All Downloads are FREE. Search and download functionalities are using the official Maven repository.

org.primefaces.shaded.owasp.encoder.CSSEncoder Maven / Gradle / Ivy

There is a newer version: 14.0.7
Show newest version
// Copyright (c) 2012 Jeff Ichnowski
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions
// are met:
//
//     * Redistributions of source code must retain the above
//       copyright notice, this list of conditions and the following
//       disclaimer.
//
//     * Redistributions in binary form must reproduce the above
//       copyright notice, this list of conditions and the following
//       disclaimer in the documentation and/or other materials
//       provided with the distribution.
//
//     * Neither the name of the OWASP nor the names of its
//       contributors may be used to endorse or promote products
//       derived from this software without specific prior written
//       permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
// OF THE POSSIBILITY OF SUCH DAMAGE.

package org.primefaces.shaded.owasp.encoder;

import java.nio.CharBuffer;
import java.nio.charset.CoderResult;

/**
 * CSSEncoder -- Encoder for Cascading-Style-Sheet string and URI contexts.
 * Other contexts, such as color, number (w/unit), etc... are not good targets
 * for "encoding" (e.g. you cannot encode the string "XYZ" into a number),
 * they should instead by validated through other means (such as regular
 * expressions).
 */
class CSSEncoder extends Encoder {

    /** Number of bits in a {@code long}. */
    static final int LONG_BITS = 64;

    /** Length of hex encoding with trailing space {@code "\## "}. */
    static final int HEX_ENCODED_LENGTH = 4;

    /**
     * Encoding mode of operation--specified the set of characters that
     * required encoding.
     */
    enum Mode {
        /**
         * String contexts.  Characters between quotes.
         *
         * 
         *   Not allowed: \n \r \f \\ " '  (everything else is allowed)
         *   Allows: "\\{nl}" (escaped newline)
         * 
*/ STRING(new ASCIIBits().set(' ', '~').clear("\"\'<&/\\>")), /** * URL context. Characters inside a "url(...)". * *
         *   Allowed: [!#$%&*-\[\]-~]|{nonascii}|{escape}
         *   Escapes: \\[0-9a-f]{1,6}(\s?)
         *            \\[^\n\r\f0-9a-f]
         * 
*/ URL(new ASCIIBits().set("!#$%").set('*', '[').set(']', '~').clear("/<>")), // In both contexts above '<' is added to protect embedded