// Copyright (C) 2014 Tom <tw201207@gmail.com> // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. package com.googlesource.gerrit.plugins.gitblit.app; import com.gitblit.utils.XssFilter; /** * This no-op XssFilter is called from GitblitParamUrlCodingStrategy to sanitize URL parameters by removing HTML entities. However, this is the wrong place to * attempt XSS prevention. XSS prevention must be done when returning input data to the client, not here. If we do it here, we end up mangling the parameters * and then passing them to JGit, which will fail. See https://code.google.com/p/gitblit/issues/detail?id=526 . The correct way to harden GitBlit against XSS * attempts would be to use JSoup to generate HTML. (Build the DOM, then serialize it to a string via {@link org.jsoup.nodes.Element#toString() * Element.toString()}.) * * @author Tom <tw201207@gmail.com> */ public class NullXssFilter implements XssFilter { @Override public String none(String input) { return input; } @Override public String relaxed(String input) { return input; } }