From ec0ae9541c4d42c55a505730971fe42d4e446d29 Mon Sep 17 00:00:00 2001
From: Alan Davis
Date: Wed, 19 Feb 2014 12:01:07 +0000
Subject: [PATCH] Merged HEAD-BUG-FIX (Cloud/4.3) to HEAD (Cloud/4.3) 62517: Merged V4.2-BUG-FIX (4.2.2) to HEAD-BUG-FIX (Cloud/4.3) 62259: Merged DEV to V4.2-BUG-FIX 61593 : MNT-10642 : Alfresco Explorer has javascript vulnerability opening HTML files Before opening HTML files via Alfresco Explorer remove javascript using StringUtils 62178 : MNT-10642 : Alfresco Explorer has javascript vulnerability opening HTML files Was corrected code git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@62790 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
---
 .../servlet/BaseDownloadContentServlet.java | 27 +++++++++++++++++++
 1 file changed, 27 insertions(+)
diff --git a/source/java/org/alfresco/web/app/servlet/BaseDownloadContentServlet.java b/source/java/org/alfresco/web/app/servlet/BaseDownloadContentServlet.java
index ae20e69175..15b953ef3d 100644
--- a/source/java/org/alfresco/web/app/servlet/BaseDownloadContentServlet.java
+++ b/source/java/org/alfresco/web/app/servlet/BaseDownloadContentServlet.java
@@ -50,6 +50,7 @@ import org.alfresco.web.app.Application;
 import org.apache.commons.logging.Log;
 import org.springframework.extensions.surf.util.URLDecoder;
 import org.springframework.extensions.surf.util.URLEncoder;
+import org.springframework.extensions.webscripts.ui.common.StringUtils;
 
 /**
 * Base class for the download content servlets. Provides common
@@ -340,6 +341,32 @@ public abstract class BaseDownloadContentServlet extends BaseServlet
 res.setContentType(mimetype);
 res.setCharacterEncoding(reader.getEncoding());
 
+ // MNT-10642 Alfresco Explorer has javascript vulnerability opening HTML files
+ if (req.getRequestURI().contains("/d/d/") && (mimetype.equals("text/html") || mimetype.equals("application/xhtml+xml") || mimetype.equals("text/xml")))
+ {
+ String content = reader.getContentString();
+
+ if (mimetype.equals("text/html") || mimetype.equals("application/xhtml+xml"))
+ {
+ // process with HTML stripper
+ content = StringUtils.stripUnsafeHTMLTags(content, false);
+ }
+ else if (mimetype.equals("text/xml") && mimetype.equals("text/x-component"))
+ {
+ // IE supports "behaviour" which means that css can load a .htc file that could
+ // contain XSS code in the form of jscript, vbscript etc, to stop it form being
+ // evaluated we set the contient type to text/plain
+ res.setContentType("text/plain");
+ }
+
+ String encoding = reader.getEncoding();
+ byte[] bytes = encoding != null ? content.getBytes(encoding) : content.getBytes();
+ res.setContentLength(bytes.length);
+ res.getOutputStream().write(bytes);
+
+ return;
+ }
+
 // return the complete entity range
 long size = reader.getSize();
 res.setHeader(HEADER_CONTENT_RANGE, "bytes 0-" + Long.toString(size-1L) + "/" + Long.toString(size));
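Review bot: The `else if (mimetype.equals("text/xml") && mimetype.equals("text/x-component"))` branch can never be true, because one string cannot equal both values, so the `text/plain` downgrade described in its comment never runs and `text/xml` content is written back unchanged under its original content type. The outer guard also omits `text/x-component`, so that type never enters the block at all; I would use `else if (mimetype.equals("text/xml") || mimetype.equals("text/x-component"))` for the inner test and add `|| mimetype.equals("text/x-component")` to the outer condition. Separately, the guard keys on `req.getRequestURI().contains("/d/d/")`, so any other URL form that reaches this code path (none is visible in the hunk) would presumably skip the stripping; deciding on the mimetype alone would be more robust. When `reader.getEncoding()` is null, `content.getBytes()` falls back to the platform charset, which may not match what the response declares. The enclosing method starts and ends outside the hunk.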