Package org.apache.sling.xss.impl

Class XSSAPIImpl

  • All Implemented Interfaces:
    XSSAPI
    public class XSSAPIImpl
extends Object
implements XSSAPI

    • Constructor Detail

      • XSSAPIImpl

        public XSSAPIImpl()

    • Method Detail

      • activate

        protected void activate()

      • deactivate

        protected void deactivate()

      • getValidInteger

        public Integer getValidInteger​(String integer,
                               int defaultValue)
        Description copied from interface: XSSAPI
        Validate a string which should contain an integer, returning a default value if the source is null, empty, can't be parsed, or contains XSS risks.
        Specified by:
        getValidInteger in interface XSSAPI
        Parameters:
        integer - the source integer
        defaultValue - a default value if the source can't be used, is null or an empty string
        Returns:
        a sanitized integer
        See Also:
        XSSAPI.getValidInteger(String, int)

      • getValidLong

        public Long getValidLong​(String source,
                         long defaultValue)
        Description copied from interface: XSSAPI
        Validate a string which should contain a long, returning a default value if the source is null, empty, can't be parsed, or contains XSS risks.
        Specified by:
        getValidLong in interface XSSAPI
        Parameters:
        source - the source long
        defaultValue - a default value if the source can't be used, is null or an empty string
        Returns:
        a sanitized integer
        See Also:
        XSSAPI.getValidLong(String, long)

      • getValidDouble

        public Double getValidDouble​(String source,
                             double defaultValue)
        Description copied from interface: XSSAPI
        Validate a string which should contain an double, returning a default value if the source is null, empty, can't be parsed, or contains XSS risks.
        Specified by:
        getValidDouble in interface XSSAPI
        Parameters:
        source - the source double
        defaultValue - a default value if the source can't be used, is null or an empty string
        Returns:
        a sanitized double
        See Also:
        XSSAPI.getValidDouble(String, double)

      • getValidDimension

        public String getValidDimension​(String dimension,
                                String defaultValue)
        Description copied from interface: XSSAPI
        Validate a string which should contain a dimension, returning a default value if the source is empty, can't be parsed, or contains XSS risks. Allows integer dimensions and the keyword "auto".
        Specified by:
        getValidDimension in interface XSSAPI
        Parameters:
        dimension - the source dimension
        defaultValue - a default value if the source can't be used, is null or an empty string
        Returns:
        a sanitized dimension
        See Also:
        XSSAPI.getValidDimension(String, String)

      • getValidHref

        @NotNull
public @NotNull String getValidHref​(String url)
        Description copied from interface: XSSAPI
        Sanitizes a URL for writing as an HTML href or src attribute value.
        Specified by:
        getValidHref in interface XSSAPI
        Parameters:
        url - the source URL
        Returns:
        a sanitized URL (possibly empty)
        See Also:
        XSSAPI.getValidHref(String)

      • getValidJSToken

        public String getValidJSToken​(String token,
                              String defaultValue)
        Description copied from interface: XSSAPI
        Validate a Javascript token. The value must be either a single identifier, a literal number, or a literal string.
        Specified by:
        getValidJSToken in interface XSSAPI
        Parameters:
        token - the source token
        defaultValue - a default value to use if the source is null, an empty string, or doesn't meet validity constraints.
        Returns:
        a string containing a single identifier, a literal number, or a literal string token
        See Also:
        XSSAPI.getValidJSToken(String, String)

      • getValidStyleToken

        public String getValidStyleToken​(String token,
                                 String defaultValue)
        Description copied from interface: XSSAPI
        Validate a style/CSS token. Valid CSS tokens are specified at http://www.w3.org/TR/css3-syntax/
        Specified by:
        getValidStyleToken in interface XSSAPI
        Parameters:
        token - the source token
        defaultValue - a default value to use if the source is null, an empty string, or doesn't meet validity constraints.
        Returns:
        a string containing sanitized style token
        See Also:
        XSSAPI.getValidStyleToken(String, String)

      • getValidCSSColor

        public String getValidCSSColor​(String color,
                               String defaultColor)
        Description copied from interface: XSSAPI
        Validate a CSS color value. Color values as specified at http://www.w3.org/TR/css3-color/#colorunits are safe and definitively allowed. Vulnerable constructs will be disallowed. Currently known vulnerable constructs include url(...), expression(...), and anything with a semicolon.
        Specified by:
        getValidCSSColor in interface XSSAPI
        Parameters:
        color - the color value to be used.
        defaultColor - a default value to use if the input color value is null, an empty string, doesn't meet validity constraints.
        Returns:
        a string a css color value.
        See Also:
        XSSAPI.getValidCSSColor(String, String)

      • getValidMultiLineComment

        public String getValidMultiLineComment​(String comment,
                                       String defaultComment)
        Description copied from interface: XSSAPI
        Validate multi-line comment to be used inside a <script>...</script> or <style>...</style> block. Multi-line comment end block is disallowed.
        Specified by:
        getValidMultiLineComment in interface XSSAPI
        Parameters:
        comment - the comment to be used
        defaultComment - a default value to use if the comment is null or not valid.
        Returns:
        a valid multi-line comment
        See Also:
        XSSAPI.getValidMultiLineComment(String, String)

      • getValidJSON

        public String getValidJSON​(String json,
                           String defaultJson)
        Description copied from interface: XSSAPI
        Validate a JSON string
        Specified by:
        getValidJSON in interface XSSAPI
        Parameters:
        json - the JSON string to validate
        defaultJson - the default value to use if json is null or not valid
        Returns:
        a valid JSON string
        See Also:
        XSSAPI.getValidJSON(String, String)

      • getValidXML

        public String getValidXML​(String xml,
                          String defaultXml)
        Description copied from interface: XSSAPI
        Validate an XML string
        Specified by:
        getValidXML in interface XSSAPI
        Parameters:
        xml - the XML string to validate
        defaultXml - the default value to use if xml is null or not valid
        Returns:
        a valid XML string
        See Also:
        XSSAPI.getValidXML(String, String)

      • encodeForHTML

        public String encodeForHTML​(String source)
        Description copied from interface: XSSAPI
        Encodes a source string for HTML element content. DO NOT USE FOR WRITING ATTRIBUTE VALUES!
        Specified by:
        encodeForHTML in interface XSSAPI
        Parameters:
        source - the input to encode
        Returns:
        an encoded version of the source
        See Also:
        XSSAPI.encodeForHTML(String)

      • encodeForHTMLAttr

        public String encodeForHTMLAttr​(String source)
        Description copied from interface: XSSAPI
        Encodes a source string for writing to an HTML attribute value. DO NOT USE FOR ACTIONABLE ATTRIBUTES (href, src, event handlers); YOU MUST USE A VALIDATOR FOR THOSE!
        Specified by:
        encodeForHTMLAttr in interface XSSAPI
        Parameters:
        source - the input to encode
        Returns:
        an encoded version of the source
        See Also:
        XSSAPI.encodeForHTMLAttr(String)

      • encodeForXML

        public String encodeForXML​(String source)
        Description copied from interface: XSSAPI
        Encodes a source string for XML element content. DO NOT USE FOR WRITING ATTRIBUTE VALUES!
        Specified by:
        encodeForXML in interface XSSAPI
        Parameters:
        source - the input to encode
        Returns:
        an encoded version of the source
        See Also:
        XSSAPI.encodeForXML(String)

      • encodeForJSString

        public String encodeForJSString​(String source)
        Description copied from interface: XSSAPI
        Encodes a source string for writing to JavaScript string content. DO NOT USE FOR WRITING TO ARBITRARY JAVASCRIPT; YOU MUST USE A VALIDATOR FOR THAT. (Encoding only ensures that the source material cannot break out of its context.)
        Specified by:
        encodeForJSString in interface XSSAPI
        Parameters:
        source - the input to encode
        Returns:
        an encoded version of the source
        See Also:
        XSSAPI.encodeForJSString(String)

      • encodeForCSSString

        public String encodeForCSSString​(String source)
        Description copied from interface: XSSAPI
        Encodes a source string for writing to CSS string content. DO NOT USE FOR WRITING OUT ARBITRARY CSS TOKENS; YOU MUST USE A VALIDATOR FOR THAT! (Encoding only ensures the source string cannot break out of its context.)
        Specified by:
        encodeForCSSString in interface XSSAPI
        Parameters:
        source - the input to encode
        Returns:
        an encoded version of the source
        See Also:
        XSSAPI.encodeForCSSString(String)

      • filterHTML

        @NotNull
public @NotNull String filterHTML​(String source)
        Description copied from interface: XSSAPI
        Filters potentially user-contributed HTML to meet the AntiSamy policy rules currently in effect for HTML output (see the XSSFilter service for details).
        Specified by:
        filterHTML in interface XSSAPI
        Parameters:
        source - a string containing the source HTML
        Returns:
        a string containing the sanitized HTML which may be an empty string if source is null or empty
        See Also:
        XSSAPI.filterHTML(String)