phoedos/pmd
1
1
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch 'pr-1106'

Browse Source
This commit is contained in:
Andreas Dangel
2018-05-16 19:43:22 +02:00
parent 5dfdb5870e 0544441caa
commit fa24fa04af
3 changed files with 40 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
docs/pages/release_notes.md
View File

@ -36,7 +36,11 @@ This is a bug fixing release.
* [#1098](https://github.com/pmd/pmd/pull/1098): \[java] Simplify LongInstantiation, IntegerInstantiation, ByteInstantiation, and ShortInstantiation using type resolution * [#1098](https://github.com/pmd/pmd/pull/1098): \[java] Simplify LongInstantiation, IntegerInstantiation, ByteInstantiation, and ShortInstantiation using type resolution
* doc * doc
* [#999](https://github.com/pmd/pmd/issues/999): \[doc] Add a header before the XPath expression in rules * [#999](https://github.com/pmd/pmd/issues/999): \[doc] Add a header before the XPath expression in rules
* vf-security
* [#1100](https://github.com/pmd/pmd/issues/1100): \[vf] URLENCODE is ignored as valid escape method
### API Changes ### API Changes
### External Contributions ### External Contributions
* [#1106](https://github.com/pmd/pmd/pull/1106): \[vf] URLENCODE is ignored as valid escape method - [Robert Sösemann](https://github.com/rsoesemann)

2
pmd-visualforce/src/main/java/net/sourceforge/pmd/lang/vf/rule/security/VfUnescapeElRule.java
View File

@ -220,7 +220,7 @@ public class VfUnescapeElRule extends AbstractVfRule {
} }
if (doesElContainAnyUnescapedIdentifiers(el, if (doesElContainAnyUnescapedIdentifiers(el,
EnumSet.of(Escaping.JSINHTMLENCODE, Escaping.JSENCODE))) { EnumSet.of(Escaping.ANY))) {
isEL = true; isEL = true;
toReport.add(el); toReport.add(el);
} }

35
pmd-visualforce/src/test/resources/net/sourceforge/pmd/lang/vf/rule/security/xml/VfUnescapeEl.xml
View File

@ -654,5 +654,40 @@ NOW() is a safe call
<source-type>vf</source-type> <source-type>vf</source-type>
</test-code> </test-code>
<test-code>
<description><![CDATA[
URLENCODE is ignored as valid escape method #1100
]]></description>
<expected-problems>0</expected-problems>
<code><![CDATA[
<a onclick="openTab('/apex/Download?redirectUrl={!URLENCODE(downloadURL)}', 'test');">
]]></code>
<source-type>vf</source-type>
</test-code>
<test-code>
<description><![CDATA[
a onclick snippet should be escaped #1100
]]></description>
<expected-problems>1</expected-problems>
<code><![CDATA[
<a onclick="openTab('/apex/Download?redirectUrl={!downloadURL}', 'test');">
]]></code>
<source-type>vf</source-type>
</test-code>
<test-code>
<description><![CDATA[
ensure all encoding methods are considered valid #1100
]]></description>
<expected-problems>0</expected-problems>
<code><![CDATA[
<a onclick="openTab('/apex/Download?redirectUrl={!URLENCODE(downloadURL)}', 'test');">
<a onclick="openTab({!JSENCODE('/apex/Download?redirectUrl=' + downloadURL)}', 'test');">
<a onclick="openTab({!JSINHTMLENCODE('/apex/Download?redirectUrl=' + downloadURL)}', 'test');">
<a onclick="openTab({!HTMLENCODE('/apex/Download?redirectUrl=' + downloadURL)}', 'test');">
]]></code>
<source-type>vf</source-type>
</test-code>
</test-data> </test-data>