com.google.template.soy.shared.internal

Class Sanitizers

java.lang.Object

com.google.template.soy.shared.internal.Sanitizers

public final class Sanitizers
extends Object

Java implementations of functions that escape, normalize, and filter untrusted strings to allow them to be safely embedded in particular contexts. These correspond to the soy.$$escape*, soy.$$normalize*, and soy.$$filter* functions defined in "soyutils.js".

Field Summary

Fields

Modifier and Type	Field and Description
static Pattern	HTML_ATTRIBUTE_PATTERN Pattern for matching attribute name and value, where value is single-quoted or double-quoted.

Method Summary

Modifier and Type	Method and Description
static SoyValue	blessStringAsTrustedResourceUrlForLegacy(SoyValue value) For any resource string/variable which has |blessStringAsTrustedResuorceUrlForLegacy directive return the input value as is.
static SoyValue	blessStringAsTrustedResourceUrlForLegacy(String value) For any resource string/variable which has |blessStringAsTrustedResuorceUrlForLegacy directive return the input value as is after converting it into SoyValue.
static LoggingAdvisingAppendable	blessStringAsTrustedResourceUrlForLegacyStreaming(LoggingAdvisingAppendable appendable) For any resource string/variable which has |blessStringAsTrustedResuorceUrlForLegacy directive apply a no-op escaping directive
static SanitizedContent	cleanHtml(SoyValue value) Normalizes the input HTML while preserving "safe" tags and the known directionality.
static SanitizedContent	cleanHtml(SoyValue value, Collection<? extends TagWhitelist.OptionalSafeTag> optionalSafeTags) Normalizes the input HTML while preserving "safe" tags and the known directionality.
static SanitizedContent	cleanHtml(String value) Normalizes the input HTML while preserving "safe" tags.
static SanitizedContent	cleanHtml(String value, Collection<? extends TagWhitelist.OptionalSafeTag> optionalSafeTags) Normalizes the input HTML while preserving "safe" tags.
static SanitizedContent	cleanHtml(String value, Dir contentDir, Collection<? extends TagWhitelist.OptionalSafeTag> optionalSafeTags) Normalizes the input HTML of a given directionality while preserving "safe" tags.
static LoggingAdvisingAppendable	cleanHtmlStreaming(LoggingAdvisingAppendable delegate, Collection<? extends TagWhitelist.OptionalSafeTag> optionalSafeTags) Streaming version of |cleanHtml.
static String	escapeCssString(SoyValue value) Converts the input to the body of a CSS string literal.
static String	escapeCssString(String value) Converts plain text to the body of a CSS string literal.
static LoggingAdvisingAppendable	escapeCssStringStreaming(LoggingAdvisingAppendable delegate) Converts the input to the body of a CSS string literal.
static String	escapeHtml(SoyValue value) Converts the input to HTML by entity escaping.
static String	escapeHtml(String value) Converts plain text to HTML by entity escaping.
static String	escapeHtmlAttribute(SoyValue value) Converts the input to HTML by entity escaping, stripping tags in sanitized content so the result can safely be embedded in an HTML attribute value.
static String	escapeHtmlAttribute(String value) Converts plain text to HTML by entity escaping so the result can safely be embedded in an HTML attribute value.
static String	escapeHtmlAttributeNospace(SoyValue value) Converts plain text to HTML by entity escaping, stripping tags in sanitized content so the result can safely be embedded in an unquoted HTML attribute value.
static String	escapeHtmlAttributeNospace(String value) Converts plain text to HTML by entity escaping so the result can safely be embedded in an unquoted HTML attribute value.
static String	escapeHtmlRcdata(SoyValue value) Converts the input to HTML suitable for use inside <textarea> by entity escaping.
static LoggingAdvisingAppendable	escapeHtmlRcdataStreaming(LoggingAdvisingAppendable delegate) Streaming version of |escapeHtmlRcData.
static String	escapeJsRegex(SoyValue value) Converts the input to the body of a JavaScript regular expression literal.
static String	escapeJsRegex(String value) Converts plain text to the body of a JavaScript regular expression literal.
static LoggingAdvisingAppendable	escapeJsRegexStreaming(LoggingAdvisingAppendable delegate) Converts the input to the body of a JavaScript regular expression literal.
static String	escapeJsString(SoyValue value) Converts the input to the body of a JavaScript string by using \n style escapes.
static String	escapeJsString(String value) Converts plain text to the body of a JavaScript string by using \n style escapes.
static LoggingAdvisingAppendable	escapeJsStringStreaming(LoggingAdvisingAppendable appendable)
static String	escapeJsValue(SoyValue value) Converts the input to a JavaScript expression.
static String	escapeJsValue(String value) Converts plain text to a quoted javaScript string value.
static String	escapeUri(SoyValue value) Converts the input to a piece of a URI by percent encoding the value as UTF-8 bytes.
static String	escapeUri(String value) Converts plain text to a piece of a URI by percent encoding the string as UTF-8 bytes.
static String	filterCssValue(SoyValue value) Makes sure that the input is a valid CSS identifier part, CLASS or ID part, quantity, or CSS keyword part.
static String	filterCssValue(String value) Makes sure that the input is a valid CSS identifier part, CLASS or ID part, quantity, or CSS keyword part.
static String	filterHtmlAttributes(SoyValue value) Checks that the input is a valid HTML attribute name with normal keyword or textual content or known safe attribute content.
static String	filterHtmlAttributes(String value) Checks that the input is a valid HTML attribute name with normal keyword or textual content.
static LoggingAdvisingAppendable	filterHtmlAttributesStreaming(LoggingAdvisingAppendable appendable)
static String	filterHtmlElementName(SoyValue value) Checks that the input is part of the name of an innocuous element.
static String	filterHtmlElementName(String value) Checks that the input is part of the name of an innocuous element.
static SanitizedContent	filterImageDataUri(SoyValue value) Makes sure that the given input is a data URI corresponding to an image.
static SanitizedContent	filterImageDataUri(String value) Makes sure that the given input is a data URI corresponding to an image.
static SoyValue	filterNoAutoescape(SoyValue value) Filters noAutoescape input from explicitly tainted content.
static LoggingAdvisingAppendable	filterNoAutoescapeStreaming(LoggingAdvisingAppendable appendable) Applies the |noAutoescape directive and filters explicitly tainted content.
static String	filterNormalizeMediaUri(SoyValue value) Checks that a URI is safe to be an image source.
static String	filterNormalizeMediaUri(String value) Checks that a URI is safe to be an image source.
static String	filterNormalizeUri(SoyValue value) Makes sure that the given input doesn't specify a dangerous protocol and also normalizes it.
static String	filterNormalizeUri(String value) Makes sure that the given input doesn't specify a dangerous protocol and also normalizes it.
static SanitizedContent	filterSipUri(SoyValue value) Makes sure that the given input is a sip URI.
static SanitizedContent	filterSipUri(String value) Makes sure that the given input is a sip URI.
static SanitizedContent	filterTelUri(SoyValue value) Makes sure that the given input is a tel URI.
static SanitizedContent	filterTelUri(String value) Makes sure that the given input is a tel URI.
static String	filterTrustedResourceUri(SoyValue value) Makes sure the given input is an instance of either trustedResourceUrl or trustedString.
static String	filterTrustedResourceUri(String value) For string inputs this function just returns the input string itself.
static String	normalizeHtml(SoyValue value) Normalizes HTML to HTML making sure quotes and other specials are entity encoded.
static String	normalizeHtml(String value) Normalizes HTML to HTML making sure quotes and other specials are entity encoded.
static String	normalizeHtmlNospace(SoyValue value) Normalizes HTML to HTML making sure quotes, spaces and other specials are entity encoded so that the result can be safely embedded in a valueless attribute.
static String	normalizeHtmlNospace(String value) Normalizes HTML to HTML making sure quotes, spaces and other specials are entity encoded so that the result can be safely embedded in a valueless attribute.
static LoggingAdvisingAppendable	normalizeHtmlStreaming(LoggingAdvisingAppendable appendable)
static String	normalizeUri(SoyValue value) Converts a piece of URI content to a piece of URI content that can be safely embedded in an HTML attribute by percent encoding.
static String	normalizeUri(String value) Converts a piece of URI content to a piece of URI content that can be safely embedded in an HTML attribute by percent encoding.
static LoggingAdvisingAppendable	normalizeUriStreaming(LoggingAdvisingAppendable value) Converts a piece of URI content to a piece of URI content that can be safely embedded in an HTML attribute by percent encoding.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

HTML_ATTRIBUTE_PATTERN

public static final Pattern HTML_ATTRIBUTE_PATTERN

Pattern for matching attribute name and value, where value is single-quoted or double-quoted.

Method Detail

escapeHtml

public static String escapeHtml(SoyValue value)

Converts the input to HTML by entity escaping.

escapeHtml

public static String escapeHtml(String value)

Converts plain text to HTML by entity escaping.

cleanHtml

public static SanitizedContent cleanHtml(SoyValue value)

Normalizes the input HTML while preserving "safe" tags and the known directionality.

Returns:

the normalized input, in the form of SanitizedContent of SanitizedContent.ContentKind.HTML

cleanHtml

public static SanitizedContent cleanHtml(SoyValue value,
                                         Collection<? extends TagWhitelist.OptionalSafeTag> optionalSafeTags)

Normalizes the input HTML while preserving "safe" tags and the known directionality.

Parameters:

optionalSafeTags - to add to the basic whitelist of formatting safe tags

Returns:

the normalized input, in the form of SanitizedContent of SanitizedContent.ContentKind.HTML

cleanHtmlStreaming

public static LoggingAdvisingAppendable cleanHtmlStreaming(LoggingAdvisingAppendable delegate,
                                                           Collection<? extends TagWhitelist.OptionalSafeTag> optionalSafeTags)

Streaming version of |cleanHtml.

cleanHtml

public static SanitizedContent cleanHtml(String value)

Normalizes the input HTML while preserving "safe" tags. The content directionality is unknown.

Returns:

the normalized input, in the form of SanitizedContent of SanitizedContent.ContentKind.HTML

cleanHtml

public static SanitizedContent cleanHtml(String value,
                                         Collection<? extends TagWhitelist.OptionalSafeTag> optionalSafeTags)

Normalizes the input HTML while preserving "safe" tags. The content directionality is unknown.

Parameters:

optionalSafeTags - to add to the basic whitelist of formatting safe tags

Returns:

the normalized input, in the form of SanitizedContent of SanitizedContent.ContentKind.HTML

cleanHtml

public static SanitizedContent cleanHtml(String value,
                                         Dir contentDir,
                                         Collection<? extends TagWhitelist.OptionalSafeTag> optionalSafeTags)

Normalizes the input HTML of a given directionality while preserving "safe" tags.

Parameters:

optionalSafeTags - to add to the basic whitelist of formatting safe tags

Returns:

the normalized input, in the form of SanitizedContent of SanitizedContent.ContentKind.HTML

escapeHtmlRcdata

public static String escapeHtmlRcdata(SoyValue value)

Converts the input to HTML suitable for use inside <textarea> by entity escaping.

escapeHtmlRcdataStreaming

public static LoggingAdvisingAppendable escapeHtmlRcdataStreaming(LoggingAdvisingAppendable delegate)

Streaming version of |escapeHtmlRcData.

normalizeHtml

public static String normalizeHtml(SoyValue value)

Normalizes HTML to HTML making sure quotes and other specials are entity encoded.

normalizeHtmlStreaming

public static LoggingAdvisingAppendable normalizeHtmlStreaming(LoggingAdvisingAppendable appendable)

normalizeHtml

public static String normalizeHtml(String value)

Normalizes HTML to HTML making sure quotes and other specials are entity encoded.

normalizeHtmlNospace

public static String normalizeHtmlNospace(SoyValue value)

Normalizes HTML to HTML making sure quotes, spaces and other specials are entity encoded so that the result can be safely embedded in a valueless attribute.

normalizeHtmlNospace

public static String normalizeHtmlNospace(String value)

Normalizes HTML to HTML making sure quotes, spaces and other specials are entity encoded so that the result can be safely embedded in a valueless attribute.

escapeHtmlAttribute

public static String escapeHtmlAttribute(SoyValue value)

Converts the input to HTML by entity escaping, stripping tags in sanitized content so the result can safely be embedded in an HTML attribute value.

escapeHtmlAttribute

public static String escapeHtmlAttribute(String value)

Converts plain text to HTML by entity escaping so the result can safely be embedded in an HTML attribute value.

escapeHtmlAttributeNospace

public static String escapeHtmlAttributeNospace(SoyValue value)

Converts plain text to HTML by entity escaping, stripping tags in sanitized content so the result can safely be embedded in an unquoted HTML attribute value.

escapeHtmlAttributeNospace

public static String escapeHtmlAttributeNospace(String value)

Converts plain text to HTML by entity escaping so the result can safely be embedded in an unquoted HTML attribute value.

escapeJsString

public static String escapeJsString(SoyValue value)

Converts the input to the body of a JavaScript string by using \n style escapes.

escapeJsStringStreaming

public static LoggingAdvisingAppendable escapeJsStringStreaming(LoggingAdvisingAppendable appendable)

escapeJsString

public static String escapeJsString(String value)

Converts plain text to the body of a JavaScript string by using \n style escapes.

escapeJsValue

public static String escapeJsValue(SoyValue value)

Converts the input to a JavaScript expression. The resulting expression can be a boolean, number, string literal, or null.

escapeJsValue

public static String escapeJsValue(String value)

Converts plain text to a quoted javaScript string value.

escapeJsRegex

public static String escapeJsRegex(SoyValue value)

Converts the input to the body of a JavaScript regular expression literal.

escapeJsRegexStreaming

public static LoggingAdvisingAppendable escapeJsRegexStreaming(LoggingAdvisingAppendable delegate)

Converts the input to the body of a JavaScript regular expression literal.

escapeJsRegex

public static String escapeJsRegex(String value)

Converts plain text to the body of a JavaScript regular expression literal.

escapeCssString

public static String escapeCssString(SoyValue value)

Converts the input to the body of a CSS string literal.

escapeCssStringStreaming

public static LoggingAdvisingAppendable escapeCssStringStreaming(LoggingAdvisingAppendable delegate)

Converts the input to the body of a CSS string literal.

escapeCssString

public static String escapeCssString(String value)

Converts plain text to the body of a CSS string literal.

filterCssValue

public static String filterCssValue(SoyValue value)

Makes sure that the input is a valid CSS identifier part, CLASS or ID part, quantity, or CSS keyword part.

filterCssValue

public static String filterCssValue(String value)

Makes sure that the input is a valid CSS identifier part, CLASS or ID part, quantity, or CSS keyword part.

escapeUri

public static String escapeUri(SoyValue value)

Converts the input to a piece of a URI by percent encoding the value as UTF-8 bytes.

escapeUri

public static String escapeUri(String value)

Converts plain text to a piece of a URI by percent encoding the string as UTF-8 bytes.

normalizeUri

public static String normalizeUri(SoyValue value)

Converts a piece of URI content to a piece of URI content that can be safely embedded in an HTML attribute by percent encoding.

normalizeUriStreaming

public static LoggingAdvisingAppendable normalizeUriStreaming(LoggingAdvisingAppendable value)

Converts a piece of URI content to a piece of URI content that can be safely embedded in an HTML attribute by percent encoding.

normalizeUri

public static String normalizeUri(String value)

Converts a piece of URI content to a piece of URI content that can be safely embedded in an HTML attribute by percent encoding.

filterNormalizeUri

public static String filterNormalizeUri(SoyValue value)

Makes sure that the given input doesn't specify a dangerous protocol and also normalizes it.

filterNormalizeUri

public static String filterNormalizeUri(String value)

Makes sure that the given input doesn't specify a dangerous protocol and also normalizes it.

filterNormalizeMediaUri

public static String filterNormalizeMediaUri(SoyValue value)

Checks that a URI is safe to be an image source.

Does not return SanitizedContent as there isn't an appropriate type for this.

filterNormalizeMediaUri

public static String filterNormalizeMediaUri(String value)

Checks that a URI is safe to be an image source.

Does not return SanitizedContent as there isn't an appropriate type for this.

filterTrustedResourceUri

public static String filterTrustedResourceUri(SoyValue value)

Makes sure the given input is an instance of either trustedResourceUrl or trustedString.

filterTrustedResourceUri

public static String filterTrustedResourceUri(String value)

For string inputs this function just returns the input string itself.

blessStringAsTrustedResourceUrlForLegacy

public static SoyValue blessStringAsTrustedResourceUrlForLegacy(SoyValue value)

For any resource string/variable which has |blessStringAsTrustedResuorceUrlForLegacy directive return the input value as is.

blessStringAsTrustedResourceUrlForLegacy

public static SoyValue blessStringAsTrustedResourceUrlForLegacy(String value)

For any resource string/variable which has |blessStringAsTrustedResuorceUrlForLegacy directive return the input value as is after converting it into SoyValue.

blessStringAsTrustedResourceUrlForLegacyStreaming

public static LoggingAdvisingAppendable blessStringAsTrustedResourceUrlForLegacyStreaming(LoggingAdvisingAppendable appendable)

For any resource string/variable which has |blessStringAsTrustedResuorceUrlForLegacy directive apply a no-op escaping directive

filterImageDataUri

public static SanitizedContent filterImageDataUri(SoyValue value)

Makes sure that the given input is a data URI corresponding to an image.

SanitizedContent kind does not apply -- the directive is also used to ensure no foreign resources are loaded.

filterImageDataUri

public static SanitizedContent filterImageDataUri(String value)

Makes sure that the given input is a data URI corresponding to an image.

filterSipUri

public static SanitizedContent filterSipUri(SoyValue value)

Makes sure that the given input is a sip URI.

filterSipUri

public static SanitizedContent filterSipUri(String value)

Makes sure that the given input is a sip URI.

filterTelUri

public static SanitizedContent filterTelUri(SoyValue value)

Makes sure that the given input is a tel URI.

filterTelUri

public static SanitizedContent filterTelUri(String value)

Makes sure that the given input is a tel URI.

filterHtmlAttributes

public static String filterHtmlAttributes(SoyValue value)

Checks that the input is a valid HTML attribute name with normal keyword or textual content or known safe attribute content.

filterHtmlAttributes

public static String filterHtmlAttributes(String value)

Checks that the input is a valid HTML attribute name with normal keyword or textual content.

filterHtmlAttributesStreaming

public static LoggingAdvisingAppendable filterHtmlAttributesStreaming(LoggingAdvisingAppendable appendable)

filterHtmlElementName

public static String filterHtmlElementName(SoyValue value)

Checks that the input is part of the name of an innocuous element.

filterHtmlElementName

public static String filterHtmlElementName(String value)

Checks that the input is part of the name of an innocuous element.

filterNoAutoescape

public static SoyValue filterNoAutoescape(SoyValue value)

Filters noAutoescape input from explicitly tainted content.

SanitizedContent.ContentKind.TEXT is used to explicitly mark input that is never meant to be used unescaped. Specifically, {let} and {param} blocks of kind "text" are explicitly forbidden from being noAutoescaped to avoid XSS regressions during application transition.

filterNoAutoescapeStreaming

public static LoggingAdvisingAppendable filterNoAutoescapeStreaming(LoggingAdvisingAppendable appendable)

Applies the |noAutoescape directive and filters explicitly tainted content.

See filterNoAutoescape(SoyValue)