/**
 * Apply the strict sanitization policy to an HTML string.
 *
 * <p>Equivalent to {@code sanitize(input, false)}; the strict policy is the default so that
 * callers must opt into the lax policy explicitly.
 *
 * @param input the (potentially) tainted HTML to sanitize
 * @return sanitized HTML
 */
public static String sanitize(final String input) {
    // STRICT_POLICY is declared elsewhere in this class.
    return sanitize(input, STRICT_POLICY);
}
/**
 * Apply sanitization rules to an HTML string, selecting the policy by flag.
 *
 * @param input the (potentially) tainted HTML to sanitize
 * @param lax if true use the lax policy, otherwise use the strict policy
 * @return sanitized HTML
 */
public static String sanitize(final String input, final boolean lax) {
    // LAX_POLICY and STRICT_POLICY are declared elsewhere in this class; this overload only picks one.
    if (lax) {
        return sanitize(input, LAX_POLICY);
    }
    return sanitize(input, STRICT_POLICY);
}
/**
 * Sanitize text that is about to be emitted, using the lax policy.
 *
 * @param text the output text to sanitize
 * @return the sanitized text, or {@code text} itself when {@code Util.empty} reports it empty
 */
public static String sanitizeOutputText(final String text) {
    // Util.empty is defined outside this file; presumably it treats null as empty, so null is
    // returned as-is rather than passed to the scanner — confirm against Util.
    return Util.empty(text) ? text : sanitize(text, true);
}
/**
 * Sanitize text received as input, using the strict policy.
 *
 * @param text the input text to sanitize
 * @return the sanitized text, or {@code text} itself when {@code Util.empty} reports it empty
 */
public static String sanitizeInputText(final String text) {
    // Util.empty is defined outside this file; presumably it treats null as empty, so null is
    // returned as-is rather than passed to the scanner — confirm against Util.
    return Util.empty(text) ? text : sanitize(text);
}
/** The already-escaped open-bracket sequence must survive strict sanitization unchanged. */
@Test
public void testSanitizeOpenBracketEscaped() {
    final String escaped = WebUtilities.OPEN_BRACKET_ESCAPE;
    final String result = HtmlSanitizerUtil.sanitize(escaped);
    Assert.assertEquals(escaped, result);
}
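/**
 * A tainted attribute must be stripped, leaving the simple markup.
 *
 * <p>No {@code throws} clause: {@code HtmlSanitizerUtil.sanitize} declares no checked
 * exceptions, so the former {@code ScanException}/{@code PolicyException} clause was dead.
 */
@Test
public void testSanitizerTaintedAttribute() {
    Assert.assertEquals(SIMPLE_HTML, HtmlSanitizerUtil.sanitize(TAINTED_ATTRIBUTE));
}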
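/**
 * A style attribute made only of permitted declarations passes through the strict policy untouched.
 *
 * <p>No {@code throws} clause: {@code HtmlSanitizerUtil.sanitize} declares no checked exceptions.
 */
@Test
public void testSanitizerGoodStyle() {
    final String styled = "<p style=\"text-decoration: line-through;padding-left: 20.0px;\">content</p>";
    final String result = HtmlSanitizerUtil.sanitize(styled);
    Assert.assertEquals(styled, result);
}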
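/**
 * A server-relative (leading slash) href is kept by the strict policy.
 *
 * <p>No {@code throws} clause: {@code HtmlSanitizerUtil.sanitize} declares no checked exceptions.
 */
@Test
public void testSanitizerGoodServerLocalLink() {
    final String anchor = "<a href=\"/path/file.html\">Link</a>";
    final String result = HtmlSanitizerUtil.sanitize(anchor);
    Assert.assertEquals(anchor, result);
}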
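/**
 * Under the strict policy an anchor whose href contains a space is dropped; only its text remains.
 *
 * <p>No {@code throws} clause: {@code HtmlSanitizerUtil.sanitize} declares no checked exceptions.
 */
@Test
public void testSanitizerFilteredLinkBadHref() {
    final String badAnchor = "<a href=\"page here\">Hello</a>";
    Assert.assertEquals("Hello", HtmlSanitizerUtil.sanitize(badAnchor));
}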
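/**
 * Unclosed {@code <li>} elements are given explicit closing tags by the sanitizer.
 *
 * <p>No {@code throws} clause: {@code HtmlSanitizerUtil.sanitize} declares no checked exceptions.
 */
@Test
public void testSanitizerAddCloseTags() {
    final String unclosed = "<ul><li>unclosed li<li>second unclosed li</ul>";
    final String closed = "<ul><li>unclosed li</li><li>second unclosed li</li></ul>";
    Assert.assertEquals(closed, HtmlSanitizerUtil.sanitize(unclosed));
}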
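/**
 * The strict policy removes an {@code <input>} element entirely, leaving an empty string.
 *
 * <p>No {@code throws} clause: {@code HtmlSanitizerUtil.sanitize} declares no checked exceptions.
 */
@Test
public void testStrictSanitizerElement() {
    final String formControl = "<input name=\"foo\" type=\"text\" value=\"bar\"/>";
    // Explicit false selects the strict policy.
    final String result = HtmlSanitizerUtil.sanitize(formControl, false);
    Assert.assertEquals("", result);
}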
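/**
 * A permitted attribute with an acceptable value is retained by the strict policy.
 *
 * <p>No {@code throws} clause: {@code HtmlSanitizerUtil.sanitize} declares no checked exceptions.
 */
@Test
public void testSanitizerGoodAttribute() {
    final String titled = "<p title=\"Hello\">content</p>";
    final String result = HtmlSanitizerUtil.sanitize(titled);
    Assert.assertEquals(titled, result);
}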
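/**
 * A permitted attribute whose value is rejected is dropped while the element itself is kept.
 *
 * <p>No {@code throws} clause: {@code HtmlSanitizerUtil.sanitize} declares no checked exceptions.
 */
@Test
public void testSanitizerGoodAttributeBadValue() {
    final String badTitle = "<p title=\"???\">content</p>";
    final String stripped = "<p>content</p>";
    Assert.assertEquals(stripped, HtmlSanitizerUtil.sanitize(badTitle));
}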
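/**
 * A disallowed {@code <body>} wrapper is removed but its children are preserved.
 *
 * <p>No {@code throws} clause: {@code HtmlSanitizerUtil.sanitize} declares no checked exceptions.
 */
@Test
public void testSanitizerFilteredElement() {
    final String wrapped = "<body>Hello <p>goodbye</p></body>";
    final String unwrapped = "Hello <p>goodbye</p>";
    Assert.assertEquals(unwrapped, HtmlSanitizerUtil.sanitize(wrapped));
}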
/** The already-escaped close-bracket sequence must survive strict sanitization unchanged. */
@Test
public void testSanitizeCloseBracketEscaped() {
    final String escaped = WebUtilities.CLOSE_BRACKET_ESCAPE;
    final String result = HtmlSanitizerUtil.sanitize(escaped);
    Assert.assertEquals(escaped, result);
}
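/**
 * A rejected CSS declaration is removed from the style attribute, leaving it empty.
 *
 * <p>No {@code throws} clause: {@code HtmlSanitizerUtil.sanitize} declares no checked exceptions.
 */
@Test
public void testSanitizerStyleBadDecoration() {
    final String badDecoration = "<p style=\"text-decoration: all;\">content</p>";
    final String emptiedStyle = "<p style=\"\">content</p>";
    Assert.assertEquals(emptiedStyle, HtmlSanitizerUtil.sanitize(badDecoration));
}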
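/**
 * A document-relative href (no leading slash) is kept by the strict policy.
 *
 * <p>No {@code throws} clause: {@code HtmlSanitizerUtil.sanitize} declares no checked exceptions.
 */
@Test
public void testSanitizerGoodLocalLink() {
    final String anchor = "<a href=\"path/file.html\">Link</a>";
    final String result = HtmlSanitizerUtil.sanitize(anchor);
    Assert.assertEquals(anchor, result);
}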
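/**
 * Even the lax policy drops an anchor whose href contains a space, keeping only its text.
 *
 * <p>No {@code throws} clause: {@code HtmlSanitizerUtil.sanitize} declares no checked exceptions.
 */
@Test
public void testLaxScanFilteredLinkBadHref() {
    final String badAnchor = "<a href=\"page here\">Hello</a>";
    // Explicit true selects the lax policy.
    final String result = HtmlSanitizerUtil.sanitize(badAnchor, true);
    Assert.assertEquals("Hello", result);
}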
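/**
 * The lax policy removes a {@code <form>} element but keeps its text and the enclosing {@code <div>}.
 *
 * <p>No {@code throws} clause: {@code HtmlSanitizerUtil.sanitize} declares no checked exceptions.
 */
@Test
public void testLaxScanFilteredElement() {
    final String withForm = "<div>Hello<form>goodbye</form></div>";
    final String withoutForm = "<div>Hellogoodbye</div>";
    // Explicit true selects the lax policy.
    Assert.assertEquals(withoutForm, HtmlSanitizerUtil.sanitize(withForm, true));
}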
/** A bare close bracket is rewritten to its escape sequence by strict sanitization. */
@Test
public void testSanitizeCloseBracket() {
    final String rawBracket = "}";
    final String result = HtmlSanitizerUtil.sanitize(rawBracket);
    Assert.assertEquals(WebUtilities.CLOSE_BRACKET_ESCAPE, result);
}
}