0001: /**********************************************************************************
0002: * $URL: https://source.sakaiproject.org/svn/util/tags/sakai_2-4-1/util-util/util/src/java/org/sakaiproject/util/FormattedText.java $
0003: * $Id: FormattedText.java 28363 2007-04-04 20:04:35Z ajpoland@iupui.edu $
0004: ***********************************************************************************
0005: *
0006: * Copyright (c) 2003, 2004, 2005, 2006 The Sakai Foundation.
0007: *
0008: * Licensed under the Educational Community License, Version 1.0 (the "License");
0009: * you may not use this file except in compliance with the License.
0010: * You may obtain a copy of the License at
0011: *
0012: * http://www.opensource.org/licenses/ecl1.php
0013: *
0014: * Unless required by applicable law or agreed to in writing, software
0015: * distributed under the License is distributed on an "AS IS" BASIS,
0016: * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
0017: * See the License for the specific language governing permissions and
0018: * limitations under the License.
0019: *
0020: **********************************************************************************/package org.sakaiproject.util;
0021:
0022: import java.util.Stack;
0023: import java.util.regex.Matcher;
0024: import java.util.regex.Pattern;
0025:
0026: import org.apache.commons.logging.Log;
0027: import org.apache.commons.logging.LogFactory;
0028: import org.w3c.dom.Element;
0029:
0030: import org.sakaiproject.component.cover.ServerConfigurationService;
0031:
0032: /**
0033: * FormattedText provides support for user entry of formatted text; the formatted text is HTML. This includes text formatting in user input such as bold, underline, and fonts.
0034: */
0035: public class FormattedText {
0036: /** Our log (commons). */
0037: private static Log M_log = LogFactory.getLog(FormattedText.class);
0038:
0039: /**
0040: * This list of good and evil tags was extracted from:
0041: *
0042: * @link http://www.blooberry.com/indexdot/html/tagindex/all.htm
0043: */
0044: private static String[] M_goodTags;
0045:
0046: private static String[] M_archivalGoodTags = { "a", "abbr",
0047: "acronym", "address", "b", "big", "blockquote", "br",
0048: "center", "cite", "code", "dd", "del", "dir", "div", "dl",
0049: "dt", "em", "font", "hr", "h1", "h2", "h3", "h4", "h5",
0050: "h6", "i", "ins", "kbd", "li", "marquee", "menu", "nobr",
0051: "ol", "p", "pre", "q", "rt", "ruby", "rbc", "rb", "rtc",
0052: "rp", "s", "samp", "small", "span", "strike", "strong",
0053: "sub", "sup", "tt", "u", "ul", "var", "xmp", "table", "tr",
0054: "td", "th", "tbody", "caption", "thead", "tfoot",
0055: "colgroup", "col" };
0056:
0057: private static String[] M_richGoodTags = { "a", "abbr", "acronym",
0058: "address", "b", "big", "blockquote", "br", "center",
0059: "cite", "code", "dd", "del", "dir", "div", "dl", "dt",
0060: "em", "font", "hr", "h1", "h2", "h3", "h4", "h5", "h6",
0061: "i", "ins", "kbd", "li", "marquee", "menu", "nobr",
0062: "noembed", "ol", "p", "pre", "q", "rt", "ruby", "rbc",
0063: "rb", "rtc", "rp", "s", "samp", "small", "span", "strike",
0064: "strong", "sub", "sup", "tt", "u", "ul", "var", "xmp",
0065: "img", "embed", "object", "table", "tr", "td", "th",
0066: "tbody", "caption", "thead", "tfoot", "colgroup", "col" };
0067:
0068: private static String[] M_goodAttributes = { "abbr", "accept",
0069: "accesskey", "align", "alink", "alt", "axis", "background",
0070: "bgcolor", "border", "cellpadding", "cellspacing", "char",
0071: "charoff", "charset", "checked", "cite", "class",
0072: "classid", "clear", "color", "cols", "colspan", "compact",
0073: "content", "coords", "datetime", "dir", "disabled",
0074: "enctype", "face", "for", "header", "height", "href",
0075: "hreflang", "hspace", "id", "ismap", "label", "lang",
0076: "longdesc", "maxlength", "multiple", "name", "noshade",
0077: "nowrap", "profile", "readonly", "rel", "rev", "rows",
0078: "rowspan", "rules", "scope", "selected", "shape", "size",
0079: "span", "src", "style", "summary", "tabindex", "target",
0080: "text", "title", "type", "usemap", "valign", "value",
0081: "vlink", "vspace", "width" };
0082:
0083: private static String[] M_evilValues = { "javascript:",
0084: "behavior:", "vbscript:", "mocha:", "livescript:",
0085: "expression" };
0086:
0087: /**
0088: * These evil HTML tags are disallowed when the user inputs formatted text; this protects the system from broken pages as well as Cross-Site Scripting (XSS) attacks.
0089: */
0090: private static String[] M_evilTags;
0091:
0092: private static String[] M_archivalEvilTags = { "applet", "base",
0093: "body", "bgsound", "button", "col", "colgroup", "comment",
0094: "embed", "dfn", "embed", "fieldset", "form", "frame",
0095: "frameset", "head", "html", "iframe", "ilayer", "img",
0096: "inlineinput", "isindex", "input", "keygen", "label",
0097: "layer", "legend", "link", "listing", "map", "meta",
0098: "multicol", "nextid", "noembed", "noframes", "nolayer",
0099: "noscript", "object", "optgroup", "option", "param",
0100: "plaintext", "script", "select", "sound", "spacer",
0101: "spell", "submit", "textarea", "title", "wbr" };
0102:
0103: private static String[] M_richEvilTags = { "applet", "base",
0104: "body", "bgsound", "button", "col", "colgroup", "comment",
0105: "dfn", "fieldset", "form", "frame", "frameset", "head",
0106: "html", "iframe", "ilayer", "inlineinput", "isindex",
0107: "input", "keygen", "label", "layer", "legend", "link",
0108: "listing", "map", "meta", "multicol", "nextid", "noframes",
0109: "nolayer", "noscript", "optgroup", "option", "param",
0110: "plaintext", "script", "select", "sound", "spacer",
0111: "spell", "submit", "textarea", "title", "wbr" };
0112:
0113: /** An array of regular expression pattern-matchers, that will match the tags given in M_evilTags */
0114: private static Pattern[] M_evilTagsPatterns;
0115:
0116: /** An array of regular expression pattern-matchers, that will match the tags given in M_goodTags */
0117: private static Pattern[] M_goodTagsPatterns;
0118:
0119: /** An array of regular expression pattern-matchers, that will match the tags given in M_goodCloseTags */
0120: private static Pattern[] M_goodCloseTagsPatterns;
0121:
0122: /** An array of regular expression pattern-matchers, that will match the attributes given in M_goodAttributeTags */
0123: private static Pattern[] M_goodAttributePatterns;
0124:
0125: /** An array of regular expression pattern-matchers, that will match the attributes given in M_evilValues */
0126: private static Pattern[] M_evilValuePatterns;
0127:
0128: static {
0129: init();
0130: }
0131:
0132: private static void init() {
0133: String focus = ServerConfigurationService
0134: .getString("tags.focus");
0135:
0136: if ("archival".equals(focus)) {
0137: M_goodTags = M_archivalGoodTags;
0138: M_evilTags = M_archivalEvilTags;
0139: } else {
0140: M_goodTags = M_richGoodTags;
0141: M_evilTags = M_richEvilTags;
0142: }
0143:
0144: M_evilTagsPatterns = new Pattern[M_evilTags.length];
0145: for (int i = 0; i < M_evilTags.length; i++) {
0146: // matches the start of the particular evil tag "<" followed by whitespace,
0147: // followed by the tag name, followed by anything, followed by ">", case insensitive,
0148: // allowed to match over multiple lines.
0149: M_evilTagsPatterns[i] = Pattern.compile(".*<\\s*"
0150: + M_evilTags[i] + ".*>.*", Pattern.CASE_INSENSITIVE
0151: | Pattern.UNICODE_CASE | Pattern.DOTALL);
0152: }
0153:
0154: M_goodTagsPatterns = new Pattern[M_goodTags.length];
0155: M_goodCloseTagsPatterns = new Pattern[M_goodTags.length];
0156: for (int i = 0; i < M_goodTags.length; i++) {
0157: // matches the start of the particular good tag "<" followed by whitespace,
0158: // followed by the tag name, followed by anything, followed by ">", case insensitive,
0159: // allowed to match over multiple lines.
0160: M_goodTagsPatterns[i] = Pattern.compile(".*<\\s*"
0161: + M_goodTags[i] + "(\\s+.*>|>|/>).*",
0162: Pattern.CASE_INSENSITIVE | Pattern.UNICODE_CASE
0163: | Pattern.DOTALL);
0164: M_goodCloseTagsPatterns[i] = Pattern.compile("<\\s*/\\s*"
0165: + M_goodTags[i] + "(\\s.*>|>)",
0166: Pattern.CASE_INSENSITIVE | Pattern.UNICODE_CASE
0167: | Pattern.DOTALL);
0168: }
0169:
0170: M_goodAttributePatterns = new Pattern[M_goodAttributes.length];
0171: for (int i = 0; i < M_goodAttributes.length; i++) {
0172: M_goodAttributePatterns[i] = Pattern.compile("\\s+"
0173: + M_goodAttributes[i]
0174: + "(\\s*=\\s*(?:\".*?\"|'.*?'|[^'\">\\s]+))",
0175: Pattern.CASE_INSENSITIVE | Pattern.UNICODE_CASE
0176: | Pattern.DOTALL);
0177: }
0178:
0179: M_evilValuePatterns = new Pattern[M_evilValues.length];
0180: String pads = "(\\s)*?(?:/\\*.*\\*/|<!--.*-->|\0|)*?(\\s)*?";
0181: for (int i = 0; i < M_evilValues.length; i++) {
0182: String complexPattern = "\\s*";
0183: String value = M_evilValues[i];
0184: for (int j = 0; j < value.length(); j++) {
0185: complexPattern += value.charAt(j) + pads;
0186: }
0187:
0188: M_evilValuePatterns[i] = Pattern.compile(complexPattern,
0189: Pattern.CASE_INSENSITIVE | Pattern.UNICODE_CASE
0190: | Pattern.DOTALL);
0191: }
0192:
0193: }
0194:
0195: /** Matches HTML-style line breaks like <br> */
0196: private static Pattern M_patternTagBr = Pattern.compile(
0197: "<\\s*br\\s+?[^<>]*?>\\s*", Pattern.CASE_INSENSITIVE);
0198:
0199: /** Matches any HTML-style tag, like <anything> */
0200: private static Pattern M_patternTag = Pattern.compile("<.*?>",
0201: Pattern.DOTALL);
0202:
0203: /** Matches the 3 main pieces of any HTML tag */
0204: private static Pattern M_patternTagPieces = Pattern.compile(
0205: "((?:<|</)\\w+)(\\s[^>]*?)?(/>|>)", Pattern.DOTALL);
0206:
0207: /** Matches newlines */
0208: private static Pattern M_patternNewline = Pattern.compile("\\n");
0209:
0210: /**
0211: * Matches anchor tags so that a target can be added to them. This ensures that links in formatted text are forced to open up in a new window. This pattern matches as follows: "<a " followed by (string not containing characters "<>") possibly
0212: * followed by "target=something" (which is ignored), followed by "href" followed by (string not containing characters "<>") possibly followed by "target=something" (which is ignored), followed by ">". This should match all anchor tags that have an
0213: * href attribute. See escapeHtmlFormattedText()
0214: */
0215: private static Pattern M_patternAnchorTag = Pattern
0216: .compile(
0217: "([<]a\\s[^<>]*?)(\\s+href[^<>\\s]*=[^<>\\s]*?)?+([^<>]*?)[>]",
0218: Pattern.CASE_INSENSITIVE | Pattern.DOTALL);
0219:
0220: /** Matches all close anchor tags. */
0221: private static Pattern M_patternCloseAnchorTag = Pattern.compile(
0222: "[<]\\s[^<>]*?/\\s[^<>]*?a\\s[^<>]*?[>]",
0223: Pattern.CASE_INSENSITIVE | Pattern.DOTALL);
0224:
0225: /** Matches all anchor tags that have a target attribute. */
0226: private static Pattern M_patternAnchorTagWithTarget = Pattern
0227: .compile("([<]a\\s[^<>]*?)target=[^<>\\s]*([^<>]*?)[>]",
0228: Pattern.CASE_INSENSITIVE | Pattern.DOTALL);
0229:
0230: /** Matches href attribute */
0231: private static Pattern M_patternHref = Pattern.compile(
0232: "href\\s*=\\s*\"?\\s*[\\S ]+(\\s|>)",
0233: Pattern.CASE_INSENSITIVE | Pattern.DOTALL);
0234:
0235: /**
0236: * Processes and validates user-entered HTML received from the web browser (from the WYSIWYG editor). Validates that the user input follows the Sakai formatted text specification; disallows dangerous stuff such as <SCRIPT> JavaScript tags.
0237: * Encodes the text according to the formatted text specification, for the rest of the system to use.
0238: *
0239: * @param strFromBrowser
0240: * The formatted text as sent from the web browser (from the WYSIWYG editor)
0241: * @param errorMessages
0242: * User-readable error messages will be returned here.
0243: * @return The validated processed formatted text, ready for use by the system.
0244: */
0245: public static String processFormattedText(
0246: final String strFromBrowser, StringBuffer errorMessages) {
0247: boolean checkForEvilTags = true;
0248: boolean replaceWhitespaceTags = true;
0249: return processFormattedText(strFromBrowser, errorMessages,
0250: checkForEvilTags, replaceWhitespaceTags);
0251: }
0252:
0253: /**
0254: * Process an HTML document that has been edited using the formatted text widget. The document can contain any valid HTML; it will NOT be checked to eliminate things like image tags, script tags, etc, because it is its own document.
0255: *
0256: * @param strFromBrowser
0257: * @param errorMessages
0258: */
0259: public static String processHtmlDocument(
0260: final String strFromBrowser, StringBuffer errorMessages) {
0261: return strFromBrowser;
0262: }
0263:
0264: /**
0265: * Processes and validates HTML formatted text received from the web browser (from the WYSIWYG editor). Validates that the user input follows the Sakai formatted text specification; can disallow dangerous stuff such as <SCRIPT> JavaScript tags.
0266: * Encodes the text according to the formatted text specification, for the rest of the system to use.
0267: *
0268: * @param strFromBrowser
0269: * The formatted text as sent from the web browser (from the WYSIWYG editor)
0270: * @param errorMessages
0271: * User-readable error messages will be returned here.
0272: * @param checkForEvilTags
0273: * If true, check for tags and attributes that shouldn't be in formatted text
0274: * @param replaceWhitespaceTags
0275: * If true, clean up line breaks to be like "<br />".
0276: * @return The validated processed HTML formatted text, ready for use by the system.
0277: */
0278: public static String processFormattedText(
0279: final String strFromBrowser, StringBuffer errorMessages,
0280: boolean checkForEvilTags, boolean replaceWhitespaceTags) {
0281: String val = strFromBrowser;
0282: if (val == null || val.length() == 0)
0283: return val;
0284:
0285: if (replaceWhitespaceTags) {
0286: // normalize all variants of the "<br>" HTML tag to be "<br />\n"
0287: val = M_patternTagBr.matcher(val).replaceAll("<br />\n");
0288:
0289: // replace "<p>" with nothing. Replace "</p>" and "<p />" HTML tags with "<br />"
0290: // val = val.replaceAll("<p>", "");
0291: // val = val.replaceAll("</p>", "<br />\n");
0292: // val = val.replaceAll("<p />", "<br />\n");
0293: }
0294:
0295: if (checkForEvilTags) {
0296: val = processHtml(strFromBrowser, errorMessages);
0297: }
0298:
0299: // deal with hardcoded empty space character from Firefox 1.5
0300: if (val.equals(" ")) {
0301: val = "";
0302: }
0303:
0304: // close any open HTML tags (that the user may have accidentally left open)
0305: StringBuffer buf = new StringBuffer();
0306: trimFormattedText(val, Integer.MAX_VALUE, buf);
0307: val = buf.toString();
0308:
0309: // TODO: Fully parse and validate the formatted text against
0310: // the formatted text specification. Perhaps this could be
0311: // done by treating the text as an XML document and validating
0312: // the XML document against a Document-Type-Definition (DTD) for
0313: // formatted text. This would allow for validating the
0314: // attributes of allowed tags, for example.
0315:
0316: return val;
0317: }
0318:
0319: /**
0320: * Prepares the given HTML formatted text for output as part of an HTML document.
0321: *
0322: * @param value
0323: * The formatted text to output in an HTML document.
0324: * @return The string to include in an HTML document.
0325: */
0326: public static String escapeHtmlFormattedText(String value) {
0327: boolean supressNewlines = false;
0328: return escapeHtmlFormattedText(value, supressNewlines);
0329: }
0330:
0331: /**
0332: * Prepares the given HTML formatted text for output as part of an HTML document, removing newlines ("<br />").
0333: *
0334: * @param value
0335: * The formatted text to output in an HTML document.
0336: * @return The string to include in an HTML document.
0337: */
0338: public static String escapeHtmlFormattedTextSupressNewlines(
0339: String value) {
0340: boolean supressNewlines = true;
0341: return escapeHtmlFormattedText(value, supressNewlines);
0342: }
0343:
0344: /**
0345: * Prepares the given HTML formatted text for output as part of an HTML document. Makes sure that links open up in a new window by setting 'target="_blank"' on anchor tags.
0346: *
0347: * @param value
0348: * The formatted text to escape
0349: * @param supressNewlines
0350: * If true, remove newlines ("<br />") when escaping.
0351: * @return The string to include in an HTML document.
0352: */
0353: private static String escapeHtmlFormattedText(String value,
0354: boolean supressNewlines) {
0355: if (value == null)
0356: return "";
0357: if (value.length() == 0)
0358: return "";
0359:
0360: if (supressNewlines) {
0361: // zap HTML line breaks ("<br />") into plain-old whitespace
0362: value = M_patternTagBr.matcher(value).replaceAll(" ");
0363: }
0364:
0365: // make sure that links open up in a new window. This
0366: // makes sure every anchor tag has a blank target.
0367: // for example:
0368: // <a href="http://www.microsoft.com">Microsoft</a>
0369: // becomes:
0370: // <a href="http://www.microsoft.com" target="_blank">Microsoft</a>
0371: value = M_patternAnchorTagWithTarget.matcher(value).replaceAll(
0372: "$1$2>");
0373: value = M_patternAnchorTag.matcher(value).replaceAll(
0374: "$1$2$3 target=\"_blank\">");
0375:
0376: return value;
0377: }
0378:
0379: /**
0380: * Prepares the given formatted text for editing within the WYSIWYG editor. All HTML meta-characters in the string will be escaped.
0381: *
0382: * @param value
0383: * The formatted text to escape
0384: * @return The string to use as the value of the formatted textarea widget
0385: */
0386: public static String escapeHtmlFormattedTextarea(String value) {
0387: return escapeHtml(value, false);
0388: }
0389:
0390: /**
0391: * Converts the given plain text into HTML formatted text. Conversion to formatted text involves escaping characters that are used for formatting (such as the '<' character). Also converts plaintext line breaks into HTML line breaks ("<br />
0392: * ").
0393: *
0394: * @param value
0395: * The plain text to convert to formatted text
0396: * @return The converted plain text, now as formatted text
0397: */
0398: public static String convertPlaintextToFormattedText(String value) {
0399: return escapeHtml(value, true);
0400: }
0401:
0402: private static final boolean LAZY_CONSTRUCTION = true;
0403:
0404: /**
0405: * Escape the given value so that it appears as-is in HTML - that is, HTML meta-characters like '<' are escaped to HTML character entity references like '<'. Markup, amper, quote are escaped. Whitespace is not.
0406: *
0407: * @param value
0408: * The string to escape.
0409: * @param escapeNewlines
0410: * Whether to escape newlines as "<br />\n" so that they appear as HTML line breaks.
0411: * @return value fully escaped for HTML.
0412: */
0413: public static String escapeHtml(String value, boolean escapeNewlines) {
0414: if (value == null)
0415: return "";
0416:
0417: try {
0418: // lazily allocate the StringBuffer
0419: // only if changes are actually made; otherwise
0420: // just return the given string without changing it.
0421: StringBuffer buf = (LAZY_CONSTRUCTION) ? null
0422: : new StringBuffer();
0423: final int len = value.length();
0424: for (int i = 0; i < len; i++) {
0425: char c = value.charAt(i);
0426: switch (c) {
0427: case '<': {
0428: if (buf == null)
0429: buf = new StringBuffer(value.substring(0, i));
0430: buf.append("<");
0431: }
0432: break;
0433:
0434: case '>': {
0435: if (buf == null)
0436: buf = new StringBuffer(value.substring(0, i));
0437: buf.append(">");
0438: }
0439: break;
0440:
0441: case '&': {
0442: if (buf == null)
0443: buf = new StringBuffer(value.substring(0, i));
0444: buf.append("&");
0445: }
0446: break;
0447:
0448: case '"': {
0449: if (buf == null)
0450: buf = new StringBuffer(value.substring(0, i));
0451: buf.append(""");
0452: }
0453: break;
0454: case '\n': {
0455: if (escapeNewlines) {
0456: if (buf == null)
0457: buf = new StringBuffer(value
0458: .substring(0, i));
0459: buf.append("<br />\n");
0460: } else {
0461: if (buf != null)
0462: buf.append(c);
0463: }
0464: }
0465: break;
0466: default: {
0467: if (c < 128) {
0468: if (buf != null)
0469: buf.append(c);
0470: } else {
0471: // escape higher Unicode characters using an
0472: // HTML numeric character entity reference like "㴸"
0473: if (buf == null)
0474: buf = new StringBuffer(value
0475: .substring(0, i));
0476: buf.append("&#");
0477: buf.append(Integer.toString((int) c));
0478: buf.append(";");
0479: }
0480: }
0481: break;
0482: }
0483: } // for
0484:
0485: return (buf == null) ? value : buf.toString();
0486: } catch (Exception e) {
0487: M_log.warn("Validator.escapeHtml: ", e);
0488: return value;
0489: }
0490:
0491: } // escapeHtml
0492:
0493: /**
0494: * Store the given formatted text in the given XML element; stores both a formatted text representation, and a plaintext representation (plaintext means the formatting has been stripped).
0495: */
0496: public static void encodeFormattedTextAttribute(Element element,
0497: String baseAttributeName, String value) {
0498: // store the formatted text in an attribute called baseAttributeName-html
0499: Xml
0500: .encodeAttribute(element, baseAttributeName + "-html",
0501: value);
0502:
0503: // Store the non-formatted (plaintext) version as well
0504: Xml.encodeAttribute(element, baseAttributeName,
0505: convertFormattedTextToPlaintext(value));
0506: }
0507:
0508: /**
0509: * Returns a String with characters above 128 as entity references.
0510: *
0511: * @param value
0512: * The text to encode.
0513: * @return The encoded text.
0514: */
0515: public static String encodeUnicode(String value) {
0516: // TODO call method in each process routine
0517: if (value == null)
0518: return "";
0519:
0520: try {
0521: // lazily allocate the StringBuffer
0522: // only if changes are actually made; otherwise
0523: // just return the given string without changing it.
0524: StringBuffer buf = (LAZY_CONSTRUCTION) ? null
0525: : new StringBuffer();
0526: final int len = value.length();
0527: for (int i = 0; i < len; i++) {
0528: char c = value.charAt(i);
0529: if (c < 128) {
0530: if (buf != null)
0531: buf.append(c);
0532: } else {
0533: // escape higher Unicode characters using an
0534: // HTML numeric character entity reference like "㴸"
0535: if (buf == null)
0536: buf = new StringBuffer(value.substring(0, i));
0537: buf.append("&#");
0538: buf.append(Integer.toString((int) c));
0539: buf.append(";");
0540: }
0541: } // for
0542:
0543: return (buf == null) ? value : buf.toString();
0544: } catch (Exception e) {
0545: M_log.warn("Validator.escapeHtml: ", e);
0546: return value;
0547: }
0548: }
0549:
0550: /**
0551: * Returns a String with HTML entity references converted to characters suitable for processing as formatted text.
0552: *
0553: * @param value
0554: * The text containing entity references (e.g., a News item description).
0555: * @return The HTML, ready for processing.
0556: */
0557: public static String unEscapeHtml(String value) {
0558: if (value == null)
0559: return "";
0560: if (value.equals(""))
0561: return "";
0562: value.replaceAll("<", "<");
0563: value.replaceAll(">", ">");
0564: value.replaceAll("&", "&");
0565: value.replaceAll(""", "\"");
0566: return value;
0567: }
0568:
0569: /**
0570: * Returns a String with HTML anchor normalized to include only href and target="_blank" for safe display by a browser.
0571: *
0572: * @param anchor
0573: * The anchor tag to be normalized.
0574: * @return The anchor tag containing only href and target="_blank".
0575: */
0576: public static String processAnchor(String anchor) {
0577: String newAnchor = "";
0578: String href = null;
0579:
0580: // get href
0581: try {
0582: Matcher matcher = M_patternHref.matcher(anchor);
0583: if (matcher.find())
0584: href = matcher.group();
0585: } catch (Exception e) {
0586: M_log.warn("FormattedText.processAnchor ", e);
0587: }
0588:
0589: // open in a new window
0590: if (href != null) {
0591: href = href.replaceAll("\"", "");
0592: href = href.replaceAll(">", "");
0593: href = href.replaceAll("http", "\"http");
0594: href = href.replaceAll("https", "\"https");
0595: newAnchor = "<a " + href + "\" target=\"_blank\">";
0596: } else
0597: M_log.warn("FormattedText.processAnchor href == null");
0598: return newAnchor;
0599: }
0600:
0601: /**
0602: * Processes and validates character data as HTML. Disallows dangerous stuff such as <SCRIPT> JavaScript tags. Encodes the text according to the formatted text specification, for the rest of the system to use.
0603: *
0604: * @param source
0605: * The escaped HTML (e.g., from the News service)
0606: * @return The validated processed formatted text, ready for use by the system.
0607: */
0608: public static String processEscapedHtml(final String source) {
0609: if (source == null)
0610: return "";
0611: if (source.equals(""))
0612: return "";
0613:
0614: String Html = null;
0615: try {
0616: // TODO call encodeUnicode in other process routine
0617: Html = encodeUnicode(source);
0618: } catch (Exception e) {
0619: M_log
0620: .warn(
0621: "FormattedText.processEscapedHtml encodeUnicode(source):",
0622: e);
0623: }
0624: try {
0625: // to use the FormattedText functions
0626: Html = unEscapeHtml(Html);
0627: } catch (Exception e) {
0628: M_log
0629: .warn(
0630: "FormattedText.processEscapedHtml unEscapeHtml(Html):",
0631: e);
0632: }
0633:
0634: return processHtml(Html, new StringBuffer());
0635: }
0636:
0637: private static String processHtml(final String source,
0638: StringBuffer errorMessages) {
0639: // normalize all variants of the "<br>" HTML tag to be "<br />\n"
0640: // TODO call a method to do this in each process routine
0641: String Html = M_patternTagBr.matcher(source).replaceAll(
0642: "<br />\n");
0643:
0644: // process text and tags
0645: StringBuffer buf = new StringBuffer();
0646: if (Html != null) {
0647: try {
0648: int start = 0;
0649: Matcher m = M_patternTag.matcher(Html);
0650:
0651: // if there are no tags, return as is
0652: if (!m.find())
0653: return Html;
0654: m.reset(Html);
0655:
0656: // if there are tags, make sure they are safe
0657: while (m.find()) {
0658: // append text that isn't part of a tag
0659: if (m.start() > start)
0660: buf.append(Html.substring(start, m.start()));
0661: start = m.end();
0662:
0663: buf.append(checkTag(m.group(), errorMessages));
0664: }
0665:
0666: // tail
0667: if (Html.length() > start)
0668: buf.append(Html.substring((start)));
0669: } catch (Exception e) {
0670: M_log
0671: .warn(
0672: "FormattedText.processEscapedHtml M_patternTag.matcher(Html):",
0673: e);
0674: }
0675: }
0676: return new String(buf.toString());
0677: }
0678:
0679: private static String checkTag(final String tag,
0680: StringBuffer errorMessages) {
0681: StringBuffer buf = new StringBuffer();
0682: boolean escape = true;
0683:
0684: // if it's a good open tag, don't escape the HTML
0685: for (int i = 0; i < M_goodTags.length; i++) {
0686: if (M_goodTagsPatterns[i].matcher(tag).matches()) {
0687: if (M_patternAnchorTag.matcher(tag).matches()
0688: && !M_patternCloseAnchorTag.matcher(tag)
0689: .matches()) {
0690: // if it's an anchor tag, sanitize it
0691: buf.append(checkAttributes(processAnchor(tag),
0692: errorMessages));
0693: escape = false;
0694: } else {
0695: // otherwise just include it
0696: buf.append(checkAttributes(tag, errorMessages));
0697: escape = false;
0698: }
0699: } else if (M_goodCloseTagsPatterns[i].matcher(tag)
0700: .matches()) {
0701: // if it's a good close tag, don't escape the HTML
0702: buf.append(checkAttributes(tag, errorMessages));
0703: escape = false;
0704: }
0705: }
0706:
0707: // otherwise escape tag
0708: if (escape) {
0709: buf.append((String) escapeHtml(tag, false));
0710:
0711: Matcher fullTag = M_patternTagPieces.matcher(tag);
0712: if (fullTag.matches() && fullTag.groupCount() > 2) {
0713: errorMessages.append("The HTML tag '"
0714: + fullTag.group(1)
0715: + fullTag.group(fullTag.groupCount())
0716: + "' is not allowed in formatted text.\n");
0717: }
0718: }
0719:
0720: return buf.toString();
0721: }
0722:
0723: private static String checkAttributes(final String tag,
0724: StringBuffer errorMessages) {
0725: Matcher fullTag = M_patternTagPieces.matcher(tag);
0726: String close = "";
0727: StringBuffer buf = new StringBuffer();
0728: String leftOvers = "";
0729:
0730: if (fullTag.matches() && fullTag.groupCount() > 2) {
0731: leftOvers = fullTag.group(2);
0732: buf.append(fullTag.group(1));
0733: close = fullTag.group(fullTag.groupCount());
0734: } else {
0735: if (M_log.isDebugEnabled())
0736: M_log.debug("Could not parse " + tag);
0737: return "";
0738: }
0739:
0740: Matcher matcher;
0741: for (int i = 0; i < M_goodAttributePatterns.length; i++) {
0742: matcher = M_goodAttributePatterns[i].matcher(tag);
0743: if (matcher.find()) {
0744: for (int j = 0; j < matcher.groupCount(); j++) {
0745: if (checkValue(matcher.group(j) + " ",
0746: errorMessages)) {
0747: buf.append(matcher.group(j) + " ");
0748:
0749: try {
0750: leftOvers = leftOvers.replace(matcher
0751: .group(j), "");
0752: } catch (Exception e) {
0753: M_log.warn(matcher.group(j));
0754: e.printStackTrace();
0755: }
0756: }
0757: }
0758: }
0759: }
0760:
0761: if (leftOvers != null && leftOvers.trim().length() > 1) {
0762: errorMessages.append("The HTML attribute pattern '"
0763: + leftOvers + "' is not allowed\n");
0764: }
0765:
0766: buf.append(close);
0767: return buf.toString();
0768: }
0769:
0770: private static boolean checkValue(final String value,
0771: StringBuffer errorMessages) {
0772: boolean pass = true;
0773:
0774: Matcher matcher;
0775: for (int i = 0; i < M_evilValuePatterns.length; i++) {
0776: matcher = M_evilValuePatterns[i].matcher(value);
0777:
0778: if (matcher.find()) {
0779: pass = false;
0780: //errorMessages.append("The attribute value '" + value + "' is not allowed\n");
0781: }
0782: }
0783: return pass;
0784: }
0785:
0786: /**
0787: * Retrieves a formatted text attribute from an XML element; converts from older forms of formatted text or plaintext, if found. For example, if the baseAttributeName "foo" is specified, the attribute "foo-html" will be looked for first, and then
0788: * "foo-formatted", and finally just "foo" (plaintext).
0789: *
0790: * @param element
0791: * The XML element from which to retrieve the formatted text attribute
0792: * @param baseAttributeName
0793: * The base attribute name of the formatted text attribute
0794: */
0795: public static String decodeFormattedTextAttribute(Element element,
0796: String baseAttributeName) {
0797: String ret;
0798:
0799: // first check if an HTML-encoded attribute exists, for example "foo-html", and use it if available
0800: ret = StringUtil.trimToNull(Xml.decodeAttribute(element,
0801: baseAttributeName + "-html"));
0802: if (ret != null)
0803: return ret;
0804:
0805: // next try the older kind of formatted text like "foo-formatted", and convert it if found
0806: ret = StringUtil.trimToNull(Xml.decodeAttribute(element,
0807: baseAttributeName + "-formatted"));
0808: ret = FormattedText.convertOldFormattedText(ret);
0809: if (ret != null)
0810: return ret;
0811:
0812: // next try just a plaintext attribute and convert the plaintext to formatted text if found
0813: // convert from old plaintext instructions to new formatted text instruction
0814: ret = Xml.decodeAttribute(element, baseAttributeName);
0815: ret = FormattedText.convertPlaintextToFormattedText(ret);
0816: return ret;
0817: }
0818:
0819: /**
0820: * Converts the given HTML formatted text to plain text - loses formatting information. For example, The formatted text <xmp>"Hello <br />
0821: * <b>World!</b>"</xmp> becomes plain text "Hello \nWorld!" Strips all formatting information from the formatted text
0822: *
0823: * @param value
0824: * The formatted text to convert
0825: * @return The plain text (all formatting removed)
0826: */
0827: public static String convertFormattedTextToPlaintext(String value) {
0828: if (value == null)
0829: return null;
0830: if (value.length() == 0)
0831: return "";
0832:
0833: // strip out newlines
0834: value = M_patternNewline.matcher(value).replaceAll("");
0835:
0836: // convert "<br />" to newline
0837: value = M_patternTagBr.matcher(value).replaceAll("\n");
0838:
0839: // strip out all the HTML-style tags so that:
0840: // <font face="verdana">Something</font> <b>Something else</b>
0841: // becomes:
0842: // Something Something else
0843: value = M_patternTag.matcher(value).replaceAll("");
0844:
0845: // Replace HTML character entity references (like >)
0846: // with the plain Unicode characters to which they refer.
0847: String ref;
0848: char val;
0849: for (int i = 0; i < M_htmlCharacterEntityReferences.length; i++) {
0850: ref = M_htmlCharacterEntityReferences[i];
0851: if (value.indexOf(ref) >= 0) {
0852: val = M_htmlCharacterEntityReferencesUnicode[i];
0853: // System.out.println("REPLACING "+ref+" WITH UNICODE CHARACTER #"+val+" WHICH IN JAVA IS "+Character.toString(val));
0854: value = value.replaceAll(ref, Character.toString(val));
0855: }
0856: }
0857:
0858: // Replace HTML numeric character entity references (like &#nnnn; or &#xnnnn;)
0859: // with the plain Unicode characters to which they refer.
0860: value = decodeNumericCharacterReferences(value);
0861:
0862: return value;
0863: }
0864:
0865: /**
0866: * Converts old-style formatted text to the new style. Previous to Sakai release 1.5, displayed line breaks were stored as "\n". Now, displayed like breaks are properly stored in the HTML-standard way as "<br />". This method converts from the
0867: * previous form.
0868: *
0869: * @param value
0870: * @return
0871: */
0872: public static String convertOldFormattedText(String value) {
0873: // previously, formatted text used "\n" to indicate a line break.
0874: // now we use "<br />\n" as a line break. This code converts old
0875: // formatted text to new formatted text.
0876: if (value == null)
0877: return null;
0878: if (value.length() == 0)
0879: return "";
0880:
0881: value = M_patternNewline.matcher(value).replaceAll("<br />\n");
0882: return value;
0883: }
0884:
0885: /**
0886: * Trims a formatted text string to the given maximum number of displayed characters, preserving formatting. For example, trim("Hello & <b>World</b>!", 9) returns "Hello & <b>W</b>" Ignores HTML comments like "<!-- comment -->"
0887: *
0888: * @param formattedText
0889: * The formatted text to trim
0890: * @param maxNumOfChars
0891: * The maximum number of displayed characters in the returned trimmed formatted text.
0892: * @param strTrimmed
0893: * A StringBuffer to hold the trimmed formatted text
0894: * @return true If the formatted text was trimmed
0895: */
0896: public static boolean trimFormattedText(String formattedText,
0897: final int maxNumOfChars, StringBuffer strTrimmed) {
0898: // This should return a formatted text substring which contains formatting, but which
0899: // isn't broken in the middle of formatting, eg, "<strong>Hi there</stro" It also shouldn't
0900: // break HTML character entities such as ">".
0901:
0902: String str = formattedText;
0903: strTrimmed.setLength(0);
0904: strTrimmed.append(str);
0905: if (str == null)
0906: return false;
0907:
0908: int count = 0; // number of displayed characters seen so far
0909: int pos = 0; // raw position within the formatted text string
0910: int len = str.length();
0911: Stack tags = new Stack(); // currently open tags (may need to be closed at the end)
0912: while (pos < len && count < maxNumOfChars) {
0913: while (pos < len && str.charAt(pos) == '<') {
0914: // currently parsing a tag
0915: pos++;
0916:
0917: if (pos < len && str.charAt(pos) == '!') {
0918: // parsing an HTML comment
0919: if (pos + 2 < len) {
0920: if (str.charAt(pos + 1) == '-'
0921: && str.charAt(pos + 2) == '-') {
0922: // skip past the close of the comment tag
0923: int close = str.indexOf("-->", pos);
0924: if (close != -1) {
0925: pos = close + 3;
0926: continue;
0927: }
0928: }
0929: }
0930: }
0931:
0932: if (pos < len && str.charAt(pos) == '/') {
0933: // currently parsing an closing tag
0934: if (!tags.isEmpty())
0935: tags.pop();
0936: while (pos < len && str.charAt(pos) != '>')
0937: pos++;
0938: pos++;
0939: continue;
0940: }
0941: // capture the name of the opening tag and put it on the stack of open tags
0942: int taglen = 0;
0943: String tag;
0944: while (pos < len && str.charAt(pos) != '>'
0945: && !Character.isWhitespace(str.charAt(pos))) {
0946: pos++;
0947: taglen++;
0948: }
0949: tag = str.substring(pos - taglen, pos);
0950: tags.push(tag);
0951:
0952: while (pos < len && str.charAt(pos) != '>')
0953: pos++;
0954:
0955: if (tag.length() == 0) {
0956: if (!tags.isEmpty())
0957: tags.pop();
0958: continue;
0959: }
0960: if (str.charAt(pos - 1) == '/')
0961: if (!tags.isEmpty())
0962: tags.pop(); // singleton tag like "<br />" has no closing tag
0963: if (tag.charAt(0) == '!')
0964: if (!tags.isEmpty())
0965: tags.pop(); // comment tag like "<!-- comment -->", so just ignore it
0966: if ("br".equalsIgnoreCase(tag))
0967: if (!tags.isEmpty())
0968: tags.pop();
0969: if ("hr".equalsIgnoreCase(tag))
0970: if (!tags.isEmpty())
0971: tags.pop();
0972: if ("meta".equalsIgnoreCase(tag))
0973: if (!tags.isEmpty())
0974: tags.pop();
0975: if ("link".equalsIgnoreCase(tag))
0976: if (!tags.isEmpty())
0977: tags.pop();
0978: pos++;
0979: }
0980:
0981: if (pos < len && str.charAt(pos) == '&') {
0982: // HTML character entity references, like ">"
0983: // count this as one single character
0984: while (pos < len && str.charAt(pos) != ';')
0985: pos++;
0986: }
0987:
0988: if (pos < len) {
0989: count++;
0990: pos++;
0991: }
0992: }
0993:
0994: // close any unclosed tags
0995: strTrimmed.setLength(0);
0996: strTrimmed.append(str.substring(0, pos));
0997: while (tags.size() > 0) {
0998: strTrimmed.append("</");
0999: strTrimmed.append(tags.pop());
1000: strTrimmed.append(">");
1001: }
1002:
1003: boolean didTrim = (count == maxNumOfChars);
1004: return didTrim;
1005:
1006: } // trimFormattedText()
1007:
1008: /**
1009: * decode any HTML Numeric Character References of the style: &#Xhexnumber; or &#decimalnumber; or of our own special style: ^^Xhexnumber^ or ^^decimalnumber^
1010: */
1011: public static String decodeNumericCharacterReferences(String value) {
1012: // lazily allocate StringBuffer only if needed
1013: // buf is not null ONLY when a numeric character reference
1014: // is found - otherwise, buf is not used at all
1015: StringBuffer buf = null;
1016: final int valuelength = value.length();
1017: for (int i = 0; i < valuelength; i++) {
1018: if ((value.charAt(i) == '&' || value.charAt(i) == '^')
1019: && (i + 2 < valuelength)
1020: && (value.charAt(i + 1) == '#' || value
1021: .charAt(i + 1) == '^')) {
1022: int pos = i + 2;
1023: boolean hex = false;
1024: if ((value.charAt(pos) == 'x')
1025: || (value.charAt(pos) == 'X')) {
1026: pos++;
1027: hex = true;
1028: }
1029: StringBuffer num = new StringBuffer(6);
1030: while (pos < valuelength && value.charAt(pos) != ';'
1031: && value.charAt(pos) != '^') {
1032: num.append(value.charAt(pos));
1033: pos++;
1034: }
1035: if (pos < valuelength) {
1036: try {
1037: int val = Integer.parseInt(num.toString(),
1038: (hex ? 16 : 10));
1039: // Found an HTML numeric character reference!
1040: if (buf == null) {
1041: buf = new StringBuffer();
1042: buf.append(value.substring(0, i));
1043: }
1044:
1045: buf.append((char) val);
1046: i = pos;
1047: } catch (Exception ignore) {
1048: if (buf != null)
1049: buf.append(value.charAt(i));
1050: }
1051: } else {
1052: if (buf != null)
1053: buf.append(value.charAt(i));
1054: }
1055: } else {
1056: if (buf != null)
1057: buf.append(value.charAt(i));
1058: }
1059: }
1060:
1061: if (buf != null)
1062: value = buf.toString();
1063:
1064: return value;
1065: }
1066:
1067: /**
1068: * HTML character entity references. These abreviations are used in HTML to escape certain Unicode characters, including characters used in HTML markup. These character entity references were taken directly from the HTML 4.0 specification at:
1069: *
1070: * @link http://www.w3.org/TR/REC-html40/sgml/entities.html
1071: */
1072: private static final String[] M_htmlCharacterEntityReferences = {
1073: " ", "¡", "¢", "£", "¤",
1074: "¥", "¦", "§", "¨", "©", "ª",
1075: "«", "¬", "­", "®", "¯", "°",
1076: "±", "²", "³", "´", "µ",
1077: "¶", "·", "¸", "¹", "º",
1078: "»", "¼", "½", "¾", "¿",
1079: "À", "Á", "Â", "Ã", "Ä",
1080: "Å", "Æ", "Ç", "È", "É",
1081: "Ê", "Ë", "Ì", "Í", "Î",
1082: "Ï", "Ð", "Ñ", "Ò", "Ó",
1083: "Ô", "Õ", "Ö", "×", "Ø",
1084: "Ù", "Ú", "Û", "Ü", "Ý",
1085: "Þ", "ß", "à", "á", "â",
1086: "ã", "ä", "å", "æ", "ç",
1087: "è", "é", "ê", "ë", "ì",
1088: "í", "î", "ï", "ð", "ñ",
1089: "ò", "ó", "ô", "õ", "ö",
1090: "÷", "ø", "ù", "ú", "û",
1091: "ü", "ý", "þ", "ÿ", "ƒ",
1092: "Α", "Β", "Γ", "Δ", "&Epsilo;",
1093: "Ζ", "Η", "Θ", "Ι", "Κ",
1094: "Λ", "Μ", "Ν", "Ξ", "&Omicro;", "Π",
1095: "Ρ", "Σ", "Τ", "&Upsilo;", "Φ", "Χ",
1096: "Ψ", "Ω", "α", "β", "γ",
1097: "δ", "&epsilo;", "ζ", "η", "θ",
1098: "ι", "κ", "λ", "μ", "ν", "ξ",
1099: "&omicro;", "π", "ρ", "ς", "σ",
1100: "τ", "&upsilo;", "φ", "χ", "ψ", "ω",
1101: "&thetas;", "ϒ", "ϖ", "•", "…",
1102: "′", "″", "‾", "⁄", "℘",
1103: "ℑ", "ℜ", "™", "&alefsy;", "←",
1104: "↑", "→", "↓", "↔", "↵",
1105: "⇐", "⇑", "⇒", "⇓", "⇔",
1106: "∀", "∂", "∃", "∅", "∇",
1107: "∈", "∉", "∋", "∏", "∑", "−",
1108: "∗", "√", "∝", "∞", "∠",
1109: "∧", "∨", "∩", "∪", "∫", "∴",
1110: "∼", "≅", "≈", "≠", "≡", "≤",
1111: "≥", "⊂", "⊃", "⊄", "⊆", "⊇",
1112: "⊕", "⊗", "⊥", "⋅", "⌈",
1113: "⌉", "⌊", "⌋", "⟨", "⟩",
1114: "◊", "♠", "♣", "♥", "♦",
1115: """, "&", "<", ">", "Œ", "œ",
1116: "Š", "š", "Ÿ", "ˆ", "˜",
1117: " ", " ", " ", "‌", "‍", "‎",
1118: "‏", "–", "—", "‘", "’",
1119: "‚", "“", "”", "„", "†",
1120: "‡", "‰", "‹", "›", "€" };
1121:
1122: /**
1123: * These character entity references were taken directly from the HTML 4.0 specification at:
1124: *
1125: * @link http://www.w3.org/TR/REC-html40/sgml/entities.html
1126: */
1127: private static final char[] M_htmlCharacterEntityReferencesUnicode = {
1128: 160, 161, 162, 163, 164, 165, 166, 167, 168, 169, 170, 171,
1129: 172, 173, 174, 175, 176, 177, 178, 179, 180, 181, 182, 183,
1130: 184, 185, 186, 187, 188, 189, 190, 191, 192, 193, 194, 195,
1131: 196, 197, 198, 199, 200, 201, 202, 203, 204, 205, 206, 207,
1132: 208, 209, 210, 211, 212, 213, 214, 215, 216, 217, 218, 219,
1133: 220, 221, 222, 223, 224, 225, 226, 227, 228, 229, 230, 231,
1134: 232, 233, 234, 235, 236, 237, 238, 239, 240, 241, 242, 243,
1135: 244, 245, 246, 247, 248, 249, 250, 251, 252, 253, 254, 255,
1136: 402, 913, 914, 915, 916, 917, 918, 919, 920, 921, 922, 923,
1137: 924, 925, 926, 927, 928, 929, 931, 932, 933, 934, 935, 936,
1138: 937, 945, 946, 947, 948, 949, 950, 951, 952, 953, 954, 955,
1139: 956, 957, 958, 959, 960, 961, 962, 963, 964, 965, 966, 967,
1140: 968, 969, 977, 978, 982, 8226, 8230, 8242, 8243, 8254,
1141: 8260, 8472, 8465, 8476, 8482, 8501, 8592, 8593, 8594, 8595,
1142: 8596, 8629, 8656, 8657, 8658, 8659, 8660, 8704, 8706, 8707,
1143: 8709, 8711, 8712, 8713, 8715, 8719, 8721, 8722, 8727, 8730,
1144: 8733, 8734, 8736, 8743, 8744, 8745, 8746, 8747, 8756, 8764,
1145: 8773, 8776, 8800, 8801, 8804, 8805, 8834, 8835, 8836, 8838,
1146: 8839, 8853, 8855, 8869, 8901, 8968, 8969, 8970, 8971, 9001,
1147: 9002, 9674, 9824, 9827, 9829, 9830, 34, 38, 60, 62, 338,
1148: 339, 352, 353, 376, 710, 732, 8194, 8195, 8201, 8204, 8205,
1149: 8206, 8207, 8211, 8212, 8216, 8217, 8218, 8220, 8221, 8222,
1150: 8224, 8225, 8240, 8249, 8250, 8364 };
1151:
1152: }
|