


1 package org.tigris.scarab.util;
2
3 /* ================================================================
4  * Copyright (c) 2000-2002 CollabNet. All rights reserved.
5  *
6  * Redistribution and use in source and binary forms, with or without
7  * modification, are permitted provided that the following conditions are
8  * met:
9  *
10  * 1. Redistributions of source code must retain the above copyright
11  * notice, this list of conditions and the following disclaimer.
12  *
13  * 2. Redistributions in binary form must reproduce the above copyright
14  * notice, this list of conditions and the following disclaimer in the
15  * documentation and/or other materials provided with the distribution.
16  *
17  * 3. The end-user documentation included with the redistribution, if
18  * any, must include the following acknowlegement: "This product includes
19  * software developed by Collab.Net <http://www.Collab.Net/>."
20  * Alternately, this acknowlegement may appear in the software itself, if
21  * and wherever such third-party acknowlegements normally appear.
22  *
23  * 4. The hosted project names must not be used to endorse or promote
24  * products derived from this software without prior written
25  * permission. For written permission, please contact info@collab.net.
26  *
27  * 5. Products derived from this software may not use the "Tigris" or
28  * "Scarab" names nor may "Tigris" or "Scarab" appear in their names without
29  * prior written permission of Collab.Net.
30  *
31  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
32  * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
33  * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
34  * IN NO EVENT SHALL COLLAB.NET OR ITS CONTRIBUTORS BE LIABLE FOR ANY
35  * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
36  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
37  * GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
38  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
39  * IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
40  * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
41  * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
42  *
43  * ====================================================================
44  *
45  * This software consists of voluntary contributions made by many
46  * individuals on behalf of Collab.Net.
47  */

48
49 import org.apache.velocity.app.event.ReferenceInsertionEventHandler;
50 import org.apache.velocity.app.event.NullSetEventHandler;
51
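/**
 * Velocity EventCartridge filter that post-processes {@code $reference}
 * values as they are inserted into a rendered template.
 *
 * <p>Its purpose is to neutralise cross-site scripting (XSS) by HTML-escaping
 * the rendered value of every reference, except for a few references that are
 * known to emit intentional or pre-escaped HTML ({@code $renderer},
 * {@code $intake.declare}, {@code $l10n}) and for values whose type implements
 * {@link SkipFiltering}. In limited testing the filter adds about 0-2ms of
 * processing time to each request.
 *
 * <p>This class also implements {@link NullSetEventHandler} and returns
 * {@code false} from {@link #shouldLogOnNullSet} so that null assignments
 * do not clutter the log files.
 *
 * @author <a HREF="mailto:jon@collab.net">Jon S. Stevens</a>
 * @version $Id: ReferenceInsertionFilter.java 7365 2003-03-15 21:56:59Z jon $
 */
public class ReferenceInsertionFilter
    implements ReferenceInsertionEventHandler, NullSetEventHandler
{
    /**
     * Reference prefixes whose String values are never escaped, because the
     * reference deliberately produces HTML or escapes its own output.
     */
    private static final String[] UNFILTERED_PREFIXES =
    {
        // $renderer output is filtered when the nested rendering is done
        "$renderer",
        // $intake.declare emits HTML form markup on purpose
        "$intake.declare",
        // the localization tool pre-filters its data
        "$l10n"
    };

    /**
     * Suppresses Velocity's logging of {@code #set} directives whose
     * right-hand side evaluates to null.
     *
     * @param lhs the left-hand side of the assignment
     * @param rhs the right-hand side of the assignment
     * @return always {@code false}; null sets are never logged
     */
    public boolean shouldLogOnNullSet(String lhs, String rhs)
    {
        return false;
    }

    /**
     * Called by Velocity for every reference inserted into the output.
     * String values are HTML-escaped unless the reference is one of
     * {@link #UNFILTERED_PREFIXES}; other objects are escaped via their
     * {@code toString()} unless they implement {@link SkipFiltering}.
     *
     * @param reference the reference text as written in the template
     *                  (e.g. {@code $issue.summary})
     * @param value     the value the reference evaluated to, may be null
     * @return the value to insert: {@code null} when {@code value} is null,
     *         the unchanged {@code value} when it is exempt, otherwise the
     *         escaped String form of {@code value}
     */
    public Object referenceInsert(String reference, Object value)
    {
        // a null value is left alone so Velocity can apply its own
        // null-reference handling
        if (value == null)
        {
            return null;
        }

        if (value instanceof String)
        {
            return isUnfilteredReference(reference)
                ? value
                : filter((String) value);
        }

        // links and some other elements known to be safe opt out of
        // escaping by implementing SkipFiltering
        if (value instanceof SkipFiltering)
        {
            return value;
        }

        // anything else is rendered through toString() and then escaped
        return filter(value.toString());
    }

    /**
     * Tells whether a reference is exempt from escaping.
     *
     * @param reference the reference text as written in the template
     * @return {@code true} when {@code reference} starts with one of
     *         {@link #UNFILTERED_PREFIXES}; a null reference is never exempt,
     *         so its value is still escaped
     */
    private static boolean isUnfilteredReference(String reference)
    {
        if (reference == null)
        {
            return false;
        }
        for (int i = 0; i < UNFILTERED_PREFIXES.length; i++)
        {
            if (reference.startsWith(UNFILTERED_PREFIXES[i]))
            {
                return true;
            }
        }
        return false;
    }

    /**
     * HTML-escapes a string. Borrowed from Struts: converts {@code <},
     * {@code >}, {@code &}, {@code "} and {@code '} into the corresponding
     * entities. An ampersand that starts a numeric character reference
     * ({@code &#...}) is passed through unchanged, as in the Struts original,
     * so that templates can emit such references literally.
     *
     * @param value the text to escape, may be {@code null}
     * @return the escaped text, or {@code null} when {@code value} is
     *         {@code null}
     */
    public static String filter(String value)
    {
        if (value == null)
        {
            return null;
        }
        int length = value.length();
        StringBuffer escaped = new StringBuffer(length + 50);
        for (int i = 0; i < length; i++)
        {
            char c = value.charAt(i);
            switch (c)
            {
                case '<':
                    escaped.append("&lt;");
                    break;
                case '>':
                    escaped.append("&gt;");
                    break;
                case '&':
                    // NOTE(review): "&#" is passed through so that templates
                    // can output numeric character references. Browsers
                    // decode those references, so this method is not a
                    // sufficient encoder for untrusted data placed in URL
                    // attributes (href/src); such data needs stricter
                    // context-specific encoding before insertion.
                    if (i + 1 < length && value.charAt(i + 1) == '#')
                    {
                        escaped.append('&');
                    }
                    else
                    {
                        escaped.append("&amp;");
                    }
                    break;
                case '"':
                    escaped.append("&quot;");
                    break;
                case '\'':
                    // single quotes can terminate single-quoted attribute
                    // values; &#39; is used because &apos; is XML, not HTML 4
                    escaped.append("&#39;");
                    break;
                default:
                    escaped.append(c);
            }
        }
        return escaped.toString();
    }
}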
167