Overview  Package   Class  Use  Tree  Deprecated  Index  Help 
 PREV CLASS   NEXT CLASS FRAMES    NO FRAMES    
SUMMARY: NESTED | FIELD | CONSTR | METHOD DETAIL: FIELD | CONSTR | METHOD

org.jboss.seam.text
Class SeamTextParser.DefaultSanitizer

java.lang.Object
  extended by org.jboss.seam.text.SeamTextParser.DefaultSanitizer
All Implemented Interfaces:
SeamTextParser.Sanitizer
Enclosing class:
SeamTextParser
public static class SeamTextParser.DefaultSanitizer
extends java.lang.Object
implements SeamTextParser.Sanitizer

Implementation of the rules in http://wiki.whatwg.org/wiki/Sanitization_rules 

 Changes and additions:

 1. Expanded all -* wildcard values to their full CSS property name (e.g. border-*).

 2. Added dash as allowed characater to REGEX_VALID_CSS_STRING1.

 3. Improved REGEX_VALID_CSS_VALUE with range {n,m} checks for color values and negative units.

 4. Added more options (mostly of vertical-align property, e.g. "middle", "text-top") as allowed CSS values.

 5. Added "max-height", "max-width", "min-height", "min-width" to CSS properties.

 6. Removed 'data' URI scheme.

 7. Not implemented filtering of CSS url() - it's an invalid value always.

 8. Removed all <form>, <input> and other form tags. Attackers might use them to compromise
    "outer" forms when entering such markup in a textarea.

Field Summary
protected  java.util.Set<java.lang.String> acceptableAttributes
           
protected  java.util.Set<java.lang.String> acceptableElements
           
protected  java.util.Set<java.lang.String> attributesWhoseValueIsAURI
           
protected  java.util.Set<java.lang.String> mathmlAttributes
           
protected  java.util.Set<java.lang.String> mathmlElements
           
 java.util.regex.Pattern REGEX_INVALID_CSS_URL
           
 java.util.regex.Pattern REGEX_VALID_CSS_STRING1
           
 java.util.regex.Pattern REGEX_VALID_CSS_STRING2
           
 java.util.regex.Pattern REGEX_VALID_CSS_VALUE
           
protected  java.util.Set<java.lang.String> styleProperties
           
protected  java.util.Set<java.lang.String> stylePropertiesValues
           
protected  java.util.Set<java.lang.String> svgAttributes
           
protected  java.util.Set<java.lang.String> svgElements
           
protected  java.util.Set<java.lang.String> svgStyleProperties
           
protected  java.util.Set<java.lang.String> uriSchemes
           
 
Constructor Summary
SeamTextParser.DefaultSanitizer()
           
 
Method Summary
 antlr.SemanticException createSemanticException(java.lang.String message, antlr.Token element)
           
 java.lang.String getInvalidAttributeMessage(java.lang.String elementName, java.lang.String attributeName)
           
 java.lang.String getInvalidAttributeValueMessage(java.lang.String elementName, java.lang.String attributeName, java.lang.String value)
           
 java.lang.String getInvalidElementMessage(java.lang.String elementName)
           
 java.lang.String getInvalidURIMessage(java.lang.String uri)
           
 void validateHtmlAttribute(antlr.Token element, antlr.Token attribute)
          Called by the SeamTextParser when a plain HTML attribute is parsed.
 void validateHtmlAttributeValue(antlr.Token element, antlr.Token attribute, java.lang.String attributeValue)
          Called by the SeamTextParser when a plain HTML attribute value is parsed.
 void validateHtmlElement(antlr.Token element)
          Called by the SeamTextParser when a plain HTML element is parsed.
 void validateLinkTagURI(antlr.Token element, java.lang.String uri)
          Called by the SeamTextParser when a link tag is parsed, i.e.
protected  boolean validateURI(java.lang.String uri)
          Validate a URI string.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

REGEX_VALID_CSS_STRING1

public final java.util.regex.Pattern REGEX_VALID_CSS_STRING1

REGEX_VALID_CSS_STRING2

public final java.util.regex.Pattern REGEX_VALID_CSS_STRING2

REGEX_VALID_CSS_VALUE

public final java.util.regex.Pattern REGEX_VALID_CSS_VALUE

REGEX_INVALID_CSS_URL

public final java.util.regex.Pattern REGEX_INVALID_CSS_URL

acceptableElements

protected java.util.Set<java.lang.String> acceptableElements

mathmlElements

protected java.util.Set<java.lang.String> mathmlElements

svgElements

protected java.util.Set<java.lang.String> svgElements

acceptableAttributes

protected java.util.Set<java.lang.String> acceptableAttributes

mathmlAttributes

protected java.util.Set<java.lang.String> mathmlAttributes

svgAttributes

protected java.util.Set<java.lang.String> svgAttributes

styleProperties

protected java.util.Set<java.lang.String> styleProperties

stylePropertiesValues

protected java.util.Set<java.lang.String> stylePropertiesValues

svgStyleProperties

protected java.util.Set<java.lang.String> svgStyleProperties

attributesWhoseValueIsAURI

protected java.util.Set<java.lang.String> attributesWhoseValueIsAURI

uriSchemes

protected java.util.Set<java.lang.String> uriSchemes
Constructor Detail

SeamTextParser.DefaultSanitizer

public SeamTextParser.DefaultSanitizer()
Method Detail

validateLinkTagURI

public void validateLinkTagURI(antlr.Token element,
                               java.lang.String uri)
                        throws antlr.SemanticException
Description copied from interface: SeamTextParser.Sanitizer
Called by the SeamTextParser when a link tag is parsed, i.e. [=>some URI].

Specified by:
validateLinkTagURI in interface SeamTextParser.Sanitizer
Parameters:
element - the token of the parse tree, here the ">" symbol which comes after the "="
uri - the user-entered link text
Throws:
antlr.SemanticException - thrown if the URI is not syntactically or semantically valid

validateHtmlElement

public void validateHtmlElement(antlr.Token element)
                         throws antlr.SemanticException
Description copied from interface: SeamTextParser.Sanitizer
Called by the SeamTextParser when a plain HTML element is parsed.

Specified by:
validateHtmlElement in interface SeamTextParser.Sanitizer
Parameters:
element - the token of the parse tree, call getText() to access the HTML tag name
Throws:
antlr.SemanticException - thrown when the HTML tag is not valid

validateHtmlAttribute

public void validateHtmlAttribute(antlr.Token element,
                                  antlr.Token attribute)
                           throws antlr.SemanticException
Description copied from interface: SeamTextParser.Sanitizer
Called by the SeamTextParser when a plain HTML attribute is parsed.

Specified by:
validateHtmlAttribute in interface SeamTextParser.Sanitizer
Parameters:
element - the token of the parse tree that represents the HTML tag
attribute - the token of the parse tree that represents the HTML attribute
Throws:
antlr.SemanticException - thrown if the attribute is not valid for the given HTML tag

validateHtmlAttributeValue

public void validateHtmlAttributeValue(antlr.Token element,
                                       antlr.Token attribute,
                                       java.lang.String attributeValue)
                                throws antlr.SemanticException
Description copied from interface: SeamTextParser.Sanitizer
Called by the SeamTextParser when a plain HTML attribute value is parsed.

Specified by:
validateHtmlAttributeValue in interface SeamTextParser.Sanitizer
Parameters:
element - the token of the parse tree that represents the HTML tag
attribute - the token of the parse tree that represents the HTML attribute
attributeValue - the plain string value of the HTML attribute
Throws:
antlr.SemanticException - thrown if the attribute value is not valid for the given HTML attribute and element

validateURI

protected boolean validateURI(java.lang.String uri)
Validate a URI string.

The default implementation accepts any URI string that starts with a slash, this is considered a relative URL. Any absolute URI is parsed by the JDK with the java.net.URI constructor. Finally, the scheme of the parsed absolute URI is checked with a list of valid schemes.

Parameters:
uri - the URI string
Returns:
return true if the String represents a safe and valid URI

getInvalidURIMessage

public java.lang.String getInvalidURIMessage(java.lang.String uri)
Specified by:
getInvalidURIMessage in interface SeamTextParser.Sanitizer

getInvalidElementMessage

public java.lang.String getInvalidElementMessage(java.lang.String elementName)
Specified by:
getInvalidElementMessage in interface SeamTextParser.Sanitizer

getInvalidAttributeMessage

public java.lang.String getInvalidAttributeMessage(java.lang.String elementName,
                                                   java.lang.String attributeName)
Specified by:
getInvalidAttributeMessage in interface SeamTextParser.Sanitizer

getInvalidAttributeValueMessage

public java.lang.String getInvalidAttributeValueMessage(java.lang.String elementName,
                                                        java.lang.String attributeName,
                                                        java.lang.String value)
Specified by:
getInvalidAttributeValueMessage in interface SeamTextParser.Sanitizer

createSemanticException

public antlr.SemanticException createSemanticException(java.lang.String message,
                                                       antlr.Token element)
Overview  Package   Class  Use  Tree  Deprecated  Index  Help 
 PREV CLASS   NEXT CLASS FRAMES    NO FRAMES    
SUMMARY: NESTED | FIELD | CONSTR | METHOD DETAIL: FIELD | CONSTR | METHOD
Copyright © 2011 Seam Framework. All Rights Reserved.