Fixed (revel#1458) the undetected self-closing tags in isPureTextStrict
Fixed (revel#1458) PureText.IsSatisfied always using STRICT mode, even when NORMAL was requested
torden committed Jul 12, 2019
1 parent e508ef2 commit 7f8a7d8
Showing 2 changed files with 28 additions and 10 deletions.
19 changes: 15 additions & 4 deletions validators.go
Expand Up @@ -498,9 +498,19 @@ func isPureTextStrict(str string) (bool, error) {
return false, errors.New("detect control character (DEL)")
}

//deny : html tag (< ~ >)
//deny : short tag (<~> <~ />)
if c == 60 {

for n := i + 2; n < l; n++ {
// 62 (>)
if str[n] == 62 {
return false, errors.New("detect tag (<(.*)+>)")
}
}
}

//deny : html tag (< ~ >)
if c == 60 {
ds := 0
for n := i; n < l; n++ {

Expand All @@ -517,8 +527,9 @@ func isPureTextStrict(str string) (bool, error) {
}
}

//deby : html encoded tag (&xxx;)
if c == 38 && i+1 <= l && str[i+1] != 35 {
//deny : html encoded(hex) tag (&xxx;)
// 38(&) , 35(#), 59(;)
if c == 38 && i+1 <= l {

max := i + 64
if max > l {
Expand Down Expand Up @@ -579,7 +590,7 @@ func (p PureText) IsSatisfied(obj interface{}) bool {
case STRICT:
ret, _ = isPureTextStrict(str)
case NORMAL:
ret, _ = isPureTextStrict(str)
ret, _ = isPureTextNormal(str)
}
return ret
}
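Review bot: The new short-tag scan `for n := i + 2; n < l; n++` rejects a `<` only when some `>` appears later in the string, so an unterminated tag such as `<img src=x onerror=alert(1)` (no closing `>`) still passes STRICT, and the test table confirms `Foo<>Bar` is accepted; since an HTML parser closes such a tag at the next `>` in the surrounding document, this validator must not be treated as an XSS control and callers still need output encoding — worth stating in the comment above the check, e.g. `// heuristic only: does not replace output encoding; an unterminated '<' is not rejected`. The same loop also rejects any text where a `<` precedes an unrelated `>` (`a < b and c > d`), and because it rescans to the end of the string for every `<` when no `>` exists, it is O(n²) on adversarial input. In the second hunk, `i+1 <= l` is always true for `i < l` and therefore guards nothing; if the body (outside the hunk) still reads `str[i+1]`, the condition should be `if c == 38 && i+1 < l {`. The enclosing loop of isPureTextStrict starts and ends outside these hunks, and IsSatisfied's `ret, _ =` lines still discard the reason string that the error carries.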
19 changes: 13 additions & 6 deletions validators_test.go
Expand Up @@ -11,6 +11,7 @@ import (
"strings"
"testing"
"time"

"github.com/revel/revel"
)

Expand Down Expand Up @@ -511,19 +512,22 @@ func TestPureTextNormal(t *testing.T) {
`Foo <!-- Bar --> Baz`: false,
`I <3 Ponies!`: true,
`I &#32; like Golang\t\n`: true,
`I &amp; like Golang\t\n`: false,
`I &amp; like Golang\t\n`: true,
`<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE log4j:configuration SYSTEM "log4j.dtd"> <log4j:configuration debug="true" xmlns:log4j='http://jakarta.apache.org/log4j/'> <appender name="console" class="org.apache.log4j.ConsoleAppender"> <layout class="org.apache.log4j.PatternLayout"> <param name="ConversionPattern" value="%d{yyyy-MM-dd HH:mm:ss} %-5p %c{1}:%L - %m%n" /> </layout> </appender> <root> <level value="DEBUG" /> <appender-ref ref="console" /> </root> </log4j:configuration>`: false,
`I like Golang\r\n`: true,
`I like Golang\r\na`: true,
"I &#32; like Golang\t\n": true,
"I &amp; like Golang\t\n": false,
"I &amp; like Golang\t\n": true,
`ハイレゾ対応ウォークマン®、ヘッドホン、スピーカー「Winter Gift Collection ~Presented by JUJU~」をソニーストアにて販売開始`: true,
`VAIOパーソナルコンピューター type T TZシリーズ 無償点検・修理のお知らせとお詫び(2009年10月15日更新)`: true,
`把百度设为主页关于百度About Baidu百度推广`: true,
`%E6%8A%8A%E7%99%BE%E5%BA%A6%E8%AE%BE%E4%B8%BA%E4%B8%BB%E9%A1%B5%E5%85%B3%E4%BA%8E%E7%99%BE%E5%BA%A6About++Baidu%E7%99%BE%E5%BA%A6%E6%8E%A8%E5%B9%BF`: true,
`%E6%8A%8A%E7%99%BE%E5%BA%A6%E8%AE%BE%E4%B8%BA%E4%B8%BB%E9%A1%B5%E5%85%B3%E4%BA%8E%E7%99%BE%E5%BA%A6About%20%20Baidu%E7%99%BE%E5%BA%A6%E6%8E%A8%E5%B9%BF`: true,
`abcd/>qwdqwdoijhwer/>qwdojiqwdqwd</>qwdoijqwdoiqjd`: true,
`abcd/>qwdqwdoijhwer/>qwdojiqwdqwd</a>qwdoijqwdoiqjd`: false,
`<img src="Bar" onerror="alert(123)" />`: false,
`<img src="javascript:alert('abc')">`: false,
`&#x3C;img src=&#x22;javascript:alert(&#x27;abc&#x27;)&#x22;&#x3E;`: false,
}

tests := []Expect{}
Expand All @@ -544,25 +548,28 @@ func TestPureTextStrict(t *testing.T) {
`<script ?>qwdpijqwd</script>qd08j123lneqw\t\nqwedojiqwd\rqwdoihjqwd1d[08jaedl;jkqwd\r\nqdolijqdwqwd`: false,
`a\r\nb<script ?>qwdpijqwd</script>qd08j123lneqw\t\nqwedojiqwd\rqwdoihjqwd1d[08jaedl;jkqwd\r\nqdolijqdwqwd`: false,
`Foo<script type="text/javascript">alert(1337)</script>Bar`: false,
`Foo<12>Bar`: true,
`Foo<12>Bar`: false,
`Foo<>Bar`: true,
`Foo</br>Bar`: false,
`Foo <!-- Bar --> Baz`: false,
`I <3 Ponies!`: true,
`I &#32; like Golang\t\n`: true,
`I &#32; like Golang\t\n`: false,
`I &amp; like Golang\t\n`: false,
`<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE log4j:configuration SYSTEM "log4j.dtd"> <log4j:configuration debug="true" xmlns:log4j='http://jakarta.apache.org/log4j/'> <ender name="console" class="org.apache.log4j.ConsoleAppender"> <layout class="org.apache.log4j.PatternLayout"> <param name="ConversionPattern" value="%d{yyyy-MM-dd HH:mm:ss} %-5p 1}:%L - %m%n" /> </layout> </appender> <root> <level value="DEBUG" /> <appender-ref ref="console" /> </root> </log4j:configuration>`: false,
`I like Golang\r\n`: true,
`I like Golang\r\na`: true,
"I &#32; like Golang\t\n": true,
"I &#32; like Golang\t\n": false,
"I &amp; like Golang\t\n": false,
`ハイレゾ対応ウォークマン®、ヘッドホン、スピーカー「Winter Gift Collection ~Presented by JUJU~」をソニーストアにて販売開始`: true,
`VAIOパーソナルコンピューター type T TZシリーズ 無償点検・修理のお知らせとお詫び(2009年10月15日更新)`: true,
`把百度设为主页关于百度About Baidu百度推广`: true,
`%E6%8A%8A%E7%99%BE%E5%BA%A6%E8%AE%BE%E4%B8%BA%E4%B8%BB%E9%A1%B5%E5%85%B3%E4%BA%8E%E7%99%BE%E5%BA%A6About++Baidu%E7%99%BE%E5%BA%A6%E6%8E%A8%E5%B9%BF`: true,
`%E6%8A%8A%E7%99%BE%E5%BA%A6%E8%AE%BE%E4%B8%BA%E4%B8%BB%E9%A1%B5%E5%85%B3%E4%BA%8E%E7%99%BE%E5%BA%A6About%20%20Baidu%E7%99%BE%E5%BA%A6%E6%8E%A8%E5%B9%BF`: true,
`abcd/>qwdqwdoijhwer/>qwdojiqwdqwd</>qwdoijqwdoiqjd`: true,
`abcd/>qwdqwdoijhwer/>qwdojiqwdqwd</>qwdoijqwdoiqjd`: false,
`abcd/>qwdqwdoijhwer/>qwdojiqwdqwd</a>qwdoijqwdoiqjd`: false,
`<img src="Bar" onerror="alert(123)" />`: false,
`<img src="javascript:alert('abc')">`: false,
`&#x3C;img src=&#x22;javascript:alert(&#x27;abc&#x27;)&#x22;&#x3E;`: false,
}

tests := []Expect{}
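Review bot: The STRICT table pins `Foo<>Bar` as true and `Foo<12>Bar` as false, but no case covers a `<` with no later `>` (what an unterminated tag looks like) nor a plain comparison such as `a < b and c > d`, which the new scan in isPureTextStrict appears to reject; adding an entry with key `Foo<script` expecting true and one with key `a < b and c > d` expecting false would document the boundary of the new check instead of leaving it implicit. The NORMAL flips (`I &amp; like Golang` to true) and the STRICT flips (`I &#32; like Golang` to false) define the two modes by example only; a one-line comment above each map, e.g. `// STRICT rejects any <...> pair and any &...; entity; NORMAL allows entities`, would make the intended contract explicit. Both tables sit inside TestPureTextNormal and TestPureTextStrict, whose bodies continue past the hunk.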
