Fix bobbylight#205: Follow OWASP recommendations for HTML encoding

Author: bobbylight

src/main/java/org/fife/ui/rsyntaxtextarea/RSyntaxUtilities.java

@@ -206,6 +206,18 @@ public static String escapeForHtml(String s,
 					sb.append(">");
 					lastWasSpace = false;
 					break;
+				case '\'':
+					sb.append("'");
+					lastWasSpace = false;
+					break;
+				case '"':
+					sb.append(""");
+					lastWasSpace = false;
+					break;
+				case '/': // OWASP-recommended even though unnecessary
+					sb.append("/");
+					lastWasSpace = false;
+					break;
 				default:
 					sb.append(ch);
 					lastWasSpace = false;

src/main/java/org/fife/ui/rsyntaxtextarea/TokenImpl.java

@@ -233,6 +233,12 @@ private StringBuilder appendHtmlLexeme(RSyntaxTextArea textArea,
 					sb.append(tabsToSpaces ? tabStr : "	");
 					lastWasSpace = false;
 					break;
+				case '&':
+					sb.append(text, lastI, i-lastI);
+					lastI = i+1;
+					sb.append("&");
+					lastWasSpace = false;
+					break;
 				case '<':
 					sb.append(text, lastI, i-lastI);
 					lastI = i+1;
@@ -245,6 +251,24 @@ private StringBuilder appendHtmlLexeme(RSyntaxTextArea textArea,
 					sb.append("&gt;");
 					lastWasSpace = false;
 					break;
+				case '\'':
+					sb.append(text, lastI, i-lastI);
+					lastI = i+1;
+					sb.append("&#39;");
+					lastWasSpace = false;
+					break;
+				case '"':
+					sb.append(text, lastI, i-lastI);
+					lastI = i+1;
+					sb.append("&#34;");
+					lastWasSpace = false;
+					break;
+				case '/': // OWASP-recommended to escape even though unnecessary
+					sb.append(text, lastI, i-lastI);
+					lastI = i+1;
+					sb.append("&#47;");
+					lastWasSpace = false;
+					break;
 				default:
 					lastWasSpace = false;
 					break;

src/test/java/org/fife/ui/rsyntaxtextarea/RSyntaxUtilitiesTest.java

@@ -0,0 +1,62 @@
+/*
+ * 12/10/2016
+ *
+ * This library is distributed under a modified BSD license.  See the included
+ * RSyntaxTextArea.License.txt file for details.
+ */
+package org.fife.ui.rsyntaxtextarea;
+
+import org.junit.Assert;
+import org.junit.Test;
+
+
+/**
+ * Unit tests for the {@link RSyntaxUtilities} class.
+ *
+ * @author Robert Futrell
+ * @version 1.0
+ */
+public class RSyntaxUtilitiesTest {
+
+
+	@Test
+	public void testEscapeForHtml_nullInput() {
+		Assert.assertNull(RSyntaxUtilities.escapeForHtml(null, "<br>", true));
+	}
+
+
+	@Test
+	public void testEscapeForHtml_nullNewlineReplacement() {
+		Assert.assertEquals("", RSyntaxUtilities.escapeForHtml("\n", null, true));
+	}
+
+
+	@Test
+	public void testEscapeForHtml_happyPath() {
+		Assert.assertEquals("hello", RSyntaxUtilities.escapeForHtml("hello", "<br>", true));
+		Assert.assertEquals("2 &lt; 4", RSyntaxUtilities.escapeForHtml("2 < 4", "<br>", true));
+	}
+
+
+	@Test
+	public void testEscapeForHtml_problemChars() {
+		Assert.assertEquals(" <br>&amp;   &lt;&gt;&#39;&#34;&#47;",
+				RSyntaxUtilities.escapeForHtml(" \n&\t<>'\"/", "<br>", true));
+	}
+
+
+	@Test
+	public void testEscapeForHtml_multipleSpaces_inPreBlock() {
+		Assert.assertEquals("   ",
+				RSyntaxUtilities.escapeForHtml("   ", "<br>", true));
+	}
+
+
+	@Test
+	public void testEscapeForHtml_multipleSpaces_notInPreBlock() {
+		Assert.assertEquals(" &nbsp;&nbsp;",
+				RSyntaxUtilities.escapeForHtml("   ", "<br>", false));
+	}
+
+
+}

src/test/java/org/fife/ui/rsyntaxtextarea/TokenImplTest.java

@@ -0,0 +1,55 @@
+/*
+ * 12/10/2016
+ *
+ * This library is distributed under a modified BSD license.  See the included
+ * RSyntaxTextArea.License.txt file for details.
+ */
+package org.fife.ui.rsyntaxtextarea;
+
+import org.junit.Assert;
+import org.junit.Test;
+
+
+/**
+ * Unit tests for the {@link TokenImpl} class.
+ *
+ * @author Robert Futrell
+ * @version 1.0
+ */
+public class TokenImplTest {
+
+
+	@Test
+	public void testGetHTMLRepresentation_happyPath() {
+
+		RSyntaxTextArea textArea = new RSyntaxTextArea();
+
+		char[] ch = "for".toCharArray();
+		TokenImpl token = new TokenImpl(ch, 0, 2, 0, TokenTypes.IDENTIFIER, 0);
+
+		// Don't bother checking font and other styles since it may be host-specific
+		String actual = token.getHTMLRepresentation(textArea);
+		Assert.assertTrue(actual.startsWith("<font"));
+		Assert.assertTrue(actual.endsWith(">for</font>"));
+
+	}
+
+
+	@Test
+	public void testGetHTMLRepresentation_problemChars() {
+
+		RSyntaxTextArea textArea = new RSyntaxTextArea();
+
+		char[] ch = " &\t<>'\"/".toCharArray();
+		TokenImpl token = new TokenImpl(ch, 0, ch.length - 1, 0, TokenTypes.IDENTIFIER, 0);
+
+		// Don't bother checking font and other styles since it may be host-specific
+		String actual = token.getHTMLRepresentation(textArea);
+		System.out.println(actual);
+		Assert.assertTrue(actual.startsWith("<font"));
+		Assert.assertTrue(actual.endsWith("> &amp;&#09;&lt;&gt;&#39;&#34;&#47;</font>"));
+
+	}
+
+
+}