01: /*
02:
03: Licensed to the Apache Software Foundation (ASF) under one or more
04: contributor license agreements. See the NOTICE file distributed with
05: this work for additional information regarding copyright ownership.
06: The ASF licenses this file to You under the Apache License, Version 2.0
07: (the "License"); you may not use this file except in compliance with
08: the License. You may obtain a copy of the License at
09:
10: http://www.apache.org/licenses/LICENSE-2.0
11:
12: Unless required by applicable law or agreed to in writing, software
13: distributed under the License is distributed on an "AS IS" BASIS,
14: WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15: See the License for the specific language governing permissions and
16: limitations under the License.
17:
18: */
19: package org.apache.batik.bridge;
20:
21: import org.apache.batik.util.ParsedURL;
22:
/**
 * A <code>ScriptSecurity</code> policy that admits only scripts embedded
 * in the document: a script whose URL equals the document URL (as for
 * event attributes), or a script carried in a <code>data</code> protocol
 * URL.
 *
 * <p>The decision is taken once, in the constructor, and is based solely
 * on the two URLs. The script type is not consulted, and for a
 * <code>data</code> URL only the protocol name is compared, not the media
 * type or the payload. This class only decides whether a script may be
 * loaded; nothing in it limits what a loaded script does, so an embedded
 * script is exactly as trustworthy as the document that carries it.</p>
 *
 * @author <a href="mailto:vhardy@apache.org">Vincent Hardy</a>
 * @version $Id: EmbededScriptSecurity.java 475477 2006-11-15 22:44:28Z cam $
 */
public class EmbededScriptSecurity implements ScriptSecurity {
    /**
     * Protocol name that identifies a script URL as inline data.
     */
    public static final String DATA_PROTOCOL = "data";

    /**
     * Message key used when a script is checked but the document has no
     * URL to compare against. The key carries the
     * <code>DefaultScriptSecurity</code> prefix.
     */
    public static final String ERROR_CANNOT_ACCESS_DOCUMENT_URL = "DefaultScriptSecurity.error.cannot.access.document.url";

    /**
     * Message key used when the script is not embedded in the document.
     */
    public static final String ERROR_SCRIPT_NOT_EMBEDED = "EmbededScriptSecurity.error.script.not.embeded";

    /**
     * The refusal decided at construction time, or null when the script
     * is allowed. <code>checkLoadScript</code> throws this same instance
     * on every call, so its stack trace points at the constructor rather
     * than at the caller of <code>checkLoadScript</code>.
     */
    protected SecurityException se;

    /**
     * Evaluates the policy for one script and records the outcome.
     *
     * <p>The script is refused when <code>docURL</code> is null, and
     * otherwise when <code>scriptURL</code> neither equals
     * <code>docURL</code> nor uses the <code>data</code> protocol.</p>
     *
     * @param scriptType type of script, as found in the type attribute
     *        of the &lt;script&gt; element. Not used by this policy.
     * @param scriptURL url for the script, as defined in the script's
     *        xlink:href attribute. A null value is not exempted: it
     *        fails the protocol test, so it is refused unless
     *        <code>docURL.equals(null)</code> holds.
     *        NOTE(review): confirm what callers pass for inline scripts.
     * @param docURL url for the document in which the script was found.
     */
    public EmbededScriptSecurity(String scriptType,
                                 ParsedURL scriptURL, ParsedURL docURL) {
        // Without a document URL there is nothing to compare the script
        // against, so the load is refused outright.
        if (docURL == null) {
            se = new SecurityException(Messages.formatMessage(
                    ERROR_CANNOT_ACCESS_DOCUMENT_URL,
                    new Object[] { scriptURL }));
            return;
        }

        // Same URL as the document: event attributes and the like.
        // NOTE(review): what counts as "equal" is decided by
        // ParsedURL.equals, which is not visible here.
        boolean embedded = docURL.equals(scriptURL);

        // Otherwise the only accepted form is a data: URL. The null test
        // comes first so getProtocol() is never called on a null URL.
        if (!embedded) {
            embedded = scriptURL != null
                    && DATA_PROTOCOL.equals(scriptURL.getProtocol());
        }

        if (!embedded) {
            se = new SecurityException(Messages.formatMessage(
                    ERROR_SCRIPT_NOT_EMBEDED,
                    new Object[] { scriptURL }));
        }
    }

    /**
     * Enforces the decision taken in the constructor.
     *
     * @throws SecurityException if the script should not be loaded.
     */
    public void checkLoadScript() {
        if (se == null) {
            return;
        }
        throw se;
    }
}