Changeset 33720

Timestamp:
25.11.2019 20:08:31 (11 days ago)
Author:
ak19
Message:

Implemented Dr Bainbridge's suggestions, based on Kathy's solution, for preventing script elements in queries (like a close script tag, open script tag, alert(1), close script tag) from ending up live when a search is performed.

Location:
main/trunk/greenstone3
Files:
2 modified

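--- a/main/trunk/greenstone3/src/java/org/greenstone/gsdl3/util/XSLTUtil.java
+++ b/main/trunk/greenstone3/src/java/org/greenstone/gsdl3/util/XSLTUtil.java
@@ -752,5 +752,13 @@
         return str.replace("\"", "\\\"");
     }
-
+        public static String escapeAngleBrackets(String str)
+    {
+        if (str == null || str.length() < 1)
+        {
+            return null;
+        }
+        return str.replace("<", "&lt;").replace(">", "&gt;");
+    }
+    
     public static String escapeNewLinesAndQuotes(String str)
     {
@@ -761,5 +769,15 @@
         return escapeNewLines(escapeQuotes(str));
     }
-
+    
+    public static String escapeNewLinesQuotesAngleBracketsForJSString(String str)
+    {
+        // The \n and " becomes \\\n and \\\"
+        // but the <> are escaped/encoded for html, i.e. &gt; and &lt;
+        if (str == null || str.length() < 1)
+        {
+            return null;
+        }
+        return escapeAngleBrackets(escapeNewLines(escapeQuotes(str)));
+    }
     public static String getGlobalProperty(String name)
     {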
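Review bot: escapeNewLinesQuotesAngleBracketsForJSString (new lines 772-781, second hunk) alters the data it protects rather than just encoding it: in an HTML script element, character references are not decoded, so a query containing `<` reaches the JavaScript string as the literal text `&lt;`, which will surface wherever the value is later used as plain text rather than as HTML markup. The `</script>` break-out is still blocked because no `<` survives, but the same protection without changing the value is to emit JavaScript escapes in escapeAngleBrackets, `return str.replace("<", "\\u003c").replace(">", "\\u003e");`, which the JS engine turns back into the original characters when the literal is parsed. Both new methods also return null for an empty string (`str.length() < 1`), so an empty parameter value yields null instead of ""; how Xalan renders that inside the `value = "…"` literal at the four call sites in javascript-global-setup.xsl is worth confirming. A Javadoc on the new public method stating that its output is intended only for a JS string literal inside a script block, and that null or empty input yields null, would make the contract clear to the XSL callers.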
  • main/trunk/greenstone3/web/interfaces/default/transform/javascript-global-setup.xsl

    r33544 r33720  
    3434            <xsl:for-each select="/page/pageRequest/paramList/param"> 
    3535                <xsl:text disable-output-escaping="yes">name = "</xsl:text><xsl:value-of select="@name"/><xsl:text disable-output-escaping="yes">";</xsl:text> 
    36                 <xsl:text disable-output-escaping="yes">value = "</xsl:text><xsl:value-of disable-output-escaping="yes" select="util:escapeNewLinesAndQuotes(@value)"/><xsl:text disable-output-escaping="yes">";</xsl:text> 
     36                <xsl:text disable-output-escaping="yes">value = "</xsl:text><xsl:value-of disable-output-escaping="yes" select="util:escapeNewLinesQuotesAngleBracketsForJSString(@value)"/><xsl:text disable-output-escaping="yes">";</xsl:text> 
    3737                <xsl:text disable-output-escaping="yes">name = name.replace(".", "_");</xsl:text> 
    3838                gs.cgiParams[name] = value;              
     
    7777            <xsl:for-each select="/page/pageResponse/metadataList/metadata"> 
    7878                <xsl:text disable-output-escaping="yes">name = "</xsl:text><xsl:value-of select="@name"/><xsl:text disable-output-escaping="yes">";</xsl:text> 
    79                 <xsl:text disable-output-escaping="yes">value = "</xsl:text><xsl:value-of disable-output-escaping="yes" select="util:escapeNewLinesAndQuotes(.)"/><xsl:text disable-output-escaping="yes">";</xsl:text> 
     79                <xsl:text disable-output-escaping="yes">value = "</xsl:text><xsl:value-of disable-output-escaping="yes" select="util:escapeNewLinesQuotesAngleBracketsForJSString(.)"/><xsl:text disable-output-escaping="yes">";</xsl:text> 
    8080                <xsl:text disable-output-escaping="yes">lang = "</xsl:text><xsl:value-of select="@lang"/><xsl:text disable-output-escaping="yes">";</xsl:text> 
    8181                addMetadataToList(name, value, gs.siteMetadata, lang); 
     
    8484            <xsl:for-each select="/page/pageResponse/collection/metadataList/metadata"> 
    8585                <xsl:text disable-output-escaping="yes">name = "</xsl:text><xsl:value-of select="@name"/><xsl:text disable-output-escaping="yes">";</xsl:text> 
    86                 <xsl:text disable-output-escaping="yes">value = "</xsl:text><xsl:value-of disable-output-escaping="yes" select="util:escapeNewLinesAndQuotes(.)"/><xsl:text disable-output-escaping="yes">";</xsl:text> 
     86                <xsl:text disable-output-escaping="yes">value = "</xsl:text><xsl:value-of disable-output-escaping="yes" select="util:escapeNewLinesQuotesAngleBracketsForJSString(.)"/><xsl:text disable-output-escaping="yes">";</xsl:text> 
    8787                <xsl:text disable-output-escaping="yes">lang = "</xsl:text><xsl:value-of select="@lang"/><xsl:text disable-output-escaping="yes">";</xsl:text> 
    8888                addMetadataToList(name, value, gs.collectionMetadata, lang); 
     
    9191            <xsl:for-each select="/page/pageResponse/document/metadataList/metadata"> 
    9292                <xsl:text disable-output-escaping="yes">name = "</xsl:text><xsl:value-of select="@name"/><xsl:text disable-output-escaping="yes">";</xsl:text> 
    93                 <xsl:text disable-output-escaping="yes">value = "</xsl:text><xsl:value-of disable-output-escaping="yes" select="util:escapeNewLinesAndQuotes(.)"/><xsl:text disable-output-escaping="yes">";</xsl:text> 
     93                <xsl:text disable-output-escaping="yes">value = "</xsl:text><xsl:value-of disable-output-escaping="yes" select="util:escapeNewLinesQuotesAngleBracketsForJSString(.)"/><xsl:text disable-output-escaping="yes">";</xsl:text> 
    9494                <xsl:text disable-output-escaping="yes">lang = "</xsl:text><xsl:value-of select="@lang"/><xsl:text disable-output-escaping="yes">";</xsl:text> 
    9595                addMetadataToList(name, value, gs.documentMetadata, lang); 
     
    103103                <xsl:for-each select="metadataList/metadata"> 
    104104                    <xsl:text disable-output-escaping="yes">name = "</xsl:text><xsl:value-of select="@name"/><xsl:text disable-output-escaping="yes">";</xsl:text> 
    105                     <xsl:text disable-output-escaping="yes">value = "</xsl:text><xsl:value-of disable-output-escaping="yes" select="util:escapeNewLinesAndQuotes(.)"/><xsl:text disable-output-escaping="yes">";</xsl:text> 
     105                    <xsl:text disable-output-escaping="yes">value = "</xsl:text><xsl:value-of disable-output-escaping="yes" select="util:escapeNewLinesQuotesAngleBracketsForJSString(.)"/><xsl:text disable-output-escaping="yes">";</xsl:text> 
    106106                    <xsl:text disable-output-escaping="yes">lang = "</xsl:text><xsl:value-of select="@lang"/><xsl:text disable-output-escaping="yes">";</xsl:text> 
    107107                    addMetadataToList(name, value, metaList, lang);