From d8d174075a7b8e2145225b4d6dd7392717c6b170 Mon Sep 17 00:00:00 2001 
From: devxb Date: Tue, 28 Feb 2023 15:57:46 +0900 Subject: [PATCH] =?UTF-8?q?feat=20:=20XssFilter=20String=20Extension=20?= =?UTF-8?q?=EC=B6=94=EA=B0=80?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - XssFilter String Extension 추가. - 관련 테스트 코드 추가. --- .../.gradle/7.4/checksums/checksums.lock | Bin 0 -> 17 bytes .../.gradle/7.4/checksums/md5-checksums.bin | Bin 0 -> 18847 bytes .../.gradle/7.4/checksums/sha1-checksums.bin | Bin 0 -> 21467 bytes .../dependencies-accessors.lock | Bin 0 -> 17 bytes .../7.4/dependencies-accessors/gc.properties | 0 .../7.4/executionHistory/executionHistory.bin | Bin 0 -> 76245 bytes .../executionHistory/executionHistory.lock | Bin 0 -> 17 bytes .../.gradle/7.4/fileChanges/last-build.bin | Bin 0 -> 1 bytes .../.gradle/7.4/fileHashes/fileHashes.bin | Bin 0 -> 20197 bytes .../.gradle/7.4/fileHashes/fileHashes.lock | Bin 0 -> 17 bytes .../7.4/fileHashes/resourceHashesCache.bin | Bin 0 -> 18701 bytes .../.gradle/7.4/gc.properties | 0 .../buildOutputCleanup.lock | Bin 0 -> 17 bytes .../buildOutputCleanup/cache.properties | 2 + .../buildOutputCleanup/outputFiles.bin | Bin 0 -> 19253 bytes .../.gradle/file-system.probe | Bin 0 -> 8 bytes .../.gradle/vcs-1/gc.properties | 0 xss-extension-string/.idea/.gitignore | 3 + xss-extension-string/.idea/compiler.xml | 6 + xss-extension-string/.idea/gradle.xml | 16 ++ .../.idea/jarRepositories.xml | 25 ++ xss-extension-string/.idea/jpa-buddy.xml | 6 + xss-extension-string/.idea/misc.xml | 10 + .../.idea/sonarlint/issuestore/index.pb | 0 xss-extension-string/.idea/uiDesigner.xml | 124 ++++++++++ xss-extension-string/.idea/vcs.xml | 6 + xss-extension-string/build.gradle | 54 ++++ .../gradle/wrapper/gradle-wrapper.properties | 5 + xss-extension-string/gradlew | 234 ++++++++++++++++++ xss-extension-string/gradlew.bat | 89 +++++++ xss-extension-string/settings.gradle | 2 + .../org/stage/xss/string/StringXssFilter.java | 32 +++ .../StringXssFilteringException.java | 9 
+ .../stage/xss/string/StringXssFilterTest.java | 83 +++++++ .../src/test/resources/xss-invalid1.html | 13 + .../src/test/resources/xss-invalid2.html | 3 + .../src/test/resources/xss-invalid3.html | 71 ++++++ .../src/test/resources/xss-invalid4.html | 1 + 38 files changed, 794 insertions(+) create mode 100644 xss-extension-string/.gradle/7.4/checksums/checksums.lock create mode 100644 xss-extension-string/.gradle/7.4/checksums/md5-checksums.bin create mode 100644 xss-extension-string/.gradle/7.4/checksums/sha1-checksums.bin create mode 100644 xss-extension-string/.gradle/7.4/dependencies-accessors/dependencies-accessors.lock create mode 100644 xss-extension-string/.gradle/7.4/dependencies-accessors/gc.properties create mode 100644 xss-extension-string/.gradle/7.4/executionHistory/executionHistory.bin create mode 100644 xss-extension-string/.gradle/7.4/executionHistory/executionHistory.lock create mode 100644 xss-extension-string/.gradle/7.4/fileChanges/last-build.bin create mode 100644 xss-extension-string/.gradle/7.4/fileHashes/fileHashes.bin create mode 100644 xss-extension-string/.gradle/7.4/fileHashes/fileHashes.lock create mode 100644 xss-extension-string/.gradle/7.4/fileHashes/resourceHashesCache.bin create mode 100644 xss-extension-string/.gradle/7.4/gc.properties create mode 100644 xss-extension-string/.gradle/buildOutputCleanup/buildOutputCleanup.lock create mode 100644 xss-extension-string/.gradle/buildOutputCleanup/cache.properties create mode 100644 xss-extension-string/.gradle/buildOutputCleanup/outputFiles.bin create mode 100644 xss-extension-string/.gradle/file-system.probe create mode 100644 xss-extension-string/.gradle/vcs-1/gc.properties create mode 100644 xss-extension-string/.idea/.gitignore create mode 100644 xss-extension-string/.idea/compiler.xml create mode 100644 xss-extension-string/.idea/gradle.xml create mode 100644 xss-extension-string/.idea/jarRepositories.xml create mode 100644 xss-extension-string/.idea/jpa-buddy.xml create mode 
100644 xss-extension-string/.idea/misc.xml create mode 100644 xss-extension-string/.idea/sonarlint/issuestore/index.pb create mode 100644 xss-extension-string/.idea/uiDesigner.xml create mode 100644 xss-extension-string/.idea/vcs.xml create mode 100644 xss-extension-string/build.gradle create mode 100644 xss-extension-string/gradle/wrapper/gradle-wrapper.properties create mode 100755 xss-extension-string/gradlew create mode 100644 xss-extension-string/gradlew.bat create mode 100644 xss-extension-string/settings.gradle create mode 100644 xss-extension-string/src/main/java/org/stage/xss/string/StringXssFilter.java create mode 100644 xss-extension-string/src/main/java/org/stage/xss/string/exception/StringXssFilteringException.java create mode 100644 xss-extension-string/src/test/java/org/stage/xss/string/StringXssFilterTest.java create mode 100644 xss-extension-string/src/test/resources/xss-invalid1.html create mode 100644 xss-extension-string/src/test/resources/xss-invalid2.html create mode 100644 xss-extension-string/src/test/resources/xss-invalid3.html create mode 100644 xss-extension-string/src/test/resources/xss-invalid4.html diff --git a/xss-extension-string/.gradle/7.4/checksums/checksums.lock b/xss-extension-string/.gradle/7.4/checksums/checksums.lock new file mode 100644 index 0000000000000000000000000000000000000000..9b6808334f16c7c5e653629037a3650eeaaefaf5 GIT binary patch literal 17 UcmZQ>dN0=Sr(Sy^0|dkX05*XHo&W#< literal 0 HcmV?d00001 
diff --git a/xss-extension-string/.gradle/7.4/checksums/md5-checksums.bin b/xss-extension-string/.gradle/7.4/checksums/md5-checksums.bin new file mode 100644 index 0000000000000000000000000000000000000000..67c874813ae82a8886470bfd4362b94adbd0b90c GIT binary patch literal 18847 zcmeI%|0`W_9LMosd|v1De*Ah&f)Ek% zM?Hk|BkX+13IPNVKmY**5I_I{1Q0*~0R#|0009ILKmY**Zi+yeG{|jbn2312ZxQ@b z5R!tVMZjos=GOX9j!k)7kgNSam^RGKyF26dmHf#=E&tje_PatYAN*F5O5JbOa?5eAqjvvUle#}p%eA|de^Q=tMF0T= z5I_I{1Q0*~0R#|0009ILKmY**5I_I{1Q0*~0R#|0009ILKmY**5I_I{1Q0*~0R#|0 z;QtgzmBx;h&S>8mqVs-m+N#4Bti8@6d#t%w5Oi(su2Z98qd%1Hi5DA=yQ{{uZzGA` z6^}jFHa#LYx|`i<uxiQvpbbUjt-KcmwRT^|Jto_Tj zecK>6JP%HR=G-Eb}$u0-bHaGWM|qhv@K!$I;!oXC)_DWa4^M~YO& zL{yTY;gxVpbEccf&~(+^+uF;0-*eo5{PRA~`>gdm_TJCu?9cwK{oU&f&tt8P7$&js zJK3gGjD*T8;y^eE!`2Go2bwt(%)=_ibsxdYmPPRY2WOHk_WIN^D*!j6LZ0hs zjroc6oCMsuX^KbRYqDQ!BM&%L6LOZS_T#o}{b0atj3Ccj7ii?0-@0jB46$TTjyAF}p$$`9<$vaV_mqi2ITnX~}MAuyD)`kZ1 z{GTCjIp*Qwyh~?0$sa@B>Zgzqzt}e)aN8QlA1aH|YLg9B$m>J=y}j2^)c?`H5&@_3 zz!y4;n>vg3tW*WuItB8s=1Y{ApcV)6I=?~Q{o$tqbpZ=Bo?0W{d9WUf#E9BPfJ8^kA;I=VS zoZ>3>G9=>?d7a@Y-qUj1xLQ{caGOxbc@HJEs2RP9C$D2S#dE|fv;K%%4Y-{*RHHFePdxJ_qU!Pc_-v5<^dOZ z-uL(eZfOX)YF{Ynl3ZYBx2*~?eD1(&S2LR zFXmidoC0bc768`LC*0PKBT24t*@51IZa1EFjU0&;HoxOYS|z}u60_Vn?(4Z%pK+}I zFFGf4%2$P1rw{L5*|-Z>QQLs!rq69@h9~Z07=K8NUzshKY~)%spvr@F+ZH6hZ&Vx$$XzFY_)BzV(Gni))YEPodFh`oE>fvHjVW(uRZKp;6QfU zi+a_^bMF6A$Hv!)5NWX0KrMp1`8+J&LDt&7|)LOdagH9#r;dvfliGAa?q#{gnhx0}ILim~=jJqt7P6};o zBCT{_DTHuaaTnf7Dl91Xi4hPz7$2dhaGMs1uc0A&n8*ay!g_A&utVNF=Uush(RLnk zTaIlJHOkp{6x1rL29|6dx7DM3_15aFbN(ykzs6+phsAvAJ#7xG3v^%!KH|30yrRZl zFS@r>BCPj$9X&D8_**-Rw8$}UImm6rdpp0`(<@`B(K~#Z+4nNzK|m*-9dTdD?x5DP z6Wmr&o7lu1wIlDm^n&O~&#%2IBF;Knw;W7uYs4*lL`4!~9dC;|@C}Fc?mIDR!BZFoCz+*10v^dU>_%@bvlwb!`C`J_$On6tFH4 z?_s>DPSZnw$CABg)4%Sva~wbNrG9*9Z^Wl6(!x_A+LF`whNFjG-L!}-+UmC0rD>s= z_a1rNtadg4R*4efVAxMv@C}DmmD_2sGw0We^}j9h$~JiF8#L%OLR#df=&~=|mep7k zqyN;Cj=4@j(fTr1f)@wplTSIro~VRjLKFCgqt>`ZrjMz${QDNamrGc(O!q3;I()qj 
zF*Y(6OiGx@H1EoddF!`1HUxJs@SLxhRpu1Cdt|5+SSOQ#H6Q;(;H;&f{Og=-i<}^# z9s6q&kHrkio2L<@7q6A253D7`njMZFR=A{l*9=K@l`TlPA;YxLv6MJ4Kw6JUOM=@< zW7GJb-@BD^=HnAvpJumfO4^0jfpzLKu;jbBtypy(F&k%|oDO!uI7`9ncr5F#DX>l# zleLVvE%76INhVUuch0M7DDDl9UF}*i_&aXlq{roCEqq*ZKCk?tTl3D?);CD^|NCKT zf`w+fW(hG4qf_%@iIIf2>3TRbOQLAwSEUJs=FRaha>HueMUR)2U74)K)+D|a{-M^) ztcoI<^TT5ww0HQO5BbB^8_Szo#ZoKt)m@gkuYdV(4q z&YpFBhmRyY!_skbM2XgM*V4YNd0adoQmgE4nmJ?LS#>@3A%#innhpLNhiG%B85=XR z;-t3^_%Bmo`WjBinOX!o^h)~f2eoLQK&|O|m>D)Itff>gBT(_K=2A%hGo4d&-6pNt r+up#MZG!JPGMt&k7|h_66~8Nt$!)L?Zed_fK-CbXZiBrXnDSkYsy7ER>^3ldAHQW6SJaxRQ|M4vr=rq)PAg2MU6y zAOa#)5D-C{fFNCpAfQqN6!^d0O>)T<;KCgozkl>|B-!lDzPy=v^JeDzzOSCiR2sYO z`_GjAU#axBk#`XdL^Kf5Ktux(4Ma2$(Lh845e-B%5Ya$H0}%~GG!W51L<12GL^Kf5 zKtux(4Ma5XzoLOQ@Iwk4Kc;jIi}t2O7n2Du3U40!XvEAK%=y0#8egYg_MaboS9yGF zjRV~Z8rL_l{_B>GC;pl=DEcwudecPzbzCm@wx!rd(~av5Yx}RaXfZjl$dD7OjO*X` z@L%`8!u1b~?;`(3G!W51L<12GL^Kf5Ktux(4Ma2$(Lh845e-B%5Ya$H0}%~GG!W51 zL<12GL^Kf5Ktux(4Ma2$(Lh845e-B%5Ya$H0}%~GG!W51L<12GL^Kf5Ktux(4Ma2$ z(Lh845e-B%5YfQBXn=xvfQs-}R{NWhmYR~nb@7lcw?d_M>e`L#>P~RRsV*<_)pgVK znbRF-i*t)gBC?4ths`T`5;K6s+@~?KV8IxOK&eU(EU2 zdHlr+miw;3w8

C&iJdw36Kpmp8U@tUDz+R!($!Qrw8B?0-kbDgq(N98anQ5)dZ{ zl*Hn^sL%vK3LHZ)SfL|tmH)l=T*@dO_lA#roH2)a=9HN3?M#My-nXdR?BHcDo0; zQynt$_2ovfUVwn~mbl<0KXyLvoUk5`OC`a9Isi;}e(;F{Z!9G8QOh5%h`@Jtgn^ticX z>nl6oEL5{!t$I6eFWK|Y@-KhGx0Z??+(~rTcO)Y7TFZkF$L{Y&K8^W@9Y|rqrfiz? z+0E)_-W&hl<$}!pVg3EOCgi8PqoPN;+)fysUI+5%!ftw~!lnyj!X}JZf1=;Hj$7Y( zwc^lENBq0&tS<9rbM#P;KDc#pPd%8XHepM5wSDzi)R3Z!D!sYBR9mrsf4!Lpz8-A` z>sS>`WwrO=58|k*b(z9>-KhzwlABWF(p=7DSJyaK66x_eI(0TorMaDHNtT02b|$%? z$JiQ+sbXE@{TjZH{CWx%HArGg{`sPM2m8Jta+9+abT|d}?cM+#U3=jFZhcUxhYbNq22`oTtbL z|5XJ^DRJh&P5MV)r6oHk}Y%!0Y3)W3Alsf5fVh4B2+}q^ z!kLjn`omYrb>3ziPafoB$cc)A=o#bAx&|_Qbp&EzgTdw3-$b0I&Vv5%(JCjvM9IP~aeOQ1t zS2$jfaGXXwbYo6oIi8^;0?`VkNCY9!&>=#)a7aDD9eI2u^keFQ@z=a1Yks$;YT@Ex zcI3MaL!an8q6JVc2dg8I=5UeYI8vo~0Y)Lo(i}yKU_e-r43Rx(*m;`@OE*5(@s~;s zi{Ezi{ONtmjl5C2&uCZ^eZAdhJXk_jc~X&~3*(GRa|$IRlAu{h!3mBe2#%8#M2jKP zXQ(Pz_nC}H&P`w^F#*h*XcLo@onDx>oXPggm#pASfXSw8jGYmX#M21j3QMpQ1r~*- zMM=b2Mx}V3m$f-YR!AkAT3`e~EyfUdXK43#rj$7|d0GAXKlLd%_g~AQ+-M8G?x53q zVJ&56;DIDzR}sY#GS7g4k$9P91+dYSL@Bty;7FylsYj7;S;*x9v+m^8G$xVSpSPJ@tWq2ghs>+GDj9`u=5XlmxiqoQks}eyW5iAdfGk#g2 zWQd$-*{i*0tS{JhLcuEQ5CUaO+q5fG(JfY2m_;$RiN`yJi*eWh)W!U zb0R|$45CDs6)6%CA%#PPeR_Y^xEH``lI+L&Tl@S*15E0 zUv7%6dvHD#6VNRM39*vEk%*RAf&p)ikvXjclZeL|2K3J(-mhZaj|=X$J8ri4a7x29 zwUok%m(l*RuUR&PC2E?OlxX)PiwQ`72Lln%_srj-w4W@;!_uP9Ve`!kn&fmR?YVR(tJi7uB&zTc9?IEBJ50+k-bF-mFj0V4 z1ZInqWSHt`0_S;>Qb>wpC7R7pTw5DJaYJfnHQVRI9{UylWZa)8Hd))xwfq>C)P`K0 zQWDdJB*2%YSUXZ^R^bU5fgev3qzF?0cyBb$NDQwEln9Q6s*#iGL=5%g{iC6ioai6<5>0>-K|maFI0y$T3li2GvW&~5AR|eV z!FfOo3Mv{hiFC z=RftHsd9OB(bLJlyOzo}Oa5A`|c-efmM8{U1cyZ>>C&!(6 zYQd=a9asFfRL;HAEZmR>vp~mojGJ8a_Nqg366P-(y6W7TUio-=j`f*V;fAfsZo>8i8&wopE?4+_xZc=A;;_NO1qPrjdPuE9t zVUFEwc6#+N^2IMMTzut9(Gr8b;dS5#vMk5C75-?<^Q-Kq%2(RHcgNv@S0CX;Iaa(e zRq0B#kH^-1|KPNDj@?MgxzWqK{?2AGo!d)t?A+c%yHB?{`kJF%sb4;9U#M07UXWwk zU%6Gw^33|eAMJ|zV~KbAANg`Qj=jUWbL*VNEa>-9b9FI} z4er;w5mol^`=@vRSkN>3KeHc&r8qVRpRh@AZQ1q4xoa(poG;NMzb?eF;V;jt@^zVy z_O|Al|I&Zhwb$~+G8{{~F(A2Z?`vO-+Bp;RrlFS 
z`}$44ylo+U4toTa;26LD$@jMPz-@ca#*}Tmu*Z=6wgAU&ytl9i*}P|2`;BUqMvNX! z_d)?zYx@BDd}qkSpLxw^%=b~!ip+4a+0Tzq5JGxE4)edjNGqVt>e%Rkd+Vg6Zq zV_b=IH=eHlO~RGu>{XdJzN(jR7v9*!Z@+6euhwR#smeU%lMOh5wL4zg9X;TsbEhk| zc>kq3Eq4XL3hAd7E!*O{^lpde8~87Hr=z}5R~hNR2zx92!rLAV z2L^O4bkE06BwXuhX4ox|+vQN*WB+uJ4cou0-#ET30mn z2Su6&>iy8vA0Qg0K}JtB4GDBb^Xv?I4e5(|l_u;XX7%esmYA!VCf?XydwhXy6aQWM z)o=LF$D&MF(JJjbragUu-_q;$-|sHE*1$YILwz=19dFma_(8+I-yfFBwS0DUr+4}r zb^Kfu>UeX)2d@fmT&r00#D#VB%SK;=OOrRdW5}0?NvosFRhb?$EEX<(I{u0APYz#P zZ(QY(X-SS<#o$sSnmaaqX00ds2p_L*(tsA>()kYEJ3bZr(WyVnTh%?2EVrXS_M3({ zl#FyNuwfCJr+8f{-t;!gF!$uTeK6W6AcWnpR33X4<}SSj;RiMUY0ciZsWBx76r{dj zVnz**p6>ra@kmsVJLB)zoX5jFyWe3*6V&^%l6@ka+@(64DW1AI;?Ni-qE|HUdLUAJ zlUy2jL&H5b)~vK&8mn_O24n5+Yhg% z;V`T92OMTo0saX1D>Eg5NmW&eNsaFo=k&T1cPg8tcoMw{t~4KHePym7C?hz`Ahf@) zDQ!k)Ld_#M%m@xM0MHD=VUmA85bKg@{=FYBP_HZsYwYY><9ceh1IJ74xXN|7eb&70 ze%wI4(qs8a8Cg0DQP_?GrnfIquM|G??$X)O1wLPIUT{w?q5k_KpxgTe-ChpuA@=}V zhSs@f(5=-AF0v2$NAi+L0_03p83In~6#)*x!K>jJS&~#0$qGP;Rgw%G-v@(t^?Gs{ zIhT{);rj`B1|B{cRx5N$Np^T`ol;y54d1MPvid$*T_PZ&HJBFP zRGtT{h0Fmi8a!MQV8lGd$bbaIB{gIB(BKw&1xDW(w&CW`N^56!;wyi8tFo6_5C$Af z846L$QfkrF= zt`ZI&zRHUv!OA$z!50(+q67-+vw<(#!#t#3&414Pb8OF=PS?6k!dXksJqSNAu4_`F zw&|W8W9Gl0LIEKIr9geY z_5NF@s#fpy=b^Q0e!Tt5o)V{8TQY1Y-lI)Qa>@w~uM?u+^;cN%1}%H-Gz1hvfFCT1 zfhw(krFB+C|ZCA zL?9s;O)#QZ2%J+@N>(XSQK_Jku;hf2h7z5#%bEUDTqUII=P&Ggee>xsMTAkQwYA;% zY786FCV+sj4Fy3Qj3VF&$tprx{F%ZL1P-C&5TeTBB+n>3$A*-Jt_fug5hoX4zCUHl zB7PZP>@&LBjgeutGtksPq^ZXXfm=auwa_u#4l!FWZY6TrVf?d&WUnJN1MxuMlFvkGUWg#53`9YK3&K;fL`W(pQ#?z8$)b6l z;b;k5Czd2Yoqk4xkXm%J>a$eU+g2ZV`_hkn3iKPazEZP<&0)B7TFXmmUSL#Glr+2c z&T6~`gQ$mbA_*Z$g~>>SLmxrlU=9Vj6^WG*95x`Bt~f!2IQgKmnlVj};@q(P#J`C( zw#*zp|Kql2Ctq$B#-ctuA+3NlO!mS&Z-~nAG$n`-R1QX;Lo`LPB*aY;GA*(YcnT_p z6BGgVK!ZiqYX}v1_NKwT`V8vHyPp5IS>HlM3t0Zm@pyuh8(XR<0=pEjH~9#=;+)R7 zL~wnR6}Qu&ST#Szj>8mA;sgbgJ?|?34j`Nk0v!)9+pys0!B2q@T1AAz5;*yRsChW) z0a68mQbVe;W>u9j0KM^>9oRbs|JnDG05<;h=9Szhzy0pIWa6wcmXUf4UxbQ0j}V%QbDpT3gFCy77w<*-?aJa!;Zha 
zTcXFNHd_nES6XGc9tz96$Ayct3uzNQNw9EBvJ0?C5d{d5#$l5WA(4V3NCsYI7Dxyv zUJw)wD`pU4M@)d~VkqgRxBmo@Q@>SKFtXX$^bgfTNuM$(v z$L8GscxdpAOrhnE26zLr^*{R3Lg&=CmzG-j!m805D}|@>hXUQe3Jlx*&xYS;kNA4t zum4QwIb}k4XE}Kf+`yLfpR?lUg?%fpDwfczVAIcs=6BczcCr;YwZJylrYX<0ytbhC znycZ3nLiNFMuaE91N&zhp&@ww_f27#i6`NahihQ7JB-=9_2?IlnCm0n`m*8vk^dvi z4>><*xu>~NKf*S64RZmifyG^@JmcGDqhG&O`;dER`{@zBiU9L$o{~uZPw`cRH?3y? z_xMk|a}lC}EgLuYTfFeVXF9AH_SVy=%x@854V{$pzTg=VVhtY-F^`}b5n_$|;a@{{Ca_%YkH{1Q_iNNl=|3dCVGB7l2+~~)a7HVl9 zaJfpkuXlZxbH(O0AOpKJX6dmmO_x~yShDuO%z6WBZ^-dhxF%u%g%NmjUvLZz=hITH zb1L-njPv}w@#W%|@;?{@J6r#!Q&Wqt=u-X0!e&bMzb@sR;!sm$oJ8tIF82cY z!rv!0cB~d&3#a2Jf}j+z&b@CC2G+Un-j0>pS9qq@jF$12ZI@byN8c3$yU2*4&{pHQ z0>Qv~A0ANmP{~avuoAtaCLTC7BjoOt@WrD_<&>X*7ud6Hrk&i=a5z4p zx$BQ{Radsm#|%z6-+}kLYhnN!5pdYjFXaX30_#?FQ{g@vAQ{7{`C|2#aH1y(@0ejTr0V^_kSzq_UUXPoUpv(A|_xNEr%rqKAw^i9p| zS?4lPY_tYgGeA%@j=BHt8F+fytu4|svtq}8pZrB(vzBW1uEcAB3LXggTHwcF!%jCU zy!r6VQLkV>y>{{9>L2nk`I;tlw&ZK($yv3CPF-Tc#0G0$nH*bgkW@OQ#9ub|Yx6cO z1Ino{p9eCniS{p^d*;c*_w)&R%jbP zM$TcImJTrmAgg-zS0nqkk1w>PA6j;YjI8GSs4HVC*#eW?z(}g)o2^XPWXKxYN=x<( z2xw#;8}yCF4A}xA@1pvQ3BKykGS4E@^x$hLu0)3nY0EueDc~h8t>DK&zZ~`*Y+A-p zTfI#84Q|w|Zj(0kVuGKm-KsxgYS1I#qQN^_H(qpmkT+^zo7VNMeDE!fWH~WKK`}`# zZyL}fdd%jb=@mqO8@l_McN1GWP*6*V>PSu%6CDa+i}xlaMqx){v7*(Nbt*99=)#^8 z4}CYyJUY`&4_8pqCupA^Tb&{P7~gBccYSA1UB2zT5J8Qb9TFpi9L(Nij0HYZDXfUmBgRlBO*h zH=^G^&}PZN&kJp0<9?g(H){=EU!M+xer?7K?z4SmG#)YtTWR7*MvaX55vFuahn`~Q zC_UM^&bF*2@3wh#l5blU-u?t%ZNS2;O|gM0Ow)W{7-`m z(~Aw$)^olb<^`u@P=eN`zVC*$jcM7cQS)Z8L@YnppDTS>lGwE&5?!qv-H>S*guVqn z4AnD~i*CqyUedHYsM>&Dp$@+q!No{P)bG_ip&(Ue>^M`>YlQ|>xTBx*{CHxKr4 z8<#Zcbmzfs8QO$8Y}d~YXKUOB;)z@MsN;Mzu$dCdPw?|5`?MaD3^}Wjr&xM&d*2tW z#W=VcxZUpuWxCz>g>m~}H`02$r=)4qJ@&$&?$=uMB(yZj2PrONADrrYgnzL4O6c=p zNz;!RA8XvLnY2K2Y0qg8puvW(5>bEv+oX15a7D5 zAf;8%ny*6DnwpiZTHz(ld#g64aS z9To~2lHEb+3-9ve5XCPvs=Jfo{SsHZYsEky5QkbKnA|*;?6l;s&8D~32mX(X?#bjA>;v^i-03{2j=?bqrLH$Q|BL+yuV+HS-WSMc^tPj-x1_r%(b zZ<+Qi_|VAJqPK|)9D!HL=?#)Y&-z- 
zmdloyBB$B4f2?2)0dB$qzZ``FlZzlT9I$hfbPiec`~KYUw?BUzys`4qqZfX-npD~H zNCsg?VLKZyyNM@Gsj-s1_PsftK4bYabc*sVvFyNQ8V}x#zL-ZID`|(V3+)vc5wwL^ zh5(#wGkjY`r_0B*i#Qo*O9T!9tsgHU3a8)#Ns){o(U6Cp2D)I_GYjPg2EV}#+b>!z z@MzA@uF(D2eYcN)abv>%$Itxw?yP0+hsjBQuRp@~19B@BK<%>^yY4@e((5V#q>E2&z``5`cN9Vp>w81+Q>#UmFGYzw%8)U^T)ENAXR z}z@w?-VP75_*OUv?DFiT$?hU!PLo#`@<6^;q)=B#lUTc}M+Y$E#XO37f0O z9;F@&gLF`vfgT9|KomCm;^4lmo!#I1OX>M~sUP2YISf8W-{1x`aHq=O&YQ4hvl(l3N8P5-1gR28^8C=8q1Ba{E@p!YxTR& ziAH`IzaPs2B`~kiRO1ZJs5GZgG9n3@m4LGvsAR!8lodpa{;2wptX#gTg1zyWNtKrU z`NCq^^2D!?7aiWiAjly(+3C%|EE%}u3v!@rjGYl6a}kYz|CR-gXo^%-NW=g+ zU|67G=E0R!ah#MDGM#QbJq@c?3)oDk#b9b1SNZVGCe^#_tMOU88%>t)`Xo#bB|}^I zb*K09+)5e|{p4~-?_EEYpSN@S&{a2YQ(^E+W-&PZqRLJ{3v~7Ra|Nh~;s}{%U|y1V z8P*E8Dg(u}f&(2MB)3q3RbG*BS;fT7#nsmqyhr&dQRC3g;4Sfq8aF!&hn zAh5Qy^r`l~SP7!Alt#~Xu6b~J`-Qc>+O>H`*`Z-f@^_FEi0hNJv}`(m0-}(JIK(P2 z&M2N>fuR|fIA9eOf$W|EN^u#e+DSzC)v6Z`QRN@ZkD z>%b&}Wf%kc=OO8VF=lmw@(>NzUE6O+?ZV3`^UFV+>++_jSD4iNX<|~M-IFXPApITK zocm%Yh{8(k`)(3_rQ$cPfxE^eUHjx*c?1YBssn)B{imjVvuIbZQiY#t&^nC$TTOX+7W5y5 zb^7enfnC3h?o;ZIm^y{8cWn}8asyAEh5bii3!~Sat^WG-S^VR}c6G1GoC{M#7$kX? 
ze_?^;t;)>@?=I8m@TOS<-e~ngnC+Zrq5o0X)w#b7_Pnf?U!a%=6)8=X340g=%1zJx zqQ7=Q+Q|Z(BM3ImPB1+1RFe#FRa1zjaUOAyUX>FxdUMEHg9M48B*=jWjKD#K!RLg+ zhF|o3>pe4ujU4?|+XYu^eL4I;Yr8M=c`Odd`R^Cx@vE_JJ z4u@~U#PD?tv9(Bj(Z1Qa)P+^9k9ir@E)ozkkX%T(;VqJ}w|47u_q@4}zb;&#;FpY|R; z*0H(0%=Z&5Igj|fgWK6jPV_sSK%xywgmn>)I2;hlDlk^V`IihCj7UL7k_4pNBw_-2 zn4xHhLo~C&vK79#7wVk!PU-anZ~RrsWSW()@-BGJ zG8aYb{CeCA3)aqS{E>P;tK$bv0T6{1HC-(Kx^>2Xd&N}zu*s#F#ltYC*+tmr770KU zmhk*9k}`ST@*QJLiAC5V<-%AOXD4J{&;UeXgWEK<)H%`WLr+-~F@t*PU(2SjEUHuL z1ZZE6!(&f>2a8NQWQ9;vhGQWI7$kXyyz45*5MVtacNIf&6wApHbYIBjLAPVbq zw93Ra6(`oZ+;``{E8cK_V9B>U1yR_#v#rbgck2FiB7LsNm@j@Q9>%<-jW>T9o(wr1 zzzNWD@#IEIh#^mZ|Id~h?agdYVKw18xb&f>gh;zhdyj0Ke2C~pmvUa&N?Q2*g4cW) zA!?bTy&i%xl0-*xBtHhH%7}n1Nyu--3W($F8h%tyU#PL1L7uosehedTy#F*M=lpU2J^oO8CTEY>sGV$1x;S-i?2oQ6P4S(XVcpA!0I2K%r1;1SP!=|O-{AV)Id1!q3T%pPIs9wja|U<%34#76=QQ+j!iO(}(-lZLwtK$TLc{?Kx*n^oyET5UfZV7(F6A3{bn6 z;&lQ{LWSJSkP6;_FA30p6^<7q9H$Wv9tfwf91kY|1fms6kqAPdp>v0LA0hPwxqvsD zonAeReDRA57hkzjw8UU<&dJ^H$$tuRU?XW@>}`Or!efW1(5{j_x1%5Y*2d^6bglxg zB57bUMxpq}ST2IDB57bC`rWVB+yY!h(!ltTM|lLcill+LFQ8Q<4UA24BrCZOvWldE zffG4gV0lFnDUl#VfO_J9td%4c?`K(!hk5aU;**Rgs)3 zc3xlrZptVEj*zS(1R<`n!a)jqL`ncvXK|8e6rN-4K6sX~!%hMw$XMY%YB^PMzO2=j zCO$+|C^9OSU{zS%cb@t8+7>lt+4VL9qc5a%$w1D1559eNC%w52s*2=NiR4mov@bQt<}xUcdrD2_nQ~s3O53nxa^eCKW=aMOGBy0}p$}0znCODb0(lQi`Ia z889r+C+r9l#-Vh^Tq^kmLWR|M?laG8Lrc|)now}Y&^jO2jwE@pb#{6*yssq62^wTq zd)56P=n`6c+C`ioDI73svdG93&Cn26231L9;s!GU0f2V}CygMXN06@2KE zOi5neoONvDf%=EJ?I+*uwCJhJO`|5ja#eJvL1KWEM6V}6d1|_u$Nb>FdJ;kVzKb-cT#_bap&W(%b+iVmz8@Jtv0w(Pr zM*aQAW9^SWy)x#=krh{mrABARzo`+h+KlHnaY9N0AY3;6{Xn$ld>u&4t*2#v14c9VnvLbE*6BxNCP&Ps9yN5m@d;^EIGVa(}L!qu!DlS z`UHIG>m|JssMvnh{u$kt>Q-~7A>hF$O#M1}%tH)S*gAn2BbR)!;Kf>VM|?2ALOwfV zYF*tncw>FMYl6 zr~UPQ?A)fp&_cBF=zmK%x7VM`jEiP)7S11Nxji_hjn0Zu=hJH_zQ2 zD-!+L-FQ_qbe;!;;?t2+!9&h8DBq1a^WxSqty){NY?`b{Kw)3NgdO_f{WSwt67x%U zdTLbv7PoMtwKn$Cdh&=Xg=)XCZ1e6hoA!U&?AvKaHG2Hma?WI%Ua}^6yWEAATh_4O q9jo1I(VW>v&-r+^)~ch7U@)5plP4X00F`PB2xm$ literal 0 HcmV?d00001 
diff --git a/xss-extension-string/.gradle/7.4/fileChanges/last-build.bin b/xss-extension-string/.gradle/7.4/fileChanges/last-build.bin new file mode 100644 index 0000000000000000000000000000000000000000..f76dd238ade08917e6712764a16a22005a50573d GIT binary patch literal 1 IcmZPo000310RR91 literal 0 HcmV?d00001 diff --git a/xss-extension-string/.gradle/7.4/fileHashes/fileHashes.bin b/xss-extension-string/.gradle/7.4/fileHashes/fileHashes.bin new file mode 100644 index 0000000000000000000000000000000000000000..58aeb0be14dfc17f5c6ad5a746088c6dd6e028a8 GIT binary patch literal 20197 zcmeI3TTl~M7=SmRQVj6i|YIl8P4` z@B)LPPz3^G0~iTN>i{YdH1>jw0~n|dG%bS4I9i2na`r%z^}#0}I{(fj?tJdIXU~^S zUfAPF5GC;$bZ02F`%Pyh-*0Vn_kpa2wr0#E=7 z{9g(LlM^vOlVREGsCJl11hL$Z+_BDbowAqxF$NPaWTcc}ajQv~$LxGQ?U?QX=k?hj)MWNQ)klVRTImgjW2@z^WG1C*HG5XDQoQbZnz zbL}v1tsb#W@$!$N&fkK$tjmG@uty$`xKAhM_wtg5w)oz^iFlwD=6z2Bn|p#ETT#cC zVm|8BYvvvK!k#*RH0EP10lhzZotdn7i~%8%*+vJBYX+8}rp;XXh04Y~)bqxrVtn ze{t0VbI~^H_|p?yXC;$bZ z02F`%Pyh-*0Vn_kpa2wr0#E=7KmjNK1)u;FfC5ke3P1rU00p1`6o3Ly017|>C;$bZ z02F`%Pyh-*fe%^0ksQp9e9c$AjD&p*?Kg`MGYtqAM~`J<-2Z z(>QzcV)fg_0}=TbBu?8t9bSSA*T0Z4D54t$xi|VVlv`zCZq`Ck?i=!{eAO7PezNocUbUdIhbka@@6VeZ#2>MrKlOt>K(&0uv1TMyr2gVpueFmzSz zX)I(+3!@ul?CYy@#0)#))awq9e7$z{7!!t$kZ!yxPYi7?jZCgh92(3jihO~L^ied1 z=@Gh--ut4Y%Dv@Ixu>CRs$04ZGLn}g!$3+mVm<4_$E2YmE|Jvn#p60tWKa*^6Ud22Dx5F`>NhGkNkGr>V4-iX}s?|CXM%< z$E5MDd93RBc8lNUot33A+gAm*IFa8u^83+Yjc5LvKJybCb1(Nj9`2z$rtwFDO7#7h zFo;WZV-C+zVRG-OUxCT_{p;BM3pK`I9C$=G7S)T>b~;97*!^=N#4*`fu3-@Ro9V{v zUT@a z5cF9+udn>=f#=;l!SjUrE7itCUA;GS!+FKH#n6V^O`KMRM_Sdz5{)r*jNfs$uj;OF zp1tebg52i2RapXH2<+zV;+pdx9CRqo&8OjQisc|SkvPNd1K`7)PL?o LM!IUv+0uUjfwo>c literal 0 HcmV?d00001 
diff --git a/xss-extension-string/.gradle/7.4/fileHashes/fileHashes.lock b/xss-extension-string/.gradle/7.4/fileHashes/fileHashes.lock new file mode 100644 index 0000000000000000000000000000000000000000..d1b7403bcff1286a2b1e661c275d2f514aa2aa8b GIT binary patch literal 17 TcmZR!H+)r9?6N_R0RkKWDK{N=Lra+<)if9PKz=8$`DWWvYIfE!65+X>bh=?G9a8QRL z8u~d!L*|gxAlMYO7#L_xfzeQQ<{cLIAH@5C=k9x-`#!_-S|1*V5N1P39-=yo)shMU z1Q0*~0R#|0009ILKmY**5I_I{1Q0*~0R;YwfLq##uCf`kRZ}kXK_Ob}q@s4|%w$N1 z8-G$EoIA?-L3S>9d26@WE6bb(C4ZTG7->G=4axbUlIyz@SFdARopL^|B+Yx3v2H_%hOcyZit t?C_NG>W;Kl487U9bdSTQu^R0`LfsL+3qMD`Qa)4EyLmlvSib6D`3CA&mK6X1 literal 0 HcmV?d00001 diff --git a/xss-extension-string/.gradle/7.4/gc.properties b/xss-extension-string/.gradle/7.4/gc.properties new file mode 100644 index 0000000..e69de29 diff --git a/xss-extension-string/.gradle/buildOutputCleanup/buildOutputCleanup.lock b/xss-extension-string/.gradle/buildOutputCleanup/buildOutputCleanup.lock new file mode 100644 index 0000000000000000000000000000000000000000..f2eb09acdbb185b44d1779b825f8d1f012cc756c GIT binary patch literal 17 UcmZS1+VJ?>j0+W23=m)k07GO2j{pDw literal 0 HcmV?d00001 diff --git a/xss-extension-string/.gradle/buildOutputCleanup/cache.properties b/xss-extension-string/.gradle/buildOutputCleanup/cache.properties new file mode 100644 index 0000000..b65c44a --- /dev/null +++ b/xss-extension-string/.gradle/buildOutputCleanup/cache.properties @@ -0,0 +1,2 @@ +#Tue Feb 28 14:45:48 KST 2023 +gradle.version=7.4 
diff --git a/xss-extension-string/.gradle/buildOutputCleanup/outputFiles.bin b/xss-extension-string/.gradle/buildOutputCleanup/outputFiles.bin new file mode 100644 index 0000000000000000000000000000000000000000..1ddd5e86dea2ca7e1a778947700ef5af3a52c0b2 GIT binary patch literal 19253 zcmeI&Z%7ky9LMo9#WfRa(oD0m64X+2p(DzP7=il}W{P5Fj#_1*B(>6d5T)rN{1=#0 z3{-^qCls^BpSSeZxf56Xihsw-A&M)uV(8HQLk)x z9+KpvGqNtGUM1^GC<(myiSjLVJUu~BTTTJZ!6~WX^4YOjy&>QwHMoD?@g?FRX z+)#XvpCkWD2S#dDZFj~+@qAa7Q@3pNd}3_$+Rv{0mioK*aYjqh_cTDVO`2q@h^@a#-91&%Z0fG?VC(&i*7p{nR(VV!kV_)B~QTY89_FTGn?`4{5)gqmGOiV{yS4s!BcI z<;SQew-;x|W%Qd_zf1k#7eRV$T3`+9*Ql$H$V#GPFE#O9nN9uZ+9_dhTvZU?6^E%G z56gBlt{bEtMg8>09#hv?4Re;8sOPr&hPjGGLu`(g`uVipaG^f3oL$#Ioqjpa#fd+L zZwNpD0uX=z1Rwwb2tWV=5P$##AOHafKmY;|fB*y_009U<00Izz00bZa0SG_<0uX=z z1Rwwb2teRp6bQH7w9xjM|6{Pz{Flcs#TNdm;@BP9pS6_Y*t6SDc5IIQS&mKqU1!

+ + + + + \ No newline at end of file diff --git a/xss-extension-string/.idea/gradle.xml b/xss-extension-string/.idea/gradle.xml new file mode 100644 index 0000000..ba1ec5c --- /dev/null +++ b/xss-extension-string/.idea/gradle.xml @@ -0,0 +1,16 @@ + + + + + + \ No newline at end of file diff --git a/xss-extension-string/.idea/jarRepositories.xml b/xss-extension-string/.idea/jarRepositories.xml new file mode 100644 index 0000000..f5a0c5d --- /dev/null +++ b/xss-extension-string/.idea/jarRepositories.xml @@ -0,0 +1,25 @@ + + + + + + + + + + + + + \ No newline at end of file diff --git a/xss-extension-string/.idea/jpa-buddy.xml b/xss-extension-string/.idea/jpa-buddy.xml new file mode 100644 index 0000000..966d5f5 --- /dev/null +++ b/xss-extension-string/.idea/jpa-buddy.xml @@ -0,0 +1,6 @@ + + + + + \ No newline at end of file diff --git a/xss-extension-string/.idea/misc.xml b/xss-extension-string/.idea/misc.xml new file mode 100644 index 0000000..fb0e218 --- /dev/null +++ b/xss-extension-string/.idea/misc.xml @@ -0,0 +1,10 @@ + + + + + + + + + \ No newline at end of file diff --git a/xss-extension-string/.idea/sonarlint/issuestore/index.pb b/xss-extension-string/.idea/sonarlint/issuestore/index.pb new file mode 100644 index 0000000..e69de29 diff --git a/xss-extension-string/.idea/uiDesigner.xml b/xss-extension-string/.idea/uiDesigner.xml new file mode 100644 index 0000000..2b63946 --- /dev/null +++ b/xss-extension-string/.idea/uiDesigner.xml @@ -0,0 +1,124 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/xss-extension-string/.idea/vcs.xml b/xss-extension-string/.idea/vcs.xml new file mode 100644 index 0000000..6c0b863 --- /dev/null +++ b/xss-extension-string/.idea/vcs.xml @@ -0,0 +1,6 @@ + + + + + + \ No newline at end of file 
diff --git a/xss-extension-string/build.gradle b/xss-extension-string/build.gradle
new file mode 100644
index 0000000..88f30c3
--- /dev/null
+++ b/xss-extension-string/build.gradle
@@ -0,0 +1,54 @@
+import org.springframework.boot.gradle.plugin.SpringBootPlugin
+
+plugins {
+ id 'org.springframework.boot' version '2.7.1' apply false
+ id 'io.spring.dependency-management' version '1.1.0'
+ id 'java'
+ id 'maven-publish'
+}
+
+group = 'com.github.xss-stage'
+version '1.1'
+
+sourceCompatibility = 1.8
+targetCompatibility = 1.8
+
+repositories {
+ mavenCentral()
+ maven {url 'https://jitpack.io'}
+}
+
+dependencyManagement {
+ imports {
+ mavenBom SpringBootPlugin.BOM_COORDINATES
+ }
+}
+
+dependencies {
+ implementation 'com.github.xss-stage:xss-core:1.1'
+
+ implementation 'com.navercorp.lucy:lucy-xss:1.6.3' // License Apache 2.0
+
+ implementation 'org.springframework.boot:spring-boot-starter'
+ testImplementation 'org.springframework.boot:spring-boot-starter-test'
+
+ testImplementation 'org.junit.jupiter:junit-jupiter-api:5.8.1'
+ testRuntimeOnly 'org.junit.jupiter:junit-jupiter-engine:5.8.1'
+}
+
+test {
+ useJUnitPlatform()
+}
+
+publishing {
+ publications {
+ maven(MavenPublication) {
+ from components.java
+ }
+ }
+}
+
+wrapper {
+ gradleVersion = "7.3.3"
+ distributionType = Wrapper.DistributionType.ALL
+}
\ No newline at end of file
diff --git a/xss-extension-string/gradle/wrapper/gradle-wrapper.properties b/xss-extension-string/gradle/wrapper/gradle-wrapper.properties
new file mode 100644
index 0000000..41dfb87
--- /dev/null
+++ b/xss-extension-string/gradle/wrapper/gradle-wrapper.properties
@@ -0,0 +1,5 @@
+distributionBase=GRADLE_USER_HOME
+distributionPath=wrapper/dists
+distributionUrl=https\://services.gradle.org/distributions/gradle-7.4-bin.zip
+zipStoreBase=GRADLE_USER_HOME
+zipStorePath=wrapper/dists
diff --git a/xss-extension-string/gradlew b/xss-extension-string/gradlew
new file mode 100755
index 0000000..1b6c787
--- /dev/null
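Review bot: `maven {url 'https://jitpack.io'}` in `repositories` makes `com.github.xss-stage:xss-core:1.1` resolve from an on-demand build service with no checksum or signature pinned anywhere in this build, so an upstream change to that artifact reaches this module unnoticed; generating `gradle/verification-metadata.xml` with `./gradlew --write-verification-metadata sha256` and keeping `mavenCentral()` listed first, as it already is, would bound that exposure. The `wrapper` block pins `gradleVersion = "7.3.3"` with `DistributionType.ALL`, while `gradle-wrapper.properties` in the same commit points at `gradle-7.4-bin.zip` and the checked-in `.gradle/7.4/` caches were produced by 7.4, so one of the two should be corrected or `./gradlew wrapper` will silently rewrite the properties to an older release. The diffstat lists no `gradle/wrapper/gradle-wrapper.jar`, which `gradlew` puts on its classpath, so the wrapper scripts as committed appear not to be runnable — worth confirming. The commit also checks in the `.gradle/` build cache and `.idea/` workspace files; a module-level `.gitignore` excluding both would keep machine-local state out of the published sources.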
+++ b/xss-extension-string/gradlew 
@@ -0,0 +1,234 @@ +#!/bin/sh + +# +# Copyright © 2015-2021 the original authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +############################################################################## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. 
+# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/master/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. +# +############################################################################## + +# Attempt to set APP_HOME + +# Resolve links: $0 may be a link +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac +done + +APP_HOME=$( cd "${APP_HOME:-./}" && pwd -P ) || exit + +APP_NAME="Gradle" +APP_BASE_NAME=${0##*/} + +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Use the maximum available, or set MAX_FD != -1 to use that value. +MAX_FD=maximum + +warn () { + echo "$*" +} >&2 + +die () { + echo + echo "$*" + echo + exit 1 +} >&2 + +# OS specific support (must be 'true' or 'false'). +cygwin=false +msys=false +darwin=false +nonstop=false +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; +esac + +CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar + + +# Determine the Java command to use to start the JVM. 
+if [ -n "$JAVA_HOME" ] ; then + if [ -x "$JAVA_HOME/jre/sh/java" ] ; then + # IBM's JDK on AIX uses strange locations for the executables + JAVACMD=$JAVA_HOME/jre/sh/java + else + JAVACMD=$JAVA_HOME/bin/java + fi + if [ ! -x "$JAVACMD" ] ; then + die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME + +Please set the JAVA_HOME variable in your environment to match the +location of your Java installation." + fi +else + JAVACMD=java + which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + +Please set the JAVA_HOME variable in your environment to match the +location of your Java installation." +fi + +# Increase the maximum file descriptors if we can. +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac +fi + +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. 
+ +# For Cygwin or MSYS, switch paths to Windows format before running java +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + + # Now convert the arguments - kludge to limit ourselves to /bin/sh + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) + fi + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg + done +fi + +# Collect all arguments for the java command; +# * $DEFAULT_JVM_OPTS, $JAVA_OPTS, and $GRADLE_OPTS can contain fragments of +# shell script including quotes and variable substitutions, so put them in +# double quotes to make sure that they get re-expanded; and +# * put everything else in single quotes, so that it's not re-expanded. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. 
+# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' + +exec "$JAVACMD" "$@" diff --git a/xss-extension-string/gradlew.bat b/xss-extension-string/gradlew.bat new file mode 100644 index 0000000..107acd3 --- /dev/null +++ b/xss-extension-string/gradlew.bat 
@@ -0,0 +1,89 @@ +@rem +@rem Copyright 2015 the original author or authors. +@rem +@rem Licensed under the Apache License, Version 2.0 (the "License"); +@rem you may not use this file except in compliance with the License. +@rem You may obtain a copy of the License at +@rem +@rem https://www.apache.org/licenses/LICENSE-2.0 +@rem +@rem Unless required by applicable law or agreed to in writing, software +@rem distributed under the License is distributed on an "AS IS" BASIS, +@rem WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +@rem See the License for the specific language governing permissions and +@rem limitations under the License. +@rem + +@if "%DEBUG%" == "" @echo off +@rem ########################################################################## +@rem +@rem Gradle startup script for Windows +@rem +@rem ########################################################################## + +@rem Set local scope for the variables with windows NT shell +if "%OS%"=="Windows_NT" setlocal + +set DIRNAME=%~dp0 +if "%DIRNAME%" == "" set DIRNAME=. +set APP_BASE_NAME=%~n0 +set APP_HOME=%DIRNAME% + +@rem Resolve any "." and ".." in APP_HOME to make it shorter. +for %%i in ("%APP_HOME%") do set APP_HOME=%%~fi + +@rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +set DEFAULT_JVM_OPTS="-Xmx64m" "-Xms64m" + +@rem Find java.exe +if defined JAVA_HOME goto findJavaFromJavaHome + +set JAVA_EXE=java.exe +%JAVA_EXE% -version >NUL 2>&1 +if "%ERRORLEVEL%" == "0" goto execute + +echo. +echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. +echo. +echo Please set the JAVA_HOME variable in your environment to match the +echo location of your Java installation. + +goto fail + +:findJavaFromJavaHome +set JAVA_HOME=%JAVA_HOME:"=% +set JAVA_EXE=%JAVA_HOME%/bin/java.exe + +if exist "%JAVA_EXE%" goto execute + +echo. 
+echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% +echo. +echo Please set the JAVA_HOME variable in your environment to match the +echo location of your Java installation. + +goto fail + +:execute +@rem Setup the command line + +set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar + + +@rem Execute Gradle +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* + +:end +@rem End local scope for the variables with windows NT shell +if "%ERRORLEVEL%"=="0" goto mainEnd + +:fail +rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of +rem the _cmd.exe /c_ return code! +if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 +exit /b 1 + +:mainEnd +if "%OS%"=="Windows_NT" endlocal + +:omega diff --git a/xss-extension-string/settings.gradle b/xss-extension-string/settings.gradle new file mode 100644 index 0000000..30dc208 --- /dev/null +++ b/xss-extension-string/settings.gradle @@ -0,0 +1,2 @@ +rootProject.name = 'xss-extension-string' + diff --git a/xss-extension-string/src/main/java/org/stage/xss/string/StringXssFilter.java b/xss-extension-string/src/main/java/org/stage/xss/string/StringXssFilter.java new file mode 100644 index 0000000..853cb16 --- /dev/null +++ b/xss-extension-string/src/main/java/org/stage/xss/string/StringXssFilter.java 
@@ -0,0 +1,32 @@
+package org.stage.xss.string;
+
+import com.nhncorp.lucy.security.xss.XssPreventer;
+import org.springframework.context.annotation.Scope;
+import org.springframework.context.annotation.ScopedProxyMode;
+import org.springframework.stereotype.Component;
+import org.stage.xss.core.spi.XssFilter;
+import org.stage.xss.string.exception.StringXssFilteringException;
+
+@Component
+@Scope(proxyMode = ScopedProxyMode.TARGET_CLASS)
+public class StringXssFilter implements XssFilter{
+
+ private static final String FILTER_NAME = "string";
+
+ StringXssFilter(){}
+
+ @Override
+ public String getFilterName(){
+ return FILTER_NAME;
+ }
+
+ @Override
+ public

P doFilter(Object dirty, Class

cast){
+ try{
+ return cast.cast(XssPreventer.escape(dirty.toString()));
+ } catch (Exception e){
+ throw new StringXssFilteringException(dirty.getClass().getSimpleName());
+ }
+ }
+
+}
diff --git a/xss-extension-string/src/main/java/org/stage/xss/string/exception/StringXssFilteringException.java b/xss-extension-string/src/main/java/org/stage/xss/string/exception/StringXssFilteringException.java
new file mode 100644
index 0000000..2c52a44
--- /dev/null
+++ b/xss-extension-string/src/main/java/org/stage/xss/string/exception/StringXssFilteringException.java
@@ -0,0 +1,9 @@
+package org.stage.xss.string.exception;
+
+public final class StringXssFilteringException extends RuntimeException{
+
+ public StringXssFilteringException(String target){
+ super("Cannot filtering \"" + target + "\"");
+ }
+
+}
diff --git a/xss-extension-string/src/test/java/org/stage/xss/string/StringXssFilterTest.java b/xss-extension-string/src/test/java/org/stage/xss/string/StringXssFilterTest.java
new file mode 100644
index 0000000..5e9eb21
--- /dev/null
+++ b/xss-extension-string/src/test/java/org/stage/xss/string/StringXssFilterTest.java
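Review bot: A null `dirty` leaves doFilter as a NullPointerException rather than the declared StringXssFilteringException, because `dirty.toString()` throws inside the try and the catch then dereferences `dirty.getClass()` again before it can build the wrapper. The catch also discards `e`, so a ClassCastException from `cast.cast(...)` (the realistic failure in that try) loses its stack trace, and the message names the runtime class of `dirty` although the type that failed is `cast`. I would reject null up front, narrow the catch and pass the cause through, which needs a `(String, Throwable)` constructor on StringXssFilteringException in the next hunk. A class Javadoc stating that the returned value is the escaped form of the whole input (what `XssPreventer.escape` appears to produce, given the INVALID_4 expectation in the test) would keep callers from treating the result as sanitised markup rather than encoded text.
```java
    // … unchanged: doFilter signature (generic parameter not recoverable from this rendering) …
        if (dirty == null) {
            throw new StringXssFilteringException("null");
        }
        try {
            return cast.cast(XssPreventer.escape(dirty.toString()));
        } catch (ClassCastException e) {
            // name the target type, which is what actually failed, and keep the cause
            throw new StringXssFilteringException(cast.getSimpleName(), e);
        }
```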
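Review bot: The message built in the constructor, `"Cannot filtering \"" + target + "\""`, is ungrammatical for text that will end up in logs; `"Cannot filter \"" + target + "\""` reads correctly. A one-line Javadoc on the constructor saying what `target` is meant to carry (its only visible caller passes a class simple name, not the offending input) would stop future callers from putting raw user input into the message.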
@@ -0,0 +1,83 @@
+package org.stage.xss.string;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertNotEquals;
+
+import java.io.IOException;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.Paths;
+import org.junit.jupiter.api.DisplayName;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.test.context.ContextConfiguration;
+import org.springframework.test.context.junit.jupiter.SpringExtension;
+
+@ExtendWith(SpringExtension.class)
+@ContextConfiguration(classes = {StringXssFilter.class})
+class StringXssFilterTest{
+
+ private static final String INVALID_1 = read("./src/test/resources/xss-invalid1.html");
+ private static final String INVALID_2 = read("./src/test/resources/xss-invalid2.html");
+ private static final String INVALID_3 = read("./src/test/resources/xss-invalid3.html");
+ private static final String INVALID_4 = read("./src/test/resources/xss-invalid4.html");
+
+ @Autowired
+ private StringXssFilter stringXssFilter;
+
+ private static String read(String filePath){
+ Path path = Paths.get(filePath);
+ StringBuilder sb = new StringBuilder();
+ try{
+ Files.readAllLines(path).forEach(sb::append);
+ } catch (IOException ioe){
+ throw new IllegalStateException("Cannot read file from path \"" + filePath + "\"");
+ }
+ return sb.toString();
+ }
+
+ @Test
+ @DisplayName("String Xss 필터링 성공 테스트 - INVALID_1")
+ void FILTERING_XSS_STRING_SUCCESS_TEST_INVALID_1(){
+ // when
+ String result = stringXssFilter.doFilter(INVALID_1, String.class);
+
+ // then
+ assertNotEquals(INVALID_1, result);
+ }
+
+ @Test
+ @DisplayName("String Xss 필터링 성공 테스트 - INVALID_2")
+ void FILTERING_XSS_STRING_SUCCESS_TEST_INVALID_2(){
+ // when
+ String result = stringXssFilter.doFilter(INVALID_2, String.class);
+
+ // then
+ assertNotEquals(INVALID_2, result);
+ }
+
+ @Test
+ @DisplayName("String Xss 필터링 성공 테스트 - INVALID_3")
+ void FILTERING_XSS_STRING_SUCCESS_TEST_INVALID_3(){
+ // when
+ String result = stringXssFilter.doFilter(INVALID_3, String.class);
+
+ // then
+ assertNotEquals(INVALID_3, result);
+ }
+
+ @Test
+ @DisplayName("String Xss 필터링 성공 테스트 - INVALID_4")
+ void FILTERING_XSS_STRING_SUCCESS_TEST_INVALID_4(){
+ // given
+ String expected = "<SCRIPT>alert("테스트!!!");</SCRIPT>";
+
+ // when
+ String result = stringXssFilter.doFilter(INVALID_4, String.class);
+
+ // then
+ assertEquals(expected, result);
+ }
+
+}
diff --git a/xss-extension-string/src/test/resources/xss-invalid1.html b/xss-extension-string/src/test/resources/xss-invalid1.html
new file mode 100644
index 0000000..c60295b
--- /dev/null
+++ b/xss-extension-string/src/test/resources/xss-invalid1.html
@@ -0,0 +1,13 @@
+#
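Review bot: The INVALID_1 to INVALID_3 tests assert only `assertNotEquals(INVALID_n, result)`, which any change to the input satisfies, so a filter that truncated or corrupted the payload would pass and nothing checks that the markup was actually neutralised. If `XssPreventer.escape` entity-encodes angle brackets, as the INVALID_4 expectation suggests (its entities look decoded in this rendering), an assertion such as `assertFalse(result.contains("<"))` on each result would pin the property the filter exists for. In `read`, `Files.readAllLines(path).forEach(sb::append)` joins lines with no separator, so every fixture reaches the filter with its line breaks removed, which may not be what the .html files intend; `String.join("\n", Files.readAllLines(path))` keeps them. The catch there also discards `ioe`; `throw new IllegalStateException("Cannot read file from path \"" + filePath + "\"", ioe);` preserves the cause. The `./src/test/resources` paths depend on the runner's working directory, and loading the fixtures through `getClass().getResource` would remove that dependency.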

태그 사용 + + + 제품 정보 + + + +

제품 정보

+   +

+ + \ No newline at end of file diff --git a/xss-extension-string/src/test/resources/xss-invalid2.html b/xss-extension-string/src/test/resources/xss-invalid2.html new file mode 100644 index 0000000..cbbd425 --- /dev/null +++ b/xss-extension-string/src/test/resources/xss-invalid2.html @@ -0,0 +1,3 @@ +# 무의미한 attribute를 계속 반복하는 경우. 부자가 되고 싶다면 반드시 이 곳을 +참고 +하세요. \ No newline at end of file diff --git a/xss-extension-string/src/test/resources/xss-invalid3.html b/xss-extension-string/src/test/resources/xss-invalid3.html new file mode 100644 index 0000000..f72d18f --- /dev/null +++ b/xss-extension-string/src/test/resources/xss-invalid3.html @@ -0,0 +1,71 @@ +# HTML element 중첩 시키고 그 안에 태그를 하나 닫아 주지 않는 경우. + + + + +
+ + + + +
+ + + + +
+ + + + +
+ + + + +
+ + + + +
+ + + + +
+ + + + +
+ + + + +
+ + + + +
+ + + + +
+ + + +
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file diff --git a/xss-extension-string/src/test/resources/xss-invalid4.html b/xss-extension-string/src/test/resources/xss-invalid4.html new file mode 100644 index 0000000..984b778 --- /dev/null +++ b/xss-extension-string/src/test/resources/xss-invalid4.html @@ -0,0 +1 @@ + \ No newline at end of file