JsValidateUnquotedLiteral.java revision 56ed4167b942ec265f9cee70ac4d71d10b3835ce 
1/*
2 * Copyright (C) 2010 Google Inc.
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17package com.google.clearsilver.jsilver.functions.escape;
18
19import com.google.clearsilver.jsilver.functions.TextFilter;
20
21import java.io.IOException;
22
23/**
24 * This function will be used to sanitize variables introduced into javascript that are not string
25 * literals. e.g. <script> var x = <?cs var: x ?> </script>
26 *
27 * Currently it only accepts boolean and numeric literals. All other values are replaced with a
28 * 'null'. This behavior may be extended if required at a later time. This replicates the
29 * autoescaping behavior of Clearsilver.
30 */
31public class JsValidateUnquotedLiteral implements TextFilter {
32
33  public void filter(String in, Appendable out) throws IOException {
34    /* Permit boolean literals */
35    if (in.equals("true") || in.equals("false")) {
36      out.append(in);
37      return;
38    }
39
40    boolean valid = true;
41    if (in.startsWith("0x") || in.startsWith("0X")) {
42
43      /*
44       * There must be at least one hex digit after the 0x for it to be valid. Hex number. Check
45       * that it is of the form 0(x|X)[0-9A-Fa-f]+
46       */
47      for (int i = 2; i < in.length(); i++) {
48        char c = in.charAt(i);
49        if (!((c >= 'a' && c <= 'f') || (c >= 'A' && c <= 'F') || (c >= '0' && c <= '9'))) {
50          valid = false;
51          break;
52        }
53      }
54    } else {
55      /*
56       * Must be a base-10 (or octal) number. Check that it has the form [0-9+-.eE]+
57       */
58      for (int i = 0; i < in.length(); i++) {
59        char c = in.charAt(i);
60        if (!((c >= '0' && c <= '9') || c == '+' || c == '-' || c == '.' || c == 'e' || c == 'E')) {
61          valid = false;
62          break;
63        }
64      }
65    }
66
67    if (valid) {
68      out.append(in);
69    } else {
70      out.append("null");
71    }
72  }
73
74}
75