From 1f906357067c5256314d6c899e76c86f60f7f559 Mon Sep 17 00:00:00 2001
From: Jean-Baptiste Lievremont
Date: Mon, 12 May 2014 18:43:58 +0200
Subject: [PATCH] SONAR-4681 SONAR-5295 Escape HTML before markdown interpolation
---
 sonar-markdown/pom.xml | 4 ++++
 .../main/java/org/sonar/markdown/HtmlBlockquoteChannel.java | 5 +++--
 .../src/main/java/org/sonar/markdown/Markdown.java | 3 ++-
 .../src/test/java/org/sonar/markdown/MarkdownTest.java | 6 ++++--
 .../main/java/org/sonar/server/text/RubyTextService.java | 4 +---
 5 files changed, 14 insertions(+), 8 deletions(-)
diff --git a/sonar-markdown/pom.xml b/sonar-markdown/pom.xml
index 49f615bd35b..d28e9542fbd 100644
--- a/sonar-markdown/pom.xml
+++ b/sonar-markdown/pom.xml
@@ -18,6 +18,10 @@
 org.codehaus.sonar sonar-channel + + commons-lang + commons-lang + org.slf4j slf4j-api
diff --git a/sonar-markdown/src/main/java/org/sonar/markdown/HtmlBlockquoteChannel.java b/sonar-markdown/src/main/java/org/sonar/markdown/HtmlBlockquoteChannel.java
index c236e15a19f..286e7e58c80 100644
--- a/sonar-markdown/src/main/java/org/sonar/markdown/HtmlBlockquoteChannel.java
+++ b/sonar-markdown/src/main/java/org/sonar/markdown/HtmlBlockquoteChannel.java
@@ -65,7 +65,7 @@ class HtmlBlockquoteChannel extends Channel {
 private class QuotedLineElementChannel extends RegexChannel {
 protected QuotedLineElementChannel() {
- super(">\\s[^\r\n]*+");
+ super(">\\s[^\r\n]*+");
 }
 @Override
@@ -80,7 +80,8 @@ class HtmlBlockquoteChannel extends Channel {
 private int searchIndexOfFirstCharacter(CharSequence token) {
 for (int index = 0; index < token.length(); index++) {
- if (token.charAt(index) == '>') {
+ if (token.charAt(index) == '&') {
+ index += 4;
 while (++ index < token.length()) {
 if (token.charAt(index) != ' ') {
 return index;
diff --git a/sonar-markdown/src/main/java/org/sonar/markdown/Markdown.java b/sonar-markdown/src/main/java/org/sonar/markdown/Markdown.java
index 5323a3966d5..3d932c62bc5 100644
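Review bot: The constructor's new pattern presupposes that the text reaching this channel has already been HTML-escaped (the quote marker arrives as the `&gt;` entity rather than a raw `>`), and nothing in HtmlBlockquoteChannel records that contract; as this page renders it the old and new `super(...)` lines even read identically, which I take to be entity decoding by the renderer rather than a no-op change. I would put the dependency next to the pattern: `// Markdown.convertToHtml escapes its input before dispatching, so a quoted line starts with "&gt;" here, never with a raw '>'`. The enclosing class continues outside the hunk.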
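Review bot: `index += 4` in searchIndexOfFirstCharacter moves past the whole `&gt;` entity onto the whitespace that the pattern's `\s` matched, and `while (++ index ...)` then steps over that character without examining it, whereas the original, starting from `>`, examined it and returned its index when it was not a plain space. `index += 3` (landing on the `;`) keeps the previous walk exactly, and whichever offset is intended should be named rather than left as a bare number, e.g. `index += "&gt;".length() - 1; // skip the escaped '>' marker; ++index below moves onto the matched whitespace`. The `== '&'` test is also looser than the pattern (any entity satisfies it), which is harmless only while the pattern guarantees the token starts with `&gt;`. The method's tail after the loops lies outside the hunk.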
--- a/sonar-markdown/src/main/java/org/sonar/markdown/Markdown.java
+++ b/sonar-markdown/src/main/java/org/sonar/markdown/Markdown.java
@@ -19,6 +19,7 @@
 */
 package org.sonar.markdown;
+import org.apache.commons.lang.StringEscapeUtils;
 import org.sonar.channel.ChannelDispatcher;
 import org.sonar.channel.CodeReader;
@@ -53,6 +54,6 @@ public final class Markdown {
 }
 public static String convertToHtml(String input) {
- return new Markdown().convert(input);
+ return new Markdown().convert(StringEscapeUtils.escapeHtml(input));
 }
 }
diff --git a/sonar-markdown/src/test/java/org/sonar/markdown/MarkdownTest.java b/sonar-markdown/src/test/java/org/sonar/markdown/MarkdownTest.java
index 909fda8c539..462bee37175 100644
--- a/sonar-markdown/src/test/java/org/sonar/markdown/MarkdownTest.java
+++ b/sonar-markdown/src/test/java/org/sonar/markdown/MarkdownTest.java
@@ -67,8 +67,10 @@ public class MarkdownTest {
 @Test
 public void shouldDecorateBlockquote() {
- assertThat(Markdown.convertToHtml("> Yesterday it worked\n> Today it is not working\r\n> Software is like that\r")) .isEqualTo("
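Review bot: `convertToHtml` now escapes before dispatching while the instance method `convert(...)` (defined outside this hunk) is still handed the text as-is, and neither method states which one owns escaping, so a caller that keeps escaping — as RubyTextService did until this same commit — silently double-escapes (`&` becomes `&amp;amp;`). I would put the contract in Javadoc on `convertToHtml`: `/** Converts markdown to HTML. The input is HTML-escaped first, so any markup it contains is rendered literally; callers pass the raw text and must not escape it themselves. */`. `StringEscapeUtils.escapeHtml` rewrites `<`, `>`, `&` and `"` among others, so every channel in this module that matches one of those characters has to expect the entity form, as HtmlBlockquoteChannel is adjusted to in this patch; the other channels are not visible from here. A null input comes back from `escapeHtml` as null, so that path is unchanged from before.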
Yesterday it worked
\nToday it is not working
\r\nSoftware is like that
\r
"); + assertThat(Markdown.convertToHtml("> Yesterday
it worked\n> Today it is not working\r\n> Software is like that\r")) + .isEqualTo("
Yesterday <br/> it worked
\nToday it is not working
\r\nSoftware is like that
\r
");
+ assertThat(Markdown.convertToHtml("HTML elements should not be quoted!"))
+ .isEqualTo("HTML elements should <em>not</em> be quoted!");
 }
 @Test
diff --git a/sonar-server/src/main/java/org/sonar/server/text/RubyTextService.java b/sonar-server/src/main/java/org/sonar/server/text/RubyTextService.java
index a150c53c5b6..7d04ecea691 100644
--- a/sonar-server/src/main/java/org/sonar/server/text/RubyTextService.java
+++ b/sonar-server/src/main/java/org/sonar/server/text/RubyTextService.java
@@ -19,7 +19,6 @@
 */
 package org.sonar.server.text;
-import org.apache.commons.lang.StringEscapeUtils;
 import org.sonar.api.ServerComponent;
 import org.sonar.markdown.Markdown;
 import org.sonar.server.source.HtmlSourceDecorator;
@@ -46,8 +45,7 @@ public class RubyTextService implements ServerComponent {
 // TODO add ruby example
 public String markdownToHtml(String markdown) {
- // TODO move HTML escaping to sonar-markdown
- return Markdown.convertToHtml(StringEscapeUtils.escapeHtml(markdown));
+ return Markdown.convertToHtml(markdown);
 }
 // TODO add ruby example
-- 2.39.5
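Review bot: The new assertion only exercises `<em>`, so a regression that drops escaping for `&` or re-introduces it in a caller (double-escaping) would go unnoticed; I would add cases for the other characters `escapeHtml` rewrites, e.g. `assertThat(Markdown.convertToHtml("a & b")).isEqualTo("a &amp; b");` and one containing a double quote. As this page renders the hunk the expected value reads `<em>not</em>`, which would contradict the escaping added in Markdown.convertToHtml; I take the source to hold the entity form (`&lt;em&gt;`) and the page to have decoded it, and the same presumably applies to the `<br/>` in the first assertion's expected string. The test method starts inside the hunk but the class continues outside it.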
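Review bot: The deleted TODO was the only line saying that escaping happens at all, and `markdownToHtml` now relies on `Markdown.convertToHtml` doing it without saying so; the next maintainer who sees raw user text handed straight to a markdown converter is likely to put the `escapeHtml` call back, which would double-escape `&` and `<`. I would keep one line above the return: `// HTML escaping is done inside Markdown.convertToHtml; escaping here again would double-escape the text`. The import removal in the earlier hunk follows from that and needs nothing further.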