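package org.apache.turbine.util;


/*
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements.  See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership.  The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License.  You may obtain a copy of the License at
 *
 *   http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing,
 * software distributed under the License is distributed on an
 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 * KIND, either express or implied.  See the License for the
 * specific language governing permissions and limitations
 * under the License.
 */


import org.apache.ecs.Entities;

import org.apache.ecs.filter.CharacterFilter;

/**
 * Some filter methods that have been orphaned in the Screen class.
 *
 * <p>Both filters in this class are <em>HTML element-content</em> escapers:
 * they replace individual characters with HTML entity references so that
 * user supplied text is rendered literally instead of being parsed as
 * markup.  They are not sufficient on their own for other output contexts
 * (JavaScript string literals, URLs, CSS, or {@code prepareTextMinimum}
 * inside attribute values); those need context-specific encoding.</p>
 *
 * <p>The two {@link CharacterFilter} instances are built once when the class
 * is initialised and are not modified afterwards by this class.</p>
 *
 * @author <a href="mailto:mbryson@mont.mindspring.com">Dave Bryson</a>
 * @author <a href="mailto:hps@intermeta.de">Henning P. Schmiedehausen</a>
 * @version $Id: InputFilterUtils.java 615328 2008-01-25 20:25:05Z tv $
 */

public abstract class InputFilterUtils
{
    /**
     * Numeric character reference for the apostrophe.  HTML 4 defines no
     * named entity for it ({@code &amp;apos;} is XML-only), and
     * {@link Entities#LSQUO} is a <em>different</em> character (the left
     * typographic quote U+2018), so mapping {@code '} to it silently
     * rewrites the user's text ("don't" renders as "don&lsquo;t").  The
     * numeric reference neutralises the quote for attribute break-out
     * purposes without changing what the reader sees.
     */
    private static final String APOS_REF = "&#39;";

    /** The normal input filter: escapes {@code " ' & < >}. */
    private static final CharacterFilter filter = htmlFilter();

    /** The minimal input filter: escapes {@code <} only. */
    private static final CharacterFilter minFilter = htmlMinFilter();

    /**
     * Escape user entered text for output as HTML.  This should be used in
     * any screen that will output user entered text; it replaces
     * {@code " ' & < >} with entity references so that injected markup such
     * as {@code <SCRIPT>} is displayed rather than executed by the browser.
     *
     * <p>The result is safe for HTML element content and for quoted
     * attribute values.  It is <em>not</em> an encoder for JavaScript,
     * URL or CSS contexts.</p>
     *
     * @param s The string to prepare.  Behaviour for {@code null} is whatever
     *          {@link CharacterFilter#process(String)} does with it; this
     *          class adds no guard (NOTE(review): confirm against the ECS
     *          version in use before relying on it).
     * @return A string with the input already prepared.
     */
    public static String prepareText(String s)
    {
        return filter.process(s);
    }

    /**
     * Escape user entered text minimally for output as HTML: only
     * {@code <} is replaced; {@code > " ' &} pass through unchanged.
     *
     * <p>This stops a tag from opening in element content, but it is
     * <strong>not safe inside an attribute value</strong>: an unescaped
     * quote closes the attribute and lets an attacker add further
     * attributes (e.g. an event handler).  It is likewise not safe inside a
     * {@code <script>} block or any non-HTML context.  Prefer
     * {@link #prepareText(String)} unless the output position is known to
     * be plain element content and the unescaped characters are required
     * there.</p>
     *
     * @param s The string to prepare.  {@code null} handling is delegated to
     *          {@link CharacterFilter#process(String)} as in
     *          {@link #prepareText(String)}.
     * @return A string with {@code <} escaped and all other characters intact.
     */
    public static String prepareTextMinimum(String s)
    {
        return minFilter.process(s);
    }

    /**
     * Build the normal HTML filter.
     *
     * <p>These attributes are supposed to be the default, but they are
     * not, at least in ECS 1.2.  Include them all just to be safe.  The
     * apostrophe is mapped to {@link #APOS_REF} rather than
     * {@link Entities#LSQUO}; see that constant for why.</p>
     *
     * @return A CharacterFilter to do HTML filtering.
     */
    private static CharacterFilter htmlFilter()
    {
        CharacterFilter filter = new CharacterFilter();
        filter.addAttribute("\"", Entities.QUOT);
        filter.addAttribute("'", APOS_REF);
        filter.addAttribute("&", Entities.AMP);
        filter.addAttribute("<", Entities.LT);
        filter.addAttribute(">", Entities.GT);
        return filter;
    }

    /**
     * Build the minimal HTML filter.
     *
     * <p>We would like to filter user entered text that might be
     * dynamically added, using javascript for example.  But we do not
     * want to filter all the above chars, so we will just disallow
     * {@code <}.  The {@code removeAttribute} calls strip any default
     * mappings the ECS version in use may ship with, so the resulting
     * filter escapes exactly one character regardless of ECS version.
     * See {@link #prepareTextMinimum(String)} for the contexts in which
     * this is and is not safe.</p>
     *
     * @return A CharacterFilter to do minimal HTML filtering.
     */
    private static CharacterFilter htmlMinFilter()
    {
        CharacterFilter filter = new CharacterFilter();
        filter.removeAttribute(">");
        filter.removeAttribute("\"");
        filter.removeAttribute("'");
        filter.removeAttribute("&");
        filter.addAttribute("<", Entities.LT);
        return filter;
    }
}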