Merged HEAD-BUG-FIX (5.1/Cloud) to HEAD (5.0/Cloud)

88003: Merged DEV to HEAD-BUG-FIX (5.0.1) 85764: ACE-1925 : Intra-Wiki links to pages with umlaut characters are not shown as existing - Added to unescapeHtml title Wiki page. 87724: ACE-1925 : Intra-Wiki links to pages with umlaut characters are not shown as existing - Added unit test xss injections. git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@94557 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
2025-08-21 18:09:20 +00:00 · 2015-01-31 09:50:16 +00:00
parent f0e0c17824
commit 47e7e002a1
2 changed files with 30 additions and 1 deletions
--- a/source/test-java/org/alfresco/repo/web/scripts/wiki/WikiRestApiTest.java
+++ b/source/test-java/org/alfresco/repo/web/scripts/wiki/WikiRestApiTest.java
@@ -19,6 +19,8 @@
 package org.alfresco.repo.web.scripts.wiki;

 import java.util.Date;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;

 import javax.transaction.UserTransaction;

@@ -41,6 +43,7 @@ import org.alfresco.service.cmr.wiki.WikiPageInfo;
 import org.alfresco.service.cmr.wiki.WikiService;
 import org.alfresco.service.transaction.TransactionService;
 import org.alfresco.util.PropertyMap;
+import org.apache.commons.lang.StringEscapeUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.json.JSONArray;
@@ -976,4 +979,29 @@ public class WikiRestApiTest extends BaseWebScriptTest
            }
        }
    }
+    
+    public void testXSSInjection() throws Exception
+    { 
+    	WikiPageInfo wikiPage = null;
+    	WikiPageInfo wikiPageNew = null;
+    	try{
+    		wikiPage = this.wikiService.createWikiPage(SITE_SHORT_NAME_WIKI, "test_wiki", "[[Test]]");
+    		wikiPageNew = this.wikiService.createWikiPage(SITE_SHORT_NAME_WIKI, "Test", "test_content");
+    		Pattern LINK_PATTERN_MATCH = Pattern.compile("\\[\\[([^\\|\\]]+)");
+    		Matcher m = LINK_PATTERN_MATCH.matcher(wikiPage.getContents());
+    		while (m.find())
+    		{
+    			String link = m.group(1); 
+    			link += "?title=<script>alert('xss');</script>";
+    			WikiPageInfo wikiPage2 = this.wikiService.getWikiPage(SITE_SHORT_NAME_WIKI, link);
+    			WikiPageInfo wikiPage1 = this.wikiService.getWikiPage(SITE_SHORT_NAME_WIKI, StringEscapeUtils.unescapeHtml(link));
+    			assertEquals(wikiPage2, wikiPage1);
+    		}
+      
+    	}
+    	finally{
+    		 this.wikiService.deleteWikiPage(wikiPage); 
+    		 this.wikiService.deleteWikiPage(wikiPageNew); 
+    	}
+    }
 }