springframework-version}</version>
- <exclusions>
- <!-- Exclude Commons Logging in favor of SLF4j -->
- <exclusion>
- <groupId>commons-logging</groupId>
- <artifactId>commons-logging</artifactId>
- </exclusion>
- </exclusions>
- </dependency>
- <dependency>
- <groupId>org.springframework</groupId>
- <artifactId>spring-webmvc</artifactId>
- <version>${org.springframework-version}</version>
- </dependency>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://maven.apache.org/POM/4.0.0
+ http://maven.apache.org/maven-v4_0_0.xsd">
+ <modelVersion>4.0.0</modelVersion>
+ <groupId>com.coverity.security</groupId>
+ <artifactId>csl-functional-test</artifactId>
+ <name>csl-functional-test</name>
+ <packaging>war</packaging>
+ <!-- match the version in develop -->
+ <version>1.1</version>
+ <properties>
+ <java-version>1.6</java-version>
+ <org.springframework-version>3.1.0.RELEASE</org.springframework-version>
+ <org.aspectj-version>1.6.9</org.aspectj-version>
+ <org.slf4j-version>1.5.10</org.slf4j-version>
+ </properties>
+ <dependencies>
+ <!-- Spring -->
+ <dependency>
+ <groupId>org.springframework</groupId>
+ <artifactId>spring-context</artifactId>
+ <version>${org.springframework-version}</version>
+ <exclusions>
+ <!-- Exclude Commons Logging in favor of SLF4j -->
+ <exclusion>
+ <groupId>commons-logging</groupId>
+ <artifactId>commons-logging</artifactId>
+ </exclusion>
+ </exclusions>
+ </dependency>
+ <dependency>
+ <groupId>org.springframework</groupId>
+ <artifactId>spring-webmvc</artifactId>
+ <version>${org.springframework-version}</version>
+ </dependency>
+
+ <!-- Add our own library from maven -->
<dependency>
<groupId>com.coverity.security</groupId>
<artifactId>coverity-escapers</artifactId>
- <version>1.0</version>
+ <version>1.1-SNAPSHOT</version>
</dependency>
- <!-- AspectJ -->
- <dependency>
- <groupId>org.aspectj</groupId>
- <artifactId>aspectjrt</artifactId>
- <version>${org.aspectj-version}</version>
- </dependency>
-
- <!-- Logging -->
- <dependency>
- <groupId>org.slf4j</groupId>
- <artifactId>slf4j-api</artifactId>
- <version>${org.slf4j-version}</version>
- </dependency>
- <dependency>
- <groupId>org.slf4j</groupId>
- <artifactId>jcl-over-slf4j</artifactId>
- <version>${org.slf4j-version}</version>
- <scope>runtime</scope>
- </dependency>
- <dependency>
- <groupId>org.slf4j</groupId>
- <artifactId>slf4j-log4j12</artifactId>
- <version>${org.slf4j-version}</version>
- <scope>runtime</scope>
- </dependency>
- <dependency>
- <groupId>log4j</groupId>
- <artifactId>log4j</artifactId>
- <version>1.2.15</version>
- <exclusions>
- <exclusion>
- <groupId>javax.mail</groupId>
- <artifactId>mail</artifactId>
- </exclusion>
- <exclusion>
- <groupId>javax.jms</groupId>
- <artifactId>jms</artifactId>
- </exclusion>
- <exclusion>
- <groupId>com.sun.jdmk</groupId>
- <artifactId>jmxtools</artifactId>
- </exclusion>
- <exclusion>
- <groupId>com.sun.jmx</groupId>
- <artifactId>jmxri</artifactId>
- </exclusion>
- </exclusions>
- <scope>runtime</scope>
- </dependency>
+ <!-- AspectJ -->
+ <dependency>
+ <groupId>org.aspectj</groupId>
+ <artifactId>aspectjrt</artifactId>
+ <version>${org.aspectj-version}</version>
+ </dependency>
+
+ <!-- Logging -->
+ <dependency>
+ <groupId>org.slf4j</groupId>
+ <artifactId>slf4j-api</artifactId>
+ <version>${org.slf4j-version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.slf4j</groupId>
+ <artifactId>jcl-over-slf4j</artifactId>
+ <version>${org.slf4j-version}</version>
+ <scope>runtime</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.slf4j</groupId>
+ <artifactId>slf4j-log4j12</artifactId>
+ <version>${org.slf4j-version}</version>
+ <scope>runtime</scope>
+ </dependency>
+ <dependency>
+ <groupId>log4j</groupId>
+ <artifactId>log4j</artifactId>
+ <version>1.2.15</version>
+ <exclusions>
+ <exclusion>
+ <groupId>javax.mail</groupId>
+ <artifactId>mail</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>javax.jms</groupId>
+ <artifactId>jms</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>com.sun.jdmk</groupId>
+ <artifactId>jmxtools</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>com.sun.jmx</groupId>
+ <artifactId>jmxri</artifactId>
+ </exclusion>
+ </exclusions>
+ <scope>runtime</scope>
+ </dependency>
- <!-- @Inject -->
- <dependency>
- <groupId>javax.inject</groupId>
- <artifactId>javax.inject</artifactId>
- <version>1</version>
- </dependency>
-
- <!-- Servlet -->
- <dependency>
- <groupId>javax.servlet</groupId>
- <artifactId>servlet-api</artifactId>
- <version>2.5</version>
- <scope>provided</scope>
- </dependency>
- <dependency>
- <groupId>javax.servlet.jsp</groupId>
- <artifactId>jsp-api</artifactId>
- <version>2.1</version>
- <scope>provided</scope>
- </dependency>
- <dependency>
- <groupId>javax.servlet</groupId>
- <artifactId>jstl</artifactId>
- <version>1.2</version>
- </dependency>
-
- <!-- Test -->
- <dependency>
- <groupId>junit</groupId>
- <artifactId>junit</artifactId>
- <version>4.7</version>
- <scope>test</scope>
- </dependency>
- </dependencies>
+ <!-- @Inject -->
+ <dependency>
+ <groupId>javax.inject</groupId>
+ <artifactId>javax.inject</artifactId>
+ <version>1</version>
+ </dependency>
+
+ <!-- Servlet -->
+ <dependency>
+ <groupId>javax.servlet</groupId>
+ <artifactId>servlet-api</artifactId>
+ <version>2.5</version>
+ <scope>provided</scope>
+ </dependency>
+ <dependency>
+ <groupId>javax.servlet.jsp</groupId>
+ <artifactId>jsp-api</artifactId>
+ <version>2.1</version>
+ <scope>provided</scope>
+ </dependency>
+ <dependency>
+ <groupId>javax.servlet</groupId>
+ <artifactId>jstl</artifactId>
+ <version>1.2</version>
+ </dependency>
+
+ <!-- Test -->
+ <dependency>
+ <groupId>junit</groupId>
+ <artifactId>junit</artifactId>
+ <version>4.7</version>
+ <scope>test</scope>
+ </dependency>
+ </dependencies>
<build>
<plugins>
<plugin>
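Review bot: `<version>1.1-SNAPSHOT</version>` for the `coverity-escapers` dependency does not belong in a release-1.1 merge: the library's own pom in this commit is `1.1`, and a SNAPSHOT dependency resolves to whatever was most recently deployed to the snapshot repository, so the functional test suite cannot be rebuilt reproducibly against the released artifact; pin it to `<version>1.1</version>`. The comment `<!-- match the version in develop -->` above the war's own `<version>1.1</version>` already states that intent for the module version, which makes the dependency the odd one out. Separately, almost all of this 128-line hunk is re-indentation; committing the whitespace change on its own before the real changes (groupId to `com.coverity.security`, module version from `1.0.0-BUILD-SNAPSHOT` to `1.1`, and the dependency bump) would let reviewers see the handful of lines that actually matter, and `git diff -w` is the quickest way to confirm nothing else moved.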
@@ -8,20 +8,20 @@
@Controller
public class HomeController {
- // By default we go to the EL tests.
- @RequestMapping(value = "/", method = RequestMethod.GET)
- public String index(Model model) {
- return "test-el";
- }
+ // By default we go to the EL tests.
+ @RequestMapping(value = "/", method = RequestMethod.GET)
+ public String index(Model model) {
+ return "test-el";
+ }
- @RequestMapping(value = "/el", method = RequestMethod.GET)
- public String testEL(Model model) {
- return "test-el";
- }
-
- @RequestMapping(value = "/scriptlet", method = RequestMethod.GET)
- public String testJSP(Model model) {
- return "test-jsp";
- }
+ @RequestMapping(value = "/el", method = RequestMethod.GET)
+ public String testEL(Model model) {
+ return "test-el";
+ }
+
+ @RequestMapping(value = "/scriptlet", method = RequestMethod.GET)
+ public String testJSP(Model model) {
+ return "test-jsp";
+ }
}
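Review bot: this hunk is a whitespace-only re-indentation of `HomeController`; the three mappings (`/`, `/el`, `/scriptlet`) and their view names are unchanged, so there is nothing functional to review, but as with the pom hunk, formatting-only changes are easier to audit when committed separately from release changes.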