
1   package org.apache.turbine.util;
2   
3   
4   /*
5    * Licensed to the Apache Software Foundation (ASF) under one
6    * or more contributor license agreements.  See the NOTICE file
7    * distributed with this work for additional information
8    * regarding copyright ownership.  The ASF licenses this file
9    * to you under the Apache License, Version 2.0 (the
10   * "License"); you may not use this file except in compliance
11   * with the License.  You may obtain a copy of the License at
12   *
13   *   http://www.apache.org/licenses/LICENSE-2.0
14   *
15   * Unless required by applicable law or agreed to in writing,
16   * software distributed under the License is distributed on an
17   * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
18   * KIND, either express or implied.  See the License for the
19   * specific language governing permissions and limitations
20   * under the License.
21   */
22  
23  
24  import org.apache.ecs.Entities;
25  
26  import org.apache.ecs.filter.CharacterFilter;
27  
28  /**
29   * HTML-escaping helpers for user-entered text (moved out of the Screen class, where they had been orphaned).
30   *
31   *
32   * @author <a href="mailto:mbryson@mont.mindspring.com">Dave Bryson</a>
33   * @author <a href="mailto:hps@intermeta.de">Henning P. Schmiedehausen</a>
34   * @version $Id: InputFilterUtils.java 615328 2008-01-25 20:25:05Z tv $
35   */
36  
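public abstract class InputFilterUtils
{
    /** Filter behind {@link #prepareText(String)}: escapes {@code " ' & < >}. */
    private static final CharacterFilter filter = htmlFilter();

    /** Filter behind {@link #prepareTextMinimum(String)}: escapes only {@code <}. */
    private static final CharacterFilter minFilter = htmlMinFilter();

    /**
     * Escapes user-entered text so it can be emitted into an HTML page.
     *
     * <p>Replaces {@code "}, {@code '}, {@code &}, {@code <} and {@code >}
     * with character references, which stops the text from being parsed as
     * markup (e.g. an injected {@code <SCRIPT>} tag) when it is placed in
     * element content or inside a single- or double-quoted attribute value.
     * It is <em>not</em> sufficient on its own for unquoted attribute values,
     * JavaScript string literals, URLs or CSS; those contexts need their own
     * encoding in addition to this one.
     *
     * @param s The string to prepare. {@code null} is passed straight to
     *          {@link CharacterFilter#process(String)} and is not guarded
     *          here — assumes that call tolerates it; TODO confirm.
     * @return A string with the input already prepared.
     */
    public static String prepareText(String s)
    {
        return filter.process(s);
    }

    /**
     * Escapes only {@code <} in user-entered text.
     *
     * <p>Because {@code "}, {@code '}, {@code &} and {@code >} are passed
     * through unchanged, the result is only safe as HTML element content
     * (text between tags). Do not use it for attribute values or inside
     * {@code <script>} blocks: a quote in the input would end the enclosing
     * value there. Prefer {@link #prepareText(String)} unless the output
     * genuinely needs those characters verbatim.
     *
     * @param s The string to prepare (see {@link #prepareText(String)} for
     *          the {@code null} caveat).
     * @return A string with {@code <} replaced by {@code &lt;} and everything
     *         else untouched.
     */
    public static String prepareTextMinimum(String s)
    {
        return minFilter.process(s);
    }

    /**
     * Builds the full HTML filter.
     *
     * <p>These attributes are supposed to be the default, but they are not,
     * at least in ECS 1.2, so all of them are added explicitly. The apostrophe
     * is mapped to the numeric reference {@code &#39;} rather than to
     * {@link Entities#LSQUO}: {@code &lsquo;} is the typographic left single
     * quotation mark, a different character, so the previous mapping silently
     * rewrote user text such as "don't". {@code &#39;} displays as a plain
     * apostrophe and still cannot terminate a single-quoted attribute value
     * ({@code &apos;} is avoided because older HTML 4 user agents did not
     * define it).
     *
     * @return A CharacterFilter to do HTML filtering.
     */
    private static CharacterFilter htmlFilter()
    {
        CharacterFilter html = new CharacterFilter();
        html.addAttribute("\"", Entities.QUOT);
        html.addAttribute("'", "&#39;");
        html.addAttribute("&", Entities.AMP);
        html.addAttribute("<", Entities.LT);
        html.addAttribute(">", Entities.GT);
        return html;
    }

    /**
     * Builds the minimal filter.
     *
     * <p>We would like to filter user entered text that might be dynamically
     * added, using javascript for example, but without escaping all of the
     * characters above, so only {@code <} is disallowed. The removals drop
     * whatever mappings the no-arg {@link CharacterFilter} constructor may
     * have installed for those keys before the single {@code <} mapping is
     * (re)added.
     *
     * @return A CharacterFilter to do minimal HTML filtering.
     */
    private static CharacterFilter htmlMinFilter()
    {
        CharacterFilter minimal = new CharacterFilter();
        minimal.removeAttribute(">");
        minimal.removeAttribute("\"");
        minimal.removeAttribute("'");
        minimal.removeAttribute("&");
        minimal.addAttribute("<", Entities.LT);
        return minimal;
    }
}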