org.jboss.seam.text
Class SeamTextParser.DefaultSanitizer

java.lang.Object
  extended by org.jboss.seam.text.SeamTextParser.DefaultSanitizer
All Implemented Interfaces:
SeamTextParser.Sanitizer
Enclosing class:
SeamTextParser

public static class SeamTextParser.DefaultSanitizer
extends Object
implements SeamTextParser.Sanitizer

Implementation of the rules in http://wiki.whatwg.org/wiki/Sanitization_rules. Changes and additions:

1. Expanded all -* wildcard values to their full CSS property name (e.g. border-*).
2. Added dash as an allowed character in REGEX_VALID_CSS_STRING1.
3. Improved REGEX_VALID_CSS_VALUE with range {n,m} checks for color values and negative units.
4. Added more options (mostly of the vertical-align property, e.g. "middle", "text-top") as allowed CSS values.
5. Added "max-height", "max-width", "min-height", "min-width" to the CSS properties.
6. Removed the 'data' URI scheme.
7. Filtering of CSS url() is not implemented; it is always an invalid value.


Field Summary
protected Set<String> acceptableAttributes
protected Set<String> acceptableElements
protected Set<String> attributesWhoseValueIsAURI
protected Set<String> mathmlAttributes
protected Set<String> mathmlElements
Pattern REGEX_INVALID_CSS_URL
Pattern REGEX_VALID_CSS_STRING1
Pattern REGEX_VALID_CSS_STRING2
Pattern REGEX_VALID_CSS_VALUE
protected Set<String> styleProperties
protected Set<String> stylePropertiesValues
protected Set<String> svgAttributes
protected Set<String> svgElements
protected Set<String> svgStyleProperties
protected Set<String> uriSchemes

Constructor Summary
SeamTextParser.DefaultSanitizer()

Method Summary
antlr.SemanticException createSemanticException(String message, antlr.Token element)
String getInvalidAttributeMessage(String elementName, String attributeName)
String getInvalidAttributeValueMessage(String elementName, String attributeName, String value)
String getInvalidElementMessage(String elementName)
String getInvalidURIMessage(String uri)
void validateHtmlAttribute(antlr.Token element, antlr.Token attribute)
          Called by the SeamTextParser when a plain HTML attribute is parsed.
void validateHtmlAttributeValue(antlr.Token element, antlr.Token attribute, String attributeValue)
          Called by the SeamTextParser when a plain HTML attribute value is parsed.
void validateHtmlElement(antlr.Token element)
          Called by the SeamTextParser when a plain HTML element is parsed.
void validateLinkTagURI(antlr.Token element, String uri)
          Called by the SeamTextParser when a link tag is parsed, i.e. [=>some URI].
protected boolean validateURI(String uri)
          Validate a URI string.

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

REGEX_VALID_CSS_STRING1

public final Pattern REGEX_VALID_CSS_STRING1

REGEX_VALID_CSS_STRING2

public final Pattern REGEX_VALID_CSS_STRING2

REGEX_VALID_CSS_VALUE

public final Pattern REGEX_VALID_CSS_VALUE

REGEX_INVALID_CSS_URL

public final Pattern REGEX_INVALID_CSS_URL

acceptableElements

protected Set<String> acceptableElements

mathmlElements

protected Set<String> mathmlElements

svgElements

protected Set<String> svgElements

acceptableAttributes

protected Set<String> acceptableAttributes

mathmlAttributes

protected Set<String> mathmlAttributes

svgAttributes

protected Set<String> svgAttributes

styleProperties

protected Set<String> styleProperties

stylePropertiesValues

protected Set<String> stylePropertiesValues

svgStyleProperties

protected Set<String> svgStyleProperties

attributesWhoseValueIsAURI

protected Set<String> attributesWhoseValueIsAURI

uriSchemes

protected Set<String> uriSchemes

Constructor Detail

SeamTextParser.DefaultSanitizer

public SeamTextParser.DefaultSanitizer()

Method Detail

validateLinkTagURI

public void validateLinkTagURI(antlr.Token element,
                               String uri)
                        throws antlr.SemanticException
Description copied from interface: SeamTextParser.Sanitizer
Called by the SeamTextParser when a link tag is parsed, i.e. [=>some URI].

Specified by:
validateLinkTagURI in interface SeamTextParser.Sanitizer
Parameters:
element - the token of the parse tree, here the ">" symbol which comes after the "="
uri - the user-entered link text
Throws:
antlr.SemanticException - thrown if the URI is not syntactically or semantically valid

validateHtmlElement

public void validateHtmlElement(antlr.Token element)
                         throws antlr.SemanticException
Description copied from interface: SeamTextParser.Sanitizer
Called by the SeamTextParser when a plain HTML element is parsed.

Specified by:
validateHtmlElement in interface SeamTextParser.Sanitizer
Parameters:
element - the token of the parse tree, call getText() to access the HTML tag name
Throws:
antlr.SemanticException - thrown when the HTML tag is not valid

validateHtmlAttribute

public void validateHtmlAttribute(antlr.Token element,
                                  antlr.Token attribute)
                           throws antlr.SemanticException
Description copied from interface: SeamTextParser.Sanitizer
Called by the SeamTextParser when a plain HTML attribute is parsed.

Specified by:
validateHtmlAttribute in interface SeamTextParser.Sanitizer
Parameters:
element - the token of the parse tree that represents the HTML tag
attribute - the token of the parse tree that represents the HTML attribute
Throws:
antlr.SemanticException - thrown if the attribute is not valid for the given HTML tag

validateHtmlAttributeValue

public void validateHtmlAttributeValue(antlr.Token element,
                                       antlr.Token attribute,
                                       String attributeValue)
                                throws antlr.SemanticException
Description copied from interface: SeamTextParser.Sanitizer
Called by the SeamTextParser when a plain HTML attribute value is parsed.

Specified by:
validateHtmlAttributeValue in interface SeamTextParser.Sanitizer
Parameters:
element - the token of the parse tree that represents the HTML tag
attribute - the token of the parse tree that represents the HTML attribute
attributeValue - the plain string value of the HTML attribute
Throws:
antlr.SemanticException - thrown if the attribute value is not valid for the given HTML attribute and element

validateURI

protected boolean validateURI(String uri)
Validate a URI string.

The default implementation accepts any URI string that starts with a slash; such a string is treated as a relative URL. Any absolute URI is parsed by the JDK with the java.net.URI constructor. Finally, the scheme of the parsed absolute URI is checked against a list of valid schemes.

Parameters:
uri - the URI string
Returns:
true if the String represents a safe and valid URI
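The three-step rule described above, re-implemented stand-alone as an added example (this is not the Seam source; the scheme allow-list and the case-insensitive scheme comparison are assumptions of the example, and in DefaultSanitizer the real list is the protected uriSchemes field):

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

/** Added example, not Seam code: the validateURI() rule described above. */
public class UriSchemeCheck {

    // Assumed allow-list for this example; in Seam the real list is the
    // protected uriSchemes field of DefaultSanitizer.
    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https", "ftp", "mailto");

    public static boolean validateURI(String uri) {
        if (uri == null || uri.isEmpty()) return false;
        // Step 1: a leading slash marks a relative URL, which is accepted as-is.
        if (uri.startsWith("/")) return true;
        // Step 2: everything else must parse with the JDK's java.net.URI
        // constructor; malformed input (e.g. embedded whitespace) is rejected.
        URI parsed;
        try {
            parsed = new URI(uri);
        } catch (URISyntaxException e) {
            return false;
        }
        // Step 3: the scheme must be on the allow-list. A scheme-less reference
        // such as "page.html" has no scheme and is therefore rejected as well.
        String scheme = parsed.getScheme();
        if (scheme == null) return false;
        // Case-insensitive comparison is an assumption of this example
        // (RFC 3986 treats scheme names as case-insensitive).
        return ALLOWED_SCHEMES.contains(scheme.toLowerCase(Locale.ROOT));
    }

    public static void main(String[] args) {
        String[] samples = {                 // constructed inputs
            "/relative/path?q=1",            // true: relative URL
            "https://example.com/page",      // true: allowed scheme
            "HTTPS://example.com/page",      // true: scheme matched case-insensitively
            "javascript:void(0)",            // false: scheme not on the allow-list
            "data:text/html;base64,AAAA",    // false: data scheme is not allowed
            "page.html",                     // false: no scheme and no leading slash
            "http://exa mple.com/"           // false: fails to parse
        };
        for (String s : samples) {
            System.out.printf("%-30s -> %b%n", s, validateURI(s));
        }
    }
}
```

The "page.html" case shows the consequence of the slash rule worth knowing when subclassing: a scheme-less relative reference without a leading slash is rejected, not accepted as relative.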

getInvalidURIMessage

public String getInvalidURIMessage(String uri)
Specified by:
getInvalidURIMessage in interface SeamTextParser.Sanitizer

getInvalidElementMessage

public String getInvalidElementMessage(String elementName)
Specified by:
getInvalidElementMessage in interface SeamTextParser.Sanitizer

getInvalidAttributeMessage

public String getInvalidAttributeMessage(String elementName,
                                         String attributeName)
Specified by:
getInvalidAttributeMessage in interface SeamTextParser.Sanitizer

getInvalidAttributeValueMessage

public String getInvalidAttributeValueMessage(String elementName,
                                              String attributeName,
                                              String value)
Specified by:
getInvalidAttributeValueMessage in interface SeamTextParser.Sanitizer

createSemanticException

public antlr.SemanticException createSemanticException(String message,
                                                       antlr.Token element)