1 package org.apache.turbine.util;
2
3
4 /*
5 * Licensed to the Apache Software Foundation (ASF) under one
6 * or more contributor license agreements. See the NOTICE file
7 * distributed with this work for additional information
8 * regarding copyright ownership. The ASF licenses this file
9 * to you under the Apache License, Version 2.0 (the
10 * "License"); you may not use this file except in compliance
11 * with the License. You may obtain a copy of the License at
12 *
13 * http://www.apache.org/licenses/LICENSE-2.0
14 *
15 * Unless required by applicable law or agreed to in writing,
16 * software distributed under the License is distributed on an
17 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
18 * KIND, either express or implied. See the License for the
19 * specific language governing permissions and limitations
20 * under the License.
21 */
22
23
24 import org.apache.ecs.Entities;
25
26 import org.apache.ecs.filter.CharacterFilter;
27
28 /**
29 * Some filter methods that have been orphaned in the Screen class.
30 *
31 *
32 * @author <a href="mailto:mbryson@mont.mindspring.com">Dave Bryson</a>
33 * @author <a href="mailto:hps@intermeta.de">Henning P. Schmiedehausen</a>
34 * @version $Id: InputFilterUtils.java 615328 2008-01-25 20:25:05Z tv $
35 */
36
public abstract class InputFilterUtils {
    /** Escapes quotes, ampersand and both angle brackets; backs {@link #prepareText}. */
    private static final CharacterFilter filter = htmlFilter();

    /** Escapes the less-than sign only; backs {@link #prepareTextMinimum}. */
    private static final CharacterFilter minFilter = htmlMinFilter();

    /**
     * Escapes user-entered text for inclusion in HTML output.
     *
     * <p>The characters {@code "}, {@code '}, {@code &}, {@code <} and {@code >}
     * are replaced by the entity references registered in {@link #htmlFilter()},
     * so a submitted {@code <script>} tag is rendered as literal text instead of
     * being interpreted by the browser. Note that the apostrophe is mapped to
     * {@code Entities.LSQUO} (the ECS constant for {@code &lsquo;}, a typographic
     * quote) rather than a numeric character reference, so the visible text is
     * altered slightly.
     *
     * @param s the raw text to escape; {@code null} handling is whatever
     *          {@code CharacterFilter.process} does with it
     * @return the text with the registered characters replaced
     */
    public static String prepareText(String s) {
        return filter.process(s);
    }

    /**
     * Applies the minimal escape: only {@code <} is replaced (by {@code Entities.LT}).
     *
     * <p>Meant for text that is later handled client-side (for example by
     * JavaScript) and therefore has to keep its quotes, ampersands and
     * {@code >}. Because those characters are intended to pass through
     * unchanged, the result is only suitable as plain element content; it is
     * not escaped enough for attribute values, {@code <script>} blocks or URLs.
     *
     * @param s the raw text to escape; {@code null} handling is whatever
     *          {@code CharacterFilter.process} does with it
     * @return the text with every {@code <} replaced
     */
    public static String prepareTextMinimum(String s) {
        return minFilter.process(s);
    }

    /**
     * Builds the full HTML escaping filter.
     *
     * <p>Every mapping is registered explicitly instead of relying on the
     * defaults of {@link CharacterFilter}: the original author found that
     * ECS 1.2 did not provide them all.
     *
     * @return a filter replacing {@code "}, {@code '}, {@code &}, {@code <} and {@code >}
     */
    private static CharacterFilter htmlFilter() {
        CharacterFilter escaper = new CharacterFilter();
        escaper.addAttribute("<", Entities.LT);
        escaper.addAttribute(">", Entities.GT);
        escaper.addAttribute("&", Entities.AMP);
        escaper.addAttribute("\"", Entities.QUOT);
        escaper.addAttribute("'", Entities.LSQUO);
        return escaper;
    }

    /**
     * Builds the minimal filter: any default mappings for {@code >}, {@code "},
     * {@code '} and {@code &} are removed, and only {@code <} is mapped to
     * {@code Entities.LT}.
     *
     * @return a filter replacing {@code <} only
     */
    private static CharacterFilter htmlMinFilter() {
        CharacterFilter escaper = new CharacterFilter();
        // Characters that must survive unchanged so client-side code can still use them.
        for (String passThrough : new String[] {">", "\"", "'", "&"}) {
            escaper.removeAttribute(passThrough);
        }
        escaper.addAttribute("<", Entities.LT);
        return escaper;
    }
}