authorJames Moger <james.moger@gitblit.com>2014-09-06 13:14:38 -0400
committerJames Moger <james.moger@gitblit.com>2014-09-07 11:43:40 -0400
commit209dbdd49a89d6e3cebf61e860c779a1d8561dd9 (patch)
tree30eeadea1f31fff55fcd21965bfd843a45e94608 /src/main/java/com/gitblit/wicket/SafeTextModel.java
parentdfaf1fc1f6d8214bcabb9a613d53d0f0dc45352c (diff)
Implement a SafeTextModel and use that for fields vulnerable to XSS
Diffstat (limited to 'src/main/java/com/gitblit/wicket/SafeTextModel.java')
-rw-r--r--src/main/java/com/gitblit/wicket/SafeTextModel.java96
1 files changed, 96 insertions, 0 deletions
diff --git a/src/main/java/com/gitblit/wicket/SafeTextModel.java b/src/main/java/com/gitblit/wicket/SafeTextModel.java
new file mode 100644
index 00000000..aef7e97a
--- /dev/null
+++ b/src/main/java/com/gitblit/wicket/SafeTextModel.java
@@ -0,0 +1,96 @@
+package com.gitblit.wicket;
+
+import org.apache.wicket.model.IModel;
+import org.apache.wicket.model.Model;
+import org.apache.wicket.util.lang.Objects;
+import org.parboiled.common.StringUtils;
+import org.slf4j.LoggerFactory;
+
+public class SafeTextModel implements IModel<String> {
+
+ private static final long serialVersionUID = 1L;
+
+ public enum Mode {
+ relaxed, none
+ }
+
+ private final Mode mode;
+
+ private String value;
+
+ public static SafeTextModel none() {
+ return new SafeTextModel(Mode.none);
+ }
+
+ public static SafeTextModel none(String value) {
+ return new SafeTextModel(Mode.none);
+ }
+
+ public static SafeTextModel relaxed() {
+ return new SafeTextModel(Mode.relaxed);
+ }
+
+ public static SafeTextModel relaxed(String value) {
+ return new SafeTextModel(Mode.relaxed);
+ }
+
+ public SafeTextModel(Mode mode) {
+ this.mode = mode;
+ }
+
+ public SafeTextModel(String value, Mode mode) {
+ this.value = value;
+ this.mode = mode;
+ }
+
+ @Override
+ public void detach() {
+ }
+
+ @Override
+ public String getObject() {
+ if (StringUtils.isEmpty(value)) {
+ return value;
+ }
+ String safeValue;
+ switch (mode) {
+ case none:
+ safeValue = GitBlitWebApp.get().xssFilter().none(value);
+ break;
+ default:
+ safeValue = GitBlitWebApp.get().xssFilter().relaxed(value);
+ break;
+ }
+ if (!value.equals(safeValue)) {
+ LoggerFactory.getLogger(getClass()).warn("XSS filter trigggered on suspicious form field value {}",
+ value);
+ }
+ return safeValue;
+ }
+
+ @Override
+ public void setObject(String input) {
+ this.value = input;
+ }
+
+ @Override
+ public int hashCode()
+ {
+ return Objects.hashCode(value);
+ }
+
+ @Override
+ public boolean equals(Object obj)
+ {
+ if (this == obj)
+ {
+ return true;
+ }
+ if (!(obj instanceof Model<?>))
+ {
+ return false;
+ }
+ Model<?> that = (Model<?>)obj;
+ return Objects.equal(value, that.getObject());
+ }
+}
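Review bot: The two value-taking factories `none(String value)` and `relaxed(String value)` discard their argument and return a model with a null value, so `SafeTextModel.relaxed(description).getObject()` yields null instead of the filtered text; they should delegate to the two-arg constructor, `return new SafeTextModel(value, Mode.none);` and `return new SafeTextModel(value, Mode.relaxed);`. `equals` also tests `obj instanceof Model<?>`, but SafeTextModel implements IModel and does not extend Model, so two SafeTextModels holding the same value are never equal and the relation is not symmetric; `obj instanceof SafeTextModel` (comparing the raw `value`, which is what `hashCode` uses) would be consistent. The WARN log at the end of `getObject()` writes the raw unfiltered input into the log, which invites log-line forging if the value contains newlines; consider logging only the length or a sanitized form, and the message has a typo ("trigggered"). Since `getObject()` re-runs the XSS filter on every call while `setObject` stores input unfiltered, it may be worth a class comment stating that persisted values are not sanitized until read — that looks intentional but should be confirmed against the callers this commit changes.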