001: /* ====================================================================
002: * The Jcorporate Apache Style Software License, Version 1.2 05-07-2002
003: *
004: * Copyright (c) 1995-2002 Jcorporate Ltd. All rights reserved.
005: *
006: * Redistribution and use in source and binary forms, with or without
007: * modification, are permitted provided that the following conditions
008: * are met:
009: *
010: * 1. Redistributions of source code must retain the above copyright
011: * notice, this list of conditions and the following disclaimer.
012: *
013: * 2. Redistributions in binary form must reproduce the above copyright
014: * notice, this list of conditions and the following disclaimer in
015: * the documentation and/or other materials provided with the
016: * distribution.
017: *
018: * 3. The end-user documentation included with the redistribution,
019: * if any, must include the following acknowledgment:
020: * "This product includes software developed by Jcorporate Ltd.
021: * (http://www.jcorporate.com/)."
022: * Alternately, this acknowledgment may appear in the software itself,
023: * if and wherever such third-party acknowledgments normally appear.
024: *
025: * 4. "Jcorporate" and product names such as "Expresso" must
026: * not be used to endorse or promote products derived from this
027: * software without prior written permission. For written permission,
028: * please contact info@jcorporate.com.
029: *
030: * 5. Products derived from this software may not be called "Expresso",
031: * or other Jcorporate product names; nor may "Expresso" or other
032: * Jcorporate product names appear in their name, without prior
033: * written permission of Jcorporate Ltd.
034: *
035: * 6. No product derived from this software may compete in the same
036: * market space, i.e. framework, without prior written permission
037: * of Jcorporate Ltd. For written permission, please contact
038: * partners@jcorporate.com.
039: *
040: * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
041: * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
042: * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
043: * DISCLAIMED. IN NO EVENT SHALL JCORPORATE LTD OR ITS CONTRIBUTORS
044: * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
045: * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
046: * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
047: * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
048: * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
049: * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
050: * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
051: * SUCH DAMAGE.
052: * ====================================================================
053: *
054: * This software consists of voluntary contributions made by many
055: * individuals on behalf of the Jcorporate Ltd. Contributions back
056: * to the project(s) are encouraged when you make modifications.
057: * Please send them to support@jcorporate.com. For more information
058: * on Jcorporate Ltd. and its products, please see
059: * <http://www.jcorporate.com/>.
060: *
061: * Portions of this software are based upon other open source
062: * products and are subject to their respective licenses.
063: */
064:
065: package com.jcorporate.expresso.core.security.filters;
066:
067: /**
068: * This class provides a filter implementation of the Filter class for stripping
069: * out HTML tags in order to protect against XSS exploits
070: *
071: * @author Larry Hamel
072: */
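public class HtmlFilter extends Filter {

    /**
     * Characters to filter out to eliminate the majority of XSS attacks
     * from http://www.cert.org/tech_tips/malicious_code_mitigation.html#4
     * <p/>
     * Assuming that this filter is only applied to text paragraphs (not
     * server side scripts or other things), we only need to filter
     * characters in content of a paragraph of text: &lt; &amp; &gt;
     * Because quote characters are not touched, the filtered output is
     * only safe as element text content, not inside attribute values,
     * script or style blocks.
     * <p/>
     * This basic filter doesn't allow URLs to be displayed, so we don't have
     * to filter unsafe characters in URLs (%)
     * other classes that insert HREF's (HtmlPlusURLFilter) need to worry
     * about the % character, though (not allowing unsafe encodings after it)
     * <p/>
     * "&amp;" is listed first so that, should {@link Filter} apply the
     * replacements one after another over the whole text, the entities
     * produced for "&lt;" and "&gt;" are not encoded a second time
     * (how Filter matches the list is not visible here - confirm). The
     * relative order of the remaining entries is unchanged.
     */
    protected static final String[] SPECIAL_STRING_LIST = { "&", "<", ">",
        "\n", "\r\n", "\t", "<br />\n" };

    /**
     * Each item in the above array needs a corresponding string in this
     * array at the same index. The three markup characters map to their
     * HTML entity forms; mapping them to themselves would leave the markup
     * intact and defeat the purpose of the filter.
     */
    protected static final String[] REPLACE_LIST = { "&amp;", "&lt;", "&gt;",
        "<br />", "<br />", " ", "<br />" };

    /**
     * No-arg constructor required; installs the default entity-encoding
     * replacement tables.
     *
     * @throws IllegalArgumentException propagated from {@link Filter},
     *         presumably when the two tables are not usable together - see
     *         Filter for the exact condition
     */
    public HtmlFilter() throws IllegalArgumentException {
        super(SPECIAL_STRING_LIST, REPLACE_LIST);
    }

    /**
     * Constructor for passing strings and their replacements.
     *
     * @param specialStringList Strings to replace
     * @param replaceList       The replacement strings, index-aligned with
     *                          {@code specialStringList}
     * @throws IllegalArgumentException propagated from {@link Filter},
     *         presumably when the two arrays are not usable together - see
     *         Filter for the exact condition
     */
    public HtmlFilter(String[] specialStringList, String[] replaceList)
            throws IllegalArgumentException {
        super(specialStringList, replaceList);
    }
}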
|