From f9c661ef5d2a422f246b3a089bee06470ae1d431 Mon Sep 17 00:00:00 2001
From: James Moger <james.moger@gitblit.com>
Date: Sun, 07 Sep 2014 12:04:12 -0400
Subject: [PATCH] Merged #164 "Sanitize page parameters for XSS vulerabilities"
---
src/main/java/com/gitblit/wicket/GitBlitWebApp.java | 14 +++++++++++++-
1 files changed, 13 insertions(+), 1 deletions(-)
diff --git a/src/main/java/com/gitblit/wicket/GitBlitWebApp.java b/src/main/java/com/gitblit/wicket/GitBlitWebApp.java
index f63ff3d..38dbf57 100644
--- a/src/main/java/com/gitblit/wicket/GitBlitWebApp.java
+++ b/src/main/java/com/gitblit/wicket/GitBlitWebApp.java
@@ -46,6 +46,7 @@
import com.gitblit.manager.IUserManager;
import com.gitblit.tickets.ITicketService;
import com.gitblit.transport.ssh.IPublicKeyManager;
+import com.gitblit.utils.XssFilter;
import com.gitblit.wicket.pages.ActivityPage;
import com.gitblit.wicket.pages.BlamePage;
import com.gitblit.wicket.pages.BlobDiffPage;
@@ -100,6 +101,8 @@
private final IStoredSettings settings;
+ private final XssFilter xssFilter;
+
private final IRuntimeManager runtimeManager;
private final IPluginManager pluginManager;
@@ -134,6 +137,7 @@
super();
this.settings = runtimeManager.getSettings();
+ this.xssFilter = runtimeManager.getXssFilter();
this.runtimeManager = runtimeManager;
this.pluginManager = pluginManager;
this.notificationManager = notificationManager;
@@ -251,7 +255,7 @@
if (!settings.getBoolean(Keys.web.mountParameters, true)) {
parameters = new String[] {};
}
- mount(new GitblitParamUrlCodingStrategy(settings, location, clazz, parameters));
+ mount(new GitblitParamUrlCodingStrategy(settings, xssFilter, location, clazz, parameters));
// map the mount point to the cache control definition
if (clazz.isAnnotationPresent(CacheControl.class)) {
@@ -308,6 +312,14 @@
}
/* (non-Javadoc)
+ * @see com.gitblit.wicket.Webapp#xssFilter()
+ */
+ @Override
+ public XssFilter xssFilter() {
+ return xssFilter;
+ }
+
+ /* (non-Javadoc)
* @see com.gitblit.wicket.Webapp#isDebugMode()
*/
@Override
--
Gitblit v1.9.1