Package org.apache.sling.xss.impl
Class XSSAPIImpl

java.lang.Object
  org.apache.sling.xss.impl.XSSAPIImpl
Constructor Summary

XSSAPIImpl()
Method Summary

All methods are concrete instance methods.

protected void activate()
protected void deactivate()

String encodeForCSSString(String source)
    Encodes a source string for writing to CSS string content.
String encodeForHTML(String source)
    Encodes a source string for HTML element content.
String encodeForHTMLAttr(String source)
    Encodes a source string for writing to an HTML attribute value.
String encodeForJSString(String source)
    Encodes a source string for writing to JavaScript string content.
String encodeForXML(String source)
    Encodes a source string for XML element content.
String encodeForXMLAttr(String source)
    Encodes a source string for writing to an XML attribute value.
@NotNull String filterHTML(String source)
    Filters potentially user-contributed HTML to meet the AntiSamy policy rules currently in effect for HTML output (see the XSSFilter service for details).
String getValidCSSColor(String color, String defaultColor)
    Validate a CSS color value.
String getValidDimension(String dimension, String defaultValue)
    Validate a string which should contain a dimension, returning a default value if the source is empty, can't be parsed, or contains XSS risks.
Double getValidDouble(String source, double defaultValue)
    Validate a string which should contain a double, returning a default value if the source is null, empty, can't be parsed, or contains XSS risks.
@NotNull String getValidHref(String url)
    Sanitizes a URL for writing as an HTML href or src attribute value.
Integer getValidInteger(String integer, int defaultValue)
    Validate a string which should contain an integer, returning a default value if the source is null, empty, can't be parsed, or contains XSS risks.
String getValidJSON(String json, String defaultJson)
    Validate a JSON string.
String getValidJSToken(String token, String defaultValue)
    Validate a JavaScript token.
Long getValidLong(String source, long defaultValue)
    Validate a string which should contain a long, returning a default value if the source is null, empty, can't be parsed, or contains XSS risks.
String getValidMultiLineComment(String comment, String defaultComment)
    Validate a multi-line comment to be used inside a <script>...</script> or <style>...</style> block.
String getValidStyleToken(String token, String defaultValue)
    Validate a style/CSS token.
String getValidXML(String xml, String defaultXml)
    Validate an XML string.
Method Detail

activate

protected void activate()

deactivate

protected void deactivate()
getValidInteger

public Integer getValidInteger(String integer, int defaultValue)

Description copied from interface: XSSAPI
Validate a string which should contain an integer, returning a default value if the source is null, empty, can't be parsed, or contains XSS risks.

Specified by: getValidInteger in interface XSSAPI
Parameters:
  integer - the source integer
  defaultValue - a default value if the source can't be used, is null or an empty string
Returns: a sanitized integer
See Also: XSSAPI.getValidInteger(String, int)
getValidLong

public Long getValidLong(String source, long defaultValue)

Description copied from interface: XSSAPI
Validate a string which should contain a long, returning a default value if the source is null, empty, can't be parsed, or contains XSS risks.

Specified by: getValidLong in interface XSSAPI
Parameters:
  source - the source long
  defaultValue - a default value if the source can't be used, is null or an empty string
Returns: a sanitized long
See Also: XSSAPI.getValidLong(String, long)
getValidDouble

public Double getValidDouble(String source, double defaultValue)

Description copied from interface: XSSAPI
Validate a string which should contain a double, returning a default value if the source is null, empty, can't be parsed, or contains XSS risks.

Specified by: getValidDouble in interface XSSAPI
Parameters:
  source - the source double
  defaultValue - a default value if the source can't be used, is null or an empty string
Returns: a sanitized double
See Also: XSSAPI.getValidDouble(String, double)
getValidDimension

public String getValidDimension(String dimension, String defaultValue)

Description copied from interface: XSSAPI
Validate a string which should contain a dimension, returning a default value if the source is empty, can't be parsed, or contains XSS risks. Allows integer dimensions and the keyword "auto".

Specified by: getValidDimension in interface XSSAPI
Parameters:
  dimension - the source dimension
  defaultValue - a default value if the source can't be used, is null or an empty string
Returns: a sanitized dimension
See Also: XSSAPI.getValidDimension(String, String)
getValidHref

@NotNull public @NotNull String getValidHref(String url)

Description copied from interface: XSSAPI
Sanitizes a URL for writing as an HTML href or src attribute value.

Specified by: getValidHref in interface XSSAPI
Parameters:
  url - the source URL
Returns: a sanitized URL (possibly empty)
See Also: XSSAPI.getValidHref(String)
getValidJSToken

public String getValidJSToken(String token, String defaultValue)

Description copied from interface: XSSAPI
Validate a JavaScript token. The value must be either a single identifier, a literal number, or a literal string.

Specified by: getValidJSToken in interface XSSAPI
Parameters:
  token - the source token
  defaultValue - a default value to use if the source is null, an empty string, or doesn't meet validity constraints
Returns: a string containing a single identifier, a literal number, or a literal string token
See Also: XSSAPI.getValidJSToken(String, String)
getValidStyleToken

public String getValidStyleToken(String token, String defaultValue)

Description copied from interface: XSSAPI
Validate a style/CSS token. Valid CSS tokens are specified at http://www.w3.org/TR/css3-syntax/

Specified by: getValidStyleToken in interface XSSAPI
Parameters:
  token - the source token
  defaultValue - a default value to use if the source is null, an empty string, or doesn't meet validity constraints
Returns: a string containing a sanitized style token
See Also: XSSAPI.getValidStyleToken(String, String)
getValidCSSColor

public String getValidCSSColor(String color, String defaultColor)

Description copied from interface: XSSAPI
Validate a CSS color value. Color values as specified at http://www.w3.org/TR/css3-color/#colorunits are safe and definitively allowed. Vulnerable constructs will be disallowed. Currently known vulnerable constructs include url(...), expression(...), and anything with a semicolon.

Specified by: getValidCSSColor in interface XSSAPI
Parameters:
  color - the color value to be used
  defaultColor - a default value to use if the input color value is null, an empty string, or doesn't meet validity constraints
Returns: a string containing a CSS color value
See Also: XSSAPI.getValidCSSColor(String, String)
getValidMultiLineComment

public String getValidMultiLineComment(String comment, String defaultComment)

Description copied from interface: XSSAPI
Validate a multi-line comment to be used inside a <script>...</script> or <style>...</style> block. The multi-line comment end sequence is disallowed inside the comment.

Specified by: getValidMultiLineComment in interface XSSAPI
Parameters:
  comment - the comment to be used
  defaultComment - a default value to use if the comment is null or not valid
Returns: a valid multi-line comment
See Also: XSSAPI.getValidMultiLineComment(String, String)
getValidJSON

public String getValidJSON(String json, String defaultJson)

Description copied from interface: XSSAPI
Validate a JSON string.

Specified by: getValidJSON in interface XSSAPI
Parameters:
  json - the JSON string to validate
  defaultJson - the default value to use if json is null or not valid
Returns: a valid JSON string
See Also: XSSAPI.getValidJSON(String, String)
getValidXML

public String getValidXML(String xml, String defaultXml)

Description copied from interface: XSSAPI
Validate an XML string.

Specified by: getValidXML in interface XSSAPI
Parameters:
  xml - the XML string to validate
  defaultXml - the default value to use if xml is null or not valid
Returns: a valid XML string
See Also: XSSAPI.getValidXML(String, String)
encodeForHTML

public String encodeForHTML(String source)

Description copied from interface: XSSAPI
Encodes a source string for HTML element content. DO NOT USE FOR WRITING ATTRIBUTE VALUES!

Specified by: encodeForHTML in interface XSSAPI
Parameters:
  source - the input to encode
Returns: an encoded version of the source
See Also: XSSAPI.encodeForHTML(String)
encodeForHTMLAttr

public String encodeForHTMLAttr(String source)

Description copied from interface: XSSAPI
Encodes a source string for writing to an HTML attribute value. DO NOT USE FOR ACTIONABLE ATTRIBUTES (href, src, event handlers); YOU MUST USE A VALIDATOR FOR THOSE!

Specified by: encodeForHTMLAttr in interface XSSAPI
Parameters:
  source - the input to encode
Returns: an encoded version of the source
See Also: XSSAPI.encodeForHTMLAttr(String)
encodeForXML

public String encodeForXML(String source)

Description copied from interface: XSSAPI
Encodes a source string for XML element content. DO NOT USE FOR WRITING ATTRIBUTE VALUES!

Specified by: encodeForXML in interface XSSAPI
Parameters:
  source - the input to encode
Returns: an encoded version of the source
See Also: XSSAPI.encodeForXML(String)
encodeForXMLAttr

public String encodeForXMLAttr(String source)

Description copied from interface: XSSAPI
Encodes a source string for writing to an XML attribute value.

Specified by: encodeForXMLAttr in interface XSSAPI
Parameters:
  source - the input to encode
Returns: an encoded version of the source
See Also: XSSAPI.encodeForXMLAttr(String)
encodeForJSString

public String encodeForJSString(String source)

Description copied from interface: XSSAPI
Encodes a source string for writing to JavaScript string content. DO NOT USE FOR WRITING TO ARBITRARY JAVASCRIPT; YOU MUST USE A VALIDATOR FOR THAT. (Encoding only ensures that the source material cannot break out of its context.)

Specified by: encodeForJSString in interface XSSAPI
Parameters:
  source - the input to encode
Returns: an encoded version of the source
See Also: XSSAPI.encodeForJSString(String)
encodeForCSSString

public String encodeForCSSString(String source)

Description copied from interface: XSSAPI
Encodes a source string for writing to CSS string content. DO NOT USE FOR WRITING OUT ARBITRARY CSS TOKENS; YOU MUST USE A VALIDATOR FOR THAT! (Encoding only ensures the source string cannot break out of its context.)

Specified by: encodeForCSSString in interface XSSAPI
Parameters:
  source - the input to encode
Returns: an encoded version of the source
See Also: XSSAPI.encodeForCSSString(String)
filterHTML

@NotNull public @NotNull String filterHTML(String source)

Description copied from interface: XSSAPI
Filters potentially user-contributed HTML to meet the AntiSamy policy rules currently in effect for HTML output (see the XSSFilter service for details).

Specified by: filterHTML in interface XSSAPI
Parameters:
  source - a string containing the source HTML
Returns: a string containing the sanitized HTML, which may be an empty string if source is null or empty
See Also: XSSAPI.filterHTML(String)
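The warnings in the method descriptions above all come down to one rule: encoders only stop a value from breaking out of its context, so actionable contexts (href/src, inline style values, arbitrary JavaScript) need the validator methods instead. The following is an added example, not Apache Sling's own code, showing that choice per context in a hypothetical OSGi component; it assumes the XSSAPI interface lives in org.apache.sling.xss and is injected with OSGi Declarative Services annotations.

```java
import org.apache.sling.xss.XSSAPI;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;

/**
 * Hypothetical OSGi component (added example, not Apache Sling code) that renders
 * an untrusted "profile card" with the XSSAPI methods documented above, picking
 * the method by the output context each value lands in.
 */
@Component(service = ProfileCardRenderer.class)
public class ProfileCardRenderer {

    @Reference
    private XSSAPI xssAPI;

    public String render(String displayName, String homepage, String accent, String avatarWidth) {
        StringBuilder html = new StringBuilder();

        // Element content: encoding suffices, the value cannot leave the text node.
        html.append("<h2>").append(xssAPI.encodeForHTML(displayName)).append("</h2>");

        // href is an actionable attribute: encodeForHTMLAttr only prevents breaking out of
        // the attribute and does not reject unsafe URL schemes, so the value must go through
        // the validator, which returns an empty string when the URL is rejected.
        String safeHref = xssAPI.getValidHref(homepage);
        if (!safeHref.isEmpty()) {
            html.append("<a href=\"").append(safeHref).append("\">")
                .append(xssAPI.encodeForHTML(homepage)).append("</a>");
        }

        // Dimension: only integers and "auto" survive; anything else becomes the default.
        String width = xssAPI.getValidDimension(avatarWidth, "64");
        html.append("<img src=\"/avatar.png\" width=\"").append(width).append("\"");
        // title is not an actionable attribute, so attribute encoding is the right tool here.
        html.append(" title=\"").append(xssAPI.encodeForHTMLAttr(displayName)).append("\">");

        // Inline style: the color validator rejects url(...), expression(...) and semicolons.
        html.append("<div style=\"border-color: ")
            .append(xssAPI.getValidCSSColor(accent, "#000000")).append("\"></div>");

        // Value inside a JavaScript string literal: encoding keeps it from closing the quote.
        // Writing a value as arbitrary JavaScript (not a string literal) needs getValidJSToken.
        html.append("<script>var name = '")
            .append(xssAPI.encodeForJSString(displayName)).append("';</script>");

        return html.toString();
    }
}
```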