001    package org.apache.turbine.util;
002    
003    
004    /*
005     * Licensed to the Apache Software Foundation (ASF) under one
006     * or more contributor license agreements.  See the NOTICE file
007     * distributed with this work for additional information
008     * regarding copyright ownership.  The ASF licenses this file
009     * to you under the Apache License, Version 2.0 (the
010     * "License"); you may not use this file except in compliance
011     * with the License.  You may obtain a copy of the License at
012     *
013     *   http://www.apache.org/licenses/LICENSE-2.0
014     *
015     * Unless required by applicable law or agreed to in writing,
016     * software distributed under the License is distributed on an
017     * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
018     * KIND, either express or implied.  See the License for the
019     * specific language governing permissions and limitations
020     * under the License.
021     */
022    
023    
024    import org.apache.ecs.Entities;
025    
026    import org.apache.ecs.filter.CharacterFilter;
027    
028    /**
029     * Some filter methods that have been orphaned in the Screen class.
030     *
031     *
032     * @author <a href="mailto:mbryson@mont.mindspring.com">Dave Bryson</a>
033     * @author <a href="mailto:hps@intermeta.de">Henning P. Schmiedehausen</a>
034     * @version $Id: InputFilterUtils.java 615328 2008-01-25 20:25:05Z tv $
035     */
036    
public abstract class InputFilterUtils
{
    /**
     * The "full" filter: rewrites {@code "}, {@code '}, {@code &},
     * {@code <} and {@code >} to entity references. Built once at class
     * initialisation and shared by every call to {@link #prepareText}.
     */
    private static final CharacterFilter FULL_FILTER = buildFullFilter();

    /**
     * The "minimal" filter: rewrites only {@code <}; every other character
     * is passed through unchanged. Shared by {@link #prepareTextMinimum}.
     */
    private static final CharacterFilter MINIMAL_FILTER = buildMinimalFilter();

    /**
     * Escapes user-entered text before it is written into HTML so that
     * markup such as {@code <SCRIPT>} is rendered literally instead of
     * being parsed by the browser.
     *
     * <p>Five characters are replaced: {@code "} by {@code Entities.QUOT},
     * {@code '} by {@code Entities.LSQUO}, {@code &} by
     * {@code Entities.AMP}, {@code <} by {@code Entities.LT} and
     * {@code >} by {@code Entities.GT}. Note that the apostrophe is mapped to
     * the LSQUO entity (a typographic left quote), so round-tripping the
     * text does not give back a plain {@code '}.
     *
     * <p>Null handling is whatever {@code CharacterFilter.process} does;
     * this method performs no check of its own.
     *
     * @param s The string to prepare.
     * @return A string with the input already prepared.
     */
    public static String prepareText(String s)
    {
        return FULL_FILTER.process(s);
    }

    /**
     * Escapes only the {@code <} character of user-entered text, leaving
     * {@code "}, {@code '}, {@code &} and {@code >} untouched.
     *
     * <p>Because quotes and ampersands pass through, the result is only
     * safe to place in element content; it is not sufficient for an HTML
     * attribute value or for any context where a raw {@code &} must not
     * reach the browser. Use {@link #prepareText} for those cases.
     *
     * <p>Null handling is whatever {@code CharacterFilter.process} does;
     * this method performs no check of its own.
     *
     * @param s The string to prepare.
     * @return A string with the input already prepared.
     */
    public static String prepareTextMinimum(String s)
    {
        return MINIMAL_FILTER.process(s);
    }

    /**
     * Builds the filter behind {@link #prepareText}.
     *
     * <p>These attributes are supposed to be the default, but they are
     * not, at least in ECS 1.2, so every one of them is registered
     * explicitly rather than relying on the constructor.
     *
     * @return A CharacterFilter to do HTML filtering.
     */
    private static CharacterFilter buildFullFilter()
    {
        CharacterFilter escaper = new CharacterFilter();

        escaper.addAttribute("\"", Entities.QUOT);
        // Deliberately LSQUO rather than a numeric apostrophe entity;
        // kept as-is so existing output does not change.
        escaper.addAttribute("'", Entities.LSQUO);
        escaper.addAttribute("&", Entities.AMP);
        escaper.addAttribute("<", Entities.LT);
        escaper.addAttribute(">", Entities.GT);

        return escaper;
    }

    /**
     * Builds the filter behind {@link #prepareTextMinimum}.
     *
     * <p>The intent is to allow text that may be added dynamically (via
     * javascript, for example) without rewriting every special character,
     * so only {@code <} is disallowed. The explicit removals guard against
     * any replacements the {@code CharacterFilter} constructor may have
     * installed for the other characters.
     *
     * @return A CharacterFilter to do minimal HTML filtering.
     */
    private static CharacterFilter buildMinimalFilter()
    {
        CharacterFilter escaper = new CharacterFilter();

        // Same removal order as before; these characters must reach the
        // output verbatim.
        String[] passThrough = { ">", "\"", "'", "&" };
        for (int i = 0; i < passThrough.length; i++)
        {
            escaper.removeAttribute(passThrough[i]);
        }

        escaper.addAttribute("<", Entities.LT);

        return escaper;
    }
}