4<FONT color="green">001</FONT>    // Copyright (c) 2011, Mike Samuel<a name="line.1"></a>
5<FONT color="green">002</FONT>    // All rights reserved.<a name="line.2"></a>
6<FONT color="green">003</FONT>    //<a name="line.3"></a>
7<FONT color="green">004</FONT>    // Redistribution and use in source and binary forms, with or without<a name="line.4"></a>
8<FONT color="green">005</FONT>    // modification, are permitted provided that the following conditions<a name="line.5"></a>
9<FONT color="green">006</FONT>    // are met:<a name="line.6"></a>
10<FONT color="green">007</FONT>    //<a name="line.7"></a>
11<FONT color="green">008</FONT>    // Redistributions of source code must retain the above copyright<a name="line.8"></a>
12<FONT color="green">009</FONT>    // notice, this list of conditions and the following disclaimer.<a name="line.9"></a>
13<FONT color="green">010</FONT>    // Redistributions in binary form must reproduce the above copyright<a name="line.10"></a>
14<FONT color="green">011</FONT>    // notice, this list of conditions and the following disclaimer in the<a name="line.11"></a>
15<FONT color="green">012</FONT>    // documentation and/or other materials provided with the distribution.<a name="line.12"></a>
16<FONT color="green">013</FONT>    // Neither the name of the OWASP nor the names of its contributors may<a name="line.13"></a>
17<FONT color="green">014</FONT>    // be used to endorse or promote products derived from this software<a name="line.14"></a>
18<FONT color="green">015</FONT>    // without specific prior written permission.<a name="line.15"></a>
19<FONT color="green">016</FONT>    // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS<a name="line.16"></a>
20<FONT color="green">017</FONT>    // "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT<a name="line.17"></a>
21<FONT color="green">018</FONT>    // LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS<a name="line.18"></a>
22<FONT color="green">019</FONT>    // FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE<a name="line.19"></a>
23<FONT color="green">020</FONT>    // COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,<a name="line.20"></a>
24<FONT color="green">021</FONT>    // INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,<a name="line.21"></a>
25<FONT color="green">022</FONT>    // BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;<a name="line.22"></a>
26<FONT color="green">023</FONT>    // LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER<a name="line.23"></a>
27<FONT color="green">024</FONT>    // CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT<a name="line.24"></a>
28<FONT color="green">025</FONT>    // LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN<a name="line.25"></a>
29<FONT color="green">026</FONT>    // ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE<a name="line.26"></a>
30<FONT color="green">027</FONT>    // POSSIBILITY OF SUCH DAMAGE.<a name="line.27"></a>
31<FONT color="green">028</FONT>    <a name="line.28"></a>
32<FONT color="green">029</FONT>    package org.owasp.html;<a name="line.29"></a>
33<FONT color="green">030</FONT>    <a name="line.30"></a>
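/**
 * Pre-packaged HTML sanitizer policies.
 *
 * <p>
 * These policies can be used to sanitize content.
 * </p>
 * <pre>
 *   Sanitizers.FORMATTING.sanitize({@code "<b>Hello, World!</b>"})
 * </pre>
 * and can be chained
 * <pre>
 *   PolicyFactory sanitizer = Sanitizers.FORMATTING.and(Sanitizers.BLOCKS);
 *   System.out.println(sanitizer.sanitize({@code "<p>Hello, <b>World!</b>"}));
 * </pre>
 *
 * <p>
 * Every policy below is built purely from {@code allow...} calls on
 * {@link HtmlPolicyBuilder}, i.e. each one is an allow-list rather than a
 * deny-list.  For more fine-grained control over sanitization, use
 * {@link HtmlPolicyBuilder} directly.
 * </p>
 *
 * @author Mike Samuel <mikesamuel@gmail.com>
 */
public final class Sanitizers {

  /**
   * Allows common formatting elements including {@code <b>}, {@code <i>}, etc.
   */
  public static final PolicyFactory FORMATTING = new HtmlPolicyBuilder()
      .allowCommonInlineFormattingElements().toFactory();

  /**
   * Allows common block elements including <code>&lt;p&gt;</code>,
   * <code>&lt;h1&gt;</code>, etc.
   */
  public static final PolicyFactory BLOCKS = new HtmlPolicyBuilder()
      .allowCommonBlockElements().toFactory();

  /**
   * Allows certain safe CSS properties in {@code style="..."} attributes.
   */
  public static final PolicyFactory STYLES = new HtmlPolicyBuilder()
      .allowStyling().toFactory();

  /**
   * Allows HTTP, HTTPS, MAILTO, and relative links.
   *
   * <p>Only the {@code href} attribute of {@code <a>} is permitted, and
   * {@code rel="nofollow"} is required on every link so that sanitized
   * user-supplied content does not pass link authority to arbitrary
   * targets.</p>
   */
  public static final PolicyFactory LINKS = new HtmlPolicyBuilder()
      .allowStandardUrlProtocols().allowElements("a")
      .allowAttributes("href").onElements("a").requireRelNofollowOnLinks()
      .toFactory();

  /**
   * Attribute policy that accepts only non-negative decimal integers.
   *
   * <p>The value must be non-empty and start with an ASCII digit.  Digits are
   * consumed until the end of the string, in which case the value is returned
   * unchanged, or until the first {@code '.'}, in which case everything from
   * the dot onwards is discarded without further validation (so
   * {@code "12.5px"} yields {@code "12"}).  Anything else -- a {@code null}
   * or empty value, a leading dot, a sign, whitespace, or any non-digit
   * character before the first dot -- is rejected by returning
   * {@code null}.</p>
   */
  private static final AttributePolicy INTEGER = new AttributePolicy() {
    @Override
    public String apply(
        String elementName, String attributeName, String value) {
      // NOTE(review): a null result is assumed to mean "drop the attribute",
      // per AttributePolicy's contract -- confirm there.
      if (value == null) { return null; }
      int n = value.length();
      if (n == 0) { return null; }
      for (int i = 0; i < n; ++i) {
        char ch = value.charAt(i);
        if (ch == '.') {
          // A leading dot leaves no integer part to keep.
          if (i == 0) { return null; }
          return value.substring(0, i);  // truncate to integer.
        } else if (!('0' <= ch && ch <= '9')) {
          return null;
        }
      }
      return value;
    }
  };

  /**
   * Allows {@code <img>} elements from HTTP, HTTPS, and relative sources.
   *
   * <p>Limiting {@code src} to the {@code http} and {@code https} protocols
   * keeps every other URL scheme (script-bearing or inline-data ones included)
   * out of image sources, and the {@code border}, {@code height} and
   * {@code width} attributes are constrained to plain integers by
   * {@code INTEGER}.</p>
   */
  public static final PolicyFactory IMAGES = new HtmlPolicyBuilder()
      .allowUrlProtocols("http", "https").allowElements("img")
      .allowAttributes("alt", "src").onElements("img")
      .allowAttributes("border", "height", "width").matching(INTEGER)
          .onElements("img")
      .toFactory();

  private Sanitizers() {
    // Uninstantiable.
  }
}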