[cvs] expresso commit by lhamel: allow parens () in URL

JCorporate Ltd jcorp at jcorporate.com
Sat Jul 29 21:58:08 UTC 2006


Log Message:
-----------
allow parens () in URL

Modified Files:
--------------
    expresso/expresso-web/WEB-INF/src/com/jcorporate/expresso/core/security/filters:
        HtmlPlusURLFilter.java

Revision Data
-------------
Index: HtmlPlusURLFilter.java
===================================================================
RCS file: /home/javacorp/.cvs/expresso/expresso/expresso-web/WEB-INF/src/com/jcorporate/expresso/core/security/filters/HtmlPlusURLFilter.java,v
retrieving revision 1.9
retrieving revision 1.10
diff -Lexpresso-web/WEB-INF/src/com/jcorporate/expresso/core/security/filters/HtmlPlusURLFilter.java -Lexpresso-web/WEB-INF/src/com/jcorporate/expresso/core/security/filters/HtmlPlusURLFilter.java -u -r1.9 -r1.10
--- expresso-web/WEB-INF/src/com/jcorporate/expresso/core/security/filters/HtmlPlusURLFilter.java
+++ expresso-web/WEB-INF/src/com/jcorporate/expresso/core/security/filters/HtmlPlusURLFilter.java
@@ -157,7 +157,7 @@
      * Return true if the url has a valid prefix, like http://
      *
      * @param url
-     * @return
+     * @return true if prefix is in list of approved prefixes
      */
     public static boolean hasValidUrlPrefix(String url) {
         boolean valid = false;
@@ -249,7 +249,6 @@
                     break;
                 }
             }
-
         }
 
         if (hIndex >= 0) {
@@ -306,12 +305,10 @@
                 linksAfter = insertHrefTags(s.substring(endIndex));
             }
 
-
-            return linksBefore + link.toString() + linksAfter;
-
-        } else {
-            return result;
+            result = linksBefore + link.toString() + linksAfter;
         }
+
+        return result;
     }
 
     /**
@@ -391,7 +388,6 @@
      * 80-FF hex (non-ascii, by definition not legal)
      * <p/>
      * For extra safety, let's not allow the following (add later if needed)
-     * quote (%27), left paren (%28), right paren (%29)
      * left bracket (7B), right bracket (7D)
      * <p/>
      * Okay to allow as encoded (might be misunderstood within URLS):s
@@ -409,7 +405,8 @@
      */
     private static boolean isSafeURLEncoding(char c1, char c2) {
         String[] allowedEncodings = {"20", "21", "22", "23", "24", "25",
-                                     "26", "2A", "2B", "2C", "2D", "2E", "2F",
+                                     "26", "27", "28", "29",
+                                     "2A", "2B", "2C", "2D", "2E", "2F",
                                      "3A", "3B", "3D", "3F", "40", "7C",
                                      "5C", "7E"};
 
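Review bot: The `allowedEncodings` array now also admits `"27"` (the apostrophe), although the log message mentions only parentheses and the Javadoc line removed in the previous hunk had listed the quote as excluded "for extra safety". If the anchor built by insertHrefTags delimits the href with single quotes, or the value is percent-decoded before it is written out, an encoded apostrophe could end the attribute early; neither is visible in this diff, so it is worth confirming against the rest of the file. I would either leave `"27"` out until a URL actually needs it, or record the decision in the Javadoc list of allowed encodings, e.g. `* apostrophe (%27), left paren (%28), right paren (%29): allowed in encoded form only; href output must stay double-quoted`. The body of isSafeURLEncoding continues past the end of the hunk.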

