Skip to content
Permalink
Browse files Browse the repository at this point in the history
Update JavaScriptUtils
Add escaping for <, >, and PS/LS line terminators

Issue: SPR-9983
  • Loading branch information
rstoyanchev committed Feb 15, 2013
1 parent 63bff1f commit 7a7df66
Show file tree
Hide file tree
Showing 2 changed files with 95 additions and 7 deletions.
@@ -1,5 +1,5 @@
/*
* Copyright 2002-2008 the original author or authors.
* Copyright 2002-2013 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
Expand All @@ -21,21 +21,21 @@
* Escapes based on the JavaScript 1.5 recommendation.
*
* <p>Reference:
* <a href="http://developer.mozilla.org/en/docs/Core_JavaScript_1.5_Guide:Literals#String_Literals">
* Core JavaScript 1.5 Guide
* </a>
* <a href="https://developer.mozilla.org/en-US/docs/JavaScript/Guide/Values,_variables,_and_literals#String_literals">
* JavaScript Guide</a> on Mozilla Developer Network.
*
* @author Juergen Hoeller
* @author Rob Harrop
* @author Rossen Stoyanchev
* @since 1.1.1
*/
public class JavaScriptUtils {

/**
* Turn special characters into escaped characters conforming to JavaScript.
* Handles complete character set defined in HTML 4.01 recommendation.
* Turn JavaScript special characters into escaped characters.
*
* @param input the input string
* @return the escaped string
* @return the string with escaped characters
*/
public static String javaScriptEscape(String input) {
if (input == null) {
Expand Down Expand Up @@ -73,6 +73,27 @@ else if (c == '\r') {
else if (c == '\f') {
filtered.append("\\f");
}
else if (c == '\b') {
filtered.append("\\b");
}
// No '\v' in Java, use octal value for VT ascii char
else if (c == '\013') {
filtered.append("\\v");
}
else if (c == '<') {
filtered.append("\\u003C");
}
else if (c == '>') {
filtered.append("\\u003E");
}
// Unicode for PS (line terminator in ECMA-262)
else if (c == '\u2028') {
filtered.append("\\u2028");
}
// Unicode for LS (line terminator in ECMA-262)
else if (c == '\u2029') {
filtered.append("\\u2029");
}
else {
filtered.append(c);
}
Expand Down
@@ -0,0 +1,67 @@
/*
* Copyright 2004-2013 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/

package org.springframework.web.util;

import static org.junit.Assert.*;

import java.io.UnsupportedEncodingException;

import org.junit.Test;

/**
* Test fixture for {@link JavaScriptUtils}.
*
* @author Rossen Stoyanchev
*/
public class JavaScriptUtilsTests {

@Test
public void escape() {
StringBuilder sb = new StringBuilder();
sb.append('"');
sb.append("'");
sb.append("\\");
sb.append("/");
sb.append("\t");
sb.append("\n");
sb.append("\r");
sb.append("\f");
sb.append("\b");
sb.append("\013");
assertEquals("\\\"\\'\\\\\\/\\t\\n\\n\\f\\b\\v", JavaScriptUtils.javaScriptEscape(sb.toString()));
}

// SPR-9983

@Test
public void escapePsLsLineTerminators() {
StringBuilder sb = new StringBuilder();
sb.append('\u2028');
sb.append('\u2029');
String result = JavaScriptUtils.javaScriptEscape(sb.toString());

assertEquals("\\u2028\\u2029", result);
}

// SPR-9983

@Test
public void escapeLessThanGreaterThanSigns() throws UnsupportedEncodingException {
assertEquals("\\u003C\\u003E", JavaScriptUtils.javaScriptEscape("<>"));
}

}

1 comment on commit 7a7df66

@ngbalk
Copy link

@ngbalk ngbalk commented on 7a7df66 Feb 8, 2016

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Was this commit intended to resolve CVE-2013-6430?
http://pivotal.io/security/cve-2013-6430

Please sign in to comment.