JS encoded and parsed JSON is safe

2017-04-12 15:53:24 -07:00
parent f2683c6cb4
commit 7a9ccb70df
2 changed files with 21 additions and 1 deletions
--- a/pmd-visualforce/src/main/java/net/sourceforge/pmd/lang/vf/rule/security/VfUnescapeElRule.java
+++ b/pmd-visualforce/src/main/java/net/sourceforge/pmd/lang/vf/rule/security/VfUnescapeElRule.java
@ -93,7 +93,11 @@ public class VfUnescapeElRule extends AbstractVfRule {
            }
        } else {
            if (!(startsWithSafeResource(elExpression) || containsSafeFields(elExpression))) {
-                addViolation(data, elExpression);
+                final boolean hasUnscaped = doesElContainAnyUnescapedIdentifiers(elExpression,
+                        EnumSet.of(Escaping.JSENCODE, Escaping.JSINHTMLENCODE));
+                if (!(jsonParse && !hasUnscaped)) {
+                    addViolation(data, elExpression);
+                }
            }
        }
    }
--- a/pmd-visualforce/src/test/resources/net/sourceforge/pmd/lang/vf/rule/security/xml/VfUnescapeEl.xml
+++ b/pmd-visualforce/src/test/resources/net/sourceforge/pmd/lang/vf/rule/security/xml/VfUnescapeEl.xml
@ -605,4 +605,20 @@ JSON.parse method evaluates non quoted EL to unsafe XSS
 		<source-type>vf</source-type>
 	</test-code>

+	<test-code>
+		<description><![CDATA[
+JSON.parse method evaluates escaped EL to safe JSON
+     ]]></description>
+		<expected-problems>0</expected-problems>
+		<code><![CDATA[
+<apex:page>
+	<script>
+		var x = JSON.parse({!JSENCODE(yes)});
+	</script>
+</apex:page>
+]]></code>
+		<source-type>vf</source-type>
+	</test-code>
+
+
 </test-data>