

/*
 * Copyright 2011-2021 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.appng.api.support;

import org.apache.commons.lang3.StringUtils;
import org.appng.api.Platform;
import org.appng.api.model.Properties;
import org.appng.forms.XSSUtil;
import org.jsoup.safety.Whitelist;
import org.owasp.esapi.ESAPI;

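/**
 * Utility class for creating {@link XSSUtil}-instances.
 * 
 * @author Matthias Müller
 */
public class XSSHelper {

	/**
	 * Creates and returns a {@link XSSUtil}, or {@code null} if XSS protection is disabled.
	 * <p>
	 * If the boolean property {@code xssProtect} of the given {@link Properties} is {@code true}, a new
	 * {@link XSSUtil} is being created, based on jsoup's {@link Whitelist#basic()}. The list-type property
	 * {@code xssAllowedTags} can be used to allow additional tags and attributes. The format is:
	 * 
	 * <pre>
	 * &lt;tag1&gt; &lt;attribute1a&gt; &lt;attribute1b&gt;|&lt;tag2&gt; &lt;attribute2a&gt; &lt;attribute2b&gt;
	 * </pre>
	 * 
	 * Example:
	 * 
	 * <pre>
	 * h1|h2|a href class style|div align style
	 * </pre>
	 * 
	 * Entries are trimmed, blank entries are skipped and attribute names may be separated by any amount of
	 * whitespace, so {@code "h1 | h2"} and {@code "h1||h2"} are accepted as well (jsoup rejects empty tag or
	 * attribute names with an {@link IllegalArgumentException}).
	 * <p>
	 * <strong>Security note:</strong> {@code xssAllowedTags} widens the sanitizer's whitelist and must be treated
	 * as security-relevant platform configuration. Every tag and attribute listed there is handed to jsoup
	 * unchanged, so allowing tags such as {@code script}, {@code iframe} or {@code object}, event-handler
	 * attributes ({@code on*}) or {@code style} re-opens XSS vectors that the default whitelist closes. This
	 * method registers no URL protocols for the added attributes; as far as jsoup only enforces safe schemes for
	 * attributes that have protocols registered, URL-bearing attributes added here (e.g. {@code img src}) are
	 * expected to accept any scheme, including {@code javascript:} — verify this against the jsoup version in use
	 * before allowing such attributes.
	 * 
	 * @param platformProps
	 *            the platform's {@link Properties}, must not be {@code null}
	 * @param exceptions
	 *            passed through unchanged to the {@link XSSUtil} constructor; their interpretation is defined by
	 *            {@link XSSUtil}
	 * 
	 * @return a new {@link XSSUtil}, or {@code null} if the property {@code xssProtect} is not {@code true}
	 */
	public static XSSUtil getXssUtil(Properties platformProps, String... exceptions) {
		if (!platformProps.getBoolean(Platform.Property.XSS_PROTECT)) {
			return null;
		}
		Whitelist whitelist = Whitelist.basic();
		for (String entry : platformProps.getList(Platform.Property.XSS_ALLOWED_TAGS, StringUtils.EMPTY, "\\|")) {
			// Tolerate surrounding whitespace and empty entries; jsoup's Validate.notEmpty() would otherwise
			// throw for a blank tag name produced by e.g. "h1 | h2".
			String trimmed = StringUtils.trimToEmpty(entry);
			if (trimmed.isEmpty()) {
				continue;
			}
			String[] parts = trimmed.split("\\s+");
			String tagName = parts[0];
			// Whitelist the tag explicitly instead of relying on addAttributes() to do so implicitly.
			whitelist.addTags(tagName);
			for (int i = 1; i < parts.length; i++) {
				whitelist.addAttributes(tagName, parts[i]);
			}
		}
		return new XSSUtil(ESAPI.encoder(), whitelist, exceptions);
	}

}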



