Avoid XSS vulnerability by being stricter about how the script element
is created.
Change-Id: I186915ac978fe02fd0bbb93ae8c9a9dd6d8e9d5b
Review-Link: https://gwt-review.googlesource.com/#/c/1250/
git-svn-id: https://google-web-toolkit.googlecode.com/svn/trunk@11385 8db76d5a-ed1c-0410-87a9-c151d255dfc7
diff --git a/user/src/com/google/gwt/junit/public/junit-standards.html b/user/src/com/google/gwt/junit/public/junit-standards.html
index 490ee0c..0d6fe07 100644
--- a/user/src/com/google/gwt/junit/public/junit-standards.html
+++ b/user/src/com/google/gwt/junit/public/junit-standards.html
@@ -47,12 +47,12 @@
}
function loadSelectionScript() {
- var moduleName = document.location.href;
+ var moduleName = location.pathname;
var pos = moduleName.lastIndexOf('/');
moduleName = moduleName.substr(0, pos);
pos = moduleName.lastIndexOf('/');
moduleName = moduleName.substr(pos + 1);
- document.write("<script language='javascript' src='" + moduleName + ".nocache.js'><\/script>");
+ document.write('<script language="javascript" src="' + encodeURIComponent(moduleName) + '.nocache.js"><\/script>');
}
loadSelectionScript();
-->
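Review bot: The new `document.write` line applies `encodeURIComponent` to a segment of `location.pathname`, which the browser already exposes percent-encoded, so a module directory containing any escaped character (for example `%20`) is double-encoded to `%2520` and the `.nocache.js` request resolves to the wrong file; the old `href`-based line did not have that problem. GWT module names are dotted identifiers, so this is probably unreachable in practice, but the encoding choice should be recorded in the function, e.g. `// pathname (not href) keeps query/fragment text out of document.write; encodeURIComponent keeps the module name from breaking out of the src attribute`. If load ordering allows, creating the element with `document.createElement('script')` and assigning `.src` would avoid the HTML-string context altogether, although that gives up document.write's synchronous insertion, which the test harness may rely on. The identical change is repeated in junit.html and in the four i18n copies under public_es_AR and public_es_MX; a single shared loader snippet would keep those six copies from drifting apart again.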
diff --git a/user/src/com/google/gwt/junit/public/junit.html b/user/src/com/google/gwt/junit/public/junit.html
index efb2d26..e58ebce 100644
--- a/user/src/com/google/gwt/junit/public/junit.html
+++ b/user/src/com/google/gwt/junit/public/junit.html
@@ -45,12 +45,12 @@
}
function loadSelectionScript() {
- var moduleName = document.location.href;
+ var moduleName = location.pathname;
var pos = moduleName.lastIndexOf('/');
moduleName = moduleName.substr(0, pos);
pos = moduleName.lastIndexOf('/');
moduleName = moduleName.substr(pos + 1);
- document.write("<script language='javascript' src='" + moduleName + ".nocache.js'></script>");
+ document.write('<script language="javascript" src="' + encodeURIComponent(moduleName) + '.nocache.js"><\/script>');
}
loadSelectionScript();
-->
diff --git a/user/test/com/google/gwt/i18n/public_es_AR/junit-standards.html b/user/test/com/google/gwt/i18n/public_es_AR/junit-standards.html
index 1ae3c80..a998bc9 100644
--- a/user/test/com/google/gwt/i18n/public_es_AR/junit-standards.html
+++ b/user/test/com/google/gwt/i18n/public_es_AR/junit-standards.html
@@ -53,12 +53,12 @@
}
function loadSelectionScript() {
- var moduleName = document.location.href;
+ var moduleName = location.pathname;
var pos = moduleName.lastIndexOf('/');
moduleName = moduleName.substr(0, pos);
pos = moduleName.lastIndexOf('/');
moduleName = moduleName.substr(pos + 1);
- document.write("<script language='javascript' src='" + moduleName + ".nocache.js'><\/script>");
+ document.write('<script language="javascript" src="' + encodeURIComponent(moduleName) + '.nocache.js"><\/script>');
}
loadSelectionScript();
-->
diff --git a/user/test/com/google/gwt/i18n/public_es_AR/junit.html b/user/test/com/google/gwt/i18n/public_es_AR/junit.html
index e30fb7b..31c0114 100644
--- a/user/test/com/google/gwt/i18n/public_es_AR/junit.html
+++ b/user/test/com/google/gwt/i18n/public_es_AR/junit.html
@@ -52,12 +52,12 @@
}
function loadSelectionScript() {
- var moduleName = document.location.href;
+ var moduleName = location.pathname;
var pos = moduleName.lastIndexOf('/');
moduleName = moduleName.substr(0, pos);
pos = moduleName.lastIndexOf('/');
moduleName = moduleName.substr(pos + 1);
- document.write("<script language='javascript' src='" + moduleName + ".nocache.js'></script>");
+ document.write('<script language="javascript" src="' + encodeURIComponent(moduleName) + '.nocache.js"><\/script>');
}
loadSelectionScript();
-->
diff --git a/user/test/com/google/gwt/i18n/public_es_MX/junit-standards.html b/user/test/com/google/gwt/i18n/public_es_MX/junit-standards.html
index da44249..db0b393 100644
--- a/user/test/com/google/gwt/i18n/public_es_MX/junit-standards.html
+++ b/user/test/com/google/gwt/i18n/public_es_MX/junit-standards.html
@@ -53,12 +53,12 @@
}
function loadSelectionScript() {
- var moduleName = document.location.href;
+ var moduleName = location.pathname;
var pos = moduleName.lastIndexOf('/');
moduleName = moduleName.substr(0, pos);
pos = moduleName.lastIndexOf('/');
moduleName = moduleName.substr(pos + 1);
- document.write("<script language='javascript' src='" + moduleName + ".nocache.js'><\/script>");
+ document.write('<script language="javascript" src="' + encodeURIComponent(moduleName) + '.nocache.js"><\/script>');
}
loadSelectionScript();
-->
diff --git a/user/test/com/google/gwt/i18n/public_es_MX/junit.html b/user/test/com/google/gwt/i18n/public_es_MX/junit.html
index 0de069d..924012c 100644
--- a/user/test/com/google/gwt/i18n/public_es_MX/junit.html
+++ b/user/test/com/google/gwt/i18n/public_es_MX/junit.html
@@ -52,12 +52,12 @@
}
function loadSelectionScript() {
- var moduleName = document.location.href;
+ var moduleName = location.pathname;
var pos = moduleName.lastIndexOf('/');
moduleName = moduleName.substr(0, pos);
pos = moduleName.lastIndexOf('/');
moduleName = moduleName.substr(pos + 1);
- document.write("<script language='javascript' src='" + moduleName + ".nocache.js'></script>");
+ document.write('<script language="javascript" src="' + encodeURIComponent(moduleName) + '.nocache.js"><\/script>');
}
loadSelectionScript();
-->