More test coverage

2017-03-02 15:51:57 -08:00
parent 32762c48d1
commit 6137baf615
2 changed files with 15 additions and 2 deletions
--- a/pmd-visualforce/src/main/java/net/sourceforge/pmd/lang/vf/rule/security/VfUnescapeElRule.java
+++ b/pmd-visualforce/src/main/java/net/sourceforge/pmd/lang/vf/rule/security/VfUnescapeElRule.java
@ -142,7 +142,7 @@ public class VfUnescapeElRule extends AbstractVfRule {
                if (attrText != null) {
                    if (0 == attrText.jjtGetChildIndex()) {
                        if (attrText.getImage().startsWith("/")
-                                || attrText.getImage().toLowerCase().startsWith("http")) {
+                                || attrText.getImage().toLowerCase().startsWith("http") || attrText.getImage().toLowerCase().startsWith("mailto")) {
                            startingWithSlashText = true;
                        }
                    }
--- a/pmd-visualforce/src/test/resources/net/sourceforge/pmd/lang/vf/rule/security/xml/VfUnescapeEl.xml
+++ b/pmd-visualforce/src/test/resources/net/sourceforge/pmd/lang/vf/rule/security/xml/VfUnescapeEl.xml
@ -143,15 +143,28 @@ EL in JS on-event handler - stored XSS
 		<source-type>vf</source-type>
 	</test-code>

+	<test-code>
+		<description><![CDATA[
+EL in img JS src handler - no XSS 
+     ]]></description>
+		<expected-problems>0</expected-problems>
+		<code><![CDATA[
+<apex:page>
+<img src="{!XSSHere}" />
+ </apex:page>
+]]></code>
+		<source-type>vf</source-type>
+	</test-code>

 	<test-code>
 		<description><![CDATA[
 EL in JS src handler - stored XSS 
     ]]></description>
-		<expected-problems>1</expected-problems>
+		<expected-problems>2</expected-problems>
 		<code><![CDATA[
 <apex:page>
 <iframe src="{!XSSHere}" />
+<a href="{!XSSHere}" />
 </apex:page>
 ]]></code>
 		<source-type>vf</source-type>