001 package org.apache.turbine.util;
002
003
004 /*
005 * Licensed to the Apache Software Foundation (ASF) under one
006 * or more contributor license agreements. See the NOTICE file
007 * distributed with this work for additional information
008 * regarding copyright ownership. The ASF licenses this file
009 * to you under the Apache License, Version 2.0 (the
010 * "License"); you may not use this file except in compliance
011 * with the License. You may obtain a copy of the License at
012 *
013 * http://www.apache.org/licenses/LICENSE-2.0
014 *
015 * Unless required by applicable law or agreed to in writing,
016 * software distributed under the License is distributed on an
017 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
018 * KIND, either express or implied. See the License for the
019 * specific language governing permissions and limitations
020 * under the License.
021 */
022
023
024 import org.apache.ecs.Entities;
025
026 import org.apache.ecs.filter.CharacterFilter;
027
028 /**
029 * Some filter methods that have been orphaned in the Screen class.
030 *
031 *
032 * @author <a href="mailto:mbryson@mont.mindspring.com">Dave Bryson</a>
033 * @author <a href="mailto:hps@intermeta.de">Henning P. Schmiedehausen</a>
034 * @version $Id: InputFilterUtils.java 615328 2008-01-25 20:25:05Z tv $
035 */
036
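public abstract class InputFilterUtils
{
    /**
     * The full output filter: escapes the five characters that are
     * significant in HTML text and attribute content ({@code " ' & < >}).
     */
    private static final CharacterFilter filter = htmlFilter();

    /**
     * The minimal output filter: escapes {@code <} only, so that everything
     * else the user typed is preserved verbatim in the page.
     */
    private static final CharacterFilter minFilter = htmlMinFilter();

    /**
     * Escapes user-entered text for inclusion in HTML output.
     *
     * <p>Replaces {@code "}, {@code '}, {@code &}, {@code <} and {@code >}
     * with their entity forms (see {@link #htmlFilter()}), which stops
     * entered markup such as {@code <SCRIPT>} tags from being interpreted
     * by the browser. Use this variant wherever the output position is a
     * quoted attribute value or ordinary element text.
     *
     * <p>Processing is delegated to ECS {@code CharacterFilter.process};
     * whether a {@code null} argument is tolerated is up to that class and
     * is not checked here.
     *
     * @param s The string to prepare.
     * @return A string with the input already prepared.
     */
    public static String prepareText(String s)
    {
        return filter.process(s);
    }

    /**
     * Escapes only the {@code <} character of user-entered text.
     *
     * <p>Unlike {@link #prepareText(String)}, {@code >}, {@code &}, {@code "}
     * and {@code '} are passed through unchanged (see
     * {@link #htmlMinFilter()}). That is enough to keep a new tag from being
     * opened inside element text, but it does not protect text that is
     * emitted inside an attribute value, a {@code <script>} block or any
     * other non-text context; callers must use {@link #prepareText(String)}
     * for those positions.
     *
     * <p>Processing is delegated to ECS {@code CharacterFilter.process};
     * whether a {@code null} argument is tolerated is up to that class and
     * is not checked here.
     *
     * @param s The string to prepare.
     * @return A string with {@code <} already prepared.
     */
    public static String prepareTextMinimum(String s)
    {
        return minFilter.process(s);
    }

    /**
     * Builds the filter behind {@link #prepareText(String)}.
     *
     * <p>These attributes are supposed to be the default, but they are
     * not, at least in ECS 1.2. Include them all just to be safe. Note that
     * the single quote is mapped to {@code Entities.LSQUO} (the typographic
     * left single quote entity) rather than to a plain numeric apostrophe
     * escape; either form breaks out of a quoted attribute no longer, but
     * the rendered glyph differs from what the user typed.
     *
     * @return A CharacterFilter to do HTML filtering.
     */
    private static CharacterFilter htmlFilter()
    {
        // Local is named differently from the static field so the two are
        // not confused while reading the initialiser.
        CharacterFilter fullFilter = new CharacterFilter();
        fullFilter.addAttribute("\"", Entities.QUOT);
        fullFilter.addAttribute("'", Entities.LSQUO);
        fullFilter.addAttribute("&", Entities.AMP);
        fullFilter.addAttribute("<", Entities.LT);
        fullFilter.addAttribute(">", Entities.GT);
        return fullFilter;
    }

    /**
     * Builds the filter behind {@link #prepareTextMinimum(String)}.
     *
     * <p>We would like to filter user entered text that might be
     * dynamically added, using javascript for example. But we do not
     * want to filter all the above chars, so we will just disallow
     * {@code <}. The explicit {@code removeAttribute} calls undo any
     * mappings the ECS default constructor may install for the other
     * characters, so the resulting filter touches {@code <} only.
     *
     * @return A CharacterFilter to do minimal HTML filtering.
     */
    private static CharacterFilter htmlMinFilter()
    {
        CharacterFilter minimalFilter = new CharacterFilter();
        minimalFilter.removeAttribute(">");
        minimalFilter.removeAttribute("\"");
        minimalFilter.removeAttribute("'");
        minimalFilter.removeAttribute("&");
        minimalFilter.addAttribute("<", Entities.LT);
        return minimalFilter;
    }
}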