org.apache.sling.scripting.jsp.taglib.EncodeTag Maven / Gradle / Ivy
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.sling.scripting.jsp.taglib;
import java.io.IOException;
import javax.servlet.jsp.JspException;
import javax.servlet.jsp.tagext.BodyTagSupport;
import org.apache.commons.lang.StringUtils;
import org.apache.sling.scripting.jsp.taglib.helpers.XSSSupport;
import org.apache.sling.scripting.jsp.taglib.helpers.XSSSupport.ENCODING_MODE;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
/**
* Tag for writing properly XSS encoded text to the response using the OWASP
* ESAPI for supporting a number of encoding modes.
*/
public class EncodeTag extends BodyTagSupport {
private static final long serialVersionUID = 5673936481350419997L;
private static final Logger log = LoggerFactory.getLogger(EncodeTag.class);
private String value;
private String defaultValue;
private ENCODING_MODE mode;
private boolean readBody = false;
/*
* (non-Javadoc)
*
* @see javax.servlet.jsp.tagext.TagSupport#doEndTag()
*/
@Override
public int doEndTag() throws JspException {
log.trace("doEndTag");
if (readBody) {
if (bodyContent != null && bodyContent.getString() != null) {
String encoded = XSSSupport.encode(bodyContent.getString(),
mode);
write(encoded);
}
}
return EVAL_PAGE;
}
/*
* (non-Javadoc)
*
* @see javax.servlet.jsp.tagext.BodyTagSupport#doStartTag()
*/
@Override
public int doStartTag() throws JspException {
int res = SKIP_BODY;
String unencoded = value;
if (unencoded == null) {
unencoded = defaultValue;
}
if (unencoded != null) {
String encoded = XSSSupport.encode(unencoded, mode);
write(encoded);
} else {
readBody = true;
res = EVAL_BODY_BUFFERED;
}
return res;
}
/**
* @return the default value
*/
public String getDefault() {
return defaultValue;
}
/**
* @return the mode
*/
public String getMode() {
return mode.toString();
}
/**
* @return the value
*/
public String getValue() {
return value;
}
/**
* @param defaultValue
* the default value to set
*/
public void setDefault(String defaultValue) {
this.defaultValue = defaultValue;
}
/**
* @param mode
* the mode to set
*/
public void setMode(String mode) {
this.mode = XSSSupport.getEncodingMode(mode);
}
/**
* @param value
* the value to set
*/
public void setValue(String value) {
this.value = value;
}
/**
* Writes the encoded text to the response.
*
* @param encoded
* the encoded text to write to the page
* @throws JspException
*/
private void write(String encoded) throws JspException {
if (!StringUtils.isEmpty(encoded)) {
try {
pageContext.getOut().write(encoded);
} catch (IOException e) {
log.error("Exception writing escaped content to page", e);
throw new JspException(
"Exception writing escaped content to page", e);
}
}
}
}