[Xss-http-filter-commits] SF.net SVN: xss-http-filter:[22] trunk
Brought to you by:
micksembwever
Menu
▾
▴
[Xss-http-filter-commits] SF.net SVN: xss-http-filter:[22] trunk
|
From: <mic...@us...> - 2011-01-30 09:07:15
|
Revision: 22
http://xss-http-filter.svn.sourceforge.net/xss-http-filter/?rev=22&view=rev
Author: micksembwever
Date: 2011-01-30 09:07:06 +0000 (Sun, 30 Jan 2011)
Log Message:
-----------
xss-http-filter --> xss-html-filter
Modified Paths:
--------------
trunk/pom.xml
Added Paths:
-----------
trunk/src/main/java/net/sf/xsshtmlfilter/
trunk/src/main/java/net/sf/xsshtmlfilter/HTMLFilter.java
trunk/src/test/java/net/sf/xsshtmlfilter/
trunk/src/test/java/net/sf/xsshtmlfilter/HTMLFilterTest.java
Removed Paths:
-------------
trunk/src/main/java/net/sf/xsshttpfilter/HTMLFilter.java
trunk/src/test/java/net/sf/xsshttpfilter/HTMLFilterTest.java
Modified: trunk/pom.xml
===================================================================
--- trunk/pom.xml 2010-09-22 19:22:34 UTC (rev 21)
+++ trunk/pom.xml 2011-01-30 09:07:06 UTC (rev 22)
@@ -1,21 +1,21 @@
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<modelVersion>4.0.0</modelVersion>
- <groupId>net.sf.xss-http-filter</groupId>
- <artifactId>xss-http-filter</artifactId>
+ <groupId>net.sf.xss-html-filter</groupId>
+ <artifactId>xss-html-filter</artifactId>
<version>1.3-SNAPSHOT</version>
<packaging>jar</packaging>
- <name>XSS HTTPFilter</name>
+ <name>XSS HTMLFilter</name>
<description>
- A Java library for protecting against cross site scripting.
- Hosted at https://sourceforge.net/projects/xss-http-filter/
+ A Java library for protecting against cross site scripting.
+ Hosted at https://sourceforge.net/projects/xss-html-filter/
</description>
<scm>
- <connection>scm:svn:https://xss-http-filter.svn.sourceforge.net/svnroot/xss-http-filter/trunk</connection>
- <developerConnection>scm:svn:https://xss-http-filter.svn.sourceforge.net/svnroot/xss-http-filter/trunk</developerConnection>
- <url>http://xss-http-filter.svn.sourceforge.net/viewvc/xss-http-filter/trunk/</url>
+ <connection>scm:svn:https://xss-html-filter.svn.sourceforge.net/svnroot/xss-html-filter/trunk</connection>
+ <developerConnection>scm:svn:https://xss-html-filter.svn.sourceforge.net/svnroot/xss-html-filter/trunk</developerConnection>
+ <url>http://xss-html-filter.svn.sourceforge.net/viewvc/xss-html-filter/trunk/</url>
</scm>
<licenses>
@@ -27,34 +27,34 @@
</licenses>
- <issueManagement><url>http://sourceforge.net/tracker/?group_id=344527</url></issueManagement>
+ <issueManagement><url>http://sourceforge.net/tracker/?group_id=344527</url></issueManagement>
- <developers>
- <developer>
+ <developers>
+ <developer>
<name>Cal Henderson</name>
<url>http://www.iamcal.com/</url>
- </developer>
- <developer>
+ </developer>
+ <developer>
<name>Joseph O'Connell</name>
<url>http://josephoconnell.com/</url>
- </developer>
- <developer>
+ </developer>
+ <developer>
<name>mck</name>
<id>micksembwever</id>
<email>mi...@se...</email>
<url>http://semb.wever.org</url>
- </developer>
- </developers>
+ </developer>
+ </developers>
<mailingLists>
<mailingList>
<name>User & Development List</name>
- <post>xss...@li...</post>
- <archive>http://sourceforge.net/mailarchive/forum.php?forum_name=xss-http-filter-user</archive>
+ <post>xss...@li...</post>
+ <archive>http://sourceforge.net/mailarchive/forum.php?forum_name=xss-html-filter-user</archive>
</mailingList>
<mailingList>
<name>Commit List</name>
- <archive>https://sourceforge.net/mailarchive/forum.php?forum_name=xss-http-filter-commits</archive>
+ <archive>https://sourceforge.net/mailarchive/forum.php?forum_name=xss-html-filter-commits</archive>
</mailingList>
</mailingLists>
@@ -92,7 +92,7 @@
</build>
<dependencies>
-
+
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
Copied: trunk/src/main/java/net/sf/xsshtmlfilter/HTMLFilter.java (from rev 18, trunk/src/main/java/net/sf/xsshttpfilter/HTMLFilter.java)
===================================================================
--- trunk/src/main/java/net/sf/xsshtmlfilter/HTMLFilter.java (rev 0)
+++ trunk/src/main/java/net/sf/xsshtmlfilter/HTMLFilter.java 2011-01-30 09:07:06 UTC (rev 22)
@@ -0,0 +1,529 @@
+package net.sf.xsshtmlfilter;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.concurrent.ConcurrentHashMap;
+import java.util.concurrent.ConcurrentMap;
+import java.util.logging.Logger;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+/**
+ *
+ * HTML filtering utility for protecting against XSS (Cross Site Scripting).
+ *
+ * This code is licensed LGPLv3
+ *
+ * This code is a Java port of the original work in PHP by Cal Hendersen.
+ * http://code.iamcal.com/php/lib_filter/
+ *
+ * The trickiest part of the translation was handling the differences in regex handling
+ * between PHP and Java. These resources were helpful in the process:
+ *
+ * http://java.sun.com/j2se/1.4.2/docs/api/java/util/regex/Pattern.html
+ * http://us2.php.net/manual/en/reference.pcre.pattern.modifiers.php
+ * http://www.regular-expressions.info/modifiers.html
+ *
+ * A note on naming conventions: instance variables are prefixed with a "v"; global
+ * constants are in all caps.
+ *
+ * Sample use:
+ * String input = ...
+ * String clean = new HTMLInputFilter().filter( input );
+ *
+ * The class is not thread safe. Create a new instance if in doubt.
+ *
+ * If you find bugs or have suggestions on improvement (especially regarding
+ * performance), please contact us. The latest version of this
+ * source, and our contact details, can be found at http://xss-html-filter.sf.net
+ *
+ * @author Joseph O'Connell
+ * @author Cal Hendersen
+ */
+public final class HTMLFilter {
+
+ /** regex flag union representing /si modifiers in php **/
+ private static final int REGEX_FLAGS_SI = Pattern.CASE_INSENSITIVE | Pattern.DOTALL;
+ private static final Pattern P_COMMENTS = Pattern.compile("<!--(.*?)-->", Pattern.DOTALL);
+ private static final Pattern P_COMMENT = Pattern.compile("^!--(.*)--$", REGEX_FLAGS_SI);
+ private static final Pattern P_TAGS = Pattern.compile("<(.*?)>", Pattern.DOTALL);
+ private static final Pattern P_END_TAG = Pattern.compile("^/([a-z0-9]+)", REGEX_FLAGS_SI);
+ private static final Pattern P_START_TAG = Pattern.compile("^([a-z0-9]+)(.*?)(/?)$", REGEX_FLAGS_SI);
+ private static final Pattern P_QUOTED_ATTRIBUTES = Pattern.compile("([a-z0-9]+)=([\"'])(.*?)\\2", REGEX_FLAGS_SI);
+ private static final Pattern P_UNQUOTED_ATTRIBUTES = Pattern.compile("([a-z0-9]+)(=)([^\"\\s']+)", REGEX_FLAGS_SI);
+ private static final Pattern P_PROTOCOL = Pattern.compile("^([^:]+):", REGEX_FLAGS_SI);
+ private static final Pattern P_ENTITY = Pattern.compile("&#(\\d+);?");
+ private static final Pattern P_ENTITY_UNICODE = Pattern.compile("&#x([0-9a-f]+);?");
+ private static final Pattern P_ENCODE = Pattern.compile("%([0-9a-f]{2});?");
+ private static final Pattern P_VALID_ENTITIES = Pattern.compile("&([^&;]*)(?=(;|&|$))");
+ private static final Pattern P_VALID_QUOTES = Pattern.compile("(>|^)([^<]+?)(<|$)", Pattern.DOTALL);
+ private static final Pattern P_END_ARROW = Pattern.compile("^>");
+ private static final Pattern P_BODY_TO_END = Pattern.compile("<([^>]*?)(?=<|$)");
+ private static final Pattern P_XML_CONTENT = Pattern.compile("(^|>)([^<]*?)(?=>)");
+ private static final Pattern P_STRAY_LEFT_ARROW = Pattern.compile("<([^>]*?)(?=<|$)");
+ private static final Pattern P_STRAY_RIGHT_ARROW = Pattern.compile("(^|>)([^<]*?)(?=>)");
+ private static final Pattern P_AMP = Pattern.compile("&");
+ private static final Pattern P_QUOTE = Pattern.compile("\"");
+ private static final Pattern P_LEFT_ARROW = Pattern.compile("<");
+ private static final Pattern P_RIGHT_ARROW = Pattern.compile(">");
+ private static final Pattern P_BOTH_ARROWS = Pattern.compile("<>");
+
+ // @xxx could grow large... maybe use sesat's ReferenceMap
+ private static final ConcurrentMap<String,Pattern> P_REMOVE_PAIR_BLANKS = new ConcurrentHashMap<String, Pattern>();
+ private static final ConcurrentMap<String,Pattern> P_REMOVE_SELF_BLANKS = new ConcurrentHashMap<String, Pattern>();
+
+ /** set of allowed html elements, along with allowed attributes for each element **/
+ private final Map<String, List<String>> vAllowed;
+ /** counts of open tags for each (allowable) html element **/
+ private final Map<String, Integer> vTagCounts = new HashMap<String, Integer>();
+
+ /** html elements which must always be self-closing (e.g. "<img />") **/
+ private final String[] vSelfClosingTags;
+ /** html elements which must always have separate opening and closing tags (e.g. "<b></b>") **/
+ private final String[] vNeedClosingTags;
+ /** set of disallowed html elements **/
+ private final String[] vDisallowed;
+ /** attributes which should be checked for valid protocols **/
+ private final String[] vProtocolAtts;
+ /** allowed protocols **/
+ private final String[] vAllowedProtocols;
+ /** tags which should be removed if they contain no content (e.g. "<b></b>" or "<b />") **/
+ private final String[] vRemoveBlanks;
+ /** entities allowed within html markup **/
+ private final String[] vAllowedEntities;
+ /** flag determining whether comments are allowed in input String. */
+ private final boolean stripComment;
+ private boolean vDebug = false;
+ /**
+ * flag determining whether to try to make tags when presented with "unbalanced"
+ * angle brackets (e.g. "<b text </b>" becomes "<b> text </b>"). If set to false,
+ * unbalanced angle brackets will be html escaped.
+ */
+ private final boolean alwaysMakeTags;
+
+ /** Default constructor.
+ *
+ */
+ public HTMLFilter() {
+ vAllowed = new HashMap<String, List<String>>();
+
+ final ArrayList<String> a_atts = new ArrayList<String>();
+ a_atts.add("href");
+ a_atts.add("target");
+ vAllowed.put("a", a_atts);
+
+ final ArrayList<String> img_atts = new ArrayList<String>();
+ img_atts.add("src");
+ img_atts.add("width");
+ img_atts.add("height");
+ img_atts.add("alt");
+ vAllowed.put("img", img_atts);
+
+ final ArrayList<String> no_atts = new ArrayList<String>();
+ vAllowed.put("b", no_atts);
+ vAllowed.put("strong", no_atts);
+ vAllowed.put("i", no_atts);
+ vAllowed.put("em", no_atts);
+
+ vSelfClosingTags = new String[]{"img"};
+ vNeedClosingTags = new String[]{"a", "b", "strong", "i", "em"};
+ vDisallowed = new String[]{};
+ vAllowedProtocols = new String[]{"http", "mailto"}; // no ftp.
+ vProtocolAtts = new String[]{"src", "href"};
+ vRemoveBlanks = new String[]{"a", "b", "strong", "i", "em"};
+ vAllowedEntities = new String[]{"amp", "gt", "lt", "quot"};
+ stripComment = true;
+ alwaysMakeTags = true;
+ }
+
+ /** Set debug flag to true. Otherwise use default settings. See the default constructor.
+ *
+ * @param debug turn debug on with a true argument
+ */
+ public HTMLFilter(final boolean debug) {
+ this();
+ vDebug = debug;
+
+ }
+
+ /** Map-parameter configurable constructor.
+ *
+ * @param configuration map containing configuration. keys match field names.
+ */
+ public HTMLFilter(final Map<String,Object> configuration) {
+
+ assert configuration.containsKey("vAllowed") : "configuration requires vAllowed";
+ assert configuration.containsKey("vSelfClosingTags") : "configuration requires vSelfClosingTags";
+ assert configuration.containsKey("vNeedClosingTags") : "configuration requires vNeedClosingTags";
+ assert configuration.containsKey("vDisallowed") : "configuration requires vDisallowed";
+ assert configuration.containsKey("vAllowedProtocols") : "configuration requires vAllowedProtocols";
+ assert configuration.containsKey("vProtocolAtts") : "configuration requires vProtocolAtts";
+ assert configuration.containsKey("vRemoveBlanks") : "configuration requires vRemoveBlanks";
+ assert configuration.containsKey("vAllowedEntities") : "configuration requires vAllowedEntities";
+ assert configuration.containsKey("stripComment") : "configuration requires stripComment";
+ assert configuration.containsKey("alwaysMakeTags") : "configuration requires alwaysMakeTags";
+
+ vAllowed = Collections.unmodifiableMap((HashMap<String, List<String>>) configuration.get("vAllowed"));
+ vSelfClosingTags = (String[]) configuration.get("vSelfClosingTags");
+ vNeedClosingTags = (String[]) configuration.get("vNeedClosingTags");
+ vDisallowed = (String[]) configuration.get("vDisallowed");
+ vAllowedProtocols = (String[]) configuration.get("vAllowedProtocols");
+ vProtocolAtts = (String[]) configuration.get("vProtocolAtts");
+ vRemoveBlanks = (String[]) configuration.get("vRemoveBlanks");
+ vAllowedEntities = (String[]) configuration.get("vAllowedEntities");
+ stripComment = (Boolean) configuration.get("stripComment");
+ alwaysMakeTags = (Boolean) configuration.get("alwaysMakeTags");
+ }
+
+ private void reset() {
+ vTagCounts.clear();
+ }
+
+ private void debug(final String msg) {
+ if (vDebug) {
+ Logger.getAnonymousLogger().info(msg);
+ }
+ }
+
+ //---------------------------------------------------------------
+ // my versions of some PHP library functions
+ public static String chr(final int decimal) {
+ return String.valueOf((char) decimal);
+ }
+
+ public static String htmlSpecialChars(final String s) {
+ String result = s;
+ result = regexReplace(P_AMP, "&", result);
+ result = regexReplace(P_QUOTE, """, result);
+ result = regexReplace(P_LEFT_ARROW, "<", result);
+ result = regexReplace(P_RIGHT_ARROW, ">", result);
+ return result;
+ }
+
+ //---------------------------------------------------------------
+ /**
+ * given a user submitted input String, filter out any invalid or restricted
+ * html.
+ *
+ * @param input text (i.e. submitted by a user) than may contain html
+ * @return "clean" version of input, with only valid, whitelisted html elements allowed
+ */
+ public String filter(final String input) {
+ reset();
+ String s = input;
+
+ debug("************************************************");
+ debug(" INPUT: " + input);
+
+ s = escapeComments(s);
+ debug(" escapeComments: " + s);
+
+ s = balanceHTML(s);
+ debug(" balanceHTML: " + s);
+
+ s = checkTags(s);
+ debug(" checkTags: " + s);
+
+ s = processRemoveBlanks(s);
+ debug("processRemoveBlanks: " + s);
+
+ s = validateEntities(s);
+ debug(" validateEntites: " + s);
+
+ debug("************************************************\n\n");
+ return s;
+ }
+
+ public boolean isAlwaysMakeTags(){
+ return alwaysMakeTags;
+ }
+
+ public boolean isStripComments(){
+ return stripComment;
+ }
+
+ private String escapeComments(final String s) {
+ final Matcher m = P_COMMENTS.matcher(s);
+ final StringBuffer buf = new StringBuffer();
+ if (m.find()) {
+ final String match = m.group(1); //(.*?)
+ m.appendReplacement(buf, "<!--" + htmlSpecialChars(match) + "-->");
+ }
+ m.appendTail(buf);
+
+ return buf.toString();
+ }
+
+ private String balanceHTML(String s) {
+ if (alwaysMakeTags) {
+ //
+ // try and form html
+ //
+ s = regexReplace(P_END_ARROW, "", s);
+ s = regexReplace(P_BODY_TO_END, "<$1>", s);
+ s = regexReplace(P_XML_CONTENT, "$1<$2", s);
+
+ } else {
+ //
+ // escape stray brackets
+ //
+ s = regexReplace(P_STRAY_LEFT_ARROW, "<$1", s);
+ s = regexReplace(P_STRAY_RIGHT_ARROW, "$1$2><", s);
+
+ //
+ // the last regexp causes '<>' entities to appear
+ // (we need to do a lookahead assertion so that the last bracket can
+ // be used in the next pass of the regexp)
+ //
+ s = regexReplace(P_BOTH_ARROWS, "", s);
+ }
+
+ return s;
+ }
+
+ private String checkTags(String s) {
+ Matcher m = P_TAGS.matcher(s);
+
+ final StringBuffer buf = new StringBuffer();
+ while (m.find()) {
+ String replaceStr = m.group(1);
+ replaceStr = processTag(replaceStr);
+ m.appendReplacement(buf, replaceStr);
+ }
+ m.appendTail(buf);
+
+ s = buf.toString();
+
+ // these get tallied in processTag
+ // (remember to reset before subsequent calls to filter method)
+ for (String key : vTagCounts.keySet()) {
+ for (int ii = 0; ii < vTagCounts.get(key); ii++) {
+ s += "</" + key + ">";
+ }
+ }
+
+ return s;
+ }
+
+ private String processRemoveBlanks(final String s) {
+ String result = s;
+ for (String tag : vRemoveBlanks) {
+ if(!P_REMOVE_PAIR_BLANKS.containsKey(tag)){
+ P_REMOVE_PAIR_BLANKS.putIfAbsent(tag, Pattern.compile("<" + tag + "(\\s[^>]*)?></" + tag + ">"));
+ }
+ result = regexReplace(P_REMOVE_PAIR_BLANKS.get(tag), "", result);
+ if(!P_REMOVE_SELF_BLANKS.containsKey(tag)){
+ P_REMOVE_SELF_BLANKS.putIfAbsent(tag, Pattern.compile("<" + tag + "(\\s[^>]*)?/>"));
+ }
+ result = regexReplace(P_REMOVE_SELF_BLANKS.get(tag), "", result);
+ }
+
+ return result;
+ }
+
+ private static String regexReplace(final Pattern regex_pattern, final String replacement, final String s) {
+ Matcher m = regex_pattern.matcher(s);
+ return m.replaceAll(replacement);
+ }
+
+ private String processTag(final String s) {
+ // ending tags
+ Matcher m = P_END_TAG.matcher(s);
+ if (m.find()) {
+ final String name = m.group(1).toLowerCase();
+ if (allowed(name)) {
+ if (!inArray(name, vSelfClosingTags)) {
+ if (vTagCounts.containsKey(name)) {
+ vTagCounts.put(name, vTagCounts.get(name) - 1);
+ return "</" + name + ">";
+ }
+ }
+ }
+ }
+
+ // starting tags
+ m = P_START_TAG.matcher(s);
+ if (m.find()) {
+ final String name = m.group(1).toLowerCase();
+ final String body = m.group(2);
+ String ending = m.group(3);
+
+ //debug( "in a starting tag, name='" + name + "'; body='" + body + "'; ending='" + ending + "'" );
+ if (allowed(name)) {
+ String params = "";
+
+ final Matcher m2 = P_QUOTED_ATTRIBUTES.matcher(body);
+ final Matcher m3 = P_UNQUOTED_ATTRIBUTES.matcher(body);
+ final List<String> paramNames = new ArrayList<String>();
+ final List<String> paramValues = new ArrayList<String>();
+ while (m2.find()) {
+ paramNames.add(m2.group(1)); //([a-z0-9]+)
+ paramValues.add(m2.group(3)); //(.*?)
+ }
+ while (m3.find()) {
+ paramNames.add(m3.group(1)); //([a-z0-9]+)
+ paramValues.add(m3.group(3)); //([^\"\\s']+)
+ }
+
+ String paramName, paramValue;
+ for (int ii = 0; ii < paramNames.size(); ii++) {
+ paramName = paramNames.get(ii).toLowerCase();
+ paramValue = paramValues.get(ii);
+
+// debug( "paramName='" + paramName + "'" );
+// debug( "paramValue='" + paramValue + "'" );
+// debug( "allowed? " + vAllowed.get( name ).contains( paramName ) );
+
+ if (allowedAttribute(name, paramName)) {
+ if (inArray(paramName, vProtocolAtts)) {
+ paramValue = processParamProtocol(paramValue);
+ }
+ params += " " + paramName + "=\"" + paramValue + "\"";
+ }
+ }
+
+ if (inArray(name, vSelfClosingTags)) {
+ ending = " /";
+ }
+
+ if (inArray(name, vNeedClosingTags)) {
+ ending = "";
+ }
+
+ if (ending == null || ending.length() < 1) {
+ if (vTagCounts.containsKey(name)) {
+ vTagCounts.put(name, vTagCounts.get(name) + 1);
+ } else {
+ vTagCounts.put(name, 1);
+ }
+ } else {
+ ending = " /";
+ }
+ return "<" + name + params + ending + ">";
+ } else {
+ return "";
+ }
+ }
+
+ // comments
+ m = P_COMMENT.matcher(s);
+ if (!stripComment && m.find()) {
+ return "<" + m.group() + ">";
+ }
+
+ return "";
+ }
+
+ private String processParamProtocol(String s) {
+ s = decodeEntities(s);
+ final Matcher m = P_PROTOCOL.matcher(s);
+ if (m.find()) {
+ final String protocol = m.group(1);
+ if (!inArray(protocol, vAllowedProtocols)) {
+ // bad protocol, turn into local anchor link instead
+ s = "#" + s.substring(protocol.length() + 1, s.length());
+ if (s.startsWith("#//")) {
+ s = "#" + s.substring(3, s.length());
+ }
+ }
+ }
+
+ return s;
+ }
+
+ private String decodeEntities(String s) {
+ StringBuffer buf = new StringBuffer();
+
+ Matcher m = P_ENTITY.matcher(s);
+ while (m.find()) {
+ final String match = m.group(1);
+ final int decimal = Integer.decode(match).intValue();
+ m.appendReplacement(buf, chr(decimal));
+ }
+ m.appendTail(buf);
+ s = buf.toString();
+
+ buf = new StringBuffer();
+ m = P_ENTITY_UNICODE.matcher(s);
+ while (m.find()) {
+ final String match = m.group(1);
+ final int decimal = Integer.valueOf(match, 16).intValue();
+ m.appendReplacement(buf, chr(decimal));
+ }
+ m.appendTail(buf);
+ s = buf.toString();
+
+ buf = new StringBuffer();
+ m = P_ENCODE.matcher(s);
+ while (m.find()) {
+ final String match = m.group(1);
+ final int decimal = Integer.valueOf(match, 16).intValue();
+ m.appendReplacement(buf, chr(decimal));
+ }
+ m.appendTail(buf);
+ s = buf.toString();
+
+ s = validateEntities(s);
+ return s;
+ }
+
+ private String validateEntities(String s) {
+ StringBuffer buf = new StringBuffer();
+
+ // validate entities throughout the string
+ Matcher m = P_VALID_ENTITIES.matcher(s);
+ while (m.find()) {
+ final String one = m.group(1); //([^&;]*)
+ final String two = m.group(2); //(?=(;|&|$))
+ final String replacement = Matcher.quoteReplacement(checkEntity(one, two));
+ m.appendReplacement(buf, replacement);
+ }
+ m.appendTail(buf);
+ s = buf.toString();
+
+ // validate quotes outside of tags
+ buf = new StringBuffer();
+ m = P_VALID_QUOTES.matcher(s);
+ while (m.find()) {
+ final String one = m.group(1); //(>|^)
+ final String two = m.group(2); //([^<]+?)
+ final String three = m.group(3); //(<|$)
+ m.appendReplacement(buf, Matcher.quoteReplacement(one + regexReplace(P_QUOTE, """, two) + three));
+ }
+ m.appendTail(buf);
+ s = buf.toString();
+
+ return s;
+ }
+
+ private String checkEntity(final String preamble, final String term) {
+
+ return ";".equals(term) && isValidEntity(preamble)
+ ? '&' + preamble
+ : "&" + preamble;
+ }
+
+ private boolean isValidEntity(final String entity) {
+ return inArray(entity, vAllowedEntities);
+ }
+
+ private static boolean inArray(final String s, final String[] array) {
+ for (String item : array) {
+ if (item != null && item.equals(s)) {
+ return true;
+ }
+ }
+ return false;
+ }
+
+ private boolean allowed(final String name) {
+ return (vAllowed.isEmpty() || vAllowed.containsKey(name)) && !inArray(name, vDisallowed);
+ }
+
+ private boolean allowedAttribute(final String name, final String paramName) {
+ return allowed(name) && (vAllowed.isEmpty() || vAllowed.get(name).contains(paramName));
+ }
+}
Deleted: trunk/src/main/java/net/sf/xsshttpfilter/HTMLFilter.java
===================================================================
--- trunk/src/main/java/net/sf/xsshttpfilter/HTMLFilter.java 2010-09-22 19:22:34 UTC (rev 21)
+++ trunk/src/main/java/net/sf/xsshttpfilter/HTMLFilter.java 2011-01-30 09:07:06 UTC (rev 22)
@@ -1,529 +0,0 @@
-package net.sf.xsshttpfilter;
-
-import java.util.ArrayList;
-import java.util.Collections;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-import java.util.concurrent.ConcurrentHashMap;
-import java.util.concurrent.ConcurrentMap;
-import java.util.logging.Logger;
-import java.util.regex.Matcher;
-import java.util.regex.Pattern;
-
-/**
- *
- * HTML filtering utility for protecting against XSS (Cross Site Scripting).
- *
- * This code is licensed LGPLv3
- *
- * This code is a Java port of the original work in PHP by Cal Hendersen.
- * http://code.iamcal.com/php/lib_filter/
- *
- * The trickiest part of the translation was handling the differences in regex handling
- * between PHP and Java. These resources were helpful in the process:
- *
- * http://java.sun.com/j2se/1.4.2/docs/api/java/util/regex/Pattern.html
- * http://us2.php.net/manual/en/reference.pcre.pattern.modifiers.php
- * http://www.regular-expressions.info/modifiers.html
- *
- * A note on naming conventions: instance variables are prefixed with a "v"; global
- * constants are in all caps.
- *
- * Sample use:
- * String input = ...
- * String clean = new HTMLInputFilter().filter( input );
- *
- * The class is not thread safe. Create a new instance if in doubt.
- *
- * If you find bugs or have suggestions on improvement (especially regarding
- * performance), please contact us. The latest version of this
- * source, and our contact details, can be found at http://xss-html-filter.sf.net
- *
- * @author Joseph O'Connell
- * @author Cal Hendersen
- */
-public final class HTMLFilter {
-
- /** regex flag union representing /si modifiers in php **/
- private static final int REGEX_FLAGS_SI = Pattern.CASE_INSENSITIVE | Pattern.DOTALL;
- private static final Pattern P_COMMENTS = Pattern.compile("<!--(.*?)-->", Pattern.DOTALL);
- private static final Pattern P_COMMENT = Pattern.compile("^!--(.*)--$", REGEX_FLAGS_SI);
- private static final Pattern P_TAGS = Pattern.compile("<(.*?)>", Pattern.DOTALL);
- private static final Pattern P_END_TAG = Pattern.compile("^/([a-z0-9]+)", REGEX_FLAGS_SI);
- private static final Pattern P_START_TAG = Pattern.compile("^([a-z0-9]+)(.*?)(/?)$", REGEX_FLAGS_SI);
- private static final Pattern P_QUOTED_ATTRIBUTES = Pattern.compile("([a-z0-9]+)=([\"'])(.*?)\\2", REGEX_FLAGS_SI);
- private static final Pattern P_UNQUOTED_ATTRIBUTES = Pattern.compile("([a-z0-9]+)(=)([^\"\\s']+)", REGEX_FLAGS_SI);
- private static final Pattern P_PROTOCOL = Pattern.compile("^([^:]+):", REGEX_FLAGS_SI);
- private static final Pattern P_ENTITY = Pattern.compile("&#(\\d+);?");
- private static final Pattern P_ENTITY_UNICODE = Pattern.compile("&#x([0-9a-f]+);?");
- private static final Pattern P_ENCODE = Pattern.compile("%([0-9a-f]{2});?");
- private static final Pattern P_VALID_ENTITIES = Pattern.compile("&([^&;]*)(?=(;|&|$))");
- private static final Pattern P_VALID_QUOTES = Pattern.compile("(>|^)([^<]+?)(<|$)", Pattern.DOTALL);
- private static final Pattern P_END_ARROW = Pattern.compile("^>");
- private static final Pattern P_BODY_TO_END = Pattern.compile("<([^>]*?)(?=<|$)");
- private static final Pattern P_XML_CONTENT = Pattern.compile("(^|>)([^<]*?)(?=>)");
- private static final Pattern P_STRAY_LEFT_ARROW = Pattern.compile("<([^>]*?)(?=<|$)");
- private static final Pattern P_STRAY_RIGHT_ARROW = Pattern.compile("(^|>)([^<]*?)(?=>)");
- private static final Pattern P_AMP = Pattern.compile("&");
- private static final Pattern P_QUOTE = Pattern.compile("\"");
- private static final Pattern P_LEFT_ARROW = Pattern.compile("<");
- private static final Pattern P_RIGHT_ARROW = Pattern.compile(">");
- private static final Pattern P_BOTH_ARROWS = Pattern.compile("<>");
-
- // @xxx could grow large... maybe use sesat's ReferenceMap
- private static final ConcurrentMap<String,Pattern> P_REMOVE_PAIR_BLANKS = new ConcurrentHashMap<String, Pattern>();
- private static final ConcurrentMap<String,Pattern> P_REMOVE_SELF_BLANKS = new ConcurrentHashMap<String, Pattern>();
-
- /** set of allowed html elements, along with allowed attributes for each element **/
- private final Map<String, List<String>> vAllowed;
- /** counts of open tags for each (allowable) html element **/
- private final Map<String, Integer> vTagCounts = new HashMap<String, Integer>();
-
- /** html elements which must always be self-closing (e.g. "<img />") **/
- private final String[] vSelfClosingTags;
- /** html elements which must always have separate opening and closing tags (e.g. "<b></b>") **/
- private final String[] vNeedClosingTags;
- /** set of disallowed html elements **/
- private final String[] vDisallowed;
- /** attributes which should be checked for valid protocols **/
- private final String[] vProtocolAtts;
- /** allowed protocols **/
- private final String[] vAllowedProtocols;
- /** tags which should be removed if they contain no content (e.g. "<b></b>" or "<b />") **/
- private final String[] vRemoveBlanks;
- /** entities allowed within html markup **/
- private final String[] vAllowedEntities;
- /** flag determining whether comments are allowed in input String. */
- private final boolean stripComment;
- private boolean vDebug = false;
- /**
- * flag determining whether to try to make tags when presented with "unbalanced"
- * angle brackets (e.g. "<b text </b>" becomes "<b> text </b>"). If set to false,
- * unbalanced angle brackets will be html escaped.
- */
- private final boolean alwaysMakeTags;
-
- /** Default constructor.
- *
- */
- public HTMLFilter() {
- vAllowed = new HashMap<String, List<String>>();
-
- final ArrayList<String> a_atts = new ArrayList<String>();
- a_atts.add("href");
- a_atts.add("target");
- vAllowed.put("a", a_atts);
-
- final ArrayList<String> img_atts = new ArrayList<String>();
- img_atts.add("src");
- img_atts.add("width");
- img_atts.add("height");
- img_atts.add("alt");
- vAllowed.put("img", img_atts);
-
- final ArrayList<String> no_atts = new ArrayList<String>();
- vAllowed.put("b", no_atts);
- vAllowed.put("strong", no_atts);
- vAllowed.put("i", no_atts);
- vAllowed.put("em", no_atts);
-
- vSelfClosingTags = new String[]{"img"};
- vNeedClosingTags = new String[]{"a", "b", "strong", "i", "em"};
- vDisallowed = new String[]{};
- vAllowedProtocols = new String[]{"http", "mailto"}; // no ftp.
- vProtocolAtts = new String[]{"src", "href"};
- vRemoveBlanks = new String[]{"a", "b", "strong", "i", "em"};
- vAllowedEntities = new String[]{"amp", "gt", "lt", "quot"};
- stripComment = true;
- alwaysMakeTags = true;
- }
-
- /** Set debug flag to true. Otherwise use default settings. See the default constructor.
- *
- * @param debug turn debug on with a true argument
- */
- public HTMLFilter(final boolean debug) {
- this();
- vDebug = debug;
-
- }
-
- /** Map-parameter configurable constructor.
- *
- * @param configuration map containing configuration. keys match field names.
- */
- public HTMLFilter(final Map<String,Object> configuration) {
-
- assert configuration.containsKey("vAllowed") : "configuration requires vAllowed";
- assert configuration.containsKey("vSelfClosingTags") : "configuration requires vSelfClosingTags";
- assert configuration.containsKey("vNeedClosingTags") : "configuration requires vNeedClosingTags";
- assert configuration.containsKey("vDisallowed") : "configuration requires vDisallowed";
- assert configuration.containsKey("vAllowedProtocols") : "configuration requires vAllowedProtocols";
- assert configuration.containsKey("vProtocolAtts") : "configuration requires vProtocolAtts";
- assert configuration.containsKey("vRemoveBlanks") : "configuration requires vRemoveBlanks";
- assert configuration.containsKey("vAllowedEntities") : "configuration requires vAllowedEntities";
- assert configuration.containsKey("stripComment") : "configuration requires stripComment";
- assert configuration.containsKey("alwaysMakeTags") : "configuration requires alwaysMakeTags";
-
- vAllowed = Collections.unmodifiableMap((HashMap<String, List<String>>) configuration.get("vAllowed"));
- vSelfClosingTags = (String[]) configuration.get("vSelfClosingTags");
- vNeedClosingTags = (String[]) configuration.get("vNeedClosingTags");
- vDisallowed = (String[]) configuration.get("vDisallowed");
- vAllowedProtocols = (String[]) configuration.get("vAllowedProtocols");
- vProtocolAtts = (String[]) configuration.get("vProtocolAtts");
- vRemoveBlanks = (String[]) configuration.get("vRemoveBlanks");
- vAllowedEntities = (String[]) configuration.get("vAllowedEntities");
- stripComment = (Boolean) configuration.get("stripComment");
- alwaysMakeTags = (Boolean) configuration.get("alwaysMakeTags");
- }
-
- private void reset() {
- vTagCounts.clear();
- }
-
- private void debug(final String msg) {
- if (vDebug) {
- Logger.getAnonymousLogger().info(msg);
- }
- }
-
- //---------------------------------------------------------------
- // my versions of some PHP library functions
- public static String chr(final int decimal) {
- return String.valueOf((char) decimal);
- }
-
- public static String htmlSpecialChars(final String s) {
- String result = s;
- result = regexReplace(P_AMP, "&", result);
- result = regexReplace(P_QUOTE, """, result);
- result = regexReplace(P_LEFT_ARROW, "<", result);
- result = regexReplace(P_RIGHT_ARROW, ">", result);
- return result;
- }
-
- //---------------------------------------------------------------
- /**
- * given a user submitted input String, filter out any invalid or restricted
- * html.
- *
- * @param input text (i.e. submitted by a user) than may contain html
- * @return "clean" version of input, with only valid, whitelisted html elements allowed
- */
- public String filter(final String input) {
- reset();
- String s = input;
-
- debug("************************************************");
- debug(" INPUT: " + input);
-
- s = escapeComments(s);
- debug(" escapeComments: " + s);
-
- s = balanceHTML(s);
- debug(" balanceHTML: " + s);
-
- s = checkTags(s);
- debug(" checkTags: " + s);
-
- s = processRemoveBlanks(s);
- debug("processRemoveBlanks: " + s);
-
- s = validateEntities(s);
- debug(" validateEntites: " + s);
-
- debug("************************************************\n\n");
- return s;
- }
-
- public boolean isAlwaysMakeTags(){
- return alwaysMakeTags;
- }
-
- public boolean isStripComments(){
- return stripComment;
- }
-
- private String escapeComments(final String s) {
- final Matcher m = P_COMMENTS.matcher(s);
- final StringBuffer buf = new StringBuffer();
- if (m.find()) {
- final String match = m.group(1); //(.*?)
- m.appendReplacement(buf, "<!--" + htmlSpecialChars(match) + "-->");
- }
- m.appendTail(buf);
-
- return buf.toString();
- }
-
- private String balanceHTML(String s) {
- if (alwaysMakeTags) {
- //
- // try and form html
- //
- s = regexReplace(P_END_ARROW, "", s);
- s = regexReplace(P_BODY_TO_END, "<$1>", s);
- s = regexReplace(P_XML_CONTENT, "$1<$2", s);
-
- } else {
- //
- // escape stray brackets
- //
- s = regexReplace(P_STRAY_LEFT_ARROW, "<$1", s);
- s = regexReplace(P_STRAY_RIGHT_ARROW, "$1$2><", s);
-
- //
- // the last regexp causes '<>' entities to appear
- // (we need to do a lookahead assertion so that the last bracket can
- // be used in the next pass of the regexp)
- //
- s = regexReplace(P_BOTH_ARROWS, "", s);
- }
-
- return s;
- }
-
- private String checkTags(String s) {
- Matcher m = P_TAGS.matcher(s);
-
- final StringBuffer buf = new StringBuffer();
- while (m.find()) {
- String replaceStr = m.group(1);
- replaceStr = processTag(replaceStr);
- m.appendReplacement(buf, replaceStr);
- }
- m.appendTail(buf);
-
- s = buf.toString();
-
- // these get tallied in processTag
- // (remember to reset before subsequent calls to filter method)
- for (String key : vTagCounts.keySet()) {
- for (int ii = 0; ii < vTagCounts.get(key); ii++) {
- s += "</" + key + ">";
- }
- }
-
- return s;
- }
-
- private String processRemoveBlanks(final String s) {
- String result = s;
- for (String tag : vRemoveBlanks) {
- if(!P_REMOVE_PAIR_BLANKS.containsKey(tag)){
- P_REMOVE_PAIR_BLANKS.putIfAbsent(tag, Pattern.compile("<" + tag + "(\\s[^>]*)?></" + tag + ">"));
- }
- result = regexReplace(P_REMOVE_PAIR_BLANKS.get(tag), "", result);
- if(!P_REMOVE_SELF_BLANKS.containsKey(tag)){
- P_REMOVE_SELF_BLANKS.putIfAbsent(tag, Pattern.compile("<" + tag + "(\\s[^>]*)?/>"));
- }
- result = regexReplace(P_REMOVE_SELF_BLANKS.get(tag), "", result);
- }
-
- return result;
- }
-
- private static String regexReplace(final Pattern regex_pattern, final String replacement, final String s) {
- Matcher m = regex_pattern.matcher(s);
- return m.replaceAll(replacement);
- }
-
- private String processTag(final String s) {
- // ending tags
- Matcher m = P_END_TAG.matcher(s);
- if (m.find()) {
- final String name = m.group(1).toLowerCase();
- if (allowed(name)) {
- if (!inArray(name, vSelfClosingTags)) {
- if (vTagCounts.containsKey(name)) {
- vTagCounts.put(name, vTagCounts.get(name) - 1);
- return "</" + name + ">";
- }
- }
- }
- }
-
- // starting tags
- m = P_START_TAG.matcher(s);
- if (m.find()) {
- final String name = m.group(1).toLowerCase();
- final String body = m.group(2);
- String ending = m.group(3);
-
- //debug( "in a starting tag, name='" + name + "'; body='" + body + "'; ending='" + ending + "'" );
- if (allowed(name)) {
- String params = "";
-
- final Matcher m2 = P_QUOTED_ATTRIBUTES.matcher(body);
- final Matcher m3 = P_UNQUOTED_ATTRIBUTES.matcher(body);
- final List<String> paramNames = new ArrayList<String>();
- final List<String> paramValues = new ArrayList<String>();
- while (m2.find()) {
- paramNames.add(m2.group(1)); //([a-z0-9]+)
- paramValues.add(m2.group(3)); //(.*?)
- }
- while (m3.find()) {
- paramNames.add(m3.group(1)); //([a-z0-9]+)
- paramValues.add(m3.group(3)); //([^\"\\s']+)
- }
-
- String paramName, paramValue;
- for (int ii = 0; ii < paramNames.size(); ii++) {
- paramName = paramNames.get(ii).toLowerCase();
- paramValue = paramValues.get(ii);
-
-// debug( "paramName='" + paramName + "'" );
-// debug( "paramValue='" + paramValue + "'" );
-// debug( "allowed? " + vAllowed.get( name ).contains( paramName ) );
-
- if (allowedAttribute(name, paramName)) {
- if (inArray(paramName, vProtocolAtts)) {
- paramValue = processParamProtocol(paramValue);
- }
- params += " " + paramName + "=\"" + paramValue + "\"";
- }
- }
-
- if (inArray(name, vSelfClosingTags)) {
- ending = " /";
- }
-
- if (inArray(name, vNeedClosingTags)) {
- ending = "";
- }
-
- if (ending == null || ending.length() < 1) {
- if (vTagCounts.containsKey(name)) {
- vTagCounts.put(name, vTagCounts.get(name) + 1);
- } else {
- vTagCounts.put(name, 1);
- }
- } else {
- ending = " /";
- }
- return "<" + name + params + ending + ">";
- } else {
- return "";
- }
- }
-
- // comments
- m = P_COMMENT.matcher(s);
- if (!stripComment && m.find()) {
- return "<" + m.group() + ">";
- }
-
- return "";
- }
-
- private String processParamProtocol(String s) {
- s = decodeEntities(s);
- final Matcher m = P_PROTOCOL.matcher(s);
- if (m.find()) {
- final String protocol = m.group(1);
- if (!inArray(protocol, vAllowedProtocols)) {
- // bad protocol, turn into local anchor link instead
- s = "#" + s.substring(protocol.length() + 1, s.length());
- if (s.startsWith("#//")) {
- s = "#" + s.substring(3, s.length());
- }
- }
- }
-
- return s;
- }
-
- private String decodeEntities(String s) {
- StringBuffer buf = new StringBuffer();
-
- Matcher m = P_ENTITY.matcher(s);
- while (m.find()) {
- final String match = m.group(1);
- final int decimal = Integer.decode(match).intValue();
- m.appendReplacement(buf, chr(decimal));
- }
- m.appendTail(buf);
- s = buf.toString();
-
- buf = new StringBuffer();
- m = P_ENTITY_UNICODE.matcher(s);
- while (m.find()) {
- final String match = m.group(1);
- final int decimal = Integer.valueOf(match, 16).intValue();
- m.appendReplacement(buf, chr(decimal));
- }
- m.appendTail(buf);
- s = buf.toString();
-
- buf = new StringBuffer();
- m = P_ENCODE.matcher(s);
- while (m.find()) {
- final String match = m.group(1);
- final int decimal = Integer.valueOf(match, 16).intValue();
- m.appendReplacement(buf, chr(decimal));
- }
- m.appendTail(buf);
- s = buf.toString();
-
- s = validateEntities(s);
- return s;
- }
-
- private String validateEntities(String s) {
- StringBuffer buf = new StringBuffer();
-
- // validate entities throughout the string
- Matcher m = P_VALID_ENTITIES.matcher(s);
- while (m.find()) {
- final String one = m.group(1); //([^&;]*)
- final String two = m.group(2); //(?=(;|&|$))
- final String replacement = Matcher.quoteReplacement(checkEntity(one, two));
- m.appendReplacement(buf, replacement);
- }
- m.appendTail(buf);
- s = buf.toString();
-
- // validate quotes outside of tags
- buf = new StringBuffer();
- m = P_VALID_QUOTES.matcher(s);
- while (m.find()) {
- final String one = m.group(1); //(>|^)
- final String two = m.group(2); //([^<]+?)
- final String three = m.group(3); //(<|$)
- m.appendReplacement(buf, Matcher.quoteReplacement(one + regexReplace(P_QUOTE, """, two) + three));
- }
- m.appendTail(buf);
- s = buf.toString();
-
- return s;
- }
-
- private String checkEntity(final String preamble, final String term) {
-
- return ";".equals(term) && isValidEntity(preamble)
- ? '&' + preamble
- : "&" + preamble;
- }
-
- private boolean isValidEntity(final String entity) {
- return inArray(entity, vAllowedEntities);
- }
-
- private static boolean inArray(final String s, final String[] array) {
- for (String item : array) {
- if (item != null && item.equals(s)) {
- return true;
- }
- }
- return false;
- }
-
- private boolean allowed(final String name) {
- return (vAllowed.isEmpty() || vAllowed.containsKey(name)) && !inArray(name, vDisallowed);
- }
-
- private boolean allowedAttribute(final String name, final String paramName) {
- return allowed(name) && (vAllowed.isEmpty() || vAllowed.get(name).contains(paramName));
- }
-}
Copied: trunk/src/test/java/net/sf/xsshtmlfilter/HTMLFilterTest.java (from rev 13, trunk/src/test/java/net/sf/xsshttpfilter/HTMLFilterTest.java)
===================================================================
--- trunk/src/test/java/net/sf/xsshtmlfilter/HTMLFilterTest.java (rev 0)
+++ trunk/src/test/java/net/sf/xsshtmlfilter/HTMLFilterTest.java 2011-01-30 09:07:06 UTC (rev 22)
@@ -0,0 +1,191 @@
+package net.sf.xsshtmlfilter;
+
+import net.sf.xsshtmlfilter.HTMLFilter;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.is;
+
+/**
+ *
+ */
+public class HTMLFilterTest {
+ protected HTMLFilter vFilter;
+
+ @Before
+ public void setUp() {
+ vFilter = new HTMLFilter(true);
+ }
+
+ @After
+ public void tearDown() {
+ vFilter = null;
+ }
+
+ @Test
+ public void testBasics() {
+ assertThat(vFilter.filter(""), is(""));
+ assertThat(vFilter.filter("hello"), is("hello"));
+ }
+
+ @Test
+ public void testBalancingTags() {
+ assertThat(vFilter.filter("<b>hello"), is("<b>hello</b>"));
+ assertThat(vFilter.filter("<b>hello"), is("<b>hello</b>"));
+ assertThat(vFilter.filter("hello<b>"), is("hello"));
+ assertThat(vFilter.filter("hello</b>"), is("hello"));
+ assertThat(vFilter.filter("hello<b/>"), is("hello"));
+ assertThat(vFilter.filter("<b><b><b>hello"), is("<b><b><b>hello</b></b></b>"));
+ assertThat(vFilter.filter("</b><b>"), is(""));
+ }
+
+ @Test
+ public void testEndSlashes() {
+ assertThat(vFilter.filter("<img>"), is("<img />"));
+ assertThat(vFilter.filter("<img/>"), is("<img />"));
+ assertThat(vFilter.filter("<b/></b>"), is(""));
+ }
+
+ @Test
+ public void testBalancingAngleBrackets() {
+ if (vFilter.isAlwaysMakeTags()) {
+ assertThat(vFilter.filter("<img src=\"foo\""), is("<img src=\"foo\" />"));
+ assertThat(vFilter.filter("i>"), is(""));
+ assertThat(vFilter.filter("<img src=\"foo\"/"), is("<img src=\"foo\" />"));
+ assertThat(vFilter.filter(">"), is(""));
+ assertThat(vFilter.filter("foo<b"), is("foo"));
+ assertThat(vFilter.filter("b>foo"), is("<b>foo</b>"));
+ assertThat(vFilter.filter("><b"), is(""));
+ assertThat(vFilter.filter("b><"), is(""));
+ assertThat(vFilter.filter("><b>"), is(""));
+ } else {
+ assertThat(vFilter.filter("<img src=\"foo\""), is("<img src=\"foo\""));
+ assertThat(vFilter.filter("b>"), is("b>"));
+ assertThat(vFilter.filter("<img src=\"foo\"/"), is("<img src=\"foo\"/"));
+ assertThat(vFilter.filter(">"), is(">"));
+ assertThat(vFilter.filter("foo<b"), is("foo<b"));
+ assertThat(vFilter.filter("b>foo"), is("b>foo"));
+ assertThat(vFilter.filter("><b"), is("><b"));
+ assertThat(vFilter.filter("b><"), is("b><"));
+ assertThat(vFilter.filter("><b>"), is(">"));
+ }
+ }
+
+ @Test
+ public void testAttributes() {
+ assertThat(vFilter.filter("<img src=foo>"), is("<img src=\"foo\" />"));
+ assertThat(vFilter.filter("<img asrc=foo>"), is("<img />"));
+ assertThat(vFilter.filter("<img src=test test>"), is("<img src=\"test\" />"));
+ }
+
+ @Test
+ public void testDisallowScriptTags() {
+ assertThat(vFilter.filter("<script>"), is(""));
+ String result = vFilter.isAlwaysMakeTags() ? "" : "<script";
+ assertThat(vFilter.filter("<script"), is(result));
+ assertThat(vFilter.filter("<script/>"), is(""));
+ assertThat(vFilter.filter("</script>"), is(""));
+ assertThat(vFilter.filter("<script woo=yay>"), is(""));
+ assertThat(vFilter.filter("<script woo=\"yay\">"), is(""));
+ assertThat(vFilter.filter("<script woo=\"yay>"), is(""));
+ assertThat(vFilter.filter("<script woo=\"yay<b>"), is(""));
+ assertThat(vFilter.filter("<script<script>>"), is(""));
+ assertThat(vFilter.filter("<<script>script<script>>"), is("script"));
+ assertThat(vFilter.filter("<<script><script>>"), is(""));
+ assertThat(vFilter.filter("<<script>script>>"), is(""));
+ assertThat(vFilter.filter("<<script<script>>"), is(""));
+ }
+
+ @Test
+ public void testProtocols() {
+ assertThat(vFilter.filter("<a href=\"http://foo\">bar</a>"), is("<a href=\"http://foo\">bar</a>"));
+ // we don't allow ftp. t("<a href=\"ftp://foo\">bar</a>", "<a href=\"ftp://foo\">bar</a>");
+ assertThat(vFilter.filter("<a href=\"mailto:foo\">bar</a>"), is("<a href=\"mailto:foo\">bar</a>"));
+ assertThat(vFilter.filter("<a href=\"javascript:foo\">bar</a>"), is("<a href=\"#foo\">bar</a>"));
+ assertThat(vFilter.filter("<a href=\"java script:foo\">bar</a>"), is("<a href=\"#foo\">bar</a>"));
+ assertThat(vFilter.filter("<a href=\"java\tscript:foo\">bar</a>"), is("<a href=\"#foo\">bar</a>"));
+ assertThat(vFilter.filter("<a href=\"java\nscript:foo\">bar</a>"), is("<a href=\"#foo\">bar</a>"));
+ assertThat(vFilter.filter("<a href=\"java" + HTMLFilter.chr(1) + "script:foo\">bar</a>"), is("<a href=\"#foo\">bar</a>"));
+ assertThat(vFilter.filter("<a href=\"jscript:foo\">bar</a>"), is("<a href=\"#foo\">bar</a>"));
+ assertThat(vFilter.filter("<a href=\"vbscript:foo\">bar</a>"), is("<a href=\"#foo\">bar</a>"));
+ assertThat(vFilter.filter("<a href=\"view-source:foo\">bar</a>"), is("<a href=\"#foo\">bar</a>"));
+ }
+
+ @Test
+ public void testSelfClosingTags() {
+ assertThat(vFilter.filter("<img src=\"a\">"), is("<img src=\"a\" />"));
+ assertThat(vFilter.filter("<img src=\"a\">foo</img>"), is("<img src=\"a\" />foo"));
+ assertThat(vFilter.filter("</img>"), is(""));
+ }
+
+ @Test
+ public void testComments() {
+ if (vFilter.isStripComments()) {
+ assertThat(vFilter.filter("<!-- a<b --->"), is(""));
+ } else {
+ assertThat(vFilter.filter("<!-- a<b --->"), is("<!-- a<b --->"));
+ }
+ }
+
+ @Test
+ public void testEntities() {
+ assertThat(vFilter.filter(" "), is("&nbsp;"));
+ assertThat(vFilter.filter("&"), is("&"));
+ assertThat(vFilter.filter("test test"), is("test &nbsp; test"));
+ assertThat(vFilter.filter("test & test"), is("test & test"));
+ assertThat(vFilter.filter(" "), is("&nbsp;&nbsp;"));
+ assertThat(vFilter.filter("&&"), is("&&"));
+ assertThat(vFilter.filter("test test"), is("test &nbsp;&nbsp; test"));
+ assertThat(vFilter.filter("test && test"), is("test && test"));
+ assertThat(vFilter.filter("& "), is("&&nbsp;"));
+ assertThat(vFilter.filter("test & test"), is("test &&nbsp; test"));
+ }
+
+ @Test
+ public void testDollar() {
+ String text = "modeling & US MSRP $81.99, (Not Included)";
+ String result = "modeling & US MSRP $81.99, (Not Included)";
+
+ assertThat(vFilter.filter(text), is(result));
+ }
+
+ @Test
+ public void testBr() {
+ final Map<String, List<String>> allowed = new HashMap<String, List<String>>();
+ for(String allow : "span;br;b;strong;em;u;i".split("\\s*;\\s*")){
+ if(0 < allow.indexOf(':')){
+ final String name = allow.split(":")[0];
+ final String[] attributes = allow.split(":")[0].split("\\s*,\\s*");
+ allowed.put(name, Arrays.asList(attributes));
+ }else{
+ allowed.put(allow, Collections.<String>emptyList());
+ }
+ }
+
+ Map<String,Object> config = new HashMap<String,Object>(){{
+ put("vAllowed", allowed);
+ put("vSelfClosingTags", "img,br".split("\\s*,\\s*"));
+ put("vNeedClosingTags", "a,b,strong,i,em".split("\\s*,\\s*"));
+ put("vDisallowed", "".split("\\s*,\\s*"));
+ put("vAllowedProtocols", "src,href".split("\\s*,\\s*"));
+ put("vProtocolAtts", "".split("\\s*,\\s*"));
+ put("vRemoveBlanks", "a,b,strong,i,em".split("\\s*,\\s*"));
+ put("vAllowedEntities", "mdash,euro,quot,amp,lt,gt,nbsp,iexcl,cent,pound,curren,yen,brvbar,sect,uml,copy,ordf,laquo,not,shy,reg,macr,deg,plusmn,sup2,sup3,acute,micro,para,middot,cedil,sup1,ordm,raquo,frac14,frac12,frac34,iquest,Agrave,Aacute,Acirc,Atilde,Auml,Aring,AElig,Ccedil,Egrave,Eacute,Ecirc,Euml,Igrave,Iacute,Icirc,Iuml,ETH,Ntilde,Ograve,Oacute,Ocirc,Otilde,Ouml,times,Oslash,Ugrave,Uacute,Ucirc,Uuml,Yacute,THORN,szlig,agrave,aacute,acirc,atilde,auml,aring,aelig,ccedil,egrave,eacute,ecirc,euml,igrave,iacute,icirc,iuml,eth,ntilde,ograve,oacute,ocirc,otilde,ouml,divide,oslash,ugrave,uacute,ucirc,uuml,yacute,thorn,yuml,#34,#38,#60,#62,#160,#161,#162,#163,#164,#165,#166,#167,#168,#169,#170,#171,#172,#173,#174,#175,#176,#177,#178,#179,#180,#181,#182,#183,#184,#185,#186,#187,#188,#189,#190,#191,#192,#193,#194,#195,#196,#197,#198,#199,#200,#201,#202,#203,#204,#205,#206,#207,#208,#209,#210,#211,#212,#213,#214,#215,#216,#217,#218,#219,#220,#221,#222,#223,#224,#225,#226,#227,#228,#229,#230,#231,#232,#233,#234,#235,#236,#237,#238,#239,#240,#241,#242,#243,#244,#245,#246,#247,#248,#249,#250,#251,#252,#253,#254,#255".split("\\s*,\\s*"));
+ put("stripComment", Boolean.TRUE);
+ put("alwaysMakeTags", Boolean.TRUE);
+ }};
+
+ vFilter = new HTMLFilter(config);
+
+ assertThat(vFilter.filter("test <br> test <br>"), is("test <br /> test <br />"));
+ }
+
+}
Deleted: trunk/src/test/java/net/sf/xsshttpfilter/HTMLFilterTest.java
===================================================================
--- trunk/src/test/java/net/sf/xsshttpfilter/HTMLFilterTest.java 2010-09-22 19:22:34 UTC (rev 21)
+++ trunk/src/test/java/net/sf/xsshttpfilter/HTMLFilterTest.java 2011-01-30 09:07:06 UTC (rev 22)
@@ -1,190 +0,0 @@
-package net.sf.xsshttpfilter;
-
-import org.junit.After;
-import org.junit.Before;
-import org.junit.Test;
-
-import java.util.Arrays;
-import java.util.Collections;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-
-import static org.hamcrest.MatcherAssert.assertThat;
-import static org.hamcrest.Matchers.is;
-
-/**
- *
- */
-public class HTMLFilterTest {
- protected HTMLFilter vFilter;
-
- @Before
- public void setUp() {
- vFilter = new HTMLFilter(true);
- }
-
- @After
- public void tearDown() {
- vFilter = null;
- }
-
- @Test
- public void testBasics() {
- assertThat(vFilter.filter(""), is(""));
- assertThat(vFilter.filter("hello"), is("hello"));
- }
-
- @Test
- public void testBalancingTags() {
- assertThat(vFilter.filter("<b>hello"), is("<b>hello</b>"));
- assertThat(vFilter.filter("<b>hello"), is("<b>hello</b>"));
- assertThat(vFilter.filter("hello<b>"), is("hello"));
- assertThat(vFilter.filter("hello</b>"), is("hello"));
- assertThat(vFilter.filter("hello<b/>"), is("hello"));
- assertThat(vFilter.filter("<b><b><b>hello"), is("<b><b><b>hello</b></b></b>"));
- assertThat(vFilter.filter("</b><b>"), is(""));
- }
-
- @Test
- public void testEndSlashes() {
- assertThat(vFilter.filter("<img>"), is("<img />"));
- assertThat(vFilter.filter("<img/>"), is("<img />"));
- assertThat(vFilter.filter("<b/></b>"), is(""));
- }
-
- @Test
- public void testBalancingAngleBrackets() {
- if (vFilter.isAlwaysMakeTags()) {
- assertThat(vFilter.filter("<img src=\"foo\""), is("<img src=\"foo\" />"));
- assertThat(vFilter.filter("i>"), is(""));
- assertThat(vFilter.filter("<img src=\"foo\"/"), is("<img src=\"foo\" />"));
- assertThat(vFilter.filter(">"), is(""));
- assertThat(vFilter.filter("foo<b"), is("foo"));
- assertThat(vFilter.filter("b>foo"), is("<b>foo</b>"));
- assertThat(vFilter.filter("><b"), is(""));
- assertThat(vFilter.filter("b><"), is(""));
- assertThat(vFilter.filter("><b>"), is(""));
- } else {
- assertThat(vFilter.filter("<img src=\"foo\""), is("<img src=\"foo\""));
- assertThat(vFilter.filter("b>"), is("b>"));
- assertThat(vFilter.filter("<img src=\"foo\"/"), is("<img src=\"foo\"/"));
- assertThat(vFilter.filter(">"), is(">"));
- assertThat(vFilter.filter("foo<b"), is("foo<b"));
- assertThat(vFilter.filter("b>foo"), is("b>foo"));
- assertThat(vFilter.filter("><b"), is("><b"));
- assertThat(vFilter.filter("b><"), is("b><"));
- assertThat(vFilter.filter("><b>"), is(">"));
- }
- }
-
- @Test
- public void testAttributes() {
- assertThat(vFilter.filter("<img src=foo>"), is("<img src=\"foo\" />"));
- ...
[truncated message content] |
