1// Copyright (c) 2013, Mike Samuel 2// All rights reserved. 3// 4// Redistribution and use in source and binary forms, with or without 5// modification, are permitted provided that the following conditions 6// are met: 7// 8// Redistributions of source code must retain the above copyright 9// notice, this list of conditions and the following disclaimer. 10// Redistributions in binary form must reproduce the above copyright 11// notice, this list of conditions and the following disclaimer in the 12// documentation and/or other materials provided with the distribution. 13// Neither the name of the OWASP nor the names of its contributors may 14// be used to endorse or promote products derived from this software 15// without specific prior written permission. 16// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 17// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 18// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 19// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 20// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 21// INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 22// BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 23// LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 24// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 25// LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN 26// ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 27// POSSIBILITY OF SUCH DAMAGE. 28 29package org.owasp.html.examples; 30 31import java.io.IOException; 32import java.util.ArrayList; 33import java.util.List; 34 35import org.owasp.html.Handler; 36import org.owasp.html.HtmlPolicyBuilder; 37import org.owasp.html.HtmlSanitizer; 38import org.owasp.html.HtmlStreamEventReceiver; 39import org.owasp.html.HtmlStreamRenderer; 40import org.owasp.html.HtmlTextEscapingMode; 41import org.owasp.html.PolicyFactory; 42import org.owasp.html.TagBalancingHtmlStreamEventReceiver; 43 44/** 45 * Uses a custom event receiver to emit the domain of a link or inline image 46 * after the link or image. 47 */ 48public class UrlTextExample { 49 50 /** An event receiver that emits the domain of a link or image after it. */ 51 static class AppendDomainAfterText implements HtmlStreamEventReceiver { 52 final HtmlStreamEventReceiver underlying; 53 private final List<String> pendingText = new ArrayList<String>(); 54 55 AppendDomainAfterText(HtmlStreamEventReceiver underlying) { 56 this.underlying = underlying; 57 } 58 59 public void openDocument() { 60 underlying.openDocument(); 61 } 62 public void closeDocument() { 63 underlying.closeDocument(); 64 } 65 public void openTag(String elementName, List<String> attribs) { 66 underlying.openTag(elementName, attribs); 67 68 String trailingText = null; 69 70 if (!attribs.isEmpty()) { 71 // Figure out which attribute we should look for. 72 String urlAttrName = null; 73 if ("a".equals(elementName)) { 74 urlAttrName = "href"; 75 } else if ("img".equals(elementName)) { 76 urlAttrName = "src"; 77 } 78 if (urlAttrName != null) { 79 // Look for the attribute, and after it for its value. 80 for (int i = 0, n = attribs.size(); i < n; i += 2) { 81 if (urlAttrName.equals(attribs.get(i))) { 82 String url = attribs.get(i+1).trim(); 83 String domain = domainOf(url); 84 if (domain != null) { 85 trailingText = " - " + domain; 86 } 87 break; 88 } 89 } 90 } 91 } 92 if (HtmlTextEscapingMode.isVoidElement(elementName)) { 93 // A void element like <img> will not have a corresponding closeTag 94 // call. 95 if (trailingText != null) { 96 text(trailingText); 97 } 98 } else { 99 // Push the trailing text onto a stack so when we see the corresponding 100 // close tag, we can emit the text. 101 pendingText.add(trailingText); 102 } 103 } 104 public void closeTag(String elementName) { 105 underlying.closeTag(elementName); 106 // Pull the trailing text for the recently closed element off the stack. 107 int pendingTextSize = pendingText.size(); 108 if (pendingTextSize != 0) { 109 String trailingText = pendingText.remove(pendingTextSize - 1); 110 if (trailingText != null) { 111 text(trailingText); 112 } 113 } 114 } 115 public void text(String text) { 116 underlying.text(text); 117 } 118 } 119 120 public static void run(Appendable out, String... argv) throws IOException { 121 PolicyFactory policyBuilder = new HtmlPolicyBuilder() 122 .allowAttributes("src").onElements("img") 123 .allowAttributes("href").onElements("a") 124 // Allow some URLs through. 125 .allowStandardUrlProtocols() 126 .allowElements( 127 "a", "label", "h1", "h2", "h3", "h4", "h5", "h6", 128 "p", "i", "b", "u", "strong", "em", "small", "big", "pre", "code", 129 "cite", "samp", "sub", "sup", "strike", "center", "blockquote", 130 "hr", "br", "col", "font", "span", "div", "img", 131 "ul", "ol", "li", "dd", "dt", "dl", "tbody", "thead", "tfoot", 132 "table", "td", "th", "tr", "colgroup", "fieldset", "legend" 133 ).toFactory(); 134 135 StringBuilder htmlOut = new StringBuilder(); 136 HtmlSanitizer.Policy policy = policyBuilder.apply( 137 // The tag balancer passes events to AppendDomainAfterText which 138 // assumes that openTag and closeTag events line up with one-another. 139 new TagBalancingHtmlStreamEventReceiver( 140 // The domain appender forwards events to the HTML renderer, 141 new AppendDomainAfterText( 142 // which puts tags and text onto the output buffer. 143 HtmlStreamRenderer.create(htmlOut, Handler.DO_NOTHING) 144 ) 145 ) 146 ); 147 148 for (String input : argv) { 149 HtmlSanitizer.sanitize(input, policy); 150 } 151 152 out.append(htmlOut); 153 } 154 155 public static void main(String... argv) throws IOException { 156 run(System.out, argv); 157 System.out.println(); 158 } 159 160 161 /** 162 * The domain (actually authority component) of an HTML5 URL. 163 * If the input is not hierarchical, then this has undefined behavior. 164 */ 165 private static String domainOf(String url) { 166 int start = -1; 167 if (url.startsWith("//")) { 168 start = 2; 169 } else { 170 start = url.indexOf("://"); 171 if (start >= 0) { start += 3; } 172 } 173 if (start < 0) { return null; } 174 for (int i = 0; i < start - 3; ++i) { 175 switch (url.charAt(i)) { 176 case '/': case '?': case '#': return null; 177 default: break; 178 } 179 } 180 int end = url.length(); 181 for (int i = start; i < end; ++i) { 182 switch (url.charAt(i)) { 183 case '/': case '?': case '#': end = i; break; 184 default: break; 185 } 186 } 187 if (start < end) { 188 return url.substring(start, end); 189 } else { 190 return null; 191 } 192 } 193} 194