/*
 * Copyright (C) 2010 Google Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package com.google.clearsilver.jsilver.functions.escape;

import com.google.clearsilver.jsilver.functions.TextFilter;

import java.io.IOException;
import java.util.regex.Pattern;

/**
 * This function will be used to sanitize variables introduced into javascript that are not string
 * literals. e.g. <script> var x = <?cs var: x ?> </script>
 *
 * Currently it only accepts boolean and numeric literals. All other values are replaced with a
 * 'null'. This behavior may be extended if required at a later time. This replicates the
 * autoescaping behavior of Clearsilver.
 */
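/**
 * Sanitizes a value that is inserted into JavaScript outside of a string literal, e.g.
 * {@code <script> var x = <?cs var: x ?> </script>}.
 *
 * <p>Only the boolean literals {@code true} and {@code false} and two numeric shapes -- a
 * hexadecimal form {@code 0[xX][0-9A-Fa-f]+} and a decimal/octal form made only of the characters
 * {@code [0-9+-.eE]} -- are passed through unchanged. Every other input is replaced by
 * {@code null}, which mirrors ClearSilver's autoescaping. Two inputs the earlier loop-based check
 * let through -- the empty string and a bare {@code 0x}/{@code 0X} prefix -- are now rejected as
 * well: neither is a numeric literal, and emitting them leaves a syntactically broken assignment
 * in the script.
 *
 * <p>The decimal check is a character whitelist rather than a number grammar, so it accepts some
 * strings that are not valid numbers (for example {@code "1..2"}). That is tolerable for an
 * escaper: none of the whitelisted characters can terminate the expression or open a string,
 * comment or block, so the value cannot escape the position it was inserted into.
 */
public class JsValidateUnquotedLiteral implements TextFilter {

  /** Hexadecimal literal: "0x" or "0X" followed by at least one ASCII hex digit. */
  private static final Pattern HEX_LITERAL = Pattern.compile("0[xX][0-9A-Fa-f]+");

  /**
   * Decimal (or octal) literal: one or more ASCII digits, signs, decimal points or exponent
   * markers, as in the original ClearSilver rule. The class is spelled out as ASCII ranges on
   * purpose: {@link Character#isDigit} and {@link Character#digit} also accept non-ASCII digits,
   * which JavaScript does not parse as part of a number.
   */
  private static final Pattern DECIMAL_LITERAL = Pattern.compile("[0-9+\\-.eE]+");

  /**
   * Appends {@code in} to {@code out} if it is a permitted unquoted literal, otherwise appends
   * the literal text {@code null}.
   *
   * @param in the value to validate; must not be null
   * @param out the destination for the sanitized output
   * @throws IOException if {@code out} throws while appending
   */
  @Override
  public void filter(String in, Appendable out) throws IOException {
    out.append(isPermittedLiteral(in) ? in : "null");
  }

  /**
   * Returns whether {@code in} is a boolean literal or matches one of the numeric forms above.
   * A "0x"/"0X" prefix commits the input to the hexadecimal rule, so e.g. "0x" alone and "0xg"
   * are rejected rather than falling back to the decimal whitelist.
   */
  private static boolean isPermittedLiteral(String in) {
    if (in.equals("true") || in.equals("false")) {
      return true;
    }
    if (in.startsWith("0x") || in.startsWith("0X")) {
      return HEX_LITERAL.matcher(in).matches();
    }
    return DECIMAL_LITERAL.matcher(in).matches();
  }
}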