[#1937] fix(router): make some improvement in router

framework/src/play/mvc/Router.java

@@ -509,11 +509,13 @@ public static ActionDefinition reverse(String action, Map<String, Object> args)
                                         try {
                                             queryString.append(URLEncoder.encode(key, encoding));
                                             queryString.append("=");
-                                            if (object.toString().startsWith(":")) {
-                                                queryString.append(object.toString());
-                                            } else {
-                                                queryString.append(URLEncoder.encode(object.toString() + "", encoding));
-                                            }
+                                            String objStr = object.toString();
+                                            // Special case to handle jsAction tag
+                                            if (objStr.startsWith(":")  && objStr.length() > 1) {
+                                              queryString.append(':');
+                                              objStr = objStr.substring(1);
+                                            } 
+                                            queryString.append(URLEncoder.encode(objStr + "", encoding));
                                             queryString.append("&");
                                         } catch (UnsupportedEncodingException ex) {
                                         }
@@ -524,11 +526,13 @@ public static ActionDefinition reverse(String action, Map<String, Object> args)
                                     try {
                                         queryString.append(URLEncoder.encode(key, encoding));
                                         queryString.append("=");
-                                        if (value.toString().startsWith(":")) {
-                                            queryString.append(value.toString());
-                                        } else {
-                                            queryString.append(URLEncoder.encode(value.toString() + "", encoding));
-                                        }
+                                        String objStr = value.toString();
+                                        // Special case to handle jsAction tag
+                                        if (objStr.startsWith(":") && objStr.length() > 1) {
+                                          queryString.append(':');
+                                          objStr = objStr.substring(1);
+                                        } 
+                                        queryString.append(URLEncoder.encode(objStr + "", encoding));
                                         queryString.append("&");
                                     } catch (UnsupportedEncodingException ex) {
                                     }

framework/src/play/templates/FastTags.java

@@ -76,7 +76,7 @@ public static void _jsAction(Map<?, ?> args, Closure body, PrintWriter out, Exec
         if(args.containsKey("customScript")){
             html += "val = " + args.get("customScript") + minimize;
         }
-        html += "pattern = pattern.replace(':'+key, val || '');"+ minimize;
+        html += "pattern = pattern.replace(':' + encodeURIComponent(key), val || '');"+ minimize;
         html += "}" + minimize;;
         html += "return pattern;" + minimize;;
         html += "}" + minimize;

samples-and-tests/just-test-cases/app/controllers/security/XssAttempts.java

@@ -0,0 +1,16 @@
+package controllers.security;
+
+import play.mvc.Controller;
+
+
+
+/**
+ * Test controller to check response to Xss attempt.
+ */
+public class XssAttempts extends Controller {
+
+  public static void testUrlParam(String url){  
+    render(url);
+  }
+
+}

samples-and-tests/just-test-cases/app/views/Users/showAll.html

@@ -3,11 +3,11 @@
 
 <script type="text/javascript" charset="${_response_encoding}" >
     var showUserAction = #{jsAction @Users.showId(':id')/}
-    var showUserNameAction = #{jsAction @Users.showName(':name'), encodeURI:false, minimize:true /}
+    // check accents in keys
+    var showUserNameAction = #{jsAction @Users.showName(':nâmë'), encodeURI:false, minimize:true /}
     var showUserNameActionEncodeURI = #{jsAction @Users.showName(':name'), encodeURI:true, minimize:false /}
     var showUserNameActionCustomScript= #{jsAction @Users.showName(':name'), customScript:"encodeURIComponent(val.replace('&amp;', '&'))", minimize:false /}
 
-
     $(document).ready(function() {
     	var html = ""
     	var id = 1;
@@ -23,7 +23,7 @@
           $('#content tbody').append(html);
 
           $('#' + ${user_index} + ' td').eq(1).load( showUserAction({id: "${user?.id}"}) );
-          $('#' + ${user_index} + ' td').eq(2).load( showUserNameAction({name: "${user?.name?.urlEncode()}"}) );
+          $('#' + ${user_index} + ' td').eq(2).load( showUserNameAction({nâmë: "${user?.name?.urlEncode()}"}) );
           $('#' + ${user_index} + ' td').eq(3).load( showUserNameActionEncodeURI({name:  "${user?.name}" }) ); 
           $('#' + ${user_index} + ' td').eq(4).load( showUserNameActionCustomScript({name:  "${user?.name}" }) ); 
           id = "${user?.id}";
@@ -39,7 +39,7 @@
        html += "</tr>";
        $('#content tbody').append(html);
        $('#' + 'javascript_add' + ' td').eq(1).load( showUserAction({id: id}) );
-       $('#' + 'javascript_add' + ' td').eq(2).load( showUserNameAction({name: encodeURIComponent("name with special characters [c c ; %20 , / ? : @ & = + $ #]") }) );
+       $('#' + 'javascript_add' + ' td').eq(2).load( showUserNameAction({nâmë: encodeURIComponent("name with special characters [c c ; %20 , / ? : @ & = + $ #]") }) );
        $('#' + 'javascript_add' + ' td').eq(3).load( showUserNameActionEncodeURI({name:  "name with special characters [c c ; %20 , / ? : @ & = + $ #]" }) );  
        $('#' + 'javascript_add' + ' td').eq(4).load( showUserNameActionCustomScript({name:  "name with special characters [c c ; %20 , / ? : @ & = + $ #]" }) );
     });

samples-and-tests/just-test-cases/app/views/security/XssAttempts/testUrlParam.html

@@ -0,0 +1,8 @@
+#{extends 'main.html' /}
+#{set title:'Home' /}
+
+URL param value : ${url} <br/>
+
+XSS test on &lt;a&gt;
+<a href="@{security.XssAttempts.testUrlParam(url)}">actionxsstest</a>
+

samples-and-tests/just-test-cases/conf/routes

@@ -59,6 +59,7 @@ GET         static2.foo.com/x                staticDir:public2/assets2
 #bug in router.reverse
 GET         /notmatch/{name}/{action}        Application.{action}
 GET         /index2                          Application.index2
+GET         /xsstest                         security.XssAttempts.testUrlParam
 
 # Catch all
 *           /async/{controller}/{action}    async.{controller}.{action}

samples-and-tests/just-test-cases/test/security/XssAttempts/xssAttempts.test.html

@@ -0,0 +1,14 @@
+#{selenium 'Test xss attack'}
+   %{ def customCode = "\"><script>alert(\"toto\");</script>" ; }%
+
+   open('@{security.XssAttempts.testUrlParam(customCode )}')    
+   assertHtmlSource('*href="/xsstest?url=${customCode.urlEncode()}*')
+
+   open('@{security.XssAttempts.testUrlParam(":" + customCode )}')    
+   assertHtmlSource('*href="/xsstest?url=:${customCode.urlEncode()}*')
+#{/selenium}
+#{selenium 'Test xss attack'}
+  open('@{security.XssAttempts.testUrlParam(':"><script>alert("oh")</script>')}')
+  // assert that script tags are properly escaped
+  assertAttribute('xpath=//a[1]@href','/xsstest?url=:%22%3E%3Cscript%3Ealert%28%22oh%22%29%3C%2Fscript%3E')
+#{/selenium}

samples-and-tests/just-test-cases/test/xssurltest.test.html

@@ -0,0 +1,7 @@
+#{selenium 'Test xss attack'}
+
+  open('@{security.XssAttempts.testUrlParam(':"><script>alert("oh")</script>')}')
+  // assert that script tags are properly escaped
+  assertAttribute('xpath=//a[1]@href','/xsstest?url=:%22%3E%3Cscript%3Ealert%28%22oh%22%29%3C%2Fscript%3E')
+
+#{/selenium}