post-process generated javadocs as workaround for CVE-2013-1571 - based on Maven patch by Uwe Schindler - PR 55132

git-svn-id: https://svn.apache.org/repos/asf/ant/core/trunk@1496083 13f79535-47bb-0310-9956-ffa450edef68

1 files changed, 37 insertions, 0 deletions

diff --git a/src/resources/org/apache/tools/ant/taskdefs/javadoc-frame-injections-fix.txt b/src/resources/org/apache/tools/ant/taskdefs/javadoc-frame-injections-fix.txt
new file mode 100644
index 000000000..1f8c97a60
--- /dev/null
+++ b/src/resources/org/apache/tools/ant/taskdefs/javadoc-frame-injections-fix.txt
@@ -0,0 +1,37 @@
+    if (targetPage != "" && !validURL(targetPage))
+        targetPage = "undefined";
+    function validURL(url) {
+        var pos = url.indexOf(".html");
+        if (pos == -1 || pos != url.length - 5)
+            return false;
+        var allowNumber = false;
+        var allowSep = false;
+        var seenDot = false;
+        for (var i = 0; i < url.length - 5; i++) {
+            var ch = url.charAt(i);
+            if ('a' <= ch && ch <= 'z' ||
+                    'A' <= ch && ch <= 'Z' ||
+                    ch == '$' ||
+                    ch == '_') {
+                allowNumber = true;
+                allowSep = true;
+            } else if ('0' <= ch && ch <= '9'
+                    || ch == '-') {
+                if (!allowNumber)
+                     return false;
+            } else if (ch == '/' || ch == '.') {
+                if (!allowSep)
+                    return false;
+                allowNumber = false;
+                allowSep = false;
+                if (ch == '.')
+                     seenDot = true;
+                if (ch == '/' && seenDot)
+                     return false;
+            } else {
+                return false;
+            }
+        }
+        return true;
+    }
+    function loadFrames() {