Changeset 33720 for main


Timestamp:
2019-11-25T20:08:31+13:00 (4 years ago)
Author:
ak19
Message:

Implemented Dr Bainbridge's suggestions, based on Kathy's solution, for preventing script elements in queries (like a close script tag, open script tag, alert(1), close script tag) from ending up live when a search is performed.

Location:
main/trunk/greenstone3
Files:
2 edited

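--- a/main/trunk/greenstone3/src/java/org/greenstone/gsdl3/util/XSLTUtil.java
+++ b/main/trunk/greenstone3/src/java/org/greenstone/gsdl3/util/XSLTUtil.java
@@ -752,5 +752,13 @@
         return str.replace("\"", "\\\"");
     }
-
+        public static String escapeAngleBrackets(String str)
+    {
+        if (str == null || str.length() < 1)
+        {
+            return null;
+        }
+        return str.replace("<", "&lt;").replace(">", "&gt;");
+    }
+   
     public static String escapeNewLinesAndQuotes(String str)
     {
@@ -761,5 +769,15 @@
         return escapeNewLines(escapeQuotes(str));
     }
-
+   
+    public static String escapeNewLinesQuotesAngleBracketsForJSString(String str)
+    {
+        // The \n and " becomes \\\n and \\\"
+        // but the <> are escaped/encoded for html, i.e. &gt; and &lt; 
+        if (str == null || str.length() < 1)
+        {
+            return null;
+        }
+        return escapeAngleBrackets(escapeNewLines(escapeQuotes(str)));
+    }
     public static String getGlobalProperty(String name)
     {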
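Review bot: escapeNewLinesQuotesAngleBracketsForJSString (new lines 772-781) entity-encodes `<` and `>` for a value that, per the javascript-global-setup.xsl section of this changeset, is emitted inside a JS string literal within a script block, where the browser does not decode entities; the value JavaScript ends up holding is therefore `&lt;script&gt;` rather than the original text, which is fine for a later innerHTML sink but silently changes what gs.cgiParams carries. If the original characters matter to callers, JS hex escapes preserve them while still keeping the literal from closing the script element, e.g. `return escapeNewLines(escapeQuotes(str)).replace("<", "\\x3c").replace(">", "\\x3e");`. Either way the method needs a Javadoc stating the contract, e.g. `/** Escapes str for a JS string literal emitted inside a script block; < and > come back HTML-entity-encoded and are NOT decoded by the JS engine. */`. Note also that escapeQuotes (its return at 752) does not appear to escape backslashes, so this wrapper inherits that gap unless escapeNewLines, whose body is outside the hunk, handles it — worth confirming, since an unescaped backslash immediately before a quote can still end the literal.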
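--- a/main/trunk/greenstone3/web/interfaces/default/transform/javascript-global-setup.xsl
+++ b/main/trunk/greenstone3/web/interfaces/default/transform/javascript-global-setup.xsl
@@ -34,5 +34,5 @@
             <xsl:for-each select="/page/pageRequest/paramList/param">
                 <xsl:text disable-output-escaping="yes">name = "</xsl:text><xsl:value-of select="@name"/><xsl:text disable-output-escaping="yes">";</xsl:text>
-                <xsl:text disable-output-escaping="yes">value = "</xsl:text><xsl:value-of disable-output-escaping="yes" select="util:escapeNewLinesAndQuotes(@value)"/><xsl:text disable-output-escaping="yes">";</xsl:text>
+                <xsl:text disable-output-escaping="yes">value = "</xsl:text><xsl:value-of disable-output-escaping="yes" select="util:escapeNewLinesQuotesAngleBracketsForJSString(@value)"/><xsl:text disable-output-escaping="yes">";</xsl:text>
                 <xsl:text disable-output-escaping="yes">name = name.replace(".", "_");</xsl:text>
                 gs.cgiParams[name] = value;             
@@ -77,5 +77,5 @@
             <xsl:for-each select="/page/pageResponse/metadataList/metadata">
                 <xsl:text disable-output-escaping="yes">name = "</xsl:text><xsl:value-of select="@name"/><xsl:text disable-output-escaping="yes">";</xsl:text>
-                <xsl:text disable-output-escaping="yes">value = "</xsl:text><xsl:value-of disable-output-escaping="yes" select="util:escapeNewLinesAndQuotes(.)"/><xsl:text disable-output-escaping="yes">";</xsl:text>
+                <xsl:text disable-output-escaping="yes">value = "</xsl:text><xsl:value-of disable-output-escaping="yes" select="util:escapeNewLinesQuotesAngleBracketsForJSString(.)"/><xsl:text disable-output-escaping="yes">";</xsl:text>
                 <xsl:text disable-output-escaping="yes">lang = "</xsl:text><xsl:value-of select="@lang"/><xsl:text disable-output-escaping="yes">";</xsl:text>
                 addMetadataToList(name, value, gs.siteMetadata, lang);
@@ -84,5 +84,5 @@
             <xsl:for-each select="/page/pageResponse/collection/metadataList/metadata">
                 <xsl:text disable-output-escaping="yes">name = "</xsl:text><xsl:value-of select="@name"/><xsl:text disable-output-escaping="yes">";</xsl:text>
-                <xsl:text disable-output-escaping="yes">value = "</xsl:text><xsl:value-of disable-output-escaping="yes" select="util:escapeNewLinesAndQuotes(.)"/><xsl:text disable-output-escaping="yes">";</xsl:text>
+                <xsl:text disable-output-escaping="yes">value = "</xsl:text><xsl:value-of disable-output-escaping="yes" select="util:escapeNewLinesQuotesAngleBracketsForJSString(.)"/><xsl:text disable-output-escaping="yes">";</xsl:text>
                 <xsl:text disable-output-escaping="yes">lang = "</xsl:text><xsl:value-of select="@lang"/><xsl:text disable-output-escaping="yes">";</xsl:text>
                 addMetadataToList(name, value, gs.collectionMetadata, lang);
@@ -91,5 +91,5 @@
             <xsl:for-each select="/page/pageResponse/document/metadataList/metadata">
                 <xsl:text disable-output-escaping="yes">name = "</xsl:text><xsl:value-of select="@name"/><xsl:text disable-output-escaping="yes">";</xsl:text>
-                <xsl:text disable-output-escaping="yes">value = "</xsl:text><xsl:value-of disable-output-escaping="yes" select="util:escapeNewLinesAndQuotes(.)"/><xsl:text disable-output-escaping="yes">";</xsl:text>
+                <xsl:text disable-output-escaping="yes">value = "</xsl:text><xsl:value-of disable-output-escaping="yes" select="util:escapeNewLinesQuotesAngleBracketsForJSString(.)"/><xsl:text disable-output-escaping="yes">";</xsl:text>
                 <xsl:text disable-output-escaping="yes">lang = "</xsl:text><xsl:value-of select="@lang"/><xsl:text disable-output-escaping="yes">";</xsl:text>
                 addMetadataToList(name, value, gs.documentMetadata, lang);
@@ -103,5 +103,5 @@
                 <xsl:for-each select="metadataList/metadata">
                     <xsl:text disable-output-escaping="yes">name = "</xsl:text><xsl:value-of select="@name"/><xsl:text disable-output-escaping="yes">";</xsl:text>
-                    <xsl:text disable-output-escaping="yes">value = "</xsl:text><xsl:value-of disable-output-escaping="yes" select="util:escapeNewLinesAndQuotes(.)"/><xsl:text disable-output-escaping="yes">";</xsl:text>
+                    <xsl:text disable-output-escaping="yes">value = "</xsl:text><xsl:value-of disable-output-escaping="yes" select="util:escapeNewLinesQuotesAngleBracketsForJSString(.)"/><xsl:text disable-output-escaping="yes">";</xsl:text>
                     <xsl:text disable-output-escaping="yes">lang = "</xsl:text><xsl:value-of select="@lang"/><xsl:text disable-output-escaping="yes">";</xsl:text>
                     addMetadataToList(name, value, metaList, lang);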
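Review bot: Only the value is routed through the new escaper; the adjacent `name` (lines 35, 78, 85, 92, 104) and `lang` (80, 87, 94, 106) fields are still emitted with a bare `<xsl:value-of select="@name"/>` into the same `name = "…";` JS string literal in the script block. In the first hunk those names come from `/page/pageRequest/paramList/param`, which looks request-derived, so the quote/newline/angle-bracket problem this commit closes for values would remain open for parameter names unless they are validated where paramList is built — worth confirming. Putting all three fields on the same path, `<xsl:value-of disable-output-escaping="yes" select="util:escapeNewLinesQuotesAngleBracketsForJSString(@name)"/>` and likewise for `@lang`, removes the need to reason about each source separately. The enclosing xsl:template starts and ends outside these hunks.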