private String applyXSSFilter(String text, MarkupContext xssContext) { switch (xssContext) { case ATTRIBUTE: return xssApi.encodeForHTMLAttr(text); case COMMENT: case TEXT: return xssApi.encodeForHTML(text); case ATTRIBUTE_NAME: return escapeAttributeName(text); return xssApi.getValidHref(text); case SCRIPT_TOKEN: return xssApi.getValidJSToken(text, ""); case STYLE_TOKEN: return xssApi.getValidStyleToken(text, ""); case SCRIPT_STRING: return xssApi.encodeForJSString(text); case STYLE_STRING: return xssApi.encodeForCSSString(text); case SCRIPT_COMMENT: case STYLE_COMMENT: return xssApi.getValidMultiLineComment(text, ""); case ELEMENT_NAME: return escapeElementName(text); case HTML: return xssApi.filterHTML(text);
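/**
 * Copy a map of form error messages, HTML-encoding every value so it can be written
 * as HTML element content.
 *
 * @param errors error messages keyed by field name; {@code null} yields an empty map
 * @return a new map with the same keys (copied as-is, not encoded) and HTML-encoded values
 */
protected final Map<String, String> getProtectedErrors(final Map<String, String> errors) {
    final Map<String, String> protectedErrors = new HashMap<String, String>();
    if (errors == null) {
        return protectedErrors;
    }
    // Element-content encoding; use getProtectedData for attribute context
    for (final Map.Entry<String, String> entry : errors.entrySet()) {
        protectedErrors.put(entry.getKey(), xss.encodeForHTML(entry.getValue()));
    }
    return protectedErrors;
}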
/**
 * Build the empty "richtext" widget definition for the property {@code rteName}.
 * The property name is passed through {@code xssApi.encodeForJSString} before being prefixed with "./".
 * NOTE(review): JsonObject performs its own escaping on serialisation, so the extra JS-string
 * encoding of the name presumably targets a later JS context — confirm against the consumer.
 *
 * @param rteName the RTE property name the widget binds to
 * @return a new widget definition with xtype, name, hideLabel and jcr:primaryType set
 */
@Override
protected JsonObject createEmptyWidget(String rteName) {
    final String encodedName = xssApi.encodeForJSString(rteName);
    final JsonObject widget = new JsonObject();
    widget.addProperty("xtype", "richtext");
    widget.addProperty("name", "./" + encodedName);
    widget.addProperty("hideLabel", true);
    widget.addProperty("jcr:primaryType", "cq:Widget");
    return widget;
}
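/**
 * Append an {@code <input type="hidden">} element to {@code html}.
 * Both the name and the value are attribute-encoded; the original encoded only the value,
 * so a non-constant name could break out of its attribute. Encoding is a no-op for plain
 * identifier-style names, so callers passing constants are unaffected.
 *
 * @param html  the buffer the tag is appended to
 * @param name  the field name, written into the {@code name} attribute
 * @param value the field value, written into the {@code value} attribute
 */
private void appendHiddenTag(StringBuilder html, String name, String value) {
    html.append("<input type=\"hidden\" name=\"").append(xss.encodeForHTMLAttr(name))
        .append("\" value=\"").append(xss.encodeForHTMLAttr(value)).append("\"/>\n");
}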
/**
 * Return a validated href for {@code source} by delegating to the supplied {@link XSSAPI}.
 * This does not use the standard XSS API due to a bug impacting CQ 5.6.1 (and earlier).
 * Internal bug reference: GRANITE-4193
 *
 * @param xssAPI the XSSAPI implementation that performs the validation
 * @param source the raw href candidate
 * @return the validated href as returned by {@code xssAPI.getValidHref}
 */
@Function
public static CharSequence getValidHref(XSSAPI xssAPI, String source) {
    final CharSequence validHref = xssAPI.getValidHref(source);
    return validHref;
}
/**
 * Filter {@code source} as HTML markup by delegating to the supplied {@link XSSAPI}.
 *
 * @param xssAPI the XSSAPI implementation that performs the filtering
 * @param source the raw markup
 * @return the filtered markup as returned by {@code xssAPI.filterHTML}
 */
@Function
public static CharSequence filterHTML(XSSAPI xssAPI, String source) {
    final CharSequence filtered = xssAPI.filterHTML(source);
    return filtered;
}
/**
 * Validate a JavaScript token by delegating to the supplied {@link XSSAPI}. The value must be
 * a single identifier, a literal number, or a literal string; otherwise {@code defaultValue} is used.
 *
 * @param xssAPI       the XSSAPI implementation that performs the validation
 * @param token        the source token
 * @param defaultValue the value returned when {@code token} does not meet the validity constraints
 * @return a string containing a single identifier, a literal number, or a literal string token
 */
@Function
public static String getValidJSToken(XSSAPI xssAPI, String token, String defaultValue) {
    final String validToken = xssAPI.getValidJSToken(token, defaultValue);
    return validToken;
}
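/**
 * Copy a map of form error messages, HTML-encoding every value so it can be written
 * as HTML element content.
 *
 * @param errors error messages keyed by field name; {@code null} yields an empty map
 * @return a new map with the same keys (copied as-is, not encoded) and HTML-encoded values
 */
protected final Map<String, String> getProtectedErrors(final Map<String, String> errors) {
    final Map<String, String> protectedErrors = new HashMap<String, String>();
    if (errors == null) {
        return protectedErrors;
    }
    // Element-content encoding; use getProtectedData for attribute context
    for (final Map.Entry<String, String> entry : errors.entrySet()) {
        protectedErrors.put(entry.getKey(), xss.encodeForHTML(entry.getValue()));
    }
    return protectedErrors;
}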
/**
 * Build the empty "tags" widget definition for {@code propertyName}.
 * The property name is passed through {@code xssApi.encodeForJSString} before being prefixed with "./".
 * NOTE(review): JsonObject performs its own escaping on serialisation, so the extra JS-string
 * encoding of the name presumably targets a later JS context — confirm against the consumer.
 *
 * @param propertyName the property the tags widget binds to
 * @return a new widget definition with xtype, name, fieldLabel and jcr:primaryType set
 */
@Override
protected JsonObject createEmptyWidget(String propertyName) {
    final String encodedName = xssApi.encodeForJSString(propertyName);
    final JsonObject widget = new JsonObject();
    widget.addProperty("xtype", "tags");
    widget.addProperty("name", "./" + encodedName);
    widget.addProperty("fieldLabel", "Tags/Keywords");
    widget.addProperty("jcr:primaryType", "cq:Widget");
    return widget;
}
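/**
 * Copy a map of form data, encoding every value for use inside an HTML attribute.
 *
 * @param data form values keyed by field name; {@code null} yields an empty map
 * @return a new map with the same keys (copied as-is, not encoded) and attribute-encoded values
 */
protected final Map<String, String> getProtectedData(final Map<String, String> data) {
    final Map<String, String> protectedData = new HashMap<String, String>();
    if (data == null) {
        return protectedData;
    }
    // Attribute-context encoding; use getProtectedErrors for element content
    for (final Map.Entry<String, String> entry : data.entrySet()) {
        protectedData.put(entry.getKey(), xss.encodeForHTMLAttr(entry.getValue()));
    }
    return protectedData;
}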
/**
 * Encode {@code source} for HTML element content by delegating to the supplied {@link XSSAPI}.
 *
 * @param xssAPI the XSSAPI implementation that performs the encoding
 * @param source the raw string
 * @return the encoded string as returned by {@code xssAPI.encodeForHTML}
 */
@Function
public static CharSequence encodeForHTML(XSSAPI xssAPI, String source) {
    final CharSequence encoded = xssAPI.encodeForHTML(source);
    return encoded;
}
/**
 * Encode {@code source} for use inside a JavaScript string literal by delegating to the supplied {@link XSSAPI}.
 *
 * @param xssAPI the XSSAPI implementation that performs the encoding
 * @param source the raw string
 * @return the encoded string as returned by {@code xssAPI.encodeForJSString}
 */
@Function
public static CharSequence encodeForJSString(XSSAPI xssAPI, String source) {
    final CharSequence encoded = xssAPI.encodeForJSString(source);
    return encoded;
}
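/**
 * Copy a map of form data, encoding every value for use inside an HTML attribute.
 *
 * @param data form values keyed by field name; {@code null} yields an empty map
 * @return a new map with the same keys (copied as-is, not encoded) and attribute-encoded values
 */
protected final Map<String, String> getProtectedData(final Map<String, String> data) {
    final Map<String, String> protectedData = new HashMap<String, String>();
    if (data == null) {
        return protectedData;
    }
    // Attribute-context encoding; use getProtectedErrors for element content
    for (final Map.Entry<String, String> entry : data.entrySet()) {
        protectedData.put(entry.getKey(), xss.encodeForHTMLAttr(entry.getValue()));
    }
    return protectedData;
}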
/**
 * Encode {@code source} for HTML element content using a freshly created {@link XSSAPIImpl}.
 * A new implementation instance is constructed on every call.
 *
 * @param source the string to be encoded
 * @return the encoded string
 */
public static String encodeForHTML(String source) {
    return new XSSAPIImpl().encodeForHTML(source);
}
/**
 * Encode {@code source} for use inside a JavaScript string literal using a freshly created {@link XSSAPIImpl}.
 * A new implementation instance is constructed on every call.
 *
 * @param source the string to be encoded
 * @return the encoded string
 */
public static String encodeForJSString(String source) {
    return new XSSAPIImpl().encodeForJSString(source);
}
/**
 * Encode {@code source} for use inside an HTML attribute value by delegating to the supplied {@link XSSAPI}.
 *
 * @param xssAPI the XSSAPI implementation that performs the encoding
 * @param source the raw string
 * @return the encoded string as returned by {@code xssAPI.encodeForHTMLAttr}
 */
@Function
public static CharSequence encodeForHTMLAttr(XSSAPI xssAPI, String source) {
    final CharSequence encoded = xssAPI.encodeForHTMLAttr(source);
    return encoded;
}
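/**
 * Print {@code name: <b>value</b><br />} with the name and every value HTML-encoded.
 * Array values are printed as {@code [a, b, c]}. Unlike the previous cast to {@code Object[]},
 * arrays are read through {@code java.lang.reflect.Array} so primitive arrays (e.g. {@code long[]})
 * no longer throw ClassCastException, and {@code null} values or elements print as "null" instead
 * of throwing NullPointerException.
 *
 * @param pw    destination writer
 * @param name  property name, HTML-encoded before output
 * @param value property value or array of values; may be {@code null}
 */
private void printPropertyValue(final PrintWriter pw, final String name, final Object value) {
    pw.print(xssApi.encodeForHTML(name));
    pw.print(": <b>");
    if (value != null && value.getClass().isArray()) {
        // Reflective access works for both Object[] and primitive arrays
        final int length = java.lang.reflect.Array.getLength(value);
        pw.print('[');
        for (int i = 0; i < length; i++) {
            if (i > 0) {
                pw.print(", ");
            }
            final Object element = java.lang.reflect.Array.get(value, i);
            pw.print(xssApi.encodeForHTML(String.valueOf(element)));
        }
        pw.print(']');
    } else {
        pw.print(xssApi.encodeForHTML(String.valueOf(value)));
    }
    pw.print("</b><br />");
}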
/**
 * Read the component configuration and, when any visible customisation is configured,
 * register this component as a whiteboard servlet filter on "/" for every servlet context.
 *
 * Reads PROP_COLOR, PROP_CSS_OVERRIDE, PROP_INNER_HTML, PROP_TITLE_PREFIX and PROP_EXCLUDED_WCMMODES.
 * innerHTML has system-property placeholders expanded; titlePrefix is JS-string encoded at activation.
 *
 * @param ctx the OSGi component context supplying the configuration and bundle context
 */
@Activate
@SuppressWarnings("squid:S1149")
protected final void activate(ComponentContext ctx) {
    final Dictionary<?, ?> props = ctx.getProperties();

    color = PropertiesUtil.toString(props.get(PROP_COLOR), "");
    cssOverride = PropertiesUtil.toString(props.get(PROP_CSS_OVERRIDE), "");

    // Placeholders in the configured markup are resolved from JVM system properties.
    // NOTE(review): this lets configuration pull arbitrary system property values into the
    // emitted HTML — confirm who can edit this configuration.
    innerHTML = PropertiesUtil.toString(props.get(PROP_INNER_HTML), "");
    innerHTML = new StrSubstitutor(StrLookup.systemPropertiesLookup()).replace(innerHTML);

    // An explicit override wins over a generated colour rule; css is left untouched when neither is set
    if (StringUtils.isNotBlank(cssOverride)) {
        css = cssOverride;
    } else if (StringUtils.isNotBlank(color)) {
        css = createCss(color);
    }

    titlePrefix = xss.encodeForJSString(PropertiesUtil.toString(props.get(PROP_TITLE_PREFIX), ""));

    final boolean hasCss = StringUtils.isNotBlank(css);
    final boolean hasTitlePrefix = StringUtils.isNotBlank(titlePrefix);
    if (hasCss || hasTitlePrefix) {
        final Dictionary<String, String> filterProperties = new Hashtable<String, String>();
        filterProperties.put(HttpWhiteboardConstants.HTTP_WHITEBOARD_FILTER_PATTERN, "/");
        filterProperties.put(HttpWhiteboardConstants.HTTP_WHITEBOARD_CONTEXT_SELECT,
                "(" + HttpWhiteboardConstants.HTTP_WHITEBOARD_CONTEXT_NAME + "=*)");
        filterRegistration = ctx.getBundleContext()
                .registerService(Filter.class.getName(), this, filterProperties);
    }

    excludedWCMModes = PropertiesUtil.toStringArray(props.get(PROP_EXCLUDED_WCMMODES), DEFAULT_EXCLUDED_WCMMODES);
}
/**
 * Encode {@code source} for use inside an HTML attribute value using a freshly created {@link XSSAPIImpl}.
 * A new implementation instance is constructed on every call.
 *
 * @param source the string to be encoded
 * @return the encoded string
 */
public static String encodeForHTMLAttr(String source) {
    return new XSSAPIImpl().encodeForHTMLAttr(source);
}
/**
 * Write a short HTML summary of {@code r} (dumper class, path, metadata, type and super type) to {@code pw}.
 * Every dynamic value is passed through {@code xssApi.encodeForHTML} before it reaches the output.
 *
 * @param pw destination writer
 * @param r  the resource to describe
 */
private void printResourceInfo(final PrintWriter pw, final Resource r) {
    pw.print("<h1>Resource dumped by ");
    pw.print(xssApi.encodeForHTML(getClass().getSimpleName()));
    pw.println("</h1>");

    printResourceInfoRow(pw, "Resource path", r.getPath());
    printResourceInfoRow(pw, "Resource metadata", String.valueOf(r.getResourceMetadata()));
    printResourceInfoRow(pw, "Resource type", r.getResourceType());

    // The super type comes from the resolver; "-" is shown when there is none
    String superType = r.getResourceResolver().getParentResourceType(r);
    if (superType == null) {
        superType = "-";
    }
    printResourceInfoRow(pw, "Resource super type", superType);
}

/**
 * Write one {@code <p>label: <b>value</b></p>} row, HTML-encoding {@code value} (the label is a literal).
 *
 * @param pw    destination writer
 * @param label row label, written as-is
 * @param value row value, HTML-encoded before output
 */
private void printResourceInfoRow(final PrintWriter pw, final String label, final String value) {
    pw.print("<p>");
    pw.print(label);
    pw.print(": <b>");
    pw.print(xssApi.encodeForHTML(value));
    pw.println("</b></p>");
}