Merge branch 'pr-1106'

2018-05-16 19:43:22 +02:00
parent 5dfdb5870e 0544441caa
commit fa24fa04af
3 changed files with 40 additions and 1 deletions
--- a/docs/pages/release_notes.md
+++ b/docs/pages/release_notes.md
@ -36,7 +36,11 @@ This is a bug fixing release.
    *   [#1098](https://github.com/pmd/pmd/pull/1098): \[java] Simplify LongInstantiation, IntegerInstantiation, ByteInstantiation, and ShortInstantiation using type resolution
 *   doc
    *   [#999](https://github.com/pmd/pmd/issues/999): \[doc] Add a header before the XPath expression in rules
+*   vf-security
+    *   [#1100](https://github.com/pmd/pmd/issues/1100): \[vf] URLENCODE is ignored as valid escape method

 ### API Changes

 ### External Contributions
+
+*   [#1106](https://github.com/pmd/pmd/pull/1106): \[vf] URLENCODE is ignored as valid escape method - [Robert Sösemann](https://github.com/rsoesemann)
--- a/pmd-visualforce/src/main/java/net/sourceforge/pmd/lang/vf/rule/security/VfUnescapeElRule.java
+++ b/pmd-visualforce/src/main/java/net/sourceforge/pmd/lang/vf/rule/security/VfUnescapeElRule.java
@ -220,7 +220,7 @@ public class VfUnescapeElRule extends AbstractVfRule {
                    }

                    if (doesElContainAnyUnescapedIdentifiers(el,
-                            EnumSet.of(Escaping.JSINHTMLENCODE, Escaping.JSENCODE))) {
+                            EnumSet.of(Escaping.ANY))) {
                        isEL = true;
                        toReport.add(el);
                    }
--- a/pmd-visualforce/src/test/resources/net/sourceforge/pmd/lang/vf/rule/security/xml/VfUnescapeEl.xml
+++ b/pmd-visualforce/src/test/resources/net/sourceforge/pmd/lang/vf/rule/security/xml/VfUnescapeEl.xml
@ -654,5 +654,40 @@ NOW() is a safe call
 		<source-type>vf</source-type>
 	</test-code>

+	<test-code>
+		<description><![CDATA[
+URLENCODE is ignored as valid escape method #1100
+     ]]></description>
+		<expected-problems>0</expected-problems>
+		<code><![CDATA[
+<a onclick="openTab('/apex/Download?redirectUrl={!URLENCODE(downloadURL)}', 'test');">
+]]></code>
+		<source-type>vf</source-type>
+	</test-code>
+
+    <test-code>
+        <description><![CDATA[
+a onclick snippet should be escaped #1100
+     ]]></description>
+        <expected-problems>1</expected-problems>
+        <code><![CDATA[
+<a onclick="openTab('/apex/Download?redirectUrl={!downloadURL}', 'test');">
+]]></code>
+        <source-type>vf</source-type>
+    </test-code>
+
+    <test-code>
+        <description><![CDATA[
+ensure all encoding methods are considered valid #1100
+     ]]></description>
+        <expected-problems>0</expected-problems>
+        <code><![CDATA[
+<a onclick="openTab('/apex/Download?redirectUrl={!URLENCODE(downloadURL)}', 'test');">
+<a onclick="openTab({!JSENCODE('/apex/Download?redirectUrl=' + downloadURL)}', 'test');">
+<a onclick="openTab({!JSINHTMLENCODE('/apex/Download?redirectUrl=' + downloadURL)}', 'test');">
+<a onclick="openTab({!HTMLENCODE('/apex/Download?redirectUrl=' + downloadURL)}', 'test');">
+]]></code>
+        <source-type>vf</source-type>
+    </test-code>

 </test-data>