org.hibernate.validator.internal.constraintvalidators.hv.SafeHtmlValidator Maven / Gradle / Ivy
/*
* Hibernate Validator, declare and validate application constraints
*
* License: Apache License, Version 2.0
* See the license.txt file in the root directory or .
*/
package org.hibernate.validator.internal.constraintvalidators.hv;
import java.util.Iterator;
import javax.validation.ConstraintValidator;
import javax.validation.ConstraintValidatorContext;
import org.hibernate.validator.constraints.SafeHtml;
import org.jsoup.Jsoup;
import org.jsoup.nodes.Document;
import org.jsoup.nodes.Element;
import org.jsoup.parser.Parser;
import org.jsoup.safety.Cleaner;
import org.jsoup.safety.Whitelist;
/**
* Validate that the string does not contain malicious code.
*
* It uses JSoup as the underlying parser/sanitizer library.
*
* @author George Gastaldi
* @author Hardy Ferentschik
* @author Marko Bekhta
*/
public class SafeHtmlValidator implements ConstraintValidator {
private Whitelist whitelist;
private String baseURI;
@Override
public void initialize(SafeHtml safeHtmlAnnotation) {
switch ( safeHtmlAnnotation.whitelistType() ) {
case BASIC:
whitelist = Whitelist.basic();
break;
case BASIC_WITH_IMAGES:
whitelist = Whitelist.basicWithImages();
break;
case NONE:
whitelist = Whitelist.none();
break;
case RELAXED:
whitelist = Whitelist.relaxed();
break;
case SIMPLE_TEXT:
whitelist = Whitelist.simpleText();
break;
}
baseURI = safeHtmlAnnotation.baseURI();
whitelist.addTags( safeHtmlAnnotation.additionalTags() );
for ( SafeHtml.Tag tag : safeHtmlAnnotation.additionalTagsWithAttributes() ) {
whitelist.addTags( tag.name() );
if ( tag.attributes().length > 0 ) {
whitelist.addAttributes( tag.name(), tag.attributes() );
}
for ( SafeHtml.Attribute attribute : tag.attributesWithProtocols() ) {
whitelist.addAttributes( tag.name(), attribute.name() );
if ( attribute.protocols().length > 0 ) {
whitelist.addProtocols( tag.name(), attribute.name(), attribute.protocols() );
}
}
}
}
@Override
public boolean isValid(CharSequence value, ConstraintValidatorContext context) {
if ( value == null ) {
return true;
}
return new Cleaner( whitelist ).isValid( getFragmentAsDocument( value ) );
}
/**
* Returns a document whose {@code } element contains the given HTML fragment.
*/
private Document getFragmentAsDocument(CharSequence value) {
// using the XML parser ensures that all elements in the input are retained, also if they actually are not allowed at the given
// location; E.g. a element isn't allowed directly within the element, so it would be used by the default HTML parser.
// we need to retain it though to apply the given white list properly; See HV-873
Document fragment = Jsoup.parse( value.toString(), baseURI, Parser.xmlParser() );
Document document = Document.createShell( baseURI );
// add the fragment's nodes to the body of resulting document
Iterator nodes = fragment.children().iterator();
while ( nodes.hasNext() ) {
document.body().appendChild( nodes.next() );
}
return document;
}
}
© 2015 - 2024 Weber Informatics LLC | Privacy Policy