<?xml version="1.0" encoding="UTF-8" ?>
<taglib version="2.1"
        xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-jsptaglibrary_2_1.xsd"
        xmlns="http://java.sun.com/xml/ns/javaee"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <display-name>OWASP Java Encoder Project</display-name>
  <tlib-version>1.0</tlib-version>
  <short-name>e</short-name>
  <uri>owasp.encoder.jakarta</uri>
  <tag>
    <description>
      Encodes data for an XML CDATA section. On the chance that the input
      contains a terminating "]]&gt;", it will be replaced by
      &quot;]]&gt;]]&lt;![CDATA[&gt;&quot;.
      As with all XML contexts, characters that are invalid according to the
      XML specification will be replaced by a space character. The caller must
      provide the CDATA section boundaries.
    </description>
    <display-name>forCDATA</display-name>
    <name>forCDATA</name>
    <tag-class>org.owasp.encoder.tag.ForCDATATag</tag-class>
    <body-content>empty</body-content>
    <attribute>
      <description>The value to be written out</description>
      <name>value</name>
      <required>true</required>
      <rtexprvalue>true</rtexprvalue>
      <type>java.lang.String</type>
    </attribute>
  </tag>
  <tag>
    <description>
      This method encodes for HTML text content. It does not escape
      quotation characters and is thus unsafe for use with
      HTML attributes. Use either forHtml or forHtmlAttribute for those
      contexts.
    </description>
    <display-name>forHtmlContent</display-name>
    <name>forHtmlContent</name>
    <tag-class>org.owasp.encoder.tag.ForHtmlContentTag</tag-class>
    <body-content>empty</body-content>
    <attribute>
      <description>value to be written out</description>
      <name>value</name>
      <required>true</required>
      <rtexprvalue>true</rtexprvalue>
      <type>java.lang.String</type>
    </attribute>
  </tag>
  <tag>
    <description>Encodes for XML and XHTML attribute content.</description>
    <display-name>forXmlAttribute</display-name>
    <name>forXmlAttribute</name>
    <tag-class>org.owasp.encoder.tag.ForXmlAttributeTag</tag-class>
    <body-content>empty</body-content>
    <attribute>
      <description>value to be written out</description>
      <name>value</name>
      <required>true</required>
      <rtexprvalue>true</rtexprvalue>
      <type>java.lang.String</type>
    </attribute>
  </tag>
  <tag>
    <description>Encodes for XML and XHTML.</description>
    <display-name>forXml</display-name>
    <name>forXml</name>
    <tag-class>org.owasp.encoder.tag.ForXmlTag</tag-class>
    <body-content>empty</body-content>
    <attribute>
      <description>value to be written out</description>
      <name>value</name>
      <required>true</required>
      <rtexprvalue>true</rtexprvalue>
      <type>java.lang.String</type>
    </attribute>
  </tag>
  <tag>
    <description>
      Encodes for a JavaScript string. It is safe for use in HTML
      script attributes (such as onclick), script
      blocks, JSON files, and JavaScript source. The caller MUST
      provide the surrounding quotation characters for the string.
      Since this performs additional encoding so it can work in all
      of the JavaScript contexts listed, it may be slightly less
      efficient than using one of the methods targeted to a specific
      JavaScript context: forJavaScriptAttribute,
      forJavaScriptBlock, or forJavaScriptSource.

      Unless you are interested in saving a few bytes of output or
      are writing a framework on top of this library, it is recommended
      that you use this method over the others.
    </description>
    <display-name>forJavaScript</display-name>
    <name>forJavaScript</name>
    <tag-class>org.owasp.encoder.tag.ForJavaScriptTag</tag-class>
    <body-content>empty</body-content>
    <attribute>
      <description>value to be written out</description>
      <name>value</name>
      <required>true</required>
      <rtexprvalue>true</rtexprvalue>
      <type>java.lang.String</type>
    </attribute>
  </tag>
  <tag>
    <description>
      Encodes for unquoted HTML attribute values. forHtml(String) or
      forHtmlAttribute(String) should usually be preferred over this
      method, as quoted attributes are XHTML compliant.
    </description>
    <display-name>forHtmlUnquotedAttribute</display-name>
    <name>forHtmlUnquotedAttribute</name>
    <tag-class>org.owasp.encoder.tag.ForHtmlUnquotedAttributeTag</tag-class>
    <body-content>empty</body-content>
    <attribute>
      <description>value to be written out</description>
      <name>value</name>
      <required>true</required>
      <rtexprvalue>true</rtexprvalue>
      <type>java.lang.String</type>
    </attribute>
  </tag>
  <tag>
    <description>
      Performs percent-encoding of a URL according to RFC 3986. The provided
      URL is assumed to be a valid URL. This method does not do any checking on
      the quality or safety of the URL itself. In many applications it may
      be better to use java.net.URI instead. Note: this is a
      particularly dangerous context to put untrusted content in, as for
      example a "javascript:" URL provided by a malicious user would be
      "properly" escaped, and still execute.
    </description>
    <display-name>forUri</display-name>
    <name>forUri</name>
    <tag-class>org.owasp.encoder.tag.ForUriTag</tag-class>
    <body-content>empty</body-content>
    <attribute>
      <description>value to be written out</description>
      <name>value</name>
      <required>true</required>
      <rtexprvalue>true</rtexprvalue>
      <type>java.lang.String</type>
    </attribute>
  </tag>
  <tag>
    <description>
      Encodes for CSS URL contexts. The context must be surrounded by "url()". It
      is safe for use in both style blocks and attributes in HTML. Note: this does
      not do any checking on the quality or safety of the URL itself. The caller
      should ensure that the URL is safe for embedding (e.g. input validation) by
      other means.
    </description>
    <display-name>forCssUrl</display-name>
    <name>forCssUrl</name>
    <tag-class>org.owasp.encoder.tag.ForCssUrlTag</tag-class>
    <body-content>empty</body-content>
    <attribute>
      <description>value to be written out</description>
      <name>value</name>
      <required>true</required>
      <rtexprvalue>true</rtexprvalue>
      <type>java.lang.String</type>
    </attribute>
  </tag>
  <tag>
    <description>Encodes for HTML text attributes.</description>
    <display-name>forHtmlAttribute</display-name>
    <name>forHtmlAttribute</name>
    <tag-class>org.owasp.encoder.tag.ForHtmlAttributeTag</tag-class>
    <body-content>empty</body-content>
    <attribute>
      <description>value to be written out</description>
      <name>value</name>
      <required>true</required>
      <rtexprvalue>true</rtexprvalue>
      <type>java.lang.String</type>
    </attribute>
  </tag>
  <tag>
    <description>
      Encodes for (X)HTML text content and text attributes.
    </description>
    <display-name>forHtml</display-name>
    <name>forHtml</name>
    <tag-class>org.owasp.encoder.tag.ForHtmlTag</tag-class>
    <body-content>empty</body-content>
    <attribute>
      <description>value to be written out</description>
      <name>value</name>
      <required>true</required>
      <rtexprvalue>true</rtexprvalue>
      <type>java.lang.String</type>
    </attribute>
  </tag>
  <tag>
    <description>
      Encodes for HTML text content. It does not escape
      quotation characters and is thus unsafe for use with
      HTML attributes. Use either forHtml or forHtmlAttribute for those
      contexts.
    </description>
    <display-name>forXmlContent</display-name>
    <name>forXmlContent</name>
    <tag-class>org.owasp.encoder.tag.ForXmlContentTag</tag-class>
    <body-content>empty</body-content>
    <attribute>
      <description>value to be written out</description>
      <name>value</name>
      <required>true</required>
      <rtexprvalue>true</rtexprvalue>
      <type>java.lang.String</type>
    </attribute>
  </tag>
  <tag>
    <description>
      Performs percent-encoding for a component of a URI, such as a query
      parameter name or value, path or query-string. In particular this
      method ensures that special characters in the component do not get
      interpreted as part of another component.
    </description>
    <display-name>forUriComponent</display-name>
    <name>forUriComponent</name>
    <tag-class>org.owasp.encoder.tag.ForUriComponentTag</tag-class>
    <body-content>empty</body-content>
    <attribute>
      <description>value to be written out</description>
      <name>value</name>
      <required>true</required>
      <rtexprvalue>true</rtexprvalue>
      <type>java.lang.String</type>
    </attribute>
  </tag>
  <tag>
    <description>
      Encodes for CSS strings. The context must be surrounded by quotation characters.
      It is safe for use in both style blocks and attributes in HTML.
    </description>
    <display-name>forCssString</display-name>
    <name>forCssString</name>
    <tag-class>org.owasp.encoder.tag.ForCssStringTag</tag-class>
    <body-content>empty</body-content>
    <attribute>
      <description>value to be written out</description>
      <name>value</name>
      <required>true</required>
      <rtexprvalue>true</rtexprvalue>
      <type>java.lang.String</type>
    </attribute>
  </tag>
  <function>
    <description>
      Encodes for (X)HTML text content and text attributes.
    </description>
    <display-name>forHtml</display-name>
    <name>forHtml</name>
    <function-class>org.owasp.encoder.Encode</function-class>
    <function-signature>java.lang.String forHtml(java.lang.String)</function-signature>
    <example>forHtml(unsafeData)</example>
  </function>
  <function>
    <description>
      This method encodes for HTML text content. It does not escape
      quotation characters and is thus unsafe for use with
      HTML attributes. Use either forHtml or forHtmlAttribute for those
      contexts.
    </description>
    <display-name>forHtmlContent</display-name>
    <name>forHtmlContent</name>
    <function-class>org.owasp.encoder.Encode</function-class>
    <function-signature>java.lang.String forHtmlContent(java.lang.String)</function-signature>
    <example>forHtmlContent(unsafeData)</example>
  </function>
  <function>
    <description>Encodes for HTML text attributes.</description>
    <name>forHtmlAttribute</name>
    <function-class>org.owasp.encoder.Encode</function-class>
    <function-signature>java.lang.String forHtmlAttribute(java.lang.String)</function-signature>
    <example>forHtmlAttribute(unsafeData)</example>
  </function>
  <function>
    <description>
      Encodes for unquoted HTML attribute values. forHtml(String) or
      forHtmlAttribute(String) should usually be preferred over this
      method, as quoted attributes are XHTML compliant.
    </description>
    <display-name>forHtmlUnquotedAttribute</display-name>
    <name>forHtmlUnquotedAttribute</name>
    <function-class>org.owasp.encoder.Encode</function-class>
    <function-signature>java.lang.String forHtmlUnquotedAttribute(java.lang.String)</function-signature>
    <example>forHtmlUnquotedAttribute(unsafeData)</example>
  </function>
  <function>
    <description>
      Encodes for CSS strings. The context must be surrounded by quotation characters.
      It is safe for use in both style blocks and attributes in HTML.
    </description>
    <display-name>forCssString</display-name>
    <name>forCssString</name>
    <function-class>org.owasp.encoder.Encode</function-class>
    <function-signature>java.lang.String forCssString(java.lang.String)</function-signature>
    <example>forCssString(unsafeData)</example>
  </function>
  <function>
    <description>
      Encodes for CSS URL contexts. The context must be surrounded by "url()". It
      is safe for use in both style blocks and attributes in HTML. Note: this does
      not do any checking on the quality or safety of the URL itself. The caller
      should ensure that the URL is safe for embedding (e.g. input validation) by
      other means.
    </description>
    <display-name>forCssUrl</display-name>
    <name>forCssUrl</name>
    <function-class>org.owasp.encoder.Encode</function-class>
    <function-signature>java.lang.String forCssUrl(java.lang.String)</function-signature>
    <example>forCssUrl(unsafeData)</example>
  </function>
  <function>
    <description>
      Performs percent-encoding of a URL according to RFC 3986. The provided
      URL is assumed to be a valid URL. This method does not do any checking on
      the quality or safety of the URL itself. In many applications it may
      be better to use java.net.URI instead.
      Note: this is a
      particularly dangerous context to put untrusted content in, as for
      example a "javascript:" URL provided by a malicious user would be
      "properly" escaped, and still execute.
    </description>
    <display-name>forUri</display-name>
    <name>forUri</name>
    <function-class>org.owasp.encoder.Encode</function-class>
    <function-signature>java.lang.String forUri(java.lang.String)</function-signature>
    <example>forUri(unsafeData)</example>
  </function>
  <function>
    <description>
      Performs percent-encoding for a component of a URI, such as a query
      parameter name or value, path or query-string. In particular this
      method ensures that special characters in the component do not get
      interpreted as part of another component.
    </description>
    <display-name>forUriComponent</display-name>
    <name>forUriComponent</name>
    <function-class>org.owasp.encoder.Encode</function-class>
    <function-signature>java.lang.String forUriComponent(java.lang.String)</function-signature>
    <example>forUriComponent(unsafeData)</example>
  </function>
  <function>
    <description>Encodes for XML and XHTML.</description>
    <display-name>forXml</display-name>
    <name>forXml</name>
    <function-class>org.owasp.encoder.Encode</function-class>
    <function-signature>java.lang.String forXml(java.lang.String)</function-signature>
    <example>forXml(unsafeData)</example>
  </function>
  <function>
    <description>
      Encodes for HTML text content. It does not escape
      quotation characters and is thus unsafe for use with
      HTML attributes. Use either forHtml or forHtmlAttribute for those
      contexts.
    </description>
    <display-name>forXmlContent</display-name>
    <name>forXmlContent</name>
    <function-class>org.owasp.encoder.Encode</function-class>
    <function-signature>java.lang.String forXmlContent(java.lang.String)</function-signature>
    <example>forXmlContent(unsafeData)</example>
  </function>
  <function>
    <description>Encodes for XML and XHTML attribute content.</description>
    <display-name>forXmlAttribute</display-name>
    <name>forXmlAttribute</name>
    <function-class>org.owasp.encoder.Encode</function-class>
    <function-signature>java.lang.String forXmlAttribute(java.lang.String)</function-signature>
    <example>forXmlAttribute(unsafeData)</example>
  </function>
  <function>
    <description>
      Encodes data for an XML CDATA section. On the chance that the input
      contains a terminating "]]&gt;", it will be replaced by
      &quot;]]&gt;]]&lt;![CDATA[&gt;&quot;.
      As with all XML contexts, characters that are invalid according to the
      XML specification will be replaced by a space character. The caller must
      provide the CDATA section boundaries.
    </description>
    <display-name>forCDATA</display-name>
    <name>forCDATA</name>
    <function-class>org.owasp.encoder.Encode</function-class>
    <function-signature>java.lang.String forCDATA(java.lang.String)</function-signature>
    <example>forCDATA(unsafeData)</example>
  </function>
  <function>
    <description>
      Encodes for a JavaScript string. It is safe for use in HTML
      script attributes (such as onclick), script
      blocks, JSON files, and JavaScript source. The caller MUST
      provide the surrounding quotation characters for the string.
    </description>
    <display-name>forJavaScript</display-name>
    <name>forJavaScript</name>
    <function-class>org.owasp.encoder.Encode</function-class>
    <function-signature>java.lang.String forJavaScript(java.lang.String)</function-signature>
    <example>forJavaScript(unsafeData)</example>
  </function>
</taglib>