
1   package org.apache.turbine.util;
2   
3   /*
4    * Copyright 2001-2005 The Apache Software Foundation.
5    *
6    * Licensed under the Apache License, Version 2.0 (the "License")
7    * you may not use this file except in compliance with the License.
8    * You may obtain a copy of the License at
9    *
10   *     http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing, software
13   * distributed under the License is distributed on an "AS IS" BASIS,
14   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15   * See the License for the specific language governing permissions and
16   * limitations under the License.
17   */
18  
19  import org.apache.ecs.Entities;
20  
21  import org.apache.ecs.filter.CharacterFilter;
22  
23  /***
24   * HTML-escaping helpers for user-entered text; originally part of the Screen class.
25   *
26   *
27   * @author <a href="mailto:mbryson@mont.mindspring.com">Dave Bryson</a>
28   * @author <a href="mailto:hps@intermeta.de">Henning P. Schmiedehausen</a>
29   * @version $Id: InputFilterUtils.java 264148 2005-08-29 14:21:04Z henning $
30   */
31  
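public abstract class InputFilterUtils
{
    /**
     * Entity reference used for the apostrophe.  HTML 4 defines no named
     * entity for U+0027, so the numeric reference is used.  The previous
     * version of this class mapped the apostrophe to {@code &lsquo;}, which
     * is a <em>different</em> character (U+2018): the attribute break-out was
     * prevented, but the user's text was silently altered on every round
     * trip.  {@code &#39;} decodes back to the plain apostrophe.
     */
    private static final String APOS_ENTITY = "&#39;";

    /**
     * Filter behind {@link #prepareText(String)}: escapes {@code " ' & < >}.
     */
    private static final CharacterFilter filter = htmlFilter();

    /**
     * Filter behind {@link #prepareTextMinimum(String)}: escapes only
     * {@code <}.
     */
    private static final CharacterFilter minFilter = htmlMinFilter();

    /**
     * Escapes user-entered text so that it can be emitted into an HTML page
     * without being interpreted as markup.  The five characters
     * {@code " ' & < >} are replaced by entity references, which is
     * sufficient for element text content and for double- or single-quoted
     * attribute values.
     * <p>
     * It is <strong>not</strong> sufficient for other output contexts:
     * unquoted attribute values, URL or {@code javascript:} parameters,
     * inline event-handler attributes, and {@code <script>} or
     * {@code <style>} bodies each need context-specific encoding that this
     * class does not provide.
     * <p>
     * {@code null} input is handed straight to the underlying
     * {@link CharacterFilter}; this class makes no promise about what the
     * filter does with it.
     *
     * @param s The user-entered string to escape.
     * @return The string with the HTML special characters replaced by
     *         entity references.
     */
    public static String prepareText(String s)
    {
        return filter.process(s);
    }

    /**
     * Escapes only the {@code <} character of user-entered text, leaving
     * {@code " ' & >} untouched.  This stops a tag (and therefore a
     * {@code <script>} element) from being opened in element text, and
     * nothing more.
     * <p>
     * Because quotes and ampersands pass through unchanged, the result is
     * only safe as element text content.  Never place it inside an HTML
     * attribute value (a {@code "} or {@code '} would terminate the
     * attribute and allow {@code onmouseover=...}-style injection), inside
     * a {@code <script>} block, or in a URL.  Use
     * {@link #prepareText(String)} whenever in doubt.
     * <p>
     * {@code null} input is handed straight to the underlying
     * {@link CharacterFilter}, as in {@link #prepareText(String)}.
     *
     * @param s The user-entered string to escape.
     * @return The string with every {@code <} replaced by {@code &lt;}.
     */
    public static String prepareTextMinimum(String s)
    {
        return minFilter.process(s);
    }

    /**
     * Builds the full HTML filter.
     * <p>
     * All five attributes are added explicitly rather than relied upon as
     * ECS defaults: at least ECS 1.2 did not install them, and a filter that
     * silently escapes nothing is the worst possible failure mode here.  The
     * apostrophe is mapped to {@link #APOS_ENTITY} rather than
     * {@code Entities.LSQUO} so the character survives a round trip.
     *
     * @return A CharacterFilter that escapes {@code " ' & < >}.
     */
    private static CharacterFilter htmlFilter()
    {
        CharacterFilter full = new CharacterFilter();
        full.addAttribute("\"", Entities.QUOT);
        full.addAttribute("'", APOS_ENTITY);
        full.addAttribute("&", Entities.AMP);
        full.addAttribute("<", Entities.LT);
        full.addAttribute(">", Entities.GT);
        return full;
    }

    /**
     * Builds the minimal HTML filter, which escapes nothing but {@code <}.
     * <p>
     * Some ECS versions pre-populate a new CharacterFilter with the HTML
     * specials, so the unwanted ones are removed explicitly before
     * {@code <} is (re-)added; on versions without defaults the removals
     * should simply find nothing to remove.
     *
     * @return A CharacterFilter that escapes only {@code <}.
     */
    private static CharacterFilter htmlMinFilter()
    {
        CharacterFilter minimal = new CharacterFilter();
        minimal.removeAttribute(">");
        minimal.removeAttribute("\"");
        minimal.removeAttribute("'");
        minimal.removeAttribute("&");
        minimal.addAttribute("<", Entities.LT);
        return minimal;
    }
}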