xxadev / jenkins
Commit 48b29ea5
Authored on Mar 05, 2012 by Kohsuke Kawaguchi
Added more tests and discovered a couple more issues.
Parent: ff8268da
Changes: 2
Showing 2 changed files with 92 additions and 2 deletions (+92 -2)
core/src/main/java/hudson/markup/MyspacePolicy.java (+4 -2)
core/src/test/java/hudson/markup/MyspacePolicyTest.java (+88 -0)
core/src/main/java/hudson/markup/MyspacePolicy.java (view file @ 48b29ea5)
...
...
@@ -58,7 +58,7 @@ public class MyspacePolicy {
tag
(
"select"
,
"multiple"
);
tag
(
"option"
,
"value"
,
"label"
,
"selected"
);
tag
(
"textarea"
);
tag
(
"h1,h2,h3,h4,h5,h6,p,i,b,u,strong,em,small,big,pre,code,cite,samp,sub,sup,strike,center,lockquote"
);
tag
(
"h1,h2,h3,h4,h5,h6,p,i,b,u,strong,em,small,big,pre,code,cite,samp,sub,sup,strike,center,
b
lockquote"
);
tag
(
"hr,br,col"
);
tag
(
"font"
,
"color"
,
"face"
,
"size"
);
tag
(
"a"
,
"nohref"
,
"rel"
);
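Review bot: the long comma-joined tag string in this hunk is what let the `lockquote` typo slip in unnoticed and silently drop `<blockquote>` from the whitelist; the one-character change corrects it, but the same defect can recur. Split the list onto one tag per line (or build it from a `String[]`) so a dropped character is visible in review, and keep the new `assertIntact("<h1>title</h1><blockquote>blurb</blockquote>")` test as the regression guard for this entry.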
...
...
@@ -66,6 +66,7 @@ public class MyspacePolicy {
tag
(
"span,div"
);
tag
(
"img"
,
"src"
,
ONSITE_OR_OFFSITE_URL
,
"hspace"
,
"vspace"
);
tag
(
"iframe"
,
"src"
);
tag
(
"link"
,
"type"
,
"rel"
);
tag
(
"ul,ol,li,dd,dl,dt,thead,tbody,tfoot"
);
tag
(
"table"
,
"noresize"
);
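Review bot: the new `tag("iframe", "src")` line admits `src` on `iframe` without the `ONSITE_OR_OFFSITE_URL` constraint that the adjacent `img` line applies to its `src`, so whether a `javascript:` frame source is refused rests entirely on the later `allowStandardUrlProtocols()` covering this attribute. Pass the same constraint explicitly (`tag("iframe", "src", ONSITE_OR_OFFSITE_URL);`) so the intent is visible at the call site, and consider whether user-supplied markup should be able to frame offsite content at all, since an embedded frame is a larger exposure than an embedded image; the new `assertReject("javascript", "<iframe src='javascript:foo'></iframe>")` test checks the scheme case but not the offsite case.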
...
...
@@ -73,12 +74,13 @@ public class MyspacePolicy {
tag
(
"colgroup"
,
"span"
);
tag
(
"col"
,
"span"
);
tag
(
"fieldset,legend"
);
allowStandardUrlProtocols
();
}}.
toFactory
();
}
public
static
void
main
(
String
[]
args
)
throws
IOException
{
// Fetch the HTML to sanitize.
String
html
=
"<
button name='foo' value='xyz' disabled='true'>abc</button><br><script>foo</script
>"
;
String
html
=
"<
a href='http://www.google.com/'>Google</a><img src='http://www.yahoo.com'
>"
;
// Set up an output channel to receive the sanitized HTML.
HtmlStreamRenderer
renderer
=
HtmlStreamRenderer
.
create
(
System
.
out
,
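Review bot: the `main` method edited in this hunk is a manual smoke-test harness living inside the production policy class, and its hard-coded sample (`"<a href='http://www.google.com/'>Google</a><img src='http://www.yahoo.com'>"`) now duplicates what the new `MyspacePolicyTest` exercises. Remove `main` from `MyspacePolicy` rather than keep editing it, so the shipped class carries no stray entry point that writes to `System.out`.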
...
...
core/src/test/java/hudson/markup/MyspacePolicyTest.java (new file, mode 0 → 100644, view file @ 48b29ea5)
package
hudson.markup
;
import
com.google.common.base.Throwables
;
import
org.junit.Assert
;
import
org.junit.Test
;
import
org.owasp.html.Handler
;
import
org.owasp.html.HtmlSanitizer
;
import
org.owasp.html.HtmlStreamRenderer
;
import
java.io.IOException
;
/**
* @author Kohsuke Kawaguchi
*/
public
class
MyspacePolicyTest
extends
Assert
{
@Test
public
void
testPolicy
()
{
assertIntact
(
"<a href='http://www.cloudbees.com'>CB</a>"
);
assertIntact
(
"<a href='relative/link'>relative</a>"
);
assertIntact
(
"<a href='mailto:kk@kohsuke.org'>myself</a>"
);
assertReject
(
"javascript"
,
"<a href='javascript:alert(5)'>test</a>"
);
assertIntact
(
"<img src='http://www.cloudbees.com'>"
);
assertIntact
(
"<img src='relative/test.png'>"
);
assertIntact
(
"<img src='relative/test.png'>"
);
assertReject
(
"javascript"
,
"<img src='javascript:alert(5)'>"
);
assertIntact
(
"<b><i><u><strike>basic tag</strike></u></i></b>"
);
assertIntact
(
"<div><p>basic block tags</p></div>"
);
assertIntact
(
"<ul><li>1</li><li>2</li><li>3</li></ul>"
);
assertIntact
(
"<ol><li>x</li></ol>"
);
assertIntact
(
"<dl><dt>abc</dt><dd>foo</dd></dl>"
);
assertIntact
(
"<table><tr><th>header</th></tr><tr><td>something</td></tr></table>"
);
assertIntact
(
"<h1>title</h1><blockquote>blurb</blockquote>"
);
assertIntact
(
"<iframe src='nested'></iframe>"
);
assertIntact
(
"<iframe src='http://kohsuke.org'></iframe>"
);
assertReject
(
"javascript"
,
"<iframe src='javascript:foo'></iframe>"
);
assertReject
(
"script"
,
"<script>window.alert(5);</script>"
);
assertReject
(
"script"
,
"<script src='http://foo/evil.js'></script>"
);
assertReject
(
"script"
,
"<script src='relative.js'></script>"
);
assertIntact
(
"<style>H1 { display:none; }</style>"
);
assertIntact
(
"<link rel='stylesheet' type='text/css' href='http://www.microsoft.com/'>"
);
assertIntact
(
"<div style='background-color:white'>inline CSS</div>"
);
assertIntact
(
"<br><hr>"
);
assertIntact
(
"<form method='post' action='http://sun.com/'><input type='text' name='foo'><input type='password' name='pass'></form>"
);
}
private
void
assertIntact
(
String
input
)
{
input
=
input
.
replace
(
'\''
,
'\"'
);
assertSanitize
(
input
,
input
);
}
private
void
assertReject
(
String
problematic
,
String
input
)
{
String
out
=
sanitize
(
input
);
assertFalse
(
out
,
out
.
contains
(
problematic
));
}
private
void
assertSanitize
(
String
expected
,
String
input
)
{
assertEquals
(
expected
,
sanitize
(
input
));
}
private
String
sanitize
(
String
input
)
{
StringBuilder
buf
=
new
StringBuilder
();
HtmlStreamRenderer
renderer
=
HtmlStreamRenderer
.
create
(
buf
,
// Receives notifications on a failure to write to the output.
new
Handler
<
IOException
>()
{
public
void
handle
(
IOException
ex
)
{
Throwables
.
propagate
(
ex
);
// System.out suppresses IOExceptions
}
},
// Our HTML parser is very lenient, but this receives notifications on
// truly bizarre inputs.
new
Handler
<
String
>()
{
public
void
handle
(
String
x
)
{
throw
new
AssertionError
(
x
);
}
}
);
HtmlSanitizer
.
sanitize
(
input
,
MyspacePolicy
.
POLICY_DEFINITION
.
apply
(
renderer
));
return
buf
.
toString
();
}
}
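Review bot: `assertReject` only asserts that the substring named in `problematic` is absent from the output (`assertFalse(out, out.contains(problematic))`), so a rewritten or escaped form of the same value in the output would pass the check while still being unsafe; assert the exact expected sanitized output through `assertSanitize` instead, so any regression is caught whatever shape it takes. Separately, the `assertIntact` expectations for `<style>`, `<link ... href='http://www.microsoft.com/'>` and `<form ...><input ...>` assert that these survive verbatim, yet the policy hunks shown allow `link` only with `type` and `rel` and carry no `style`, `form` or `input` entries; decide whether these are meant to be accepted (remote stylesheets and forms posting to an offsite action are a notable exposure in user markup) or turn them into `assertReject` cases. `assertIntact("<img src='relative/test.png'>")` also appears twice.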