Skip to content
Permalink
Browse files

Merge pull request #4 from daniel-beck/JENKINS-31616

[FIX JENKINS-31616] Prohibit scheme-relative URLs
  • Loading branch information
christ66 committed Jun 7, 2016
2 parents d4c3533 + bf3758d commit 3f7c587cde27d59d4d549f5a5a5c15ddf66631e4
@@ -20,7 +20,7 @@
public static final PolicyFactory POLICY_DEFINITION;

private static final Pattern ONSITE_URL = Pattern.compile(
"(?:[\\p{L}\\p{N}\\\\\\.\\#@\\$%\\+&;\\-_~,\\?=/!]+|\\#(\\w)+)");
"(?!//)(?:[\\p{L}\\p{N}\\\\\\.\\#@\\$%\\+&;\\-_~,\\?=/!]+|\\#(\\w)+)");
private static final Pattern OFFSITE_URL = Pattern.compile(
"\\s*(?:(?:ht|f)tps?://|mailto:)[\\p{L}\\p{N}]"
+ "[\\p{L}\\p{N}\\p{Zs}\\.\\#@\\$%\\+&;:\\-_~,\\?=/!\\(\\)]*\\s*");
@@ -48,6 +48,11 @@ public void testPolicy() {
assertReject("sun.com", "<form method='post' action='http://sun.com/'><input type='text' name='foo'><input type='password' name='pass'></form>");
}

@Test
public void testProtocolRelativeUrl() {
assertReject("action", "<form action='//example.org/evil.php'><input type='submit'/></form>");
}

private void assertIntact(String input) {
input = input.replace('\'','\"');
assertSanitize(input,input);

0 comments on commit 3f7c587

Please sign in to comment.
You can’t perform that action at this time.