Merged V2.1 to HEAD
6515: Fix for AWC-1362 (system error page when clicking on space that doesn't exist in navigator) 6516: Fix for AR-1688 - Vista 6518: Fix for AWC-1479, AWC-1199 and AWC-426 (javascript insertion into forum posts security related fixes) limit to subset of safe tags for posting 6519: Fix AR-1690 Web Scripts url.args is missing even though it's documented in WIKI 6520: Fix for AWC-1271 (component generator config ignored for associations) 6521: Fix AWC-1492 Some included javascript files in template/webscripts use the wrong app context path i.e. /alfresco when the app is called /alfzip 6522: Build fix 6523: - Fix rendering of tasks with no description in office portlets 6524: Added thread pool for index merging (AR-1633, AR-1579) 6525: One more fix for rendering of tasks with no description in office portlets 6527: Renamed axis jar to reflect version number. 6528: WebServices query cache refactoring git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@6741 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
@@ -34,9 +34,11 @@ import java.text.SimpleDateFormat;
|
||||
import java.util.Calendar;
|
||||
import java.util.Date;
|
||||
import java.util.HashMap;
|
||||
import java.util.HashSet;
|
||||
import java.util.Iterator;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
import java.util.Set;
|
||||
|
||||
import javax.faces.application.FacesMessage;
|
||||
import javax.faces.component.NamingContainer;
|
||||
@@ -102,7 +104,45 @@ public final class Utils
|
||||
|
||||
private static final Map<String, String> s_fileExtensionMap = new HashMap<String, String>(89, 1.0f);
|
||||
|
||||
private static Log logger = LogFactory.getLog(Utils.class);
|
||||
private static final Log logger = LogFactory.getLog(Utils.class);
|
||||
|
||||
private static final Set<String> safeTags = new HashSet<String>();
|
||||
|
||||
static
|
||||
{
|
||||
safeTags.add("p");
|
||||
safeTags.add("/p");
|
||||
safeTags.add("b");
|
||||
safeTags.add("/b");
|
||||
safeTags.add("i");
|
||||
safeTags.add("/i");
|
||||
safeTags.add("br");
|
||||
safeTags.add("ul");
|
||||
safeTags.add("/ul");
|
||||
safeTags.add("ol");
|
||||
safeTags.add("/ol");
|
||||
safeTags.add("li");
|
||||
safeTags.add("/li");
|
||||
safeTags.add("h1");
|
||||
safeTags.add("/h1");
|
||||
safeTags.add("h2");
|
||||
safeTags.add("/h2");
|
||||
safeTags.add("h3");
|
||||
safeTags.add("/h3");
|
||||
safeTags.add("h4");
|
||||
safeTags.add("/h4");
|
||||
safeTags.add("h5");
|
||||
safeTags.add("/h5");
|
||||
safeTags.add("h6");
|
||||
safeTags.add("/h6");
|
||||
safeTags.add("span");
|
||||
safeTags.add("/span");
|
||||
safeTags.add("a");
|
||||
safeTags.add("/a");
|
||||
safeTags.add("img");
|
||||
safeTags.add("font");
|
||||
safeTags.add("/font");
|
||||
}
|
||||
|
||||
/**
|
||||
* Private constructor
|
||||
@@ -256,6 +296,92 @@ public final class Utils
|
||||
return buf.toString();
|
||||
}
|
||||
|
||||
/**
|
||||
* Strip unsafe HTML tags from a string - only leaves most basic formatting tags
|
||||
* and encodes or strips the remaining characters.
|
||||
*
|
||||
* @param s HTML string to strip tags from
|
||||
*
|
||||
* @return safe string
|
||||
*/
|
||||
public static String stripUnsafeHTMLTags(String s)
|
||||
{
|
||||
s = s.replace("onclick", "$");
|
||||
s = s.replace("onmouseover", "$");
|
||||
s = s.replace("onmouseout", "$");
|
||||
s = s.replace("onmousemove", "$");
|
||||
s = s.replace("onfocus", "$");
|
||||
s = s.replace("onblur", "$");
|
||||
StringBuilder buf = new StringBuilder(s.length());
|
||||
char[] chars = s.toCharArray();
|
||||
for (int i=0; i<chars.length; i++)
|
||||
{
|
||||
if (chars[i] == '<')
|
||||
{
|
||||
// found a tag?
|
||||
int endMatchIndex = -1;
|
||||
int endTagIndex = -1;
|
||||
if (i < chars.length - 2)
|
||||
{
|
||||
for (int x=(i + 1); x<chars.length; x++)
|
||||
{
|
||||
if (chars[x] == ' ' && endMatchIndex == -1)
|
||||
{
|
||||
// keep track of the match point for comparing tags in the safeTags set
|
||||
endMatchIndex = x;
|
||||
}
|
||||
else if (chars[x] == '>')
|
||||
{
|
||||
endTagIndex = x;
|
||||
break;
|
||||
}
|
||||
else if (chars[x] == '<')
|
||||
{
|
||||
// found another angle bracket - not a tag def so we can safely output to here
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
if (endTagIndex != -1)
|
||||
{
|
||||
// found end of the tag to match
|
||||
String tag = s.substring(i + 1, endTagIndex).toLowerCase();
|
||||
String matchTag = tag;
|
||||
if (endMatchIndex != -1)
|
||||
{
|
||||
matchTag = s.substring(i + 1, endMatchIndex).toLowerCase();
|
||||
}
|
||||
if (safeTags.contains(matchTag))
|
||||
{
|
||||
// safe tag - append to buffer
|
||||
buf.append('<').append(tag).append('>');
|
||||
}
|
||||
// inc counter to skip past whole tag
|
||||
i = endTagIndex;
|
||||
continue;
|
||||
}
|
||||
}
|
||||
String enc = null;
|
||||
switch (chars[i])
|
||||
{
|
||||
case '"': enc = """; break;
|
||||
case '&': enc = "&"; break;
|
||||
case '<': enc = "<"; break;
|
||||
case '>': enc = ">"; break;
|
||||
|
||||
default:
|
||||
if (((int)chars[i]) >= 0x80)
|
||||
{
|
||||
//encode all non basic latin characters
|
||||
enc = "&#" + ((int)chars[i]) + ";";
|
||||
}
|
||||
break;
|
||||
}
|
||||
buf.append(enc == null ? chars[i] : enc);
|
||||
}
|
||||
return buf.toString();
|
||||
}
|
||||
|
||||
/**
|
||||
* Replace one string instance with another within the specified string
|
||||
*
|
||||
@@ -337,8 +463,12 @@ public final class Utils
|
||||
String line = reader.readLine();
|
||||
while (line != null)
|
||||
{
|
||||
parsedContent.append(line).append("<br/>");
|
||||
parsedContent.append(line);
|
||||
line = reader.readLine();
|
||||
if (line != null)
|
||||
{
|
||||
parsedContent.append("<br>");
|
||||
}
|
||||
}
|
||||
|
||||
replaced = parsedContent.toString();
|
||||
|
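Review bot: In the `stripUnsafeHTMLTags` hunk the allowlist check uses only the tag name (`matchTag`, the text before the first space) but then writes the entire tag back with `buf.append('<').append(tag).append('>')`, so every attribute of an allowed tag survives: `<img src=x onerror=...>`, `<a href="javascript:...">` or a `style` attribute pass through, and the preceding `s.replace("onclick", "$")` blacklist is case-sensitive and names only six handlers, so `onClick` or `onerror` are not touched. The minimal fail-closed fix is to emit only the matched name, `buf.append('<').append(matchTag).append('>');`, which drops all attributes; if `href`/`src` must be preserved they need an explicit per-attribute allowlist with a URL scheme check (`http:`, `https:`, `mailto:` or relative) instead of the handler blacklist. With attributes dropped, the `"$"` substitutions become dead code and the `a`, `img`, `font` and `span` entries in `safeTags` carry no payload, so they are worth reconsidering together. The enclosing `Utils` class begins and ends outside these hunks.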