156ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson/* 256ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson * Copyright (C) 2010 Google Inc. 356ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson * 456ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson * Licensed under the Apache License, Version 2.0 (the "License"); 556ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson * you may not use this file except in compliance with the License. 656ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson * You may obtain a copy of the License at 756ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson * 856ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson * http://www.apache.org/licenses/LICENSE-2.0 956ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson * 1056ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson * Unless required by applicable law or agreed to in writing, software 1156ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson * distributed under the License is distributed on an "AS IS" BASIS, 1256ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 1356ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson * See the License for the specific language governing permissions and 1456ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson * limitations under the License. 1556ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson */ 1656ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson 1756ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodsonpackage com.google.clearsilver.jsilver.functions.escape; 1856ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson 1956ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodsonimport com.google.clearsilver.jsilver.functions.TextFilter; 2056ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson 2156ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodsonimport java.io.IOException; 2256ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson 2356ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson/** 2456ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson * This function will be used to sanitize variables in 'style' attributes. It strips out any 2556ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson * characters that are not part of a whitelist of safe characters. This replicates the autoescaping 2656ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson * behavior of Clearsilver. 2756ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson * 2856ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson * It does not extend SimpleEscapingFunction because SimpleEscapingFunction requires a blacklist of 2956ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson * characters to escape. The StyleAttrEscapeFunction instead applies a whitelist, and strips out any 3056ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson * characters not in the whitelist. 3156ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson */ 3256ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodsonpublic class StyleEscapeFunction implements TextFilter { 3356ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson 3456ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson private static final boolean[] UNQUOTED_VALID_CHARS; 3556ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson private static final boolean[] VALID_CHARS; 3656ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson private static final int MAX_CHARS = 0x80; 3756ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson 3856ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson static { 3956ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson // Allow characters likely to occur inside a style property value. 4056ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson // Refer http://www.w3.org/TR/CSS21/ for more details. 4156ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson String SPECIAL_CHARS = "_.,!#%- "; 4256ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson String UNQUOTED_SPECIAL_CHARS = "_.,!#%-"; 4356ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson 4456ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson VALID_CHARS = new boolean[MAX_CHARS]; 4556ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson UNQUOTED_VALID_CHARS = new boolean[MAX_CHARS]; 4656ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson 4756ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson for (int n = 0; n < MAX_CHARS; n++) { 4856ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson VALID_CHARS[n] = false; 4956ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson UNQUOTED_VALID_CHARS[n] = false; 5056ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson 5156ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson if (Character.isLetterOrDigit(n)) { 5256ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson VALID_CHARS[n] = true; 5356ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson UNQUOTED_VALID_CHARS[n] = true; 5456ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson } else { 5556ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson if (SPECIAL_CHARS.indexOf(n) != -1) { 5656ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson VALID_CHARS[n] = true; 5756ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson } 5856ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson 5956ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson if (UNQUOTED_SPECIAL_CHARS.indexOf(n) != -1) { 6056ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson UNQUOTED_VALID_CHARS[n] = true; 6156ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson } 6256ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson } 6356ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson } 6456ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson } 6556ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson 6656ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson private final boolean[] validChars; 6756ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson 6856ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson /** 6956ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson * isUnquoted should be true if the function is escaping a string that will appear inside an 7056ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson * unquoted style attribute. 7156ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson * 7256ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson */ 7356ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson public StyleEscapeFunction(boolean isUnquoted) { 7456ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson if (isUnquoted) { 7556ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson validChars = UNQUOTED_VALID_CHARS; 7656ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson } else { 7756ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson validChars = VALID_CHARS; 7856ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson } 7956ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson } 8056ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson 8156ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson public void filter(String in, Appendable out) throws IOException { 8256ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson for (char c : in.toCharArray()) { 8356ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson if (c < MAX_CHARS && validChars[c]) { 8456ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson out.append(c); 8556ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson } else if (c >= MAX_CHARS) { 8656ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson out.append(c); 8756ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson } 8856ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson } 8956ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson } 9056ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson 9156ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson public void dumpInfo() { 9256ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson for (int i = 0; i < MAX_CHARS; i++) { 9356ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson System.out.println(i + "(" + (char) i + ")" + " :" + VALID_CHARS[i]); 9456ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson } 9556ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson } 9656ed4167b942ec265f9cee70ac4d71d10b3835ceBen Dodson} 97