aboutsummaryrefslogtreecommitdiffstats
path: root/gwtquery-core
diff options
context:
space:
mode:
authorManolo Carrasco <manolo@apache.org>2011-09-23 14:19:02 +0000
committerManolo Carrasco <manolo@apache.org>2011-09-23 14:19:02 +0000
commit6e92af38754491c1d98dcfb8bbc27ae0fb6407f1 (patch)
treeecff0aea21fc11ed57c6641dc9c06e61edc79e61 /gwtquery-core
parent9d85a74e5ce0dd8eea34977dafd02a4c1c2cee65 (diff)
downloadgwtquery-6e92af38754491c1d98dcfb8bbc27ae0fb6407f1.tar.gz
gwtquery-6e92af38754491c1d98dcfb8bbc27ae0fb6407f1.zip
use JSON.parse when available when parsing properties to avoid security issues
Diffstat (limited to 'gwtquery-core')
-rw-r--r--gwtquery-core/src/main/java/com/google/gwt/query/client/Properties.java29
-rw-r--r--gwtquery-core/src/main/java/com/google/gwt/query/client/js/JsUtils.java6
-rw-r--r--gwtquery-core/src/test/java/com/google/gwt/query/client/JreQueryCoreTest.java28
3 files changed, 30 insertions, 33 deletions
diff --git a/gwtquery-core/src/main/java/com/google/gwt/query/client/Properties.java b/gwtquery-core/src/main/java/com/google/gwt/query/client/Properties.java
index 3aefed30..125981e8 100644
--- a/gwtquery-core/src/main/java/com/google/gwt/query/client/Properties.java
+++ b/gwtquery-core/src/main/java/com/google/gwt/query/client/Properties.java
@@ -18,6 +18,7 @@ package com.google.gwt.query.client;
import com.google.gwt.core.client.JavaScriptObject;
import com.google.gwt.core.client.JsArrayMixed;
import com.google.gwt.query.client.js.JsCache;
+import com.google.gwt.query.client.js.JsUtils;
/**
* JSO for accessing Javascript objective literals used by GwtQuery functions.
@@ -25,14 +26,14 @@ import com.google.gwt.query.client.js.JsCache;
public class Properties extends JavaScriptObject {
public static Properties create() {
- return createImpl("({})");
+ return JsCache.create().cast();
}
public static Properties create(String properties) {
if (properties != null && !properties.isEmpty()) {
String p = wrapPropertiesString(properties);
try {
- return createImpl("({" + p + "})");
+ return JsUtils.parseJSON(p);
} catch (Exception e) {
System.err.println("Error creating Properties: \n> " + properties + "\n< " + p + "\n" + e.getMessage());
}
@@ -40,24 +41,26 @@ public class Properties extends JavaScriptObject {
return create();
}
- public static final native Properties createImpl(String properties) /*-{
- return eval(properties);
- }-*/;
-
public static String wrapPropertiesString(String s) {
String ret = s //
.replaceAll("\\s*/\\*[\\s\\S]*?\\*/\\s*", "") // Remove comments
.replaceAll("([:\\)\\(,;}{'\"])\\s+" , "$1") // Remove spaces
.replaceAll("\\s+([:\\)\\(,;}{'\"])" , "$1") // Remove spaces
- .replaceFirst("^[{\\(]+(|.*[^}\\)])[}\\)]+$", "$1") // Remove ({})
- .replaceAll("\\(\"([^\\)]+)\"\\)" , "($1)") // Remove quotes
- .replaceAll(",+([\\w-]+:+)" , ";$1") // put semicolon
- .replaceAll(":\\s*[\"']?([^'\"\\]};]*)[\"']?\\s*(;+|$)", ":\"$1\",") // put quotes to all values (even empty)
- .replaceAll("(^|[^\\w-$'])([\\w-]+):\"", "$1\"$2\":\"") // quote keys
+ .replaceFirst("^[\\(]+(.*)[\\)]+$", "$1") // Remove ()
+ .replaceAll("\\([\"']([^\\)]+)[\"']\\)" , "($1)") // Remove quotes
+ .replaceAll("[;,]+([\\w-]+):", ";$1:") // Change comma by semicolon
+ .replaceAll("([^,;])([\\]}])", "$1;$2") // Put control semicolon used below
+ .replaceAll(":\\s*[\"']?([^;\\{\\}\\[\\]\"']*)[\"']?\\s*([;,]+|$)", ":\"$1\";") // put quotes to all values (even empty)
+ .replaceAll("[;,]+([\\w-]+):", ";$1:") // Change semicolon by comma
+ .replaceAll("(^|[^\\w-$'])([\\w-]+):(['\"\\[{])", "$1\"$2\":$3") // quote keys
+ .replaceAll("(^|[^\\w-$'])([\\w-]+):(['\"\\[{])", "$1\"$2\":$3") // quote keys second pass
+ .replaceAll("(|[\\[\\]\\{\\},\\(])'([^']*)'", "$1\"$2\"") // Replace single-quote by double-quote
.replaceAll(";([^:]+):", ",$1:") // change semicolon
- .replaceAll(":\"(-?[\\d\\.]+|null|false|true)\",", ":$1,") // numbers do not need quote
- .replaceFirst("[,]+$", "") // remove endings
+ .replaceAll(";([^:]+):", ",$1:") // change semicolon second pass
+ .replaceAll(":\"(-?[\\d\\.]+|null|false|true)\"[;,]", ":$1,") // numbers do not need quote
+ .replaceAll("[;,]+([\\]\\}]|$)", "$1") // remove endings
;
+ ret = ret.matches("(^[\\[\\{].*[\\]\\}]$)") ? ret : "{" + ret + "}";
return ret;
}
diff --git a/gwtquery-core/src/main/java/com/google/gwt/query/client/js/JsUtils.java b/gwtquery-core/src/main/java/com/google/gwt/query/client/js/JsUtils.java
index 4145dd1e..bb923dcf 100644
--- a/gwtquery-core/src/main/java/com/google/gwt/query/client/js/JsUtils.java
+++ b/gwtquery-core/src/main/java/com/google/gwt/query/client/js/JsUtils.java
@@ -73,9 +73,13 @@ public class JsUtils {
public Properties parseJSON(String json) {
// No checks to the passed string so json should be
// a well-formed json string.
- return Properties.createImpl(json);
+ return evalImpl("(" + json + ")");
}
+ public static final native Properties evalImpl(String properties) /*-{
+ return eval(properties);
+ }-*/;
+
@Override
public native String XML2String(JavaScriptObject o) /*-{
return o.xml;
diff --git a/gwtquery-core/src/test/java/com/google/gwt/query/client/JreQueryCoreTest.java b/gwtquery-core/src/test/java/com/google/gwt/query/client/JreQueryCoreTest.java
index 2b3d7c00..e91190fb 100644
--- a/gwtquery-core/src/test/java/com/google/gwt/query/client/JreQueryCoreTest.java
+++ b/gwtquery-core/src/test/java/com/google/gwt/query/client/JreQueryCoreTest.java
@@ -34,32 +34,22 @@ public class JreQueryCoreTest extends GWTTestCase {
}
public void testWrapPropertiesString() {
- assertEquals("({})", Properties
+ assertEquals("{}", Properties
.wrapPropertiesString(""));
- assertEquals("({})", Properties
+ assertEquals("{}", Properties
.wrapPropertiesString("({})"));
- assertEquals("({border:'1px solid black'})", Properties
+ assertEquals("{\"border\":\"1px solid black\"}", Properties
.wrapPropertiesString("border:'1px solid black'"));
- assertEquals("({border:'1px solid black'})", Properties
- .wrapPropertiesString("(border:'1px solid black')"));
- assertEquals("({border:'1px solid black'})", Properties
- .wrapPropertiesString("{border:'1px solid black'}"));
- assertEquals("({border:'1px solid black'})", Properties
- .wrapPropertiesString("{border:'1px solid black'}"));
- assertEquals("({border:'1px solid black'})", Properties
- .wrapPropertiesString("(border:'1px solid black')"));
- assertEquals("({border:'1px solid black'})", Properties
- .wrapPropertiesString("{(border:'1px solid black')}"));
- assertEquals("({border:'1px solid black'})", Properties
- .wrapPropertiesString("({border:'1px solid black'})"));
- assertEquals("({b:'a',c:1,d:'url(https://test.com)',e:null,f:false})", Properties
+ assertEquals("{\"b\":\"a\",\"c\":1,\"d\":\"url(https://test.com)\",\"e\":null,\"f\":false}", Properties
.wrapPropertiesString("b: 'a'; c: 1, /*gg: aadf*/d: url('https://test.com');,e:null,f:false"));
- assertEquals("({color:'rgb(0,0,139)',background:'red'})", Properties
+ assertEquals("{\"color\":\"rgb(0,0,139)\",\"background\":\"red\"}", Properties
.wrapPropertiesString("color: 'rgb(0, 0,139)', background: red"));
- assertEquals("({width:'',top:''})", Properties
+ assertEquals("{\"width\":\"\",\"top\":\"\"}", Properties
.wrapPropertiesString("width: '' ; top:'' ;"));
- assertEquals("({'border-left':'solid'})", Properties
+ assertEquals("{\"border-left\":\"solid\"}", Properties
.wrapPropertiesString("border-left: solid"));
+ assertEquals("[{\"a\":1,\"b\":{\"a\":2,\"b\":{\"a\":3}},\"u\":\"url\",\"d\":2,\"t\":[\"hola\",\"adios\"],\"z\":true}]", Properties
+ .wrapPropertiesString("[{a:1, b:{a:2,b:{a:3}},u:url, d:'2','t':['hola','adios'], 'z': true}]"));
}
}
generated by cgit v1.2.3 (git 2.39.1) at 2025-01-05 12:09:07 +0000