/*
 * Copyright 2005 Joe Walker
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.directwebremoting;

/**
 * Some simple replacement utilities to help people protect themselves from
 * XSS attacks.
 * <p>This class represents some simple filters which <b>may</b> protect from
 * simple attacks in low-risk environments. They are no replacement for a full
 * security review that assesses the risks you actually face.</p>
 * @author Joe Walker [joe at getahead dot ltd dot uk]
 */
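public class Security {
    /**
     * Perform the following replacements:<ul>
     * <li>&amp; to &amp;amp;</li>
     * <li>&lt; to &amp;lt;</li>
     * <li>&gt; to &amp;gt;</li>
     * <li>&apos; to &amp;apos;</li>
     * <li>&quot; to &amp;quot;</li>
     * </ul>
     * These replacements are useful when the original sense is important, but
     * when we wish to reduce the risk of XSS attacks.
     * <p>The escaping covers text placed in HTML element content and in quoted
     * attribute values. It is not a substitute for context-specific encoding
     * when the string is placed inside a script block, an unquoted attribute,
     * a URL or a style sheet.</p>
     * @param original The string to perform entity replacement on; must not be null
     * @return The original string with &amp;, &lt;, &gt;, ' and " escaped.
     * @throws NullPointerException if {@code original} is null
     * @see #unescapeHtml(String)
     */
    public static String escapeHtml(String original) {
        // &apos; is the documented contract. It is an XML/XHTML entity rather
        // than an HTML 4 one, so legacy HTML user agents may not decode it;
        // &#39; is the more widely understood form if that ever matters here.
        return replaceSpecialCharacters(original, "&amp;", "&lt;", "&gt;", "&apos;", "&quot;");
    }

    /**
     * Perform the following replacements:<ul>
     * <li>&amp;amp; to &amp;</li>
     * <li>&amp;lt; to &lt;</li>
     * <li>&amp;gt; to &gt;</li>
     * <li>&amp;apos; to &apos;</li>
     * <li>&amp;quot; to &quot;</li>
     * </ul>
     * These replacements are useful to reverse the effects of
     * {@link #escapeHtml(String)}.
     * <p>Only these five entities are decoded; numeric character references
     * and other named entities are left untouched.</p>
     * @param original The string to perform entity replacement on; must not be null
     * @return The original string with &amp;amp;, &amp;lt;, &amp;gt;, &amp;apos; and &amp;quot; replaced.
     * @throws NullPointerException if {@code original} is null
     * @see #escapeHtml(String)
     */
    public static String unescapeHtml(String original) {
        String reply = original;
        // The four named entities are decoded before &amp; so that an escaped
        // ampersand followed by entity-like text (e.g. "&amp;lt;") yields
        // "&lt;" rather than being decoded twice into "<". This keeps
        // unescapeHtml(escapeHtml(s)) equal to s for every s.
        reply = reply.replace("&lt;", "<");
        reply = reply.replace("&gt;", ">");
        reply = reply.replace("&apos;", "'");
        reply = reply.replace("&quot;", "\"");
        reply = reply.replace("&amp;", "&");
        return reply;
    }

    /**
     * Perform the following replacements:<ul>
     * <li>&amp; to +</li>
     * <li>&lt; to \\u2039 (\u2039)</li>
     * <li>&gt; to \\u203A (\u203A)</li>
     * <li>&apos; to \\u2018 (\u2018)</li>
     * <li>&quot; to \\u201C (\u201C)</li>
     * </ul>
     * These replacements are useful when readability is more important than
     * retaining the exact character string of the original. The mapping is
     * lossy: there is no inverse operation.
     * @param original The string to perform character replacement on; must not be null
     * @return The original string with &amp;, &lt;, &gt;, ' and " replaced.
     * @throws NullPointerException if {@code original} is null
     */
    public static String replaceXmlCharacters(String original) {
        return replaceSpecialCharacters(original, "+", "\u2039", "\u203A", "\u2018", "\u201C");
    }

    /**
     * Return true iff the input string contains any of the characters that
     * are special to XML: &amp;, &lt;, &gt;, ' or "
     * @param original The string to test for XML special characters; must not be null
     * @return True if any of the characters are found, false otherwise
     * @throws NullPointerException if {@code original} is null
     */
    public static boolean containsXssRiskyCharacters(String original) {
        int length = original.length();
        for (int i = 0; i < length; i++) {
            if (isXmlSpecial(original.charAt(i))) {
                return true;
            }
        }
        return false;
    }

    /**
     * Whether {@code c} is one of the five characters the methods of this
     * class treat as special: &amp;, &lt;, &gt;, ' or ".
     * @param c The character to classify
     * @return True for the five special characters, false for everything else
     */
    private static boolean isXmlSpecial(char c) {
        switch (c) {
        case '&':
        case '<':
        case '>':
        case '\'':
        case '"':
            return true;
        default:
            return false;
        }
    }

    /**
     * Scan {@code original} once, substituting each of the five special
     * characters with the supplied replacement text and copying every other
     * character through unchanged.
     * <p>Because the input is read exactly once, replacement text is never
     * re-scanned, so an '&amp;' produced by one substitution can never be
     * picked up by another. This is what makes the ordering of the
     * replacements irrelevant for the escaping methods.</p>
     * @param original The string to transform; must not be null
     * @param amp Replacement for '&amp;'
     * @param lt Replacement for '&lt;'
     * @param gt Replacement for '&gt;'
     * @param apos Replacement for the apostrophe
     * @param quot Replacement for the double quote
     * @return The transformed string (empty input gives an empty string)
     * @throws NullPointerException if {@code original} is null
     */
    private static String replaceSpecialCharacters(String original, String amp, String lt, String gt, String apos, String quot) {
        int length = original.length();
        // Small headroom so a handful of expansions do not force a regrow.
        StringBuilder reply = new StringBuilder(length + 16);
        for (int i = 0; i < length; i++) {
            char c = original.charAt(i);
            switch (c) {
            case '&':
                reply.append(amp);
                break;
            case '<':
                reply.append(lt);
                break;
            case '>':
                reply.append(gt);
                break;
            case '\'':
                reply.append(apos);
                break;
            case '"':
                reply.append(quot);
                break;
            default:
                reply.append(c);
                break;
            }
        }
        return reply.toString();
    }
}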