author | mikesamuel <mikesamuel@ad8eed46-c659-4a31-e19d-951d88f54425> | 2014-05-14 16:33:20 +0000 |
---|---|---|
committer | Android Git Automerger <android-git-automerger@android.com> | 2014-05-14 16:33:20 +0000 |
commit | 8b9b463cd9e32bf59c7ac5ee95211e3d5fe6d1a8 (patch) | |
tree | 621720abcefd868f057329ad5f54463624e34f28 | |
parent | 9fe9a934404e8397eb392fd38d31d4e3e93fa916 (diff) | |
parent | 7d0755627f174ec9d5f148bd9fa3a5cc732edb3f (diff) | |
am 7d075562: fix issue 24: protocol whitelisting not case-insensitive
* commit '7d0755627f174ec9d5f148bd9fa3a5cc732edb3f':
fix issue 24: protocol whitelisting not case-insensitive
-rw-r--r-- | src/main/org/owasp/html/FilterUrlByProtocolAttributePolicy.java | 3 | ||||
-rw-r--r-- | src/tests/org/owasp/html/SanitizersTest.java | 27 |
2 files changed, 29 insertions, 1 deletions
diff --git a/src/main/org/owasp/html/FilterUrlByProtocolAttributePolicy.java b/src/main/org/owasp/html/FilterUrlByProtocolAttributePolicy.java
index 855d45c..48c9723 100644
--- a/src/main/org/owasp/html/FilterUrlByProtocolAttributePolicy.java
+++ b/src/main/org/owasp/html/FilterUrlByProtocolAttributePolicy.java
@@ -77,7 +77,8 @@ public class FilterUrlByProtocolAttributePolicy implements AttributePolicy {
         }
         break protocol_loop;
       case ':':
-        if (!protocols.contains(s.substring(0, i))) { return null; }
+        String protocol = Strings.toLowerCase(s.substring(0, i));
+        if (!protocols.contains(protocol)) { return null; }
         break protocol_loop;
     }
   }
diff --git a/src/tests/org/owasp/html/SanitizersTest.java b/src/tests/org/owasp/html/SanitizersTest.java
index 50c0353..052ab02 100644
--- a/src/tests/org/owasp/html/SanitizersTest.java
+++ b/src/tests/org/owasp/html/SanitizersTest.java
@@ -158,6 +158,11 @@ public class SanitizersTest extends TestCase {
             "<a href=\"https://example.com/x.html\""
             + " onclick=\"alert(1337)\">Link text</a>"));
     assertEquals(
+        "<a href=\"HTTPS://example.com/x.html\" rel=\"nofollow\">Link text</a>",
+        s.sanitize(
+            "<a href=\"HTTPS://example.com/x.html\""
+            + " onclick=\"alert(1337)\">Link text</a>"));
+    assertEquals(
         "<a href=\"//example.com/x.html\" rel=\"nofollow\">Link text</a>",
         s.sanitize(
             "<a href=\"//example.com/x.html\""
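Review bot: The new local `protocol` is declared directly in the `case ':':` arm without braces, so its scope leaks into any later arms of the same switch; wrapping the arm as `case ':': {` … `break protocol_loop; }` keeps it local and makes the two-line replacement self-contained. Correctness here rests on `Strings.toLowerCase` being locale-independent, which the Turkish dotted-I test added in SanitizersTest suggests but this hunk does not record; a comment such as `// Scheme names are ASCII case-insensitive (RFC 3986 §3.1); lowercase locale-independently so "F\u0130LE" does not match "file".` above the new line would document the intent. It also presumes the entries in `protocols` are already lowercase; if the builder's `allowUrlProtocols` does not normalize its arguments, an allow-list entry given in upper case would never match. The enclosing method and its labelled loop start and end outside the hunk.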
@@ -175,6 +180,28 @@ public class SanitizersTest extends TestCase {
   }
 
   @Test
+  public static final void testExplicitlyAllowedProtocolsAreCaseInsensitive() {
+    // Issue 24.
+    PolicyFactory s = new HtmlPolicyBuilder()
+        .allowElements("a")
+        .allowAttributes("href").onElements("a")
+        .allowStandardUrlProtocols()
+        .allowUrlProtocols("file")  // Don't try this at home
+        .toFactory();
+    String input = (
+        "<a href='file:///etc/passwd'>Copy and paste this into email</a>"
+        + "<a href='FILE:///etc/passwd'>Or this one</a>"
+        + "<a href='F\u0130LE:///etc/passwd'>not with Turkish dotted I's</a>"
+        + "<a href='fail:///etc/passed'>The fail protocol needs to happen</a>");
+    String want = (
+        "<a href=\"file:///etc/passwd\">Copy and paste this into email</a>"
+        + "<a href=\"FILE:///etc/passwd\">Or this one</a>"
+        + "not with Turkish dotted I's"
+        + "The fail protocol needs to happen");
+    assertEquals(want, s.sanitize(input));
+  }
+
+  @Test
+  public static final void testIssue9StylesInTables() {
     String input = "" +
         "<table style=\"color: rgb(0, 0, 0);"
|
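Review bot: The new test exercises case-insensitivity only on the URL side: the allow-list entry is `.allowUrlProtocols("file")`, so it would still pass even if an upper-case allow-list entry never matched anything. A second builder using `.allowUrlProtocols("FILE")` asserting the same `want` output would pin down whether normalization happens on both sides, or, if the builder is meant to require lowercase entries, a one-line comment on the `allowUrlProtocols` call saying so. The whole of `testExplicitlyAllowedProtocolsAreCaseInsensitive` lies within the hunk.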