01: package org.apache.turbine.util;
02:
03: /*
04: * Licensed to the Apache Software Foundation (ASF) under one
05: * or more contributor license agreements. See the NOTICE file
06: * distributed with this work for additional information
07: * regarding copyright ownership. The ASF licenses this file
08: * to you under the Apache License, Version 2.0 (the
09: * "License"); you may not use this file except in compliance
10: * with the License. You may obtain a copy of the License at
11: *
12: * http://www.apache.org/licenses/LICENSE-2.0
13: *
14: * Unless required by applicable law or agreed to in writing,
15: * software distributed under the License is distributed on an
16: * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
17: * KIND, either express or implied. See the License for the
18: * specific language governing permissions and limitations
19: * under the License.
20: */
21:
22: import org.apache.ecs.Entities;
23:
24: import org.apache.ecs.filter.CharacterFilter;
25:
26: /**
27: * Some filter methods that have been orphaned in the Screen class.
28: *
29: *
30: * @author <a href="mailto:mbryson@mont.mindspring.com">Dave Bryson</a>
31: * @author <a href="mailto:hps@intermeta.de">Henning P. Schmiedehausen</a>
32: * @version $Id: InputFilterUtils.java 534527 2007-05-02 16:10:59Z tv $
33: */
34:
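public abstract class InputFilterUtils {
    /**
     * Replacement for the apostrophe. HTML 4 defines no {@code &apos;}
     * entity, so a numeric character reference is used. It renders as the
     * apostrophe the user typed; the {@code &lsquo;} entity previously used
     * here silently turned every {@code '} into a typographic left quote.
     * Declared first so it is initialised before the filters below are built.
     */
    private static final String APOS_REFERENCE = "&#39;";

    /** Filter behind {@link #prepareText(String)}: escapes all five HTML-significant characters. */
    private static final CharacterFilter filter = htmlFilter();

    /** Filter behind {@link #prepareTextMinimum(String)}: escapes only {@code <}. */
    private static final CharacterFilter minFilter = htmlMinFilter();

    /**
     * Escapes user-entered text for output as HTML.
     *
     * <p>The characters {@code "}, {@code '}, {@code &}, {@code <} and
     * {@code >} are replaced by character references, so that text such as
     * {@code <SCRIPT>} is rendered literally instead of being interpreted by
     * the browser. This is adequate for element content and for quoted
     * attribute values; it is not an encoding for JavaScript, CSS or URL
     * contexts, which need their own escaping.
     *
     * <p>Null handling (and any other detail of {@code process}) is that of
     * the ECS {@code CharacterFilter}; this method adds no check of its own.
     *
     * @param s The string to prepare.
     * @return The string with HTML-significant characters escaped.
     */
    public static String prepareText(String s) {
        return filter.process(s);
    }

    /**
     * Escapes only {@code <} in user-entered text.
     *
     * <p>{@code >}, both quote characters and {@code &} pass through
     * unchanged (see {@link #htmlMinFilter()}). Because quotes are not
     * escaped, the result must never be placed inside an HTML attribute
     * value or inside script; it is only meant for element content where
     * some markup-like characters are to be preserved. Use
     * {@link #prepareText(String)} everywhere else.
     *
     * <p>Null handling is that of the ECS {@code CharacterFilter}; this
     * method adds no check of its own.
     *
     * @param s The string to prepare.
     * @return The string with {@code <} escaped.
     */
    public static String prepareTextMinimum(String s) {
        return minFilter.process(s);
    }

    /**
     * Builds the full HTML filter.
     *
     * <p>These attributes are supposed to be the default, but they are
     * not, at least in ECS 1.2. Include them all explicitly to be safe.
     *
     * @return A CharacterFilter that escapes {@code " ' & < >}.
     */
    private static CharacterFilter htmlFilter() {
        CharacterFilter full = new CharacterFilter();
        full.addAttribute("\"", Entities.QUOT);
        // &#39; rather than Entities.LSQUO: keep the apostrophe an apostrophe.
        full.addAttribute("'", APOS_REFERENCE);
        full.addAttribute("&", Entities.AMP);
        full.addAttribute("<", Entities.LT);
        full.addAttribute(">", Entities.GT);
        return full;
    }

    /**
     * Builds the minimal HTML filter.
     *
     * <p>We would like to filter user-entered text that might be
     * dynamically added, using JavaScript for example, without escaping all
     * of the characters handled by {@link #htmlFilter()}; so only {@code <}
     * is disallowed. The explicit removals guard against the ECS defaults
     * mentioned in {@link #htmlFilter()} being present after all.
     *
     * @return A CharacterFilter that escapes only {@code <}.
     */
    private static CharacterFilter htmlMinFilter() {
        CharacterFilter minimal = new CharacterFilter();
        minimal.removeAttribute(">");
        minimal.removeAttribute("\"");
        minimal.removeAttribute("'");
        minimal.removeAttribute("&");
        minimal.addAttribute("<", Entities.LT);
        return minimal;
    }
}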