Changeset 4726


Timestamp:
Jan 13, 2009, 1:09:26 PM (13 years ago)
Author:
Nicklas Nordborg
Message:

Fixes #1231: HTML.encodeTags() should not allow attributes in "safe" tags

File:
1 edited

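--- a/branches/2.9-stable/src/clients/web/net/sf/basedb/clients/web/util/HTML.java
+++ b/branches/2.9-stable/src/clients/web/net/sf/basedb/clients/web/util/HTML.java
@@ -81,7 +81,7 @@
     This pattern can be used to fins HTML tags. It will match both
     start and end tags. The entire tag with attributes are put in the
-    $1 group and the tag name in the $2 group.
-  */
-  public static final Pattern TAG_REGEXP = Pattern.compile("<(/?([a-zA-Z]+)[^>]*)>");
+    $1 group, the tag name in the $2 group and the attributes in $3.
+  */
+  public static final Pattern TAG_REGEXP = Pattern.compile("<(/?([a-zA-Z]+)\\s*([^>]*))>");
 
 
@@ -307,5 +307,12 @@
       if (safeTags.matcher(m.group(2)).matches())
       {
-        m.appendReplacement(sb, "$0");
+        if (m.group(1).startsWith("/"))
+        {
+          m.appendReplacement(sb, "</$2>");
+        }
+        else
+        {
+          m.appendReplacement(sb, "<$2>");
+        }
       }
       else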
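Review bot: In the safe-tag branch (new lines 309-316) attributes are dropped only for text that TAG_REGEXP matches, and that pattern requires a closing `>`. A `<` that is never closed is not matched at all, so whether it is neutralised depends on code outside this hunk (the `else` branch and whatever follows the loop are not visible here) and should be confirmed. I would also add a why-comment above the new `if`, e.g. `// Re-emit only the tag name: attributes ($3) are dropped so nothing can ride along on a "safe" tag`, since `$3` is captured but unused in the visible lines. The changeset touches only HTML.java, so a regression test asserting that a safe tag carrying attributes comes back as the bare tag, for both start and end tags, appears to be missing.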