ZCS-16214: Decode Unicode escape sequences to detect obfuscated @import
… statements and bumped the version of AntiSamy.
ashishkataria86 committed Nov 28, 2024
1 parent 0fca632 commit e7d58f7
Showing 2 changed files with 24 additions and 2 deletions.
2 changes: 1 addition & 1 deletion build.xml
Expand Up @@ -28,7 +28,7 @@
<property name='build.data.dir' value='${build.dir}/data/output' />
<property name='build.lib.dir' value='${build.dir}/lib' />

<property name='jar.file' value='${build.lib.dir}/${name}-${version}z2.jar'/>
<property name='jar.file' value='${build.lib.dir}/${name}-${version}z3.jar'/>

<target name='compile'
description="compiles the source"
Expand Up @@ -97,6 +97,28 @@ public AntiSamyDOMScanner(Policy policy) {
public AntiSamyDOMScanner() throws PolicyException {
super();
}
// Method to decode the Unicode escape sequences
private String decodeUnicodeEscapes(String input) {
try {
StringBuffer decodedString = new StringBuffer();
String regex = "\\\\([0-9a-fA-F]{4})";
// Compile the regex
Pattern pattern = Pattern.compile(regex);
Matcher matcher = pattern.matcher(input);

// Find all matches and replace them with the decoded character
while (matcher.find()) {
String hexValue = matcher.group(1);
int unicodeValue = Integer.parseInt(hexValue, 16);
matcher.appendReplacement(decodedString, String.valueOf((char) unicodeValue));
}
matcher.appendTail(decodedString);
return decodedString.toString().replaceAll("\\\\", "");
} catch (Exception e) {
// If decoding fails, just return the original string
return input;
}
}

/**
* This is where the magic lives.
Expand Down Expand Up @@ -167,7 +189,7 @@ public CleanResults scan(String html) throws ScanException {
*/


final String trimmedHtml = html;
final String trimmedHtml = decodeUnicodeEscapes(html);

StringWriter out = new StringWriter();

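Review bot: In decodeUnicodeEscapes the replacement handed to `matcher.appendReplacement` is the raw decoded character, so a sequence that decodes to `$` or `\` (`\0024`, `\005C`) makes appendReplacement throw IllegalArgumentException, the `catch (Exception e)` swallows it, and the whole input is returned undecoded — the new check fails open on exactly those inputs. Use `matcher.appendReplacement(decodedString, Matcher.quoteReplacement(String.valueOf((char) unicodeValue)));` and narrow or at least log the catch so a decoding failure is not silent. Separately, the trailing `replaceAll("\\\\", "")` strips every remaining backslash from the entire document, and since scan() now operates on this rewritten string (second hunk, where `trimmedHtml` is assigned) the cleaned output will differ from the input for ordinary text containing backslashes or backslash-hex sequences, not only for CSS; consider confining the decoding to the style/CSS detection path. The pattern also accepts exactly four hex digits while a CSS escape is one to six hex digits optionally followed by one whitespace character, so the decoder and the CSS grammar disagree; a comment stating the intended coverage would help, e.g. `// NOTE: CSS escapes allow 1-6 hex digits plus optional trailing whitespace; only the 4-digit form is decoded here`. The scan() method enclosing the second hunk starts and ends outside it.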
