META-INF/java-encoder-advanced.tld (from the encoder-jsp artifact)
The OWASP Encoder JSP package contains JSP tag definitions and TLDs to allow easy use of the OWASP Encoder Project's core API. The TLDs contain both tag definitions and JSP EL functions.
Display name: OWASP Java Encoder Project
Taglib version: 1.0
Short name: java-encoder
URI: https://www.owasp.org/index.php/OWASP_Java_Encoder_Project#advanced

Tag definitions

Tag forCDATA (tag class org.owasp.encoder.tag.ForCDATATag, body-content: empty)
Attribute value (required, rtexprvalue, java.lang.String): the value to be written out.
Encodes data for an XML CDATA section. If the input contains a terminating "]]>", it will be replaced by "]]>]]<![CDATA[>". As with all XML contexts, characters that are invalid according to the XML specification will be replaced by a space character. The caller must provide the CDATA section boundaries.

Tag forHtmlContent (tag class org.owasp.encoder.tag.ForHtmlContentTag, body-content: empty)
Attribute value (required, rtexprvalue, java.lang.String): the value to be written out.
Encodes for HTML text content. It does not escape quotation characters and is thus unsafe for use with HTML attributes. Use either forHtml or forHtmlAttribute for attribute contexts.

Tag forXmlAttribute (tag class org.owasp.encoder.tag.ForXmlAttributeTag, body-content: empty)
Attribute value (required, rtexprvalue, java.lang.String): the value to be written out.
Encodes for XML and XHTML attribute content.

Tag forXml (tag class org.owasp.encoder.tag.ForXmlTag, body-content: empty)
Attribute value (required, rtexprvalue, java.lang.String): the value to be written out.
Encodes for XML and XHTML.

Tag forJavaScript (tag class org.owasp.encoder.tag.ForJavaScriptTag, body-content: empty)
Attribute value (required, rtexprvalue, java.lang.String): the value to be written out.
Encodes for a JavaScript string. It is safe for use in HTML script attributes (such as onclick), script blocks, JSON files, and JavaScript source. The caller MUST provide the surrounding quotation characters for the string. Since this performs additional encoding so it can work in all of the JavaScript contexts listed, it may be slightly less efficient than using one of the methods targeted at a specific JavaScript context: forJavaScriptAttribute, forJavaScriptBlock, or forJavaScriptSource. Unless you are interested in saving a few bytes of output or are writing a framework on top of this library, it is recommended that you use this method over the others.

Tag forJavaScriptAttribute (tag class org.owasp.encoder.tag.ForJavaScriptAttributeTag, body-content: empty)
Attribute value (required, rtexprvalue, java.lang.String): the value to be written out.
Encodes for JavaScript strings contained within HTML script attributes (such as onclick). It is NOT safe for use in script blocks. The caller MUST provide the surrounding quotation characters. This method performs the same encoding as Encode.forJavaScript(String) with the exception that / is not escaped.

Tag forJavaScriptBlock (tag class org.owasp.encoder.tag.ForJavaScriptBlockTag, body-content: empty)
Attribute value (required, rtexprvalue, java.lang.String): the value to be written out.
Encodes for JavaScript strings contained within HTML script blocks. It is NOT safe for use in script attributes (such as onclick). The caller must provide the surrounding quotation characters. This method performs the same encoding as Encode.forJavaScript(String) with the exception that " and ' are encoded as \" and \' respectively.

Tag forJavaScriptSource (tag class org.owasp.encoder.tag.ForJavaScriptSourceTag, body-content: empty)
Attribute value (required, rtexprvalue, java.lang.String): the value to be written out.
Encodes for JavaScript strings contained within a JavaScript or JSON file. This method is NOT safe for use in ANY context embedded in HTML. The caller must provide the surrounding quotation characters. This method performs the same encoding as Encode.forJavaScript(String) with the exception that / and & are not escaped and " and ' are encoded as \" and \' respectively.

Tag forHtmlUnquotedAttribute (tag class org.owasp.encoder.tag.ForHtmlUnquotedAttributeTag, body-content: empty)
Attribute value (required, rtexprvalue, java.lang.String): the value to be written out.
Encodes for unquoted HTML attribute values. forHtml(String) or forHtmlAttribute(String) should usually be preferred over this method, as quoted attributes are XHTML compliant.

Tag forUri (tag class org.owasp.encoder.tag.ForUriTag, body-content: empty)
Attribute value (required, rtexprvalue, java.lang.String): the value to be written out.
Performs percent-encoding of a URL according to RFC 3986. The provided URL is assumed to be a valid URL. This method does not do any checking on the quality or safety of the URL itself. In many applications it may be better to use java.net.URI instead. Note: this is a particularly dangerous context to put untrusted content in, as for example a "javascript:" URL provided by a malicious user would be "properly" escaped and still execute.

Tag forCssUrl (tag class org.owasp.encoder.tag.ForCssUrlTag, body-content: empty)
Attribute value (required, rtexprvalue, java.lang.String): the value to be written out.
Encodes for CSS URL contexts. The context must be surrounded by "url()". It is safe for use in both style blocks and attributes in HTML. Note: this does not do any checking on the quality or safety of the URL itself. The caller should ensure that the URL is safe for embedding (e.g. input validation) by other means.

Tag forXmlComment (tag class org.owasp.encoder.tag.ForXmlCommentTag, body-content: empty)
Attribute value (required, rtexprvalue, java.lang.String): the value to be written out.
Encoder for XML comments. NOT FOR USE WITH (X)HTML CONTEXTS. (X)HTML comments may be interpreted by browsers as something other than a comment, typically in vendor-specific extensions (e.g. <!--if[IE]-->). For (X)HTML it is recommended that unsafe content never be included in a comment.

Tag forHtmlAttribute (tag class org.owasp.encoder.tag.ForHtmlAttributeTag, body-content: empty)
Attribute value (required, rtexprvalue, java.lang.String): the value to be written out.
Encodes for HTML text attributes.

Tag forHtml (tag class org.owasp.encoder.tag.ForHtmlTag, body-content: empty)
Attribute value (required, rtexprvalue, java.lang.String): the value to be written out.
Encodes for (X)HTML text content and text attributes.

Tag forXmlContent (tag class org.owasp.encoder.tag.ForXmlContentTag, body-content: empty)
Attribute value (required, rtexprvalue, java.lang.String): the value to be written out.
Encodes for HTML text content. It does not escape quotation characters and is thus unsafe for use with HTML attributes. Use either forHtml or forHtmlAttribute for attribute contexts.

Tag forUriComponent (tag class org.owasp.encoder.tag.ForUriComponentTag, body-content: empty)
Attribute value (required, rtexprvalue, java.lang.String): the value to be written out.
Performs percent-encoding for a component of a URI, such as a query parameter name or value, path, or query string. In particular, this method ensures that special characters in the component do not get interpreted as part of another component.

Tag forCssString (tag class org.owasp.encoder.tag.ForCssStringTag, body-content: empty)
Attribute value (required, rtexprvalue, java.lang.String): the value to be written out.
Encodes for CSS strings. The context must be surrounded by quotation characters. It is safe for use in both style blocks and attributes in HTML.

EL functions

EL function forHtml: java.lang.String forHtml(java.lang.String) in class org.owasp.encoder.Encode
Example: forHtml(unsafeData)
Encodes for (X)HTML text content and text attributes.

EL function forHtmlContent: java.lang.String forHtmlContent(java.lang.String) in class org.owasp.encoder.Encode
Example: forHtmlContent(unsafeData)
Encodes for HTML text content. It does not escape quotation characters and is thus unsafe for use with HTML attributes. Use either forHtml or forHtmlAttribute for attribute contexts.

EL function forHtmlAttribute: java.lang.String forHtmlAttribute(java.lang.String) in class org.owasp.encoder.Encode
Example: forHtmlAttribute(unsafeData)
Encodes for HTML text attributes.

EL function forHtmlUnquotedAttribute: java.lang.String forHtmlUnquotedAttribute(java.lang.String) in class org.owasp.encoder.Encode
Example: forHtmlUnquotedAttribute(unsafeData)
Encodes for unquoted HTML attribute values. forHtml(String) or forHtmlAttribute(String) should usually be preferred over this method, as quoted attributes are XHTML compliant.

EL function forCssString: java.lang.String forCssString(java.lang.String) in class org.owasp.encoder.Encode
Example: forCssString(unsafeData)
Encodes for CSS strings. The context must be surrounded by quotation characters. It is safe for use in both style blocks and attributes in HTML.

EL function forCssUrl: java.lang.String forCssUrl(java.lang.String) in class org.owasp.encoder.Encode
Example: forCssUrl(unsafeData)
Encodes for CSS URL contexts. The context must be surrounded by "url()". It is safe for use in both style blocks and attributes in HTML. Note: this does not do any checking on the quality or safety of the URL itself. The caller should ensure that the URL is safe for embedding (e.g. input validation) by other means.

EL function forUri: java.lang.String forUri(java.lang.String) in class org.owasp.encoder.Encode
Example: forUri(unsafeData)
Performs percent-encoding of a URL according to RFC 3986. The provided URL is assumed to be a valid URL. This method does not do any checking on the quality or safety of the URL itself. In many applications it may be better to use java.net.URI instead. Note: this is a particularly dangerous context to put untrusted content in, as for example a "javascript:" URL provided by a malicious user would be "properly" escaped and still execute.

EL function forUriComponent: java.lang.String forUriComponent(java.lang.String) in class org.owasp.encoder.Encode
Example: forUriComponent(unsafeData)
Performs percent-encoding for a component of a URI, such as a query parameter name or value, path, or query string. In particular, this method ensures that special characters in the component do not get interpreted as part of another component.

EL function forXml: java.lang.String forXml(java.lang.String) in class org.owasp.encoder.Encode
Example: forXml(unsafeData)
Encodes for XML and XHTML.

EL function forXmlContent: java.lang.String forXmlContent(java.lang.String) in class org.owasp.encoder.Encode
Example: forXmlContent(unsafeData)
Encodes for HTML text content. It does not escape quotation characters and is thus unsafe for use with HTML attributes. Use either forHtml or forHtmlAttribute for attribute contexts.

EL function forXmlAttribute: java.lang.String forXmlAttribute(java.lang.String) in class org.owasp.encoder.Encode
Example: forXmlAttribute(unsafeData)
Encodes for XML and XHTML attribute content.

EL function forXmlComment: java.lang.String forXmlComment(java.lang.String) in class org.owasp.encoder.Encode
Example: forXmlComment(unsafeData)
Encoder for XML comments. NOT FOR USE WITH (X)HTML CONTEXTS. (X)HTML comments may be interpreted by browsers as something other than a comment, typically in vendor-specific extensions (e.g. <!--if[IE]-->). For (X)HTML it is recommended that unsafe content never be included in a comment.

EL function forCDATA: java.lang.String forCDATA(java.lang.String) in class org.owasp.encoder.Encode
Example: forCDATA(unsafeData)
Encodes data for an XML CDATA section. If the input contains a terminating "]]>", it will be replaced by "]]>]]<![CDATA[>". As with all XML contexts, characters that are invalid according to the XML specification will be replaced by a space character. The caller must provide the CDATA section boundaries.

EL function forJavaScript: java.lang.String forJavaScript(java.lang.String) in class org.owasp.encoder.Encode
Example: forJavaScript(unsafeData)
Encodes for a JavaScript string. It is safe for use in HTML script attributes (such as onclick), script blocks, JSON files, and JavaScript source. The caller MUST provide the surrounding quotation characters for the string. Since this performs additional encoding so it can work in all of the JavaScript contexts listed, it may be slightly less efficient than using one of the methods targeted at a specific JavaScript context: forJavaScriptAttribute, forJavaScriptBlock, or forJavaScriptSource. Unless you are interested in saving a few bytes of output or are writing a framework on top of this library, it is recommended that you use this method over the others.

EL function forJavaScriptAttribute: java.lang.String forJavaScriptAttribute(java.lang.String) in class org.owasp.encoder.Encode
Example: forJavaScriptAttribute(unsafeData)
Encodes for JavaScript strings contained within HTML script attributes (such as onclick). It is NOT safe for use in script blocks. The caller MUST provide the surrounding quotation characters. This method performs the same encoding as Encode.forJavaScript(String) with the exception that / is not escaped.

EL function forJavaScriptBlock: java.lang.String forJavaScriptBlock(java.lang.String) in class org.owasp.encoder.Encode
Example: forJavaScriptBlock(unsafeData)
Encodes for JavaScript strings contained within HTML script blocks. It is NOT safe for use in script attributes (such as onclick). The caller must provide the surrounding quotation characters. This method performs the same encoding as Encode.forJavaScript(String) with the exception that " and ' are encoded as \" and \' respectively.

EL function forJavaScriptSource: java.lang.String forJavaScriptSource(java.lang.String) in class org.owasp.encoder.Encode
Example:
<%@page contentType="text/javascript; charset=UTF-8"%>
var data = '${forJavaScriptSource(unsafeData)}';
Encodes for JavaScript strings contained within a JavaScript or JSON file. This method is NOT safe for use in ANY context embedded in HTML. The caller must provide the surrounding quotation characters. This method performs the same encoding as Encode.forJavaScript(String) with the exception that / and & are not escaped and " and ' are encoded as \" and \' respectively.
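A JSP page that uses this taglib in each of the output contexts the descriptors above document, as an added example (it is not part of the TLD or of the OWASP project's own documentation). The taglib prefix "e" and the request parameters (title, message, q, page, motto, bgUrl) are assumptions; the uri is the one declared in this TLD.

```jsp
<%@ page contentType="text/html; charset=UTF-8" %>
<%-- prefix "e" is an assumption; the uri is the one declared by this TLD --%>
<%@ taglib prefix="e" uri="https://www.owasp.org/index.php/OWASP_Java_Encoder_Project#advanced" %>
<html>
<head>
  <style>
    /* CSS string context: we supply the quotes, forCssString supplies the escaping */
    .banner::before { content: "${e:forCssString(param.motto)}"; }
    /* CSS URL context: we supply url(); forCssUrl does not validate the URL itself,
       so bgUrl must be validated elsewhere before it reaches this page */
    .banner { background-image: url(${e:forCssUrl(param.bgUrl)}); }
  </style>
</head>
<body>
  <%-- HTML text content: the tag form and the EL-function form are equivalent --%>
  <h1><e:forHtml value="${param.title}"/></h1>
  <p>${e:forHtmlContent(param.message)}</p>

  <%-- Quoted HTML attribute: forHtmlAttribute also escapes quotation characters,
       which forHtmlContent deliberately does not --%>
  <input type="text" name="q" value="${e:forHtmlAttribute(param.q)}">

  <%-- URL assembled from parts: forUriComponent keeps each value from being read
       as another URI component; it is an encoder, not an href validator --%>
  <a href="/search?q=${e:forUriComponent(param.q)}&amp;page=${e:forUriComponent(param.page)}">Next</a>

  <%-- JavaScript string in an HTML event-handler attribute: forJavaScript is
       documented as safe here and in the script block below; we own the quotes --%>
  <button onclick="show('${e:forJavaScript(param.q)}')">Show</button>

  <script>
    // Script block: forJavaScript (or forJavaScriptBlock). forJavaScriptSource is
    // not used anywhere in this page because it is unsafe in any HTML-embedded context.
    var query = '${e:forJavaScript(param.q)}';
    function show(s) { alert(s); }
  </script>
</body>
</html>
```

Each encoder is chosen by the syntactic context the value lands in, never by where the value came from; the same parameter (q) is encoded three different ways above for that reason.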