xss-html-filter-commits Mailing List for xss-html-filter
Brought to you by:
micksembwever
Menu
▾
▴
xss-html-filter-commits — Subversion commits
You can subscribe to this list here.
| 2010 |
Jan
|
Feb
|
Mar
|
Apr
|
May
|
Jun
|
Jul
|
Aug
(3) |
Sep
(10) |
Oct
|
Nov
|
Dec
|
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2011 |
Jan
(2) |
Feb
(5) |
Mar
|
Apr
|
May
|
Jun
(5) |
Jul
|
Aug
|
Sep
(1) |
Oct
|
Nov
|
Dec
|
|
From: <mic...@us...> - 2011-09-21 10:23:56
|
Revision: 35
http://xss-html-filter.svn.sourceforge.net/xss-html-filter/?rev=35&view=rev
Author: micksembwever
Date: 2011-09-21 10:23:50 +0000 (Wed, 21 Sep 2011)
Log Message:
-----------
docs
Modified Paths:
--------------
trunk/src/main/java/net/sf/xsshtmlfilter/HTMLFilter.java
Modified: trunk/src/main/java/net/sf/xsshtmlfilter/HTMLFilter.java
===================================================================
--- trunk/src/main/java/net/sf/xsshtmlfilter/HTMLFilter.java 2011-06-11 12:23:39 UTC (rev 34)
+++ trunk/src/main/java/net/sf/xsshtmlfilter/HTMLFilter.java 2011-09-21 10:23:50 UTC (rev 35)
@@ -32,7 +32,7 @@
*
* Sample use:
* String input = ...
- * String clean = new HTMLInputFilter().filter( input );
+ * String clean = new HTMLFilter().filter( input );
*
* The class is not thread safe. Create a new instance if in doubt.
*
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
|
From: <mic...@us...> - 2011-06-11 12:23:45
|
Revision: 34
http://xss-html-filter.svn.sourceforge.net/xss-html-filter/?rev=34&view=rev
Author: micksembwever
Date: 2011-06-11 12:23:39 +0000 (Sat, 11 Jun 2011)
Log Message:
-----------
[maven-release-plugin] prepare for next development iteration
Modified Paths:
--------------
trunk/pom.xml
Modified: trunk/pom.xml
===================================================================
--- trunk/pom.xml 2011-06-11 12:23:32 UTC (rev 33)
+++ trunk/pom.xml 2011-06-11 12:23:39 UTC (rev 34)
@@ -2,7 +2,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>net.sf.xss-html-filter</groupId>
<artifactId>xss-html-filter</artifactId>
- <version>1.4</version>
+ <version>1.5-SNAPSHOT</version>
<packaging>jar</packaging>
<name>XSS HTMLFilter</name>
@@ -13,9 +13,9 @@
</description>
<scm>
- <connection>scm:svn:https://xss-html-filter.svn.sourceforge.net/svnroot/xss-html-filter/tags/xss-html-filter-1.4</connection>
- <developerConnection>scm:svn:https://xss-html-filter.svn.sourceforge.net/svnroot/xss-html-filter/tags/xss-html-filter-1.4</developerConnection>
- <url>http://xss-html-filter.svn.sourceforge.net/viewvc/xss-html-filter/tags/xss-html-filter-1.4</url>
+ <connection>scm:svn:https://xss-html-filter.svn.sourceforge.net/svnroot/xss-html-filter/trunk</connection>
+ <developerConnection>scm:svn:https://xss-html-filter.svn.sourceforge.net/svnroot/xss-html-filter/trunk</developerConnection>
+ <url>http://xss-html-filter.svn.sourceforge.net/viewvc/xss-html-filter/trunk/</url>
</scm>
<licenses>
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
|
From: <mic...@us...> - 2011-06-11 12:23:40
|
Revision: 33
http://xss-html-filter.svn.sourceforge.net/xss-html-filter/?rev=33&view=rev
Author: micksembwever
Date: 2011-06-11 12:23:32 +0000 (Sat, 11 Jun 2011)
Log Message:
-----------
[maven-release-plugin] copy for tag xss-html-filter-1.4
Added Paths:
-----------
tags/xss-html-filter-1.4/
tags/xss-html-filter-1.4/pom.xml
Removed Paths:
-------------
tags/xss-html-filter-1.4/pom.xml
Deleted: tags/xss-html-filter-1.4/pom.xml
===================================================================
--- trunk/pom.xml 2011-06-03 14:40:34 UTC (rev 31)
+++ tags/xss-html-filter-1.4/pom.xml 2011-06-11 12:23:32 UTC (rev 33)
@@ -1,250 +0,0 @@
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
- <modelVersion>4.0.0</modelVersion>
- <groupId>net.sf.xss-html-filter</groupId>
- <artifactId>xss-html-filter</artifactId>
- <version>1.4-SNAPSHOT</version>
- <packaging>jar</packaging>
- <name>XSS HTMLFilter</name>
-
-
- <description>
- A Java library for protecting against cross site scripting.
- Hosted at https://sourceforge.net/projects/xss-html-filter/
- </description>
-
- <scm>
- <connection>scm:svn:https://xss-html-filter.svn.sourceforge.net/svnroot/xss-html-filter/trunk</connection>
- <developerConnection>scm:svn:https://xss-html-filter.svn.sourceforge.net/svnroot/xss-html-filter/trunk</developerConnection>
- <url>http://xss-html-filter.svn.sourceforge.net/viewvc/xss-html-filter/trunk/</url>
- </scm>
-
- <licenses>
- <license>
- <name>LGPLv3</name>
- <url>LICENSE.txt</url>
- <distribution>manual</distribution>
- </license>
- </licenses>
-
-
- <issueManagement><url>http://sourceforge.net/tracker/?group_id=344527</url></issueManagement>
-
- <developers>
- <developer>
- <name>Cal Henderson</name>
- <url>http://www.iamcal.com/</url>
- </developer>
- <developer>
- <name>Joseph O'Connell</name>
- <url>http://josephoconnell.com/</url>
- </developer>
- <developer>
- <name>mck</name>
- <id>micksembwever</id>
- <email>mi...@se...</email>
- <url>http://semb.wever.org</url>
- </developer>
- </developers>
-
- <mailingLists>
- <mailingList>
- <name>User & Development List</name>
- <post>xss...@li...</post>
- <archive>http://sourceforge.net/mailarchive/forum.php?forum_name=xss-html-filter-user</archive>
- </mailingList>
- <mailingList>
- <name>Commit List</name>
- <archive>https://sourceforge.net/mailarchive/forum.php?forum_name=xss-html-filter-commits</archive>
- </mailingList>
- </mailingLists>
-
- <properties>
- <!-- java -->
- <version.jdk>1.6</version.jdk>
-
- </properties>
-
- <build>
- <plugins>
- <plugin>
- <groupId>org.apache.maven.plugins</groupId>
- <artifactId>maven-compiler-plugin</artifactId>
- <configuration>
- <source>${version.jdk}</source>
- <target>${version.jdk}</target>
- </configuration>
- </plugin>
- <plugin>
- <groupId>org.apache.maven.plugins</groupId>
- <artifactId>maven-source-plugin</artifactId>
- <version>2.1.1</version>
- <executions>
- <execution>
- <id>attach-sources</id>
- <goals>
- <goal>jar-no-fork</goal>
- <goal>test-jar-no-fork</goal>
- </goals>
- </execution>
- </executions>
- </plugin>
- </plugins>
- </build>
-
- <dependencies>
-
- <dependency>
- <groupId>junit</groupId>
- <artifactId>junit</artifactId>
- <version>4.7</version>
- <scope>test</scope>
- </dependency>
-
- <dependency>
- <groupId>org.hamcrest</groupId>
- <artifactId>hamcrest-all</artifactId>
- <version>1.1</version>
- <scope>test</scope>
- </dependency>
- </dependencies>
-
- <repositories>
- <repository>
- <id>xss-html-filter-releases</id>
- <name>xss-html-filter.sf.net releases</name>
- <url>http://xss-html-filter.sf.net/releases/</url>
- <releases>
- <enabled>true</enabled>
- </releases>
- <snapshots>
- <enabled>false</enabled>
- </snapshots>
- </repository>
- <repository>
- <id>xss-html-filter-snapshot</id>
- <name>xss-html-filter.sf.net snapshots</name>
- <url>http://xss-html-filter.sf.net/snapshots/</url>
- <releases>
- <enabled>false</enabled>
- </releases>
- <snapshots>
- <enabled>true</enabled>
- </snapshots>
- </repository>
- </repositories>
-
- <distributionManagement>
- <repository>
- <id>xss-html-filter-releases</id>
- <name>xss-html-filter.sf.net releases</name>
- <url>scp://shell.sourceforge.net:/home/project-web/xss-html-filter/htdocs/releases/</url>
- </repository>
- <snapshotRepository>
- <id>xss-html-filter-snapshots</id>
- <name>xss-html-filter.sf.net snapshots</name>
- <url>scp://shell.sourceforge.net:/home/project-web/xss-html-filter/htdocs/snapshots/</url>
- </snapshotRepository>
- <site>
- <id>xss-html-filter.sf.net</id>
- <url>scp://web.sourceforge.net/home/project-web/xss-html-filter/htdocs/site/</url>
- </site>
- </distributionManagement>
-
- <reporting>
- <plugins>
- <plugin>
- <groupId>org.apache.maven.plugins</groupId>
- <artifactId>maven-project-info-reports-plugin</artifactId>
- <version>2.1.2</version>
- <reportSets>
- <reportSet>
- <reports>
- <report>index</report>
- <report>dependencies</report>
- <report>dependency-convergence</report>
- <report>issue-tracking</report>
- <report>scm</report>
- <report>project-team</report>
- <report>summary</report>
- <report>cim</report>
- </reports>
- </reportSet>
- </reportSets>
- </plugin>
- <plugin>
- <groupId>org.codehaus.mojo</groupId>
- <artifactId>cobertura-maven-plugin</artifactId>
- <configuration>
- <formats>
- <format>html</format>
- <format>xml</format>
- </formats>
- </configuration>
- </plugin>
- <plugin>
- <artifactId>maven-javadoc-plugin</artifactId>
- <reportSets>
- <reportSet>
- <id>html</id>
- <configuration>
- <minmemory>128m</minmemory>
- <maxmemory>512m</maxmemory>
- <source>${version.jdk}</source>
- <docfilessubdirs>true</docfilessubdirs>
- <links>
- <link>http://java.sun.com/javase/6/docs/api/</link>
- <link>http://java.sun.com/javaee/5/docs/api/</link>
- </links>
- </configuration>
- <reports><report>javadoc</report></reports>
- </reportSet>
- </reportSets>
- </plugin>
- <plugin>
- <groupId>org.codehaus.mojo</groupId>
- <artifactId>findbugs-maven-plugin</artifactId>
- <configuration>
- <threshold>Normal</threshold>
- <xmlOutput>true</xmlOutput>
- <!-- Optional derectory to put findbugs xdoc xml report -->
- <xmlOutputDirectory>target/site</xmlOutputDirectory>
- </configuration>
- </plugin>
- <plugin>
- <groupId>org.codehaus.mojo</groupId>
- <artifactId>taglist-maven-plugin</artifactId>
- <configuration>
- <tags>
- <tag>TODO</tag>
- <tag>@todo</tag>
- <tag>FIXME</tag>
- <tag>XXX</tag>
- <tag>hack</tag>
- </tags>
- </configuration>
- </plugin>
- <plugin>
- <groupId>org.apache.maven.plugins</groupId>
- <artifactId>maven-jxr-plugin</artifactId>
- </plugin>
- <plugin>
- <groupId>org.apache.maven.plugins</groupId>
- <artifactId>maven-surefire-report-plugin</artifactId>
- </plugin>
- <plugin>
- <groupId>org.apache.maven.plugins</groupId>
- <artifactId>maven-pmd-plugin</artifactId>
- <configuration>
- <targetJdk>${version.jdk}</targetJdk>
- <rulesets>
- <ruleset>/rulesets/basic.xml</ruleset>
- <ruleset>/rulesets/imports.xml</ruleset>
- <ruleset>/rulesets/unusedcode.xml</ruleset>
- <ruleset>/rulesets/finalizers.xml</ruleset>
- </rulesets>
- </configuration>
- </plugin>
- </plugins>
- </reporting>
-
-</project>
Copied: tags/xss-html-filter-1.4/pom.xml (from rev 32, trunk/pom.xml)
===================================================================
--- tags/xss-html-filter-1.4/pom.xml (rev 0)
+++ tags/xss-html-filter-1.4/pom.xml 2011-06-11 12:23:32 UTC (rev 33)
@@ -0,0 +1,250 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+ <modelVersion>4.0.0</modelVersion>
+ <groupId>net.sf.xss-html-filter</groupId>
+ <artifactId>xss-html-filter</artifactId>
+ <version>1.4</version>
+ <packaging>jar</packaging>
+ <name>XSS HTMLFilter</name>
+
+
+ <description>
+ A Java library for protecting against cross site scripting.
+ Hosted at https://sourceforge.net/projects/xss-html-filter/
+ </description>
+
+ <scm>
+ <connection>scm:svn:https://xss-html-filter.svn.sourceforge.net/svnroot/xss-html-filter/tags/xss-html-filter-1.4</connection>
+ <developerConnection>scm:svn:https://xss-html-filter.svn.sourceforge.net/svnroot/xss-html-filter/tags/xss-html-filter-1.4</developerConnection>
+ <url>http://xss-html-filter.svn.sourceforge.net/viewvc/xss-html-filter/tags/xss-html-filter-1.4</url>
+ </scm>
+
+ <licenses>
+ <license>
+ <name>LGPLv3</name>
+ <url>LICENSE.txt</url>
+ <distribution>manual</distribution>
+ </license>
+ </licenses>
+
+
+ <issueManagement><url>http://sourceforge.net/tracker/?group_id=344527</url></issueManagement>
+
+ <developers>
+ <developer>
+ <name>Cal Henderson</name>
+ <url>http://www.iamcal.com/</url>
+ </developer>
+ <developer>
+ <name>Joseph O'Connell</name>
+ <url>http://josephoconnell.com/</url>
+ </developer>
+ <developer>
+ <name>mck</name>
+ <id>micksembwever</id>
+ <email>mi...@se...</email>
+ <url>http://semb.wever.org</url>
+ </developer>
+ </developers>
+
+ <mailingLists>
+ <mailingList>
+ <name>User & Development List</name>
+ <post>xss...@li...</post>
+ <archive>http://sourceforge.net/mailarchive/forum.php?forum_name=xss-html-filter-user</archive>
+ </mailingList>
+ <mailingList>
+ <name>Commit List</name>
+ <archive>https://sourceforge.net/mailarchive/forum.php?forum_name=xss-html-filter-commits</archive>
+ </mailingList>
+ </mailingLists>
+
+ <properties>
+ <!-- java -->
+ <version.jdk>1.6</version.jdk>
+
+ </properties>
+
+ <build>
+ <plugins>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-compiler-plugin</artifactId>
+ <configuration>
+ <source>${version.jdk}</source>
+ <target>${version.jdk}</target>
+ </configuration>
+ </plugin>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-source-plugin</artifactId>
+ <version>2.1.1</version>
+ <executions>
+ <execution>
+ <id>attach-sources</id>
+ <goals>
+ <goal>jar-no-fork</goal>
+ <goal>test-jar-no-fork</goal>
+ </goals>
+ </execution>
+ </executions>
+ </plugin>
+ </plugins>
+ </build>
+
+ <dependencies>
+
+ <dependency>
+ <groupId>junit</groupId>
+ <artifactId>junit</artifactId>
+ <version>4.7</version>
+ <scope>test</scope>
+ </dependency>
+
+ <dependency>
+ <groupId>org.hamcrest</groupId>
+ <artifactId>hamcrest-all</artifactId>
+ <version>1.1</version>
+ <scope>test</scope>
+ </dependency>
+ </dependencies>
+
+ <repositories>
+ <repository>
+ <id>xss-html-filter-releases</id>
+ <name>xss-html-filter.sf.net releases</name>
+ <url>http://xss-html-filter.sf.net/releases/</url>
+ <releases>
+ <enabled>true</enabled>
+ </releases>
+ <snapshots>
+ <enabled>false</enabled>
+ </snapshots>
+ </repository>
+ <repository>
+ <id>xss-html-filter-snapshot</id>
+ <name>xss-html-filter.sf.net snapshots</name>
+ <url>http://xss-html-filter.sf.net/snapshots/</url>
+ <releases>
+ <enabled>false</enabled>
+ </releases>
+ <snapshots>
+ <enabled>true</enabled>
+ </snapshots>
+ </repository>
+ </repositories>
+
+ <distributionManagement>
+ <repository>
+ <id>xss-html-filter-releases</id>
+ <name>xss-html-filter.sf.net releases</name>
+ <url>scp://shell.sourceforge.net:/home/project-web/xss-html-filter/htdocs/releases/</url>
+ </repository>
+ <snapshotRepository>
+ <id>xss-html-filter-snapshots</id>
+ <name>xss-html-filter.sf.net snapshots</name>
+ <url>scp://shell.sourceforge.net:/home/project-web/xss-html-filter/htdocs/snapshots/</url>
+ </snapshotRepository>
+ <site>
+ <id>xss-html-filter.sf.net</id>
+ <url>scp://web.sourceforge.net/home/project-web/xss-html-filter/htdocs/site/</url>
+ </site>
+ </distributionManagement>
+
+ <reporting>
+ <plugins>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-project-info-reports-plugin</artifactId>
+ <version>2.1.2</version>
+ <reportSets>
+ <reportSet>
+ <reports>
+ <report>index</report>
+ <report>dependencies</report>
+ <report>dependency-convergence</report>
+ <report>issue-tracking</report>
+ <report>scm</report>
+ <report>project-team</report>
+ <report>summary</report>
+ <report>cim</report>
+ </reports>
+ </reportSet>
+ </reportSets>
+ </plugin>
+ <plugin>
+ <groupId>org.codehaus.mojo</groupId>
+ <artifactId>cobertura-maven-plugin</artifactId>
+ <configuration>
+ <formats>
+ <format>html</format>
+ <format>xml</format>
+ </formats>
+ </configuration>
+ </plugin>
+ <plugin>
+ <artifactId>maven-javadoc-plugin</artifactId>
+ <reportSets>
+ <reportSet>
+ <id>html</id>
+ <configuration>
+ <minmemory>128m</minmemory>
+ <maxmemory>512m</maxmemory>
+ <source>${version.jdk}</source>
+ <docfilessubdirs>true</docfilessubdirs>
+ <links>
+ <link>http://java.sun.com/javase/6/docs/api/</link>
+ <link>http://java.sun.com/javaee/5/docs/api/</link>
+ </links>
+ </configuration>
+ <reports><report>javadoc</report></reports>
+ </reportSet>
+ </reportSets>
+ </plugin>
+ <plugin>
+ <groupId>org.codehaus.mojo</groupId>
+ <artifactId>findbugs-maven-plugin</artifactId>
+ <configuration>
+ <threshold>Normal</threshold>
+ <xmlOutput>true</xmlOutput>
+ <!-- Optional derectory to put findbugs xdoc xml report -->
+ <xmlOutputDirectory>target/site</xmlOutputDirectory>
+ </configuration>
+ </plugin>
+ <plugin>
+ <groupId>org.codehaus.mojo</groupId>
+ <artifactId>taglist-maven-plugin</artifactId>
+ <configuration>
+ <tags>
+ <tag>TODO</tag>
+ <tag>@todo</tag>
+ <tag>FIXME</tag>
+ <tag>XXX</tag>
+ <tag>hack</tag>
+ </tags>
+ </configuration>
+ </plugin>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-jxr-plugin</artifactId>
+ </plugin>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-surefire-report-plugin</artifactId>
+ </plugin>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-pmd-plugin</artifactId>
+ <configuration>
+ <targetJdk>${version.jdk}</targetJdk>
+ <rulesets>
+ <ruleset>/rulesets/basic.xml</ruleset>
+ <ruleset>/rulesets/imports.xml</ruleset>
+ <ruleset>/rulesets/unusedcode.xml</ruleset>
+ <ruleset>/rulesets/finalizers.xml</ruleset>
+ </rulesets>
+ </configuration>
+ </plugin>
+ </plugins>
+ </reporting>
+
+</project>
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
|
From: <mic...@us...> - 2011-06-11 12:23:21
|
Revision: 32
http://xss-html-filter.svn.sourceforge.net/xss-html-filter/?rev=32&view=rev
Author: micksembwever
Date: 2011-06-11 12:23:15 +0000 (Sat, 11 Jun 2011)
Log Message:
-----------
[maven-release-plugin] prepare release xss-html-filter-1.4
Modified Paths:
--------------
trunk/pom.xml
Modified: trunk/pom.xml
===================================================================
--- trunk/pom.xml 2011-06-03 14:40:34 UTC (rev 31)
+++ trunk/pom.xml 2011-06-11 12:23:15 UTC (rev 32)
@@ -2,7 +2,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>net.sf.xss-html-filter</groupId>
<artifactId>xss-html-filter</artifactId>
- <version>1.4-SNAPSHOT</version>
+ <version>1.4</version>
<packaging>jar</packaging>
<name>XSS HTMLFilter</name>
@@ -13,9 +13,9 @@
</description>
<scm>
- <connection>scm:svn:https://xss-html-filter.svn.sourceforge.net/svnroot/xss-html-filter/trunk</connection>
- <developerConnection>scm:svn:https://xss-html-filter.svn.sourceforge.net/svnroot/xss-html-filter/trunk</developerConnection>
- <url>http://xss-html-filter.svn.sourceforge.net/viewvc/xss-html-filter/trunk/</url>
+ <connection>scm:svn:https://xss-html-filter.svn.sourceforge.net/svnroot/xss-html-filter/tags/xss-html-filter-1.4</connection>
+ <developerConnection>scm:svn:https://xss-html-filter.svn.sourceforge.net/svnroot/xss-html-filter/tags/xss-html-filter-1.4</developerConnection>
+ <url>http://xss-html-filter.svn.sourceforge.net/viewvc/xss-html-filter/tags/xss-html-filter-1.4</url>
</scm>
<licenses>
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
|
From: <mic...@us...> - 2011-06-03 14:40:40
|
Revision: 31
http://xss-html-filter.svn.sourceforge.net/xss-html-filter/?rev=31&view=rev
Author: micksembwever
Date: 2011-06-03 14:40:34 +0000 (Fri, 03 Jun 2011)
Log Message:
-----------
(again) use Matcher.quoteReplacement(..) for all m.appendReplacement(..) calls. xss-html-filter isn't intended to capture and replace groups, just filter.
Modified Paths:
--------------
trunk/src/main/java/net/sf/xsshtmlfilter/HTMLFilter.java
Modified: trunk/src/main/java/net/sf/xsshtmlfilter/HTMLFilter.java
===================================================================
--- trunk/src/main/java/net/sf/xsshtmlfilter/HTMLFilter.java 2011-06-03 12:46:53 UTC (rev 30)
+++ trunk/src/main/java/net/sf/xsshtmlfilter/HTMLFilter.java 2011-06-03 14:40:34 UTC (rev 31)
@@ -442,7 +442,7 @@
while (m.find()) {
final String match = m.group(1);
final int decimal = Integer.decode(match).intValue();
- m.appendReplacement(buf, chr(decimal));
+ m.appendReplacement(buf, Matcher.quoteReplacement(chr(decimal)));
}
m.appendTail(buf);
s = buf.toString();
@@ -452,7 +452,7 @@
while (m.find()) {
final String match = m.group(1);
final int decimal = Integer.valueOf(match, 16).intValue();
- m.appendReplacement(buf, chr(decimal));
+ m.appendReplacement(buf, Matcher.quoteReplacement(chr(decimal)));
}
m.appendTail(buf);
s = buf.toString();
@@ -462,7 +462,7 @@
while (m.find()) {
final String match = m.group(1);
final int decimal = Integer.valueOf(match, 16).intValue();
- m.appendReplacement(buf, chr(decimal));
+ m.appendReplacement(buf, Matcher.quoteReplacement(chr(decimal)));
}
m.appendTail(buf);
s = buf.toString();
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
|
From: <mic...@us...> - 2011-06-03 12:46:59
|
Revision: 30
http://xss-html-filter.svn.sourceforge.net/xss-html-filter/?rev=30&view=rev
Author: micksembwever
Date: 2011-06-03 12:46:53 +0000 (Fri, 03 Jun 2011)
Log Message:
-----------
use Matcher.quoteReplacement(..) for all m.appendReplacement(..) calls. xss-html-filter isn't intended to capture and replace groups, just filter.
Modified Paths:
--------------
trunk/src/main/java/net/sf/xsshtmlfilter/HTMLFilter.java
Modified: trunk/src/main/java/net/sf/xsshtmlfilter/HTMLFilter.java
===================================================================
--- trunk/src/main/java/net/sf/xsshtmlfilter/HTMLFilter.java 2011-02-25 11:18:43 UTC (rev 29)
+++ trunk/src/main/java/net/sf/xsshtmlfilter/HTMLFilter.java 2011-06-03 12:46:53 UTC (rev 30)
@@ -42,6 +42,7 @@
*
* @author Joseph O'Connell
* @author Cal Hendersen
+ * @author Michael Semb Wever
*/
public final class HTMLFilter {
@@ -250,7 +251,7 @@
final StringBuffer buf = new StringBuffer();
if (m.find()) {
final String match = m.group(1); //(.*?)
- m.appendReplacement(buf, "<!--" + htmlSpecialChars(match) + "-->");
+ m.appendReplacement(buf, Matcher.quoteReplacement("<!--" + htmlSpecialChars(match) + "-->"));
}
m.appendTail(buf);
@@ -291,7 +292,7 @@
while (m.find()) {
String replaceStr = m.group(1);
replaceStr = processTag(replaceStr);
- m.appendReplacement(buf, replaceStr);
+ m.appendReplacement(buf, Matcher.quoteReplacement(replaceStr));
}
m.appendTail(buf);
@@ -478,8 +479,7 @@
while (m.find()) {
final String one = m.group(1); //([^&;]*)
final String two = m.group(2); //(?=(;|&|$))
- final String replacement = Matcher.quoteReplacement(checkEntity(one, two));
- m.appendReplacement(buf, replacement);
+ m.appendReplacement(buf, Matcher.quoteReplacement(checkEntity(one, two)));
}
m.appendTail(buf);
s = buf.toString();
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
|
From: <mic...@us...> - 2011-02-25 11:18:49
|
Revision: 29
http://xss-html-filter.svn.sourceforge.net/xss-html-filter/?rev=29&view=rev
Author: micksembwever
Date: 2011-02-25 11:18:43 +0000 (Fri, 25 Feb 2011)
Log Message:
-----------
[maven-release-plugin] prepare for next development iteration
Modified Paths:
--------------
trunk/pom.xml
Modified: trunk/pom.xml
===================================================================
--- trunk/pom.xml 2011-02-25 11:18:36 UTC (rev 28)
+++ trunk/pom.xml 2011-02-25 11:18:43 UTC (rev 29)
@@ -2,7 +2,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>net.sf.xss-html-filter</groupId>
<artifactId>xss-html-filter</artifactId>
- <version>1.3</version>
+ <version>1.4-SNAPSHOT</version>
<packaging>jar</packaging>
<name>XSS HTMLFilter</name>
@@ -13,9 +13,9 @@
</description>
<scm>
- <connection>scm:svn:https://xss-html-filter.svn.sourceforge.net/svnroot/xss-html-filter/tags/xss-html-filter-1.3</connection>
- <developerConnection>scm:svn:https://xss-html-filter.svn.sourceforge.net/svnroot/xss-html-filter/tags/xss-html-filter-1.3</developerConnection>
- <url>http://xss-html-filter.svn.sourceforge.net/viewvc/xss-html-filter/tags/xss-html-filter-1.3</url>
+ <connection>scm:svn:https://xss-html-filter.svn.sourceforge.net/svnroot/xss-html-filter/trunk</connection>
+ <developerConnection>scm:svn:https://xss-html-filter.svn.sourceforge.net/svnroot/xss-html-filter/trunk</developerConnection>
+ <url>http://xss-html-filter.svn.sourceforge.net/viewvc/xss-html-filter/trunk/</url>
</scm>
<licenses>
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
|
From: <mic...@us...> - 2011-02-25 11:18:43
|
Revision: 28
http://xss-html-filter.svn.sourceforge.net/xss-html-filter/?rev=28&view=rev
Author: micksembwever
Date: 2011-02-25 11:18:36 +0000 (Fri, 25 Feb 2011)
Log Message:
-----------
[maven-release-plugin] copy for tag xss-html-filter-1.3
Added Paths:
-----------
tags/xss-html-filter-1.3/
tags/xss-html-filter-1.3/pom.xml
tags/xss-html-filter-1.3/src/website/constretto.html
tags/xss-html-filter-1.3/src/website/index.html
Removed Paths:
-------------
tags/xss-html-filter-1.3/pom.xml
tags/xss-html-filter-1.3/src/website/constretto.html
tags/xss-html-filter-1.3/src/website/index.html
Deleted: tags/xss-html-filter-1.3/pom.xml
===================================================================
--- trunk/pom.xml 2011-01-30 09:12:15 UTC (rev 23)
+++ tags/xss-html-filter-1.3/pom.xml 2011-02-25 11:18:36 UTC (rev 28)
@@ -1,250 +0,0 @@
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
- <modelVersion>4.0.0</modelVersion>
- <groupId>net.sf.xss-html-filter</groupId>
- <artifactId>xss-html-filter</artifactId>
- <version>1.3-SNAPSHOT</version>
- <packaging>jar</packaging>
- <name>XSS HTMLFilter</name>
-
-
- <description>
- A Java library for protecting against cross site scripting.
- Hosted at https://sourceforge.net/projects/xss-html-filter/
- </description>
-
- <scm>
- <connection>scm:svn:https://xss-html-filter.svn.sourceforge.net/svnroot/xss-html-filter/trunk</connection>
- <developerConnection>scm:svn:https://xss-html-filter.svn.sourceforge.net/svnroot/xss-html-filter/trunk</developerConnection>
- <url>http://xss-html-filter.svn.sourceforge.net/viewvc/xss-html-filter/trunk/</url>
- </scm>
-
- <licenses>
- <license>
- <name>LGPLv3</name>
- <url>LICENSE.txt</url>
- <distribution>manual</distribution>
- </license>
- </licenses>
-
-
- <issueManagement><url>http://sourceforge.net/tracker/?group_id=344527</url></issueManagement>
-
- <developers>
- <developer>
- <name>Cal Henderson</name>
- <url>http://www.iamcal.com/</url>
- </developer>
- <developer>
- <name>Joseph O'Connell</name>
- <url>http://josephoconnell.com/</url>
- </developer>
- <developer>
- <name>mck</name>
- <id>micksembwever</id>
- <email>mi...@se...</email>
- <url>http://semb.wever.org</url>
- </developer>
- </developers>
-
- <mailingLists>
- <mailingList>
- <name>User & Development List</name>
- <post>xss...@li...</post>
- <archive>http://sourceforge.net/mailarchive/forum.php?forum_name=xss-html-filter-user</archive>
- </mailingList>
- <mailingList>
- <name>Commit List</name>
- <archive>https://sourceforge.net/mailarchive/forum.php?forum_name=xss-html-filter-commits</archive>
- </mailingList>
- </mailingLists>
-
- <properties>
- <!-- java -->
- <version.jdk>1.6</version.jdk>
-
- </properties>
-
- <build>
- <plugins>
- <plugin>
- <groupId>org.apache.maven.plugins</groupId>
- <artifactId>maven-compiler-plugin</artifactId>
- <configuration>
- <source>${version.jdk}</source>
- <target>${version.jdk}</target>
- </configuration>
- </plugin>
- <plugin>
- <groupId>org.apache.maven.plugins</groupId>
- <artifactId>maven-source-plugin</artifactId>
- <version>2.1.1</version>
- <executions>
- <execution>
- <id>attach-sources</id>
- <goals>
- <goal>jar-no-fork</goal>
- <goal>test-jar-no-fork</goal>
- </goals>
- </execution>
- </executions>
- </plugin>
- </plugins>
- </build>
-
- <dependencies>
-
- <dependency>
- <groupId>junit</groupId>
- <artifactId>junit</artifactId>
- <version>4.7</version>
- <scope>test</scope>
- </dependency>
-
- <dependency>
- <groupId>org.hamcrest</groupId>
- <artifactId>hamcrest-all</artifactId>
- <version>1.1</version>
- <scope>test</scope>
- </dependency>
- </dependencies>
-
- <repositories>
- <repository>
- <id>xss-html-filter-releases</id>
- <name>xss-html-filter.sf.net releases</name>
- <url>http://xss-html-filter.sf.net/releases/</url>
- <releases>
- <enabled>true</enabled>
- </releases>
- <snapshots>
- <enabled>false</enabled>
- </snapshots>
- </repository>
- <repository>
- <id>finntech-snapshot</id>
- <name>xss-html-filter.sf.net snapshots</name>
- <url>http://xss-html-filter.sf.net/snapshots/</url>
- <releases>
- <enabled>false</enabled>
- </releases>
- <snapshots>
- <enabled>true</enabled>
- </snapshots>
- </repository>
- </repositories>
-
- <distributionManagement>
- <repository>
- <id>xss-html-filter-releases</id>
- <name>xss-html-filter.sf.net releases</name>
- <url>scp://shell.sourceforge.net:/home/groups/x/xs/xss-html-filter/htdocs/releases/</url>
- </repository>
- <snapshotRepository>
- <id>xss-html-filter-snapshots</id>
- <name>xss-html-filter.sf.net snapshots</name>
- <url>scp://shell.sourceforge.net:/home/groups/x/xs/xss-html-filter/htdocs/snapshots/</url>
- </snapshotRepository>
- <site>
- <id>xss-html-filter.sf.net</id>
- <url>scp://216.34.181.119/home/groups/x/xs/xss-html-filter/htdocs/site/</url>
- </site>
- </distributionManagement>
-
- <reporting>
- <plugins>
- <plugin>
- <groupId>org.apache.maven.plugins</groupId>
- <artifactId>maven-project-info-reports-plugin</artifactId>
- <version>2.1.2</version>
- <reportSets>
- <reportSet>
- <reports>
- <report>index</report>
- <report>dependencies</report>
- <report>dependency-convergence</report>
- <report>issue-tracking</report>
- <report>scm</report>
- <report>project-team</report>
- <report>summary</report>
- <report>cim</report>
- </reports>
- </reportSet>
- </reportSets>
- </plugin>
- <plugin>
- <groupId>org.codehaus.mojo</groupId>
- <artifactId>cobertura-maven-plugin</artifactId>
- <configuration>
- <formats>
- <format>html</format>
- <format>xml</format>
- </formats>
- </configuration>
- </plugin>
- <plugin>
- <artifactId>maven-javadoc-plugin</artifactId>
- <reportSets>
- <reportSet>
- <id>html</id>
- <configuration>
- <minmemory>128m</minmemory>
- <maxmemory>512m</maxmemory>
- <source>${version.jdk}</source>
- <docfilessubdirs>true</docfilessubdirs>
- <links>
- <link>http://java.sun.com/javase/6/docs/api/</link>
- <link>http://java.sun.com/javaee/5/docs/api/</link>
- </links>
- </configuration>
- <reports><report>javadoc</report></reports>
- </reportSet>
- </reportSets>
- </plugin>
- <plugin>
- <groupId>org.codehaus.mojo</groupId>
- <artifactId>findbugs-maven-plugin</artifactId>
- <configuration>
- <threshold>Normal</threshold>
- <xmlOutput>true</xmlOutput>
- <!-- Optional derectory to put findbugs xdoc xml report -->
- <xmlOutputDirectory>target/site</xmlOutputDirectory>
- </configuration>
- </plugin>
- <plugin>
- <groupId>org.codehaus.mojo</groupId>
- <artifactId>taglist-maven-plugin</artifactId>
- <configuration>
- <tags>
- <tag>TODO</tag>
- <tag>@todo</tag>
- <tag>FIXME</tag>
- <tag>XXX</tag>
- <tag>hack</tag>
- </tags>
- </configuration>
- </plugin>
- <plugin>
- <groupId>org.apache.maven.plugins</groupId>
- <artifactId>maven-jxr-plugin</artifactId>
- </plugin>
- <plugin>
- <groupId>org.apache.maven.plugins</groupId>
- <artifactId>maven-surefire-report-plugin</artifactId>
- </plugin>
- <plugin>
- <groupId>org.apache.maven.plugins</groupId>
- <artifactId>maven-pmd-plugin</artifactId>
- <configuration>
- <targetJdk>${version.jdk}</targetJdk>
- <rulesets>
- <ruleset>/rulesets/basic.xml</ruleset>
- <ruleset>/rulesets/imports.xml</ruleset>
- <ruleset>/rulesets/unusedcode.xml</ruleset>
- <ruleset>/rulesets/finalizers.xml</ruleset>
- </rulesets>
- </configuration>
- </plugin>
- </plugins>
- </reporting>
-
-</project>
Copied: tags/xss-html-filter-1.3/pom.xml (from rev 27, trunk/pom.xml)
===================================================================
--- tags/xss-html-filter-1.3/pom.xml (rev 0)
+++ tags/xss-html-filter-1.3/pom.xml 2011-02-25 11:18:36 UTC (rev 28)
@@ -0,0 +1,250 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+ <modelVersion>4.0.0</modelVersion>
+ <groupId>net.sf.xss-html-filter</groupId>
+ <artifactId>xss-html-filter</artifactId>
+ <version>1.3</version>
+ <packaging>jar</packaging>
+ <name>XSS HTMLFilter</name>
+
+
+ <description>
+ A Java library for protecting against cross site scripting.
+ Hosted at https://sourceforge.net/projects/xss-html-filter/
+ </description>
+
+ <scm>
+ <connection>scm:svn:https://xss-html-filter.svn.sourceforge.net/svnroot/xss-html-filter/tags/xss-html-filter-1.3</connection>
+ <developerConnection>scm:svn:https://xss-html-filter.svn.sourceforge.net/svnroot/xss-html-filter/tags/xss-html-filter-1.3</developerConnection>
+ <url>http://xss-html-filter.svn.sourceforge.net/viewvc/xss-html-filter/tags/xss-html-filter-1.3</url>
+ </scm>
+
+ <licenses>
+ <license>
+ <name>LGPLv3</name>
+ <url>LICENSE.txt</url>
+ <distribution>manual</distribution>
+ </license>
+ </licenses>
+
+
+ <issueManagement><url>http://sourceforge.net/tracker/?group_id=344527</url></issueManagement>
+
+ <developers>
+ <developer>
+ <name>Cal Henderson</name>
+ <url>http://www.iamcal.com/</url>
+ </developer>
+ <developer>
+ <name>Joseph O'Connell</name>
+ <url>http://josephoconnell.com/</url>
+ </developer>
+ <developer>
+ <name>mck</name>
+ <id>micksembwever</id>
+ <email>mi...@se...</email>
+ <url>http://semb.wever.org</url>
+ </developer>
+ </developers>
+
+ <mailingLists>
+ <mailingList>
+ <name>User & Development List</name>
+ <post>xss...@li...</post>
+ <archive>http://sourceforge.net/mailarchive/forum.php?forum_name=xss-html-filter-user</archive>
+ </mailingList>
+ <mailingList>
+ <name>Commit List</name>
+ <archive>https://sourceforge.net/mailarchive/forum.php?forum_name=xss-html-filter-commits</archive>
+ </mailingList>
+ </mailingLists>
+
+ <properties>
+ <!-- java -->
+ <version.jdk>1.6</version.jdk>
+
+ </properties>
+
+ <build>
+ <plugins>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-compiler-plugin</artifactId>
+ <configuration>
+ <source>${version.jdk}</source>
+ <target>${version.jdk}</target>
+ </configuration>
+ </plugin>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-source-plugin</artifactId>
+ <version>2.1.1</version>
+ <executions>
+ <execution>
+ <id>attach-sources</id>
+ <goals>
+ <goal>jar-no-fork</goal>
+ <goal>test-jar-no-fork</goal>
+ </goals>
+ </execution>
+ </executions>
+ </plugin>
+ </plugins>
+ </build>
+
+ <dependencies>
+
+ <dependency>
+ <groupId>junit</groupId>
+ <artifactId>junit</artifactId>
+ <version>4.7</version>
+ <scope>test</scope>
+ </dependency>
+
+ <dependency>
+ <groupId>org.hamcrest</groupId>
+ <artifactId>hamcrest-all</artifactId>
+ <version>1.1</version>
+ <scope>test</scope>
+ </dependency>
+ </dependencies>
+
+ <repositories>
+ <repository>
+ <id>xss-html-filter-releases</id>
+ <name>xss-html-filter.sf.net releases</name>
+ <url>http://xss-html-filter.sf.net/releases/</url>
+ <releases>
+ <enabled>true</enabled>
+ </releases>
+ <snapshots>
+ <enabled>false</enabled>
+ </snapshots>
+ </repository>
+ <repository>
+ <id>xss-html-filter-snapshot</id>
+ <name>xss-html-filter.sf.net snapshots</name>
+ <url>http://xss-html-filter.sf.net/snapshots/</url>
+ <releases>
+ <enabled>false</enabled>
+ </releases>
+ <snapshots>
+ <enabled>true</enabled>
+ </snapshots>
+ </repository>
+ </repositories>
+
+ <distributionManagement>
+ <repository>
+ <id>xss-html-filter-releases</id>
+ <name>xss-html-filter.sf.net releases</name>
+ <url>scp://shell.sourceforge.net:/home/project-web/xss-html-filter/htdocs/releases/</url>
+ </repository>
+ <snapshotRepository>
+ <id>xss-html-filter-snapshots</id>
+ <name>xss-html-filter.sf.net snapshots</name>
+ <url>scp://shell.sourceforge.net:/home/project-web/xss-html-filter/htdocs/snapshots/</url>
+ </snapshotRepository>
+ <site>
+ <id>xss-html-filter.sf.net</id>
+ <url>scp://web.sourceforge.net/home/project-web/xss-html-filter/htdocs/site/</url>
+ </site>
+ </distributionManagement>
+
+ <reporting>
+ <plugins>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-project-info-reports-plugin</artifactId>
+ <version>2.1.2</version>
+ <reportSets>
+ <reportSet>
+ <reports>
+ <report>index</report>
+ <report>dependencies</report>
+ <report>dependency-convergence</report>
+ <report>issue-tracking</report>
+ <report>scm</report>
+ <report>project-team</report>
+ <report>summary</report>
+ <report>cim</report>
+ </reports>
+ </reportSet>
+ </reportSets>
+ </plugin>
+ <plugin>
+ <groupId>org.codehaus.mojo</groupId>
+ <artifactId>cobertura-maven-plugin</artifactId>
+ <configuration>
+ <formats>
+ <format>html</format>
+ <format>xml</format>
+ </formats>
+ </configuration>
+ </plugin>
+ <plugin>
+ <artifactId>maven-javadoc-plugin</artifactId>
+ <reportSets>
+ <reportSet>
+ <id>html</id>
+ <configuration>
+ <minmemory>128m</minmemory>
+ <maxmemory>512m</maxmemory>
+ <source>${version.jdk}</source>
+ <docfilessubdirs>true</docfilessubdirs>
+ <links>
+ <link>http://java.sun.com/javase/6/docs/api/</link>
+ <link>http://java.sun.com/javaee/5/docs/api/</link>
+ </links>
+ </configuration>
+ <reports><report>javadoc</report></reports>
+ </reportSet>
+ </reportSets>
+ </plugin>
+ <plugin>
+ <groupId>org.codehaus.mojo</groupId>
+ <artifactId>findbugs-maven-plugin</artifactId>
+ <configuration>
+ <threshold>Normal</threshold>
+ <xmlOutput>true</xmlOutput>
+ <!-- Optional derectory to put findbugs xdoc xml report -->
+ <xmlOutputDirectory>target/site</xmlOutputDirectory>
+ </configuration>
+ </plugin>
+ <plugin>
+ <groupId>org.codehaus.mojo</groupId>
+ <artifactId>taglist-maven-plugin</artifactId>
+ <configuration>
+ <tags>
+ <tag>TODO</tag>
+ <tag>@todo</tag>
+ <tag>FIXME</tag>
+ <tag>XXX</tag>
+ <tag>hack</tag>
+ </tags>
+ </configuration>
+ </plugin>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-jxr-plugin</artifactId>
+ </plugin>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-surefire-report-plugin</artifactId>
+ </plugin>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-pmd-plugin</artifactId>
+ <configuration>
+ <targetJdk>${version.jdk}</targetJdk>
+ <rulesets>
+ <ruleset>/rulesets/basic.xml</ruleset>
+ <ruleset>/rulesets/imports.xml</ruleset>
+ <ruleset>/rulesets/unusedcode.xml</ruleset>
+ <ruleset>/rulesets/finalizers.xml</ruleset>
+ </rulesets>
+ </configuration>
+ </plugin>
+ </plugins>
+ </reporting>
+
+</project>
Deleted: tags/xss-html-filter-1.3/src/website/constretto.html
===================================================================
--- trunk/src/website/constretto.html 2011-01-30 09:12:15 UTC (rev 23)
+++ tags/xss-html-filter-1.3/src/website/constretto.html 2011-02-25 11:18:36 UTC (rev 28)
@@ -1,82 +0,0 @@
-<html>
-<head>
- <title>XSS HTML Filter: A Java library for protecting against cross site scripting</title>
- <style><!--
- body { background-color: #cc9; }
-
-#announce {
- padding-left: 25%;
- padding-right: 25%;
- margin: 10px;
- padding-top: 30px;
-}
-
-
- #announce h1 { font-weight: normal; font-family: Arial, sans-serif; font-size: 16px; color: #930; }
- #announce h2 { font-weight: normal; font-family: Arial, sans-serif; font-size: 14px; color: #930; }
- #announce p { font-family: Arial, sans-serif; font-size: 11px; color: #663; }
-
-a {
- font-family: Courier;
- font-size: 12px;
- text-decoration: none;
- color: #666;
-}
-
-a:hover { color: #930; }
-
- --></style>
- <link rel="SHORTCUT ICON" href="/favicon.ico">
-</head>
-<body>
-
-<div id="announce">
-<h1>HTML filtering utility for Java</h1>
-
-<h2>Using with constretto</h2>
-<p>
-It's easy to keep all the configuration in constretto, passing it in via the HTMLFilter( Map ) constructor.<br/>
-For example to load all configuration options:
-<pre>
-
-import static ....ConstrettoConfigurationFactory.iniFile;
-import static org.springframework.core.io.ResourceLoader.CLASSPATH_URL_PREFIX;
-
-public static final Map<String,Object> CONFIGURATION
- = Collections.unmodifiableMap(new HashMap<String,Object>(){{
-
- final ConstrettoConfiguration constretto = iniFile(CLASSPATH_URL_PREFIX + "my-constretto-file.ini");
- final Map<String, List<String>> allowed = new HashMap<String, List<String>>();
- for(String allow : constretto.evaluateTo("HTMLFilter.vAllowed", "").split("\\s*;\\s*")){
- if(0 < allow.indexOf(':')){
- final String name = allow.split("\\s*:\\s*")[0];
- final String[] attributes = allow.split("\\s*:\\s*")[1].split("\\s*,\\s*");
- allowed.put(name, Arrays.asList(attributes));
- }else{
- allowed.put(allow, Collections.<String>emptyList());
- }
- }
- put("vAllowed", allowed);
- put("vSelfClosingTags", constretto.evaluateTo("HTMLFilter.vSelfClosingTags", "").split("\\s*,\\s*"));
- put("vNeedClosingTags", constretto.evaluateTo("HTMLFilter.vNeedClosingTags", "").split("\\s*,\\s*"));
- put("vDisallowed", constretto.evaluateTo("HTMLFilter.vDisallowed", "").split("\\s*,\\s*"));
- put("vAllowedProtocols", constretto.evaluateTo("HTMLFilter.vAllowedProtocols", "").split("\\s*,\\s*"));
- put("vProtocolAtts", constretto.evaluateTo("HTMLFilter.vProtocolAtts", "").split("\\s*,\\s*"));
- put("vRemoveBlanks", constretto.evaluateTo("HTMLFilter.vRemoveBlanks", "").split("\\s*,\\s*"));
- put("vAllowedEntities", constretto.evaluateTo("HTMLFilter.vAllowedEntities", "").split("\\s*,\\s*"));
- put("stripComment", constretto.evaluateTo("HTMLFilter.stripComment", Boolean.TRUE));
- put("alwaysMakeTags", constretto.evaluateTo("HTMLFilter.alwaysMakeTags", Boolean.TRUE));
-}});
-...
-String input = ...
-String clean = new HTMLFilter( CONFIGURATION ).filter(input);
-</pre></p>
-<p>
- Here the property values in my-constretto-file.ini are comma separated,
- except for "HTMLFilter.vAllowed" which is semi-colon separated. Each value is then a comma separate list,
- the first item being the element name allowed and subsequent items being the attributes allowed within that element.
-</p>
-</div>
-
-</body>
-</html>
Copied: tags/xss-html-filter-1.3/src/website/constretto.html (from rev 24, trunk/src/website/constretto.html)
===================================================================
--- tags/xss-html-filter-1.3/src/website/constretto.html (rev 0)
+++ tags/xss-html-filter-1.3/src/website/constretto.html 2011-02-25 11:18:36 UTC (rev 28)
@@ -0,0 +1,82 @@
+<html>
+<head>
+ <title>XSS HTML Filter: A Java library for protecting against cross site scripting</title>
+ <style><!--
+ body { background-color: #cc9; }
+
+#announce {
+ padding-left: 25%;
+ padding-right: 25%;
+ margin: 10px;
+ padding-top: 30px;
+}
+
+
+ #announce h1 { font-weight: normal; font-family: Arial, sans-serif; font-size: 16px; color: #930; }
+ #announce h2 { font-weight: normal; font-family: Arial, sans-serif; font-size: 14px; color: #930; }
+ #announce p { font-family: Arial, sans-serif; font-size: 11px; color: #663; }
+
+a {
+ font-family: Courier;
+ font-size: 12px;
+ text-decoration: none;
+ color: #666;
+}
+
+a:hover { color: #930; }
+
+ --></style>
+ <link rel="SHORTCUT ICON" href="/favicon.ico">
+</head>
+<body>
+
+<div id="announce">
+<h1>Open Sourced HTML filtering utility for Java</h1>
+
+<h2>Using with constretto</h2>
+<p>
+It's easy to keep all the configuration in constretto, passing it in via the HTMLFilter( Map ) constructor.<br/>
+For example to load all configuration options:
+<pre>
+
+import static ....ConstrettoConfigurationFactory.iniFile;
+import static org.springframework.core.io.ResourceLoader.CLASSPATH_URL_PREFIX;
+
+public static final Map<String,Object> CONFIGURATION
+ = Collections.unmodifiableMap(new HashMap<String,Object>(){{
+
+ final ConstrettoConfiguration constretto = iniFile(CLASSPATH_URL_PREFIX + "my-constretto-file.ini");
+ final Map<String, List<String>> allowed = new HashMap<String, List<String>>();
+ for(String allow : constretto.evaluateTo("HTMLFilter.vAllowed", "").split("\\s*;\\s*")){
+ if(0 < allow.indexOf(':')){
+ final String name = allow.split("\\s*:\\s*")[0];
+ final String[] attributes = allow.split("\\s*:\\s*")[1].split("\\s*,\\s*");
+ allowed.put(name, Arrays.asList(attributes));
+ }else{
+ allowed.put(allow, Collections.<String>emptyList());
+ }
+ }
+ put("vAllowed", allowed);
+ put("vSelfClosingTags", constretto.evaluateTo("HTMLFilter.vSelfClosingTags", "").split("\\s*,\\s*"));
+ put("vNeedClosingTags", constretto.evaluateTo("HTMLFilter.vNeedClosingTags", "").split("\\s*,\\s*"));
+ put("vDisallowed", constretto.evaluateTo("HTMLFilter.vDisallowed", "").split("\\s*,\\s*"));
+ put("vAllowedProtocols", constretto.evaluateTo("HTMLFilter.vAllowedProtocols", "").split("\\s*,\\s*"));
+ put("vProtocolAtts", constretto.evaluateTo("HTMLFilter.vProtocolAtts", "").split("\\s*,\\s*"));
+ put("vRemoveBlanks", constretto.evaluateTo("HTMLFilter.vRemoveBlanks", "").split("\\s*,\\s*"));
+ put("vAllowedEntities", constretto.evaluateTo("HTMLFilter.vAllowedEntities", "").split("\\s*,\\s*"));
+ put("stripComment", constretto.evaluateTo("HTMLFilter.stripComment", Boolean.TRUE));
+ put("alwaysMakeTags", constretto.evaluateTo("HTMLFilter.alwaysMakeTags", Boolean.TRUE));
+}});
+...
+String input = ...
+String clean = new HTMLFilter( CONFIGURATION ).filter(input);
+</pre></p>
+<p>
+ Here the property values in my-constretto-file.ini are comma separated,
+ except for "HTMLFilter.vAllowed" which is semi-colon separated. Each value is then a comma separate list,
+ the first item being the element name allowed and subsequent items being the attributes allowed within that element.
+</p>
+</div>
+
+</body>
+</html>
Deleted: tags/xss-html-filter-1.3/src/website/index.html
===================================================================
--- trunk/src/website/index.html 2011-01-30 09:12:15 UTC (rev 23)
+++ tags/xss-html-filter-1.3/src/website/index.html 2011-02-25 11:18:36 UTC (rev 28)
@@ -1,92 +0,0 @@
-<html>
-<head>
- <title>XSS HTML Filter: A Java library for protecting against cross site scripting</title>
- <style><!--
- body { background-color: #cc9; }
-
-#announce {
- padding-left: 25%;
- padding-right: 25%;
- margin: 10px;
- padding-top: 30px;
-}
-
-
- #announce h1 { font-weight: normal; font-family: Arial, sans-serif; font-size: 16px; color: #930; }
- #announce h2 { font-weight: normal; font-family: Arial, sans-serif; font-size: 14px; color: #930; }
- #announce p { font-family: Arial, sans-serif; font-size: 11px; color: #663; }
-
-a {
- font-family: Courier;
- font-size: 12px;
- text-decoration: none;
- color: #666;
-}
-
-a:hover { color: #930; }
-
- --></style>
- <link rel="SHORTCUT ICON" href="/favicon.ico">
-</head>
-<body>
-
-<div id="announce">
-<h1>HTML filtering utility for Java</h1>
-
-<p>
-<ul>
- <li><a href="http://xss-http-filter.svn.sourceforge.net/viewvc/xss-http-filter/trunk/src/main/java/net/sf/xsshttpfilter/HTMLFilter.java?view=markup">View Source</a></li>
- <li><a href="/site/">Project information</a></li>
-</ul>
-</p>
-
-<p>
-This utility is a single class, HTMLFilter, which can be used to parse user-submitted input and sanitize it against potential cross site scripting attacks, malicious html, or simply badly formed html. This version, written in Java, is largely a translation of <a href="http://code.iamcal.com/php/lib_filter/">lib_filter</a>, the original work of <a href="http://www.iamcal.com/">Cal Henderson</a> written in PHP.
-</p>
-
-<p>
-Combined with this code is a Test class for unit testing, designed to be executed in <a href="http://www.junit.org/">JUnit</a>.
-</p><br/>
-
-<h2>Processing HTML Input</h2>
-
-<p>
-Sample usage:
-
-<blockquote><pre>
-// retrieve input from user...
-String input = ...
-String clean = new HTMLInputFilter().filter( input );
-</pre></blockquote>
-</p>
-
-<p>
-There's also an <a href="constretto.html">example using constretto</a>.
-</p><br/>
-
-<h2>Building with maven</h2>
-<p>
-To include xss-http-filter into a maven built project add the following to your pom.xml (in the corresponding sections)
-<br/><pre>
- <dependency>
- <groupId>net.sf.xss-http-filter</groupId>
- <artifactId>xss-http-filter</artifactId>
- <version>1.1</version> <!-- remember to check for newer versions -->
- </dependency>
-
- <repository>
- <id>xss-http-filter releases</id>
- <name>xss-http-filter Releases Repository</name>
- <url><a href="http://xss-http-filter.sf.net/releases/">http://xss-http-filter.sf.net/releases/</a></url>
- </repository>
-</pre>
-</p><br/>
-
-<h2>License</h2>
-<p>
-This code is licensed under a <a href="http://www.gnu.org/licenses/lgpl.html">Lesser GNU version3 License</a>. If you find any bugs, or have any suggestions on improvement, please <a
-href="http://sourceforge.net/mailarchive/forum.php?forum_name=xss-http-filter-user">contact us</a>.
-</p><br/>
-</div>
-</body>
-</html>
Copied: tags/xss-html-filter-1.3/src/website/index.html (from rev 25, trunk/src/website/index.html)
===================================================================
--- tags/xss-html-filter-1.3/src/website/index.html (rev 0)
+++ tags/xss-html-filter-1.3/src/website/index.html 2011-02-25 11:18:36 UTC (rev 28)
@@ -0,0 +1,92 @@
+<html>
+<head>
+ <title>XSS HTML Filter: A Java library for protecting against cross site scripting</title>
+ <style><!--
+ body { background-color: #cc9; }
+
+#announce {
+ padding-left: 25%;
+ padding-right: 25%;
+ margin: 10px;
+ padding-top: 30px;
+}
+
+
+ #announce h1 { font-weight: normal; font-family: Arial, sans-serif; font-size: 16px; color: #930; }
+ #announce h2 { font-weight: normal; font-family: Arial, sans-serif; font-size: 14px; color: #930; }
+ #announce p { font-family: Arial, sans-serif; font-size: 11px; color: #663; }
+
+a {
+ font-family: Courier;
+ font-size: 12px;
+ text-decoration: none;
+ color: #666;
+}
+
+a:hover { color: #930; }
+
+ --></style>
+ <link rel="SHORTCUT ICON" href="/favicon.ico">
+</head>
+<body>
+
+<div id="announce">
+<h1>Open Sourced HTML filtering utility for Java</h1>
+
+<p>
+<ul>
+ <li><a href="http://xss-html-filter.svn.sourceforge.net/viewvc/xss-html-filter/trunk/src/main/java/net/sf/xsshtmlfilter/HTMLFilter.java?view=markup">View Source</a></li>
+ <li><a href="/site/">Project information</a></li>
+</ul>
+</p>
+
+<p>
+This utility is a single class, HTMLFilter, which can be used to parse user-submitted input and sanitize it against potential cross site scripting attacks, malicious html, or simply badly formed html. This version, written in Java, is largely a translation of <a href="http://code.iamcal.com/php/lib_filter/">lib_filter</a>, the original work of <a href="http://www.iamcal.com/">Cal Henderson</a> written in PHP.
+</p>
+
+<p>
+Combined with this code is a Test class for unit testing, designed to be executed in <a href="http://www.junit.org/">JUnit</a>.
+</p><br/>
+
+<h2>Processing HTML Input</h2>
+
+<p>
+Sample usage:
+
+<blockquote><pre>
+// retrieve input from user...
+String input = ...
+String clean = new HTMLInputFilter().filter( input );
+</pre></blockquote>
+</p>
+
+<p>
+There's also an <a href="constretto.html">example using constretto</a>.
+</p><br/>
+
+<h2>Building with maven</h2>
+<p>
+To include xss-html-filter into a maven built project add the following to your pom.xml (in the corresponding sections)
+<br/><pre>
+ <dependency>
+ <groupId>net.sf.xss-html-filter</groupId>
+ <artifactId>xss-html-filter</artifactId>
+ <version>1.1</version> <!-- remember to check for newer versions -->
+ </dependency>
+
+ <repository>
+ <id>xss-html-filter releases</id>
+ <name>xss-html-filter Releases Repository</name>
+ <url><a href="http://xss-html-filter.sf.net/releases/">http://xss-html-filter.sf.net/releases/</a></url>
+ </repository>
+</pre>
+</p><br/>
+
+<h2>License</h2>
+<p>
+This code is licensed under a <a href="http://www.gnu.org/licenses/lgpl.html">Lesser GNU version3 License</a>. If you find any bugs, or have any suggestions on improvement, please <a
+href="http://sourceforge.net/mailarchive/forum.php?forum_name=xss-html-filter-user">contact us</a>.
+</p><br/>
+</div>
+</body>
+</html>
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
|
From: <mic...@us...> - 2011-02-25 11:18:19
|
Revision: 27
http://xss-html-filter.svn.sourceforge.net/xss-html-filter/?rev=27&view=rev
Author: micksembwever
Date: 2011-02-25 11:18:14 +0000 (Fri, 25 Feb 2011)
Log Message:
-----------
[maven-release-plugin] prepare release xss-html-filter-1.3
Modified Paths:
--------------
trunk/pom.xml
Modified: trunk/pom.xml
===================================================================
--- trunk/pom.xml 2011-02-25 11:16:57 UTC (rev 26)
+++ trunk/pom.xml 2011-02-25 11:18:14 UTC (rev 27)
@@ -2,7 +2,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>net.sf.xss-html-filter</groupId>
<artifactId>xss-html-filter</artifactId>
- <version>1.3-SNAPSHOT</version>
+ <version>1.3</version>
<packaging>jar</packaging>
<name>XSS HTMLFilter</name>
@@ -13,9 +13,9 @@
</description>
<scm>
- <connection>scm:svn:https://xss-html-filter.svn.sourceforge.net/svnroot/xss-html-filter/trunk</connection>
- <developerConnection>scm:svn:https://xss-html-filter.svn.sourceforge.net/svnroot/xss-html-filter/trunk</developerConnection>
- <url>http://xss-html-filter.svn.sourceforge.net/viewvc/xss-html-filter/trunk/</url>
+ <connection>scm:svn:https://xss-html-filter.svn.sourceforge.net/svnroot/xss-html-filter/tags/xss-html-filter-1.3</connection>
+ <developerConnection>scm:svn:https://xss-html-filter.svn.sourceforge.net/svnroot/xss-html-filter/tags/xss-html-filter-1.3</developerConnection>
+ <url>http://xss-html-filter.svn.sourceforge.net/viewvc/xss-html-filter/tags/xss-html-filter-1.3</url>
</scm>
<licenses>
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
|
From: <mic...@us...> - 2011-02-25 11:17:04
|
Revision: 26
http://xss-html-filter.svn.sourceforge.net/xss-html-filter/?rev=26&view=rev
Author: micksembwever
Date: 2011-02-25 11:16:57 +0000 (Fri, 25 Feb 2011)
Log Message:
-----------
new sourceforge infrastructure
Modified Paths:
--------------
trunk/pom.xml
Modified: trunk/pom.xml
===================================================================
--- trunk/pom.xml 2011-02-25 10:12:59 UTC (rev 25)
+++ trunk/pom.xml 2011-02-25 11:16:57 UTC (rev 26)
@@ -137,16 +137,16 @@
<repository>
<id>xss-html-filter-releases</id>
<name>xss-html-filter.sf.net releases</name>
- <url>scp://shell.sourceforge.net:/home/groups/x/xs/xss-html-filter/htdocs/releases/</url>
+ <url>scp://shell.sourceforge.net:/home/project-web/xss-html-filter/htdocs/releases/</url>
</repository>
<snapshotRepository>
<id>xss-html-filter-snapshots</id>
<name>xss-html-filter.sf.net snapshots</name>
- <url>scp://shell.sourceforge.net:/home/groups/x/xs/xss-html-filter/htdocs/snapshots/</url>
+ <url>scp://shell.sourceforge.net:/home/project-web/xss-html-filter/htdocs/snapshots/</url>
</snapshotRepository>
<site>
<id>xss-html-filter.sf.net</id>
- <url>scp://216.34.181.119/home/groups/x/xs/xss-html-filter/htdocs/site/</url>
+ <url>scp://web.sourceforge.net/home/project-web/xss-html-filter/htdocs/site/</url>
</site>
</distributionManagement>
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
|
From: <mic...@us...> - 2011-02-25 10:13:05
|
Revision: 25
http://xss-html-filter.svn.sourceforge.net/xss-html-filter/?rev=25&view=rev
Author: micksembwever
Date: 2011-02-25 10:12:59 +0000 (Fri, 25 Feb 2011)
Log Message:
-----------
correct link to "view source"
Modified Paths:
--------------
trunk/src/website/index.html
Modified: trunk/src/website/index.html
===================================================================
--- trunk/src/website/index.html 2011-02-25 10:05:45 UTC (rev 24)
+++ trunk/src/website/index.html 2011-02-25 10:12:59 UTC (rev 25)
@@ -35,7 +35,7 @@
<p>
<ul>
- <li><a href="http://xss-html-filter.svn.sourceforge.net/viewvc/xss-html-filter/trunk/src/main/java/net/sf/xsshttpfilter/HTMLFilter.java?view=markup">View Source</a></li>
+ <li><a href="http://xss-html-filter.svn.sourceforge.net/viewvc/xss-html-filter/trunk/src/main/java/net/sf/xsshtmlfilter/HTMLFilter.java?view=markup">View Source</a></li>
<li><a href="/site/">Project information</a></li>
</ul>
</p>
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
|
From: <mic...@us...> - 2011-01-30 09:12:21
|
Revision: 23
http://xss-http-filter.svn.sourceforge.net/xss-http-filter/?rev=23&view=rev
Author: micksembwever
Date: 2011-01-30 09:12:15 +0000 (Sun, 30 Jan 2011)
Log Message:
-----------
xss-http-filter --> xss-html-filter
Modified Paths:
--------------
trunk/pom.xml
Modified: trunk/pom.xml
===================================================================
--- trunk/pom.xml 2011-01-30 09:07:06 UTC (rev 22)
+++ trunk/pom.xml 2011-01-30 09:12:15 UTC (rev 23)
@@ -110,9 +110,9 @@
<repositories>
<repository>
- <id>xss-http-filter-releases</id>
- <name>xss-http-filter.sf.net releases</name>
- <url>http://xss-http-filter.sf.net/releases/</url>
+ <id>xss-html-filter-releases</id>
+ <name>xss-html-filter.sf.net releases</name>
+ <url>http://xss-html-filter.sf.net/releases/</url>
<releases>
<enabled>true</enabled>
</releases>
@@ -122,8 +122,8 @@
</repository>
<repository>
<id>finntech-snapshot</id>
- <name>xss-http-filter.sf.net snapshots</name>
- <url>http://xss-http-filter.sf.net/snapshots/</url>
+ <name>xss-html-filter.sf.net snapshots</name>
+ <url>http://xss-html-filter.sf.net/snapshots/</url>
<releases>
<enabled>false</enabled>
</releases>
@@ -135,18 +135,18 @@
<distributionManagement>
<repository>
- <id>xss-http-filter-releases</id>
- <name>xss-http-filter.sf.net releases</name>
- <url>scp://shell.sourceforge.net:/home/groups/x/xs/xss-http-filter/htdocs/releases/</url>
+ <id>xss-html-filter-releases</id>
+ <name>xss-html-filter.sf.net releases</name>
+ <url>scp://shell.sourceforge.net:/home/groups/x/xs/xss-html-filter/htdocs/releases/</url>
</repository>
<snapshotRepository>
- <id>xss-http-filter-snapshots</id>
- <name>xss-http-filter.sf.net snapshots</name>
- <url>scp://shell.sourceforge.net:/home/groups/x/xs/xss-http-filter/htdocs/snapshots/</url>
+ <id>xss-html-filter-snapshots</id>
+ <name>xss-html-filter.sf.net snapshots</name>
+ <url>scp://shell.sourceforge.net:/home/groups/x/xs/xss-html-filter/htdocs/snapshots/</url>
</snapshotRepository>
<site>
- <id>xss-http-filter.sf.net</id>
- <url>scp://216.34.181.119/home/groups/x/xs/xss-http-filter/htdocs/site/</url>
+ <id>xss-html-filter.sf.net</id>
+ <url>scp://216.34.181.119/home/groups/x/xs/xss-html-filter/htdocs/site/</url>
</site>
</distributionManagement>
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
|
From: <mic...@us...> - 2011-01-30 09:07:15
|
Revision: 22
http://xss-http-filter.svn.sourceforge.net/xss-http-filter/?rev=22&view=rev
Author: micksembwever
Date: 2011-01-30 09:07:06 +0000 (Sun, 30 Jan 2011)
Log Message:
-----------
xss-http-filter --> xss-html-filter
Modified Paths:
--------------
trunk/pom.xml
Added Paths:
-----------
trunk/src/main/java/net/sf/xsshtmlfilter/
trunk/src/main/java/net/sf/xsshtmlfilter/HTMLFilter.java
trunk/src/test/java/net/sf/xsshtmlfilter/
trunk/src/test/java/net/sf/xsshtmlfilter/HTMLFilterTest.java
Removed Paths:
-------------
trunk/src/main/java/net/sf/xsshttpfilter/HTMLFilter.java
trunk/src/test/java/net/sf/xsshttpfilter/HTMLFilterTest.java
Modified: trunk/pom.xml
===================================================================
--- trunk/pom.xml 2010-09-22 19:22:34 UTC (rev 21)
+++ trunk/pom.xml 2011-01-30 09:07:06 UTC (rev 22)
@@ -1,21 +1,21 @@
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<modelVersion>4.0.0</modelVersion>
- <groupId>net.sf.xss-http-filter</groupId>
- <artifactId>xss-http-filter</artifactId>
+ <groupId>net.sf.xss-html-filter</groupId>
+ <artifactId>xss-html-filter</artifactId>
<version>1.3-SNAPSHOT</version>
<packaging>jar</packaging>
- <name>XSS HTTPFilter</name>
+ <name>XSS HTMLFilter</name>
<description>
- A Java library for protecting against cross site scripting.
- Hosted at https://sourceforge.net/projects/xss-http-filter/
+ A Java library for protecting against cross site scripting.
+ Hosted at https://sourceforge.net/projects/xss-html-filter/
</description>
<scm>
- <connection>scm:svn:https://xss-http-filter.svn.sourceforge.net/svnroot/xss-http-filter/trunk</connection>
- <developerConnection>scm:svn:https://xss-http-filter.svn.sourceforge.net/svnroot/xss-http-filter/trunk</developerConnection>
- <url>http://xss-http-filter.svn.sourceforge.net/viewvc/xss-http-filter/trunk/</url>
+ <connection>scm:svn:https://xss-html-filter.svn.sourceforge.net/svnroot/xss-html-filter/trunk</connection>
+ <developerConnection>scm:svn:https://xss-html-filter.svn.sourceforge.net/svnroot/xss-html-filter/trunk</developerConnection>
+ <url>http://xss-html-filter.svn.sourceforge.net/viewvc/xss-html-filter/trunk/</url>
</scm>
<licenses>
@@ -27,34 +27,34 @@
</licenses>
- <issueManagement><url>http://sourceforge.net/tracker/?group_id=344527</url></issueManagement>
+ <issueManagement><url>http://sourceforge.net/tracker/?group_id=344527</url></issueManagement>
- <developers>
- <developer>
+ <developers>
+ <developer>
<name>Cal Henderson</name>
<url>http://www.iamcal.com/</url>
- </developer>
- <developer>
+ </developer>
+ <developer>
<name>Joseph O'Connell</name>
<url>http://josephoconnell.com/</url>
- </developer>
- <developer>
+ </developer>
+ <developer>
<name>mck</name>
<id>micksembwever</id>
<email>mi...@se...</email>
<url>http://semb.wever.org</url>
- </developer>
- </developers>
+ </developer>
+ </developers>
<mailingLists>
<mailingList>
<name>User & Development List</name>
- <post>xss...@li...</post>
- <archive>http://sourceforge.net/mailarchive/forum.php?forum_name=xss-http-filter-user</archive>
+ <post>xss...@li...</post>
+ <archive>http://sourceforge.net/mailarchive/forum.php?forum_name=xss-html-filter-user</archive>
</mailingList>
<mailingList>
<name>Commit List</name>
- <archive>https://sourceforge.net/mailarchive/forum.php?forum_name=xss-http-filter-commits</archive>
+ <archive>https://sourceforge.net/mailarchive/forum.php?forum_name=xss-html-filter-commits</archive>
</mailingList>
</mailingLists>
@@ -92,7 +92,7 @@
</build>
<dependencies>
-
+
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
Copied: trunk/src/main/java/net/sf/xsshtmlfilter/HTMLFilter.java (from rev 18, trunk/src/main/java/net/sf/xsshttpfilter/HTMLFilter.java)
===================================================================
--- trunk/src/main/java/net/sf/xsshtmlfilter/HTMLFilter.java (rev 0)
+++ trunk/src/main/java/net/sf/xsshtmlfilter/HTMLFilter.java 2011-01-30 09:07:06 UTC (rev 22)
@@ -0,0 +1,529 @@
+package net.sf.xsshtmlfilter;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.concurrent.ConcurrentHashMap;
+import java.util.concurrent.ConcurrentMap;
+import java.util.logging.Logger;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+/**
+ *
+ * HTML filtering utility for protecting against XSS (Cross Site Scripting).
+ *
+ * This code is licensed LGPLv3
+ *
+ * This code is a Java port of the original work in PHP by Cal Hendersen.
+ * http://code.iamcal.com/php/lib_filter/
+ *
+ * The trickiest part of the translation was handling the differences in regex handling
+ * between PHP and Java. These resources were helpful in the process:
+ *
+ * http://java.sun.com/j2se/1.4.2/docs/api/java/util/regex/Pattern.html
+ * http://us2.php.net/manual/en/reference.pcre.pattern.modifiers.php
+ * http://www.regular-expressions.info/modifiers.html
+ *
+ * A note on naming conventions: instance variables are prefixed with a "v"; global
+ * constants are in all caps.
+ *
+ * Sample use:
+ * String input = ...
+ * String clean = new HTMLInputFilter().filter( input );
+ *
+ * The class is not thread safe. Create a new instance if in doubt.
+ *
+ * If you find bugs or have suggestions on improvement (especially regarding
+ * performance), please contact us. The latest version of this
+ * source, and our contact details, can be found at http://xss-html-filter.sf.net
+ *
+ * @author Joseph O'Connell
+ * @author Cal Hendersen
+ */
+public final class HTMLFilter {
+
+ /** regex flag union representing /si modifiers in php **/
+ private static final int REGEX_FLAGS_SI = Pattern.CASE_INSENSITIVE | Pattern.DOTALL;
+ private static final Pattern P_COMMENTS = Pattern.compile("<!--(.*?)-->", Pattern.DOTALL);
+ private static final Pattern P_COMMENT = Pattern.compile("^!--(.*)--$", REGEX_FLAGS_SI);
+ private static final Pattern P_TAGS = Pattern.compile("<(.*?)>", Pattern.DOTALL);
+ private static final Pattern P_END_TAG = Pattern.compile("^/([a-z0-9]+)", REGEX_FLAGS_SI);
+ private static final Pattern P_START_TAG = Pattern.compile("^([a-z0-9]+)(.*?)(/?)$", REGEX_FLAGS_SI);
+ private static final Pattern P_QUOTED_ATTRIBUTES = Pattern.compile("([a-z0-9]+)=([\"'])(.*?)\\2", REGEX_FLAGS_SI);
+ private static final Pattern P_UNQUOTED_ATTRIBUTES = Pattern.compile("([a-z0-9]+)(=)([^\"\\s']+)", REGEX_FLAGS_SI);
+ private static final Pattern P_PROTOCOL = Pattern.compile("^([^:]+):", REGEX_FLAGS_SI);
+ private static final Pattern P_ENTITY = Pattern.compile("&#(\\d+);?");
+ private static final Pattern P_ENTITY_UNICODE = Pattern.compile("&#x([0-9a-f]+);?");
+ private static final Pattern P_ENCODE = Pattern.compile("%([0-9a-f]{2});?");
+ private static final Pattern P_VALID_ENTITIES = Pattern.compile("&([^&;]*)(?=(;|&|$))");
+ private static final Pattern P_VALID_QUOTES = Pattern.compile("(>|^)([^<]+?)(<|$)", Pattern.DOTALL);
+ private static final Pattern P_END_ARROW = Pattern.compile("^>");
+ private static final Pattern P_BODY_TO_END = Pattern.compile("<([^>]*?)(?=<|$)");
+ private static final Pattern P_XML_CONTENT = Pattern.compile("(^|>)([^<]*?)(?=>)");
+ private static final Pattern P_STRAY_LEFT_ARROW = Pattern.compile("<([^>]*?)(?=<|$)");
+ private static final Pattern P_STRAY_RIGHT_ARROW = Pattern.compile("(^|>)([^<]*?)(?=>)");
+ private static final Pattern P_AMP = Pattern.compile("&");
+ private static final Pattern P_QUOTE = Pattern.compile("\"");
+ private static final Pattern P_LEFT_ARROW = Pattern.compile("<");
+ private static final Pattern P_RIGHT_ARROW = Pattern.compile(">");
+ private static final Pattern P_BOTH_ARROWS = Pattern.compile("<>");
+
+ // @xxx could grow large... maybe use sesat's ReferenceMap
+ private static final ConcurrentMap<String,Pattern> P_REMOVE_PAIR_BLANKS = new ConcurrentHashMap<String, Pattern>();
+ private static final ConcurrentMap<String,Pattern> P_REMOVE_SELF_BLANKS = new ConcurrentHashMap<String, Pattern>();
+
+ /** set of allowed html elements, along with allowed attributes for each element **/
+ private final Map<String, List<String>> vAllowed;
+ /** counts of open tags for each (allowable) html element **/
+ private final Map<String, Integer> vTagCounts = new HashMap<String, Integer>();
+
+ /** html elements which must always be self-closing (e.g. "<img />") **/
+ private final String[] vSelfClosingTags;
+ /** html elements which must always have separate opening and closing tags (e.g. "<b></b>") **/
+ private final String[] vNeedClosingTags;
+ /** set of disallowed html elements **/
+ private final String[] vDisallowed;
+ /** attributes which should be checked for valid protocols **/
+ private final String[] vProtocolAtts;
+ /** allowed protocols **/
+ private final String[] vAllowedProtocols;
+ /** tags which should be removed if they contain no content (e.g. "<b></b>" or "<b />") **/
+ private final String[] vRemoveBlanks;
+ /** entities allowed within html markup **/
+ private final String[] vAllowedEntities;
+ /** flag determining whether comments are allowed in input String. */
+ private final boolean stripComment;
+ private boolean vDebug = false;
+ /**
+ * flag determining whether to try to make tags when presented with "unbalanced"
+ * angle brackets (e.g. "<b text </b>" becomes "<b> text </b>"). If set to false,
+ * unbalanced angle brackets will be html escaped.
+ */
+ private final boolean alwaysMakeTags;
+
+ /** Default constructor.
+ *
+ */
+ public HTMLFilter() {
+ vAllowed = new HashMap<String, List<String>>();
+
+ final ArrayList<String> a_atts = new ArrayList<String>();
+ a_atts.add("href");
+ a_atts.add("target");
+ vAllowed.put("a", a_atts);
+
+ final ArrayList<String> img_atts = new ArrayList<String>();
+ img_atts.add("src");
+ img_atts.add("width");
+ img_atts.add("height");
+ img_atts.add("alt");
+ vAllowed.put("img", img_atts);
+
+ final ArrayList<String> no_atts = new ArrayList<String>();
+ vAllowed.put("b", no_atts);
+ vAllowed.put("strong", no_atts);
+ vAllowed.put("i", no_atts);
+ vAllowed.put("em", no_atts);
+
+ vSelfClosingTags = new String[]{"img"};
+ vNeedClosingTags = new String[]{"a", "b", "strong", "i", "em"};
+ vDisallowed = new String[]{};
+ vAllowedProtocols = new String[]{"http", "mailto"}; // no ftp.
+ vProtocolAtts = new String[]{"src", "href"};
+ vRemoveBlanks = new String[]{"a", "b", "strong", "i", "em"};
+ vAllowedEntities = new String[]{"amp", "gt", "lt", "quot"};
+ stripComment = true;
+ alwaysMakeTags = true;
+ }
+
+ /** Set debug flag to true. Otherwise use default settings. See the default constructor.
+ *
+ * @param debug turn debug on with a true argument
+ */
+ public HTMLFilter(final boolean debug) {
+ this();
+ vDebug = debug;
+
+ }
+
+ /** Map-parameter configurable constructor.
+ *
+ * @param configuration map containing configuration. keys match field names.
+ */
+ public HTMLFilter(final Map<String,Object> configuration) {
+
+ assert configuration.containsKey("vAllowed") : "configuration requires vAllowed";
+ assert configuration.containsKey("vSelfClosingTags") : "configuration requires vSelfClosingTags";
+ assert configuration.containsKey("vNeedClosingTags") : "configuration requires vNeedClosingTags";
+ assert configuration.containsKey("vDisallowed") : "configuration requires vDisallowed";
+ assert configuration.containsKey("vAllowedProtocols") : "configuration requires vAllowedProtocols";
+ assert configuration.containsKey("vProtocolAtts") : "configuration requires vProtocolAtts";
+ assert configuration.containsKey("vRemoveBlanks") : "configuration requires vRemoveBlanks";
+ assert configuration.containsKey("vAllowedEntities") : "configuration requires vAllowedEntities";
+ assert configuration.containsKey("stripComment") : "configuration requires stripComment";
+ assert configuration.containsKey("alwaysMakeTags") : "configuration requires alwaysMakeTags";
+
+ vAllowed = Collections.unmodifiableMap((HashMap<String, List<String>>) configuration.get("vAllowed"));
+ vSelfClosingTags = (String[]) configuration.get("vSelfClosingTags");
+ vNeedClosingTags = (String[]) configuration.get("vNeedClosingTags");
+ vDisallowed = (String[]) configuration.get("vDisallowed");
+ vAllowedProtocols = (String[]) configuration.get("vAllowedProtocols");
+ vProtocolAtts = (String[]) configuration.get("vProtocolAtts");
+ vRemoveBlanks = (String[]) configuration.get("vRemoveBlanks");
+ vAllowedEntities = (String[]) configuration.get("vAllowedEntities");
+ stripComment = (Boolean) configuration.get("stripComment");
+ alwaysMakeTags = (Boolean) configuration.get("alwaysMakeTags");
+ }
+
+ private void reset() {
+ vTagCounts.clear();
+ }
+
+ private void debug(final String msg) {
+ if (vDebug) {
+ Logger.getAnonymousLogger().info(msg);
+ }
+ }
+
+ //---------------------------------------------------------------
+ // my versions of some PHP library functions
+ public static String chr(final int decimal) {
+ return String.valueOf((char) decimal);
+ }
+
+ public static String htmlSpecialChars(final String s) {
+ String result = s;
+ result = regexReplace(P_AMP, "&", result);
+ result = regexReplace(P_QUOTE, """, result);
+ result = regexReplace(P_LEFT_ARROW, "<", result);
+ result = regexReplace(P_RIGHT_ARROW, ">", result);
+ return result;
+ }
+
+ //---------------------------------------------------------------
+ /**
+ * given a user submitted input String, filter out any invalid or restricted
+ * html.
+ *
+ * @param input text (i.e. submitted by a user) than may contain html
+ * @return "clean" version of input, with only valid, whitelisted html elements allowed
+ */
+ public String filter(final String input) {
+ reset();
+ String s = input;
+
+ debug("************************************************");
+ debug(" INPUT: " + input);
+
+ s = escapeComments(s);
+ debug(" escapeComments: " + s);
+
+ s = balanceHTML(s);
+ debug(" balanceHTML: " + s);
+
+ s = checkTags(s);
+ debug(" checkTags: " + s);
+
+ s = processRemoveBlanks(s);
+ debug("processRemoveBlanks: " + s);
+
+ s = validateEntities(s);
+ debug(" validateEntites: " + s);
+
+ debug("************************************************\n\n");
+ return s;
+ }
+
+ public boolean isAlwaysMakeTags(){
+ return alwaysMakeTags;
+ }
+
+ public boolean isStripComments(){
+ return stripComment;
+ }
+
+ private String escapeComments(final String s) {
+ final Matcher m = P_COMMENTS.matcher(s);
+ final StringBuffer buf = new StringBuffer();
+ if (m.find()) {
+ final String match = m.group(1); //(.*?)
+ m.appendReplacement(buf, "<!--" + htmlSpecialChars(match) + "-->");
+ }
+ m.appendTail(buf);
+
+ return buf.toString();
+ }
+
+ private String balanceHTML(String s) {
+ if (alwaysMakeTags) {
+ //
+ // try and form html
+ //
+ s = regexReplace(P_END_ARROW, "", s);
+ s = regexReplace(P_BODY_TO_END, "<$1>", s);
+ s = regexReplace(P_XML_CONTENT, "$1<$2", s);
+
+ } else {
+ //
+ // escape stray brackets
+ //
+ s = regexReplace(P_STRAY_LEFT_ARROW, "<$1", s);
+ s = regexReplace(P_STRAY_RIGHT_ARROW, "$1$2><", s);
+
+ //
+ // the last regexp causes '<>' entities to appear
+ // (we need to do a lookahead assertion so that the last bracket can
+ // be used in the next pass of the regexp)
+ //
+ s = regexReplace(P_BOTH_ARROWS, "", s);
+ }
+
+ return s;
+ }
+
+ private String checkTags(String s) {
+ Matcher m = P_TAGS.matcher(s);
+
+ final StringBuffer buf = new StringBuffer();
+ while (m.find()) {
+ String replaceStr = m.group(1);
+ replaceStr = processTag(replaceStr);
+ m.appendReplacement(buf, replaceStr);
+ }
+ m.appendTail(buf);
+
+ s = buf.toString();
+
+ // these get tallied in processTag
+ // (remember to reset before subsequent calls to filter method)
+ for (String key : vTagCounts.keySet()) {
+ for (int ii = 0; ii < vTagCounts.get(key); ii++) {
+ s += "</" + key + ">";
+ }
+ }
+
+ return s;
+ }
+
+ private String processRemoveBlanks(final String s) {
+ String result = s;
+ for (String tag : vRemoveBlanks) {
+ if(!P_REMOVE_PAIR_BLANKS.containsKey(tag)){
+ P_REMOVE_PAIR_BLANKS.putIfAbsent(tag, Pattern.compile("<" + tag + "(\\s[^>]*)?></" + tag + ">"));
+ }
+ result = regexReplace(P_REMOVE_PAIR_BLANKS.get(tag), "", result);
+ if(!P_REMOVE_SELF_BLANKS.containsKey(tag)){
+ P_REMOVE_SELF_BLANKS.putIfAbsent(tag, Pattern.compile("<" + tag + "(\\s[^>]*)?/>"));
+ }
+ result = regexReplace(P_REMOVE_SELF_BLANKS.get(tag), "", result);
+ }
+
+ return result;
+ }
+
+ private static String regexReplace(final Pattern regex_pattern, final String replacement, final String s) {
+ Matcher m = regex_pattern.matcher(s);
+ return m.replaceAll(replacement);
+ }
+
+ private String processTag(final String s) {
+ // ending tags
+ Matcher m = P_END_TAG.matcher(s);
+ if (m.find()) {
+ final String name = m.group(1).toLowerCase();
+ if (allowed(name)) {
+ if (!inArray(name, vSelfClosingTags)) {
+ if (vTagCounts.containsKey(name)) {
+ vTagCounts.put(name, vTagCounts.get(name) - 1);
+ return "</" + name + ">";
+ }
+ }
+ }
+ }
+
+ // starting tags
+ m = P_START_TAG.matcher(s);
+ if (m.find()) {
+ final String name = m.group(1).toLowerCase();
+ final String body = m.group(2);
+ String ending = m.group(3);
+
+ //debug( "in a starting tag, name='" + name + "'; body='" + body + "'; ending='" + ending + "'" );
+ if (allowed(name)) {
+ String params = "";
+
+ final Matcher m2 = P_QUOTED_ATTRIBUTES.matcher(body);
+ final Matcher m3 = P_UNQUOTED_ATTRIBUTES.matcher(body);
+ final List<String> paramNames = new ArrayList<String>();
+ final List<String> paramValues = new ArrayList<String>();
+ while (m2.find()) {
+ paramNames.add(m2.group(1)); //([a-z0-9]+)
+ paramValues.add(m2.group(3)); //(.*?)
+ }
+ while (m3.find()) {
+ paramNames.add(m3.group(1)); //([a-z0-9]+)
+ paramValues.add(m3.group(3)); //([^\"\\s']+)
+ }
+
+ String paramName, paramValue;
+ for (int ii = 0; ii < paramNames.size(); ii++) {
+ paramName = paramNames.get(ii).toLowerCase();
+ paramValue = paramValues.get(ii);
+
+// debug( "paramName='" + paramName + "'" );
+// debug( "paramValue='" + paramValue + "'" );
+// debug( "allowed? " + vAllowed.get( name ).contains( paramName ) );
+
+ if (allowedAttribute(name, paramName)) {
+ if (inArray(paramName, vProtocolAtts)) {
+ paramValue = processParamProtocol(paramValue);
+ }
+ params += " " + paramName + "=\"" + paramValue + "\"";
+ }
+ }
+
+ if (inArray(name, vSelfClosingTags)) {
+ ending = " /";
+ }
+
+ if (inArray(name, vNeedClosingTags)) {
+ ending = "";
+ }
+
+ if (ending == null || ending.length() < 1) {
+ if (vTagCounts.containsKey(name)) {
+ vTagCounts.put(name, vTagCounts.get(name) + 1);
+ } else {
+ vTagCounts.put(name, 1);
+ }
+ } else {
+ ending = " /";
+ }
+ return "<" + name + params + ending + ">";
+ } else {
+ return "";
+ }
+ }
+
+ // comments
+ m = P_COMMENT.matcher(s);
+ if (!stripComment && m.find()) {
+ return "<" + m.group() + ">";
+ }
+
+ return "";
+ }
+
+ private String processParamProtocol(String s) {
+ s = decodeEntities(s);
+ final Matcher m = P_PROTOCOL.matcher(s);
+ if (m.find()) {
+ final String protocol = m.group(1);
+ if (!inArray(protocol, vAllowedProtocols)) {
+ // bad protocol, turn into local anchor link instead
+ s = "#" + s.substring(protocol.length() + 1, s.length());
+ if (s.startsWith("#//")) {
+ s = "#" + s.substring(3, s.length());
+ }
+ }
+ }
+
+ return s;
+ }
+
+ private String decodeEntities(String s) {
+ StringBuffer buf = new StringBuffer();
+
+ Matcher m = P_ENTITY.matcher(s);
+ while (m.find()) {
+ final String match = m.group(1);
+ final int decimal = Integer.decode(match).intValue();
+ m.appendReplacement(buf, chr(decimal));
+ }
+ m.appendTail(buf);
+ s = buf.toString();
+
+ buf = new StringBuffer();
+ m = P_ENTITY_UNICODE.matcher(s);
+ while (m.find()) {
+ final String match = m.group(1);
+ final int decimal = Integer.valueOf(match, 16).intValue();
+ m.appendReplacement(buf, chr(decimal));
+ }
+ m.appendTail(buf);
+ s = buf.toString();
+
+ buf = new StringBuffer();
+ m = P_ENCODE.matcher(s);
+ while (m.find()) {
+ final String match = m.group(1);
+ final int decimal = Integer.valueOf(match, 16).intValue();
+ m.appendReplacement(buf, chr(decimal));
+ }
+ m.appendTail(buf);
+ s = buf.toString();
+
+ s = validateEntities(s);
+ return s;
+ }
+
+ private String validateEntities(String s) {
+ StringBuffer buf = new StringBuffer();
+
+ // validate entities throughout the string
+ Matcher m = P_VALID_ENTITIES.matcher(s);
+ while (m.find()) {
+ final String one = m.group(1); //([^&;]*)
+ final String two = m.group(2); //(?=(;|&|$))
+ final String replacement = Matcher.quoteReplacement(checkEntity(one, two));
+ m.appendReplacement(buf, replacement);
+ }
+ m.appendTail(buf);
+ s = buf.toString();
+
+ // validate quotes outside of tags
+ buf = new StringBuffer();
+ m = P_VALID_QUOTES.matcher(s);
+ while (m.find()) {
+ final String one = m.group(1); //(>|^)
+ final String two = m.group(2); //([^<]+?)
+ final String three = m.group(3); //(<|$)
+ m.appendReplacement(buf, Matcher.quoteReplacement(one + regexReplace(P_QUOTE, """, two) + three));
+ }
+ m.appendTail(buf);
+ s = buf.toString();
+
+ return s;
+ }
+
+ private String checkEntity(final String preamble, final String term) {
+
+ return ";".equals(term) && isValidEntity(preamble)
+ ? '&' + preamble
+ : "&" + preamble;
+ }
+
+ private boolean isValidEntity(final String entity) {
+ return inArray(entity, vAllowedEntities);
+ }
+
+ private static boolean inArray(final String s, final String[] array) {
+ for (String item : array) {
+ if (item != null && item.equals(s)) {
+ return true;
+ }
+ }
+ return false;
+ }
+
+ private boolean allowed(final String name) {
+ return (vAllowed.isEmpty() || vAllowed.containsKey(name)) && !inArray(name, vDisallowed);
+ }
+
+ private boolean allowedAttribute(final String name, final String paramName) {
+ return allowed(name) && (vAllowed.isEmpty() || vAllowed.get(name).contains(paramName));
+ }
+}
Deleted: trunk/src/main/java/net/sf/xsshttpfilter/HTMLFilter.java
===================================================================
--- trunk/src/main/java/net/sf/xsshttpfilter/HTMLFilter.java 2010-09-22 19:22:34 UTC (rev 21)
+++ trunk/src/main/java/net/sf/xsshttpfilter/HTMLFilter.java 2011-01-30 09:07:06 UTC (rev 22)
@@ -1,529 +0,0 @@
-package net.sf.xsshttpfilter;
-
-import java.util.ArrayList;
-import java.util.Collections;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-import java.util.concurrent.ConcurrentHashMap;
-import java.util.concurrent.ConcurrentMap;
-import java.util.logging.Logger;
-import java.util.regex.Matcher;
-import java.util.regex.Pattern;
-
-/**
- *
- * HTML filtering utility for protecting against XSS (Cross Site Scripting).
- *
- * This code is licensed LGPLv3
- *
- * This code is a Java port of the original work in PHP by Cal Hendersen.
- * http://code.iamcal.com/php/lib_filter/
- *
- * The trickiest part of the translation was handling the differences in regex handling
- * between PHP and Java. These resources were helpful in the process:
- *
- * http://java.sun.com/j2se/1.4.2/docs/api/java/util/regex/Pattern.html
- * http://us2.php.net/manual/en/reference.pcre.pattern.modifiers.php
- * http://www.regular-expressions.info/modifiers.html
- *
- * A note on naming conventions: instance variables are prefixed with a "v"; global
- * constants are in all caps.
- *
- * Sample use:
- * String input = ...
- * String clean = new HTMLInputFilter().filter( input );
- *
- * The class is not thread safe. Create a new instance if in doubt.
- *
- * If you find bugs or have suggestions on improvement (especially regarding
- * performance), please contact us. The latest version of this
- * source, and our contact details, can be found at http://xss-html-filter.sf.net
- *
- * @author Joseph O'Connell
- * @author Cal Hendersen
- */
-public final class HTMLFilter {
-
- /** regex flag union representing /si modifiers in php **/
- private static final int REGEX_FLAGS_SI = Pattern.CASE_INSENSITIVE | Pattern.DOTALL;
- private static final Pattern P_COMMENTS = Pattern.compile("<!--(.*?)-->", Pattern.DOTALL);
- private static final Pattern P_COMMENT = Pattern.compile("^!--(.*)--$", REGEX_FLAGS_SI);
- private static final Pattern P_TAGS = Pattern.compile("<(.*?)>", Pattern.DOTALL);
- private static final Pattern P_END_TAG = Pattern.compile("^/([a-z0-9]+)", REGEX_FLAGS_SI);
- private static final Pattern P_START_TAG = Pattern.compile("^([a-z0-9]+)(.*?)(/?)$", REGEX_FLAGS_SI);
- private static final Pattern P_QUOTED_ATTRIBUTES = Pattern.compile("([a-z0-9]+)=([\"'])(.*?)\\2", REGEX_FLAGS_SI);
- private static final Pattern P_UNQUOTED_ATTRIBUTES = Pattern.compile("([a-z0-9]+)(=)([^\"\\s']+)", REGEX_FLAGS_SI);
- private static final Pattern P_PROTOCOL = Pattern.compile("^([^:]+):", REGEX_FLAGS_SI);
- private static final Pattern P_ENTITY = Pattern.compile("&#(\\d+);?");
- private static final Pattern P_ENTITY_UNICODE = Pattern.compile("&#x([0-9a-f]+);?");
- private static final Pattern P_ENCODE = Pattern.compile("%([0-9a-f]{2});?");
- private static final Pattern P_VALID_ENTITIES = Pattern.compile("&([^&;]*)(?=(;|&|$))");
- private static final Pattern P_VALID_QUOTES = Pattern.compile("(>|^)([^<]+?)(<|$)", Pattern.DOTALL);
- private static final Pattern P_END_ARROW = Pattern.compile("^>");
- private static final Pattern P_BODY_TO_END = Pattern.compile("<([^>]*?)(?=<|$)");
- private static final Pattern P_XML_CONTENT = Pattern.compile("(^|>)([^<]*?)(?=>)");
- private static final Pattern P_STRAY_LEFT_ARROW = Pattern.compile("<([^>]*?)(?=<|$)");
- private static final Pattern P_STRAY_RIGHT_ARROW = Pattern.compile("(^|>)([^<]*?)(?=>)");
- private static final Pattern P_AMP = Pattern.compile("&");
- private static final Pattern P_QUOTE = Pattern.compile("\"");
- private static final Pattern P_LEFT_ARROW = Pattern.compile("<");
- private static final Pattern P_RIGHT_ARROW = Pattern.compile(">");
- private static final Pattern P_BOTH_ARROWS = Pattern.compile("<>");
-
- // @xxx could grow large... maybe use sesat's ReferenceMap
- private static final ConcurrentMap<String,Pattern> P_REMOVE_PAIR_BLANKS = new ConcurrentHashMap<String, Pattern>();
- private static final ConcurrentMap<String,Pattern> P_REMOVE_SELF_BLANKS = new ConcurrentHashMap<String, Pattern>();
-
- /** set of allowed html elements, along with allowed attributes for each element **/
- private final Map<String, List<String>> vAllowed;
- /** counts of open tags for each (allowable) html element **/
- private final Map<String, Integer> vTagCounts = new HashMap<String, Integer>();
-
- /** html elements which must always be self-closing (e.g. "<img />") **/
- private final String[] vSelfClosingTags;
- /** html elements which must always have separate opening and closing tags (e.g. "<b></b>") **/
- private final String[] vNeedClosingTags;
- /** set of disallowed html elements **/
- private final String[] vDisallowed;
- /** attributes which should be checked for valid protocols **/
- private final String[] vProtocolAtts;
- /** allowed protocols **/
- private final String[] vAllowedProtocols;
- /** tags which should be removed if they contain no content (e.g. "<b></b>" or "<b />") **/
- private final String[] vRemoveBlanks;
- /** entities allowed within html markup **/
- private final String[] vAllowedEntities;
- /** flag determining whether comments are allowed in input String. */
- private final boolean stripComment;
- private boolean vDebug = false;
- /**
- * flag determining whether to try to make tags when presented with "unbalanced"
- * angle brackets (e.g. "<b text </b>" becomes "<b> text </b>"). If set to false,
- * unbalanced angle brackets will be html escaped.
- */
- private final boolean alwaysMakeTags;
-
- /** Default constructor.
- *
- */
- public HTMLFilter() {
- vAllowed = new HashMap<String, List<String>>();
-
- final ArrayList<String> a_atts = new ArrayList<String>();
- a_atts.add("href");
- a_atts.add("target");
- vAllowed.put("a", a_atts);
-
- final ArrayList<String> img_atts = new ArrayList<String>();
- img_atts.add("src");
- img_atts.add("width");
- img_atts.add("height");
- img_atts.add("alt");
- vAllowed.put("img", img_atts);
-
- final ArrayList<String> no_atts = new ArrayList<String>();
- vAllowed.put("b", no_atts);
- vAllowed.put("strong", no_atts);
- vAllowed.put("i", no_atts);
- vAllowed.put("em", no_atts);
-
- vSelfClosingTags = new String[]{"img"};
- vNeedClosingTags = new String[]{"a", "b", "strong", "i", "em"};
- vDisallowed = new String[]{};
- vAllowedProtocols = new String[]{"http", "mailto"}; // no ftp.
- vProtocolAtts = new String[]{"src", "href"};
- vRemoveBlanks = new String[]{"a", "b", "strong", "i", "em"};
- vAllowedEntities = new String[]{"amp", "gt", "lt", "quot"};
- stripComment = true;
- alwaysMakeTags = true;
- }
-
- /** Set debug flag to true. Otherwise use default settings. See the default constructor.
- *
- * @param debug turn debug on with a true argument
- */
- public HTMLFilter(final boolean debug) {
- this();
- vDebug = debug;
-
- }
-
- /** Map-parameter configurable constructor.
- *
- * @param configuration map containing configuration. keys match field names.
- */
- public HTMLFilter(final Map<String,Object> configuration) {
-
- assert configuration.containsKey("vAllowed") : "configuration requires vAllowed";
- assert configuration.containsKey("vSelfClosingTags") : "configuration requires vSelfClosingTags";
- assert configuration.containsKey("vNeedClosingTags") : "configuration requires vNeedClosingTags";
- assert configuration.containsKey("vDisallowed") : "configuration requires vDisallowed";
- assert configuration.containsKey("vAllowedProtocols") : "configuration requires vAllowedProtocols";
- assert configuration.containsKey("vProtocolAtts") : "configuration requires vProtocolAtts";
- assert configuration.containsKey("vRemoveBlanks") : "configuration requires vRemoveBlanks";
- assert configuration.containsKey("vAllowedEntities") : "configuration requires vAllowedEntities";
- assert configuration.containsKey("stripComment") : "configuration requires stripComment";
- assert configuration.containsKey("alwaysMakeTags") : "configuration requires alwaysMakeTags";
-
- vAllowed = Collections.unmodifiableMap((HashMap<String, List<String>>) configuration.get("vAllowed"));
- vSelfClosingTags = (String[]) configuration.get("vSelfClosingTags");
- vNeedClosingTags = (String[]) configuration.get("vNeedClosingTags");
- vDisallowed = (String[]) configuration.get("vDisallowed");
- vAllowedProtocols = (String[]) configuration.get("vAllowedProtocols");
- vProtocolAtts = (String[]) configuration.get("vProtocolAtts");
- vRemoveBlanks = (String[]) configuration.get("vRemoveBlanks");
- vAllowedEntities = (String[]) configuration.get("vAllowedEntities");
- stripComment = (Boolean) configuration.get("stripComment");
- alwaysMakeTags = (Boolean) configuration.get("alwaysMakeTags");
- }
-
- private void reset() {
- vTagCounts.clear();
- }
-
- private void debug(final String msg) {
- if (vDebug) {
- Logger.getAnonymousLogger().info(msg);
- }
- }
-
- //---------------------------------------------------------------
- // my versions of some PHP library functions
- public static String chr(final int decimal) {
- return String.valueOf((char) decimal);
- }
-
- public static String htmlSpecialChars(final String s) {
- String result = s;
- result = regexReplace(P_AMP, "&", result);
- result = regexReplace(P_QUOTE, """, result);
- result = regexReplace(P_LEFT_ARROW, "<", result);
- result = regexReplace(P_RIGHT_ARROW, ">", result);
- return result;
- }
-
- //---------------------------------------------------------------
- /**
- * given a user submitted input String, filter out any invalid or restricted
- * html.
- *
- * @param input text (i.e. submitted by a user) than may contain html
- * @return "clean" version of input, with only valid, whitelisted html elements allowed
- */
- public String filter(final String input) {
- reset();
- String s = input;
-
- debug("************************************************");
- debug(" INPUT: " + input);
-
- s = escapeComments(s);
- debug(" escapeComments: " + s);
-
- s = balanceHTML(s);
- debug(" balanceHTML: " + s);
-
- s = checkTags(s);
- debug(" checkTags: " + s);
-
- s = processRemoveBlanks(s);
- debug("processRemoveBlanks: " + s);
-
- s = validateEntities(s);
- debug(" validateEntites: " + s);
-
- debug("************************************************\n\n");
- return s;
- }
-
- public boolean isAlwaysMakeTags(){
- return alwaysMakeTags;
- }
-
- public boolean isStripComments(){
- return stripComment;
- }
-
- private String escapeComments(final String s) {
- final Matcher m = P_COMMENTS.matcher(s);
- final StringBuffer buf = new StringBuffer();
- if (m.find()) {
- final String match = m.group(1); //(.*?)
- m.appendReplacement(buf, "<!--" + htmlSpecialChars(match) + "-->");
- }
- m.appendTail(buf);
-
- return buf.toString();
- }
-
- private String balanceHTML(String s) {
- if (alwaysMakeTags) {
- //
- // try and form html
- //
- s = regexReplace(P_END_ARROW, "", s);
- s = regexReplace(P_BODY_TO_END, "<$1>", s);
- s = regexReplace(P_XML_CONTENT, "$1<$2", s);
-
- } else {
- //
- // escape stray brackets
- //
- s = regexReplace(P_STRAY_LEFT_ARROW, "<$1", s);
- s = regexReplace(P_STRAY_RIGHT_ARROW, "$1$2><", s);
-
- //
- // the last regexp causes '<>' entities to appear
- // (we need to do a lookahead assertion so that the last bracket can
- // be used in the next pass of the regexp)
- //
- s = regexReplace(P_BOTH_ARROWS, "", s);
- }
-
- return s;
- }
-
- private String checkTags(String s) {
- Matcher m = P_TAGS.matcher(s);
-
- final StringBuffer buf = new StringBuffer();
- while (m.find()) {
- String replaceStr = m.group(1);
- replaceStr = processTag(replaceStr);
- m.appendReplacement(buf, replaceStr);
- }
- m.appendTail(buf);
-
- s = buf.toString();
-
- // these get tallied in processTag
- // (remember to reset before subsequent calls to filter method)
- for (String key : vTagCounts.keySet()) {
- for (int ii = 0; ii < vTagCounts.get(key); ii++) {
- s += "</" + key + ">";
- }
- }
-
- return s;
- }
-
- private String processRemoveBlanks(final String s) {
- String result = s;
- for (String tag : vRemoveBlanks) {
- if(!P_REMOVE_PAIR_BLANKS.containsKey(tag)){
- P_REMOVE_PAIR_BLANKS.putIfAbsent(tag, Pattern.compile("<" + tag + "(\\s[^>]*)?></" + tag + ">"));
- }
- result = regexReplace(P_REMOVE_PAIR_BLANKS.get(tag), "", result);
- if(!P_REMOVE_SELF_BLANKS.containsKey(tag)){
- P_REMOVE_SELF_BLANKS.putIfAbsent(tag, Pattern.compile("<" + tag + "(\\s[^>]*)?/>"));
- }
- result = regexReplace(P_REMOVE_SELF_BLANKS.get(tag), "", result);
- }
-
- return result;
- }
-
- private static String regexReplace(final Pattern regex_pattern, final String replacement, final String s) {
- Matcher m = regex_pattern.matcher(s);
- return m.replaceAll(replacement);
- }
-
- private String processTag(final String s) {
- // ending tags
- Matcher m = P_END_TAG.matcher(s);
- if (m.find()) {
- final String name = m.group(1).toLowerCase();
- if (allowed(name)) {
- if (!inArray(name, vSelfClosingTags)) {
- if (vTagCounts.containsKey(name)) {
- vTagCounts.put(name, vTagCounts.get(name) - 1);
- return "</" + name + ">";
- }
- }
- }
- }
-
- // starting tags
- m = P_START_TAG.matcher(s);
- if (m.find()) {
- final String name = m.group(1).toLowerCase();
- final String body = m.group(2);
- String ending = m.group(3);
-
- //debug( "in a starting tag, name='" + name + "'; body='" + body + "'; ending='" + ending + "'" );
- if (allowed(name)) {
- String params = "";
-
- final Matcher m2 = P_QUOTED_ATTRIBUTES.matcher(body);
- final Matcher m3 = P_UNQUOTED_ATTRIBUTES.matcher(body);
- final List<String> paramNames = new ArrayList<String>();
- final List<String> paramValues = new ArrayList<String>();
- while (m2.find()) {
- paramNames.add(m2.group(1)); //([a-z0-9]+)
- paramValues.add(m2.group(3)); //(.*?)
- }
- while (m3.find()) {
- paramNames.add(m3.group(1)); //([a-z0-9]+)
- paramValues.add(m3.group(3)); //([^\"\\s']+)
- }
-
- String paramName, paramValue;
- for (int ii = 0; ii < paramNames.size(); ii++) {
- paramName = paramNames.get(ii).toLowerCase();
- paramValue = paramValues.get(ii);
-
-// debug( "paramName='" + paramName + "'" );
-// debug( "paramValue='" + paramValue + "'" );
-// debug( "allowed? " + vAllowed.get( name ).contains( paramName ) );
-
- if (allowedAttribute(name, paramName)) {
- if (inArray(paramName, vProtocolAtts)) {
- paramValue = processParamProtocol(paramValue);
- }
- params += " " + paramName + "=\"" + paramValue + "\"";
- }
- }
-
- if (inArray(name, vSelfClosingTags)) {
- ending = " /";
- }
-
- if (inArray(name, vNeedClosingTags)) {
- ending = "";
- }
-
- if (ending == null || ending.length() < 1) {
- if (vTagCounts.containsKey(name)) {
- vTagCounts.put(name, vTagCounts.get(name) + 1);
- } else {
- vTagCounts.put(name, 1);
- }
- } else {
- ending = " /";
- }
- return "<" + name + params + ending + ">";
- } else {
- return "";
- }
- }
-
- // comments
- m = P_COMMENT.matcher(s);
- if (!stripComment && m.find()) {
- return "<" + m.group() + ">";
- }
-
- return "";
- }
-
- private String processParamProtocol(String s) {
- s = decodeEntities(s);
- final Matcher m = P_PROTOCOL.matcher(s);
- if (m.find()) {
- final String protocol = m.group(1);
- if (!inArray(protocol, vAllowedProtocols)) {
- // bad protocol, turn into local anchor link instead
- s = "#" + s.substring(protocol.length() + 1, s.length());
- if (s.startsWith("#//")) {
- s = "#" + s.substring(3, s.length());
- }
- }
- }
-
- return s;
- }
-
- private String decodeEntities(String s) {
- StringBuffer buf = new StringBuffer();
-
- Matcher m = P_ENTITY.matcher(s);
- while (m.find()) {
- final String match = m.group(1);
- final int decimal = Integer.decode(match).intValue();
- m.appendReplacement(buf, chr(decimal));
- }
- m.appendTail(buf);
- s = buf.toString();
-
- buf = new StringBuffer();
- m = P_ENTITY_UNICODE.matcher(s);
- while (m.find()) {
- final String match = m.group(1);
- final int decimal = Integer.valueOf(match, 16).intValue();
- m.appendReplacement(buf, chr(decimal));
- }
- m.appendTail(buf);
- s = buf.toString();
-
- buf = new StringBuffer();
- m = P_ENCODE.matcher(s);
- while (m.find()) {
- final String match = m.group(1);
- final int decimal = Integer.valueOf(match, 16).intValue();
- m.appendReplacement(buf, chr(decimal));
- }
- m.appendTail(buf);
- s = buf.toString();
-
- s = validateEntities(s);
- return s;
- }
-
- private String validateEntities(String s) {
- StringBuffer buf = new StringBuffer();
-
- // validate entities throughout the string
- Matcher m = P_VALID_ENTITIES.matcher(s);
- while (m.find()) {
- final String one = m.group(1); //([^&;]*)
- final String two = m.group(2); //(?=(;|&|$))
- final String replacement = Matcher.quoteReplacement(checkEntity(one, two));
- m.appendReplacement(buf, replacement);
- }
- m.appendTail(buf);
- s = buf.toString();
-
- // validate quotes outside of tags
- buf = new StringBuffer();
- m = P_VALID_QUOTES.matcher(s);
- while (m.find()) {
- final String one = m.group(1); //(>|^)
- final String two = m.group(2); //([^<]+?)
- final String three = m.group(3); //(<|$)
- m.appendReplacement(buf, Matcher.quoteReplacement(one + regexReplace(P_QUOTE, """, two) + three));
- }
- m.appendTail(buf);
- s = buf.toString();
-
- return s;
- }
-
- private String checkEntity(final String preamble, final String term) {
-
- return ";".equals(term) && isValidEntity(preamble)
- ? '&' + preamble
- : "&" + preamble;
- }
-
- private boolean isValidEntity(final String entity) {
- return inArray(entity, vAllowedEntities);
- }
-
- private static boolean inArray(final String s, final String[] array) {
- for (String item : array) {
- if (item != null && item.equals(s)) {
- return true;
- }
- }
- return false;
- }
-
- private boolean allowed(final String name) {
- return (vAllowed.isEmpty() || vAllowed.containsKey(name)) && !inArray(name, vDisallowed);
- }
-
- private boolean allowedAttribute(final String name, final String paramName) {
- return allowed(name) && (vAllowed.isEmpty() || vAllowed.get(name).contains(paramName));
- }
-}
Copied: trunk/src/test/java/net/sf/xsshtmlfilter/HTMLFilterTest.java (from rev 13, trunk/src/test/java/net/sf/xsshttpfilter/HTMLFilterTest.java)
===================================================================
--- trunk/src/test/java/net/sf/xsshtmlfilter/HTMLFilterTest.java (rev 0)
+++ trunk/src/test/java/net/sf/xsshtmlfilter/HTMLFilterTest.java 2011-01-30 09:07:06 UTC (rev 22)
@@ -0,0 +1,191 @@
+package net.sf.xsshtmlfilter;
+
+import net.sf.xsshtmlfilter.HTMLFilter;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.is;
+
+/**
+ *
+ */
+public class HTMLFilterTest {
+ protected HTMLFilter vFilter;
+
+ @Before
+ public void setUp() {
+ vFilter = new HTMLFilter(true);
+ }
+
+ @After
+ public void tearDown() {
+ vFilter = null;
+ }
+
+ @Test
+ public void testBasics() {
+ assertThat(vFilter.filter(""), is(""));
+ assertThat(vFilter.filter("hello"), is("hello"));
+ }
+
+ @Test
+ public void testBalancingTags() {
+ assertThat(vFilter.filter("<b>hello"), is("<b>hello</b>"));
+ assertThat(vFilter.filter("<b>hello"), is("<b>hello</b>"));
+ assertThat(vFilter.filter("hello<b>"), is("hello"));
+ assertThat(vFilter.filter("hello</b>"), is("hello"));
+ assertThat(vFilter.filter("hello<b/>"), is("hello"));
+ assertThat(vFilter.filter("<b><b><b>hello"), is("<b><b><b>hello</b></b></b>"));
+ assertThat(vFilter.filter("</b><b>"), is(""));
+ }
+
+ @Test
+ public void testEndSlashes() {
+ assertThat(vFilter.filter("<img>"), is("<img />"));
+ assertThat(vFilter.filter("<img/>"), is("<img />"));
+ assertThat(vFilter.filter("<b/></b>"), is(""));
+ }
+
+ @Test
+ public void testBalancingAngleBrackets() {
+ if (vFilter.isAlwaysMakeTags()) {
+ assertThat(vFilter.filter("<img src=\"foo\""), is("<img src=\"foo\" />"));
+ assertThat(vFilter.filter("i>"), is(""));
+ assertThat(vFilter.filter("<img src=\"foo\"/"), is("<img src=\"foo\" />"));
+ assertThat(vFilter.filter(">"), is(""));
+ assertThat(vFilter.filter("foo<b"), is("foo"));
+ assertThat(vFilter.filter("b>foo"), is("<b>foo</b>"));
+ assertThat(vFilter.filter("><b"), is(""));
+ assertThat(vFilter.filter("b><"), is(""));
+ assertThat(vFilter.filter("><b>"), is(""));
+ } else {
+ assertThat(vFilter.filter("<img src=\"foo\""), is("<img src=\"foo\""));
+ assertThat(vFilter.filter("b>"), is("b>"));
+ assertThat(vFilter.filter("<img src=\"foo\"/"), is("<img src=\"foo\"/"));
+ assertThat(vFilter.filter(">"), is(">"));
+ assertThat(vFilter.filter("foo<b"), is("foo<b"));
+ assertThat(vFilter.filter("b>foo"), is("b>foo"));
+ assertThat(vFilter.filter("><b"), is("><b"));
+ assertThat(vFilter.filter("b><"), is("b><"));
+ assertThat(vFilter.filter("><b>"), is(">"));
+ }
+ }
+
+ @Test
+ public void testAttributes() {
+ assertThat(vFilter.filter("<img src=foo>"), is("<img src=\"foo\" />"));
+ assertThat(vFilter.filter("<img asrc=foo>"), is("<img />"));
+ assertThat(vFilter.filter("<img src=test test>"), is("<img src=\"test\" />"));
+ }
+
+ @Test
+ public void testDisallowScriptTags() {
+ assertThat(vFilter.filter("<script>"), is(""));
+ String result = vFilter.isAlwaysMakeTags() ? "" : "<script";
+ assertThat(vFilter.filter("<script"), is(result));
+ assertThat(vFilter.filter("<script/>"), is(""));
+ assertThat(vFilter.filter("</script>"), is(""));
+ assertThat(vFilter.filter("<script woo=yay>"), is(""));
+ assertThat(vFilter.filter("<script woo=\"yay\">"), is(""));
+ assertThat(vFilter.filter("<script woo=\"yay>"), is(""));
+ assertThat(vFilter.filter("<script woo=\"yay<b>"), is(""));
+ assertThat(vFilter.filter("<script<script>>"), is(""));
+ assertThat(vFilter.filter("<<script>script<script>>"), is("script"));
+ assertThat(vFilter.filter("<<script><script>>"), is(""));
+ assertThat(vFilter.filter("<<script>script>>"), is(""));
+ assertThat(vFilter.filter("<<script<script>>"), is(""));
+ }
+
+ @Test
+ public void testProtocols() {
+ assertThat(vFilter.filter("<a href=\"http://foo\">bar</a>"), is("<a href=\"http://foo\">bar</a>"));
+ // we don't allow ftp. t("<a href=\"ftp://foo\">bar</a>", "<a href=\"ftp://foo\">bar</a>");
+ assertThat(vFilter.filter("<a href=\"mailto:foo\">bar</a>"), is("<a href=\"mailto:foo\">bar</a>"));
+ assertThat(vFilter.filter("<a href=\"javascript:foo\">bar</a>"), is("<a href=\"#foo\">bar</a>"));
+ assertThat(vFilter.filter("<a href=\"java script:foo\">bar</a>"), is("<a href=\"#foo\">bar</a>"));
+ assertThat(vFilter.filter("<a href=\"java\tscript:foo\">bar</a>"), is("<a href=\"#foo\">bar</a>"));
+ assertThat(vFilter.filter("<a href=\"java\nscript:foo\">bar</a>"), is("<a href=\"#foo\">bar</a>"));
+ assertThat(vFilter.filter("<a href=\"java" + HTMLFilter.chr(1) + "script:foo\">bar</a>"), is("<a href=\"#foo\">bar</a>"));
+ assertThat(vFilter.filter("<a href=\"jscript:foo\">bar</a>"), is("<a href=\"#foo\">bar</a>"));
+ assertThat(vFilter.filter("<a href=\"vbscript:foo\">bar</a>"), is("<a href=\"#foo\">bar</a>"));
+ assertThat(vFilter.filter("<a href=\"view-source:foo\">bar</a>"), is("<a href=\"#foo\">bar</a>"));
+ }
+
+ @Test
+ public void testSelfClosingTags() {
+ assertThat(vFilter.filter("<img src=\"a\">"), is("<img src=\"a\" />"));
+ assertThat(vFilter.filter("<img src=\"a\">foo</img>"), is("<img src=\"a\" />foo"));
+ assertThat(vFilter.filter("</img>"), is(""));
+ }
+
+ @Test
+ public void testComments() {
+ if (vFilter.isStripComments()) {
+ assertThat(vFilter.filter("<!-- a<b --->"), is(""));
+ } else {
+ assertThat(vFilter.filter("<!-- a<b --->"), is("<!-- a<b --->"));
+ }
+ }
+
+ @Test
+ public void testEntities() {
+ assertThat(vFilter.filter(" "), is("&nbsp;"));
+ assertThat(vFilter.filter("&"), is("&"));
+ assertThat(vFilter.filter("test test"), is("test &nbsp; test"));
+ assertThat(vFilter.filter("test & test"), is("test & test"));
+ assertThat(vFilter.filter(" "), is("&nbsp;&nbsp;"));
+ assertThat(vFilter.filter("&&"), is("&&"));
+ assertThat(vFilter.filter("test test"), is("test &nbsp;&nbsp; test"));
+ assertThat(vFilter.filter("test && test"), is("test && test"));
+ assertThat(vFilter.filter("& "), is("&&nbsp;"));
+ assertThat(vFilter.filter("test & test"), is("test &&nbsp; test"));
+ }
+
+ @Test
+ public void testDollar() {
+ String text = "modeling & US MSRP $81.99, (Not Included)";
+ String result = "modeling & US MSRP $81.99, (Not Included)";
+
+ assertThat(vFilter.filter(text), is(result));
+ }
+
+ @Test
+ public void testBr() {
+ final Map<String, List<String>> allowed = new HashMap<String, List<String>>();
+ for(String allow : "span;br;b;strong;em;u;i".split("\\s*;\\s*")){
+ if(0 < allow.indexOf(':')){
+ final String name = allow.split(":")[0];
+ final String[] attributes = allow.split(":")[0].split("\\s*,\\s*");
+ allowed.put(name, Arrays.asList(attributes));
+ }else{
+ allowed.put(allow, Collections.<String>emptyList());
+ }
+ }
+
+ Map<String,Object> config = new HashMap<String,Object>(){{
+ put("vAllowed", allowed);
+ put("vSelfClosingTags", "img,br".split("\\s*,\\s*"));
+ put("vNeedClosingTags", "a,b,strong,i,em".split("\\s*,\\s*"));
+ put("vDisallowed", "".split("\\s*,\\s*"));
+ put("vAllowedProtocols", "src,href".split("\\s*,\\s*"));
+ put("vProtocolAtts", "".split("\\s*,\\s*"));
+ put("vRemoveBlanks", "a,b,strong,i,em".split("\\s*,\\s*"));
+ put("vAllowedEntities", "mdash,euro,quot,amp,lt,gt,nbsp,iexcl,cent,pound,curren,yen,brvbar,sect,uml,copy,ordf,laquo,not,shy,reg,macr,deg,plusmn,sup2,sup3,acute,micro,para,middot,cedil,sup1,ordm,raquo,frac14,frac12,frac34,iquest,Agrave,Aacute,Acirc,Atilde,Auml,Aring,AElig,Ccedil,Egrave,Eacute,Ecirc,Euml,Igrave,Iacute,Icirc,Iuml,ETH,Ntilde,Ograve,Oacute,Ocirc,Otilde,Ouml,times,Oslash,Ugrave,Uacute,Ucirc,Uuml,Yacute,THORN,szlig,agrave,aacute,acirc,atilde,auml,aring,aelig,ccedil,egrave,eacute,ecirc,euml,igrave,iacute,icirc,iuml,eth,ntilde,ograve,oacute,ocirc,otilde,ouml,divide,oslash,ugrave,uacute,ucirc,uuml,yacute,thorn,yuml,#34,#38,#60,#62,#160,#161,#162,#163,#164,#165,#166,#167,#168,#169,#170,#171,#172,#173,#174,#175,#176,#177,#178,#179,#180,#181,#182,#183,#184,#185,#186,#187,#188,#189,#190,#191,#192,#193,#194,#195,#196,#197,#198,#199,#200,#201,#202,#203,#204,#205,#206,#207,#208,#209,#210,#211,#212,#213,#214,#215,#216,#217,#218,#219,#220,#221,#222,#223,#224,#225,#226,#227,#228,#229,#230,#231,#232,#233,#234,#235,#236,#237,#238,#239,#240,#241,#242,#243,#244,#245,#246,#247,#248,#249,#250,#251,#252,#253,#254,#255".split("\\s*,\\s*"));
+ put("stripComment", Boolean.TRUE);
+ put("alwaysMakeTags", Boolean.TRUE);
+ }};
+
+ vFilter = new HTMLFilter(config);
+
+ assertThat(vFilter.filter("test <br> test <br>"), is("test <br /> test <br />"));
+ }
+
+}
Deleted: trunk/src/test/java/net/sf/xsshttpfilter/HTMLFilterTest.java
===================================================================
--- trunk/src/test/java/net/sf/xsshttpfilter/HTMLFilterTest.java 2010-09-22 19:22:34 UTC (rev 21)
+++ trunk/src/test/java/net/sf/xsshttpfilter/HTMLFilterTest.java 2011-01-30 09:07:06 UTC (rev 22)
@@ -1,190 +0,0 @@
-package net.sf.xsshttpfilter;
-
-import org.junit.After;
-import org.junit.Before;
-import org.junit.Test;
-
-import java.util.Arrays;
-import java.util.Collections;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-
-import static org.hamcrest.MatcherAssert.assertThat;
-import static org.hamcrest.Matchers.is;
-
-/**
- *
- */
-public class HTMLFilterTest {
- protected HTMLFilter vFilter;
-
- @Before
- public void setUp() {
- vFilter = new HTMLFilter(true);
- }
-
- @After
- public void tearDown() {
- vFilter = null;
- }
-
- @Test
- public void testBasics() {
- assertThat(vFilter.filter(""), is(""));
- assertThat(vFilter.filter("hello"), is("hello"));
- }
-
- @Test
- public void testBalancingTags() {
- assertThat(vFilter.filter("<b>hello"), is("<b>hello</b>"));
- assertThat(vFilter.filter("<b>hello"), is("<b>hello</b>"));
- assertThat(vFilter.filter("hello<b>"), is("hello"));
- assertThat(vFilter.filter("hello</b>"), is("hello"));
- assertThat(vFilter.filter("hello<b/>"), is("hello"));
- assertThat(vFilter.filter("<b><b><b>hello"), is("<b><b><b>hello</b></b></b>"));
- assertThat(vFilter.filter("</b><b>"), is(""));
- }
-
- @Test
- public void testEndSlashes() {
- assertThat(vFilter.filter("<img>"), is("<img />"));
- assertThat(vFilter.filter("<img/>"), is("<img />"));
- assertThat(vFilter.filter("<b/></b>"), is(""));
- }
-
- @Test
- public void testBalancingAngleBrackets() {
- if (vFilter.isAlwaysMakeTags()) {
- assertThat(vFilter.filter("<img src=\"foo\""), is("<img src=\"foo\" />"));
- assertThat(vFilter.filter("i>"), is(""));
- assertThat(vFilter.filter("<img src=\"foo\"/"), is("<img src=\"foo\" />"));
- assertThat(vFilter.filter(">"), is(""));
- assertThat(vFilter.filter("foo<b"), is("foo"));
- assertThat(vFilter.filter("b>foo"), is("<b>foo</b>"));
- assertThat(vFilter.filter("><b"), is(""));
- assertThat(vFilter.filter("b><"), is(""));
- assertThat(vFilter.filter("><b>"), is(""));
- } else {
- assertThat(vFilter.filter("<img src=\"foo\""), is("<img src=\"foo\""));
- assertThat(vFilter.filter("b>"), is("b>"));
- assertThat(vFilter.filter("<img src=\"foo\"/"), is("<img src=\"foo\"/"));
- assertThat(vFilter.filter(">"), is(">"));
- assertThat(vFilter.filter("foo<b"), is("foo<b"));
- assertThat(vFilter.filter("b>foo"), is("b>foo"));
- assertThat(vFilter.filter("><b"), is("><b"));
- assertThat(vFilter.filter("b><"), is("b><"));
- assertThat(vFilter.filter("><b>"), is(">"));
- }
- }
-
- @Test
- public void testAttributes() {
- assertThat(vFilter.filter("<img src=foo>"), is("<img src=\"foo\" />"));
- ...
[truncated message content] |
|
From: <mic...@us...> - 2010-09-22 19:22:40
|
Revision: 21
http://xss-http-filter.svn.sourceforge.net/xss-http-filter/?rev=21&view=rev
Author: micksembwever
Date: 2010-09-22 19:22:34 +0000 (Wed, 22 Sep 2010)
Log Message:
-----------
[maven-release-plugin] prepare for next development iteration
Modified Paths:
--------------
trunk/pom.xml
Modified: trunk/pom.xml
===================================================================
--- trunk/pom.xml 2010-09-22 19:22:26 UTC (rev 20)
+++ trunk/pom.xml 2010-09-22 19:22:34 UTC (rev 21)
@@ -2,7 +2,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>net.sf.xss-http-filter</groupId>
<artifactId>xss-http-filter</artifactId>
- <version>1.2</version>
+ <version>1.3-SNAPSHOT</version>
<packaging>jar</packaging>
<name>XSS HTTPFilter</name>
@@ -13,9 +13,9 @@
</description>
<scm>
- <connection>scm:svn:https://xss-http-filter.svn.sourceforge.net/svnroot/xss-http-filter/tags/xss-http-filter-1.2</connection>
- <developerConnection>scm:svn:https://xss-http-filter.svn.sourceforge.net/svnroot/xss-http-filter/tags/xss-http-filter-1.2</developerConnection>
- <url>http://xss-http-filter.svn.sourceforge.net/viewvc/xss-http-filter/tags/xss-http-filter-1.2</url>
+ <connection>scm:svn:https://xss-http-filter.svn.sourceforge.net/svnroot/xss-http-filter/trunk</connection>
+ <developerConnection>scm:svn:https://xss-http-filter.svn.sourceforge.net/svnroot/xss-http-filter/trunk</developerConnection>
+ <url>http://xss-http-filter.svn.sourceforge.net/viewvc/xss-http-filter/trunk/</url>
</scm>
<licenses>
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
|
From: <mic...@us...> - 2010-09-22 19:22:36
|
Revision: 20
http://xss-http-filter.svn.sourceforge.net/xss-http-filter/?rev=20&view=rev
Author: micksembwever
Date: 2010-09-22 19:22:26 +0000 (Wed, 22 Sep 2010)
Log Message:
-----------
[maven-release-plugin] copy for tag xss-http-filter-1.2
Added Paths:
-----------
tags/xss-http-filter-1.2/
tags/xss-http-filter-1.2/pom.xml
tags/xss-http-filter-1.2/src/main/java/net/sf/xsshttpfilter/HTMLFilter.java
tags/xss-http-filter-1.2/src/website/index.html
Removed Paths:
-------------
tags/xss-http-filter-1.2/pom.xml
tags/xss-http-filter-1.2/src/main/java/net/sf/xsshttpfilter/HTMLFilter.java
tags/xss-http-filter-1.2/src/website/index.html
Deleted: tags/xss-http-filter-1.2/pom.xml
===================================================================
--- trunk/pom.xml 2010-09-07 18:05:41 UTC (rev 13)
+++ tags/xss-http-filter-1.2/pom.xml 2010-09-22 19:22:26 UTC (rev 20)
@@ -1,250 +0,0 @@
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
- <modelVersion>4.0.0</modelVersion>
- <groupId>net.sf.xss-http-filter</groupId>
- <artifactId>xss-http-filter</artifactId>
- <version>1.2-SNAPSHOT</version>
- <packaging>jar</packaging>
- <name>XSS HTTPFilter</name>
-
-
- <description>
- A Java library for protecting against cross site scripting.
- Hosted at https://sourceforge.net/projects/xss-http-filter/
- </description>
-
- <scm>
- <connection>scm:svn:https://xss-http-filter.svn.sourceforge.net/svnroot/xss-http-filter/trunk</connection>
- <developerConnection>scm:svn:https://xss-http-filter.svn.sourceforge.net/svnroot/xss-http-filter/trunk</developerConnection>
- <url>http://xss-http-filter.svn.sourceforge.net/viewvc/xss-http-filter/trunk/</url>
- </scm>
-
- <licenses>
- <license>
- <name>LGPLv3</name>
- <url>LICENSE.txt</url>
- <distribution>manual</distribution>
- </license>
- </licenses>
-
-
- <issueManagement><url>http://sourceforge.net/tracker/?group_id=344527</url></issueManagement>
-
- <developers>
- <developer>
- <name>Cal Henderson</name>
- <url>http://www.iamcal.com/</url>
- </developer>
- <developer>
- <name>Joseph O'Connell</name>
- <url>http://josephoconnell.com/</url>
- </developer>
- <developer>
- <name>mck</name>
- <id>micksembwever</id>
- <email>mi...@se...</email>
- <url>http://semb.wever.org</url>
- </developer>
- </developers>
-
- <mailingLists>
- <mailingList>
- <name>User & Development List</name>
- <post>xss...@li...</post>
- <archive>http://sourceforge.net/mailarchive/forum.php?forum_name=xss-http-filter-user</archive>
- </mailingList>
- <mailingList>
- <name>Commit List</name>
- <archive>https://sourceforge.net/mailarchive/forum.php?forum_name=xss-http-filter-commits</archive>
- </mailingList>
- </mailingLists>
-
- <properties>
- <!-- java -->
- <version.jdk>1.6</version.jdk>
-
- </properties>
-
- <build>
- <plugins>
- <plugin>
- <groupId>org.apache.maven.plugins</groupId>
- <artifactId>maven-compiler-plugin</artifactId>
- <configuration>
- <source>${version.jdk}</source>
- <target>${version.jdk}</target>
- </configuration>
- </plugin>
- <plugin>
- <groupId>org.apache.maven.plugins</groupId>
- <artifactId>maven-source-plugin</artifactId>
- <version>2.1.1</version>
- <executions>
- <execution>
- <id>attach-sources</id>
- <goals>
- <goal>jar-no-fork</goal>
- <goal>test-jar-no-fork</goal>
- </goals>
- </execution>
- </executions>
- </plugin>
- </plugins>
- </build>
-
- <dependencies>
-
- <dependency>
- <groupId>junit</groupId>
- <artifactId>junit</artifactId>
- <version>4.7</version>
- <scope>test</scope>
- </dependency>
-
- <dependency>
- <groupId>org.hamcrest</groupId>
- <artifactId>hamcrest-all</artifactId>
- <version>1.1</version>
- <scope>test</scope>
- </dependency>
- </dependencies>
-
- <repositories>
- <repository>
- <id>xss-http-filter-releases</id>
- <name>xss-http-filter.sf.net releases</name>
- <url>http://xss-http-filter.sf.net/releases/</url>
- <releases>
- <enabled>true</enabled>
- </releases>
- <snapshots>
- <enabled>false</enabled>
- </snapshots>
- </repository>
- <repository>
- <id>finntech-snapshot</id>
- <name>xss-http-filter.sf.net snapshots</name>
- <url>http://xss-http-filter.sf.net/snapshots/</url>
- <releases>
- <enabled>false</enabled>
- </releases>
- <snapshots>
- <enabled>true</enabled>
- </snapshots>
- </repository>
- </repositories>
-
- <distributionManagement>
- <repository>
- <id>xss-http-filter-releases</id>
- <name>xss-http-filter.sf.net releases</name>
- <url>scp://shell.sourceforge.net:/home/groups/x/xs/xss-http-filter/htdocs/releases/</url>
- </repository>
- <snapshotRepository>
- <id>xss-http-filter-snapshots</id>
- <name>xss-http-filter.sf.net snapshots</name>
- <url>scp://shell.sourceforge.net:/home/groups/x/xs/xss-http-filter/htdocs/snapshots/</url>
- </snapshotRepository>
- <site>
- <id>xss-http-filter.sf.net</id>
- <url>scp://216.34.181.119/home/groups/x/xs/xss-http-filter/htdocs/site/</url>
- </site>
- </distributionManagement>
-
- <reporting>
- <plugins>
- <plugin>
- <groupId>org.apache.maven.plugins</groupId>
- <artifactId>maven-project-info-reports-plugin</artifactId>
- <version>2.1.2</version>
- <reportSets>
- <reportSet>
- <reports>
- <report>index</report>
- <report>dependencies</report>
- <report>dependency-convergence</report>
- <report>issue-tracking</report>
- <report>scm</report>
- <report>project-team</report>
- <report>summary</report>
- <report>cim</report>
- </reports>
- </reportSet>
- </reportSets>
- </plugin>
- <plugin>
- <groupId>org.codehaus.mojo</groupId>
- <artifactId>cobertura-maven-plugin</artifactId>
- <configuration>
- <formats>
- <format>html</format>
- <format>xml</format>
- </formats>
- </configuration>
- </plugin>
- <plugin>
- <artifactId>maven-javadoc-plugin</artifactId>
- <reportSets>
- <reportSet>
- <id>html</id>
- <configuration>
- <minmemory>128m</minmemory>
- <maxmemory>512m</maxmemory>
- <source>${version.jdk}</source>
- <docfilessubdirs>true</docfilessubdirs>
- <links>
- <link>http://java.sun.com/javase/6/docs/api/</link>
- <link>http://java.sun.com/javaee/5/docs/api/</link>
- </links>
- </configuration>
- <reports><report>javadoc</report></reports>
- </reportSet>
- </reportSets>
- </plugin>
- <plugin>
- <groupId>org.codehaus.mojo</groupId>
- <artifactId>findbugs-maven-plugin</artifactId>
- <configuration>
- <threshold>Normal</threshold>
- <xmlOutput>true</xmlOutput>
- <!-- Optional derectory to put findbugs xdoc xml report -->
- <xmlOutputDirectory>target/site</xmlOutputDirectory>
- </configuration>
- </plugin>
- <plugin>
- <groupId>org.codehaus.mojo</groupId>
- <artifactId>taglist-maven-plugin</artifactId>
- <configuration>
- <tags>
- <tag>TODO</tag>
- <tag>@todo</tag>
- <tag>FIXME</tag>
- <tag>XXX</tag>
- <tag>hack</tag>
- </tags>
- </configuration>
- </plugin>
- <plugin>
- <groupId>org.apache.maven.plugins</groupId>
- <artifactId>maven-jxr-plugin</artifactId>
- </plugin>
- <plugin>
- <groupId>org.apache.maven.plugins</groupId>
- <artifactId>maven-surefire-report-plugin</artifactId>
- </plugin>
- <plugin>
- <groupId>org.apache.maven.plugins</groupId>
- <artifactId>maven-pmd-plugin</artifactId>
- <configuration>
- <targetJdk>${version.jdk}</targetJdk>
- <rulesets>
- <ruleset>/rulesets/basic.xml</ruleset>
- <ruleset>/rulesets/imports.xml</ruleset>
- <ruleset>/rulesets/unusedcode.xml</ruleset>
- <ruleset>/rulesets/finalizers.xml</ruleset>
- </rulesets>
- </configuration>
- </plugin>
- </plugins>
- </reporting>
-
-</project>
Copied: tags/xss-http-filter-1.2/pom.xml (from rev 19, trunk/pom.xml)
===================================================================
--- tags/xss-http-filter-1.2/pom.xml (rev 0)
+++ tags/xss-http-filter-1.2/pom.xml 2010-09-22 19:22:26 UTC (rev 20)
@@ -0,0 +1,250 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+ <modelVersion>4.0.0</modelVersion>
+ <groupId>net.sf.xss-http-filter</groupId>
+ <artifactId>xss-http-filter</artifactId>
+ <version>1.2</version>
+ <packaging>jar</packaging>
+ <name>XSS HTTPFilter</name>
+
+
+ <description>
+ A Java library for protecting against cross site scripting.
+ Hosted at https://sourceforge.net/projects/xss-http-filter/
+ </description>
+
+ <scm>
+ <connection>scm:svn:https://xss-http-filter.svn.sourceforge.net/svnroot/xss-http-filter/tags/xss-http-filter-1.2</connection>
+ <developerConnection>scm:svn:https://xss-http-filter.svn.sourceforge.net/svnroot/xss-http-filter/tags/xss-http-filter-1.2</developerConnection>
+ <url>http://xss-http-filter.svn.sourceforge.net/viewvc/xss-http-filter/tags/xss-http-filter-1.2</url>
+ </scm>
+
+ <licenses>
+ <license>
+ <name>LGPLv3</name>
+ <url>LICENSE.txt</url>
+ <distribution>manual</distribution>
+ </license>
+ </licenses>
+
+
+ <issueManagement><url>http://sourceforge.net/tracker/?group_id=344527</url></issueManagement>
+
+ <developers>
+ <developer>
+ <name>Cal Henderson</name>
+ <url>http://www.iamcal.com/</url>
+ </developer>
+ <developer>
+ <name>Joseph O'Connell</name>
+ <url>http://josephoconnell.com/</url>
+ </developer>
+ <developer>
+ <name>mck</name>
+ <id>micksembwever</id>
+ <email>mi...@se...</email>
+ <url>http://semb.wever.org</url>
+ </developer>
+ </developers>
+
+ <mailingLists>
+ <mailingList>
+ <name>User & Development List</name>
+ <post>xss...@li...</post>
+ <archive>http://sourceforge.net/mailarchive/forum.php?forum_name=xss-http-filter-user</archive>
+ </mailingList>
+ <mailingList>
+ <name>Commit List</name>
+ <archive>https://sourceforge.net/mailarchive/forum.php?forum_name=xss-http-filter-commits</archive>
+ </mailingList>
+ </mailingLists>
+
+ <properties>
+ <!-- java -->
+ <version.jdk>1.6</version.jdk>
+
+ </properties>
+
+ <build>
+ <plugins>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-compiler-plugin</artifactId>
+ <configuration>
+ <source>${version.jdk}</source>
+ <target>${version.jdk}</target>
+ </configuration>
+ </plugin>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-source-plugin</artifactId>
+ <version>2.1.1</version>
+ <executions>
+ <execution>
+ <id>attach-sources</id>
+ <goals>
+ <goal>jar-no-fork</goal>
+ <goal>test-jar-no-fork</goal>
+ </goals>
+ </execution>
+ </executions>
+ </plugin>
+ </plugins>
+ </build>
+
+ <dependencies>
+
+ <dependency>
+ <groupId>junit</groupId>
+ <artifactId>junit</artifactId>
+ <version>4.7</version>
+ <scope>test</scope>
+ </dependency>
+
+ <dependency>
+ <groupId>org.hamcrest</groupId>
+ <artifactId>hamcrest-all</artifactId>
+ <version>1.1</version>
+ <scope>test</scope>
+ </dependency>
+ </dependencies>
+
+ <repositories>
+ <repository>
+ <id>xss-http-filter-releases</id>
+ <name>xss-http-filter.sf.net releases</name>
+ <url>http://xss-http-filter.sf.net/releases/</url>
+ <releases>
+ <enabled>true</enabled>
+ </releases>
+ <snapshots>
+ <enabled>false</enabled>
+ </snapshots>
+ </repository>
+ <repository>
+ <id>finntech-snapshot</id>
+ <name>xss-http-filter.sf.net snapshots</name>
+ <url>http://xss-http-filter.sf.net/snapshots/</url>
+ <releases>
+ <enabled>false</enabled>
+ </releases>
+ <snapshots>
+ <enabled>true</enabled>
+ </snapshots>
+ </repository>
+ </repositories>
+
+ <distributionManagement>
+ <repository>
+ <id>xss-http-filter-releases</id>
+ <name>xss-http-filter.sf.net releases</name>
+ <url>scp://shell.sourceforge.net:/home/groups/x/xs/xss-http-filter/htdocs/releases/</url>
+ </repository>
+ <snapshotRepository>
+ <id>xss-http-filter-snapshots</id>
+ <name>xss-http-filter.sf.net snapshots</name>
+ <url>scp://shell.sourceforge.net:/home/groups/x/xs/xss-http-filter/htdocs/snapshots/</url>
+ </snapshotRepository>
+ <site>
+ <id>xss-http-filter.sf.net</id>
+ <url>scp://216.34.181.119/home/groups/x/xs/xss-http-filter/htdocs/site/</url>
+ </site>
+ </distributionManagement>
+
+ <reporting>
+ <plugins>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-project-info-reports-plugin</artifactId>
+ <version>2.1.2</version>
+ <reportSets>
+ <reportSet>
+ <reports>
+ <report>index</report>
+ <report>dependencies</report>
+ <report>dependency-convergence</report>
+ <report>issue-tracking</report>
+ <report>scm</report>
+ <report>project-team</report>
+ <report>summary</report>
+ <report>cim</report>
+ </reports>
+ </reportSet>
+ </reportSets>
+ </plugin>
+ <plugin>
+ <groupId>org.codehaus.mojo</groupId>
+ <artifactId>cobertura-maven-plugin</artifactId>
+ <configuration>
+ <formats>
+ <format>html</format>
+ <format>xml</format>
+ </formats>
+ </configuration>
+ </plugin>
+ <plugin>
+ <artifactId>maven-javadoc-plugin</artifactId>
+ <reportSets>
+ <reportSet>
+ <id>html</id>
+ <configuration>
+ <minmemory>128m</minmemory>
+ <maxmemory>512m</maxmemory>
+ <source>${version.jdk}</source>
+ <docfilessubdirs>true</docfilessubdirs>
+ <links>
+ <link>http://java.sun.com/javase/6/docs/api/</link>
+ <link>http://java.sun.com/javaee/5/docs/api/</link>
+ </links>
+ </configuration>
+ <reports><report>javadoc</report></reports>
+ </reportSet>
+ </reportSets>
+ </plugin>
+ <plugin>
+ <groupId>org.codehaus.mojo</groupId>
+ <artifactId>findbugs-maven-plugin</artifactId>
+ <configuration>
+ <threshold>Normal</threshold>
+ <xmlOutput>true</xmlOutput>
+ <!-- Optional derectory to put findbugs xdoc xml report -->
+ <xmlOutputDirectory>target/site</xmlOutputDirectory>
+ </configuration>
+ </plugin>
+ <plugin>
+ <groupId>org.codehaus.mojo</groupId>
+ <artifactId>taglist-maven-plugin</artifactId>
+ <configuration>
+ <tags>
+ <tag>TODO</tag>
+ <tag>@todo</tag>
+ <tag>FIXME</tag>
+ <tag>XXX</tag>
+ <tag>hack</tag>
+ </tags>
+ </configuration>
+ </plugin>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-jxr-plugin</artifactId>
+ </plugin>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-surefire-report-plugin</artifactId>
+ </plugin>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-pmd-plugin</artifactId>
+ <configuration>
+ <targetJdk>${version.jdk}</targetJdk>
+ <rulesets>
+ <ruleset>/rulesets/basic.xml</ruleset>
+ <ruleset>/rulesets/imports.xml</ruleset>
+ <ruleset>/rulesets/unusedcode.xml</ruleset>
+ <ruleset>/rulesets/finalizers.xml</ruleset>
+ </rulesets>
+ </configuration>
+ </plugin>
+ </plugins>
+ </reporting>
+
+</project>
Deleted: tags/xss-http-filter-1.2/src/main/java/net/sf/xsshttpfilter/HTMLFilter.java
===================================================================
--- trunk/src/main/java/net/sf/xsshttpfilter/HTMLFilter.java 2010-09-07 18:05:41 UTC (rev 13)
+++ tags/xss-http-filter-1.2/src/main/java/net/sf/xsshttpfilter/HTMLFilter.java 2010-09-22 19:22:26 UTC (rev 20)
@@ -1,509 +0,0 @@
-package net.sf.xsshttpfilter;
-
-import java.util.ArrayList;
-import java.util.Collections;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-import java.util.logging.Logger;
-import java.util.regex.Matcher;
-import java.util.regex.Pattern;
-
-/**
- *
- * HTML filtering utility for protecting against XSS (Cross Site Scripting).
- *
- * This code is licensed LGPLv3
- *
- * This code is a Java port of the original work in PHP by Cal Hendersen.
- * http://code.iamcal.com/php/lib_filter/
- *
- * The trickiest part of the translation was handling the differences in regex handling
- * between PHP and Java. These resources were helpful in the process:
- *
- * http://java.sun.com/j2se/1.4.2/docs/api/java/util/regex/Pattern.html
- * http://us2.php.net/manual/en/reference.pcre.pattern.modifiers.php
- * http://www.regular-expressions.info/modifiers.html
- *
- * A note on naming conventions: instance variables are prefixed with a "v"; global
- * constants are in all caps.
- *
- * Sample use:
- * String input = ...
- * String clean = new HTMLInputFilter().filter( input );
- *
- * The class is not thread safe. Create a new instance if in doubt.
- *
- * If you find bugs or have suggestions on improvement (especially regarding
- * performance), please contact us. The latest version of this
- * source, and our contact details, can be found at http://xss-html-filter.sf.net
- *
- * @author Joseph O'Connell
- * @author Cal Hendersen
- */
-public final class HTMLFilter {
-
- /** regex flag union representing /si modifiers in php **/
- private static final int REGEX_FLAGS_SI = Pattern.CASE_INSENSITIVE | Pattern.DOTALL;
- private static final Pattern P_COMMENTS = Pattern.compile("<!--(.*?)-->", Pattern.DOTALL);
- private static final Pattern P_COMMENT = Pattern.compile("^!--(.*)--$", REGEX_FLAGS_SI);
- private static final Pattern P_TAGS = Pattern.compile("<(.*?)>", Pattern.DOTALL);
- private static final Pattern P_END_TAG = Pattern.compile("^/([a-z0-9]+)", REGEX_FLAGS_SI);
- private static final Pattern P_START_TAG = Pattern.compile("^([a-z0-9]+)(.*?)(/?)$", REGEX_FLAGS_SI);
- private static final Pattern P_QUOTED_ATTRIBUTES = Pattern.compile("([a-z0-9]+)=([\"'])(.*?)\\2", REGEX_FLAGS_SI);
- private static final Pattern P_UNQUOTED_ATTRIBUTES = Pattern.compile("([a-z0-9]+)(=)([^\"\\s']+)", REGEX_FLAGS_SI);
- private static final Pattern P_PROTOCOL = Pattern.compile("^([^:]+):", REGEX_FLAGS_SI);
- private static final Pattern P_ENTITY = Pattern.compile("&#(\\d+);?");
- private static final Pattern P_ENTITY_UNICODE = Pattern.compile("&#x([0-9a-f]+);?");
- private static final Pattern P_ENCODE = Pattern.compile("%([0-9a-f]{2});?");
- private static final Pattern P_VALID_ENTITIES = Pattern.compile("&([^&;]*)(?=(;|&|$))");
- private static final Pattern P_VALID_QUOTES = Pattern.compile("(>|^)([^<]+?)(<|$)", Pattern.DOTALL);
- private static final Pattern P_END_ARROW = Pattern.compile("^>");
- private static final Pattern P_BODY_TO_END = Pattern.compile("<([^>]*?)(?=<|$)");
- private static final Pattern P_XML_CONTENT = Pattern.compile("(^|>)([^<]*?)(?=>)");
- private static final Pattern P_STRAY_LEFT_ARROW = Pattern.compile("<([^>]*?)(?=<|$)");
- private static final Pattern P_STRAY_RIGHT_ARROW = Pattern.compile("(^|>)([^<]*?)(?=>)");
- /** set of allowed html elements, along with allowed attributes for each element **/
- private final Map<String, List<String>> vAllowed;
- /** counts of open tags for each (allowable) html element **/
- private final Map<String, Integer> vTagCounts = new HashMap<String, Integer>();
-
- /** html elements which must always be self-closing (e.g. "<img />") **/
- private final String[] vSelfClosingTags;
- /** html elements which must always have separate opening and closing tags (e.g. "<b></b>") **/
- private final String[] vNeedClosingTags;
- /** set of disallowed html elements **/
- private final String[] vDisallowed;
- /** attributes which should be checked for valid protocols **/
- private final String[] vProtocolAtts;
- /** allowed protocols **/
- private final String[] vAllowedProtocols;
- /** tags which should be removed if they contain no content (e.g. "<b></b>" or "<b />") **/
- private final String[] vRemoveBlanks;
- /** entities allowed within html markup **/
- private final String[] vAllowedEntities;
- /** flag determining whether comments are allowed in input String. */
- private final boolean stripComment;
- private boolean vDebug = false;
- /**
- * flag determining whether to try to make tags when presented with "unbalanced"
- * angle brackets (e.g. "<b text </b>" becomes "<b> text </b>"). If set to false,
- * unbalanced angle brackets will be html escaped.
- */
- private final boolean alwaysMakeTags;
-
- /** Default constructor.
- *
- */
- public HTMLFilter() {
- vAllowed = new HashMap<String, List<String>>();
-
- final ArrayList<String> a_atts = new ArrayList<String>();
- a_atts.add("href");
- a_atts.add("target");
- vAllowed.put("a", a_atts);
-
- final ArrayList<String> img_atts = new ArrayList<String>();
- img_atts.add("src");
- img_atts.add("width");
- img_atts.add("height");
- img_atts.add("alt");
- vAllowed.put("img", img_atts);
-
- final ArrayList<String> no_atts = new ArrayList<String>();
- vAllowed.put("b", no_atts);
- vAllowed.put("strong", no_atts);
- vAllowed.put("i", no_atts);
- vAllowed.put("em", no_atts);
-
- vSelfClosingTags = new String[]{"img"};
- vNeedClosingTags = new String[]{"a", "b", "strong", "i", "em"};
- vDisallowed = new String[]{};
- vAllowedProtocols = new String[]{"http", "mailto"}; // no ftp.
- vProtocolAtts = new String[]{"src", "href"};
- vRemoveBlanks = new String[]{"a", "b", "strong", "i", "em"};
- vAllowedEntities = new String[]{"amp", "gt", "lt", "quot"};
- stripComment = true;
- alwaysMakeTags = true;
- }
-
- /** Set debug flag to true. Otherwise use default settings. See the default constructor.
- *
- * @param debug turn debug on with a true argument
- */
- public HTMLFilter(final boolean debug) {
- this();
- vDebug = debug;
-
- }
-
- /** Map-parameter configurable constructor.
- *
- * @param configuration map containing configuration. keys match field names.
- */
- public HTMLFilter(final Map<String,Object> configuration) {
-
- assert configuration.containsKey("vAllowed") : "configuration requires vAllowed";
- assert configuration.containsKey("vSelfClosingTags") : "configuration requires vSelfClosingTags";
- assert configuration.containsKey("vNeedClosingTags") : "configuration requires vNeedClosingTags";
- assert configuration.containsKey("vDisallowed") : "configuration requires vDisallowed";
- assert configuration.containsKey("vAllowedProtocols") : "configuration requires vAllowedProtocols";
- assert configuration.containsKey("vProtocolAtts") : "configuration requires vProtocolAtts";
- assert configuration.containsKey("vRemoveBlanks") : "configuration requires vRemoveBlanks";
- assert configuration.containsKey("vAllowedEntities") : "configuration requires vAllowedEntities";
- assert configuration.containsKey("stripComment") : "configuration requires stripComment";
- assert configuration.containsKey("alwaysMakeTags") : "configuration requires alwaysMakeTags";
-
- vAllowed = Collections.unmodifiableMap((HashMap<String, List<String>>) configuration.get("vAllowed"));
- vSelfClosingTags = (String[]) configuration.get("vSelfClosingTags");
- vNeedClosingTags = (String[]) configuration.get("vNeedClosingTags");
- vDisallowed = (String[]) configuration.get("vDisallowed");
- vAllowedProtocols = (String[]) configuration.get("vAllowedProtocols");
- vProtocolAtts = (String[]) configuration.get("vProtocolAtts");
- vRemoveBlanks = (String[]) configuration.get("vRemoveBlanks");
- vAllowedEntities = (String[]) configuration.get("vAllowedEntities");
- stripComment = (Boolean) configuration.get("stripComment");
- alwaysMakeTags = (Boolean) configuration.get("alwaysMakeTags");
- }
-
- private void reset() {
- vTagCounts.clear();
- }
-
- private void debug(final String msg) {
- if (vDebug) {
- Logger.getAnonymousLogger().info(msg);
- }
- }
-
- //---------------------------------------------------------------
- // my versions of some PHP library functions
- public static String chr(final int decimal) {
- return String.valueOf((char) decimal);
- }
-
- public static String htmlSpecialChars(final String s) {
- return s.replaceAll("&", "&").replaceAll("\"", """).replaceAll("<", "<").replaceAll(">", ">");
- }
-
- //---------------------------------------------------------------
- /**
- * given a user submitted input String, filter out any invalid or restricted
- * html.
- *
- * @param input text (i.e. submitted by a user) than may contain html
- * @return "clean" version of input, with only valid, whitelisted html elements allowed
- */
- public String filter(final String input) {
- reset();
- String s = input;
-
- debug("************************************************");
- debug(" INPUT: " + input);
-
- s = escapeComments(s);
- debug(" escapeComments: " + s);
-
- s = balanceHTML(s);
- debug(" balanceHTML: " + s);
-
- s = checkTags(s);
- debug(" checkTags: " + s);
-
- s = processRemoveBlanks(s);
- debug("processRemoveBlanks: " + s);
-
- s = validateEntities(s);
- debug(" validateEntites: " + s);
-
- debug("************************************************\n\n");
- return s;
- }
-
- public boolean isAlwaysMakeTags(){
- return alwaysMakeTags;
- }
-
- public boolean isStripComments(){
- return stripComment;
- }
-
- private String escapeComments(final String s) {
- final Matcher m = P_COMMENTS.matcher(s);
- final StringBuffer buf = new StringBuffer();
- if (m.find()) {
- final String match = m.group(1); //(.*?)
- m.appendReplacement(buf, "<!--" + htmlSpecialChars(match) + "-->");
- }
- m.appendTail(buf);
-
- return buf.toString();
- }
-
- private String balanceHTML(String s) {
- if (alwaysMakeTags) {
- //
- // try and form html
- //
- s = regexReplace(P_END_ARROW, "", s);
- s = regexReplace(P_BODY_TO_END, "<$1>", s);
- s = regexReplace(P_XML_CONTENT, "$1<$2", s);
-
- } else {
- //
- // escape stray brackets
- //
- s = regexReplace(P_STRAY_LEFT_ARROW, "<$1", s);
- s = regexReplace(P_STRAY_RIGHT_ARROW, "$1$2><", s);
-
- //
- // the last regexp causes '<>' entities to appear
- // (we need to do a lookahead assertion so that the last bracket can
- // be used in the next pass of the regexp)
- //
- s = s.replaceAll("<>", "");
- }
-
- return s;
- }
-
- private String checkTags(String s) {
- Matcher m = P_TAGS.matcher(s);
-
- final StringBuffer buf = new StringBuffer();
- while (m.find()) {
- String replaceStr = m.group(1);
- replaceStr = processTag(replaceStr);
- m.appendReplacement(buf, replaceStr);
- }
- m.appendTail(buf);
-
- s = buf.toString();
-
- // these get tallied in processTag
- // (remember to reset before subsequent calls to filter method)
- for (String key : vTagCounts.keySet()) {
- for (int ii = 0; ii < vTagCounts.get(key); ii++) {
- s += "</" + key + ">";
- }
- }
-
- return s;
- }
-
- private String processRemoveBlanks(String s) {
- for (String tag : vRemoveBlanks) {
- s = regexReplace("<" + tag + "(\\s[^>]*)?></" + tag + ">", "", s);
- s = regexReplace("<" + tag + "(\\s[^>]*)?/>", "", s);
- }
-
- return s;
- }
-
- private String regexReplace(final String regex_pattern, final String replacement, final String s) {
- return regexReplace(Pattern.compile(regex_pattern), replacement, s);
- }
-
- private String regexReplace(final Pattern regex_pattern, final String replacement, final String s) {
- Matcher m = regex_pattern.matcher(s);
- return m.replaceAll(replacement);
- }
-
- private String processTag(final String s) {
- // ending tags
- Matcher m = P_END_TAG.matcher(s);
- if (m.find()) {
- final String name = m.group(1).toLowerCase();
- if (allowed(name)) {
- if (!inArray(name, vSelfClosingTags)) {
- if (vTagCounts.containsKey(name)) {
- vTagCounts.put(name, vTagCounts.get(name) - 1);
- return "</" + name + ">";
- }
- }
- }
- }
-
- // starting tags
- m = P_START_TAG.matcher(s);
- if (m.find()) {
- final String name = m.group(1).toLowerCase();
- final String body = m.group(2);
- String ending = m.group(3);
-
- //debug( "in a starting tag, name='" + name + "'; body='" + body + "'; ending='" + ending + "'" );
- if (allowed(name)) {
- String params = "";
-
- final Matcher m2 = P_QUOTED_ATTRIBUTES.matcher(body);
- final Matcher m3 = P_UNQUOTED_ATTRIBUTES.matcher(body);
- final List<String> paramNames = new ArrayList<String>();
- final List<String> paramValues = new ArrayList<String>();
- while (m2.find()) {
- paramNames.add(m2.group(1)); //([a-z0-9]+)
- paramValues.add(m2.group(3)); //(.*?)
- }
- while (m3.find()) {
- paramNames.add(m3.group(1)); //([a-z0-9]+)
- paramValues.add(m3.group(3)); //([^\"\\s']+)
- }
-
- String paramName, paramValue;
- for (int ii = 0; ii < paramNames.size(); ii++) {
- paramName = paramNames.get(ii).toLowerCase();
- paramValue = paramValues.get(ii);
-
-// debug( "paramName='" + paramName + "'" );
-// debug( "paramValue='" + paramValue + "'" );
-// debug( "allowed? " + vAllowed.get( name ).contains( paramName ) );
-
- if (allowedAttribute(name, paramName)) {
- if (inArray(paramName, vProtocolAtts)) {
- paramValue = processParamProtocol(paramValue);
- }
- params += " " + paramName + "=\"" + paramValue + "\"";
- }
- }
-
- if (inArray(name, vSelfClosingTags)) {
- ending = " /";
- }
-
- if (inArray(name, vNeedClosingTags)) {
- ending = "";
- }
-
- if (ending == null || ending.length() < 1) {
- if (vTagCounts.containsKey(name)) {
- vTagCounts.put(name, vTagCounts.get(name) + 1);
- } else {
- vTagCounts.put(name, 1);
- }
- } else {
- ending = " /";
- }
- return "<" + name + params + ending + ">";
- } else {
- return "";
- }
- }
-
- // comments
- m = P_COMMENT.matcher(s);
- if (!stripComment && m.find()) {
- return "<" + m.group() + ">";
- }
-
- return "";
- }
-
- private String processParamProtocol(String s) {
- s = decodeEntities(s);
- final Matcher m = P_PROTOCOL.matcher(s);
- if (m.find()) {
- final String protocol = m.group(1);
- if (!inArray(protocol, vAllowedProtocols)) {
- // bad protocol, turn into local anchor link instead
- s = "#" + s.substring(protocol.length() + 1, s.length());
- if (s.startsWith("#//")) {
- s = "#" + s.substring(3, s.length());
- }
- }
- }
-
- return s;
- }
-
- private String decodeEntities(String s) {
- StringBuffer buf = new StringBuffer();
-
- Matcher m = P_ENTITY.matcher(s);
- while (m.find()) {
- final String match = m.group(1);
- final int decimal = Integer.decode(match).intValue();
- m.appendReplacement(buf, chr(decimal));
- }
- m.appendTail(buf);
- s = buf.toString();
-
- buf = new StringBuffer();
- m = P_ENTITY_UNICODE.matcher(s);
- while (m.find()) {
- final String match = m.group(1);
- final int decimal = Integer.valueOf(match, 16).intValue();
- m.appendReplacement(buf, chr(decimal));
- }
- m.appendTail(buf);
- s = buf.toString();
-
- buf = new StringBuffer();
- m = P_ENCODE.matcher(s);
- while (m.find()) {
- final String match = m.group(1);
- final int decimal = Integer.valueOf(match, 16).intValue();
- m.appendReplacement(buf, chr(decimal));
- }
- m.appendTail(buf);
- s = buf.toString();
-
- s = validateEntities(s);
- return s;
- }
-
- private String validateEntities(String s) {
- StringBuffer buf = new StringBuffer();
-
- // validate entities throughout the string
- Matcher m = P_VALID_ENTITIES.matcher(s);
- while (m.find()) {
- final String one = m.group(1); //([^&;]*)
- final String two = m.group(2); //(?=(;|&|$))
- final String replacement = Matcher.quoteReplacement(checkEntity(one, two));
- m.appendReplacement(buf, replacement);
- }
- m.appendTail(buf);
- s = buf.toString();
-
- // validate quotes outside of tags
- buf = new StringBuffer();
- m = P_VALID_QUOTES.matcher(s);
- while (m.find()) {
- final String one = m.group(1); //(>|^)
- final String two = m.group(2); //([^<]+?)
- final String three = m.group(3); //(<|$)
- m.appendReplacement(buf, Matcher.quoteReplacement(one + two.replaceAll("\"", """) + three));
- }
- m.appendTail(buf);
- s = buf.toString();
-
- return s;
- }
-
- private String checkEntity(final String preamble, final String term) {
-
- return ";".equals(term) && isValidEntity(preamble)
- ? '&' + preamble
- : "&" + preamble;
- }
-
- private boolean isValidEntity(final String entity) {
- return inArray(entity, vAllowedEntities);
- }
-
- private boolean inArray(final String s, final String[] array) {
- for (String item : array) {
- if (item != null && item.equals(s)) {
- return true;
- }
- }
- return false;
- }
-
- private boolean allowed(final String name) {
- return (vAllowed.isEmpty() || vAllowed.containsKey(name)) && !inArray(name, vDisallowed);
- }
-
- private boolean allowedAttribute(final String name, final String paramName) {
- return allowed(name) && (vAllowed.isEmpty() || vAllowed.get(name).contains(paramName));
- }
-}
Copied: tags/xss-http-filter-1.2/src/main/java/net/sf/xsshttpfilter/HTMLFilter.java (from rev 18, trunk/src/main/java/net/sf/xsshttpfilter/HTMLFilter.java)
===================================================================
--- tags/xss-http-filter-1.2/src/main/java/net/sf/xsshttpfilter/HTMLFilter.java (rev 0)
+++ tags/xss-http-filter-1.2/src/main/java/net/sf/xsshttpfilter/HTMLFilter.java 2010-09-22 19:22:26 UTC (rev 20)
@@ -0,0 +1,529 @@
+package net.sf.xsshttpfilter;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.concurrent.ConcurrentHashMap;
+import java.util.concurrent.ConcurrentMap;
+import java.util.logging.Logger;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+/**
+ *
+ * HTML filtering utility for protecting against XSS (Cross Site Scripting).
+ *
+ * This code is licensed LGPLv3
+ *
+ * This code is a Java port of the original work in PHP by Cal Hendersen.
+ * http://code.iamcal.com/php/lib_filter/
+ *
+ * The trickiest part of the translation was handling the differences in regex handling
+ * between PHP and Java. These resources were helpful in the process:
+ *
+ * http://java.sun.com/j2se/1.4.2/docs/api/java/util/regex/Pattern.html
+ * http://us2.php.net/manual/en/reference.pcre.pattern.modifiers.php
+ * http://www.regular-expressions.info/modifiers.html
+ *
+ * A note on naming conventions: instance variables are prefixed with a "v"; global
+ * constants are in all caps.
+ *
+ * Sample use:
+ * String input = ...
+ * String clean = new HTMLInputFilter().filter( input );
+ *
+ * The class is not thread safe. Create a new instance if in doubt.
+ *
+ * If you find bugs or have suggestions on improvement (especially regarding
+ * performance), please contact us. The latest version of this
+ * source, and our contact details, can be found at http://xss-html-filter.sf.net
+ *
+ * @author Joseph O'Connell
+ * @author Cal Hendersen
+ */
+public final class HTMLFilter {
+
+ /** regex flag union representing /si modifiers in php **/
+ private static final int REGEX_FLAGS_SI = Pattern.CASE_INSENSITIVE | Pattern.DOTALL;
+ private static final Pattern P_COMMENTS = Pattern.compile("<!--(.*?)-->", Pattern.DOTALL);
+ private static final Pattern P_COMMENT = Pattern.compile("^!--(.*)--$", REGEX_FLAGS_SI);
+ private static final Pattern P_TAGS = Pattern.compile("<(.*?)>", Pattern.DOTALL);
+ private static final Pattern P_END_TAG = Pattern.compile("^/([a-z0-9]+)", REGEX_FLAGS_SI);
+ private static final Pattern P_START_TAG = Pattern.compile("^([a-z0-9]+)(.*?)(/?)$", REGEX_FLAGS_SI);
+ private static final Pattern P_QUOTED_ATTRIBUTES = Pattern.compile("([a-z0-9]+)=([\"'])(.*?)\\2", REGEX_FLAGS_SI);
+ private static final Pattern P_UNQUOTED_ATTRIBUTES = Pattern.compile("([a-z0-9]+)(=)([^\"\\s']+)", REGEX_FLAGS_SI);
+ private static final Pattern P_PROTOCOL = Pattern.compile("^([^:]+):", REGEX_FLAGS_SI);
+ private static final Pattern P_ENTITY = Pattern.compile("&#(\\d+);?");
+ private static final Pattern P_ENTITY_UNICODE = Pattern.compile("&#x([0-9a-f]+);?");
+ private static final Pattern P_ENCODE = Pattern.compile("%([0-9a-f]{2});?");
+ private static final Pattern P_VALID_ENTITIES = Pattern.compile("&([^&;]*)(?=(;|&|$))");
+ private static final Pattern P_VALID_QUOTES = Pattern.compile("(>|^)([^<]+?)(<|$)", Pattern.DOTALL);
+ private static final Pattern P_END_ARROW = Pattern.compile("^>");
+ private static final Pattern P_BODY_TO_END = Pattern.compile("<([^>]*?)(?=<|$)");
+ private static final Pattern P_XML_CONTENT = Pattern.compile("(^|>)([^<]*?)(?=>)");
+ private static final Pattern P_STRAY_LEFT_ARROW = Pattern.compile("<([^>]*?)(?=<|$)");
+ private static final Pattern P_STRAY_RIGHT_ARROW = Pattern.compile("(^|>)([^<]*?)(?=>)");
+ private static final Pattern P_AMP = Pattern.compile("&");
+ private static final Pattern P_QUOTE = Pattern.compile("\"");
+ private static final Pattern P_LEFT_ARROW = Pattern.compile("<");
+ private static final Pattern P_RIGHT_ARROW = Pattern.compile(">");
+ private static final Pattern P_BOTH_ARROWS = Pattern.compile("<>");
+
+ // @xxx could grow large... maybe use sesat's ReferenceMap
+ private static final ConcurrentMap<String,Pattern> P_REMOVE_PAIR_BLANKS = new ConcurrentHashMap<String, Pattern>();
+ private static final ConcurrentMap<String,Pattern> P_REMOVE_SELF_BLANKS = new ConcurrentHashMap<String, Pattern>();
+
+ /** set of allowed html elements, along with allowed attributes for each element **/
+ private final Map<String, List<String>> vAllowed;
+ /** counts of open tags for each (allowable) html element **/
+ private final Map<String, Integer> vTagCounts = new HashMap<String, Integer>();
+
+ /** html elements which must always be self-closing (e.g. "<img />") **/
+ private final String[] vSelfClosingTags;
+ /** html elements which must always have separate opening and closing tags (e.g. "<b></b>") **/
+ private final String[] vNeedClosingTags;
+ /** set of disallowed html elements **/
+ private final String[] vDisallowed;
+ /** attributes which should be checked for valid protocols **/
+ private final String[] vProtocolAtts;
+ /** allowed protocols **/
+ private final String[] vAllowedProtocols;
+ /** tags which should be removed if they contain no content (e.g. "<b></b>" or "<b />") **/
+ private final String[] vRemoveBlanks;
+ /** entities allowed within html markup **/
+ private final String[] vAllowedEntities;
+ /** flag determining whether comments are allowed in input String. */
+ private final boolean stripComment;
+ private boolean vDebug = false;
+ /**
+ * flag determining whether to try to make tags when presented with "unbalanced"
+ * angle brackets (e.g. "<b text </b>" becomes "<b> text </b>"). If set to false,
+ * unbalanced angle brackets will be html escaped.
+ */
+ private final boolean alwaysMakeTags;
+
+ /** Default constructor.
+ *
+ */
+ public HTMLFilter() {
+ vAllowed = new HashMap<String, List<String>>();
+
+ final ArrayList<String> a_atts = new ArrayList<String>();
+ a_atts.add("href");
+ a_atts.add("target");
+ vAllowed.put("a", a_atts);
+
+ final ArrayList<String> img_atts = new ArrayList<String>();
+ img_atts.add("src");
+ img_atts.add("width");
+ img_atts.add("height");
+ img_atts.add("alt");
+ vAllowed.put("img", img_atts);
+
+ final ArrayList<String> no_atts = new ArrayList<String>();
+ vAllowed.put("b", no_atts);
+ vAllowed.put("strong", no_atts);
+ vAllowed.put("i", no_atts);
+ vAllowed.put("em", no_atts);
+
+ vSelfClosingTags = new String[]{"img"};
+ vNeedClosingTags = new String[]{"a", "b", "strong", "i", "em"};
+ vDisallowed = new String[]{};
+ vAllowedProtocols = new String[]{"http", "mailto"}; // no ftp.
+ vProtocolAtts = new String[]{"src", "href"};
+ vRemoveBlanks = new String[]{"a", "b", "strong", "i", "em"};
+ vAllowedEntities = new String[]{"amp", "gt", "lt", "quot"};
+ stripComment = true;
+ alwaysMakeTags = true;
+ }
+
+ /** Set debug flag to true. Otherwise use default settings. See the default constructor.
+ *
+ * @param debug turn debug on with a true argument
+ */
+ public HTMLFilter(final boolean debug) {
+ this();
+ vDebug = debug;
+
+ }
+
+ /** Map-parameter configurable constructor.
+ *
+ * @param configuration map containing configuration. keys match field names.
+ */
+ public HTMLFilter(final Map<String,Object> configuration) {
+
+ assert configuration.containsKey("vAllowed") : "configuration requires vAllowed";
+ assert configuration.containsKey("vSelfClosingTags") : "configuration requires vSelfClosingTags";
+ assert configuration.containsKey("vNeedClosingTags") : "configuration requires vNeedClosingTags";
+ assert configuration.containsKey("vDisallowed") : "configuration requires vDisallowed";
+ assert configuration.containsKey("vAllowedProtocols") : "configuration requires vAllowedProtocols";
+ assert configuration.containsKey("vProtocolAtts") : "configuration requires vProtocolAtts";
+ assert configuration.containsKey("vRemoveBlanks") : "configuration requires vRemoveBlanks";
+ assert configuration.containsKey("vAllowedEntities") : "configuration requires vAllowedEntities";
+ assert configuration.containsKey("stripComment") : "configuration requires stripComment";
+ assert configuration.containsKey("alwaysMakeTags") : "configuration requires alwaysMakeTags";
+
+ vAllowed = Collections.unmodifiableMap((HashMap<String, List<String>>) configuration.get("vAllowed"));
+ vSelfClosingTags = (String[]) configuration.get("vSelfClosingTags");
+ vNeedClosingTags = (String[]) configuration.get("vNeedClosingTags");
+ vDisallowed = (String[]) configuration.get("vDisallowed");
+ vAllowedProtocols = (String[]) configuration.get("vAllowedProtocols");
+ vProtocolAtts = (String[]) configuration.get("vProtocolAtts");
+ vRemoveBlanks = (String[]) configuration.get("vRemoveBlanks");
+ vAllowedEntities = (String[]) configuration.get("vAllowedEntities");
+ stripComment = (Boolean) configuration.get("stripComment");
+ alwaysMakeTags = (Boolean) configuration.get("alwaysMakeTags");
+ }
+
+ private void reset() {
+ vTagCounts.clear();
+ }
+
+ private void debug(final String msg) {
+ if (vDebug) {
+ Logger.getAnonymousLogger().info(msg);
+ }
+ }
+
+ //---------------------------------------------------------------
+ // my versions of some PHP library functions
+ public static String chr(final int decimal) {
+ return String.valueOf((char) decimal);
+ }
+
+ public static String htmlSpecialChars(final String s) {
+ String result = s;
+ result = regexReplace(P_AMP, "&", result);
+ result = regexReplace(P_QUOTE, """, result);
+ result = regexReplace(P_LEFT_ARROW, "<", result);
+ result = regexReplace(P_RIGHT_ARROW, ">", result);
+ return result;
+ }
+
+ //---------------------------------------------------------------
+ /**
+ * given a user submitted input String, filter out any invalid or restricted
+ * html.
+ *
+ * @param input text (i.e. submitted by a user) than may contain html
+ * @return "clean" version of input, with only valid, whitelisted html elements allowed
+ */
+ public String filter(final String input) {
+ reset();
+ String s = input;
+
+ debug("************************************************");
+ debug(" INPUT: " + input);
+
+ s = escapeComments(s);
+ debug(" escapeComments: " + s);
+
+ s = balanceHTML(s);
+ debug(" balanceHTML: " + s);
+
+ s = checkTags(s);
+ debug(" checkTags: " + s);
+
+ s = processRemoveBlanks(s);
+ debug("processRemoveBlanks: " + s);
+
+ s = validateEntities(s);
+ debug(" validateEntites: " + s);
+
+ debug("************************************************\n\n");
+ return s;
+ }
+
+ public boolean isAlwaysMakeTags(){
+ return alwaysMakeTags;
+ }
+
+ public boolean isStripComments(){
+ return stripComment;
+ }
+
+ private String escapeComments(final String s) {
+ final Matcher m = P_COMMENTS.matcher(s);
+ final StringBuffer buf = new StringBuffer();
+ if (m.find()) {
+ final String match = m.group(1); //(.*?)
+ m.appendReplacement(buf, "<!--" + htmlSpecialChars(match) + "-->");
+ }
+ m.appendTail(buf);
+
+ return buf.toString();
+ }
+
+ private String balanceHTML(String s) {
+ if (alwaysMakeTags) {
+ //
+ // try and form html
+ //
+ s = regexReplace(P_END_ARROW, "", s);
+ s = regexReplace(P_BODY_TO_END, "<$1>", s);
+ s = regexReplace(P_XML_CONTENT, "$1<$2", s);
+
+ } else {
+ //
+ // escape stray brackets
+ //
+ s = regexReplace(P_STRAY_LEFT_ARROW, "<$1", s);
+ s = regexReplace(P_STRAY_RIGHT_ARROW, "$1$2><", s);
+
+ //
+ // the last regexp causes '<>' entities to appear
+ // (we need to do a lookahead assertion so that the last bracket can
+ // be used in the next pass of the regexp)
+ //
+ s = regexReplace(P_BOTH_ARROWS, "", s);
+ }
+
+ return s;
+ }
+
+ private String checkTags(String s) {
+ Matcher m = P_TAGS.matcher(s);
+
+ final StringBuffer buf = new StringBuffer();
+ while (m.find()) {
+ String replaceStr = m.group(1);
+ replaceStr = processTag(replaceStr);
+ m.appendReplacement(buf, replaceStr);
+ }
+ m.appendTail(buf);
+
+ s = buf.toString();
+
+ // these get tallied in processTag
+ // (remember to reset before subsequent calls to filter method)
+ for (String key : vTagCounts.keySet()) {
+ for (int ii = 0; ii < vTagCounts.get(key); ii++) {
+ s += "</" + key + ">";
+ }
+ }
+
+ return s;
+ }
+
+ private String processRemoveBlanks(final String s) {
+ String result = s;
+ for (String tag : vRemoveBlanks) {
+ if(!P_REMOVE_PAIR_BLANKS.containsKey(tag)){
+ P_REMOVE_PAIR_BLANKS.putIfAbsent(tag, Pattern.compile("<" + tag + "(\\s[^>]*)?></" + tag + ">"));
+ }
+ result = regexReplace(P_REMOVE_PAIR_BLANKS.get(tag), "", result);
+ if(!P_REMOVE_SELF_BLANKS.containsKey(tag)){
+ P_REMOVE_SELF_BLANKS.putIfAbsent(tag, Pattern.compile("<" + tag + "(\\s[^>]*)?/>"));
+ }
+ result = regexReplace(P_REMOVE_SELF_BLANKS.get(tag), "", result);
+ }
+
+ return result;
+ }
+
+ private static String regexReplace(final Pattern regex_pattern, final String replacement, final String s) {
+ Matcher m = regex_pattern.matcher(s);
+ return m.replaceAll(replacement);
+ }
+
+ private String processTag(final String s) {
+ // ending tags
+ Matcher m = P_END_TAG.matcher(s);
+ if (m.find()) {
+ final String name = m.group(1).toLowerCase();
+ if (allowed(name)) {
+ if (!inArray(name, vSelfClosingTags)) {
+ if (vTagCounts.containsKey(name)) {
+ vTagCounts.put(name, vTagCounts.get(name) - 1);
+ return "</" + name + ">";
+ }
+ }
+ }
+ }
+
+ // starting tags
+ m = P_START_TAG.matcher(s);
+ if (m.find()) {
+ final String name = m.group(1).toLowerCase();
+ final String body = m.group(2);
+ String ending = m.group(3);
+
+ //debug( "in a starting tag, name='" + name + "'; body='" + body + "'; ending='" + ending + "'" );
+ if (allowed(name)) {
+ String params = "";
+
+ final Matcher m2 = P_QUOTED_ATTRIBUTES.matcher(body);
+ final Matcher m3 = P_UNQUOTED_ATTRIBUTES.matcher(body);
+ final List<String> paramNames = new ArrayList<String>();
+ final List<String> paramValues = new ArrayList<String>();
+ while (m2.find()) {
+ paramNames.add(m2.group(1)); //([a-z0-9]+)
+ paramValues.add(m2.group(3)); //(.*?)
+ }
+ while (m3.find()) {
+ paramNames.add(m3.group(1)); //([a-z0-9]+)
+ paramValues.add(m3.group(3)); //([^\"\\s']+)
+ }
+
+ String paramName, paramValue;
+ for (int ii = 0; ii < paramNames.size(); ii++) {
+ paramName = paramNames.get(ii).toLowerCase();
+ paramValue = paramValues.get(ii);
+
+// debug( "paramName='" + paramName + "'" );
+// debug( "paramValue='" + paramValue + "'" );
+// debug( "allowed? " + vAllowed.get( name ).contains( paramName ) );
+
+ if (allowedAttribute(name, paramName)) {
+ if (inArray(paramName, vProtocolAtts)) {
+ paramValue = processParamProtocol(paramValue);
+ }
+ params += " " + paramName + "=\"" + paramValue + "\"";
+ }
+ }
+
+ if (inArray(name, vSelfClosingTags)) {
+ ending = " /";
+ }
+
+ if (inArray(name, vNeedClosingTags)) {
+ ending = "";
+ }
+
+ if (ending == null || ending.length() < 1) {
+ if (vTagCounts.containsKey(name)) {
+ vTagCounts.put(name, vTagCounts.get(name) + 1);
+ } else {
+ vTagCounts.put(name, 1);
+ }
+ } else {
+ ending = " /";
+ }
+ return "<" + name + params + ending + ">";
+ } else {
+ return "";
+ }
+ }
+
+ // comments
+ m = P_COMMENT.matcher(s);
+ if (!stripComment && m.find()) {
+ return "<" + m.group() + ">";
+ }
+
+ return "";
+ }
+
+ private String processParamProtocol(String s) {
+ s = decodeEntities(s);
+ final Matcher m = P_PROTOCOL.matcher(s);
+ if (m.find()) {
+ final String protocol = m.group(1);
+ if (!inArray(protocol, vAllowedProtocols)) {
+ // bad protocol, turn into local anchor link instead
+ s = "#" + s.substring(protocol.length() + 1, s.length());
+ if (s.startsWith("#//")) {
+ s = "#" + s.substring(3, s.length());
+ }
+ }
+ }
+
+ return s;
+ }
+
+ private String decodeEntities(String s) {
+ StringBuffer buf = new StringBuffer();
+
+ Matcher m = P_ENTITY.matcher(s);
+ while (m.find()) {
+ final String match = m.group(1);
+ final int decimal = Integer.decode(match).intValue();
+ m.appendReplacement(buf, chr(decimal));
+ }
+ m.appendTail(buf);
+ s = buf.toString();
+
+ buf = new StringBuffer();
+ m = P_ENTITY_UNICODE.matcher(s);
+ while (m.find()) {
+ final String match = m.group(1);
+ final int decimal = Integer.valueOf(match, 16).intValue();
+ m.appendReplacement(buf, chr(decimal));
+ }
+ m.appendTail(buf);
+ s = buf.toString();
+
+ buf = new StringBuffer();
+ m = P_ENCODE.matcher(s);
+ while (m.find()) {
+ final String match = m.group(1);
+ final int decimal = Integer.valueOf(match, 16).intValue();
+ m.appendReplacement(buf, chr(decimal));
+ }
+ m.appendTail(buf);
+ s = buf.toString();
+
+ s = validateEntities(s);
+ return s;
+ }
+
+ private String validateEntities(String s) {
+ StringBuffer buf = new StringBuffer();
+
+ // validate entities throughout the string
+ Matcher m = P_VALID_ENTITIES.matcher(s);
+ while (m.find()) {
+ final String one = m.group(1); //([^&;]*)
+ final String two = m.group(2); //(?=(;|&|$))
+ final String replacement = Matcher.quoteRep...
[truncated message content] |
|
From: <mic...@us...> - 2010-09-22 19:22:09
|
Revision: 19
http://xss-http-filter.svn.sourceforge.net/xss-http-filter/?rev=19&view=rev
Author: micksembwever
Date: 2010-09-22 19:22:03 +0000 (Wed, 22 Sep 2010)
Log Message:
-----------
[maven-release-plugin] prepare release xss-http-filter-1.2
Modified Paths:
--------------
trunk/pom.xml
Modified: trunk/pom.xml
===================================================================
--- trunk/pom.xml 2010-09-22 19:20:42 UTC (rev 18)
+++ trunk/pom.xml 2010-09-22 19:22:03 UTC (rev 19)
@@ -2,7 +2,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>net.sf.xss-http-filter</groupId>
<artifactId>xss-http-filter</artifactId>
- <version>1.2-SNAPSHOT</version>
+ <version>1.2</version>
<packaging>jar</packaging>
<name>XSS HTTPFilter</name>
@@ -13,9 +13,9 @@
</description>
<scm>
- <connection>scm:svn:https://xss-http-filter.svn.sourceforge.net/svnroot/xss-http-filter/trunk</connection>
- <developerConnection>scm:svn:https://xss-http-filter.svn.sourceforge.net/svnroot/xss-http-filter/trunk</developerConnection>
- <url>http://xss-http-filter.svn.sourceforge.net/viewvc/xss-http-filter/trunk/</url>
+ <connection>scm:svn:https://xss-http-filter.svn.sourceforge.net/svnroot/xss-http-filter/tags/xss-http-filter-1.2</connection>
+ <developerConnection>scm:svn:https://xss-http-filter.svn.sourceforge.net/svnroot/xss-http-filter/tags/xss-http-filter-1.2</developerConnection>
+ <url>http://xss-http-filter.svn.sourceforge.net/viewvc/xss-http-filter/tags/xss-http-filter-1.2</url>
</scm>
<licenses>
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
|
From: <mic...@us...> - 2010-09-22 19:20:48
|
Revision: 18
http://xss-http-filter.svn.sourceforge.net/xss-http-filter/?rev=18&view=rev
Author: micksembwever
Date: 2010-09-22 19:20:42 +0000 (Wed, 22 Sep 2010)
Log Message:
-----------
performance improvements by minimising the use of Pattern.compile(string)
Modified Paths:
--------------
trunk/src/main/java/net/sf/xsshttpfilter/HTMLFilter.java
Modified: trunk/src/main/java/net/sf/xsshttpfilter/HTMLFilter.java
===================================================================
--- trunk/src/main/java/net/sf/xsshttpfilter/HTMLFilter.java 2010-09-07 19:40:13 UTC (rev 17)
+++ trunk/src/main/java/net/sf/xsshttpfilter/HTMLFilter.java 2010-09-22 19:20:42 UTC (rev 18)
@@ -5,6 +5,8 @@
import java.util.HashMap;
import java.util.List;
import java.util.Map;
+import java.util.concurrent.ConcurrentHashMap;
+import java.util.concurrent.ConcurrentMap;
import java.util.logging.Logger;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
@@ -63,6 +65,16 @@
private static final Pattern P_XML_CONTENT = Pattern.compile("(^|>)([^<]*?)(?=>)");
private static final Pattern P_STRAY_LEFT_ARROW = Pattern.compile("<([^>]*?)(?=<|$)");
private static final Pattern P_STRAY_RIGHT_ARROW = Pattern.compile("(^|>)([^<]*?)(?=>)");
+ private static final Pattern P_AMP = Pattern.compile("&");
+ private static final Pattern P_QUOTE = Pattern.compile("\"");
+ private static final Pattern P_LEFT_ARROW = Pattern.compile("<");
+ private static final Pattern P_RIGHT_ARROW = Pattern.compile(">");
+ private static final Pattern P_BOTH_ARROWS = Pattern.compile("<>");
+
+ // @xxx could grow large... maybe use sesat's ReferenceMap
+ private static final ConcurrentMap<String,Pattern> P_REMOVE_PAIR_BLANKS = new ConcurrentHashMap<String, Pattern>();
+ private static final ConcurrentMap<String,Pattern> P_REMOVE_SELF_BLANKS = new ConcurrentHashMap<String, Pattern>();
+
/** set of allowed html elements, along with allowed attributes for each element **/
private final Map<String, List<String>> vAllowed;
/** counts of open tags for each (allowable) html element **/
@@ -183,7 +195,12 @@
}
public static String htmlSpecialChars(final String s) {
- return s.replaceAll("&", "&").replaceAll("\"", """).replaceAll("<", "<").replaceAll(">", ">");
+ String result = s;
+ result = regexReplace(P_AMP, "&", result);
+ result = regexReplace(P_QUOTE, """, result);
+ result = regexReplace(P_LEFT_ARROW, "<", result);
+ result = regexReplace(P_RIGHT_ARROW, ">", result);
+ return result;
}
//---------------------------------------------------------------
@@ -223,11 +240,11 @@
public boolean isAlwaysMakeTags(){
return alwaysMakeTags;
}
-
+
public boolean isStripComments(){
return stripComment;
}
-
+
private String escapeComments(final String s) {
final Matcher m = P_COMMENTS.matcher(s);
final StringBuffer buf = new StringBuffer();
@@ -261,7 +278,7 @@
// (we need to do a lookahead assertion so that the last bracket can
// be used in the next pass of the regexp)
//
- s = s.replaceAll("<>", "");
+ s = regexReplace(P_BOTH_ARROWS, "", s);
}
return s;
@@ -291,20 +308,23 @@
return s;
}
- private String processRemoveBlanks(String s) {
+ private String processRemoveBlanks(final String s) {
+ String result = s;
for (String tag : vRemoveBlanks) {
- s = regexReplace("<" + tag + "(\\s[^>]*)?></" + tag + ">", "", s);
- s = regexReplace("<" + tag + "(\\s[^>]*)?/>", "", s);
+ if(!P_REMOVE_PAIR_BLANKS.containsKey(tag)){
+ P_REMOVE_PAIR_BLANKS.putIfAbsent(tag, Pattern.compile("<" + tag + "(\\s[^>]*)?></" + tag + ">"));
+ }
+ result = regexReplace(P_REMOVE_PAIR_BLANKS.get(tag), "", result);
+ if(!P_REMOVE_SELF_BLANKS.containsKey(tag)){
+ P_REMOVE_SELF_BLANKS.putIfAbsent(tag, Pattern.compile("<" + tag + "(\\s[^>]*)?/>"));
+ }
+ result = regexReplace(P_REMOVE_SELF_BLANKS.get(tag), "", result);
}
- return s;
+ return result;
}
- private String regexReplace(final String regex_pattern, final String replacement, final String s) {
- return regexReplace(Pattern.compile(regex_pattern), replacement, s);
- }
-
- private String regexReplace(final Pattern regex_pattern, final String replacement, final String s) {
+ private static String regexReplace(final Pattern regex_pattern, final String replacement, final String s) {
Matcher m = regex_pattern.matcher(s);
return m.replaceAll(replacement);
}
@@ -471,7 +491,7 @@
final String one = m.group(1); //(>|^)
final String two = m.group(2); //([^<]+?)
final String three = m.group(3); //(<|$)
- m.appendReplacement(buf, Matcher.quoteReplacement(one + two.replaceAll("\"", """) + three));
+ m.appendReplacement(buf, Matcher.quoteReplacement(one + regexReplace(P_QUOTE, """, two) + three));
}
m.appendTail(buf);
s = buf.toString();
@@ -490,7 +510,7 @@
return inArray(entity, vAllowedEntities);
}
- private boolean inArray(final String s, final String[] array) {
+ private static boolean inArray(final String s, final String[] array) {
for (String item : array) {
if (item != null && item.equals(s)) {
return true;
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
|
From: <mic...@us...> - 2010-09-07 19:40:20
|
Revision: 17
http://xss-http-filter.svn.sourceforge.net/xss-http-filter/?rev=17&view=rev
Author: micksembwever
Date: 2010-09-07 19:40:13 +0000 (Tue, 07 Sep 2010)
Log Message:
-----------
view source --> trunk
Modified Paths:
--------------
trunk/src/website/index.html
Modified: trunk/src/website/index.html
===================================================================
--- trunk/src/website/index.html 2010-09-07 18:09:15 UTC (rev 16)
+++ trunk/src/website/index.html 2010-09-07 19:40:13 UTC (rev 17)
@@ -35,7 +35,7 @@
<p>
<ul>
- <li><a href="http://xss-http-filter.svn.sourceforge.net/viewvc/xss-http-filter/trunk/src/main/java/net/sf/xsshttpfilter/HTMLFilter.java?revision=2&view=markup">View Source</a></li>
+ <li><a href="http://xss-http-filter.svn.sourceforge.net/viewvc/xss-http-filter/trunk/src/main/java/net/sf/xsshttpfilter/HTMLFilter.java?view=markup">View Source</a></li>
<li><a href="/site/">Project information</a></li>
</ul>
</p>
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
|
From: <mic...@us...> - 2010-09-07 18:09:21
|
Revision: 16
http://xss-http-filter.svn.sourceforge.net/xss-http-filter/?rev=16&view=rev
Author: micksembwever
Date: 2010-09-07 18:09:15 +0000 (Tue, 07 Sep 2010)
Log Message:
-----------
[maven-release-plugin] prepare for next development iteration
Modified Paths:
--------------
trunk/pom.xml
Modified: trunk/pom.xml
===================================================================
--- trunk/pom.xml 2010-09-07 18:09:08 UTC (rev 15)
+++ trunk/pom.xml 2010-09-07 18:09:15 UTC (rev 16)
@@ -2,7 +2,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>net.sf.xss-http-filter</groupId>
<artifactId>xss-http-filter</artifactId>
- <version>1.1.1</version>
+ <version>1.2-SNAPSHOT</version>
<packaging>jar</packaging>
<name>XSS HTTPFilter</name>
@@ -13,9 +13,9 @@
</description>
<scm>
- <connection>scm:svn:https://xss-http-filter.svn.sourceforge.net/svnroot/xss-http-filter/tags/xss-http-filter-1.1.1</connection>
- <developerConnection>scm:svn:https://xss-http-filter.svn.sourceforge.net/svnroot/xss-http-filter/tags/xss-http-filter-1.1.1</developerConnection>
- <url>http://xss-http-filter.svn.sourceforge.net/viewvc/xss-http-filter/tags/xss-http-filter-1.1.1</url>
+ <connection>scm:svn:https://xss-http-filter.svn.sourceforge.net/svnroot/xss-http-filter/trunk</connection>
+ <developerConnection>scm:svn:https://xss-http-filter.svn.sourceforge.net/svnroot/xss-http-filter/trunk</developerConnection>
+ <url>http://xss-http-filter.svn.sourceforge.net/viewvc/xss-http-filter/trunk/</url>
</scm>
<licenses>
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
|
From: <mic...@us...> - 2010-09-07 18:09:14
|
Revision: 15
http://xss-http-filter.svn.sourceforge.net/xss-http-filter/?rev=15&view=rev
Author: micksembwever
Date: 2010-09-07 18:09:08 +0000 (Tue, 07 Sep 2010)
Log Message:
-----------
[maven-release-plugin] copy for tag xss-http-filter-1.1.1
Added Paths:
-----------
tags/xss-http-filter-1.1.1/
tags/xss-http-filter-1.1.1/pom.xml
Removed Paths:
-------------
tags/xss-http-filter-1.1.1/pom.xml
Deleted: tags/xss-http-filter-1.1.1/pom.xml
===================================================================
--- trunk/pom.xml 2010-09-07 18:05:41 UTC (rev 13)
+++ tags/xss-http-filter-1.1.1/pom.xml 2010-09-07 18:09:08 UTC (rev 15)
@@ -1,250 +0,0 @@
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
- <modelVersion>4.0.0</modelVersion>
- <groupId>net.sf.xss-http-filter</groupId>
- <artifactId>xss-http-filter</artifactId>
- <version>1.2-SNAPSHOT</version>
- <packaging>jar</packaging>
- <name>XSS HTTPFilter</name>
-
-
- <description>
- A Java library for protecting against cross site scripting.
- Hosted at https://sourceforge.net/projects/xss-http-filter/
- </description>
-
- <scm>
- <connection>scm:svn:https://xss-http-filter.svn.sourceforge.net/svnroot/xss-http-filter/trunk</connection>
- <developerConnection>scm:svn:https://xss-http-filter.svn.sourceforge.net/svnroot/xss-http-filter/trunk</developerConnection>
- <url>http://xss-http-filter.svn.sourceforge.net/viewvc/xss-http-filter/trunk/</url>
- </scm>
-
- <licenses>
- <license>
- <name>LGPLv3</name>
- <url>LICENSE.txt</url>
- <distribution>manual</distribution>
- </license>
- </licenses>
-
-
- <issueManagement><url>http://sourceforge.net/tracker/?group_id=344527</url></issueManagement>
-
- <developers>
- <developer>
- <name>Cal Henderson</name>
- <url>http://www.iamcal.com/</url>
- </developer>
- <developer>
- <name>Joseph O'Connell</name>
- <url>http://josephoconnell.com/</url>
- </developer>
- <developer>
- <name>mck</name>
- <id>micksembwever</id>
- <email>mi...@se...</email>
- <url>http://semb.wever.org</url>
- </developer>
- </developers>
-
- <mailingLists>
- <mailingList>
- <name>User & Development List</name>
- <post>xss...@li...</post>
- <archive>http://sourceforge.net/mailarchive/forum.php?forum_name=xss-http-filter-user</archive>
- </mailingList>
- <mailingList>
- <name>Commit List</name>
- <archive>https://sourceforge.net/mailarchive/forum.php?forum_name=xss-http-filter-commits</archive>
- </mailingList>
- </mailingLists>
-
- <properties>
- <!-- java -->
- <version.jdk>1.6</version.jdk>
-
- </properties>
-
- <build>
- <plugins>
- <plugin>
- <groupId>org.apache.maven.plugins</groupId>
- <artifactId>maven-compiler-plugin</artifactId>
- <configuration>
- <source>${version.jdk}</source>
- <target>${version.jdk}</target>
- </configuration>
- </plugin>
- <plugin>
- <groupId>org.apache.maven.plugins</groupId>
- <artifactId>maven-source-plugin</artifactId>
- <version>2.1.1</version>
- <executions>
- <execution>
- <id>attach-sources</id>
- <goals>
- <goal>jar-no-fork</goal>
- <goal>test-jar-no-fork</goal>
- </goals>
- </execution>
- </executions>
- </plugin>
- </plugins>
- </build>
-
- <dependencies>
-
- <dependency>
- <groupId>junit</groupId>
- <artifactId>junit</artifactId>
- <version>4.7</version>
- <scope>test</scope>
- </dependency>
-
- <dependency>
- <groupId>org.hamcrest</groupId>
- <artifactId>hamcrest-all</artifactId>
- <version>1.1</version>
- <scope>test</scope>
- </dependency>
- </dependencies>
-
- <repositories>
- <repository>
- <id>xss-http-filter-releases</id>
- <name>xss-http-filter.sf.net releases</name>
- <url>http://xss-http-filter.sf.net/releases/</url>
- <releases>
- <enabled>true</enabled>
- </releases>
- <snapshots>
- <enabled>false</enabled>
- </snapshots>
- </repository>
- <repository>
- <id>finntech-snapshot</id>
- <name>xss-http-filter.sf.net snapshots</name>
- <url>http://xss-http-filter.sf.net/snapshots/</url>
- <releases>
- <enabled>false</enabled>
- </releases>
- <snapshots>
- <enabled>true</enabled>
- </snapshots>
- </repository>
- </repositories>
-
- <distributionManagement>
- <repository>
- <id>xss-http-filter-releases</id>
- <name>xss-http-filter.sf.net releases</name>
- <url>scp://shell.sourceforge.net:/home/groups/x/xs/xss-http-filter/htdocs/releases/</url>
- </repository>
- <snapshotRepository>
- <id>xss-http-filter-snapshots</id>
- <name>xss-http-filter.sf.net snapshots</name>
- <url>scp://shell.sourceforge.net:/home/groups/x/xs/xss-http-filter/htdocs/snapshots/</url>
- </snapshotRepository>
- <site>
- <id>xss-http-filter.sf.net</id>
- <url>scp://216.34.181.119/home/groups/x/xs/xss-http-filter/htdocs/site/</url>
- </site>
- </distributionManagement>
-
- <reporting>
- <plugins>
- <plugin>
- <groupId>org.apache.maven.plugins</groupId>
- <artifactId>maven-project-info-reports-plugin</artifactId>
- <version>2.1.2</version>
- <reportSets>
- <reportSet>
- <reports>
- <report>index</report>
- <report>dependencies</report>
- <report>dependency-convergence</report>
- <report>issue-tracking</report>
- <report>scm</report>
- <report>project-team</report>
- <report>summary</report>
- <report>cim</report>
- </reports>
- </reportSet>
- </reportSets>
- </plugin>
- <plugin>
- <groupId>org.codehaus.mojo</groupId>
- <artifactId>cobertura-maven-plugin</artifactId>
- <configuration>
- <formats>
- <format>html</format>
- <format>xml</format>
- </formats>
- </configuration>
- </plugin>
- <plugin>
- <artifactId>maven-javadoc-plugin</artifactId>
- <reportSets>
- <reportSet>
- <id>html</id>
- <configuration>
- <minmemory>128m</minmemory>
- <maxmemory>512m</maxmemory>
- <source>${version.jdk}</source>
- <docfilessubdirs>true</docfilessubdirs>
- <links>
- <link>http://java.sun.com/javase/6/docs/api/</link>
- <link>http://java.sun.com/javaee/5/docs/api/</link>
- </links>
- </configuration>
- <reports><report>javadoc</report></reports>
- </reportSet>
- </reportSets>
- </plugin>
- <plugin>
- <groupId>org.codehaus.mojo</groupId>
- <artifactId>findbugs-maven-plugin</artifactId>
- <configuration>
- <threshold>Normal</threshold>
- <xmlOutput>true</xmlOutput>
- <!-- Optional derectory to put findbugs xdoc xml report -->
- <xmlOutputDirectory>target/site</xmlOutputDirectory>
- </configuration>
- </plugin>
- <plugin>
- <groupId>org.codehaus.mojo</groupId>
- <artifactId>taglist-maven-plugin</artifactId>
- <configuration>
- <tags>
- <tag>TODO</tag>
- <tag>@todo</tag>
- <tag>FIXME</tag>
- <tag>XXX</tag>
- <tag>hack</tag>
- </tags>
- </configuration>
- </plugin>
- <plugin>
- <groupId>org.apache.maven.plugins</groupId>
- <artifactId>maven-jxr-plugin</artifactId>
- </plugin>
- <plugin>
- <groupId>org.apache.maven.plugins</groupId>
- <artifactId>maven-surefire-report-plugin</artifactId>
- </plugin>
- <plugin>
- <groupId>org.apache.maven.plugins</groupId>
- <artifactId>maven-pmd-plugin</artifactId>
- <configuration>
- <targetJdk>${version.jdk}</targetJdk>
- <rulesets>
- <ruleset>/rulesets/basic.xml</ruleset>
- <ruleset>/rulesets/imports.xml</ruleset>
- <ruleset>/rulesets/unusedcode.xml</ruleset>
- <ruleset>/rulesets/finalizers.xml</ruleset>
- </rulesets>
- </configuration>
- </plugin>
- </plugins>
- </reporting>
-
-</project>
Copied: tags/xss-http-filter-1.1.1/pom.xml (from rev 14, trunk/pom.xml)
===================================================================
--- tags/xss-http-filter-1.1.1/pom.xml (rev 0)
+++ tags/xss-http-filter-1.1.1/pom.xml 2010-09-07 18:09:08 UTC (rev 15)
@@ -0,0 +1,250 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+ <modelVersion>4.0.0</modelVersion>
+ <groupId>net.sf.xss-http-filter</groupId>
+ <artifactId>xss-http-filter</artifactId>
+ <version>1.1.1</version>
+ <packaging>jar</packaging>
+ <name>XSS HTTPFilter</name>
+
+
+ <description>
+ A Java library for protecting against cross site scripting.
+ Hosted at https://sourceforge.net/projects/xss-http-filter/
+ </description>
+
+ <scm>
+ <connection>scm:svn:https://xss-http-filter.svn.sourceforge.net/svnroot/xss-http-filter/tags/xss-http-filter-1.1.1</connection>
+ <developerConnection>scm:svn:https://xss-http-filter.svn.sourceforge.net/svnroot/xss-http-filter/tags/xss-http-filter-1.1.1</developerConnection>
+ <url>http://xss-http-filter.svn.sourceforge.net/viewvc/xss-http-filter/tags/xss-http-filter-1.1.1</url>
+ </scm>
+
+ <licenses>
+ <license>
+ <name>LGPLv3</name>
+ <url>LICENSE.txt</url>
+ <distribution>manual</distribution>
+ </license>
+ </licenses>
+
+
+ <issueManagement><url>http://sourceforge.net/tracker/?group_id=344527</url></issueManagement>
+
+ <developers>
+ <developer>
+ <name>Cal Henderson</name>
+ <url>http://www.iamcal.com/</url>
+ </developer>
+ <developer>
+ <name>Joseph O'Connell</name>
+ <url>http://josephoconnell.com/</url>
+ </developer>
+ <developer>
+ <name>mck</name>
+ <id>micksembwever</id>
+ <email>mi...@se...</email>
+ <url>http://semb.wever.org</url>
+ </developer>
+ </developers>
+
+ <mailingLists>
+ <mailingList>
+ <name>User & Development List</name>
+ <post>xss...@li...</post>
+ <archive>http://sourceforge.net/mailarchive/forum.php?forum_name=xss-http-filter-user</archive>
+ </mailingList>
+ <mailingList>
+ <name>Commit List</name>
+ <archive>https://sourceforge.net/mailarchive/forum.php?forum_name=xss-http-filter-commits</archive>
+ </mailingList>
+ </mailingLists>
+
+ <properties>
+ <!-- java -->
+ <version.jdk>1.6</version.jdk>
+
+ </properties>
+
+ <build>
+ <plugins>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-compiler-plugin</artifactId>
+ <configuration>
+ <source>${version.jdk}</source>
+ <target>${version.jdk}</target>
+ </configuration>
+ </plugin>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-source-plugin</artifactId>
+ <version>2.1.1</version>
+ <executions>
+ <execution>
+ <id>attach-sources</id>
+ <goals>
+ <goal>jar-no-fork</goal>
+ <goal>test-jar-no-fork</goal>
+ </goals>
+ </execution>
+ </executions>
+ </plugin>
+ </plugins>
+ </build>
+
+ <dependencies>
+
+ <dependency>
+ <groupId>junit</groupId>
+ <artifactId>junit</artifactId>
+ <version>4.7</version>
+ <scope>test</scope>
+ </dependency>
+
+ <dependency>
+ <groupId>org.hamcrest</groupId>
+ <artifactId>hamcrest-all</artifactId>
+ <version>1.1</version>
+ <scope>test</scope>
+ </dependency>
+ </dependencies>
+
+ <repositories>
+ <repository>
+ <id>xss-http-filter-releases</id>
+ <name>xss-http-filter.sf.net releases</name>
+ <url>http://xss-http-filter.sf.net/releases/</url>
+ <releases>
+ <enabled>true</enabled>
+ </releases>
+ <snapshots>
+ <enabled>false</enabled>
+ </snapshots>
+ </repository>
+ <repository>
+ <id>finntech-snapshot</id>
+ <name>xss-http-filter.sf.net snapshots</name>
+ <url>http://xss-http-filter.sf.net/snapshots/</url>
+ <releases>
+ <enabled>false</enabled>
+ </releases>
+ <snapshots>
+ <enabled>true</enabled>
+ </snapshots>
+ </repository>
+ </repositories>
+
+ <distributionManagement>
+ <repository>
+ <id>xss-http-filter-releases</id>
+ <name>xss-http-filter.sf.net releases</name>
+ <url>scp://shell.sourceforge.net:/home/groups/x/xs/xss-http-filter/htdocs/releases/</url>
+ </repository>
+ <snapshotRepository>
+ <id>xss-http-filter-snapshots</id>
+ <name>xss-http-filter.sf.net snapshots</name>
+ <url>scp://shell.sourceforge.net:/home/groups/x/xs/xss-http-filter/htdocs/snapshots/</url>
+ </snapshotRepository>
+ <site>
+ <id>xss-http-filter.sf.net</id>
+ <url>scp://216.34.181.119/home/groups/x/xs/xss-http-filter/htdocs/site/</url>
+ </site>
+ </distributionManagement>
+
+ <reporting>
+ <plugins>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-project-info-reports-plugin</artifactId>
+ <version>2.1.2</version>
+ <reportSets>
+ <reportSet>
+ <reports>
+ <report>index</report>
+ <report>dependencies</report>
+ <report>dependency-convergence</report>
+ <report>issue-tracking</report>
+ <report>scm</report>
+ <report>project-team</report>
+ <report>summary</report>
+ <report>cim</report>
+ </reports>
+ </reportSet>
+ </reportSets>
+ </plugin>
+ <plugin>
+ <groupId>org.codehaus.mojo</groupId>
+ <artifactId>cobertura-maven-plugin</artifactId>
+ <configuration>
+ <formats>
+ <format>html</format>
+ <format>xml</format>
+ </formats>
+ </configuration>
+ </plugin>
+ <plugin>
+ <artifactId>maven-javadoc-plugin</artifactId>
+ <reportSets>
+ <reportSet>
+ <id>html</id>
+ <configuration>
+ <minmemory>128m</minmemory>
+ <maxmemory>512m</maxmemory>
+ <source>${version.jdk}</source>
+ <docfilessubdirs>true</docfilessubdirs>
+ <links>
+ <link>http://java.sun.com/javase/6/docs/api/</link>
+ <link>http://java.sun.com/javaee/5/docs/api/</link>
+ </links>
+ </configuration>
+ <reports><report>javadoc</report></reports>
+ </reportSet>
+ </reportSets>
+ </plugin>
+ <plugin>
+ <groupId>org.codehaus.mojo</groupId>
+ <artifactId>findbugs-maven-plugin</artifactId>
+ <configuration>
+ <threshold>Normal</threshold>
+ <xmlOutput>true</xmlOutput>
+ <!-- Optional derectory to put findbugs xdoc xml report -->
+ <xmlOutputDirectory>target/site</xmlOutputDirectory>
+ </configuration>
+ </plugin>
+ <plugin>
+ <groupId>org.codehaus.mojo</groupId>
+ <artifactId>taglist-maven-plugin</artifactId>
+ <configuration>
+ <tags>
+ <tag>TODO</tag>
+ <tag>@todo</tag>
+ <tag>FIXME</tag>
+ <tag>XXX</tag>
+ <tag>hack</tag>
+ </tags>
+ </configuration>
+ </plugin>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-jxr-plugin</artifactId>
+ </plugin>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-surefire-report-plugin</artifactId>
+ </plugin>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-pmd-plugin</artifactId>
+ <configuration>
+ <targetJdk>${version.jdk}</targetJdk>
+ <rulesets>
+ <ruleset>/rulesets/basic.xml</ruleset>
+ <ruleset>/rulesets/imports.xml</ruleset>
+ <ruleset>/rulesets/unusedcode.xml</ruleset>
+ <ruleset>/rulesets/finalizers.xml</ruleset>
+ </rulesets>
+ </configuration>
+ </plugin>
+ </plugins>
+ </reporting>
+
+</project>
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
|
From: <mic...@us...> - 2010-09-07 18:08:54
|
Revision: 14
http://xss-http-filter.svn.sourceforge.net/xss-http-filter/?rev=14&view=rev
Author: micksembwever
Date: 2010-09-07 18:08:48 +0000 (Tue, 07 Sep 2010)
Log Message:
-----------
[maven-release-plugin] prepare release xss-http-filter-1.1.1
Modified Paths:
--------------
trunk/pom.xml
Modified: trunk/pom.xml
===================================================================
--- trunk/pom.xml 2010-09-07 18:05:41 UTC (rev 13)
+++ trunk/pom.xml 2010-09-07 18:08:48 UTC (rev 14)
@@ -2,7 +2,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>net.sf.xss-http-filter</groupId>
<artifactId>xss-http-filter</artifactId>
- <version>1.2-SNAPSHOT</version>
+ <version>1.1.1</version>
<packaging>jar</packaging>
<name>XSS HTTPFilter</name>
@@ -13,9 +13,9 @@
</description>
<scm>
- <connection>scm:svn:https://xss-http-filter.svn.sourceforge.net/svnroot/xss-http-filter/trunk</connection>
- <developerConnection>scm:svn:https://xss-http-filter.svn.sourceforge.net/svnroot/xss-http-filter/trunk</developerConnection>
- <url>http://xss-http-filter.svn.sourceforge.net/viewvc/xss-http-filter/trunk/</url>
+ <connection>scm:svn:https://xss-http-filter.svn.sourceforge.net/svnroot/xss-http-filter/tags/xss-http-filter-1.1.1</connection>
+ <developerConnection>scm:svn:https://xss-http-filter.svn.sourceforge.net/svnroot/xss-http-filter/tags/xss-http-filter-1.1.1</developerConnection>
+ <url>http://xss-http-filter.svn.sourceforge.net/viewvc/xss-http-filter/tags/xss-http-filter-1.1.1</url>
</scm>
<licenses>
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
|
From: <mic...@us...> - 2010-09-07 18:05:47
|
Revision: 13
http://xss-http-filter.svn.sourceforge.net/xss-http-filter/?rev=13&view=rev
Author: micksembwever
Date: 2010-09-07 18:05:41 +0000 (Tue, 07 Sep 2010)
Log Message:
-----------
bugfix: unicode entities and url-encoded characters were not being decoded as hex digits (radix 16)
Modified Paths:
--------------
trunk/src/main/java/net/sf/xsshttpfilter/HTMLFilter.java
Modified: trunk/src/main/java/net/sf/xsshttpfilter/HTMLFilter.java
===================================================================
--- trunk/src/main/java/net/sf/xsshttpfilter/HTMLFilter.java 2010-09-06 09:25:38 UTC (rev 12)
+++ trunk/src/main/java/net/sf/xsshttpfilter/HTMLFilter.java 2010-09-07 18:05:41 UTC (rev 13)
@@ -430,7 +430,7 @@
m = P_ENTITY_UNICODE.matcher(s);
while (m.find()) {
final String match = m.group(1);
- final int decimal = Integer.decode(match).intValue();
+ final int decimal = Integer.valueOf(match, 16).intValue();
m.appendReplacement(buf, chr(decimal));
}
m.appendTail(buf);
@@ -440,7 +440,7 @@
m = P_ENCODE.matcher(s);
while (m.find()) {
final String match = m.group(1);
- final int decimal = Integer.decode(match).intValue();
+ final int decimal = Integer.valueOf(match, 16).intValue();
m.appendReplacement(buf, chr(decimal));
}
m.appendTail(buf);
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
|
From: <mic...@us...> - 2010-09-06 09:25:44
|
Revision: 12
http://xss-http-filter.svn.sourceforge.net/xss-http-filter/?rev=12&view=rev
Author: micksembwever
Date: 2010-09-06 09:25:38 +0000 (Mon, 06 Sep 2010)
Log Message:
-----------
fix tests
Modified Paths:
--------------
trunk/src/main/java/net/sf/xsshttpfilter/HTMLFilter.java
trunk/src/test/java/net/sf/xsshttpfilter/HTMLFilterTest.java
Modified: trunk/src/main/java/net/sf/xsshttpfilter/HTMLFilter.java
===================================================================
--- trunk/src/main/java/net/sf/xsshttpfilter/HTMLFilter.java 2010-08-26 17:35:00 UTC (rev 11)
+++ trunk/src/main/java/net/sf/xsshttpfilter/HTMLFilter.java 2010-09-06 09:25:38 UTC (rev 12)
@@ -220,6 +220,14 @@
return s;
}
+ public boolean isAlwaysMakeTags(){
+ return alwaysMakeTags;
+ }
+
+ public boolean isStripComments(){
+ return stripComment;
+ }
+
private String escapeComments(final String s) {
final Matcher m = P_COMMENTS.matcher(s);
final StringBuffer buf = new StringBuffer();
Modified: trunk/src/test/java/net/sf/xsshttpfilter/HTMLFilterTest.java
===================================================================
--- trunk/src/test/java/net/sf/xsshttpfilter/HTMLFilterTest.java 2010-08-26 17:35:00 UTC (rev 11)
+++ trunk/src/test/java/net/sf/xsshttpfilter/HTMLFilterTest.java 2010-09-06 09:25:38 UTC (rev 12)
@@ -55,7 +55,7 @@
@Test
public void testBalancingAngleBrackets() {
- if (vFilter.alwaysMakeTags) {
+ if (vFilter.isAlwaysMakeTags()) {
assertThat(vFilter.filter("<img src=\"foo\""), is("<img src=\"foo\" />"));
assertThat(vFilter.filter("i>"), is(""));
assertThat(vFilter.filter("<img src=\"foo\"/"), is("<img src=\"foo\" />"));
@@ -88,7 +88,7 @@
@Test
public void testDisallowScriptTags() {
assertThat(vFilter.filter("<script>"), is(""));
- String result = vFilter.alwaysMakeTags ? "" : "<script";
+ String result = vFilter.isAlwaysMakeTags() ? "" : "<script";
assertThat(vFilter.filter("<script"), is(result));
assertThat(vFilter.filter("<script/>"), is(""));
assertThat(vFilter.filter("</script>"), is(""));
@@ -127,7 +127,7 @@
@Test
public void testComments() {
- if (vFilter.stripComment) {
+ if (vFilter.isStripComments()) {
assertThat(vFilter.filter("<!-- a<b --->"), is(""));
} else {
assertThat(vFilter.filter("<!-- a<b --->"), is("<!-- a<b --->"));
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
|
From: <mic...@us...> - 2010-08-26 17:35:07
|
Revision: 11
http://xss-http-filter.svn.sourceforge.net/xss-http-filter/?rev=11&view=rev
Author: micksembwever
Date: 2010-08-26 17:35:00 +0000 (Thu, 26 Aug 2010)
Log Message:
-----------
description updated
Modified Paths:
--------------
trunk/pom.xml
Modified: trunk/pom.xml
===================================================================
--- trunk/pom.xml 2010-08-26 13:54:16 UTC (rev 10)
+++ trunk/pom.xml 2010-08-26 17:35:00 UTC (rev 11)
@@ -7,7 +7,10 @@
<name>XSS HTTPFilter</name>
- <description>A Java library for protecting against cross site scripting</description>
+ <description>
+ A Java library for protecting against cross site scripting.
+ Hosted at https://sourceforge.net/projects/xss-http-filter/
+ </description>
<scm>
<connection>scm:svn:https://xss-http-filter.svn.sourceforge.net/svnroot/xss-http-filter/trunk</connection>
@@ -36,9 +39,9 @@
<url>http://josephoconnell.com/</url>
</developer>
<developer>
- <name>Mck Semb Wever</name>
+ <name>mck</name>
<id>micksembwever</id>
- <email>mi...@we...</email>
+ <email>mi...@se...</email>
<url>http://semb.wever.org</url>
</developer>
</developers>
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
|
From: <mic...@us...> - 2010-08-26 13:54:22
|
Revision: 10
http://xss-http-filter.svn.sourceforge.net/xss-http-filter/?rev=10&view=rev
Author: micksembwever
Date: 2010-08-26 13:54:16 +0000 (Thu, 26 Aug 2010)
Log Message:
-----------
replace protected with private. (no real need, and no dedicated design, for class extension yet).
Modified Paths:
--------------
trunk/src/main/java/net/sf/xsshttpfilter/HTMLFilter.java
Modified: trunk/src/main/java/net/sf/xsshttpfilter/HTMLFilter.java
===================================================================
--- trunk/src/main/java/net/sf/xsshttpfilter/HTMLFilter.java 2010-08-23 13:04:03 UTC (rev 9)
+++ trunk/src/main/java/net/sf/xsshttpfilter/HTMLFilter.java 2010-08-26 13:54:16 UTC (rev 10)
@@ -44,53 +44,53 @@
public final class HTMLFilter {
/** regex flag union representing /si modifiers in php **/
- protected static final int REGEX_FLAGS_SI = Pattern.CASE_INSENSITIVE | Pattern.DOTALL;
- protected static final Pattern P_COMMENTS = Pattern.compile("<!--(.*?)-->", Pattern.DOTALL);
- protected static final Pattern P_COMMENT = Pattern.compile("^!--(.*)--$", REGEX_FLAGS_SI);
- protected static final Pattern P_TAGS = Pattern.compile("<(.*?)>", Pattern.DOTALL);
- protected static final Pattern P_END_TAG = Pattern.compile("^/([a-z0-9]+)", REGEX_FLAGS_SI);
- protected static final Pattern P_START_TAG = Pattern.compile("^([a-z0-9]+)(.*?)(/?)$", REGEX_FLAGS_SI);
- protected static final Pattern P_QUOTED_ATTRIBUTES = Pattern.compile("([a-z0-9]+)=([\"'])(.*?)\\2", REGEX_FLAGS_SI);
- protected static final Pattern P_UNQUOTED_ATTRIBUTES = Pattern.compile("([a-z0-9]+)(=)([^\"\\s']+)", REGEX_FLAGS_SI);
- protected static final Pattern P_PROTOCOL = Pattern.compile("^([^:]+):", REGEX_FLAGS_SI);
- protected static final Pattern P_ENTITY = Pattern.compile("&#(\\d+);?");
- protected static final Pattern P_ENTITY_UNICODE = Pattern.compile("&#x([0-9a-f]+);?");
- protected static final Pattern P_ENCODE = Pattern.compile("%([0-9a-f]{2});?");
- protected static final Pattern P_VALID_ENTITIES = Pattern.compile("&([^&;]*)(?=(;|&|$))");
- protected static final Pattern P_VALID_QUOTES = Pattern.compile("(>|^)([^<]+?)(<|$)", Pattern.DOTALL);
- protected static final Pattern P_END_ARROW = Pattern.compile("^>");
- protected static final Pattern P_BODY_TO_END = Pattern.compile("<([^>]*?)(?=<|$)");
- protected static final Pattern P_XML_CONTENT = Pattern.compile("(^|>)([^<]*?)(?=>)");
- protected static final Pattern P_STRAY_LEFT_ARROW = Pattern.compile("<([^>]*?)(?=<|$)");
- protected static final Pattern P_STRAY_RIGHT_ARROW = Pattern.compile("(^|>)([^<]*?)(?=>)");
+ private static final int REGEX_FLAGS_SI = Pattern.CASE_INSENSITIVE | Pattern.DOTALL;
+ private static final Pattern P_COMMENTS = Pattern.compile("<!--(.*?)-->", Pattern.DOTALL);
+ private static final Pattern P_COMMENT = Pattern.compile("^!--(.*)--$", REGEX_FLAGS_SI);
+ private static final Pattern P_TAGS = Pattern.compile("<(.*?)>", Pattern.DOTALL);
+ private static final Pattern P_END_TAG = Pattern.compile("^/([a-z0-9]+)", REGEX_FLAGS_SI);
+ private static final Pattern P_START_TAG = Pattern.compile("^([a-z0-9]+)(.*?)(/?)$", REGEX_FLAGS_SI);
+ private static final Pattern P_QUOTED_ATTRIBUTES = Pattern.compile("([a-z0-9]+)=([\"'])(.*?)\\2", REGEX_FLAGS_SI);
+ private static final Pattern P_UNQUOTED_ATTRIBUTES = Pattern.compile("([a-z0-9]+)(=)([^\"\\s']+)", REGEX_FLAGS_SI);
+ private static final Pattern P_PROTOCOL = Pattern.compile("^([^:]+):", REGEX_FLAGS_SI);
+ private static final Pattern P_ENTITY = Pattern.compile("&#(\\d+);?");
+ private static final Pattern P_ENTITY_UNICODE = Pattern.compile("&#x([0-9a-f]+);?");
+ private static final Pattern P_ENCODE = Pattern.compile("%([0-9a-f]{2});?");
+ private static final Pattern P_VALID_ENTITIES = Pattern.compile("&([^&;]*)(?=(;|&|$))");
+ private static final Pattern P_VALID_QUOTES = Pattern.compile("(>|^)([^<]+?)(<|$)", Pattern.DOTALL);
+ private static final Pattern P_END_ARROW = Pattern.compile("^>");
+ private static final Pattern P_BODY_TO_END = Pattern.compile("<([^>]*?)(?=<|$)");
+ private static final Pattern P_XML_CONTENT = Pattern.compile("(^|>)([^<]*?)(?=>)");
+ private static final Pattern P_STRAY_LEFT_ARROW = Pattern.compile("<([^>]*?)(?=<|$)");
+ private static final Pattern P_STRAY_RIGHT_ARROW = Pattern.compile("(^|>)([^<]*?)(?=>)");
/** set of allowed html elements, along with allowed attributes for each element **/
- protected final Map<String, List<String>> vAllowed;
+ private final Map<String, List<String>> vAllowed;
/** counts of open tags for each (allowable) html element **/
- protected final Map<String, Integer> vTagCounts = new HashMap<String, Integer>();
+ private final Map<String, Integer> vTagCounts = new HashMap<String, Integer>();
/** html elements which must always be self-closing (e.g. "<img />") **/
- protected final String[] vSelfClosingTags;
+ private final String[] vSelfClosingTags;
/** html elements which must always have separate opening and closing tags (e.g. "<b></b>") **/
- protected final String[] vNeedClosingTags;
+ private final String[] vNeedClosingTags;
/** set of disallowed html elements **/
- protected final String[] vDisallowed;
+ private final String[] vDisallowed;
/** attributes which should be checked for valid protocols **/
- protected final String[] vProtocolAtts;
+ private final String[] vProtocolAtts;
/** allowed protocols **/
- protected final String[] vAllowedProtocols;
+ private final String[] vAllowedProtocols;
/** tags which should be removed if they contain no content (e.g. "<b></b>" or "<b />") **/
- protected final String[] vRemoveBlanks;
+ private final String[] vRemoveBlanks;
/** entities allowed within html markup **/
- protected final String[] vAllowedEntities;
+ private final String[] vAllowedEntities;
/** flag determining whether comments are allowed in input String. */
- protected final boolean stripComment;
- protected boolean vDebug = false;
+ private final boolean stripComment;
+ private boolean vDebug = false;
/**
* flag determining whether to try to make tags when presented with "unbalanced"
* angle brackets (e.g. "<b text </b>" becomes "<b> text </b>"). If set to false,
* unbalanced angle brackets will be html escaped.
*/
- protected final boolean alwaysMakeTags;
+ private final boolean alwaysMakeTags;
/** Default constructor.
*
@@ -166,11 +166,11 @@
alwaysMakeTags = (Boolean) configuration.get("alwaysMakeTags");
}
- protected void reset() {
+ private void reset() {
vTagCounts.clear();
}
- protected void debug(final String msg) {
+ private void debug(final String msg) {
if (vDebug) {
Logger.getAnonymousLogger().info(msg);
}
@@ -220,7 +220,7 @@
return s;
}
- protected String escapeComments(final String s) {
+ private String escapeComments(final String s) {
final Matcher m = P_COMMENTS.matcher(s);
final StringBuffer buf = new StringBuffer();
if (m.find()) {
@@ -232,7 +232,7 @@
return buf.toString();
}
- protected String balanceHTML(String s) {
+ private String balanceHTML(String s) {
if (alwaysMakeTags) {
//
// try and form html
@@ -259,7 +259,7 @@
return s;
}
- protected String checkTags(String s) {
+ private String checkTags(String s) {
Matcher m = P_TAGS.matcher(s);
final StringBuffer buf = new StringBuffer();
@@ -283,7 +283,7 @@
return s;
}
- protected String processRemoveBlanks(String s) {
+ private String processRemoveBlanks(String s) {
for (String tag : vRemoveBlanks) {
s = regexReplace("<" + tag + "(\\s[^>]*)?></" + tag + ">", "", s);
s = regexReplace("<" + tag + "(\\s[^>]*)?/>", "", s);
@@ -292,16 +292,16 @@
return s;
}
- protected String regexReplace(final String regex_pattern, final String replacement, final String s) {
+ private String regexReplace(final String regex_pattern, final String replacement, final String s) {
return regexReplace(Pattern.compile(regex_pattern), replacement, s);
}
- protected String regexReplace(final Pattern regex_pattern, final String replacement, final String s) {
+ private String regexReplace(final Pattern regex_pattern, final String replacement, final String s) {
Matcher m = regex_pattern.matcher(s);
return m.replaceAll(replacement);
}
- protected String processTag(final String s) {
+ private String processTag(final String s) {
// ending tags
Matcher m = P_END_TAG.matcher(s);
if (m.find()) {
@@ -389,7 +389,7 @@
return "";
}
- protected String processParamProtocol(String s) {
+ private String processParamProtocol(String s) {
s = decodeEntities(s);
final Matcher m = P_PROTOCOL.matcher(s);
if (m.find()) {
@@ -406,7 +406,7 @@
return s;
}
- protected String decodeEntities(String s) {
+ private String decodeEntities(String s) {
StringBuffer buf = new StringBuffer();
Matcher m = P_ENTITY.matcher(s);
@@ -442,7 +442,7 @@
return s;
}
- protected String validateEntities(String s) {
+ private String validateEntities(String s) {
StringBuffer buf = new StringBuffer();
// validate entities throughout the string
@@ -471,14 +471,14 @@
return s;
}
- protected String checkEntity(final String preamble, final String term) {
+ private String checkEntity(final String preamble, final String term) {
return ";".equals(term) && isValidEntity(preamble)
? '&' + preamble
: "&" + preamble;
}
- protected boolean isValidEntity(final String entity) {
+ private boolean isValidEntity(final String entity) {
return inArray(entity, vAllowedEntities);
}
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
1 message has been excluded from this view by a project administrator.
