package org.apache.turbine.util;


/*
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements.  See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership.  The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License.  You may obtain a copy of the License at
 *
 *   http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing,
 * software distributed under the License is distributed on an
 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 * KIND, either express or implied.  See the License for the
 * specific language governing permissions and limitations
 * under the License.
 */


import org.apache.ecs.Entities;

import org.apache.ecs.filter.CharacterFilter;

/**
 * Some filter methods that have been orphaned in the Screen class.
 *
 * Two static {@link CharacterFilter} instances are built once at class
 * load time: a full HTML escaper and a minimal one that only rewrites
 * {@code <}.
 *
 * @author <a href="mailto:mbryson@mont.mindspring.com">Dave Bryson</a>
 * @author <a href="mailto:hps@intermeta.de">Henning P. Schmiedehausen</a>
 * @version $Id: InputFilterUtils.java 615328 2008-01-25 20:25:05Z tv $
 */

public abstract class InputFilterUtils
{
    /**
     * Character / entity pairs installed by {@link #htmlFilter()}.
     * Declared first because the static filter fields below read it
     * during class initialisation.
     */
    private static final String[][] FULL_ESCAPES = {
        { "\"", Entities.QUOT },
        { "'",  Entities.LSQUO },
        { "&",  Entities.AMP },
        { "<",  Entities.LT },
        { ">",  Entities.GT },
    };

    /**
     * Filter behind {@link #prepareText(String)}: rewrites the five
     * HTML-significant characters listed in {@link #FULL_ESCAPES}.
     */
    private static final CharacterFilter FULL_FILTER = htmlFilter();

    /**
     * Filter behind {@link #prepareTextMinimum(String)}: rewrites only
     * {@code <}, see {@link #htmlMinFilter()}.
     */
    private static final CharacterFilter MINIMAL_FILTER = htmlMinFilter();

    /**
     * Escapes user-entered text for output as HTML text content.
     * <p>
     * {@code "}, {@code '}, {@code &}, {@code <} and {@code >} are
     * replaced by the entities registered in {@link #htmlFilter()}, which
     * stops injected markup such as {@code <SCRIPT>} from being
     * interpreted by the browser. Note that {@code '} is mapped to
     * {@link Entities#LSQUO} (a typographic left quote) rather than a
     * numeric character reference, so apostrophes are not rendered
     * verbatim.
     * <p>
     * NOTE(review): the filter is a shared static instance; whether
     * {@link CharacterFilter#process(String)} may be called concurrently
     * and how it treats {@code null} is decided by ECS and not verified
     * here.
     *
     * @param s The string to prepare.
     * @return A string with the input already prepared.
     */
    public static String prepareText(String s)
    {
        return FULL_FILTER.process(s);
    }

    /**
     * Escapes user-entered text with the minimal filter, which replaces
     * only {@code <} by {@link Entities#LT}.
     * <p>
     * {@code >}, {@code "}, {@code '} and {@code &} pass through
     * unchanged, so the result is only suitable for HTML text-node
     * content; it must not be placed inside an attribute value, a URL or
     * a script block. Prefer {@link #prepareText(String)} when in doubt.
     *
     * @param s The string to prepare.
     * @return A string with the input already prepared.
     */
    public static String prepareTextMinimum(String s)
    {
        return MINIMAL_FILTER.process(s);
    }

    /**
     * Builds the full HTML filter from {@link #FULL_ESCAPES}.
     * <p>
     * These mappings are supposed to be {@link CharacterFilter} defaults,
     * but at least ECS 1.2 does not register all of them, so every one is
     * added explicitly to be safe.
     *
     * @return A CharacterFilter to do HTML filtering.
     */
    private static CharacterFilter htmlFilter()
    {
        CharacterFilter full = new CharacterFilter();
        for (int i = 0; i < FULL_ESCAPES.length; i++)
        {
            full.addAttribute(FULL_ESCAPES[i][0], FULL_ESCAPES[i][1]);
        }
        return full;
    }

    /**
     * Builds the minimal HTML filter.
     * <p>
     * Text that is later inserted dynamically (via JavaScript, for
     * example) should still be filtered, but not for the full character
     * set, so the default mappings for {@code >}, {@code "}, {@code '}
     * and {@code &} are removed and only {@code <} is escaped.
     * NOTE(review): whatever other defaults the installed ECS version
     * registers on a fresh {@link CharacterFilter} remain active.
     *
     * @return A CharacterFilter to do minimal HTML filtering.
     */
    private static CharacterFilter htmlMinFilter()
    {
        CharacterFilter minimal = new CharacterFilter();
        minimal.removeAttribute(">");
        minimal.removeAttribute("\"");
        minimal.removeAttribute("'");
        minimal.removeAttribute("&");
        minimal.addAttribute("<", Entities.LT);
        return minimal;
    }
}