

1 /*
2  * Copyright 2005 Joe Walker
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  * http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */

16 package org.directwebremoting;
17
18 import org.directwebremoting.util.LocalUtil;
19
20 /**
21  * Some simple replacement utilities to help people protect themselves from
22  * XSS attacks.
23  * <p>This class represents some simple filters which <b>may</b> protect from
24  * simple attacks in low risk environments. There is no replacement for a full
25  * security review which assesses the risks that you face.</p>
26  * @author Joe Walker [joe at getahead dot ltd dot uk]
27  */

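public class Security
{
    /**
     * Perform the following replacements:<ul>
     * <li>&amp; to &amp;amp;</li>
     * <li>&lt; to &amp;lt;</li>
     * <li>&gt; to &amp;gt;</li>
     * <li>&apos; to &amp;apos;</li>
     * <li>&quot; to &amp;quot;</li>
     * </ul>
     * These replacements are useful when the original sense is important, but
     * when we wish to reduce the risk of XSS attacks.
     * <p>The result is only safe when it is inserted as HTML text content or
     * inside a <em>quoted</em> attribute value. It does not make a string safe
     * inside a JavaScript string, a URL, a CSS value or an unquoted attribute;
     * each of those contexts needs its own encoding.</p>
     * <p>{@code &amp;apos;} is an XML/XHTML entity and is not defined in
     * HTML 4.01; {@code &amp;#39;} is the portable form. It is deliberately
     * not changed here because {@link #unescapeHtml(String)} must remain the
     * exact inverse of this method.</p>
     * @param original The string to perform entity replacement on. Behaviour
     *        for {@code null} is whatever {@code LocalUtil.replace} does with
     *        a null text argument - TODO confirm.
     * @return The original string with &amp;, &lt;, &gt;, ' and " escaped.
     * @see #unescapeHtml(String)
     */
    public static String escapeHtml(String original)
    {
        String reply = original;
        // '&' must go first: every later replacement introduces a new '&',
        // which would otherwise be escaped a second time.
        reply = LocalUtil.replace(reply, "&", "&amp;");
        reply = LocalUtil.replace(reply, "<", "&lt;");
        reply = LocalUtil.replace(reply, ">", "&gt;");
        reply = LocalUtil.replace(reply, "\'", "&apos;");
        reply = LocalUtil.replace(reply, "\"", "&quot;");
        return reply;
    }

    /**
     * Perform the following replacements:<ul>
     * <li>&amp;amp; to &amp;</li>
     * <li>&amp;lt; to &lt;</li>
     * <li>&amp;gt; to &gt;</li>
     * <li>&amp;apos; to &apos;</li>
     * <li>&amp;quot; to &quot;</li>
     * </ul>
     * These replacements are useful to reverse the effects of
     * {@link #escapeHtml(String)}.
     * <p>{@code &amp;amp;} is decoded <em>last</em>. Decoding it first would
     * turn {@code &amp;amp;lt;} (the escaped form of the literal text
     * {@code &amp;lt;}) into {@code &amp;lt;} and then into {@code &lt;},
     * so the round trip through {@link #escapeHtml(String)} would not be the
     * identity and a single call could decode two levels of escaping.</p>
     * <p>Unescaping re-introduces the HTML-special characters; the result
     * must not be written into a page without being escaped again for the
     * context it ends up in.</p>
     * @param original The string to perform entity replacement on. Behaviour
     *        for {@code null} is whatever {@code LocalUtil.replace} does with
     *        a null text argument - TODO confirm.
     * @return The original string with &amp;, &lt;, &gt;, ' and " replaced.
     * @see #escapeHtml(String)
     */
    public static String unescapeHtml(String original)
    {
        String reply = original;
        reply = LocalUtil.replace(reply, "&lt;", "<");
        reply = LocalUtil.replace(reply, "&gt;", ">");
        reply = LocalUtil.replace(reply, "&apos;", "\'");
        reply = LocalUtil.replace(reply, "&quot;", "\"");
        // Mirror of escapeHtml: '&' was escaped first, so it is unescaped last.
        reply = LocalUtil.replace(reply, "&amp;", "&");
        return reply;
    }

    /**
     * Perform the following replacements:<ul>
     * <li>&amp; to +</li>
     * <li>&lt; to U+2039 (‹)</li>
     * <li>&gt; to U+203A (›)</li>
     * <li>&apos; to U+2018 (‘)</li>
     * <li>&quot; to U+201C (“)</li>
     * </ul>
     * These replacements are useful when readability is more important than
     * retaining the exact character string of the original.
     * <p>This is a lossy substitution, not an encoding: there is no inverse
     * ({@code +} in particular cannot be mapped back to {@code &amp;}). The
     * result contains none of the five characters it replaces, but it gives
     * no protection in non-HTML contexts.</p>
     * @param original The string to perform entity replacement on. Behaviour
     *        for {@code null} is whatever {@code LocalUtil.replace} does with
     *        a null text argument - TODO confirm.
     * @return The original string with &amp;, &lt;, &gt;, ' and " replaced
     *         by look-alike characters.
     */
    public static String replaceXmlCharacters(String original)
    {
        String reply = original;
        reply = LocalUtil.replace(reply, "&", "+");
        reply = LocalUtil.replace(reply, "<", "\u2039");
        reply = LocalUtil.replace(reply, ">", "\u203A");
        reply = LocalUtil.replace(reply, "\'", "\u2018");
        reply = LocalUtil.replace(reply, "\"", "\u201C");
        return reply;
    }

    /**
     * Return true iff the input string contains any of the characters that
     * are special to XML: &amp;, &lt;, &gt;, &apos; or &quot;
     * <p>This is a detection helper, not a sanitizer. A {@code false} result
     * only means none of these five characters is present; it does not mean
     * the string is safe in every output context (URL, JavaScript and CSS
     * contexts have different risky characters).</p>
     * @param original The string to test for XML special characters;
     *        {@code null} is treated as containing nothing.
     * @return True if the characters are found, false otherwise
     */
    public static boolean containsXssRiskyCharacters(String original)
    {
        // A null string cannot contain anything; previously this threw NPE.
        if (original == null)
        {
            return false;
        }

        return (original.indexOf('&') != -1
            || original.indexOf('<') != -1
            || original.indexOf('>') != -1
            || original.indexOf('\'') != -1
            || original.indexOf('\"') != -1);
    }
}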