/**
 * Encodes {@code source} so it is safe as XML element content (text between tags).
 * <p>
 * Delegates to a freshly constructed {@link XSSAPIImpl}. NOTE(review): the
 * encoder is instantiated directly on every call rather than obtained as a
 * service; confirm that is acceptable in the target container, and note this
 * encodes for element content only — attribute values need
 * {@code encodeForXMLAttr}.
 *
 * @param source the string to be encoded
 * @return the XML-element-content-encoded string
 */
public static String encodeForXML(String source) {
    final XSSAPI encoder = new XSSAPIImpl();
    final String encoded = encoder.encodeForXML(source);
    return encoded;
}
/**
 * Encodes {@code source} so it is safe inside a quoted XML attribute value.
 * <p>
 * Delegates to a freshly constructed {@link XSSAPIImpl}. NOTE(review): the
 * encoder is instantiated directly on every call rather than obtained as a
 * service; confirm that is acceptable in the target container. Use this for
 * attribute values, not for element content (see {@code encodeForXML}).
 *
 * @param source the string to be encoded
 * @return the XML-attribute-encoded string
 */
public static String encodeForXMLAttr(String source) {
    final XSSAPI encoder = new XSSAPIImpl();
    final String encoded = encoder.encodeForXMLAttr(source);
    return encoded;
}
/**
 * Encodes {@code source} so it is safe inside a quoted HTML attribute value.
 * <p>
 * Delegates to a freshly constructed {@link XSSAPIImpl}. NOTE(review): the
 * encoder is instantiated directly on every call rather than obtained as a
 * service; confirm that is acceptable in the target container. Attribute
 * encoding is not sufficient for URL-bearing attributes such as {@code href}
 * — those still need href validation on top of this.
 *
 * @param source the string to be encoded
 * @return the HTML-attribute-encoded string
 */
public static String encodeForHTMLAttr(String source) {
    final XSSAPI encoder = new XSSAPIImpl();
    final String encoded = encoder.encodeForHTMLAttr(source);
    return encoded;
}
/**
 * Encodes {@code source} so it is safe as HTML element content (text between tags).
 * <p>
 * Delegates to a freshly constructed {@link XSSAPIImpl}. NOTE(review): the
 * encoder is instantiated directly on every call rather than obtained as a
 * service; confirm that is acceptable in the target container. This is an
 * element-content encoder; for attribute values use {@code encodeForHTMLAttr}
 * and for script contexts use {@code encodeForJSString}.
 *
 * @param source the string to be encoded
 * @return the HTML-element-content-encoded string
 */
public static String encodeForHTML(String source) {
    final XSSAPI encoder = new XSSAPIImpl();
    final String encoded = encoder.encodeForHTML(source);
    return encoded;
}
/**
 * Builds the bare rich-text widget definition for the field {@code rteName}.
 * The field name is stored relative to the resource as {@code "./<name>"}.
 * <p>
 * NOTE(review): the name is passed through {@code encodeForJSString} before
 * being stored; JsonObject escapes string values itself on serialization, so
 * a name containing characters outside the encoder's immune set would end up
 * stored with JS escape sequences — confirm that is the intended result.
 *
 * @param rteName property name of the rich-text field
 * @return a JSON object describing a {@code richtext} cq:Widget with its label hidden
 */
@Override
protected JsonObject createEmptyWidget(String rteName) {
    final JsonObject widget = new JsonObject();
    final String relativeName = "./" + xssApi.encodeForJSString(rteName);
    widget.addProperty("xtype", "richtext");
    widget.addProperty("name", relativeName);
    widget.addProperty("hideLabel", true);
    widget.addProperty("jcr:primaryType", "cq:Widget");
    return widget;
}
/**
 * Template-facing helper: encodes {@code source} for an HTML element-content
 * context using the supplied {@link XSSAPI}.
 * <p>
 * Only element content is covered; attribute values and script strings have
 * their own helpers. A {@code null} {@code xssAPI} results in a
 * NullPointerException, as in any plain delegation.
 *
 * @param xssAPI the XSSAPI performing the encoding
 * @param source the source string
 * @return the encoded string
 */
@Function
public static CharSequence encodeForHTML(XSSAPI xssAPI, String source) {
    final CharSequence encoded = xssAPI.encodeForHTML(source);
    return encoded;
}
/**
 * Encodes {@code source} so it is safe inside a quoted JavaScript string literal.
 * <p>
 * Delegates to a freshly constructed {@link XSSAPIImpl}. NOTE(review): the
 * encoder is instantiated directly on every call rather than obtained as a
 * service; confirm that is acceptable in the target container. The caller is
 * still responsible for placing the result inside quotes — this encoder does
 * not make a bare (unquoted) script value safe.
 *
 * @param source the string to be encoded
 * @return the JavaScript-string-encoded string
 */
public static String encodeForJSString(String source) {
    final XSSAPI encoder = new XSSAPIImpl();
    final String encoded = encoder.encodeForJSString(source);
    return encoded;
}
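/**
 * Appends an {@code <input type="hidden">} element to {@code html}.
 * <p>
 * Both the name and the value are encoded for a quoted HTML attribute
 * context, so neither can terminate its attribute or the element. The
 * original encoded only the value and wrote the name verbatim; encoding the
 * name as well closes that gap and is harmless for ordinary names, since the
 * browser decodes attribute entities before submitting the field.
 *
 * @param html  builder receiving the markup
 * @param name  form field name
 * @param value form field value
 */
private void appendHiddenTag(StringBuilder html, String name, String value) {
    html.append("<input type=\"hidden\" name=\"")
        .append(xss.encodeForHTMLAttr(name))
        .append("\" value=\"")
        .append(xss.encodeForHTMLAttr(value))
        .append("\"/>\n");
}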
/**
 * Template-facing helper: validates {@code source} as an {@code href} value
 * through {@link XSSAPI#getValidHref}.
 * <p>
 * The code delegates to the standard XSS API; an earlier comment claimed the
 * opposite, citing a CQ 5.6.1 (and earlier) bug, internal reference
 * GRANITE-4193. NOTE(review): if that bug is still relevant for the deployed
 * CQ version, this delegation needs revisiting — confirm against the target.
 * Because the result is a URL, it should additionally be attribute-encoded
 * where it is written into markup.
 *
 * @param xssAPI the XSSAPI performing the validation
 * @param source the candidate href
 * @return the validated href as produced by the XSSAPI
 */
@Function
public static CharSequence getValidHref(XSSAPI xssAPI, String source) {
    final CharSequence validated = xssAPI.getValidHref(source);
    return validated;
}
/**
 * Template-facing helper: filters {@code source} as HTML through
 * {@link XSSAPI#filterHTML}.
 * <p>
 * Unlike the {@code encodeFor*} helpers this does not escape the input; it
 * returns markup, so the output is meant to be written as HTML. The filtering
 * rules are whatever the supplied XSSAPI applies (presumably its configured
 * policy — not visible here).
 *
 * @param xssAPI the XSSAPI performing the filtering
 * @param source the source markup
 * @return the filtered markup
 */
@Function
public static CharSequence filterHTML(XSSAPI xssAPI, String source) {
    final CharSequence filtered = xssAPI.filterHTML(source);
    return filtered;
}
/**
 * Template-facing helper: validates {@code token} as a single JavaScript
 * token through {@link XSSAPI#getValidJSToken}.
 * <p>
 * Per the XSSAPI contract the value must be a single identifier, a literal
 * number or a literal string; anything else yields {@code defaultValue}.
 * The default is returned as-is, so it must itself be a safe token.
 *
 * @param xssAPI       the XSSAPI performing the validation
 * @param token        the source token
 * @param defaultValue value used when {@code token} fails validation
 * @return a single identifier, literal number or literal string token
 */
@Function
public static String getValidJSToken(XSSAPI xssAPI, String token, String defaultValue) {
    final String validated = xssAPI.getValidJSToken(token, defaultValue);
    return validated;
}
/**
 * Template-facing helper: validates {@code integer} as an integer through
 * {@link XSSAPI#getValidInteger}.
 * <p>
 * Returns {@code defaultValue} when the source is empty, cannot be parsed or
 * carries XSS risk (the XSSAPI decides). The primitive result of the XSSAPI
 * call is boxed to {@code Integer} for the template layer.
 *
 * @param xssAPI       the XSSAPI performing the validation
 * @param integer      the source string expected to hold an integer
 * @param defaultValue value used when the source cannot be used
 * @return the sanitized integer
 */
@Function
public static Integer getValidInteger(XSSAPI xssAPI, String integer, int defaultValue) {
    final Integer validated = xssAPI.getValidInteger(integer, defaultValue);
    return validated;
}
/**
 * Template-facing helper: validates {@code dimension} as a CSS-style
 * dimension through {@link XSSAPI#getValidDimension}.
 * <p>
 * Per the XSSAPI contract integer dimensions and the keyword {@code "auto"}
 * are accepted; an empty, unparsable or risky source yields
 * {@code defaultValue}, which is returned as-is and so must be safe itself.
 *
 * @param xssAPI       the XSSAPI performing the validation
 * @param dimension    the source dimension
 * @param defaultValue value used when the source cannot be used
 * @return the sanitized dimension
 */
@Function
public static String getValidDimension(XSSAPI xssAPI, String dimension, String defaultValue) {
    final String validated = xssAPI.getValidDimension(dimension, defaultValue);
    return validated;
}
/**
 * Builds the bare tags widget definition for the property {@code propertyName}.
 * The property is stored relative to the resource as {@code "./<name>"}.
 * <p>
 * NOTE(review): the name is passed through {@code encodeForJSString} before
 * being stored; JsonObject escapes string values itself on serialization, so
 * a name containing characters outside the encoder's immune set would end up
 * stored with JS escape sequences — confirm that is the intended result.
 *
 * @param propertyName property name of the tags field
 * @return a JSON object describing a {@code tags} cq:Widget labelled "Tags/Keywords"
 */
@Override
protected JsonObject createEmptyWidget(String propertyName) {
    final JsonObject widget = new JsonObject();
    final String relativeName = "./" + xssApi.encodeForJSString(propertyName);
    widget.addProperty("xtype", "tags");
    widget.addProperty("name", relativeName);
    widget.addProperty("fieldLabel", "Tags/Keywords");
    widget.addProperty("jcr:primaryType", "cq:Widget");
    return widget;
}
/**
 * Returns a copy of the form-error map whose values are HTML-encoded.
 * <p>
 * Keys are copied unchanged; only values go through
 * {@code xss.encodeForHTML}, i.e. element-content encoding. NOTE(review):
 * if these values are later written into an attribute rather than element
 * text, confirm the encoder also neutralises quotes for that context. The
 * input map is not modified.
 *
 * @param errors field name to error message, as produced by form validation
 * @return a new map with the same keys and HTML-encoded values
 */
protected final Map<String, String> getProtectedErrors(final Map<String, String> errors) {
    final Map<String, String> encodedErrors = new HashMap<String, String>();
    for (final Map.Entry<String, String> error : errors.entrySet()) {
        final String field = error.getKey();
        final String message = xss.encodeForHTML(error.getValue());
        encodedErrors.put(field, message);
    }
    return encodedErrors;
}
/**
 * Template-facing helper: encodes {@code source} for a quoted HTML attribute
 * value using the supplied {@link XSSAPI}.
 * <p>
 * This covers the attribute context only; URL-bearing attributes such as
 * {@code href} additionally need href validation, and element content needs
 * {@code encodeForHTML}.
 *
 * @param xssAPI the XSSAPI performing the encoding
 * @param source the source string
 * @return the attribute-encoded string
 */
@Function
public static CharSequence encodeForHTMLAttr(XSSAPI xssAPI, String source) {
    final CharSequence encoded = xssAPI.encodeForHTMLAttr(source);
    return encoded;
}
/**
 * Template-facing helper: encodes {@code source} for a quoted JavaScript
 * string literal using the supplied {@link XSSAPI}.
 * <p>
 * The template must still place the result inside quotes; this does not make
 * an unquoted script value safe, and it is not an HTML encoder — a script
 * block embedded in markup needs both considerations.
 *
 * @param xssAPI the XSSAPI performing the encoding
 * @param source the source string
 * @return the JavaScript-string-encoded string
 */
@Function
public static CharSequence encodeForJSString(XSSAPI xssAPI, String source) {
    final CharSequence encoded = xssAPI.encodeForJSString(source);
    return encoded;
}
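/**
 * Renders hidden {@code <input>} elements carrying the form name, the form's
 * resource path and the requested form values, one element per line.
 * <p>
 * The form name and resource path are attribute-encoded here. The values
 * looked up by {@code keys} are written unencoded: the contract is that the
 * form's data and errors were already XSS-protected before this method is
 * called (see {@code getProtectedErrors}). NOTE(review): that upstream
 * protection uses element-content encoding while these values land in a
 * quoted attribute — confirm it also neutralises quotes. The keys themselves
 * are written verbatim too, so keep them to trusted constants.
 *
 * @param form the form whose state is round-tripped as hidden inputs
 * @param keys names of form values to emit; a key the form does not have is skipped
 * @return the concatenated hidden-input markup
 */
public final String getFormInputsHTML(final Form form, final String... keys) {
    // Local-only buffer: StringBuilder avoids StringBuffer's needless synchronization.
    final StringBuilder html = new StringBuilder();
    appendHiddenInput(html, FormHelper.FORM_NAME_INPUT, xss.encodeForHTMLAttr(form.getName()));
    appendHiddenInput(html, FormHelper.FORM_RESOURCE_INPUT, xss.encodeForHTMLAttr(form.getResourcePath()));
    for (final String key : keys) {
        if (form.has(key)) {
            // Value is expected to be pre-protected by the caller; neither key nor value is encoded here.
            appendHiddenInput(html, key, form.get(key));
        }
    }
    return html.toString();
}

/** Appends one hidden input; name and value are written exactly as given (no encoding). */
private static void appendHiddenInput(final StringBuilder html, final String name, final String value) {
    html.append("<input type=\"hidden\" name=\"").append(name)
        .append("\" value=\"").append(value).append("\"/>\n");
}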
/**
 * Builds the bare tags widget definition for the property {@code propertyName}.
 * The property is stored relative to the resource as {@code "./<name>"}.
 * <p>
 * NOTE(review): the name is passed through {@code encodeForJSString} before
 * being stored; JSONObject escapes string values itself on serialization, so
 * a name containing characters outside the encoder's immune set would end up
 * stored with JS escape sequences — confirm that is the intended result.
 *
 * @param propertyName property name of the tags field
 * @return a JSON object describing a {@code tags} cq:Widget labelled "Tags/Keywords"
 * @throws JSONException propagated from {@link JSONObject#put}
 */
@Override
protected JSONObject createEmptyWidget(String propertyName) throws JSONException {
    final JSONObject widget = new JSONObject();
    final String relativeName = "./" + xssApi.encodeForJSString(propertyName);
    widget.put("xtype", "tags");
    widget.put("name", relativeName);
    widget.put("fieldLabel", "Tags/Keywords");
    widget.put("jcr:primaryType", "cq:Widget");
    return widget;
}
/**
 * Builds the bare rich-text widget definition for the field {@code rteName}.
 * The field name is stored relative to the resource as {@code "./<name>"}.
 * <p>
 * NOTE(review): the name is passed through {@code encodeForJSString} before
 * being stored; JSONObject escapes string values itself on serialization, so
 * a name containing characters outside the encoder's immune set would end up
 * stored with JS escape sequences — confirm that is the intended result.
 *
 * @param rteName property name of the rich-text field
 * @return a JSON object describing a {@code richtext} cq:Widget with its label hidden
 * @throws JSONException propagated from {@link JSONObject#put}
 */
@Override
protected JSONObject createEmptyWidget(String rteName) throws JSONException {
    final JSONObject widget = new JSONObject();
    final String relativeName = "./" + xssApi.encodeForJSString(rteName);
    widget.put("xtype", "richtext");
    widget.put("name", relativeName);
    widget.put("hideLabel", true);
    widget.put("jcr:primaryType", "cq:Widget");
    return widget;
}