[vf] New Salesforce VisualForce language support #279

Merged
merged 56 commits into from Mar 1, 2017
Commits
3dd69e5
Initial commit
sergeygorbaty Feb 14, 2017
9bf6c4d
Fixed CompilationUnit not getting called
sergeygorbaty Feb 14, 2017
d7e89d2
Fixed script tag and removed unneeded content AST node
sergeygorbaty Feb 14, 2017
b55b546
First rule
sergeygorbaty Feb 15, 2017
5370ffc
Cleanup
sergeygorbaty Feb 15, 2017
3a2b8c7
Support for mixed merge fields
sergeygorbaty Feb 15, 2017
5c91394
XSS in apex:outputText
sergeygorbaty Feb 15, 2017
47b29df
Fixed up parser unit tests
sergeygorbaty Feb 15, 2017
e8b8b5e
Renaming rules to security, fixing leading whitespaces
sergeygorbaty Feb 16, 2017
6974d53
Adding VF project
sergeygorbaty Feb 16, 2017
e619c28
Code style cleanup
sergeygorbaty Feb 16, 2017
b520331
One more unit test
sergeygorbaty Feb 16, 2017
f194fcd
Cleanup
sergeygorbaty Feb 16, 2017
53446c8
Adding support for html style tag
sergeygorbaty Feb 16, 2017
86ba85f
Fixed BOM and random spacing
sergeygorbaty Feb 16, 2017
475dd47
Get rid of last reference to #$
sergeygorbaty Feb 16, 2017
90af669
Grammar with support for VFEL methods
sergeygorbaty Feb 21, 2017
8af50fb
Small fixes
sergeygorbaty Feb 21, 2017
83dc8d6
Added support for DotExpression and Arguments list
sergeygorbaty Feb 21, 2017
b5235ba
Improved the rule to catch escaped values
sergeygorbaty Feb 21, 2017
1863bfb
Adding support for Content
sergeygorbaty Feb 21, 2017
276954d
Small renaming
sergeygorbaty Feb 22, 2017
e40aa19
Fixed floats support
sergeygorbaty Feb 22, 2017
442c7e2
Cleanup
sergeygorbaty Feb 22, 2017
7ba708f
Revert
sergeygorbaty Feb 22, 2017
c14ef0e
Improved dot notation and empty EL
sergeygorbaty Feb 22, 2017
f5a5920
Support for EL with no quotes
sergeygorbaty Feb 22, 2017
21355be
Support for optional args in EL
sergeygorbaty Feb 22, 2017
be7329e
Style fixes
sergeygorbaty Feb 22, 2017
ec456fe
Context aware escaping
sergeygorbaty Feb 22, 2017
6468659
Style check fixes
sergeygorbaty Feb 22, 2017
553c82b
Proper node reporting
sergeygorbaty Feb 22, 2017
78232a9
Reducing FPs with URLFor
sergeygorbaty Feb 22, 2017
58fc65e
small comment
sergeygorbaty Feb 22, 2017
35c7012
Reduced FPs with id and size
sergeygorbaty Feb 27, 2017
a99b45e
Fixing unit test order
sergeygorbaty Feb 27, 2017
76dda01
Merge remote-tracking branch 'origin/master' into VFSupport
sergeygorbaty Feb 27, 2017
cd2eb5d
Parser fix for EL in no quote context
sergeygorbaty Feb 27, 2017
d61bef2
space
sergeygorbaty Feb 27, 2017
1a20e2c
Fixing tests
sergeygorbaty Feb 27, 2017
3969644
Refactoring
sergeygorbaty Feb 27, 2017
5c30890
Adding VF to the list of supported languages
sergeygorbaty Feb 27, 2017
452bb8e
Reordering
sergeygorbaty Feb 28, 2017
a7cf531
Typo fix and tests
sergeygorbaty Feb 28, 2017
a4f77df
Additional negative test
sergeygorbaty Feb 28, 2017
6bafe94
Whitelisting of http
sergeygorbaty Feb 28, 2017
b0a1cfb
any case http
sergeygorbaty Feb 28, 2017
e2a6956
Whitelisting Labels
sergeygorbaty Feb 28, 2017
3bbd5ca
Literal starting with http
sergeygorbaty Feb 28, 2017
02e5440
Whitelisting ObjectType
sergeygorbaty Feb 28, 2017
5ebf17e
Small refactoring
sergeygorbaty Feb 28, 2017
329e51c
Adding a unit test and bug fix
sergeygorbaty Feb 28, 2017
a700612
Using EnumSet
sergeygorbaty Feb 28, 2017
64bd577
Moving Pattern to final static
sergeygorbaty Feb 28, 2017
ea0fcb6
Renamed Escaping
sergeygorbaty Feb 28, 2017
2af071a
Improving detection of safe resources
sergeygorbaty Mar 1, 2017
Expand Up @@ -114,7 +114,9 @@ private boolean startsWithSlashLiteral(final ASTElExpression elExpression) {
if (expression != null) {
final ASTLiteral literal = expression.getFirstChildOfType(ASTLiteral.class);
if (literal != null && literal.jjtGetChildIndex() == 0) {
if (literal.getImage().startsWith("'/") || literal.getImage().startsWith("\"/") || literal.getImage().toLowerCase().startsWith("'http") || literal.getImage().toLowerCase().startsWith("\"http") ) {
if (literal.getImage().startsWith("'/") || literal.getImage().startsWith("\"/")
|| literal.getImage().toLowerCase().startsWith("'http")
|| literal.getImage().toLowerCase().startsWith("\"http")) {
return true;
}
}
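Review bot: The reflowed condition in startsWithSlashLiteral still tests the bare prefixes `'http` and `"http`, which match any literal that merely begins with those four letters rather than one that begins with `http://` or `https://`; since a match makes the method return true, consider including the scheme separator in the prefix. While touching this line, note that `literal.getImage()` is evaluated four times and lowercased twice with the default locale; reading it once into a local and lowercasing with `Locale.ROOT` would shorten the condition and make it locale-independent.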
Expand Down Expand Up @@ -212,11 +214,17 @@ private boolean doesElContainAnyUnescapedIdentifiers(final ASTElExpression elExp
break;
}

if ("$ObjectType".equalsIgnoreCase(id.getImage()) || "$Label".equalsIgnoreCase(id.getImage()) || "$Resource".equalsIgnoreCase(id.getImage())
|| "URLFOR".equalsIgnoreCase(id.getImage()) || "$Site".equalsIgnoreCase(id.getImage())
|| "$Page".equalsIgnoreCase(id.getImage())) {
switch (id.getImage().toLowerCase()) {
case "$component":
case "$objecttype":
case "$label":
case "$resource":
case "urlfor":
case "$site":
case "$page":
isEscaped = true;
continue;
default:

Member:
you are definitely missing a break here

Contributor Author:
yup. Fixed.

isEscaped = false;
}

if (e.equals(ESCAPING.ANY)) {
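Review bot: `case "$component":` in the new switch has no counterpart in the `equalsIgnoreCase` condition it replaces, so this is a whitelist addition (it sets `isEscaped = true`) carried inside what otherwise reads as a refactor; it deserves its own test case and a mention in the commit message. The switch also changes matching semantics: `id.getImage().toLowerCase()` uses the default locale and throws on a null image, whereas the constant-first `equalsIgnoreCase` calls were locale-independent and null-safe, so an input such as `$SITE` can miss `case "$site"` under a Turkish default locale. Using `toLowerCase(Locale.ROOT)` with a null check would keep the old behaviour.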