From 3f343016602d9db14d9f2e2267252efa3e0a45b9 Mon Sep 17 00:00:00 2001 From: Lachlan Date: Thu, 8 Aug 2019 17:55:31 +1000 Subject: [PATCH] do not echo part content in MultiPartTest (#3942) * sanitize xml from multipart upload in MultiPartTest Signed-off-by: Lachlan Roberts * changes from review Signed-off-by: Lachlan Roberts * no longer echoing back part content Signed-off-by: Lachlan Roberts --- .../java/com/acme/test/MultiPartTest.java | 80 ++++++++++++++++--- 1 file changed, 69 insertions(+), 11 deletions(-) diff --git a/tests/test-webapps/test-servlet-spec/test-spec-webapp/src/main/java/com/acme/test/MultiPartTest.java b/tests/test-webapps/test-servlet-spec/test-spec-webapp/src/main/java/com/acme/test/MultiPartTest.java index b72a12faf6f..a2f8fdf2204 100644 --- a/tests/test-webapps/test-servlet-spec/test-spec-webapp/src/main/java/com/acme/test/MultiPartTest.java +++ b/tests/test-webapps/test-servlet-spec/test-spec-webapp/src/main/java/com/acme/test/MultiPartTest.java @@ -29,8 +29,6 @@ import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.Part; -import org.eclipse.jetty.util.IO; - /** * MultiPartTest * @@ -64,17 +62,13 @@ public class MultiPartTest extends HttpServlet out.println("

");
 Collection parts = request.getParts();
- out.println("Parts: " + parts.size());
+ out.println("Parts: " + parts.size() + "
"); for (Part p : parts) { - out.println("

" + p.getName() + "

");
- out.println("Size: " + p.getSize());
- if (p.getContentType() == null || p.getContentType().startsWith("text/plain"))
- {
- out.println("

");
- IO.copy(p.getInputStream(), out);
- out.println("

");
- }
+ out.println("
 PartName: " + sanitizeXmlString(p.getName()));
+ out.println("
 Size: " + p.getSize());
+ String contentType = p.getContentType();
+ out.println("
 ContentType: " + contentType);
 }
 out.println("");
 out.println("");
@@ -109,4 +103,68 @@ public class MultiPartTest extends HttpServlet
 throw new ServletException(e);
 }
 }
+
+ public static String sanitizeXmlString(String html)
+ {
+ if (html == null)
+ return null;
+
+ int i = 0;
+
+ // Are there any characters that need sanitizing?
+ loop:
+ for (; i < html.length(); i++)
+ {
+ char c = html.charAt(i);
+ switch (c)
+ {
+ case '&':
+ case '<':
+ case '>':
+ case '\'':
+ case '"':
+ break loop;
+ default:
+ if (Character.isISOControl(c) && !Character.isWhitespace(c))
+ break loop;
+ }
+ }
+ // No characters need sanitizing, so return original string
+ if (i == html.length())
+ return html;
+
+ // Create builder with OK content so far
+ StringBuilder out = new StringBuilder(html.length() * 4 / 3);
+ out.append(html, 0, i);
+
+ // sanitize remaining content
+ for (; i < html.length(); i++)
+ {
+ char c = html.charAt(i);
+ switch (c)
+ {
+ case '&':
+ out.append("&");
+ break;
+ case '<':
+ out.append("<");
+ break;
+ case '>':
+ out.append(">");
+ break;
+ case '\'':
+ out.append("'");
+ break;
+ case '"':
+ out.append(""");
+ break;
+ default:
+ if (Character.isISOControl(c) && !Character.isWhitespace(c))
+ out.append('?');
+ else
+ out.append(c);
+ }
+ }
+ return out.toString();
+ }
 }
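Review bot: The part's content type is echoed without escaping on the last added line of the loop, `" + contentType);`, while the part name on the line above is passed through `sanitizeXmlString`. `Part.getContentType()` is taken from the client-supplied Content-Type header of the multipart section, so it is as attacker-controlled as the part name and should get the same treatment: change the end of that line to `" + sanitizeXmlString(contentType));`. The markup inside the string literals is not visible on this page (it appears to have been stripped in rendering), so the exact literal should be taken from the file when making the edit. The enclosing request-handling method starts before the hunk.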
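Review bot: sanitizeXmlString is a new public static method with no Javadoc, and its contract is not obvious from the name (it returns the argument instance unchanged when nothing needs escaping, returns null for null, and replaces non-whitespace ISO control characters with '?' rather than escaping them); I would add a Javadoc stating exactly that, with `@param html the string to make safe for inclusion in XML/HTML text, may be null` and `@return the escaped string, the same instance if no character needed escaping, or null`. As rendered on this page the replacement literals appear as the bare characters (e.g. `out.append("&");`), which is almost certainly the page decoding the entities rather than the committed code, but it is worth confirming in the file that the committed strings are the `&amp;`-style entity forms, since otherwise the method is a no-op. The predicate `Character.isISOControl(c) && !Character.isWhitespace(c)` is duplicated between the scan loop and the rewrite loop; a small private helper such as `isControlToReplace(char c)` would keep the two passes from drifting apart. If the test webapp may still depend on jetty-util (the removed `org.eclipse.jetty.util.IO` import suggests the intent is that it should not), this is a copy of `StringUtil.sanitizeXmlString` and could delegate to it instead.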