[vf] URLENCODE is ignored as valid escape method #1100

2018-05-16 15:46:40 +02:00
parent c90061d067
commit 9a2ac14b05
2 changed files with 11 additions and 1 deletions
--- a/pmd-visualforce/src/main/java/net/sourceforge/pmd/lang/vf/rule/security/VfUnescapeElRule.java
+++ b/pmd-visualforce/src/main/java/net/sourceforge/pmd/lang/vf/rule/security/VfUnescapeElRule.java
@@ -226,7 +226,7 @@ public class VfUnescapeElRule extends AbstractVfRule {
                    }

                    if (doesElContainAnyUnescapedIdentifiers(el,
-                            EnumSet.of(Escaping.JSINHTMLENCODE, Escaping.JSENCODE))) {
+                            EnumSet.of(Escaping.ANY))) {
                        isEL = true;
                        toReport.add(el);
                    }
--- a/pmd-visualforce/src/test/resources/net/sourceforge/pmd/lang/vf/rule/security/xml/VfUnescapeEl.xml
+++ b/pmd-visualforce/src/test/resources/net/sourceforge/pmd/lang/vf/rule/security/xml/VfUnescapeEl.xml
@@ -654,5 +654,15 @@ NOW() is a safe call
 		<source-type>vf</source-type>
 	</test-code>

+	<test-code>
+		<description><![CDATA[
+URLENCODE is ignored as valid escape method #1100
+     ]]></description>
+		<expected-problems>0</expected-problems>
+		<code><![CDATA[
+<a onclick="openTab('/apex/Download?redirectUrl={!URLENCODE(downloadURL)}', 'test');">
+]]></code>
+		<source-type>vf</source-type>
+	</test-code>

 </test-data>