
[FIX JENKINS-31616] Prohibit scheme-relative URLs

daniel-beck committed Dec 19, 2015
1 parent fa144c7 commit bf3758df15828bec772322fd7ad629df1d40571c
@@ -20,7 +20,7 @@
public static final PolicyFactory POLICY_DEFINITION;

private static final Pattern ONSITE_URL = Pattern.compile(
"(?:[\\p{L}\\p{N}\\\\\\.\\#@\\$%\\+&;\\-_~,\\?=/!]+|\\#(\\w)+)");
"(?!//)(?:[\\p{L}\\p{N}\\\\\\.\\#@\\$%\\+&;\\-_~,\\?=/!]+|\\#(\\w)+)");
private static final Pattern OFFSITE_URL = Pattern.compile(
"\\s*(?:(?:ht|f)tps?://|mailto:)[\\p{L}\\p{N}]"
+ "[\\p{L}\\p{N}\\p{Zs}\\.\\#@\\$%\\+&;:\\-_~,\\?=/!\\(\\)]*\\s*");
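Review bot: The `(?!//)` lookahead added at the front of the ONSITE_URL regex rejects only a literal leading pair of forward slashes, while the character class that follows still admits a backslash (`\\\\` in the Java literal), so a value beginning with a slash and a backslash would presumably still be accepted as an on-site URL even though several browsers normalise that separator when resolving the link; a lookahead covering both separators, `"(?![/\\\\][/\\\\])(?:[\\p{L}\\p{N}...` , would close that gap and should be checked against the new test in this commit. The purpose of the lookahead is not visible from the pattern itself, so a short why-comment on the line above it, such as `// Reject scheme-relative (//host/...) values, which would otherwise match as on-site paths (JENKINS-31616)`, belongs here. POLICY_DEFINITION and the code that applies these two patterns are outside the hunk.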
@@ -48,6 +48,11 @@ public void testPolicy() {
assertReject("sun.com", "<form method='post' action='http://sun.com/'><input type='text' name='foo'><input type='password' name='pass'></form>");
}

@Test
public void testProtocolRelativeUrl() {
assertReject("action", "<form action='//example.org/evil.php'><input type='submit'/></form>");
}

private void assertIntact(String input) {
input = input.replace('\'','\"');
assertSanitize(input,input);
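Review bot: testProtocolRelativeUrl covers only a `<form action>` value, and there is no companion positive case showing that an ordinary absolute path such as `/jobs/1` still passes the tightened ONSITE_URL, so an over-broad change to that pattern would go unnoticed; an `assertIntact(...)` call with a same-origin path next to the new `assertReject` (the helper is defined directly below) would guard both directions. If the same pattern is also applied to `href`/`src` attributes elsewhere in the policy, a second rejection case for one of those would show the fix is not form-specific — that usage is outside this hunk, so confirm before adding it. The body of assertIntact continues past the end of the hunk.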

