java.lang.Object
com.jcorporate.expresso.core.security.filters.Filter
com.jcorporate.expresso.core.security.filters.HtmlFilter
com.jcorporate.expresso.core.security.filters.HtmlPlusURLFilter
- Direct Known Subclasses:
- AllowedHtmlPlusURLFilter
- public class HtmlPlusURLFilter
- extends HtmlFilter
This class provides a filter implementation for HTML output, protecting against
XSS exploits, plus it creates anchor (<a>) tags for anything that starts
with 'http://', 'www.', etc.
| Methods inherited from class java.lang.Object |
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait |
URL_TYPES
public static final java.lang.String[] URL_TYPES
URL_INFORMAL_PREFIXES
public static final java.lang.String[] URL_INFORMAL_PREFIXES
MAX_CHARS_IN_URL_LABEL
public static final java.lang.String MAX_CHARS_IN_URL_LABEL
- Name for Setup value which decides if we are limiting anchor labels
- See Also:
- Constant Field Values
HtmlPlusURLFilter
public HtmlPlusURLFilter()
throws java.lang.IllegalArgumentException
- No-args constructor required
HtmlPlusURLFilter
public HtmlPlusURLFilter(java.lang.String[] specialStringList,
java.lang.String[] replaceList)
throws java.lang.IllegalArgumentException
- Constructor for passing strings and their replacements
standardFilter
public java.lang.String standardFilter(java.lang.String data)
- This filter HTML encodes all special characters defined by the replacement
list. If a particular character does not exist in the map, the character
is appended to the result unchanged.
If it does exist, the value the special character maps to is appended
to the result instead.
- Overrides:
standardFilter in class Filter
addHttpPrefixIfNeeded
public static java.lang.String addHttpPrefixIfNeeded(java.lang.String url)
- Given a url string, if it's null or equals "" then just return
it as is. Otherwise check if it is valid form, that is, starts
with http:// or ftp:// or some other valid url prefix. If not,
prepend http://.
hasValidUrlPrefix
public static boolean hasValidUrlPrefix(java.lang.String url)
- Return true if the url has a valid prefix, like http://
isValidUrl
public static boolean isValidUrl(java.lang.String url)
- Return true if the url is valid. Checks that it is not
null, that it has a valid prefix, and that it contains
a dot (must, to have a domain name) and at least 2 characters
after the dot (the domain). Add more tests here as appropriate.
getWebHostPort
public static java.lang.String getWebHostPort(com.jcorporate.expresso.core.controller.ControllerRequest request)
- Get web server address
insertHrefTags
public static java.lang.String insertHrefTags(java.lang.String s)
- Insert an anchor (<a href>) tag around any http, https, www, or www2 string
findEndOfHref
public static int findEndOfHref(java.lang.String s,
int start)
- Finds the end of a hyperlink
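The following is an added example, not Expresso's own code, showing how the methods documented above fit together: a replacement-map encoder written to the algorithm given for standardFilter, the prefix and validity checks described for hasValidUrlPrefix, isValidUrl and addHttpPrefixIfNeeded, a findEndOfHref that stops at whitespace, quotes and angle brackets, and a one-pass filter that encodes ordinary text and wraps detected links in anchors. The contents of URL_TYPES, the replacement map, the link-start pattern and the class and method name filterWithLinks are assumptions made for this example; the page does not show the project's actual values.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example, not Expresso's own code: a replacement-map encoder in the style of
// standardFilter, the URL prefix/validity checks, and a one-pass linkifier built from them.
public class HtmlPlusUrlFilterExample {
    // Assumed values: the page declares URL_TYPES but does not show its contents.
    static final String[] URL_TYPES = {"http://", "https://", "ftp://"};

    // Assumed replacement list; Expresso's default map is not shown on this page.
    private static final Map<Character, String> REPLACEMENTS = new HashMap<>();
    static {
        REPLACEMENTS.put('&', "&amp;");
        REPLACEMENTS.put('<', "&lt;");
        REPLACEMENTS.put('>', "&gt;");
        REPLACEMENTS.put('"', "&quot;");
        REPLACEMENTS.put('\'', "&#39;");
    }

    // The algorithm the Javadoc gives for standardFilter: look each character up in the
    // map; append it unchanged if absent, otherwise append its replacement.
    public static String standardFilter(String data) {
        if (data == null) return null;
        StringBuilder out = new StringBuilder(data.length() + 16);
        for (int i = 0; i < data.length(); i++) {
            char c = data.charAt(i);
            String mapped = REPLACEMENTS.get(c);
            out.append(mapped == null ? String.valueOf(c) : mapped);
        }
        return out.toString();
    }

    // Only the schemes in URL_TYPES count, so a "javascript:" string can never reach an href.
    public static boolean hasValidUrlPrefix(String url) {
        if (url == null) return false;
        String lower = url.toLowerCase();
        for (String p : URL_TYPES) if (lower.startsWith(p)) return true;
        return false;
    }

    // Not null, valid prefix, and a dot with at least two characters after it.
    public static boolean isValidUrl(String url) {
        if (!hasValidUrlPrefix(url)) return false;
        int dot = url.indexOf('.');
        return dot >= 0 && url.length() - dot - 1 >= 2;
    }

    public static String addHttpPrefixIfNeeded(String url) {
        if (url == null || url.equals("")) return url;
        return hasValidUrlPrefix(url) ? url : "http://" + url;
    }

    // End of the link starting at 'start': the first whitespace, quote or angle bracket,
    // minus trailing sentence punctuation such as "." or ")".
    public static int findEndOfHref(String s, int start) {
        int i = start;
        while (i < s.length()) {
            char c = s.charAt(i);
            if (Character.isWhitespace(c) || c == '<' || c == '>' || c == '"' || c == '\'') break;
            i++;
        }
        while (i > start && ".,;:!?)".indexOf(s.charAt(i - 1)) >= 0) i--;
        return i;
    }

    // Where a link may begin: a scheme from URL_TYPES or the informal "www."/"www2." prefix.
    private static final Pattern LINK_START = Pattern.compile("(?i)\\b(?:https?://|ftp://|www2?\\.)");

    // One pass over raw input: text between links is HTML-encoded, each valid link becomes
    // an anchor whose href and label are encoded separately, so nothing is encoded twice.
    public static String filterWithLinks(String s) {
        StringBuilder out = new StringBuilder(s.length() + 64);
        Matcher m = LINK_START.matcher(s);
        int pos = 0;
        while (m.find(pos)) {
            int begin = m.start();
            int end = findEndOfHref(s, begin);
            String raw = s.substring(begin, end);
            String href = addHttpPrefixIfNeeded(raw);
            out.append(standardFilter(s.substring(pos, begin)));
            if (isValidUrl(href)) {
                out.append("<a href=\"").append(standardFilter(href)).append("\">")
                   .append(standardFilter(raw)).append("</a>");
            } else {
                out.append(standardFilter(raw)); // e.g. "http://short": no domain dot, stays text
            }
            pos = end;
        }
        out.append(standardFilter(s.substring(pos)));
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample input mixing markup, a query string and a malformed link
        String text = "<b>See</b> http://example.com/a?x=1&y=2, or www.example.org (and http://short).";
        System.out.println(filterWithLinks(text));
    }
}
```

Two design points matter for the XSS protection the class description promises. First, the href is only ever built from text that starts with a scheme in URL_TYPES (or has http:// prepended), so no other scheme can be smuggled into an attribute. Second, encoding and linkification happen in a single pass over the raw input: if the text were encoded first and linkified afterwards, an `&` inside a query string would already be `&amp;` and re-encoding the href would produce `&amp;amp;`.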
isSafeURLEncoding
private static boolean isSafeURLEncoding(char c1,
char c2)
- Return true if we allow the given URL encoding (after a %).
See http://www.blooberry.com/indexdot/html/topics/urlencoding.htm
To stop XSS attacks, definitely don't allow:
- the less than symbol < (3C) and the greater than symbol > (3E)
- 00-1F hex (ASCII control characters)
- 80-FF hex (non-ASCII, by definition not legal)
For extra safety, let's not allow the following (add later if needed):
- quote (%27), left paren (%28), right paren (%29)
- left bracket (7B), right bracket (7D)
Okay to allow as encoded (might be misunderstood within URLs):
- space (20), ! (21), " (22), # (23), $ (24)
- % (25), & (26), * (2A), + (2B), comma (2C)
- hyphen (2D), period (2E), / (2F), : (3A), ; (3B)
- = (3D), ? (3F), @ (40)
- | (7C), \ (5C), ~ (7E)
The following are also okay, but shouldn't be encoded anyway, so don't
bother checking for these for now:
- digits: 30-39
- uppercase letters: 41-5A
- lowercase letters: 61-7A
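The rules above are a mix of deny entries and allow entries. The following added example, not Expresso's own code, implements them as a single allow-list (anything not explicitly listed as okay is rejected, which also covers 7F and any non-hex pair after a `%`) and adds a scanner that applies the check to every escape in a URL. The class name, the helper hasOnlySafeEncodings and the sample URLs are assumptions made for this example; the hex codes come from the list above.

```java
// Added example, not Expresso's own code: an allow-list version of the isSafeURLEncoding
// rules documented above, plus a scanner that applies it to every %XX escape in a URL.
public class UrlEncodingCheckExample {
    // Punctuation the Javadoc lists as okay to allow in encoded form (20 21 22 23 24 25 26
    // 2A 2B 2C 2D 2E 2F 3A 3B 3D 3F 40 7C 5C 7E).
    private static final String ALLOWED_PUNCT = " !\"#$%&*+,-./:;=?@|\\~";

    // Returns true when the escape %c1c2 is one we allow.
    public static boolean isSafeURLEncoding(char c1, char c2) {
        int hi = Character.digit(c1, 16);
        int lo = Character.digit(c2, 16);
        if (hi < 0 || lo < 0) return false;                 // not a two-hex-digit escape
        int code = hi * 16 + lo;
        if (code < 0x20 || code > 0x7E) return false;       // 00-1F control chars, 7F, 80-FF
        if (code == 0x3C || code == 0x3E) return false;     // < and >
        if (code == 0x27 || code == 0x28 || code == 0x29) return false; // quote, ( and )
        if (code == 0x7B || code == 0x7D) return false;     // 7B and 7D, rejected for extra safety
        char ch = (char) code;
        if (ch >= '0' && ch <= '9') return true;            // 30-39
        if (ch >= 'A' && ch <= 'Z') return true;            // 41-5A
        if (ch >= 'a' && ch <= 'z') return true;            // 61-7A
        return ALLOWED_PUNCT.indexOf(ch) >= 0;              // everything else is denied
    }

    // True when every '%' in url starts a complete, allowed escape.
    public static boolean hasOnlySafeEncodings(String url) {
        if (url == null) return false;
        for (int i = 0; i < url.length(); i++) {
            if (url.charAt(i) != '%') continue;
            if (i + 2 >= url.length()) return false;        // truncated escape such as "%2"
            if (!isSafeURLEncoding(url.charAt(i + 1), url.charAt(i + 2))) return false;
            i += 2;
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample URLs: plain, harmless escapes, encoded angle bracket, truncated escape
        String[] samples = {
            "http://example.com/path",
            "http://example.com/a%20b?q=%2Bx",
            "http://example.com/%3Cscript%3E",
            "http://example.com/%2"
        };
        for (String u : samples) {
            System.out.println(hasOnlySafeEncodings(u) + "  " + u);
        }
    }
}
```

The allow-list shape means a newly discovered dangerous code does not need to be added to a deny list: only the escapes the documentation names as acceptable pass, and the range check up front rejects control characters and non-ASCII bytes before any individual code is consulted.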