author | James Moger <james.moger@gitblit.com> | 2014-09-07 10:04:12 -0600 |
---|---|---|
committer | James Moger <james.moger@gitblit.com> | 2014-09-07 10:04:12 -0600 |
commit | f9c661ef5d2a422f246b3a089bee06470ae1d431 (patch) | |
tree | 7222494b243068e7894fc6b1bff70916fe274bc2 /src/main/java/com/gitblit/wicket/SafeTextModel.java | |
parent | 90eb5a08ddd6a3a246e8b73da9524c304838928a (diff) | |
parent | 7fdc298cf06c3d88d4fd9fd158fb4d32edac12a0 (diff) | |
download | gitblit-f9c661ef5d2a422f246b3a089bee06470ae1d431.tar.gz gitblit-f9c661ef5d2a422f246b3a089bee06470ae1d431.zip |
Merged #164 "Sanitize page parameters for XSS vulerabilities"
Diffstat (limited to 'src/main/java/com/gitblit/wicket/SafeTextModel.java')
-rw-r--r-- | src/main/java/com/gitblit/wicket/SafeTextModel.java | 96 |
1 files changed, 96 insertions, 0 deletions
diff --git a/src/main/java/com/gitblit/wicket/SafeTextModel.java b/src/main/java/com/gitblit/wicket/SafeTextModel.java
new file mode 100644
index 00000000..aef7e97a
--- /dev/null
+++ b/src/main/java/com/gitblit/wicket/SafeTextModel.java
@@ -0,0 +1,96 @@
+package com.gitblit.wicket;
+
+import org.apache.wicket.model.IModel;
+import org.apache.wicket.model.Model;
+import org.apache.wicket.util.lang.Objects;
+import org.parboiled.common.StringUtils;
+import org.slf4j.LoggerFactory;
+
+public class SafeTextModel implements IModel<String> {
+
+ private static final long serialVersionUID = 1L;
+
+ public enum Mode {
+ relaxed, none
+ }
+
+ private final Mode mode;
+
+ private String value;
+
+ public static SafeTextModel none() {
+ return new SafeTextModel(Mode.none);
+ }
+
+ public static SafeTextModel none(String value) {
+ return new SafeTextModel(Mode.none);
+ }
+
+ public static SafeTextModel relaxed() {
+ return new SafeTextModel(Mode.relaxed);
+ }
+
+ public static SafeTextModel relaxed(String value) {
+ return new SafeTextModel(Mode.relaxed);
+ }
+
+ public SafeTextModel(Mode mode) {
+ this.mode = mode;
+ }
+
+ public SafeTextModel(String value, Mode mode) {
+ this.value = value;
+ this.mode = mode;
+ }
+
+ @Override
+ public void detach() {
+ }
+
+ @Override
+ public String getObject() {
+ if (StringUtils.isEmpty(value)) {
+ return value;
+ }
+ String safeValue;
+ switch (mode) {
+ case none:
+ safeValue = GitBlitWebApp.get().xssFilter().none(value);
+ break;
+ default:
+ safeValue = GitBlitWebApp.get().xssFilter().relaxed(value);
+ break;
+ }
+ if (!value.equals(safeValue)) {
+ LoggerFactory.getLogger(getClass()).warn("XSS filter trigggered on suspicious form field value {}",
+ value);
+ }
+ return safeValue;
+ }
+
+ @Override
+ public void setObject(String input) {
+ this.value = input;
+ }
+
+ @Override
+ public int hashCode()
+ {
+ return Objects.hashCode(value);
+ }
+
+ @Override
+ public boolean equals(Object obj)
+ {
+ if (this == obj)
+ {
+ return true;
+ }
+ if (!(obj instanceof Model<?>))
+ {
+ return false;
+ }
+ Model<?> that = (Model<?>)obj;
+ return Objects.equal(value, that.getObject());
+ }
+} |
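Review bot: The `none(String value)` and `relaxed(String value)` factories discard their argument and build an empty model, so a caller that seeds the model with a page parameter gets nothing back from `getObject()`; they should read `return new SafeTextModel(value, Mode.none);` and `return new SafeTextModel(value, Mode.relaxed);`. The `equals` override tests `obj instanceof Model<?>`, but this class implements `IModel<String>` and does not extend `Model`, so two `SafeTextModel` instances holding the same value are never equal even though `hashCode` is computed from that value, and the comparison is asymmetric against a real `Model`; `if (!(obj instanceof SafeTextModel))` with a cast to `SafeTextModel` (comparing `value`, and arguably `mode`) fixes that. The warn call in `getObject()` writes the raw, unfiltered `value` into the log, which is useful for detection but means the log sink receives attacker-controlled text verbatim; consider truncating it, and the message misspells "triggered".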