From dfaf1fc1f6d8214bcabb9a613d53d0f0dc45352c Mon Sep 17 00:00:00 2001
From: James Moger <james.moger@gitblit.com>
Date: Sun, 07 Sep 2014 11:43:33 -0400
Subject: [PATCH] XSS sanitize standard page url parameters

---
 src/main/java/com/gitblit/wicket/GitBlitWebApp.java |   24 +++++++++++++++++++++++-
 1 files changed, 23 insertions(+), 1 deletions(-)

diff --git a/src/main/java/com/gitblit/wicket/GitBlitWebApp.java b/src/main/java/com/gitblit/wicket/GitBlitWebApp.java
index 7291d03..38dbf57 100644
--- a/src/main/java/com/gitblit/wicket/GitBlitWebApp.java
+++ b/src/main/java/com/gitblit/wicket/GitBlitWebApp.java
@@ -46,6 +46,7 @@
 import com.gitblit.manager.IUserManager;
 import com.gitblit.tickets.ITicketService;
 import com.gitblit.transport.ssh.IPublicKeyManager;
+import com.gitblit.utils.XssFilter;
 import com.gitblit.wicket.pages.ActivityPage;
 import com.gitblit.wicket.pages.BlamePage;
 import com.gitblit.wicket.pages.BlobDiffPage;
@@ -57,6 +58,7 @@
 import com.gitblit.wicket.pages.DocPage;
 import com.gitblit.wicket.pages.DocsPage;
 import com.gitblit.wicket.pages.EditMilestonePage;
+import com.gitblit.wicket.pages.EditRepositoryPage;
 import com.gitblit.wicket.pages.EditTicketPage;
 import com.gitblit.wicket.pages.ExportTicketPage;
 import com.gitblit.wicket.pages.FederationRegistrationPage;
@@ -71,6 +73,7 @@
 import com.gitblit.wicket.pages.MyDashboardPage;
 import com.gitblit.wicket.pages.MyTicketsPage;
 import com.gitblit.wicket.pages.NewMilestonePage;
+import com.gitblit.wicket.pages.NewRepositoryPage;
 import com.gitblit.wicket.pages.NewTicketPage;
 import com.gitblit.wicket.pages.OverviewPage;
 import com.gitblit.wicket.pages.PatchPage;
@@ -92,9 +95,13 @@
 
 	private final Class<? extends WebPage> homePageClass = MyDashboardPage.class;
 
+	private final Class<? extends WebPage> newRepositoryPageClass = NewRepositoryPage.class;
+
 	private final Map<String, CacheControl> cacheablePages = new HashMap<String, CacheControl>();
 
 	private final IStoredSettings settings;
+
+	private final XssFilter xssFilter;
 
 	private final IRuntimeManager runtimeManager;
 
@@ -130,6 +137,7 @@
 
 		super();
 		this.settings = runtimeManager.getSettings();
+		this.xssFilter = runtimeManager.getXssFilter();
 		this.runtimeManager = runtimeManager;
 		this.pluginManager = pluginManager;
 		this.notificationManager = notificationManager;
@@ -207,6 +215,8 @@
 		mount("/proposal", ReviewProposalPage.class, "t");
 		mount("/registration", FederationRegistrationPage.class, "u", "n");
 
+		mount("/new", NewRepositoryPage.class);
+		mount("/edit", EditRepositoryPage.class, "r");
 		mount("/activity", ActivityPage.class, "r", "h");
 		mount("/lucene", LuceneSearchPage.class);
 		mount("/project", ProjectPage.class, "p");
@@ -245,7 +255,7 @@
 		if (!settings.getBoolean(Keys.web.mountParameters, true)) {
 			parameters = new String[] {};
 		}
-		mount(new GitblitParamUrlCodingStrategy(settings, location, clazz, parameters));
+		mount(new GitblitParamUrlCodingStrategy(settings, xssFilter, location, clazz, parameters));
 
 		// map the mount point to the cache control definition
 		if (clazz.isAnnotationPresent(CacheControl.class)) {
@@ -260,6 +270,10 @@
 	@Override
 	public Class<? extends WebPage> getHomePage() {
 		return homePageClass;
+	}
+
+	public Class<? extends WebPage> getNewRepositoryPage() {
+		return newRepositoryPageClass;
 	}
 
 	/* (non-Javadoc)
@@ -298,6 +312,14 @@
 	}
 
 	/* (non-Javadoc)
+	 * @see com.gitblit.wicket.Webapp#xssFilter()
+	 */
+	@Override
+	public XssFilter xssFilter() {
+		return xssFilter;
+	}
+
+	/* (non-Javadoc)
 	 * @see com.gitblit.wicket.Webapp#isDebugMode()
 	 */
 	@Override

--
Gitblit v1.9.1