// Copyright (c) 2011, Mike Samuel // All rights reserved. // // Redistribution and use in source and binary forms, with or without // modification, are permitted provided that the following conditions // are met: // // Redistributions of source code must retain the above copyright // notice, this list of conditions and the following disclaimer. // Redistributions in binary form must reproduce the above copyright // notice, this list of conditions and the following disclaimer in the // documentation and/or other materials provided with the distribution. // Neither the name of the OWASP nor the names of its contributors may // be used to endorse or promote products derived from this software // without specific prior written permission. // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS // "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT // LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS // FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE // COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, // INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, // BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; // LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER // CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT // LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN // ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE // POSSIBILITY OF SUCH DAMAGE. package org.owasp.html; /** * Pre-packaged HTML sanitizer policies. * *
* These policies can be used to sanitize content. *
** Sanitizers.FORMATTING.sanitize({@code "Hello, World!"}) ** and can be chained *
* PolicyFactory sanitizer = Sanitizers.FORMATTING.and(Sanitizers.BLOCKS); * System.out.println(sanitizer.sanitize({@code "* *Hello, World!"})); *
* For more fine-grained control over sanitization, use * {@link HtmlPolicyBuilder}. *
* * @author Mike Samuel<p>
,
* <h1>
, etc.
*/
public static final PolicyFactory BLOCKS = new HtmlPolicyBuilder()
.allowCommonBlockElements().toFactory();
/**
* Allows certain safe CSS properties in {@code style="..."} attributes.
*/
public static final PolicyFactory STYLES = new HtmlPolicyBuilder()
.allowStyling().toFactory();
/**
* Allows HTTP, HTTPS, MAILTO, and relative links.
*/
public static final PolicyFactory LINKS = new HtmlPolicyBuilder()
.allowStandardUrlProtocols().allowElements("a")
.allowAttributes("href").onElements("a").requireRelNofollowOnLinks()
.toFactory();
private static final AttributePolicy INTEGER = new AttributePolicy() {
public String apply(
String elementName, String attributeName, String value) {
int n = value.length();
if (n == 0) { return null; }
for (int i = 0; i < n; ++i) {
char ch = value.charAt(i);
if (ch == '.') {
if (i == 0) { return null; }
return value.substring(0, i); // truncate to integer.
} else if (!('0' <= ch && ch <= '9')) {
return null;
}
}
return value;
}
};
/**
* Allows {@code } elements from HTTP, HTTPS, and relative sources.
*/
public static final PolicyFactory IMAGES = new HtmlPolicyBuilder()
.allowUrlProtocols("http", "https").allowElements("img")
.allowAttributes("alt", "src").onElements("img")
.allowAttributes("border", "height", "width").matching(INTEGER)
.onElements("img")
.toFactory();
private Sanitizers() {
// Uninstantiable.
}
}