001package org.apache.turbine.util;
002
003
004/*
005 * Licensed to the Apache Software Foundation (ASF) under one
006 * or more contributor license agreements.  See the NOTICE file
007 * distributed with this work for additional information
008 * regarding copyright ownership.  The ASF licenses this file
009 * to you under the Apache License, Version 2.0 (the
010 * "License"); you may not use this file except in compliance
011 * with the License.  You may obtain a copy of the License at
012 *
013 *   http://www.apache.org/licenses/LICENSE-2.0
014 *
015 * Unless required by applicable law or agreed to in writing,
016 * software distributed under the License is distributed on an
017 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
018 * KIND, either express or implied.  See the License for the
019 * specific language governing permissions and limitations
020 * under the License.
021 */
022
023
024import org.apache.ecs.Entities;
025
026import org.apache.ecs.filter.CharacterFilter;
027
028/**
029 * Some filter methods that have been orphaned in the Screen class.
030 *
031 *
032 * @author <a href="mailto:mbryson@mont.mindspring.com">Dave Bryson</a>
033 * @author <a href="mailto:hps@intermeta.de">Henning P. Schmiedehausen</a>
034 * @version $Id: InputFilterUtils.java 615328 2008-01-25 20:25:05Z tv $
035 */
036
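public abstract class InputFilterUtils
{
    /**
     * Filter backing {@link #prepareText(String)}: maps {@code "}, {@code '},
     * {@code &}, {@code <} and {@code >} to HTML entities.
     */
    private static final CharacterFilter filter = htmlFilter();

    /**
     * Filter backing {@link #prepareTextMinimum(String)}: maps only
     * {@code <} to an HTML entity.
     */
    private static final CharacterFilter minFilter = htmlMinFilter();

    /**
     * Escapes user-entered text for output in an HTML page so that markup
     * such as {@code <script>} tags is rendered literally instead of being
     * interpreted by the browser.
     * <p>
     * The characters {@code "}, {@code '}, {@code &}, {@code <} and {@code >}
     * are replaced by the entities configured in {@link #htmlFilter()}.
     * Note that {@code '} is mapped to {@code &lsquo;} (typographic left
     * single quote), so the escaped text does not round-trip byte for byte.
     * The result is intended for HTML element content and quoted attribute
     * values; it is not an escape for JavaScript, CSS or URL contexts.
     *
     * @param s The string to prepare.
     * @return A string with the input already prepared.
     */
    public static String prepareText(String s)
    {
        return filter.process(s);
    }

    /**
     * Escapes only the {@code <} character of user-entered text, leaving
     * {@code "}, {@code '}, {@code &} and {@code >} untouched. This blocks
     * tag injection in HTML element content while keeping quotes and
     * ampersands usable for text that is later handled by script.
     * <p>
     * Because quotes are not escaped, the result must not be placed inside
     * an HTML attribute value or a JavaScript string literal; use
     * {@link #prepareText(String)} or a context-specific encoder there.
     *
     * @param s The string to prepare.
     * @return A string with only {@code <} escaped.
     */
    public static String prepareTextMinimum(String s)
    {
        return minFilter.process(s);
    }

    /**
     * Builds the full HTML filter.
     * <p>
     * These attributes are supposed to be the default, but they are
     * not, at least in ECS 1.2.  Include them all just to be safe.
     *
     * @return A CharacterFilter to do HTML filtering.
     */
    private static CharacterFilter htmlFilter()
    {
        // Local is named cf to avoid shadowing the static field "filter".
        CharacterFilter cf = new CharacterFilter();
        cf.addAttribute("\"", Entities.QUOT);
        // LSQUO is &lsquo;, not a literal apostrophe; see prepareText() docs.
        cf.addAttribute("'", Entities.LSQUO);
        cf.addAttribute("&", Entities.AMP);
        cf.addAttribute("<", Entities.LT);
        cf.addAttribute(">", Entities.GT);
        return cf;
    }

    /**
     * Builds the minimal HTML filter.
     * <p>
     * We would like to filter user entered text that might be
     * dynamically added, using javascript for example.  But we do not
     * want to filter all the above chars, so we will just disallow
     * {@code <}.
     *
     * @return A CharacterFilter to do minimal HTML filtering.
     */
    private static CharacterFilter htmlMinFilter()
    {
        CharacterFilter cf = new CharacterFilter();
        // Drop any default mappings the CharacterFilter constructor may have
        // registered for these characters, so that only "<" is escaped.
        cf.removeAttribute(">");
        cf.removeAttribute("\"");
        cf.removeAttribute("'");
        cf.removeAttribute("&");
        cf.addAttribute("<", Entities.LT);
        return cf;
    }
}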