Interface XSSAPI


@Deprecated public interface XSSAPI
Deprecated.
Use XSSAPI instead.

A service providing validators and encoders for XSS protection during the composition of HTML pages.

Note: in general, validators are safer than encoders. Encoding only ensures that content within the encoded context cannot break out of said context. It requires that there be a context (for instance, a string context in JavaScript), and that damage cannot be done from within the context (for instance, a javascript: URL within an href attribute).

When in doubt, use a validator.

  • Method Details

    • getValidInteger

      Integer getValidInteger(String integer, int defaultValue)
      Deprecated.
      Validate a string which should contain an integer, returning a default value if the source is empty, can't be parsed, or contains XSS risks.
      Parameters:
      integer - the source integer
      defaultValue - a default value if the source can't be used
      Returns:
      a sanitized integer
    • getValidLong

      Long getValidLong(String source, long defaultValue)
      Deprecated.
      Validate a string which should contain a long, returning a default value if the source is empty, can't be parsed, or contains XSS risks.
      Parameters:
      source - the source long
      defaultValue - a default value if the source can't be used
      Returns:
      a sanitized long
    • getValidDimension

      String getValidDimension(String dimension, String defaultValue)
      Deprecated.
      Validate a string which should contain a dimension, returning a default value if the source is empty, can't be parsed, or contains XSS risks. Allows integer dimensions and the keyword "auto".
      Parameters:
      dimension - the source dimension
      defaultValue - a default value if the source can't be used
      Returns:
      a sanitized dimension
    • getValidHref

      String getValidHref(String url)
      Deprecated.
      Sanitizes a URL for writing as an HTML href or src attribute value.
      Parameters:
      url - the source URL
      Returns:
      a sanitized URL (possibly empty)
    • getValidHref

      @Deprecated String getValidHref(String url, boolean isPath)
      Deprecated.
    • getValidJSToken

      String getValidJSToken(String token, String defaultValue)
      Deprecated.
      Validate a Javascript token. The value must be either a single identifier, a literal number, or a literal string.
      Parameters:
      token - the source token
      defaultValue - a default value to use if the source doesn't meet validity constraints.
      Returns:
      a string containing a single identifier, a literal number, or a literal string token
    • getValidCSSColor

      String getValidCSSColor(String color, String defaultColor)
      Deprecated.
      Validate a CSS color value. Color values as specified at http://www.w3.org/TR/css3-color/#colorunits are safe and definitively allowed. Vulnerable constructs will be disallowed. Currently known vulnerable constructs include url(...), expression(...), and anything with a semicolon.
      Parameters:
      color - the color value to be used.
      defaultColor - a default value to use if the input color value doesn't meet validity constraints.
      Returns:
      a string containing a CSS color value.
    • encodeForHTML

      String encodeForHTML(String source)
      Deprecated.
      Encodes a source string for HTML element content. DO NOT USE FOR WRITING ATTRIBUTE VALUES!
      Parameters:
      source - the source string to encode
      Returns:
      an encoded version of the source
    • encodeForHTMLAttr

      String encodeForHTMLAttr(String source)
      Deprecated.
      Encodes a source string for writing to an HTML attribute value. DO NOT USE FOR ACTIONABLE ATTRIBUTES (href, src, event handlers); YOU MUST USE A VALIDATOR FOR THOSE!
      Parameters:
      source - the source string to encode
      Returns:
      an encoded version of the source
    • encodeForXML

      String encodeForXML(String source)
      Deprecated.
      Encodes a source string for XML element content. DO NOT USE FOR WRITING ATTRIBUTE VALUES!
      Parameters:
      source - the source string to encode
      Returns:
      an encoded version of the source
    • encodeForXMLAttr

      String encodeForXMLAttr(String source)
      Deprecated.
      Encodes a source string for writing to an XML attribute value.
      Parameters:
      source - the source string to encode
      Returns:
      an encoded version of the source
    • encodeForJSString

      String encodeForJSString(String source)
      Deprecated.
      Encodes a source string for writing to JavaScript string content. DO NOT USE FOR WRITING TO ARBITRARY JAVASCRIPT; YOU MUST USE A VALIDATOR FOR THAT. (Encoding only ensures that the source material cannot break out of its context.)
      Parameters:
      source - the source string to encode
      Returns:
      an encoded version of the source
    • filterHTML

      String filterHTML(String source)
      Deprecated.
      Filters potentially user-contributed HTML to meet the AntiSamy policy rules currently in effect for HTML output (see the XSSFilter service for details).
      Parameters:
      source - a string containing the source HTML
      Returns:
      a string containing the sanitized HTML
    • getRequestSpecificAPI

      XSSAPI getRequestSpecificAPI(SlingHttpServletRequest request)
      Deprecated.
      Returns an XSSAPI instance capable of mapping resource URLs. EITHER THIS OR THE RESOURCERESOLVER VERSION MUST BE USED WHEN VALIDATING HREFs!
      Parameters:
      request - the request
      Returns:
      an XSSAPI service capable of validating hrefs.
    • getResourceResolverSpecificAPI

      XSSAPI getResourceResolverSpecificAPI(ResourceResolver resourceResolver)
      Deprecated.
      Returns an XSSAPI instance capable of mapping resource URLs. EITHER THIS OR THE REQUEST VERSION MUST BE USED WHEN VALIDATING HREFs!
      Parameters:
      resourceResolver - the resource resolver
      Returns:
      an XSSAPI service capable of validating hrefs.
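As an added example (not part of this reference and not Adobe's code), the following Java class applies the validator-versus-encoder rule from the introduction to one rendered teaser: actionable attributes go through validators on a request-specific instance, everything else through the matching encoder. The package `com.adobe.granite.xss`, the class name and the "render nothing" fallback are assumptions.

```java
import java.io.IOException;
import java.io.Writer;

import org.apache.sling.api.SlingHttpServletRequest;
import com.adobe.granite.xss.XSSAPI; // package assumed; the page names only the interface

/**
 * Added example: renders a teaser built from untrusted values, choosing a
 * validator or an encoder per output context as the XSSAPI docs require.
 */
public final class SafeTeaserRenderer {

    private final XSSAPI xss;

    /** A request- (or resolver-) specific instance is mandatory for href validation. */
    public SafeTeaserRenderer(XSSAPI xssService, SlingHttpServletRequest request) {
        this.xss = xssService.getRequestSpecificAPI(request);
    }

    public void render(Writer out, String href, String imgSrc, String width,
                       String alt, String text, String teaserId) throws IOException {
        // href and src are actionable attributes: only a validator helps here.
        // Attribute encoding cannot neutralize a javascript: URL, because the
        // browser decodes entities before resolving the attribute; getValidHref
        // is the validator for that case and may return an empty string.
        String safeHref = xss.getValidHref(href);
        String safeSrc = xss.getValidHref(imgSrc);
        if (safeHref.isEmpty() || safeSrc.isEmpty()) {
            return; // constructed policy for this example: render nothing unsafe
        }
        // width: an integer or "auto"; anything else falls back to "auto"
        String safeWidth = xss.getValidDimension(width, "auto");
        // alt is a plain (non-actionable) attribute: the attribute encoder suffices
        String safeAlt = xss.encodeForHTMLAttr(alt);
        // link text is element content: encodeForHTML, not encodeForHTMLAttr
        String safeText = xss.encodeForHTML(text);
        // a value placed inside a JavaScript string literal: the JS string encoder
        String safeId = xss.encodeForJSString(teaserId);

        out.write("<a href=\"" + safeHref + "\">"
                + "<img src=\"" + safeSrc + "\" width=\"" + safeWidth
                + "\" alt=\"" + safeAlt + "\">" + safeText + "</a>\n");
        out.write("<script>var teaserId = '" + safeId + "';</script>\n");
    }
}
```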