diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml new file mode 100644 index 0000000..dcee386 --- /dev/null +++ b/.github/workflows/build.yaml @@ -0,0 +1,26 @@ +name: Java CI + +on: + push: + branches: + - main + pull_request: + +permissions: + contents: read + +jobs: + build: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - name: Set up JDK 17 + uses: actions/setup-java@v4 + with: + java-version: '17' + distribution: 'temurin' + - name: Run build + run: | + mvn -B install -PtestJakarta + + diff --git a/.gitignore b/.gitignore index ae98f63..140b296 100644 --- a/.gitignore +++ b/.gitignore @@ -1,4 +1,5 @@ */target/** +/target/** # Intellij project files *.iml *.ipr @@ -12,4 +13,10 @@ maven-eclipse.xml .externalToolBuilders # Netbeans configuration nb-configuration.xml -/target/ \ No newline at end of file +*/nbproject/* + +/jsp/target/ +/esapi/target/ +/target/ +/jakarta/target/ +/jakarta-test/target/ diff --git a/.java-version b/.java-version new file mode 100644 index 0000000..03b6389 --- /dev/null +++ b/.java-version @@ -0,0 +1 @@ +17.0 diff --git a/META-INF/MANIFEST.MF b/META-INF/MANIFEST.MF new file mode 100644 index 0000000..2aaee67 --- /dev/null +++ b/META-INF/MANIFEST.MF @@ -0,0 +1,9 @@ +Manifest-Version: 1.0 +Bnd-LastModified: 1533328833261 +Bundle-ManifestVersion: 2 +Bundle-Name: org.owasp.encoder +Bundle-SymbolicName: org.owasp.encoder +Bundle-Version: 1.2.1 +Created-By: 1.8.0_181 (Oracle Corporation) +Export-Package: org.owasp.encoder +Tool: Bnd-1.50.0 diff --git a/README.md b/README.md index 54cb4e4..ee9f915 100644 --- a/README.md +++ b/README.md 
@@ -1,34 +1,51 @@ OWASP Java Encoder Project ========================== -Contextual Output Encoding is a computer programming technique necessary to stop Cross Site Scripting. This project is a Java 1.5+ simple-to-use drop-in high-performance encoder class with little baggage. -For more information on how to use this project, please see https://www.owasp.org/index.php/OWASP_Java_Encoder_Project#tab=Use_the_Java_Encoder_Project. +![Build Status](https://github.com/OWASP/owasp-java-encoder/actions/workflows/build.yaml/badge.svg?branch=main) [![License](https://img.shields.io/badge/License-BSD%203--Clause-blue.svg)](https://opensource.org/licenses/BSD-3-Clause) [![javadoc](https://javadoc.io/badge2/org.owasp.encoder/encoder/javadoc.svg)](https://javadoc.io/doc/org.owasp.encoder/encoder) + +Contextual Output Encoding is a computer programming technique necessary to stop +Cross-Site Scripting. This project is a Java 1.8+ simple-to-use drop-in high-performance +encoder class with little baggage. + +For more detailed documentation on the OWASP Java Encoder please visit https://owasp.org/www-project-java-encoder/. Start using the OWASP Java Encoders ----------------------------------- You can download a JAR from [Maven Central](https://search.maven.org/#search|ga|1|g%3A%22org.owasp.encoder%22%20a%3A%22encoder%22). -JSP tags and functions are available in the encoder-jsp, also available in [Central](http://search.maven.org/remotecontent?filepath=org/owasp/encoder/encoder-jsp/1.2/encoder-jsp-1.2.jar). This jar requires the core library. 
+JSP tags and EL functions are available in the encoder-jsp, also available: +- [encoder-jakarta-jsp](http://search.maven.org/remotecontent?filepath=org/owasp/encoder/encoder-jakarta-jsp/1.2.3/encoder-jakarta-jsp-1.2.3.jar) - Servlet Spec 5.0 +- [encoder-jsp](http://search.maven.org/remotecontent?filepath=org/owasp/encoder/encoder-jsp/1.2.3/encoder-jsp-1.2.3.jar) - Servlet Spec 3.0 -The jars are also available in Maven: +The jars are also available in Central: ```xml - org.owasp.encoder - encoder - 1.2 + org.owasp.encoder + encoder + 1.3.0 + + + + + org.owasp.encoder + encoder-jakarta-jsp + 1.3.0 + - org.owasp.encoder - encoder-jsp - 1.2 + org.owasp.encoder + encoder-jsp + 1.3.0 ``` Quick Overview -------------- -The OWASP Java Encoder library is intended for quick contextual encoding with very little overhead, either in performance or usage. To get started, simply add the encoder-1.2.jar, import org.owasp.encoder.Encode and start using. +The OWASP Java Encoder library is intended for quick contextual encoding with very little +overhead, either in performance or usage. To get started, simply add the encoder-1.2.3.jar, +import org.owasp.encoder.Encode and start using. Example usage: 
@@ -41,8 +58,74 @@ Please look at the javadoc for Encode to see the variety of contexts for which y Happy Encoding! +Building +-------- + +Due to test cases for the `encoder-jakarta-jsp` project Java 17 is required to package and test +the project. Simply run: + +```shell +mvn package +``` + +To run the Jakarta JSP intgration test, to validate that the JSP Tags and EL work correctly run: + +```shell +mvn verify -PtestJakarta +``` + +* Note that the above test may fail on modern Apple silicon. + +Java 9+ Module Names +-------------------- + +| JAR | Module Name | +|---------------------|-----------------------| +| encoder | owasp.encoder | +| encoder-jakarta-jsp | owasp.encoder.jakarta | +| encoder-jsp | owasp.encoder.jsp | +| encoder-espai | owasp.encoder.esapi | + + +TagLib +-------------------- + +| Lib | TagLib | +|---------------------|-----------------------------------------------------------------------------------------------| +| encoder-jakarta-jsp | <%@taglib prefix="e" uri="owasp.encoder.jakarta"%> | +| encoder-jsp | <%@taglib prefix="e" uri="https://www.owasp.org/index.php/OWASP_Java_Encoder_Project"%> | + + News ---- +### 2024-08-20 - 1.3.1 Release +The team is happy to announce that version 1.3.1 has been released! +* fix: add OSGi related entries in the MANIFEST.MF file (#82). +* fix: java.lang.NoSuchMethodError when running on Java 8 (#80). + +### 2024-08-02 - 1.3.0 Release +The team is happy to announce that version 1.3.0 has been released! +* Minimum JDK Requirement is now Java 8 + - Requires Java 17 to build due to test case dependencies. +* Adds Java 9 Module name via Multi-Release Jars (#77). +* Fixed compilation errors with the ESAPI Thunk (#76). +* Adds support for Servlet Spec 5 using the `jakarta.servlet.*` (#75). + - taglib : <%@taglib prefix="e" uri="owasp.encoder.jakarta"%> + +### 2020-11-08 - 1.2.3 Release +The team is happy to announce that version 1.2.3 has been released! +* Update to make the manifest OSGi-compliant (#39). 
+* Update to support ESAPI 2.2 and later (#37). + +### 2018-09-14 - 1.2.2 Release +The team is happy to announce that version 1.2.2 has been released! +* This is a minor release fixing documentation and licensing issues. + +### 2017-02-19 - 1.2.1 Release +The team is happy to announce that version 1.2.1 has been released! +* The CDATA Encoder was modified so that it does not emit intermediate characters between adjacent CDATA sections. +* The documentation on [gh-pages](http://owasp.github.io/owasp-java-encoder/) has been improved. + ### 2015-04-12 - 1.2 Release on GitHub OWASP Java Encoder has been moved to GitHub. Version 1.2 was also released! @@ -53,4 +136,4 @@ Please visit https://www.owasp.org/index.php/OWASP_Java_Encoder_Project#tab=Use_ We're happy to announce that version 1.1.1 has been released. Along with a important bug fix, we added ESAPI integration to replace the legacy ESAPI encoders with the OWASP Java Encoder. ### 2013-02-14 - Version 1.1 released -We're happy to announce that version 1.1 has been released. Along with a few minor encoding enhancements, we improved performance, and added a JSP tag and function library. \ No newline at end of file +We're happy to announce that version 1.1 has been released. Along with a few minor encoding enhancements, we improved performance, and added a JSP tag and function library. diff --git a/core/pom.xml b/core/pom.xml index 7fafdac..4ae9ce6 100644 --- a/core/pom.xml +++ b/core/pom.xml @@ -1,5 +1,4 @@ - "); - * out.println("</data>"); + * out.println("<?xml version='1.0'?>"); + * out.println("<data>"); + * out.println("<!-- "+Encode.forXmlComment(comment)+" -->"); + * out.println("</data>"); * * * @param input the input to encode @@ -846,7 +877,7 @@ public static void forXmlComment(Writer out, String input) * provide the CDATA section boundaries. * *
-     *     <xml-data><![CDATA[<%=Encode.forCDATA(...)%>]]></xml-data>
+     *     <xml-data><![CDATA[<%=Encode.forCDATA(...)%>]]></xml-data>
      * 
* * @param input the input to encode @@ -913,93 +944,93 @@ public static void forJava(Writer out, String input) * provide the surrounding quotation characters for the string. * Since this performs additional encoding so it can work in all * of the JavaScript contexts listed, it may be slightly less - * efficient then using one of the methods targetted to a specific + * efficient than using one of the methods targeted to a specific * JavaScript context ({@link #forJavaScriptAttribute(String)}, * {@link #forJavaScriptBlock}, {@link #forJavaScriptSource}). * Unless you are interested in saving a few bytes of output or * are writing a framework on top of this library, it is recommend * that you use this method over the others.

* - *
Example JSP Usage:
+ * Example JSP Usage: *
-     *    <button onclick="alert('<%=Encode.forJavaScript(data)%>');">
-     *    <script type="text/javascript">
-     *        var data = "<%=Encode.forJavaScript(data)%>";
-     *    </script>
+     *    <button onclick="alert('<%=Encode.forJavaScript(data)%>');">
+     *    <script type="text/javascript">
+     *        var data = "<%=Encode.forJavaScript(data)%>";
+     *    </script>
      * 
* - *
Encoding Description
- * + *
+ * * - * - * - * - * + * + * + * + * * * * - * - * - * - * + * + * + * + * * - * - * - * - * + * + * + * + * * - * - * - * - * + * + * + * + * * - * - * - * - * + * + * + * + * * - * - * - * - * + * + * + * + * * - * - * - * - * + * + * + * * - * - * - * - * + * + * + * + * * - * - * - * - * + * + * + * * - * - * - * - * + * + * + * * - * - * - * - * + * + * + * + * * - * - * - * - * + * + * + * * * @@ -1041,9 +1072,9 @@ public static void forJavaScript(Writer out, String input) * recommend that you use {@link #forJavaScript(String)} over this * method.

* - *
Example JSP Usage:
+ * Example JSP Usage: *
-     *    <button onclick="alert('<%=Encode.forJavaScriptAttribute(data)%>');">
+     *    <button onclick="alert('<%=Encode.forJavaScriptAttribute(data)%>');">
      * 
* * @param input the input string to encode @@ -1084,11 +1115,11 @@ public static void forJavaScriptAttribute(Writer out, String input) * recommend that you use {@link #forJavaScript(String)} over this * method.

* - *
Example JSP Usage:
+ * Example JSP Usage: *
-     *    <script type="text/javascript">
-     *        var data = "<%=Encode.forJavaScriptBlock(data)%>";
-     *    </script>
+     *    <script type="text/javascript">
+     *        var data = "<%=Encode.forJavaScriptBlock(data)%>";
+     *    </script>
      * 
* * @param input the input string to encode @@ -1129,19 +1160,19 @@ public static void forJavaScriptBlock(Writer out, String input) * recommend that you use {@link #forJavaScript(String)} over this * method.

* - *
Example JSP Usage:
+ * Example JSP Usage: * This example is serving up JavaScript source directly: *
-     *    <%@page contentType="text/javascript; charset=UTF-8"%>
-     *    var data = "<%=Encode.forJavaScriptSource(data)%>";
+     *    <%@page contentType="text/javascript; charset=UTF-8"%>
+     *    var data = "<%=Encode.forJavaScriptSource(data)%>";
      * 
* * This example is serving up JSON data (users of this use-case * are encouraged to read up on "JSON Hijacking"): *
-     *    <%@page contentType="application/json; charset=UTF-8"%>
-     *    <% myapp.jsonHijackingPreventionMeasure(); %>
-     *    {"data":"<%=Encode.forJavaScriptSource(data)%>"}
+     *    <%@page contentType="application/json; charset=UTF-8"%>
+     *    <% myapp.jsonHijackingPreventionMeasure(); %>
+     *    {"data":"<%=Encode.forJavaScriptSource(data)%>"}
      * 
* * @param input the input string to encode @@ -1302,9 +1333,8 @@ String encode(Encoder encoder, String str, int j) { // else, it's an overflow, we need to use a new output buffer // we'll allocate this buffer to be the exact size of the worst // case, guaranteeing a second overflow would not be possible. - CharBuffer tmp = CharBuffer.allocate( - _output.position() + - encoder.maxEncodedLength(_input.remaining())); + CharBuffer tmp = CharBuffer.allocate(_output.position() + + encoder.maxEncodedLength(_input.remaining())); // copy over everything that has been encoded so far tmp.put(_output.array(), 0, _output.position()); diff --git a/core/src/main/java/org/owasp/encoder/EncodedWriter.java b/core/src/main/java/org/owasp/encoder/EncodedWriter.java index 36b884c..8a233a7 100644 --- a/core/src/main/java/org/owasp/encoder/EncodedWriter.java +++ b/core/src/main/java/org/owasp/encoder/EncodedWriter.java @@ -39,7 +39,7 @@ import java.nio.charset.CoderResult; /** - * EncodedWriter -- A writer the encodes all input for a specific context and writes the encoded output to another writer. + * EncodedWriter -- A writer that encodes all input for a specific context and writes the encoded output to another writer. * * @author Jeff Ichnowski */ diff --git a/core/src/main/java/org/owasp/encoder/Encoder.java b/core/src/main/java/org/owasp/encoder/Encoder.java index 7f4b887..3c5656e 100644 --- a/core/src/main/java/org/owasp/encoder/Encoder.java +++ b/core/src/main/java/org/owasp/encoder/Encoder.java @@ -110,7 +110,7 @@ public abstract class Encoder { * true}). This will happen when the encoder needs to see more * input before determining what to do--for example when encoding * for CDATA, if the input ends with {@code "foo]]"}, the encoder - * will need to see the next character to determine if it is a ">" + * will need to see the next character to determine if it is a ">" * or not.

* *

Example usage:

diff --git a/core/src/main/java/org/owasp/encoder/Encoders.java b/core/src/main/java/org/owasp/encoder/Encoders.java index f810d8d..3879fd0 100644 --- a/core/src/main/java/org/owasp/encoder/Encoders.java +++ b/core/src/main/java/org/owasp/encoder/Encoders.java @@ -31,7 +31,6 @@ // STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) // ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED // OF THE POSSIBILITY OF SUCH DAMAGE. - package org.owasp.encoder; import java.util.HashMap; @@ -39,70 +38,183 @@ /** * Encoders -- Public factory method for obtaining instances of Encoders. - * Classes implementing the encoders are not directly exposed as part of - * the API since encoding strategies are subject to change. In many cases - * encoders will share the same implementation, but have different internal - * flags for how to handle varied content. For example the XML_CONTENT and - * XML_ATTRIBUTE contexts may currently share the same class with each - * instances having a different set of flags. Future version may optimize - * them into different classes. + * Classes implementing the encoders are not directly exposed as part of the API + * since encoding strategies are subject to change. In many cases encoders will + * share the same implementation, but have different internal flags for how to + * handle varied content. For example the XML_CONTENT and XML_ATTRIBUTE contexts + * may currently share the same class with each instances having a different set + * of flags. Future version may optimize them into different classes. * - *

All encoders returned by the factory are thread-safe.

+ *

+ * All encoders returned by the factory are thread-safe.

* * @author Jeff Ichnowski */ public final class Encoders { - /** No instances. */ - private Encoders() {} - - /** Name of {@linkplain Encode#forHtml(String) HTML general} context. */ + /** + * Name of {@linkplain Encode#forHtml(String) HTML general} context. + */ public static final String HTML = "html"; - /** Name of {@linkplain Encode#forHtmlContent(String) HTML content} context. */ + /** + * Name of {@linkplain Encode#forHtmlContent(String) HTML content} context. + */ public static final String HTML_CONTENT = "html-content"; - /** Name of {@linkplain Encode#forHtmlAttribute(String) HTML attribute} context. */ + /** + * Name of {@linkplain Encode#forHtmlAttribute(String) HTML attribute} + * context. + */ public static final String HTML_ATTRIBUTE = "html-attribute"; - /** Name of {@linkplain Encode#forHtmlUnquotedAttribute(String) unquoted HTML attribute} context. */ + /** + * Name of + * {@linkplain Encode#forHtmlUnquotedAttribute(String) unquoted HTML attribute} + * context. + */ public static final String HTML_UNQUOTED_ATTRIBUTE = "html-attribute-unquoted"; - - /** Name of {@linkplain Encode#forXml(String) XML general} context. */ + /** + * Name of {@linkplain Encode#forXml(String) XML general} context. + */ public static final String XML = "xml"; - /** Name of {@linkplain Encode#forXmlContent(String) XML content} context. */ + /** + * Name of {@linkplain Encode#forXmlContent(String) XML content} context. + */ public static final String XML_CONTENT = "xml-content"; - /** Name of {@linkplain Encode#forXmlAttribute(String) XML attribute} context. */ + /** + * Name of {@linkplain Encode#forXmlAttribute(String) XML attribute} + * context. + */ public static final String XML_ATTRIBUTE = "xml-attribute"; - /** Name of {@linkplain Encode#forXmlComment(String) XML comment} context. */ + /** + * Name of {@linkplain Encode#forXmlComment(String) XML comment} context. 
+ */ public static final String XML_COMMENT = "xml-comment"; - /** Name of {@linkplain Encode#forCDATA(String) CDATA} context. */ + /** + * Name of {@linkplain Encode#forCDATA(String) CDATA} context. + */ public static final String CDATA = "cdata"; - - /** Name of {@linkplain Encode#forCssString(String) CSS string} context. */ + /** + * Name of {@linkplain Encode#forCssString(String) CSS string} context. + */ public static final String CSS_STRING = "css-string"; - /** Name of {@linkplain Encode#forCssUrl(String) CSS URL} context. */ + /** + * Name of {@linkplain Encode#forCssUrl(String) CSS URL} context. + */ public static final String CSS_URL = "css-url"; - - /** Name of {@linkplain Encode#forJava(String) Java String} context. */ + /** + * Name of {@linkplain Encode#forJava(String) Java String} context. + */ public static final String JAVA = "java"; - - /** Name of {@linkplain Encode#forJavaScript(String) JavaScript general} context. */ + /** + * Name of {@linkplain Encode#forJavaScript(String) JavaScript general} + * context. + */ public static final String JAVASCRIPT = "javascript"; - /** Name of {@linkplain Encode#forJavaScriptAttribute(String) JavaScript attribute} context. */ + /** + * Name of + * {@linkplain Encode#forJavaScriptAttribute(String) JavaScript attribute} + * context. + */ public static final String JAVASCRIPT_ATTRIBUTE = "javascript-attribute"; - /** Name of {@linkplain Encode#forJavaScriptBlock(String) JavaScript block} context. */ + /** + * Name of {@linkplain Encode#forJavaScriptBlock(String) JavaScript block} + * context. + */ public static final String JAVASCRIPT_BLOCK = "javascript-block"; - /** Name of {@linkplain Encode#forJavaScriptSource(String) JavaScript source} context. */ + /** + * Name of {@linkplain Encode#forJavaScriptSource(String) JavaScript source} + * context. + */ public static final String JAVASCRIPT_SOURCE = "javascript-source"; - - /** Name of {@linkplain Encode#forUri(String) URI} context. 
*/ + /** + * Name of {@linkplain Encode#forUri(String) URI} context. + */ public static final String URI = "uri"; - /** Name of {@linkplain Encode#forUriComponent(String) URI component} context. */ + /** + * Name of {@linkplain Encode#forUriComponent(String) URI component} + * context. + */ public static final String URI_COMPONENT = "uri-component"; - /** * Map from encoder name to encoder singleton. */ - private static final Map ENCODERS_MAP = - new HashMap(32); + private static final Map ENCODERS_MAP + = new HashMap(32); + // XML and HTML use the same encoder implementations currently + /** + * Encoder for general XML/HTML contexts. + */ + static final XMLEncoder XML_ENCODER + = map(HTML, map(XML, new XMLEncoder(XMLEncoder.Mode.ALL))); + /** + * Encoder for XML/HTML content contexts. + */ + static final XMLEncoder XML_CONTENT_ENCODER + = map(HTML_CONTENT, map(XML_CONTENT, new XMLEncoder(XMLEncoder.Mode.CONTENT))); + /** + * Encoder for XML/HTML attribute contexts. + */ + static final XMLEncoder XML_ATTRIBUTE_ENCODER + = map(HTML_ATTRIBUTE, map(XML_ATTRIBUTE, new XMLEncoder(XMLEncoder.Mode.ATTRIBUTE))); + /** + * Encoder for XML comments. + */ + static final XMLCommentEncoder XML_COMMENT_ENCODER + = map(XML_COMMENT, new XMLCommentEncoder()); + /** + * Encoder for CDATA contexts. + */ + static final CDATAEncoder CDATA_ENCODER + = map(CDATA, new CDATAEncoder()); + /** + * Encoder for unquoted HTML attributes. + */ + static final HTMLEncoder HTML_UNQUOTED_ATTRIBUTE_ENCODER + = map(HTML_UNQUOTED_ATTRIBUTE, new HTMLEncoder()); + /** + * Encoder for general JavaScript contexts. + */ + static final JavaScriptEncoder JAVASCRIPT_ENCODER + = map(JAVASCRIPT, new JavaScriptEncoder(JavaScriptEncoder.Mode.HTML, false)); + /** + * Encoder for JavaScript appearing in XML/HTML attributes. 
+ */ + static final JavaScriptEncoder JAVASCRIPT_ATTRIBUTE_ENCODER + = map(JAVASCRIPT_ATTRIBUTE, new JavaScriptEncoder(JavaScriptEncoder.Mode.ATTRIBUTE, false)); + /** + * Encoder for JavaScript appearing in HTML script blocks. + */ + static final JavaScriptEncoder JAVASCRIPT_BLOCK_ENCODER + = map(JAVASCRIPT_BLOCK, new JavaScriptEncoder(JavaScriptEncoder.Mode.BLOCK, false)); + /** + * Encoder for JavaScript in stand-alone contexts. + */ + static final JavaScriptEncoder JAVASCRIPT_SOURCE_ENCODER + = map(JAVASCRIPT_SOURCE, new JavaScriptEncoder(JavaScriptEncoder.Mode.SOURCE, false)); + /** + * Encoder for full URIs. + */ + static final URIEncoder URI_ENCODER + = map(URI, new URIEncoder(URIEncoder.Mode.FULL_URI)); + /** + * Encoder for components of URIs. + */ + static final URIEncoder URI_COMPONENT_ENCODER + = map(URI_COMPONENT, new URIEncoder(URIEncoder.Mode.COMPONENT)); + /** + * Encoder for Java strings. + */ + static final JavaEncoder JAVA_ENCODER + = map(JAVA, new JavaEncoder()); + /** + * Encoder for CSS strings. + */ + static final CSSEncoder CSS_STRING_ENCODER + = map(CSS_STRING, new CSSEncoder(CSSEncoder.Mode.STRING)); + /** + * Encoder for CSS URL values. + */ + static final CSSEncoder CSS_URL_ENCODER + = map(CSS_URL, new CSSEncoder(CSSEncoder.Mode.URL)); /** * Internal method to setup and map encoder singletons. 
@@ -118,84 +230,31 @@ private static T map(String name, T encoder) { return encoder; } - // XML and HTML use the same encoder implementations currently - - /** Encoder for general XML/HTML contexts. */ - static final XMLEncoder XML_ENCODER = - map(HTML, - map(XML, new XMLEncoder(XMLEncoder.Mode.ALL))); - /** Encoder for XML/HTML content contexts. */ - static final XMLEncoder XML_CONTENT_ENCODER = - map(HTML_CONTENT, - map(XML_CONTENT, new XMLEncoder(XMLEncoder.Mode.CONTENT))); - /** Encoder for XML/HTML attribute contexts. */ - static final XMLEncoder XML_ATTRIBUTE_ENCODER = - map(HTML_ATTRIBUTE, - map(XML_ATTRIBUTE, new XMLEncoder(XMLEncoder.Mode.ATTRIBUTE))); - - /** Encoder for XML comments. */ - static final XMLCommentEncoder XML_COMMENT_ENCODER = - map(XML_COMMENT, new XMLCommentEncoder()); - /** Encoder for CDATA contexts. */ - static final CDATAEncoder CDATA_ENCODER = - map(CDATA, new CDATAEncoder()); - /** Encoder for unquoted HTML attributes. */ - static final HTMLEncoder HTML_UNQUOTED_ATTRIBUTE_ENCODER = - map(HTML_UNQUOTED_ATTRIBUTE, new HTMLEncoder()); - /** Encoder for general JavaScript contexts. */ - static final JavaScriptEncoder JAVASCRIPT_ENCODER = - map(JAVASCRIPT, new JavaScriptEncoder(JavaScriptEncoder.Mode.HTML, false)); - /** Encoder for JavaScript appearing in XML/HTML attributes. */ - static final JavaScriptEncoder JAVASCRIPT_ATTRIBUTE_ENCODER = - map(JAVASCRIPT_ATTRIBUTE, new JavaScriptEncoder(JavaScriptEncoder.Mode.ATTRIBUTE, false)); - /** Encoder for JavaScript appearing in HTML script blocks. */ - static final JavaScriptEncoder JAVASCRIPT_BLOCK_ENCODER = - map(JAVASCRIPT_BLOCK, new JavaScriptEncoder(JavaScriptEncoder.Mode.BLOCK, false)); - /** Encoder for JavaScript in stand-alone contexts. */ - static final JavaScriptEncoder JAVASCRIPT_SOURCE_ENCODER = - map(JAVASCRIPT_SOURCE, new JavaScriptEncoder(JavaScriptEncoder.Mode.SOURCE, false)); - /** Encoder for full URIs. 
*/ - static final URIEncoder URI_ENCODER = - map(URI, new URIEncoder(URIEncoder.Mode.FULL_URI)); - /** Encoder for components of URIs. */ - static final URIEncoder URI_COMPONENT_ENCODER = - map(URI_COMPONENT, new URIEncoder(URIEncoder.Mode.COMPONENT)); - /** Encoder for Java strings. */ - static final JavaEncoder JAVA_ENCODER = - map(JAVA, new JavaEncoder()); - /** Encoder for CSS strings. */ - static final CSSEncoder CSS_STRING_ENCODER = - map(CSS_STRING, new CSSEncoder(CSSEncoder.Mode.STRING)); - /** Encoder for CSS URL values. */ - static final CSSEncoder CSS_URL_ENCODER = - map(CSS_URL, new CSSEncoder(CSSEncoder.Mode.URL)); - - /** - * Returns a new instance of an Encoder for the specified context. - * The returned instance is thread-safe. + * Returns a new instance of an Encoder for the specified context. The + * returned instance is thread-safe. * - * @param contextName the context name (one of the String constants - * defined in this class) + * @param contextName the context name (one of the String constants defined + * in this class) * @return an encoder for the specified context. * @throws NullPointerException if {@code contextName} is null * @throws UnsupportedContextException if {@code contextName} is not * recognized. */ - public static Encoder forName(String contextName) - throws NullPointerException, - UnsupportedContextException - { + public static Encoder forName(String contextName) throws NullPointerException, UnsupportedContextException { if (contextName == null) { throw new NullPointerException(); } - Encoder encoder = ENCODERS_MAP.get(contextName); - if (encoder == null) { throw new UnsupportedContextException(contextName); } - return encoder; } + + /** + * No instances. + */ + private Encoders() { + } } diff --git a/core/src/main/java/org/owasp/encoder/HTMLEncoder.java b/core/src/main/java/org/owasp/encoder/HTMLEncoder.java index e41c294..068fba0 100644 --- a/core/src/main/java/org/owasp/encoder/HTMLEncoder.java 
+++ b/core/src/main/java/org/owasp/encoder/HTMLEncoder.java @@ -31,40 +31,48 @@ // STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) // ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED // OF THE POSSIBILITY OF SUCH DAMAGE. - package org.owasp.encoder; import java.nio.CharBuffer; import java.nio.charset.CoderResult; /** - *

HTMLEncoder -- an encoder for HTML contexts. Currently most - * HTML-based contexts are properly handled by {@line XMLEncoder}. - * The remaining HTML-specific context of "unquoted attributes" could - * not be added to the XMLEncoder without slowing it down. This class - * implements that remaining context: unquoted attribute - * values.

+ *

+ * HTMLEncoder -- an encoder for HTML contexts. Currently most HTML-based + * contexts are properly handled by {@link XMLEncoder}. The remaining + * HTML-specific context of "unquoted attributes" could not be added to the + * XMLEncoder without slowing it down. This class implements that remaining + * context: unquoted attribute values.

* - *

Note: because this context is likely small strings, and - * hopefully rarely used, no effort was put into optimizing this - * encoder.

+ *

+ * Note: because this context is likely small strings, and hopefully rarely + * used, no effort was put into optimizing this encoder.

* * @author Jeff Ichnowski */ class HTMLEncoder extends Encoder { + /** - * Number of characters in the encoding prefix and suffix when using - * decimal numeric encodings of the form "&#...;". + * Number of characters in the encoding prefix and suffix when using decimal + * numeric encodings of the form "&#...;". */ private static final int ENCODE_AFFIX_CHAR_COUNT = 3; - /** Encoding for '\t'. */ + /** + * Encoding for '\t'. + */ private static final char[] TAB = " ".toCharArray(); - /** Encoding for '&'. */ + /** + * Encoding for '&'. + */ private static final char[] AMP = "&".toCharArray(); - /** Encoding for '<'. */ + /** + * Encoding for '<'. + */ private static final char[] LT = "<".toCharArray(); - /** Encoding for '>'. */ + /** + * Encoding for '>'. + */ private static final char[] GT = ">".toCharArray(); // The large table-switch implementation used here is fast to 
@@ -72,94 +80,167 @@ class HTMLEncoder extends Encoder { // encoders that use selective if/else's. Look at the results of // BenchmarkTest to see the difference. See note in javadoc as to // reasoning. - // On Core i7 (Sandybridge) // Baseline is 371.401009 ns/op // Benchmarked Encode.forXml: 324.219992 ns/op (-12.70% on baseline) // Benchmarked Encode.forHtmlUnquotedAttribute: 821.583263 ns/op (+121.21% on baseline) - - @Override int maxEncodedLength(int n) { // if everything is line separators and paragraph separators then // we get "⁛" - return n*(ENCODE_AFFIX_CHAR_COUNT+4); + return n * (ENCODE_AFFIX_CHAR_COUNT + 4); } @Override int firstEncodedOffset(String input, int off, int len) { - final int n = off+len; - for (int i=off ; i': - return i; - - case '!': case '#': case '$': case '%': - case '(': case ')': case '*': case '+': - case ',': case '-': case '.': - - case '0': case '1': case '2': case '3': case '4': - case '5': case '6': case '7': case '8': case '9': - case ':': case ';': case '?': case '@': - - case 'A': case 'B': case 'C': case 'D': case 'E': - case 'F': case 'G': case 'H': case 'I': case 'J': - case 'K': case 'L': case 'M': case 'N': case 'O': - case 'P': case 'Q': case 'R': case 'S': case 'T': - case 'U': case 'V': case 'W': case 'X': case 'Y': - case 'Z': - - case '[': case '\\': case ']': case '^': case '_': - - case 'a': case 'b': case 'c': case 'd': case 'e': - case 'f': case 'g': case 'h': case 'i': case 'j': - case 'k': case 'l': case 'm': case 'n': case 'o': - case 'p': case 'q': case 'r': case 's': case 't': - case 'u': case 'v': case 'w': case 'x': case 'y': - case 'z': - - case '{': case '|': case '}': case '~': - break; // valid - - default: - - if (Character.isHighSurrogate(ch)) { - if (i+1 < n) { - if (Character.isLowSurrogate(input.charAt(i+1))) { - int cp = Character.toCodePoint(ch, input.charAt(i+1)); - if (Unicode.isNonCharacter(cp)) { - return i; - } else { - ++i; + case '\t': + case '\r': + case '\f': + case '\n': + case ' ': 
+ case Unicode.NEL: + case '\"': + case '\'': + case '/': + case '=': + case '`': + case '&': + case '<': + case '>': + return i; + + case '!': + case '#': + case '$': + case '%': + case '(': + case ')': + case '*': + case '+': + case ',': + case '-': + case '.': + + case '0': + case '1': + case '2': + case '3': + case '4': + case '5': + case '6': + case '7': + case '8': + case '9': + case ':': + case ';': + case '?': + case '@': + + case 'A': + case 'B': + case 'C': + case 'D': + case 'E': + case 'F': + case 'G': + case 'H': + case 'I': + case 'J': + case 'K': + case 'L': + case 'M': + case 'N': + case 'O': + case 'P': + case 'Q': + case 'R': + case 'S': + case 'T': + case 'U': + case 'V': + case 'W': + case 'X': + case 'Y': + case 'Z': + + case '[': + case '\\': + case ']': + case '^': + case '_': + + case 'a': + case 'b': + case 'c': + case 'd': + case 'e': + case 'f': + case 'g': + case 'h': + case 'i': + case 'j': + case 'k': + case 'l': + case 'm': + case 'n': + case 'o': + case 'p': + case 'q': + case 'r': + case 's': + case 't': + case 'u': + case 'v': + case 'w': + case 'x': + case 'y': + case 'z': + + case '{': + case '|': + case '}': + case '~': + break; // valid + + default: + + if (Character.isHighSurrogate(ch)) { + if (i + 1 < n) { + if (Character.isLowSurrogate(input.charAt(i + 1))) { + int cp = Character.toCodePoint(ch, input.charAt(i + 1)); + if (Unicode.isNonCharacter(cp)) { + return i; + } else { + ++i; + } + break; } - break; + } else { + return i; } - } else { + } + + if (ch <= Unicode.MAX_C1_CTRL_CHAR + || Character.MIN_SURROGATE <= ch && ch <= Character.MAX_SURROGATE + || ch > '\ufffd' + || ('\ufdd0' <= ch && ch <= '\ufdef') + || ch == Unicode.LINE_SEPARATOR || ch == Unicode.PARAGRAPH_SEPARATOR) + { return i; } - } - - if (ch <= Unicode.MAX_C1_CTRL_CHAR || - Character.MIN_SURROGATE <= ch && ch <= Character.MAX_SURROGATE || - ch > '\ufffd' || - ('\ufdd0' <= ch && ch <= '\ufdef') || - ch == Unicode.LINE_SEPARATOR || ch == 
Unicode.PARAGRAPH_SEPARATOR) - { - return i; - } } } return n; } /** - * Appends a source array verbatim to the output array. Caller must - * insure there is enough space in the array for the output. + * Appends a source array verbatim to the output array. Caller must insure + * there is enough space in the array for the output. * * @param src the characters to copy * @param out the output buffer @@ -173,8 +254,7 @@ static int append(char[] src, char[] out, int j) { /** * Appends the numerically encoded version of {@code codePoint} to the - * output buffer. Caller must insure there is enough space for the - * output. + * output buffer. Caller must insure there is enough space for the output. * * @param codePoint the character to encode * @param out the output buffer @@ -185,23 +265,22 @@ static int encode(int codePoint, char[] out, int j) { out[j++] = '&'; out[j++] = '#'; if (codePoint >= 1000) { - out[j++] = (char)(codePoint / 1000 % 10 + '0'); + out[j++] = (char) (codePoint / 1000 % 10 + '0'); } if (codePoint >= 100) { - out[j++] = (char)(codePoint / 100 % 10 + '0'); + out[j++] = (char) (codePoint / 100 % 10 + '0'); } if (codePoint >= 10) { - out[j++] = (char)(codePoint / 10 % 10 + '0'); + out[j++] = (char) (codePoint / 10 % 10 + '0'); } - out[j++] = (char)(codePoint % 10 + '0'); + out[j++] = (char) (codePoint % 10 + '0'); out[j++] = ';'; return j; } + //CSOFF: MethodLength @Override - CoderResult encodeArrays( - CharBuffer input, CharBuffer output, boolean endOfInput) - { + CoderResult encodeArrays(CharBuffer input, CharBuffer output, boolean endOfInput) { final char[] in = input.array(); final char[] out = output.array(); int i = input.arrayOffset() + input.position(); 
@@ -209,8 +288,8 @@ CoderResult encodeArrays( int j = output.arrayOffset() + output.position(); final int m = output.arrayOffset() + output.limit(); - charLoop: - for ( ; i m) { - return overflow(input, i, output, j); - } - j = append(TAB, out, j); - break; - - case '\r': case '\n': case '\f': case ' ': case '\"': case '\'': - case '/': case '=': case '`': - if (ENCODE_AFFIX_CHAR_COUNT+2+j > m) { - return overflow(input, i, output, j); - } - j = encode(ch, out, j); - break; - - case Unicode.NEL: - if (ENCODE_AFFIX_CHAR_COUNT+3+j > m) { - return overflow(input, i, output, j); - } - j = encode(ch, out, j); - break; - - case '&': - if (j + AMP.length > m) { - return overflow(input, i, output, j); - } - j = append(AMP, out, j); - break; - - case '<': - if (j + LT.length > m) { - return overflow(input, i, output, j); - } - j = append(LT, out, j); - break; - - case '>': - if (j + GT.length > m) { - return overflow(input, i, output, j); - } - j = append(GT, out, j); - break; - - case '!': case '#': case '$': case '%': - case '(': case ')': case '*': case '+': - case ',': case '-': case '.': - - case '0': case '1': case '2': case '3': case '4': - case '5': case '6': case '7': case '8': case '9': - case ':': case ';': case '?': case '@': - - case 'A': case 'B': case 'C': case 'D': case 'E': - case 'F': case 'G': case 'H': case 'I': case 'J': - case 'K': case 'L': case 'M': case 'N': case 'O': - case 'P': case 'Q': case 'R': case 'S': case 'T': - case 'U': case 'V': case 'W': case 'X': case 'Y': - case 'Z': - - case '[': case '\\': case ']': case '^': case '_': - - case 'a': case 'b': case 'c': case 'd': case 'e': - case 'f': case 'g': case 'h': case 'i': case 'j': - case 'k': case 'l': case 'm': case 'n': case 'o': - case 'p': case 'q': case 'r': case 's': case 't': - case 'u': case 'v': case 'w': case 'x': case 'y': - case 'z': case '{': case '|': case '}': case '~': - if (j >= m) { - return overflow(input, i, output, j); - } - out[j++] = ch; - break; - default: - - if 
(Character.isHighSurrogate(ch)) { - if (i+1 < n) { - if (Character.isLowSurrogate(in[i+1])) { - int cp = Character.toCodePoint(ch, in[i+1]); - if (Unicode.isNonCharacter(cp)) { - if (j >= m) { - return overflow(input, i, output, j); - } - out[j++] = '-'; - ++i; - } else { - if (j+1 >= m) { - return overflow(input, i, output, j); + case '\t': + if (j + TAB.length > m) { + return overflow(input, i, output, j); + } + j = append(TAB, out, j); + break; + + case '\r': + case '\n': + case '\f': + case ' ': + case '\"': + case '\'': + case '/': + case '=': + case '`': + if (ENCODE_AFFIX_CHAR_COUNT + 2 + j > m) { + return overflow(input, i, output, j); + } + j = encode(ch, out, j); + break; + + case Unicode.NEL: + if (ENCODE_AFFIX_CHAR_COUNT + 3 + j > m) { + return overflow(input, i, output, j); + } + j = encode(ch, out, j); + break; + + case '&': + if (j + AMP.length > m) { + return overflow(input, i, output, j); + } + j = append(AMP, out, j); + break; + + case '<': + if (j + LT.length > m) { + return overflow(input, i, output, j); + } + j = append(LT, out, j); + break; + + case '>': + if (j + GT.length > m) { + return overflow(input, i, output, j); + } + j = append(GT, out, j); + break; + + case '!': + case '#': + case '$': + case '%': + case '(': + case ')': + case '*': + case '+': + case ',': + case '-': + case '.': + + case '0': + case '1': + case '2': + case '3': + case '4': + case '5': + case '6': + case '7': + case '8': + case '9': + case ':': + case ';': + case '?': + case '@': + + case 'A': + case 'B': + case 'C': + case 'D': + case 'E': + case 'F': + case 'G': + case 'H': + case 'I': + case 'J': + case 'K': + case 'L': + case 'M': + case 'N': + case 'O': + case 'P': + case 'Q': + case 'R': + case 'S': + case 'T': + case 'U': + case 'V': + case 'W': + case 'X': + case 'Y': + case 'Z': + + case '[': + case '\\': + case ']': + case '^': + case '_': + + case 'a': + case 'b': + case 'c': + case 'd': + case 'e': + case 'f': + case 'g': + case 'h': + case 'i': + case 
'j': + case 'k': + case 'l': + case 'm': + case 'n': + case 'o': + case 'p': + case 'q': + case 'r': + case 's': + case 't': + case 'u': + case 'v': + case 'w': + case 'x': + case 'y': + case 'z': + case '{': + case '|': + case '}': + case '~': + if (j >= m) { + return overflow(input, i, output, j); + } + out[j++] = ch; + break; + default: + + if (Character.isHighSurrogate(ch)) { + if (i + 1 < n) { + if (Character.isLowSurrogate(in[i + 1])) { + int cp = Character.toCodePoint(ch, in[i + 1]); + if (Unicode.isNonCharacter(cp)) { + if (j >= m) { + return overflow(input, i, output, j); + } + out[j++] = '-'; + ++i; + } else { + if (j + 1 >= m) { + return overflow(input, i, output, j); + } + out[j++] = ch; + out[j++] = in[++i]; } - out[j++] = ch; - out[j++] = in[++i]; + break; } - break; + } else if (!endOfInput) { + break charLoop; } - } else if (!endOfInput) { - break charLoop; } - } - - if (j >= m) { - return overflow(input, i, output, j); - } - - if (ch <= Unicode.MAX_C1_CTRL_CHAR || - Character.MIN_SURROGATE <= ch && ch <= Character.MAX_SURROGATE || - ch > '\ufffd' || - ('\ufdd0' <= ch && ch <= '\ufdef')) - { - // invalid - out[j++] = '-'; - } else if (ch == Unicode.LINE_SEPARATOR || ch == Unicode.PARAGRAPH_SEPARATOR) { - if (ENCODE_AFFIX_CHAR_COUNT+4+j > m) { + + if (j >= m) { return overflow(input, i, output, j); } - j = encode(ch, out, j); - } else { - out[j++] = ch; - } + + if (ch <= Unicode.MAX_C1_CTRL_CHAR + || Character.MIN_SURROGATE <= ch && ch <= Character.MAX_SURROGATE + || ch > '\ufffd' + || ('\ufdd0' <= ch && ch <= '\ufdef')) + { + // invalid + out[j++] = '-'; + } else if (ch == Unicode.LINE_SEPARATOR || ch == Unicode.PARAGRAPH_SEPARATOR) { + if (ENCODE_AFFIX_CHAR_COUNT + 4 + j > m) { + return overflow(input, i, output, j); + } + j = encode(ch, out, j); + } else { + out[j++] = ch; + } } } return underflow(input, i, output, j); } + //CSON: MethodLength } 
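Review bot: the `//CSOFF: MethodLength` / `//CSON: MethodLength` markers wrapped around `encodeArrays` switch off the Checkstyle rule for the whole method without recording why; since the one big `switch` is deliberate for performance (the comment at the top of the class points at BenchmarkTest), put that reason into the suppression itself, e.g. `//CSOFF: MethodLength -- single switch is intentional, see BenchmarkTest`, so a later reader does not "fix" it by splitting the method and losing the benchmarked behaviour. While the `append` and `encode` Javadocs are being rewrapped, `Caller must insure` should read `Caller must ensure` in both.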
diff --git a/core/src/main/java/org/owasp/encoder/JavaEncoder.java b/core/src/main/java/org/owasp/encoder/JavaEncoder.java index 7f4231b..277a721 100644 --- a/core/src/main/java/org/owasp/encoder/JavaEncoder.java +++ b/core/src/main/java/org/owasp/encoder/JavaEncoder.java 
@@ -31,32 +31,39 @@ // STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) // ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED // OF THE POSSIBILITY OF SUCH DAMAGE. - package org.owasp.encoder; import java.nio.CharBuffer; import java.nio.charset.CoderResult; /** - * JavaEncoder -- Encoder for Java based strings. Useful if in Java code - * generators to generate efficiently encoded strings for arbitrary data. - * This encoder uses the minimal sequence of characters required to encode - * a character (e.g. standard backslash escapes, such as "\n", "\\" , "\'", - * octal escapes, and unicode escapes). This encoder does NOT check UTF-16 - * surrogate pair sequences. The target output context supports mismatched - * UTF-16 pairs (e.g. it will compile, run, etc... with them). + * JavaEncoder -- Encoder for Java based strings. Useful if in Java code + * generators to generate efficiently encoded strings for arbitrary data. This + * encoder uses the minimal sequence of characters required to encode a + * character (e.g. standard backslash escapes, such as "\n", "\\" , "\'", octal + * escapes, and unicode escapes). This encoder does NOT check UTF-16 surrogate + * pair sequences. The target output context supports mismatched UTF-16 pairs + * (e.g. it will compile, run, etc... with them). * * @author Jeff Ichnowski */ class JavaEncoder extends Encoder { - /** The length of a Unicode escape, e.g. "\\u1234". */ + /** + * The length of a Unicode escape, e.g. "\\u1234". + */ static final int U_ESCAPE_LENGTH = 6; - /** The length of a octal escape sequence, e.g. "\377". */ + /** + * The length of a octal escape sequence, e.g. "\377". + */ static final int OCT_ESCAPE_LENGTH = 4; - /** Number of bits to shift for each octal unit. */ + /** + * Number of bits to shift for each octal unit. + */ static final int OCT_SHIFT = 3; - /** The bit-mask for an octal unit. */ + /** + * The bit-mask for an octal unit. + */ static final int OCT_MASK = 7; @Override 
@@ -67,8 +74,8 @@ protected int maxEncodedLength(int n) { @Override protected int firstEncodedOffset(String input, int off, int len) { - final int n = off+len; - for (int i=off ; i= ' ' && ch <= '~') { if (ch == '\\' || ch == '\'' || ch == '\"') { @@ -82,9 +89,7 @@ protected int firstEncodedOffset(String input, int off, int len) { } @Override - protected CoderResult encodeArrays( - CharBuffer input, CharBuffer output, boolean endOfInput) - { + protected CoderResult encodeArrays(CharBuffer input, CharBuffer output, boolean endOfInput) { final char[] in = input.array(); final char[] out = output.array(); int i = input.arrayOffset() + input.position(); @@ -92,12 +97,12 @@ protected CoderResult encodeArrays( int j = output.arrayOffset() + output.position(); final int m = output.arrayOffset() + output.limit(); - charLoop: - for ( ; i= ' ' && ch <= '~') { if (ch == '\\' || ch == '\'' || ch == '\"') { - if (j+1 >= m) { + if (j + 1 >= m) { return overflow(input, i, output, j); } out[j++] = '\\'; 
@@ -110,97 +115,97 @@ protected CoderResult encodeArrays( } } else { switch (ch) { - case '\b': - if (j+1 >= m) { - return overflow(input, i, output, j); - } - out[j++] = '\\'; - out[j++] = 'b'; - break; - case '\t': - if (j+1 >= m) { - return overflow(input, i, output, j); - } - out[j++] = '\\'; - out[j++] = 't'; - break; - case '\n': - if (j+1 >= m) { - return overflow(input, i, output, j); - } - out[j++] = '\\'; - out[j++] = 'n'; - break; - case '\f': - if (j+1 >= m) { - return overflow(input, i, output, j); - } - out[j++] = '\\'; - out[j++] = 'f'; - break; - case '\r': - if (j+1 >= m) { - return overflow(input, i, output, j); - } - out[j++] = '\\'; - out[j++] = 'r'; - break; - default: - if (ch <= '\377') { - longEscapeNeeded: - { - if (ch <= '\37') { - // "short" octal escapes: '\0' to '\37' - // cannot be followed by '0' to '7' thus - // require a lookahead to use. - if (i+1 < n) { - char la = in[i + 1]; - if ('0' <= la && la <= '7') { - break longEscapeNeeded; - } - } else if (!endOfInput) { - // need more characters to see if we can use - // a short octal escape. 
- break charLoop; - } - - if (ch <= '\7') { - if (j+1 >= m) { - return overflow(input, i, output, j); - } - out[j++] = '\\'; - out[j++] = (char)(ch + '0'); - } else { - if (j+2 >= m) { - return overflow(input, i, output, j); - } - out[j++] = '\\'; - out[j++] = (char)((ch >>> OCT_SHIFT) + '0'); - out[j++] = (char)((ch & OCT_MASK) + '0'); - } - - continue; - } + case '\b': + if (j + 1 >= m) { + return overflow(input, i, output, j); } - - if (j + OCT_ESCAPE_LENGTH > m) { + out[j++] = '\\'; + out[j++] = 'b'; + break; + case '\t': + if (j + 1 >= m) { return overflow(input, i, output, j); } out[j++] = '\\'; - out[j++] = (char)((ch >>> 2*OCT_SHIFT) + '0'); - out[j++] = (char)(((ch >>> OCT_SHIFT) & OCT_MASK) + '0'); - out[j++] = (char)((ch & OCT_MASK) + '0'); - } else { - if (j+U_ESCAPE_LENGTH > m) { + out[j++] = 't'; + break; + case '\n': + if (j + 1 >= m) { return overflow(input, i, output, j); } out[j++] = '\\'; - out[j++] = 'u'; - out[j++] = HEX[ch >>> 3*HEX_SHIFT]; - out[j++] = HEX[(ch >>> 2*HEX_SHIFT) & HEX_MASK]; - out[j++] = HEX[(ch >>> HEX_SHIFT) & HEX_MASK]; - out[j++] = HEX[ch & HEX_MASK]; - } + out[j++] = 'n'; + break; + case '\f': + if (j + 1 >= m) { + return overflow(input, i, output, j); + } + out[j++] = '\\'; + out[j++] = 'f'; + break; + case '\r': + if (j + 1 >= m) { + return overflow(input, i, output, j); + } + out[j++] = '\\'; + out[j++] = 'r'; + break; + default: + if (ch <= '\377') { + longEscapeNeeded: + { + if (ch <= '\37') { + // "short" octal escapes: '\0' to '\37' + // cannot be followed by '0' to '7' thus + // require a lookahead to use. + if (i + 1 < n) { + char la = in[i + 1]; + if ('0' <= la && la <= '7') { + break longEscapeNeeded; + } + } else if (!endOfInput) { + // need more characters to see if we can use + // a short octal escape. 
+ break charLoop; + } + + if (ch <= '\7') { + if (j + 1 >= m) { + return overflow(input, i, output, j); + } + out[j++] = '\\'; + out[j++] = (char) (ch + '0'); + } else { + if (j + 2 >= m) { + return overflow(input, i, output, j); + } + out[j++] = '\\'; + out[j++] = (char) ((ch >>> OCT_SHIFT) + '0'); + out[j++] = (char) ((ch & OCT_MASK) + '0'); + } + + continue; + } + } + + if (j + OCT_ESCAPE_LENGTH > m) { + return overflow(input, i, output, j); + } + out[j++] = '\\'; + out[j++] = (char) ((ch >>> 2 * OCT_SHIFT) + '0'); + out[j++] = (char) (((ch >>> OCT_SHIFT) & OCT_MASK) + '0'); + out[j++] = (char) ((ch & OCT_MASK) + '0'); + } else { + if (j + U_ESCAPE_LENGTH > m) { + return overflow(input, i, output, j); + } + out[j++] = '\\'; + out[j++] = 'u'; + out[j++] = HEX[ch >>> 3 * HEX_SHIFT]; + out[j++] = HEX[(ch >>> 2 * HEX_SHIFT) & HEX_MASK]; + out[j++] = HEX[(ch >>> HEX_SHIFT) & HEX_MASK]; + out[j++] = HEX[ch & HEX_MASK]; + } } } } diff --git a/core/src/main/java/org/owasp/encoder/JavaScriptEncoder.java b/core/src/main/java/org/owasp/encoder/JavaScriptEncoder.java index b7c0501..5ff0335 100644 --- a/core/src/main/java/org/owasp/encoder/JavaScriptEncoder.java +++ b/core/src/main/java/org/owasp/encoder/JavaScriptEncoder.java @@ -31,7 +31,6 @@ // STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) // ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED // OF THE POSSIBILITY OF SUCH DAMAGE. - package org.owasp.encoder; import java.nio.CharBuffer; 
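Review bot: the class Javadoc and the four constant Javadocs in `JavaEncoder` are rewrapped but keep their wording errors; since those lines are already in the diff, `Useful if in Java code generators` should read `Useful in Java code generators` and `The length of a octal escape sequence` should read `an octal escape sequence`. The body changes in these hunks (spacing around operators, one-line `encodeArrays` signature, re-indented `switch`) are pure formatting and leave the octal look-ahead and `break charLoop` logic unchanged, which is what the review should confirm.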
@@ -47,38 +46,35 @@ class JavaScriptEncoder extends Encoder { /** * Mode of operation constants for the JavaScriptEncoder. */ - static enum Mode { + enum Mode { /** - * Standard encoding of JavaScript Strings. Escape sequences are chosen - * according to what is the shortest sequence possible for the character. + * Standard encoding of JavaScript Strings. Escape sequences are chosen + * according to what is the shortest sequence possible for the + * character. */ SOURCE, - /** - * Encoding for use in HTML attributes. Quote characters are escaped - * using hex encodes instead of backslashes. The alternate would be - * to use a sequence of encodes that would actually be longer. In this - * mode double-quote is "\x22" and single-quote is "\x27". (In HTML + * Encoding for use in HTML attributes. Quote characters are escaped + * using hex encodes instead of backslashes. The alternate would be to + * use a sequence of encodes that would actually be longer. In this mode + * double-quote is "\x22" and single-quote is "\x27". (In HTML * attributes the alternate would be encoding "\"" and "\'" with entity * escapes to "\&#34;" and "\&39;"). */ ATTRIBUTE, - /** - * Encoding for use in HTML script blocks. The main concern here is + * Encoding for use in HTML script blocks. The main concern here is * permaturely terminating a script block with a closing "</" inside - * the string. This encoding escapes "/" as "\/" to prevent such + * the string. This encoding escapes "/" as "\/" to prevent such * termination. */ BLOCK, - /** * Encodes for use in either HTML script attributes or blocks. * Essentially this is both special escapes from HTML_ATTRIBUTE and * HTML_CONTENT combined. */ - HTML, - ; + HTML,; } /** 
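Review bot: `HTML,;` at the end of the `Mode` enum compiles but reads like a typo; either drop the trailing comma (`HTML;`) or keep the original `HTML,` with the `;` on its own line, which also keeps future additions to the enum a one-line diff. The same Javadoc block being reflowed still contains `permaturely` and `"\&39;"` (should be `prematurely` and `"\&#39;"`, matching the `"\&#34;"` beside it), so fix them in this pass rather than leaving the reformat to touch these lines twice.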
@@ -86,21 +82,20 @@ static enum Mode { */ private final Mode _mode; /** - * True if quotation characters should be hex encoded. Hex encoding - * quotes allows JavaScript to be included in XML attributes without - * additional XML-based encoding. + * True if quotation characters should be hex encoded. Hex encoding quotes + * allows JavaScript to be included in XML attributes without additional + * XML-based encoding. */ private final boolean _hexEncodeQuotes; /** * An array of 4 32-bit integers used as bitmasks to check if a character - * needs encoding or not. If the bit is set, the character is valid and - * does not need encoding. + * needs encoding or not. If the bit is set, the character is valid and does + * not need encoding. */ private final int[] _validMasks; /** - * True if the output should only include ASCII characters. Valid - * non-ASCII characters that would normally not be encoded, will be - * encoded. + * True if the output should only include ASCII characters. Valid non-ASCII + * characters that would normally not be encoded, will be encoded. */ private final boolean _asciiOnly; @@ -108,9 +103,8 @@ static enum Mode { * Constructs a new JavaScriptEncoder for the specified contextual mode. * * @param mode the mode of operation - * @param asciiOnly true if only ASCII characters should be included - * in the output (all code-points outside the ASCII range will be - * encoded). + * @param asciiOnly true if only ASCII characters should be included in the + * output (all code-points outside the ASCII range will be encoded). */ JavaScriptEncoder(Mode mode, boolean asciiOnly) { // TODO: after some testing it appears that an array of int masks 
@@ -125,12 +119,11 @@ static enum Mode { // the Java spec (x << y) where x and y are integers, is evaluated // as (x << (y & 31)). Or put another way, only the lower 5 bits // of the shift amount are considered. - _validMasks = new int[] { + _validMasks = new int[]{ 0, -1 & ~((1 << '\'') | (1 << '\"')), -1 & ~((1 << '\\')), - asciiOnly ? ~(1 << Unicode.DEL) : -1, - }; + asciiOnly ? ~(1 << Unicode.DEL) : -1,}; if (mode == Mode.BLOCK || mode == Mode.HTML) { // in ", "fancy ")); + return items; + } + + @Override + public Item addItem(Item item) { + throw new UnsupportedOperationException("Not supported yet."); // Generated from nbfs://nbhost/SystemFileSystem/Templates/Classes/Code/GeneratedMethodBody + } + +} diff --git a/jakarta-test/src/main/resources/application.properties b/jakarta-test/src/main/resources/application.properties new file mode 100644 index 0000000..899d450 --- /dev/null +++ b/jakarta-test/src/main/resources/application.properties @@ -0,0 +1,4 @@ +spring.application.name=jakarta-test +server.servlet.context-path=/jakarta-test +spring.mvc.view.prefix=/WEB-INF/jsp/ +spring.mvc.view.suffix=.jsp diff --git a/jakarta-test/src/main/resources/static/css/common.css b/jakarta-test/src/main/resources/static/css/common.css new file mode 100644 index 0000000..a32d81c --- /dev/null +++ b/jakarta-test/src/main/resources/static/css/common.css @@ -0,0 +1,10 @@ +table { + font-family: arial, sans-serif; + border-collapse: collapse; +} + +td, th { + border: 1px solid #dddddd; + text-align: left; + padding: 8px; +} \ No newline at end of file diff --git a/jakarta-test/src/main/resources/static/error/4xx.html b/jakarta-test/src/main/resources/static/error/4xx.html new file mode 100644 index 0000000..c798239 --- /dev/null +++ b/jakarta-test/src/main/resources/static/error/4xx.html @@ -0,0 +1,10 @@ + + + + + Codestin Search App + + +Apparently you don't know what you are looking for?
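Review bot: `asciiOnly ? ~(1 << Unicode.DEL) : -1,};` squeezes the array initializer's closing brace onto the last element of `_validMasks`; keep `};` on its own line as before so each of the four masks stays on one line and stays readable. In the `jakarta-test` `ItemService`, the `// Generated from nbfs://nbhost/SystemFileSystem/Templates/Classes/Code/GeneratedMethodBody` comment on `addItem` is a NetBeans template leftover and should be removed; if `addItem` is intentionally unimplemented in this fixture, a one-line Javadoc saying so is more useful than the generated `Not supported yet.` message.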

4xx Error Occurred + + diff --git a/jakarta-test/src/main/webapp/WEB-INF/jsp/index.jsp b/jakarta-test/src/main/webapp/WEB-INF/jsp/index.jsp new file mode 100644 index 0000000..7abf69b --- /dev/null +++ b/jakarta-test/src/main/webapp/WEB-INF/jsp/index.jsp @@ -0,0 +1,12 @@ +<%@page contentType="text/html" pageEncoding="UTF-8"%> + + + + + Codestin Search App + + +

Hello World!

+ You are likely looking for the test page located here. + + diff --git a/jakarta-test/src/main/webapp/WEB-INF/jsp/view-items.jsp b/jakarta-test/src/main/webapp/WEB-INF/jsp/view-items.jsp new file mode 100644 index 0000000..69e2488 --- /dev/null +++ b/jakarta-test/src/main/webapp/WEB-INF/jsp/view-items.jsp @@ -0,0 +1,29 @@ +<%@page contentType="text/html;charset=UTF-8" language="java"%> +<%@taglib prefix="c" uri="jakarta.tags.core"%> +<%@taglib prefix="e" uri="owasp.encoder.jakarta"%> + + + Codestin Search App + " rel="stylesheet" type="text/css"> + + +
Encoding Description
Input CharacterEncoded ResultNotes
Input CharacterEncoded ResultNotes
U+0008BS\bBackspace character
U+0008BS\bBackspace character
U+0009HT\tHorizontal tab character
U+0009HT\tHorizontal tab character
U+000ALF\nLine feed character
U+000ALF\nLine feed character
U+000CFF\fForm feed character
U+000CFF\fForm feed character
U+000DCR\rCarriage return character
U+000DCR\rCarriage return character
U+0022"\x22The encoding \" is not used here because + *
U+0022"\x22The encoding \" is not used here because * it is not safe for use in HTML attributes. (In HTML * attributes, it would also be correct to use * "\&quot;".)
U+0026&\x26Ampersand character
U+0026&\x26Ampersand character
U+0027'\x27The encoding \' is not used here because + *
U+0027'\x27The encoding \' is not used here because * it is not safe for use in HTML attributes. (In HTML * attributes, it would also be correct to use * "\&#39;".)
U+002F/\/This encoding is used to avoid an input sequence - * "</" from prematurely terminating a </script> + *
U+002F/\/This encoding is used to avoid an input sequence + * "</" from prematurely terminating a </script> * block.
U+005C\\\
U+005C\\\
U+0000 to U+001F\x##Hexadecimal encoding is used for characters in this + *
U+0000 to U+001F\x##Hexadecimal encoding is used for characters in this * range that were not already mentioned in above.
+ + + + + + + + + + + + + + + + +
IDNameDescription
${item.id}${e:forHtml(item.description)}
+ + \ No newline at end of file diff --git a/jakarta-test/src/test/java/org/owasp/encoder/testing/jakarta_test/ItemControllerTest.java b/jakarta-test/src/test/java/org/owasp/encoder/testing/jakarta_test/ItemControllerTest.java new file mode 100644 index 0000000..c08cbb4 --- /dev/null +++ b/jakarta-test/src/test/java/org/owasp/encoder/testing/jakarta_test/ItemControllerTest.java 
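Review bot: in the item row of `view-items.jsp`, `${item.id}` is written with plain EL while only `item.description` goes through `e:forHtml`; JSP EL does not escape output, so the id should be emitted as `${e:forHtml(item.id)}` as well, even though the fixture ids are harmless today. The page exists to exercise the encoder tag library, so it should not carry an unencoded sink that a copy-paste reader would pick up as the pattern. The missing newline at end of file flagged by git is a minor nit; add one.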
@@ -0,0 +1,65 @@ +package org.owasp.encoder.testing.jakarta_test; + +import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.junit.jupiter.api.Assertions.assertNotNull; +import org.junit.jupiter.api.BeforeAll; +import org.junit.jupiter.api.Test; +import org.openqa.selenium.By; +import org.openqa.selenium.NoSuchElementException; +import org.openqa.selenium.WebElement; +import org.openqa.selenium.chrome.ChromeOptions; +import org.openqa.selenium.remote.RemoteWebDriver; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.test.context.SpringBootTest; +import org.springframework.boot.test.web.server.LocalServerPort; +import org.springframework.core.env.Environment; +import org.testcontainers.Testcontainers; +import org.testcontainers.containers.BrowserWebDriverContainer; +import org.testcontainers.junit.jupiter.Container; + +/** + * + * @author jeremy + */ +@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT) +public class ItemControllerTest { + + @Container + static BrowserWebDriverContainer container = new BrowserWebDriverContainer<>(). 
+ withCapabilities(new ChromeOptions()); + + @LocalServerPort + private int port; + + @BeforeAll + static void beforeAll(@Autowired Environment environment) { + Testcontainers.exposeHostPorts(environment.getProperty("local.server.port", Integer.class)); + container.start(); + } + + @Test + void shouldDisplayMessage() { + RemoteWebDriver browser = new RemoteWebDriver(container.getSeleniumAddress(), new ChromeOptions()); + browser.get("http://host.testcontainers.internal:" + port + "/jakarta-test/item/viewItems"); + WebElement first = browser.findElement(By.id("b2")); + WebElement second = browser.findElement(By.id("c2")); + assertEquals("top", first.getText()); + assertEquals("fancy ", second.getText()); + //todo yes - there are much better ways to check for an exception in junit + NoSuchElementException exception = null; + try { + first.findElement(By.tagName("script")); + } catch (NoSuchElementException ex) { + exception = ex; + } + assertNotNull(exception); + + exception = null; + try { + second.findElement(By.tagName("script")); + } catch (NoSuchElementException ex) { + exception = ex; + } + assertNotNull(exception); + } +} diff --git a/jakarta-test/src/test/java/org/owasp/encoder/testing/jakarta_test/JakartaTestApplicationTests.java b/jakarta-test/src/test/java/org/owasp/encoder/testing/jakarta_test/JakartaTestApplicationTests.java new file mode 100644 index 0000000..55a46fd --- /dev/null +++ b/jakarta-test/src/test/java/org/owasp/encoder/testing/jakarta_test/JakartaTestApplicationTests.java @@ -0,0 +1,15 @@ +package org.owasp.encoder.testing.jakarta_test; + +import org.junit.jupiter.api.Test; +import org.springframework.boot.test.context.SpringBootTest; +import org.springframework.context.annotation.Import; + +@Import(TestcontainersConfiguration.class) +@SpringBootTest +class JakartaTestApplicationTests { + + @Test + void contextLoads() { + } + +} 
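Review bot: `@Container` on the static `container` field in `ItemControllerTest` has no effect because the class is not annotated `@Testcontainers`, so the lifecycle is only half managed: `beforeAll` starts the container explicitly (correctly, after `Testcontainers.exposeHostPorts`, which must run before start) but nothing ever stops it, and the `RemoteWebDriver` created in `shouldDisplayMessage` is never `quit()`, leaking a browser session per run. Drop the misleading `@Container`, add an `@AfterAll` that calls `container.stop()`, and close the driver in a `try`/`finally` with `browser.quit()`. The `//todo` exception dance can become `assertThrows(NoSuchElementException.class, () -> first.findElement(By.tagName("script")));` for each cell, which also states the security property under test (no `script` element survives encoding) in one line.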
diff --git a/jakarta-test/src/test/java/org/owasp/encoder/testing/jakarta_test/TestJakartaTestApplication.java b/jakarta-test/src/test/java/org/owasp/encoder/testing/jakarta_test/TestJakartaTestApplication.java new file mode 100644 index 0000000..d2f0dd1 --- /dev/null +++ b/jakarta-test/src/test/java/org/owasp/encoder/testing/jakarta_test/TestJakartaTestApplication.java @@ -0,0 +1,11 @@ +package org.owasp.encoder.testing.jakarta_test; + +import org.springframework.boot.SpringApplication; + +public class TestJakartaTestApplication { + + public static void main(String[] args) { + SpringApplication.from(JakartaTestApplication::main).with(TestcontainersConfiguration.class).run(args); + } + +} diff --git a/jakarta-test/src/test/java/org/owasp/encoder/testing/jakarta_test/TestcontainersConfiguration.java b/jakarta-test/src/test/java/org/owasp/encoder/testing/jakarta_test/TestcontainersConfiguration.java new file mode 100644 index 0000000..d838525 --- /dev/null +++ b/jakarta-test/src/test/java/org/owasp/encoder/testing/jakarta_test/TestcontainersConfiguration.java @@ -0,0 +1,8 @@ +package org.owasp.encoder.testing.jakarta_test; + +import org.springframework.boot.test.context.TestConfiguration; + +@TestConfiguration(proxyBeanMethods = false) +class TestcontainersConfiguration { + +} diff --git a/jakarta/pom.xml b/jakarta/pom.xml new file mode 100644 index 0000000..4270a04 --- /dev/null +++ b/jakarta/pom.xml 
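Review bot: `TestcontainersConfiguration` is an empty `@TestConfiguration`, yet it is imported by `JakartaTestApplicationTests` and wired in via `.with(TestcontainersConfiguration.class)` in `TestJakartaTestApplication`; either move the `BrowserWebDriverContainer` out of `ItemControllerTest` into this class as a bean so every test shares one container definition, or delete the class together with its two references. An empty configuration that is imported in two places invites the next reader to assume it does something.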
@@ -0,0 +1,93 @@ + + + + + 4.0.0 + + + org.owasp.encoder + encoder-parent + 1.3.1 + + + encoder-jakarta-jsp + jar + + Jakarta JSP Encoder + + The OWASP Encoder Jakarta JSP package contains JSP tag definitions and TLDs to allow + easy use of the OWASP Encoder Project's core API. The TLDs contain both tag + definitions and JSP EL functions. + + + + org.owasp.encoder.jakarta + + + + + org.owasp.encoder + encoder + ${project.parent.version} + + + jakarta.servlet.jsp + jakarta.servlet.jsp-api + 3.0.0 + provided + + + jakarta.servlet + jakarta.servlet-api + 6.0.0 + test + + + org.springframework + spring-test + 6.0.22 + test + + + org.springframework + spring-core + 5.3.19 + test + + + diff --git a/jakarta/src/main/java/org/owasp/encoder/tag/EncodingTag.java b/jakarta/src/main/java/org/owasp/encoder/tag/EncodingTag.java new file mode 100644 index 0000000..3696cbd --- /dev/null +++ b/jakarta/src/main/java/org/owasp/encoder/tag/EncodingTag.java 
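Review bot: the test dependencies in `jakarta/pom.xml` mix Spring generations: `spring-test` 6.0.22 next to `spring-core` 5.3.19. Spring 6 is the Jakarta-namespace line and `spring-test` 6.x is built against `spring-core` 6.x, so the explicit 5.3.19 declaration wins under Maven's nearest-wins resolution and the tests run with a core jar the test jar was not compiled against; declare both at 6.0.22, or drop the `spring-core` entry and let `spring-test` bring the matching version. Similarly, `jakarta.servlet.jsp-api` 3.0.0 belongs to the Servlet 5.0 generation (Jakarta EE 9) while `jakarta.servlet-api` 6.0.0 is the EE 10 generation; pick one EE level for both (JSP 3.1.x with Servlet 6.0.0, or JSP 3.0.0 with Servlet 5.0.0) so the `provided` and `test` APIs agree with whatever container the TLD is actually deployed into.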
@@ -0,0 +1,57 @@ +// Copyright (c) 2012 Jeff Ichnowski +// All rights reserved. +// +// Redistribution and use in source and binary forms, with or without +// modification, are permitted provided that the following conditions +// are met: +// +// * Redistributions of source code must retain the above +// copyright notice, this list of conditions and the following +// disclaimer. +// +// * Redistributions in binary form must reproduce the above +// copyright notice, this list of conditions and the following +// disclaimer in the documentation and/or other materials +// provided with the distribution. +// +// * Neither the name of the OWASP nor the names of its +// contributors may be used to endorse or promote products +// derived from this software without specific prior written +// permission. +// +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS +// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, +// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +// OF THE POSSIBILITY OF SUCH DAMAGE. + +package org.owasp.encoder.tag; + +import jakarta.servlet.jsp.tagext.SimpleTagSupport; + +/** + * The base class for the encoding tags within this package. + * + * @author Jeremy Long (jeremy.long@gmail.com) + */ +public abstract class EncodingTag extends SimpleTagSupport { + /** + * The value to be written out by the tag. 
+ */ + protected String _value; + /** + * Sets the value to be written out by the tag. + * @param value the value to be written out by the tag. + */ + public void setValue(String value) { + this._value = value; + } + +} diff --git a/jakarta/src/main/java/org/owasp/encoder/tag/ForCDATATag.java b/jakarta/src/main/java/org/owasp/encoder/tag/ForCDATATag.java new file mode 100644 index 0000000..85d7e4a --- /dev/null +++ b/jakarta/src/main/java/org/owasp/encoder/tag/ForCDATATag.java 
@@ -0,0 +1,52 @@ +// Copyright (c) 2012 Jeff Ichnowski +// All rights reserved. +// +// Redistribution and use in source and binary forms, with or without +// modification, are permitted provided that the following conditions +// are met: +// +// * Redistributions of source code must retain the above +// copyright notice, this list of conditions and the following +// disclaimer. +// +// * Redistributions in binary form must reproduce the above +// copyright notice, this list of conditions and the following +// disclaimer in the documentation and/or other materials +// provided with the distribution. +// +// * Neither the name of the OWASP nor the names of its +// contributors may be used to endorse or promote products +// derived from this software without specific prior written +// permission. +// +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS +// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, +// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +// OF THE POSSIBILITY OF SUCH DAMAGE. + +package org.owasp.encoder.tag; + +import java.io.IOException; +import jakarta.servlet.jsp.JspException; +import org.owasp.encoder.Encode; + +/** + * A tag to perform encoding sufficient to place into a CDATA block. + * This wraps the {@link org.owasp.encoder.Encode#forCDATA(java.lang.String)}. 
+ * + * @author Jeremy Long (jeremy.long@gmail.com) + */ +public class ForCDATATag extends EncodingTag { + @Override + public void doTag() throws JspException, IOException { + Encode.forCDATA(getJspContext().getOut(), _value); + } +} diff --git a/jakarta/src/main/java/org/owasp/encoder/tag/ForCssStringTag.java b/jakarta/src/main/java/org/owasp/encoder/tag/ForCssStringTag.java new file mode 100644 index 0000000..5abcc9b --- /dev/null +++ b/jakarta/src/main/java/org/owasp/encoder/tag/ForCssStringTag.java 
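Review bot: `doTag()` passes `_value` straight to `Encode.forCDATA(Writer, String)` with no null handling, so a tag used without a `value` attribute (or with an EL expression that evaluates to null) depends entirely on how the encoder treats a null input; confirm that behaviour and state it in the tag's Javadoc. Since every `For*Tag` in this change has the same one-line body, consider moving the write into `EncodingTag` (for example an abstract hook that receives the `Writer` and the value), so null handling and any future change live in one place. Also, `{@link org.owasp.encoder.Encode#forCDATA(java.lang.String)}` points at the String-returning overload while the code calls the `Writer` overload; linking the overload actually used (or dropping the parameter list) keeps the doc accurate.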
@@ -0,0 +1,52 @@ +// Copyright (c) 2012 Jeff Ichnowski +// All rights reserved. +// +// Redistribution and use in source and binary forms, with or without +// modification, are permitted provided that the following conditions +// are met: +// +// * Redistributions of source code must retain the above +// copyright notice, this list of conditions and the following +// disclaimer. +// +// * Redistributions in binary form must reproduce the above +// copyright notice, this list of conditions and the following +// disclaimer in the documentation and/or other materials +// provided with the distribution. +// +// * Neither the name of the OWASP nor the names of its +// contributors may be used to endorse or promote products +// derived from this software without specific prior written +// permission. +// +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS +// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, +// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +// OF THE POSSIBILITY OF SUCH DAMAGE. + +package org.owasp.encoder.tag; + +import java.io.IOException; +import jakarta.servlet.jsp.JspException; +import org.owasp.encoder.Encode; + +/** + * A tag to perform CSS encoding for CSS strings. + * This wraps the {@link org.owasp.encoder.Encode#forCssString(java.lang.String)}. 
+ * + * @author Jeremy Long (jeremy.long@gmail.com) + */ +public class ForCssStringTag extends EncodingTag { + @Override + public void doTag() throws JspException, IOException { + Encode.forCssString(getJspContext().getOut(), _value); + } +} diff --git a/jakarta/src/main/java/org/owasp/encoder/tag/ForCssUrlTag.java b/jakarta/src/main/java/org/owasp/encoder/tag/ForCssUrlTag.java new file mode 100644 index 0000000..d4bdbbf --- /dev/null +++ b/jakarta/src/main/java/org/owasp/encoder/tag/ForCssUrlTag.java 
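Review bot: apart from the `import jakarta.servlet.jsp.JspException;` line, this file looks identical to the existing javax JSP tag of the same name, and the 2012 copyright header and `@author` tag are carried over verbatim. If the jakarta module is meant to be a mirror of the jsp module, say so in the commit message and consider producing the jakarta sources from the jsp sources at build time rather than maintaining a second hand-copied tree, since any fix to one set of tags will otherwise have to be applied twice.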
@@ -0,0 +1,52 @@ +// Copyright (c) 2012 Jeff Ichnowski +// All rights reserved. +// +// Redistribution and use in source and binary forms, with or without +// modification, are permitted provided that the following conditions +// are met: +// +// * Redistributions of source code must retain the above +// copyright notice, this list of conditions and the following +// disclaimer. +// +// * Redistributions in binary form must reproduce the above +// copyright notice, this list of conditions and the following +// disclaimer in the documentation and/or other materials +// provided with the distribution. +// +// * Neither the name of the OWASP nor the names of its +// contributors may be used to endorse or promote products +// derived from this software without specific prior written +// permission. +// +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS +// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, +// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +// OF THE POSSIBILITY OF SUCH DAMAGE. + +package org.owasp.encoder.tag; + +import java.io.IOException; +import jakarta.servlet.jsp.JspException; +import org.owasp.encoder.Encode; + +/** + * A tag to perform CSS encoding for CSS URL contexts. + * This wraps the {@link org.owasp.encoder.Encode#forCssUrl(java.lang.String)}. 
+ * + * @author Jeremy Long (jeremy.long@gmail.com) + */ +public class ForCssUrlTag extends EncodingTag { + @Override + public void doTag() throws JspException, IOException { + Encode.forCssUrl(getJspContext().getOut(), _value); + } +} diff --git a/jakarta/src/main/java/org/owasp/encoder/tag/ForHtmlAttributeTag.java b/jakarta/src/main/java/org/owasp/encoder/tag/ForHtmlAttributeTag.java new file mode 100644 index 0000000..686920a --- /dev/null +++ b/jakarta/src/main/java/org/owasp/encoder/tag/ForHtmlAttributeTag.java 
@@ -0,0 +1,52 @@ +// Copyright (c) 2012 Jeff Ichnowski +// All rights reserved. +// +// Redistribution and use in source and binary forms, with or without +// modification, are permitted provided that the following conditions +// are met: +// +// * Redistributions of source code must retain the above +// copyright notice, this list of conditions and the following +// disclaimer. +// +// * Redistributions in binary form must reproduce the above +// copyright notice, this list of conditions and the following +// disclaimer in the documentation and/or other materials +// provided with the distribution. +// +// * Neither the name of the OWASP nor the names of its +// contributors may be used to endorse or promote products +// derived from this software without specific prior written +// permission. +// +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS +// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, +// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +// OF THE POSSIBILITY OF SUCH DAMAGE. + +package org.owasp.encoder.tag; + +import java.io.IOException; +import jakarta.servlet.jsp.JspException; +import org.owasp.encoder.Encode; + +/** + * A tag to perform HTML encoding for HTML text attributes. + * This wraps the {@link org.owasp.encoder.Encode#forHtmlAttribute(java.lang.String)}. 
+ * + * @author Jeremy Long (jeremy.long@gmail.com) + */ +public class ForHtmlAttributeTag extends EncodingTag { + @Override + public void doTag() throws JspException, IOException { + Encode.forHtmlAttribute(getJspContext().getOut(), _value); + } +} diff --git a/jakarta/src/main/java/org/owasp/encoder/tag/ForHtmlContentTag.java b/jakarta/src/main/java/org/owasp/encoder/tag/ForHtmlContentTag.java new file mode 100644 index 0000000..78b9201 --- /dev/null +++ b/jakarta/src/main/java/org/owasp/encoder/tag/ForHtmlContentTag.java 
@@ -0,0 +1,52 @@ +// Copyright (c) 2012 Jeff Ichnowski +// All rights reserved. +// +// Redistribution and use in source and binary forms, with or without +// modification, are permitted provided that the following conditions +// are met: +// +// * Redistributions of source code must retain the above +// copyright notice, this list of conditions and the following +// disclaimer. +// +// * Redistributions in binary form must reproduce the above +// copyright notice, this list of conditions and the following +// disclaimer in the documentation and/or other materials +// provided with the distribution. +// +// * Neither the name of the OWASP nor the names of its +// contributors may be used to endorse or promote products +// derived from this software without specific prior written +// permission. +// +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS +// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, +// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +// OF THE POSSIBILITY OF SUCH DAMAGE. + +package org.owasp.encoder.tag; + +import java.io.IOException; +import jakarta.servlet.jsp.JspException; +import org.owasp.encoder.Encode; + +/** + * A tag to perform HTML encoding for text content. + * This wraps the {@link org.owasp.encoder.Encode#forHtmlContent(java.lang.String)}. 
+ * + * @author Jeremy Long (jeremy.long@gmail.com) + */ +public class ForHtmlContentTag extends EncodingTag { + @Override + public void doTag() throws JspException, IOException { + Encode.forHtmlContent(getJspContext().getOut(), _value); + } +} diff --git a/jakarta/src/main/java/org/owasp/encoder/tag/ForHtmlTag.java b/jakarta/src/main/java/org/owasp/encoder/tag/ForHtmlTag.java new file mode 100644 index 0000000..d5030e4 --- /dev/null +++ b/jakarta/src/main/java/org/owasp/encoder/tag/ForHtmlTag.java 
@@ -0,0 +1,52 @@ +// Copyright (c) 2012 Jeff Ichnowski +// All rights reserved. +// +// Redistribution and use in source and binary forms, with or without +// modification, are permitted provided that the following conditions +// are met: +// +// * Redistributions of source code must retain the above +// copyright notice, this list of conditions and the following +// disclaimer. +// +// * Redistributions in binary form must reproduce the above +// copyright notice, this list of conditions and the following +// disclaimer in the documentation and/or other materials +// provided with the distribution. +// +// * Neither the name of the OWASP nor the names of its +// contributors may be used to endorse or promote products +// derived from this software without specific prior written +// permission. +// +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS +// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, +// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +// OF THE POSSIBILITY OF SUCH DAMAGE. + +package org.owasp.encoder.tag; + +import java.io.IOException; +import jakarta.servlet.jsp.JspException; +import org.owasp.encoder.Encode; + +/** + * A tag to perform HTML encoding. + * This wraps the {@link org.owasp.encoder.Encode#forHtml(java.lang.String)}. 
+ * + * @author Jeremy Long (jeremy.long@gmail.com) + */ +public class ForHtmlTag extends EncodingTag { + @Override + public void doTag() throws JspException, IOException { + Encode.forHtml(getJspContext().getOut(), _value); + } +} diff --git a/jakarta/src/main/java/org/owasp/encoder/tag/ForHtmlUnquotedAttributeTag.java b/jakarta/src/main/java/org/owasp/encoder/tag/ForHtmlUnquotedAttributeTag.java new file mode 100644 index 0000000..f28ea01 --- /dev/null +++ b/jakarta/src/main/java/org/owasp/encoder/tag/ForHtmlUnquotedAttributeTag.java 
@@ -0,0 +1,52 @@ +// Copyright (c) 2012 Jeff Ichnowski +// All rights reserved. +// +// Redistribution and use in source and binary forms, with or without +// modification, are permitted provided that the following conditions +// are met: +// +// * Redistributions of source code must retain the above +// copyright notice, this list of conditions and the following +// disclaimer. +// +// * Redistributions in binary form must reproduce the above +// copyright notice, this list of conditions and the following +// disclaimer in the documentation and/or other materials +// provided with the distribution. +// +// * Neither the name of the OWASP nor the names of its +// contributors may be used to endorse or promote products +// derived from this software without specific prior written +// permission. +// +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS +// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, +// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +// OF THE POSSIBILITY OF SUCH DAMAGE. + +package org.owasp.encoder.tag; + +import java.io.IOException; +import jakarta.servlet.jsp.JspException; +import org.owasp.encoder.Encode; + +/** + * A tag to perform HTML Attribute encoding for an unquoted attribute. + * This wraps the {@link org.owasp.encoder.Encode#forHtmlUnquotedAttribute(java.lang.String)}. 
+ * + * @author Jeremy Long (jeremy.long@gmail.com) + */ +public class ForHtmlUnquotedAttributeTag extends EncodingTag { + @Override + public void doTag() throws JspException, IOException { + Encode.forHtmlUnquotedAttribute(getJspContext().getOut(), _value); + } +} diff --git a/jakarta/src/main/java/org/owasp/encoder/tag/ForJavaScriptAttributeTag.java b/jakarta/src/main/java/org/owasp/encoder/tag/ForJavaScriptAttributeTag.java new file mode 100644 index 0000000..159d487 --- /dev/null +++ b/jakarta/src/main/java/org/owasp/encoder/tag/ForJavaScriptAttributeTag.java 
@@ -0,0 +1,52 @@ +// Copyright (c) 2012 Jeff Ichnowski +// All rights reserved. +// +// Redistribution and use in source and binary forms, with or without +// modification, are permitted provided that the following conditions +// are met: +// +// * Redistributions of source code must retain the above +// copyright notice, this list of conditions and the following +// disclaimer. +// +// * Redistributions in binary form must reproduce the above +// copyright notice, this list of conditions and the following +// disclaimer in the documentation and/or other materials +// provided with the distribution. +// +// * Neither the name of the OWASP nor the names of its +// contributors may be used to endorse or promote products +// derived from this software without specific prior written +// permission. +// +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS +// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, +// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +// OF THE POSSIBILITY OF SUCH DAMAGE. + +package org.owasp.encoder.tag; + +import java.io.IOException; +import jakarta.servlet.jsp.JspException; +import org.owasp.encoder.Encode; + +/** + * A tag to perform JavaScript Attribute encoding. + * This wraps the {@link org.owasp.encoder.Encode#forJavaScriptAttribute(java.lang.String)}. 
+ * + * @author Jeremy Long (jeremy.long@gmail.com) + */ +public class ForJavaScriptAttributeTag extends EncodingTag { + @Override + public void doTag() throws JspException, IOException { + Encode.forJavaScriptAttribute(getJspContext().getOut(), _value); + } +} diff --git a/jakarta/src/main/java/org/owasp/encoder/tag/ForJavaScriptBlockTag.java b/jakarta/src/main/java/org/owasp/encoder/tag/ForJavaScriptBlockTag.java new file mode 100644 index 0000000..c5412a9 --- /dev/null +++ b/jakarta/src/main/java/org/owasp/encoder/tag/ForJavaScriptBlockTag.java 
@@ -0,0 +1,52 @@ +// Copyright (c) 2012 Jeff Ichnowski +// All rights reserved. +// +// Redistribution and use in source and binary forms, with or without +// modification, are permitted provided that the following conditions +// are met: +// +// * Redistributions of source code must retain the above +// copyright notice, this list of conditions and the following +// disclaimer. +// +// * Redistributions in binary form must reproduce the above +// copyright notice, this list of conditions and the following +// disclaimer in the documentation and/or other materials +// provided with the distribution. +// +// * Neither the name of the OWASP nor the names of its +// contributors may be used to endorse or promote products +// derived from this software without specific prior written +// permission. +// +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS +// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, +// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +// OF THE POSSIBILITY OF SUCH DAMAGE. + +package org.owasp.encoder.tag; + +import java.io.IOException; +import jakarta.servlet.jsp.JspException; +import org.owasp.encoder.Encode; + +/** + * A tag to perform JavaScript Block encoding. + * This wraps the {@link org.owasp.encoder.Encode#forJavaScriptBlock(java.lang.String)}. 
+ * + * @author Jeremy Long (jeremy.long@gmail.com) + */ +public class ForJavaScriptBlockTag extends EncodingTag { + @Override + public void doTag() throws JspException, IOException { + Encode.forJavaScriptBlock(getJspContext().getOut(), _value); + } +} diff --git a/jakarta/src/main/java/org/owasp/encoder/tag/ForJavaScriptSourceTag.java b/jakarta/src/main/java/org/owasp/encoder/tag/ForJavaScriptSourceTag.java new file mode 100644 index 0000000..8370f7f --- /dev/null +++ b/jakarta/src/main/java/org/owasp/encoder/tag/ForJavaScriptSourceTag.java 
@@ -0,0 +1,52 @@ +// Copyright (c) 2012 Jeff Ichnowski +// All rights reserved. +// +// Redistribution and use in source and binary forms, with or without +// modification, are permitted provided that the following conditions +// are met: +// +// * Redistributions of source code must retain the above +// copyright notice, this list of conditions and the following +// disclaimer. +// +// * Redistributions in binary form must reproduce the above +// copyright notice, this list of conditions and the following +// disclaimer in the documentation and/or other materials +// provided with the distribution. +// +// * Neither the name of the OWASP nor the names of its +// contributors may be used to endorse or promote products +// derived from this software without specific prior written +// permission. +// +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS +// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, +// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +// OF THE POSSIBILITY OF SUCH DAMAGE. + +package org.owasp.encoder.tag; + +import java.io.IOException; +import jakarta.servlet.jsp.JspException; +import org.owasp.encoder.Encode; + +/** + * A tag to perform JavaScript Source encoding. + * This wraps the {@link org.owasp.encoder.Encode#forJavaScriptSource(java.lang.String)}. 
+ * + * @author Jeremy Long (jeremy.long@gmail.com) + */ +public class ForJavaScriptSourceTag extends EncodingTag { + @Override + public void doTag() throws JspException, IOException { + Encode.forJavaScriptSource(getJspContext().getOut(), _value); + } +} diff --git a/jakarta/src/main/java/org/owasp/encoder/tag/ForJavaScriptTag.java b/jakarta/src/main/java/org/owasp/encoder/tag/ForJavaScriptTag.java new file mode 100644 index 0000000..6211699 --- /dev/null +++ b/jakarta/src/main/java/org/owasp/encoder/tag/ForJavaScriptTag.java 
@@ -0,0 +1,52 @@ +// Copyright (c) 2012 Jeff Ichnowski +// All rights reserved. +// +// Redistribution and use in source and binary forms, with or without +// modification, are permitted provided that the following conditions +// are met: +// +// * Redistributions of source code must retain the above +// copyright notice, this list of conditions and the following +// disclaimer. +// +// * Redistributions in binary form must reproduce the above +// copyright notice, this list of conditions and the following +// disclaimer in the documentation and/or other materials +// provided with the distribution. +// +// * Neither the name of the OWASP nor the names of its +// contributors may be used to endorse or promote products +// derived from this software without specific prior written +// permission. +// +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS +// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, +// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +// OF THE POSSIBILITY OF SUCH DAMAGE. + +package org.owasp.encoder.tag; + +import java.io.IOException; +import jakarta.servlet.jsp.JspException; +import org.owasp.encoder.Encode; + +/** + * A tag to perform JavaScript encoding. + * This wraps the {@link org.owasp.encoder.Encode#forJavaScript(java.lang.String)}. 
+ * + * @author Jeremy Long (jeremy.long@gmail.com) + */ +public class ForJavaScriptTag extends EncodingTag { + @Override + public void doTag() throws JspException, IOException { + Encode.forJavaScript(getJspContext().getOut(), _value); + } +} diff --git a/jakarta/src/main/java/org/owasp/encoder/tag/ForUriComponentTag.java b/jakarta/src/main/java/org/owasp/encoder/tag/ForUriComponentTag.java new file mode 100644 index 0000000..e93aa98 --- /dev/null +++ b/jakarta/src/main/java/org/owasp/encoder/tag/ForUriComponentTag.java 
@@ -0,0 +1,53 @@ +// Copyright (c) 2012 Jeff Ichnowski +// All rights reserved. +// +// Redistribution and use in source and binary forms, with or without +// modification, are permitted provided that the following conditions +// are met: +// +// * Redistributions of source code must retain the above +// copyright notice, this list of conditions and the following +// disclaimer. +// +// * Redistributions in binary form must reproduce the above +// copyright notice, this list of conditions and the following +// disclaimer in the documentation and/or other materials +// provided with the distribution. +// +// * Neither the name of the OWASP nor the names of its +// contributors may be used to endorse or promote products +// derived from this software without specific prior written +// permission. +// +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS +// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, +// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +// OF THE POSSIBILITY OF SUCH DAMAGE. + +package org.owasp.encoder.tag; + +import java.io.IOException; +import jakarta.servlet.jsp.JspException; +import org.owasp.encoder.Encode; + +/** + * A tag that performs percent-encoding for a component of a URI, such as a query + * parameter name or value, path, or query-string. + * This wraps the {@link org.owasp.encoder.Encode#forUriComponent(java.lang.String)}. 
+ * + * @author Jeremy Long (jeremy.long@gmail.com) + */ +public class ForUriComponentTag extends EncodingTag { + @Override + public void doTag() throws JspException, IOException { + Encode.forUriComponent(getJspContext().getOut(), _value); + } +} diff --git a/jakarta/src/main/java/org/owasp/encoder/tag/ForUriTag.java b/jakarta/src/main/java/org/owasp/encoder/tag/ForUriTag.java new file mode 100644 index 0000000..e68903f --- /dev/null +++ b/jakarta/src/main/java/org/owasp/encoder/tag/ForUriTag.java 
@@ -0,0 +1,52 @@ +// Copyright (c) 2012 Jeff Ichnowski +// All rights reserved. +// +// Redistribution and use in source and binary forms, with or without +// modification, are permitted provided that the following conditions +// are met: +// +// * Redistributions of source code must retain the above +// copyright notice, this list of conditions and the following +// disclaimer. +// +// * Redistributions in binary form must reproduce the above +// copyright notice, this list of conditions and the following +// disclaimer in the documentation and/or other materials +// provided with the distribution. +// +// * Neither the name of the OWASP nor the names of its +// contributors may be used to endorse or promote products +// derived from this software without specific prior written +// permission. +// +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS +// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, +// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +// OF THE POSSIBILITY OF SUCH DAMAGE. + +package org.owasp.encoder.tag; + +import java.io.IOException; +import jakarta.servlet.jsp.JspException; +import org.owasp.encoder.Encode; + +/** + * A tag to perform percent-encoding of a URL according to RFC 3986. + * This wraps the {@link org.owasp.encoder.Encode#forUri(java.lang.String)}. 
+ * + * @author Jeremy Long (jeremy.long@gmail.com) + */ +public class ForUriTag extends EncodingTag { + @Override + public void doTag() throws JspException, IOException { + Encode.forUri(getJspContext().getOut(), _value); + } +} diff --git a/jakarta/src/main/java/org/owasp/encoder/tag/ForXmlAttributeTag.java b/jakarta/src/main/java/org/owasp/encoder/tag/ForXmlAttributeTag.java new file mode 100644 index 0000000..a9c99c4 --- /dev/null +++ b/jakarta/src/main/java/org/owasp/encoder/tag/ForXmlAttributeTag.java 
@@ -0,0 +1,52 @@ +// Copyright (c) 2012 Jeff Ichnowski +// All rights reserved. +// +// Redistribution and use in source and binary forms, with or without +// modification, are permitted provided that the following conditions +// are met: +// +// * Redistributions of source code must retain the above +// copyright notice, this list of conditions and the following +// disclaimer. +// +// * Redistributions in binary form must reproduce the above +// copyright notice, this list of conditions and the following +// disclaimer in the documentation and/or other materials +// provided with the distribution. +// +// * Neither the name of the OWASP nor the names of its +// contributors may be used to endorse or promote products +// derived from this software without specific prior written +// permission. +// +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS +// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, +// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +// OF THE POSSIBILITY OF SUCH DAMAGE. + +package org.owasp.encoder.tag; + +import java.io.IOException; +import jakarta.servlet.jsp.JspException; +import org.owasp.encoder.Encode; + +/** + * A tag to perform XML Attribute Encoding. + * This wraps the {@link org.owasp.encoder.Encode#forXmlAttribute(java.lang.String)}. 
+ * + * @author Jeremy Long (jeremy.long@gmail.com) + */ +public class ForXmlAttributeTag extends EncodingTag { + @Override + public void doTag() throws JspException, IOException { + Encode.forXmlAttribute(getJspContext().getOut(), _value); + } +} diff --git a/jakarta/src/main/java/org/owasp/encoder/tag/ForXmlCommentTag.java b/jakarta/src/main/java/org/owasp/encoder/tag/ForXmlCommentTag.java new file mode 100644 index 0000000..0e6da88 --- /dev/null +++ b/jakarta/src/main/java/org/owasp/encoder/tag/ForXmlCommentTag.java 
@@ -0,0 +1,52 @@ +// Copyright (c) 2012 Jeff Ichnowski +// All rights reserved. +// +// Redistribution and use in source and binary forms, with or without +// modification, are permitted provided that the following conditions +// are met: +// +// * Redistributions of source code must retain the above +// copyright notice, this list of conditions and the following +// disclaimer. +// +// * Redistributions in binary form must reproduce the above +// copyright notice, this list of conditions and the following +// disclaimer in the documentation and/or other materials +// provided with the distribution. +// +// * Neither the name of the OWASP nor the names of its +// contributors may be used to endorse or promote products +// derived from this software without specific prior written +// permission. +// +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS +// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, +// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +// OF THE POSSIBILITY OF SUCH DAMAGE. + +package org.owasp.encoder.tag; + +import java.io.IOException; +import jakarta.servlet.jsp.JspException; +import org.owasp.encoder.Encode; + +/** + * A tag to perform XML Comment Encoding. + * This wraps the {@link org.owasp.encoder.Encode#forXmlAttribute(java.lang.String)}. 
+ * + * @author Jeremy Long (jeremy.long@gmail.com) + */ +public class ForXmlCommentTag extends EncodingTag { + @Override + public void doTag() throws JspException, IOException { + Encode.forXmlComment(getJspContext().getOut(), _value); + } +} diff --git a/jakarta/src/main/java/org/owasp/encoder/tag/ForXmlContentTag.java b/jakarta/src/main/java/org/owasp/encoder/tag/ForXmlContentTag.java new file mode 100644 index 0000000..23de3a5 --- /dev/null +++ b/jakarta/src/main/java/org/owasp/encoder/tag/ForXmlContentTag.java 
@@ -0,0 +1,52 @@ +// Copyright (c) 2012 Jeff Ichnowski +// All rights reserved. +// +// Redistribution and use in source and binary forms, with or without +// modification, are permitted provided that the following conditions +// are met: +// +// * Redistributions of source code must retain the above +// copyright notice, this list of conditions and the following +// disclaimer. +// +// * Redistributions in binary form must reproduce the above +// copyright notice, this list of conditions and the following +// disclaimer in the documentation and/or other materials +// provided with the distribution. +// +// * Neither the name of the OWASP nor the names of its +// contributors may be used to endorse or promote products +// derived from this software without specific prior written +// permission. +// +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS +// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, +// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +// OF THE POSSIBILITY OF SUCH DAMAGE. + +package org.owasp.encoder.tag; + +import java.io.IOException; +import jakarta.servlet.jsp.JspException; +import org.owasp.encoder.Encode; + +/** + * A tag to perform XML Content Encoding. + * This wraps the {@link org.owasp.encoder.Encode#forXmlAttribute(java.lang.String)}. 
+ * + * @author Jeremy Long (jeremy.long@gmail.com) + */ +public class ForXmlContentTag extends EncodingTag { + @Override + public void doTag() throws JspException, IOException { + Encode.forXmlContent(getJspContext().getOut(), _value); + } +} diff --git a/jakarta/src/main/java/org/owasp/encoder/tag/ForXmlTag.java b/jakarta/src/main/java/org/owasp/encoder/tag/ForXmlTag.java new file mode 100644 index 0000000..550dcc3 --- /dev/null +++ b/jakarta/src/main/java/org/owasp/encoder/tag/ForXmlTag.java 
@@ -0,0 +1,52 @@ +// Copyright (c) 2012 Jeff Ichnowski +// All rights reserved. +// +// Redistribution and use in source and binary forms, with or without +// modification, are permitted provided that the following conditions +// are met: +// +// * Redistributions of source code must retain the above +// copyright notice, this list of conditions and the following +// disclaimer. +// +// * Redistributions in binary form must reproduce the above +// copyright notice, this list of conditions and the following +// disclaimer in the documentation and/or other materials +// provided with the distribution. +// +// * Neither the name of the OWASP nor the names of its +// contributors may be used to endorse or promote products +// derived from this software without specific prior written +// permission. +// +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS +// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, +// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +// OF THE POSSIBILITY OF SUCH DAMAGE. + +package org.owasp.encoder.tag; + +import java.io.IOException; +import jakarta.servlet.jsp.JspException; +import org.owasp.encoder.Encode; + +/** + * A tag to perform XML Encoding. + * This wraps the {@link org.owasp.encoder.Encode#forXml(java.lang.String)}. 
+ * + * @author Jeremy Long (jeremy.long@gmail.com) + */ +public class ForXmlTag extends EncodingTag { + @Override + public void doTag() throws JspException, IOException { + Encode.forXml(getJspContext().getOut(), _value); + } +} diff --git a/jakarta/src/main/java9/module-info.java b/jakarta/src/main/java9/module-info.java new file mode 100644 index 0000000..6f079b3 --- /dev/null +++ b/jakarta/src/main/java9/module-info.java @@ -0,0 +1,5 @@ +module owasp.encoder.jakarta { + requires owasp.encoder; + + exports org.owasp.encoder.tag; +} \ No newline at end of file diff --git a/jakarta/src/main/resources/META-INF/LICENSE b/jakarta/src/main/resources/META-INF/LICENSE new file mode 100644 index 0000000..f66c375 --- /dev/null +++ b/jakarta/src/main/resources/META-INF/LICENSE 
@@ -0,0 +1,33 @@ +Copyright (c) 2015 Jeff Ichnowski +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions +are met: + + * Redistributions of source code must retain the above + copyright notice, this list of conditions and the following + disclaimer. + + * Redistributions in binary form must reproduce the above + copyright notice, this list of conditions and the following + disclaimer in the documentation and/or other materials + provided with the distribution. + + * Neither the name of the OWASP nor the names of its + contributors may be used to endorse or promote products + derived from this software without specific prior written + permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS +FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, +INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +OF THE POSSIBILITY OF SUCH DAMAGE. \ No newline at end of file diff --git a/jakarta/src/main/resources/META-INF/java-encoder-advanced.tld b/jakarta/src/main/resources/META-INF/java-encoder-advanced.tld new file mode 100644 index 0000000..335477e --- /dev/null +++ b/jakarta/src/main/resources/META-INF/java-encoder-advanced.tld 
@@ -0,0 +1,560 @@ + + + OWASP Java Encoder Project + 1.0 + java-encoder + owasp.encoder.jakarta.advanced + + + Encodes data for an XML CDATA section. On the chance that the input + contains a terminating + "]]&gt;", it will be replaced by + &quot;]]&gt;]]&lt;![CDATA[&gt;&quot;. + As with all XML contexts, characters that are invalid according to the + XML specification will be replaced by a space character. Caller must + provide the CDATA section boundaries. + + forCDATA + forCDATA + org.owasp.encoder.tag.ForCDATATag + empty + + The value to be written out + value + true + true + java.lang.String + + + + + This method encodes for HTML text content. It does not escape + quotation characters and is thus unsafe for use with + HTML attributes. Use either forHtml or forHtmlAttribute for those + methods. + + forHtmlContent + forHtmlContent + org.owasp.encoder.tag.ForHtmlContentTag + empty + + value to be written out + value + true + true + java.lang.String + + + + Encodes for XML and XHTML attribute content. + forXmlAttribute + forXmlAttribute + org.owasp.encoder.tag.ForXmlAttributeTag + empty + + value to be written out + value + true + true + java.lang.String + + + + Encodes for XML and XHTML. + forXml + forXml + org.owasp.encoder.tag.ForXmlTag + empty + + value to be written out + value + true + true + java.lang.String + + + + + Encodes for a JavaScript string. It is safe for use in HTML + script attributes (such as onclick), script + blocks, JSON files, and JavaScript source. The caller MUST + provide the surrounding quotation characters for the string. + Since this performs additional encoding so it can work in all + of the JavaScript contexts listed, it may be slightly less + efficient then using one of the methods targetted to a specific + JavaScript context: forJavaScriptAttribute, + forJavaScriptBlock, or forJavaScriptSource. 
+ + Unless you are interested in saving a few bytes of output or + are writing a framework on top of this library, it is recommend + that you use this method over the others. + + forJavaScript + forJavaScript + org.owasp.encoder.tag.ForJavaScriptTag + empty + + value to be written out + value + true + true + java.lang.String + + + + + This method encodes for JavaScript strings contained within + HTML script attributes (such as onclick). It is + NOT safe for use in script blocks. The caller MUST provide the + surrounding quotation characters. This method performs the + same encode as Encode.forJavaScript(String) with the + exception that / is not escaped. + + forJavaScriptAttribute + forJavaScriptAttribute + org.owasp.encoder.tag.ForJavaScriptAttributeTag + empty + + value to be written out + value + true + true + java.lang.String + + + + + This method encodes for JavaScript strings contained within + HTML script blocks. It is NOT safe for use in script + attributes (such as onclick). The caller must + provide the surrounding quotation characters. This method + performs the same encode as Encode.forJavaScript(String)} with + the exception that " and ' are encoded as \" and \' respectively. + + forJavaScriptBlock + forJavaScriptBlock + org.owasp.encoder.tag.ForJavaScriptBlockTag + empty + + value to be written out + value + true + true + java.lang.String + + + + + This method encodes for JavaScript strings contained within + a JavaScript or JSON file. This method is NOT safe for + use in ANY context embedded in HTML. The caller must + provide the surrounding quotation characters. This method + performs the same encode as Encode.forJavaScript(String) with + the exception that / and & are not escaped and " and ' are + encoded as \" and \' respectively. 
+ + forJavaScriptSource + forJavaScriptSource + org.owasp.encoder.tag.ForJavaScriptSourceTag + empty + + value to be written out + value + true + true + java.lang.String + + + + + Encodes for unquoted HTML attribute values. forHtml(String) or + forHtmlAttribute(String) should usually be preferred over this + method as quoted attributes are XHTML compliant. + + forHtmlUnquotedAttribute + forHtmlUnquotedAttribute + org.owasp.encoder.tag.ForHtmlUnquotedAttributeTag + empty + + value to be written out + value + true + true + java.lang.String + + + + + Performs percent-encoding of a URL according to RFC 3986. The provided + URL is assumed to a valid URL. This method does not do any checking on + the quality or safety of the URL itself. In many applications it may + be better to use java.net.URI instead. Note: this is a + particularly dangerous context to put untrusted content in, as for + example a "javascript:" URL provided by a malicious user would be + "properly" escaped, and still execute. + + forUri + forUri + org.owasp.encoder.tag.ForUriTag + empty + + value to be written out + value + true + true + java.lang.String + + + + + Encodes for CSS URL contexts. The context must be surrounded by "url()". It + is safe for use in both style blocks and attributes in HTML. Note: this does + not do any checking on the quality or safety of the URL itself. The caller + should insure that the URL is safe for embedding (e.g. input validation) by + other means. + + forCssUrl + forCssUrl + org.owasp.encoder.tag.ForCssUrlTag + empty + + value to be written out + value + true + true + java.lang.String + + + + + Encoder for XML comments. NOT FOR USE WITH (X)HTML CONTEXTS. + (X)HTML comments may be interpreted by browsers as something + other than a comment, typically in vendor specific extensions + (e.g. &lt;--if[IE]--&gt;. + For (X)HTML it is recommend that unsafe content never be included + in a comment. 
+ + forXmlComment + forXmlComment + org.owasp.encoder.tag.ForXmlCommentTag + empty + + value to be written out + value + true + true + java.lang.String + + + + Encodes for HTML text attributes. + forHtmlAttribute + forHtmlAttribute + org.owasp.encoder.tag.ForHtmlAttributeTag + empty + + value to be written out + value + true + true + java.lang.String + + + + + Encodes for (X)HTML text content and text attributes. + + forHtml + forHtml + org.owasp.encoder.tag.ForHtmlTag + empty + + value to be written out + value + true + true + java.lang.String + + + + + Encodes for HTML text content. It does not escape + quotation characters and is thus unsafe for use with + HTML attributes. Use either forHtml or forHtmlAttribute for those + methods. + + forXmlContent + forXmlContent + org.owasp.encoder.tag.ForXmlContentTag + empty + + value to be written out + value + true + true + java.lang.String + + + + + Performs percent-encoding for a component of a URI, such as a query + parameter name or value, path or query-string. In particular this + method insures that special characters in the component do not get + interpreted as part of another component. + + forUriComponent + forUriComponent + org.owasp.encoder.tag.ForUriComponentTag + empty + + value to be written out + value + true + true + java.lang.String + + + + + Encodes for CSS strings. The context must be surrounded by quotation characters. + It is safe for use in both style blocks and attributes in HTML. + + forCssString + forCssString + org.owasp.encoder.tag.ForCssStringTag + empty + + value to be written out + value + true + true + java.lang.String + + + + + Encodes for (X)HTML text content and text attributes. + + forHtml + forHtml + org.owasp.encoder.Encode + java.lang.String forHtml(java.lang.String) + forHtml(unsafeData) + + + + This method encodes for HTML text content. It does not escape + quotation characters and is thus unsafe for use with + HTML attributes. 
Use either forHtml or forHtmlAttribute for those + methods. + + forHtmlContent + forHtmlContent + org.owasp.encoder.Encode + java.lang.String forHtmlContent(java.lang.String) + forHtmlContent(unsafeData) + + + Encodes for HTML text attributes. + forHtmlAttribute + org.owasp.encoder.Encode + java.lang.String forHtmlAttribute(java.lang.String) + forHtmlAttribute(unsafeData) + + + + Encodes for unquoted HTML attribute values. forHtml(String) or + forHtmlAttribute(String) should usually be preferred over this + method as quoted attributes are XHTML compliant. + + forHtmlUnquotedAttribute + forHtmlUnquotedAttribute + org.owasp.encoder.Encode + java.lang.String forHtmlUnquotedAttribute(java.lang.String) + forHtmlUnquotedAttribute(unsafeData) + + + + Encodes for CSS strings. The context must be surrounded by quotation characters. + It is safe for use in both style blocks and attributes in HTML. + + forCssString + forCssString + org.owasp.encoder.Encode + java.lang.String forCssString(java.lang.String) + forCssString(unsafeData) + + + + Encodes for CSS URL contexts. The context must be surrounded by "url()". It + is safe for use in both style blocks and attributes in HTML. Note: this does + not do any checking on the quality or safety of the URL itself. The caller + should insure that the URL is safe for embedding (e.g. input validation) by + other means. + + forCssUrl + forCssUrl + org.owasp.encoder.Encode + java.lang.String forCssUrl(java.lang.String) + forCssUrl(unsafeData) + + + + Performs percent-encoding of a URL according to RFC 3986. The provided + URL is assumed to a valid URL. This method does not do any checking on + the quality or safety of the URL itself. In many applications it may + be better to use java.net.URI instead. Note: this is a + particularly dangerous context to put untrusted content in, as for + example a "javascript:" URL provided by a malicious user would be + "properly" escaped, and still execute. 
+ + forUri + forUri + org.owasp.encoder.Encode + java.lang.String forUri(java.lang.String) + forUri(unsafeData) + + + + Performs percent-encoding for a component of a URI, such as a query + parameter name or value, path or query-string. In particular this + method insures that special characters in the component do not get + interpreted as part of another component. + + forUriComponent + forUriComponent + org.owasp.encoder.Encode + java.lang.String forUriComponent(java.lang.String) + forUriComponent(unsafeData) + + + Encodes for XML and XHTML. + forXml + forXml + org.owasp.encoder.Encode + java.lang.String forXml(java.lang.String) + forXml(unsafeData) + + + + Encodes for HTML text content. It does not escape + quotation characters and is thus unsafe for use with + HTML attributes. Use either forHtml or forHtmlAttribute for those + methods. + + forXmlContent + forXmlContent + org.owasp.encoder.Encode + java.lang.String forXmlContent(java.lang.String) + forXmlContent(unsafeData) + + + Encodes for XML and XHTML attribute content. + forXmlAttribute + forXmlAttribute + org.owasp.encoder.Encode + java.lang.String forXmlAttribute(java.lang.String) + forXmlAttribute(unsafeData) + + + + Encoder for XML comments. NOT FOR USE WITH (X)HTML CONTEXTS. + (X)HTML comments may be interpreted by browsers as something + other than a comment, typically in vendor specific extensions + (e.g. &lt;--if[IE]--&gt;. + For (X)HTML it is recommend that unsafe content never be included + in a comment. + + forXmlComment + org.owasp.encoder.Encode + java.lang.String forXmlComment(java.lang.String) + forXmlComment(unsafeData) + + + + Encodes data for an XML CDATA section. On the chance that the input + contains a terminating + "]]&gt;", it will be replaced by + &quot;]]&gt;]]&lt;![CDATA[&gt;&quot;. + As with all XML contexts, characters that are invalid according to the + XML specification will be replaced by a space character. Caller must + provide the CDATA section boundaries. 
+ + forCDATA + forCDATA + org.owasp.encoder.Encode + java.lang.String forCDATA(java.lang.String) + forCDATA(unsafeData) + + + + Encodes for a JavaScript string. It is safe for use in HTML + script attributes (such as onclick), script + blocks, JSON files, and JavaScript source. The caller MUST + provide the surrounding quotation characters for the string. + Since this performs additional encoding so it can work in all + of the JavaScript contexts listed, it may be slightly less + efficient then using one of the methods targetted to a specific + JavaScript context: forJavaScriptAttribute, + forJavaScriptBlock, or forJavaScriptSource. + + Unless you are interested in saving a few bytes of output or + are writing a framework on top of this library, it is recommend + that you use this method over the others. + + forJavaScript + forJavaScript + org.owasp.encoder.Encode + java.lang.String forJavaScript(java.lang.String) + forJavaScript(unsafeData) + + + + This method encodes for JavaScript strings contained within + HTML script attributes (such as onclick). It is + NOT safe for use in script blocks. The caller MUST provide the + surrounding quotation characters. This method performs the + same encode as Encode.forJavaScript(String) with the + exception that / is not escaped. + + forJavaScriptAttribute + forJavaScriptAttribute + org.owasp.encoder.Encode + java.lang.String forJavaScriptAttribute(java.lang.String) + forJavaScriptAttribute(unsafeData) + + + + This method encodes for JavaScript strings contained within + HTML script blocks. It is NOT safe for use in script + attributes (such as onclick). The caller must + provide the surrounding quotation characters. This method + performs the same encode as Encode.forJavaScript(String)} with + the exception that " and ' are encoded as \" and \' respectively. 
+ + forJavaScriptBlock + forJavaScriptBlock + org.owasp.encoder.Encode + java.lang.String forJavaScriptBlock(java.lang.String) + forJavaScriptBlock(unsafeData) + + + + This method encodes for JavaScript strings contained within + a JavaScript or JSON file. This method is NOT safe for + use in ANY context embedded in HTML. The caller must + provide the surrounding quotation characters. This method + performs the same encode as Encode.forJavaScript(String) with + the exception that / and & are not escaped and " and ' are + encoded as \" and \' respectively. + + forJavaScriptSource + forJavaScriptSource + org.owasp.encoder.Encode + java.lang.String forJavaScriptSource(java.lang.String) + + <%@page contentType="text/javascript; charset=UTF-8"%> + var data = '${forJavaScriptSource(unsafeData)}'; + + + \ No newline at end of file diff --git a/jakarta/src/main/resources/META-INF/java-encoder.tld b/jakarta/src/main/resources/META-INF/java-encoder.tld new file mode 100644 index 0000000..85dab09 --- /dev/null +++ b/jakarta/src/main/resources/META-INF/java-encoder.tld 
@@ -0,0 +1,406 @@ + + + OWASP Java Encoder Project + 1.0 + e + owasp.encoder.jakarta + + + Encodes data for an XML CDATA section. On the chance that the input + contains a terminating + "]]&gt;", it will be replaced by + &quot;]]&gt;]]&lt;![CDATA[&gt;&quot;. + As with all XML contexts, characters that are invalid according to the + XML specification will be replaced by a space character. Caller must + provide the CDATA section boundaries. + + forCDATA + forCDATA + org.owasp.encoder.tag.ForCDATATag + empty + + The value to be written out + value + true + true + java.lang.String + + + + + This method encodes for HTML text content. It does not escape + quotation characters and is thus unsafe for use with + HTML attributes. Use either forHtml or forHtmlAttribute for those + methods. + + forHtmlContent + forHtmlContent + org.owasp.encoder.tag.ForHtmlContentTag + empty + + value to be written out + value + true + true + java.lang.String + + + + Encodes for XML and XHTML attribute content. + forXmlAttribute + forXmlAttribute + org.owasp.encoder.tag.ForXmlAttributeTag + empty + + value to be written out + value + true + true + java.lang.String + + + + Encodes for XML and XHTML. + forXml + forXml + org.owasp.encoder.tag.ForXmlTag + empty + + value to be written out + value + true + true + java.lang.String + + + + + Encodes for a JavaScript string. It is safe for use in HTML + script attributes (such as onclick), script + blocks, JSON files, and JavaScript source. The caller MUST + provide the surrounding quotation characters for the string. + Since this performs additional encoding so it can work in all + of the JavaScript contexts listed, it may be slightly less + efficient then using one of the methods targetted to a specific + JavaScript context: forJavaScriptAttribute, + forJavaScriptBlock, or forJavaScriptSource. 
+ + Unless you are interested in saving a few bytes of output or + are writing a framework on top of this library, it is recommend + that you use this method over the others. + + forJavaScript + forJavaScript + org.owasp.encoder.tag.ForJavaScriptTag + empty + + value to be written out + value + true + true + java.lang.String + + + + + Encodes for unquoted HTML attribute values. forHtml(String) or + forHtmlAttribute(String) should usually be preferred over this + method as quoted attributes are XHTML compliant. + + forHtmlUnquotedAttribute + forHtmlUnquotedAttribute + org.owasp.encoder.tag.ForHtmlUnquotedAttributeTag + empty + + value to be written out + value + true + true + java.lang.String + + + + + Performs percent-encoding of a URL according to RFC 3986. The provided + URL is assumed to a valid URL. This method does not do any checking on + the quality or safety of the URL itself. In many applications it may + be better to use java.net.URI instead. Note: this is a + particularly dangerous context to put untrusted content in, as for + example a "javascript:" URL provided by a malicious user would be + "properly" escaped, and still execute. + + forUri + forUri + org.owasp.encoder.tag.ForUriTag + empty + + value to be written out + value + true + true + java.lang.String + + + + + Encodes for CSS URL contexts. The context must be surrounded by "url()". It + is safe for use in both style blocks and attributes in HTML. Note: this does + not do any checking on the quality or safety of the URL itself. The caller + should insure that the URL is safe for embedding (e.g. input validation) by + other means. + + forCssUrl + forCssUrl + org.owasp.encoder.tag.ForCssUrlTag + empty + + value to be written out + value + true + true + java.lang.String + + + + Encodes for HTML text attributes. 
+ forHtmlAttribute + forHtmlAttribute + org.owasp.encoder.tag.ForHtmlAttributeTag + empty + + value to be written out + value + true + true + java.lang.String + + + + + Encodes for (X)HTML text content and text attributes. + + forHtml + forHtml + org.owasp.encoder.tag.ForHtmlTag + empty + + value to be written out + value + true + true + java.lang.String + + + + + Encodes for HTML text content. It does not escape + quotation characters and is thus unsafe for use with + HTML attributes. Use either forHtml or forHtmlAttribute for those + methods. + + forXmlContent + forXmlContent + org.owasp.encoder.tag.ForXmlContentTag + empty + + value to be written out + value + true + true + java.lang.String + + + + + Performs percent-encoding for a component of a URI, such as a query + parameter name or value, path or query-string. In particular this + method insures that special characters in the component do not get + interpreted as part of another component. + + forUriComponent + forUriComponent + org.owasp.encoder.tag.ForUriComponentTag + empty + + value to be written out + value + true + true + java.lang.String + + + + + Encodes for CSS strings. The context must be surrounded by quotation characters. + It is safe for use in both style blocks and attributes in HTML. + + forCssString + forCssString + org.owasp.encoder.tag.ForCssStringTag + empty + + value to be written out + value + true + true + java.lang.String + + + + + Encodes for (X)HTML text content and text attributes. + + forHtml + forHtml + org.owasp.encoder.Encode + java.lang.String forHtml(java.lang.String) + forHtml(unsafeData) + + + + This method encodes for HTML text content. It does not escape + quotation characters and is thus unsafe for use with + HTML attributes. Use either forHtml or forHtmlAttribute for those + methods. + + forHtmlContent + forHtmlContent + org.owasp.encoder.Encode + java.lang.String forHtmlContent(java.lang.String) + forHtmlContent(unsafeData) + + + Encodes for HTML text attributes. 
+ forHtmlAttribute + org.owasp.encoder.Encode + java.lang.String forHtmlAttribute(java.lang.String) + forHtmlAttribute(unsafeData) + + + + Encodes for unquoted HTML attribute values. forHtml(String) or + forHtmlAttribute(String) should usually be preferred over this + method as quoted attributes are XHTML compliant. + + forHtmlUnquotedAttribute + forHtmlUnquotedAttribute + org.owasp.encoder.Encode + java.lang.String forHtmlUnquotedAttribute(java.lang.String) + forHtmlUnquotedAttribute(unsafeData) + + + + Encodes for CSS strings. The context must be surrounded by quotation characters. + It is safe for use in both style blocks and attributes in HTML. + + forCssString + forCssString + org.owasp.encoder.Encode + java.lang.String forCssString(java.lang.String) + forCssString(unsafeData) + + + + Encodes for CSS URL contexts. The context must be surrounded by "url()". It + is safe for use in both style blocks and attributes in HTML. Note: this does + not do any checking on the quality or safety of the URL itself. The caller + should insure that the URL is safe for embedding (e.g. input validation) by + other means. + + forCssUrl + forCssUrl + org.owasp.encoder.Encode + java.lang.String forCssUrl(java.lang.String) + forCssUrl(unsafeData) + + + + Performs percent-encoding of a URL according to RFC 3986. The provided + URL is assumed to a valid URL. This method does not do any checking on + the quality or safety of the URL itself. In many applications it may + be better to use java.net.URI instead. Note: this is a + particularly dangerous context to put untrusted content in, as for + example a "javascript:" URL provided by a malicious user would be + "properly" escaped, and still execute. + + forUri + forUri + org.owasp.encoder.Encode + java.lang.String forUri(java.lang.String) + forUri(unsafeData) + + + + Performs percent-encoding for a component of a URI, such as a query + parameter name or value, path or query-string. 
In particular this + method insures that special characters in the component do not get + interpreted as part of another component. + + forUriComponent + forUriComponent + org.owasp.encoder.Encode + java.lang.String forUriComponent(java.lang.String) + forUriComponent(unsafeData) + + + Encodes for XML and XHTML. + forXml + forXml + org.owasp.encoder.Encode + java.lang.String forXml(java.lang.String) + forXml(unsafeData) + + + + Encodes for HTML text content. It does not escape + quotation characters and is thus unsafe for use with + HTML attributes. Use either forHtml or forHtmlAttribute for those + methods. + + forXmlContent + forXmlContent + org.owasp.encoder.Encode + java.lang.String forXmlContent(java.lang.String) + forXmlContent(unsafeData) + + + Encodes for XML and XHTML attribute content. + forXmlAttribute + forXmlAttribute + org.owasp.encoder.Encode + java.lang.String forXmlAttribute(java.lang.String) + forXmlAttribute(unsafeData) + + + + Encodes data for an XML CDATA section. On the chance that the input + contains a terminating + "]]&gt;", it will be replaced by + &quot;]]&gt;]]&lt;![CDATA[&gt;&quot;. + As with all XML contexts, characters that are invalid according to the + XML specification will be replaced by a space character. Caller must + provide the CDATA section boundaries. + + forCDATA + forCDATA + org.owasp.encoder.Encode + java.lang.String forCDATA(java.lang.String) + forCDATA(unsafeData) + + + + Encodes for a JavaScript string. It is safe for use in HTML + script attributes (such as onclick), script + blocks, JSON files, and JavaScript source. The caller MUST + provide the surrounding quotation characters for the string. + + forJavaScript + forJavaScript + org.owasp.encoder.Encode + java.lang.String forJavaScript(java.lang.String) + forJavaScript(unsafeData) + + \ No newline at end of file diff --git a/jakarta/src/site/markdown/index.md b/jakarta/src/site/markdown/index.md new file mode 100644 index 0000000..e2c305a --- /dev/null 
+++ b/jakarta/src/site/markdown/index.md @@ -0,0 +1,31 @@ +## OWASP JSP + +The OWASP JSP Encoder is a collection of high-performance low-overhead +contextual encoders that, when utilized correctly, is an effective tool in +preventing Web Application security vulnerabilities such as Cross-Site +Scripting (XSS). + +Please see the [OWASP XSS Prevention Cheat Sheet](https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet) +for more information on preventing XSS. + +### JSP Usage + +The JSP Encoder makes the use of the Java Encoder within JSP simple via a TLD that +includes tags and a set of JSP EL functions: + +```xml + + org.owasp.encoder + encoder-jsp + 1.2.3 + +``` + +```JSP +<%@taglib prefix="e" uri="https://www.owasp.org/index.php/OWASP_Java_Encoder_Project" %> + +<%-- ... --%> + +

Dynamic data via EL: ${e:forHtml(param.value)}

+

Dynamic data via tag:

+``` diff --git a/jakarta/src/site/site.xml b/jakarta/src/site/site.xml new file mode 100644 index 0000000..dde2b60 --- /dev/null +++ b/jakarta/src/site/site.xml @@ -0,0 +1,41 @@ + + + + + + \ No newline at end of file diff --git a/jakarta/src/test/java/org/owasp/encoder/tag/EncodingTagTest.java b/jakarta/src/test/java/org/owasp/encoder/tag/EncodingTagTest.java new file mode 100644 index 0000000..4f49e8b --- /dev/null +++ b/jakarta/src/test/java/org/owasp/encoder/tag/EncodingTagTest.java 
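Review bot: this is the site index for the jakarta module, yet it titles itself "OWASP JSP" and its Maven snippet pulls `encoder-jsp` 1.2.3, so a reader of the jakarta site is pointed at the javax-based artifact; the heading and the coordinates should name the jakarta module's own artifact, and the hard-coded version is better tied to the release than left in the page. The cheat-sheet link also targets the legacy www.owasp.org/index.php wiki; the XSS Prevention Cheat Sheet now lives in the OWASP Cheat Sheet Series at cheatsheetseries.owasp.org, which is where a new page should link.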
@@ -0,0 +1,77 @@ +// Copyright (c) 2012 Jeff Ichnowski +// All rights reserved. +// +// Redistribution and use in source and binary forms, with or without +// modification, are permitted provided that the following conditions +// are met: +// +// * Redistributions of source code must retain the above +// copyright notice, this list of conditions and the following +// disclaimer. +// +// * Redistributions in binary form must reproduce the above +// copyright notice, this list of conditions and the following +// disclaimer in the documentation and/or other materials +// provided with the distribution. +// +// * Neither the name of the OWASP nor the names of its +// contributors may be used to endorse or promote products +// derived from this software without specific prior written +// permission. +// +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS +// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, +// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +// OF THE POSSIBILITY OF SUCH DAMAGE. + +package org.owasp.encoder.tag; + +import junit.framework.TestCase; +import org.springframework.mock.web.MockHttpServletRequest; +import org.springframework.mock.web.MockHttpServletResponse; +import org.springframework.mock.web.MockPageContext; +import org.springframework.mock.web.MockServletContext; + +/** + * EncodingTagTest is the base class for all unit tests for the tags. 
+ * This sets up the ServletContext so that tags can be tested. + * + * @author Jeremy Long (jeremy.long@gmail.com) + */ +public abstract class EncodingTagTest extends TestCase { + + protected MockServletContext _servletContext; + protected MockPageContext _pageContext; + protected MockHttpServletRequest _request; + protected MockHttpServletResponse _response; + + /** + * Constructor for the EncodingTagTest + * @param testName the name of the test + */ + public EncodingTagTest(String testName) { + super(testName); + } + + @Override + protected void setUp() throws Exception { + super.setUp(); + _servletContext = new MockServletContext(); + _request = new MockHttpServletRequest(); + _response = new MockHttpServletResponse(); + _pageContext = new MockPageContext(_servletContext, _request, _response); + } + + @Override + protected void tearDown() throws Exception { + super.tearDown(); + } +} diff --git a/jakarta/src/test/java/org/owasp/encoder/tag/ForCDATATagTest.java b/jakarta/src/test/java/org/owasp/encoder/tag/ForCDATATagTest.java new file mode 100644 index 0000000..c8e3847 --- /dev/null +++ b/jakarta/src/test/java/org/owasp/encoder/tag/ForCDATATagTest.java 
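Review bot: EncodingTagTest's tearDown override does nothing but call super.tearDown(), and every subclass in this patch repeats the same no-op setUp/tearDown overrides and opens testDoTag with System.out.println("doTag"); drop the overrides and the println so the base class remains the single place that wires up the MockPageContext and the test output stays quiet. Since setUp runs before each test method, each subclass already gets a fresh MockHttpServletResponse per test, so nothing else is needed for the getContentAsString() assertions to stay independent.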
@@ -0,0 +1,77 @@ +// Copyright (c) 2012 Jeff Ichnowski +// All rights reserved. +// +// Redistribution and use in source and binary forms, with or without +// modification, are permitted provided that the following conditions +// are met: +// +// * Redistributions of source code must retain the above +// copyright notice, this list of conditions and the following +// disclaimer. +// +// * Redistributions in binary form must reproduce the above +// copyright notice, this list of conditions and the following +// disclaimer in the documentation and/or other materials +// provided with the distribution. +// +// * Neither the name of the OWASP nor the names of its +// contributors may be used to endorse or promote products +// derived from this software without specific prior written +// permission. +// +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS +// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, +// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +// OF THE POSSIBILITY OF SUCH DAMAGE. + + +package org.owasp.encoder.tag; + +/** + * Simple tests for the ForCDATATag. 
+ * + * @author Jeremy Long (jeremy.long@gmail.com) + */ +public class ForCDATATagTest extends EncodingTagTest { + + public ForCDATATagTest(String testName) { + super(testName); + } + + @Override + protected void setUp() throws Exception { + super.setUp(); + } + + @Override + protected void tearDown() throws Exception { + super.tearDown(); + } + + /** + * Test of doTag method, of class ForCDATATag. + * This is a very simple test that doesn't fully + * exercise/test the encoder - only that the + * tag itself works. + * @throws Exception is thrown if the tag fails. + */ + public void testDoTag() throws Exception { + System.out.println("doTag"); + ForCDATATag instance = new ForCDATATag(); + String value = "
]]>
"; + String expected = "
]]]]>
"; + instance.setJspContext(_pageContext); + instance.setValue(value); + instance.doTag(); + String results = _response.getContentAsString(); + assertEquals(expected,results); + } +} diff --git a/jakarta/src/test/java/org/owasp/encoder/tag/ForCssStringTagTest.java b/jakarta/src/test/java/org/owasp/encoder/tag/ForCssStringTagTest.java new file mode 100644 index 0000000..0c9d6e8 --- /dev/null +++ b/jakarta/src/test/java/org/owasp/encoder/tag/ForCssStringTagTest.java 
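Review bot: the expected string in ForCDATATagTest.testDoTag begins the split of an input "]]>" with "]]]]>" (the CDATA section is closed after the two brackets), whereas the forCDATA description in the tag-library descriptor earlier in this patch documents the replacement as "]]>]]<![CDATA[>" (closed after the full terminator); both sequences round-trip to the same text, but the documentation should state the sequence the code actually emits so nobody writes a second, conflicting expectation. A case asserting that a character invalid in XML is replaced by a space would also be worthwhile, since the descriptor promises that behaviour and nothing in this patch checks it.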
@@ -0,0 +1,77 @@ +// Copyright (c) 2012 Jeff Ichnowski +// All rights reserved. +// +// Redistribution and use in source and binary forms, with or without +// modification, are permitted provided that the following conditions +// are met: +// +// * Redistributions of source code must retain the above +// copyright notice, this list of conditions and the following +// disclaimer. +// +// * Redistributions in binary form must reproduce the above +// copyright notice, this list of conditions and the following +// disclaimer in the documentation and/or other materials +// provided with the distribution. +// +// * Neither the name of the OWASP nor the names of its +// contributors may be used to endorse or promote products +// derived from this software without specific prior written +// permission. +// +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS +// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, +// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +// OF THE POSSIBILITY OF SUCH DAMAGE. + + +package org.owasp.encoder.tag; + +/** + * Simple tests for the ForCssStringTag. 
+ * + * @author Jeremy Long (jeremy.long@gmail.com) + */ +public class ForCssStringTagTest extends EncodingTagTest { + + public ForCssStringTagTest(String testName) { + super(testName); + } + + @Override + protected void setUp() throws Exception { + super.setUp(); + } + + @Override + protected void tearDown() throws Exception { + super.tearDown(); + } + + /** + * Test of doTag method, of class ForCssStringTag. + * This is a very simple test that doesn't fully + * exercise/test the encoder - only that the + * tag itself works. + * @throws Exception is thrown if the tag fails. + */ + public void testDoTag() throws Exception { + System.out.println("doTag"); + ForCssStringTag instance = new ForCssStringTag(); + String value = "
"; + String expected = "\\3c div\\3e"; + instance.setJspContext(_pageContext); + instance.setValue(value); + instance.doTag(); + String results = _response.getContentAsString(); + assertEquals(expected,results); + } +} diff --git a/jakarta/src/test/java/org/owasp/encoder/tag/ForCssUrlTagTest.java b/jakarta/src/test/java/org/owasp/encoder/tag/ForCssUrlTagTest.java new file mode 100644 index 0000000..77936c3 --- /dev/null +++ b/jakarta/src/test/java/org/owasp/encoder/tag/ForCssUrlTagTest.java 
@@ -0,0 +1,77 @@ +// Copyright (c) 2012 Jeff Ichnowski +// All rights reserved. +// +// Redistribution and use in source and binary forms, with or without +// modification, are permitted provided that the following conditions +// are met: +// +// * Redistributions of source code must retain the above +// copyright notice, this list of conditions and the following +// disclaimer. +// +// * Redistributions in binary form must reproduce the above +// copyright notice, this list of conditions and the following +// disclaimer in the documentation and/or other materials +// provided with the distribution. +// +// * Neither the name of the OWASP nor the names of its +// contributors may be used to endorse or promote products +// derived from this software without specific prior written +// permission. +// +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS +// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, +// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +// OF THE POSSIBILITY OF SUCH DAMAGE. + + +package org.owasp.encoder.tag; + +/** + * Simple tests for the ForCssUrlTag. 
+ * + * @author Jeremy Long (jeremy.long@gmail.com) + */ +public class ForCssUrlTagTest extends EncodingTagTest { + + public ForCssUrlTagTest(String testName) { + super(testName); + } + + @Override + protected void setUp() throws Exception { + super.setUp(); + } + + @Override + protected void tearDown() throws Exception { + super.tearDown(); + } + + /** + * Test of doTag method, of class ForCssUrlTag. + * This is a very simple test that doesn't fully + * exercise/test the encoder - only that the + * tag itself works. + * @throws Exception is thrown if the tag fails. + */ + public void testDoTag() throws Exception { + System.out.println("doTag"); + ForCssUrlTag instance = new ForCssUrlTag(); + String value = "\\';"; + String expected = "\\5c\\27;"; + instance.setJspContext(_pageContext); + instance.setValue(value); + instance.doTag(); + String results = _response.getContentAsString(); + assertEquals(expected, results); + } +} diff --git a/jakarta/src/test/java/org/owasp/encoder/tag/ForHtmlAttributeTagTest.java b/jakarta/src/test/java/org/owasp/encoder/tag/ForHtmlAttributeTagTest.java new file mode 100644 index 0000000..3c0c64f --- /dev/null +++ b/jakarta/src/test/java/org/owasp/encoder/tag/ForHtmlAttributeTagTest.java 
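Review bot: the input `\';` in ForCssUrlTagTest.testDoTag only exercises escapes the CSS URL encoder shares with the CSS string encoder (backslash and quote); the character that actually terminates a url() context is the closing parenthesis, so add `)` and a space to the value and assert their escaped forms, otherwise the test cannot tell ForCssUrlTag apart from ForCssStringTag.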
@@ -0,0 +1,77 @@ +// Copyright (c) 2012 Jeff Ichnowski +// All rights reserved. +// +// Redistribution and use in source and binary forms, with or without +// modification, are permitted provided that the following conditions +// are met: +// +// * Redistributions of source code must retain the above +// copyright notice, this list of conditions and the following +// disclaimer. +// +// * Redistributions in binary form must reproduce the above +// copyright notice, this list of conditions and the following +// disclaimer in the documentation and/or other materials +// provided with the distribution. +// +// * Neither the name of the OWASP nor the names of its +// contributors may be used to endorse or promote products +// derived from this software without specific prior written +// permission. +// +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS +// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, +// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +// OF THE POSSIBILITY OF SUCH DAMAGE. + + +package org.owasp.encoder.tag; + +/** + * Simple tests for the ForHtmlAttributeTag. 
+ * + * @author Jeremy Long (jeremy.long@gmail.com) + */ +public class ForHtmlAttributeTagTest extends EncodingTagTest { + + public ForHtmlAttributeTagTest(String testName) { + super(testName); + } + + @Override + protected void setUp() throws Exception { + super.setUp(); + } + + @Override + protected void tearDown() throws Exception { + super.tearDown(); + } + + /** + * Test of doTag method, of class ForHtmlAttributeTag. + * This is a very simple test that doesn't fully + * exercise/test the encoder - only that the + * tag itself works. + * @throws Exception is thrown if the tag fails. + */ + public void testDoTag() throws Exception { + System.out.println("doTag"); + ForHtmlAttributeTag instance = new ForHtmlAttributeTag(); + String value = "
"; + String expected = "<div>"; + instance.setJspContext(_pageContext); + instance.setValue(value); + instance.doTag(); + String results = _response.getContentAsString(); + assertEquals(expected,results); + } +} diff --git a/jakarta/src/test/java/org/owasp/encoder/tag/ForHtmlContentTagTest.java b/jakarta/src/test/java/org/owasp/encoder/tag/ForHtmlContentTagTest.java new file mode 100644 index 0000000..ef6e389 --- /dev/null +++ b/jakarta/src/test/java/org/owasp/encoder/tag/ForHtmlContentTagTest.java 
@@ -0,0 +1,77 @@ +// Copyright (c) 2012 Jeff Ichnowski +// All rights reserved. +// +// Redistribution and use in source and binary forms, with or without +// modification, are permitted provided that the following conditions +// are met: +// +// * Redistributions of source code must retain the above +// copyright notice, this list of conditions and the following +// disclaimer. +// +// * Redistributions in binary form must reproduce the above +// copyright notice, this list of conditions and the following +// disclaimer in the documentation and/or other materials +// provided with the distribution. +// +// * Neither the name of the OWASP nor the names of its +// contributors may be used to endorse or promote products +// derived from this software without specific prior written +// permission. +// +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS +// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, +// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +// OF THE POSSIBILITY OF SUCH DAMAGE. + + +package org.owasp.encoder.tag; + +/** + * Simple tests for the ForHtmlContentTag. 
+ * + * @author Jeremy Long (jeremy.long@gmail.com) + */ +public class ForHtmlContentTagTest extends EncodingTagTest { + + public ForHtmlContentTagTest(String testName) { + super(testName); + } + + @Override + protected void setUp() throws Exception { + super.setUp(); + } + + @Override + protected void tearDown() throws Exception { + super.tearDown(); + } + + /** + * Test of doTag method, of class ForHtmlContentTag. + * This is a very simple test that doesn't fully + * exercise/test the encoder - only that the + * tag itself works. + * @throws Exception is thrown if the tag fails. + */ + public void testDoTag() throws Exception { + System.out.println("doTag"); + ForHtmlContentTag instance = new ForHtmlContentTag(); + String value = "
"; + String expected = "<div>"; + instance.setJspContext(_pageContext); + instance.setValue(value); + instance.doTag(); + String results = _response.getContentAsString(); + assertEquals(expected,results); + } +} diff --git a/jakarta/src/test/java/org/owasp/encoder/tag/ForHtmlTagTest.java b/jakarta/src/test/java/org/owasp/encoder/tag/ForHtmlTagTest.java new file mode 100644 index 0000000..03897a7 --- /dev/null +++ b/jakarta/src/test/java/org/owasp/encoder/tag/ForHtmlTagTest.java 
@@ -0,0 +1,77 @@ +// Copyright (c) 2012 Jeff Ichnowski +// All rights reserved. +// +// Redistribution and use in source and binary forms, with or without +// modification, are permitted provided that the following conditions +// are met: +// +// * Redistributions of source code must retain the above +// copyright notice, this list of conditions and the following +// disclaimer. +// +// * Redistributions in binary form must reproduce the above +// copyright notice, this list of conditions and the following +// disclaimer in the documentation and/or other materials +// provided with the distribution. +// +// * Neither the name of the OWASP nor the names of its +// contributors may be used to endorse or promote products +// derived from this software without specific prior written +// permission. +// +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS +// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, +// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +// OF THE POSSIBILITY OF SUCH DAMAGE. + + +package org.owasp.encoder.tag; + +/** + * Simple tests for the ForHtmlTag. 
+ * + * @author Jeremy Long (jeremy.long@gmail.com) + */ +public class ForHtmlTagTest extends EncodingTagTest { + + public ForHtmlTagTest(String testName) { + super(testName); + } + + @Override + protected void setUp() throws Exception { + super.setUp(); + } + + @Override + protected void tearDown() throws Exception { + super.tearDown(); + } + + /** + * Test of doTag method, of class ForHtmlTag. + * This is a very simple test that doesn't fully + * exercise/test the encoder - only that the + * tag itself works. + * @throws Exception is thrown if the tag fails. + */ + public void testDoTag() throws Exception { + System.out.println("doTag"); + ForHtmlTag instance = new ForHtmlTag(); + String value = "
"; + String expected = "<div>"; + instance.setJspContext(_pageContext); + instance.setValue(value); + instance.doTag(); + String results = _response.getContentAsString(); + assertEquals(expected,results); + } +} diff --git a/jakarta/src/test/java/org/owasp/encoder/tag/ForHtmlUnquotedAttributeTagTest.java b/jakarta/src/test/java/org/owasp/encoder/tag/ForHtmlUnquotedAttributeTagTest.java new file mode 100644 index 0000000..bce53a4 --- /dev/null +++ b/jakarta/src/test/java/org/owasp/encoder/tag/ForHtmlUnquotedAttributeTagTest.java 
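Review bot: ForHtmlTagTest, ForHtmlContentTagTest and ForHtmlAttributeTagTest all feed the encoder the same `<div>` value, which every HTML mode encodes identically, so none of the three would catch a tag wired to the wrong Encode method; the modes differ in how they treat quote characters (forHtmlContent leaves them alone, the attribute-safe modes must not), so put `"` and `'` in the value of each test and assert the mode-specific output.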
@@ -0,0 +1,77 @@ +// Copyright (c) 2012 Jeff Ichnowski +// All rights reserved. +// +// Redistribution and use in source and binary forms, with or without +// modification, are permitted provided that the following conditions +// are met: +// +// * Redistributions of source code must retain the above +// copyright notice, this list of conditions and the following +// disclaimer. +// +// * Redistributions in binary form must reproduce the above +// copyright notice, this list of conditions and the following +// disclaimer in the documentation and/or other materials +// provided with the distribution. +// +// * Neither the name of the OWASP nor the names of its +// contributors may be used to endorse or promote products +// derived from this software without specific prior written +// permission. +// +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS +// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, +// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +// OF THE POSSIBILITY OF SUCH DAMAGE. + + +package org.owasp.encoder.tag; + +/** + * Simple tests for the ForHtmlUnquotedAttributeTag. 
+ * + * @author Jeremy Long (jeremy.long@gmail.com) + */ +public class ForHtmlUnquotedAttributeTagTest extends EncodingTagTest { + + public ForHtmlUnquotedAttributeTagTest(String testName) { + super(testName); + } + + @Override + protected void setUp() throws Exception { + super.setUp(); + } + + @Override + protected void tearDown() throws Exception { + super.tearDown(); + } + + /** + * Test of doTag method, of class ForHtmlUnquotedAttributeTag. + * This is a very simple test that doesn't fully + * exercise/test the encoder - only that the + * tag itself works. + * @throws Exception is thrown if the tag fails. + */ + public void testDoTag() throws Exception { + System.out.println("doTag"); + ForHtmlUnquotedAttributeTag instance = new ForHtmlUnquotedAttributeTag(); + String value = "
"; + String expected = "<div> </div>"; + instance.setJspContext(_pageContext); + instance.setValue(value); + instance.doTag(); + String results = _response.getContentAsString(); + assertEquals(expected,results); + } +} diff --git a/jakarta/src/test/java/org/owasp/encoder/tag/ForJavaScriptAttributeTagTest.java b/jakarta/src/test/java/org/owasp/encoder/tag/ForJavaScriptAttributeTagTest.java new file mode 100644 index 0000000..ad38c07 --- /dev/null +++ b/jakarta/src/test/java/org/owasp/encoder/tag/ForJavaScriptAttributeTagTest.java 
@@ -0,0 +1,77 @@ +// Copyright (c) 2012 Jeff Ichnowski +// All rights reserved. +// +// Redistribution and use in source and binary forms, with or without +// modification, are permitted provided that the following conditions +// are met: +// +// * Redistributions of source code must retain the above +// copyright notice, this list of conditions and the following +// disclaimer. +// +// * Redistributions in binary form must reproduce the above +// copyright notice, this list of conditions and the following +// disclaimer in the documentation and/or other materials +// provided with the distribution. +// +// * Neither the name of the OWASP nor the names of its +// contributors may be used to endorse or promote products +// derived from this software without specific prior written +// permission. +// +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS +// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, +// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +// OF THE POSSIBILITY OF SUCH DAMAGE. + + +package org.owasp.encoder.tag; + +/** + * Simple tests for the ForJavaScriptAttributeTag. 
+ * + * @author Jeremy Long (jeremy.long@gmail.com) + */ +public class ForJavaScriptAttributeTagTest extends EncodingTagTest { + + public ForJavaScriptAttributeTagTest(String testName) { + super(testName); + } + + @Override + protected void setUp() throws Exception { + super.setUp(); + } + + @Override + protected void tearDown() throws Exception { + super.tearDown(); + } + + /** + * Test of doTag method, of class ForJavaScriptAttributeTag. + * This is a very simple test that doesn't fully + * exercise/test the encoder - only that the + * tag itself works. + * @throws Exception is thrown if the tag fails. + */ + public void testDoTag() throws Exception { + System.out.println("doTag"); + ForJavaScriptAttributeTag instance = new ForJavaScriptAttributeTag(); + String value = "
\"\'"; + String expected = "
\\x22\\x27"; + instance.setJspContext(_pageContext); + instance.setValue(value); + instance.doTag(); + String results = _response.getContentAsString(); + assertEquals(expected,results); + } +} diff --git a/jakarta/src/test/java/org/owasp/encoder/tag/ForJavaScriptBlockTagTest.java b/jakarta/src/test/java/org/owasp/encoder/tag/ForJavaScriptBlockTagTest.java new file mode 100644 index 0000000..75cf97e --- /dev/null +++ b/jakarta/src/test/java/org/owasp/encoder/tag/ForJavaScriptBlockTagTest.java 
@@ -0,0 +1,77 @@ +// Copyright (c) 2012 Jeff Ichnowski +// All rights reserved. +// +// Redistribution and use in source and binary forms, with or without +// modification, are permitted provided that the following conditions +// are met: +// +// * Redistributions of source code must retain the above +// copyright notice, this list of conditions and the following +// disclaimer. +// +// * Redistributions in binary form must reproduce the above +// copyright notice, this list of conditions and the following +// disclaimer in the documentation and/or other materials +// provided with the distribution. +// +// * Neither the name of the OWASP nor the names of its +// contributors may be used to endorse or promote products +// derived from this software without specific prior written +// permission. +// +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS +// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, +// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +// OF THE POSSIBILITY OF SUCH DAMAGE. + + +package org.owasp.encoder.tag; + +/** + * Simple tests for the ForJavaScriptBlockTag. 
+ * + * @author Jeremy Long (jeremy.long@gmail.com) + */ +public class ForJavaScriptBlockTagTest extends EncodingTagTest { + + public ForJavaScriptBlockTagTest(String testName) { + super(testName); + } + + @Override + protected void setUp() throws Exception { + super.setUp(); + } + + @Override + protected void tearDown() throws Exception { + super.tearDown(); + } + + /** + * Test of doTag method, of class ForJavaScriptBlockTag. + * This is a very simple test that doesn't fully + * exercise/test the encoder - only that the + * tag itself works. + * @throws Exception is thrown if the tag fails. + */ + public void testDoTag() throws Exception { + System.out.println("doTag"); + ForJavaScriptBlockTag instance = new ForJavaScriptBlockTag(); + String value = "'\"\0"; + String expected = "\\'\\\"\\x00"; + instance.setJspContext(_pageContext); + instance.setValue(value); + instance.doTag(); + String results = _response.getContentAsString(); + assertEquals(expected,results); + } +} diff --git a/jakarta/src/test/java/org/owasp/encoder/tag/ForJavaScriptSourceTagTest.java b/jakarta/src/test/java/org/owasp/encoder/tag/ForJavaScriptSourceTagTest.java new file mode 100644 index 0000000..0ea95fc --- /dev/null +++ b/jakarta/src/test/java/org/owasp/encoder/tag/ForJavaScriptSourceTagTest.java 
@@ -0,0 +1,77 @@ +// Copyright (c) 2012 Jeff Ichnowski +// All rights reserved. +// +// Redistribution and use in source and binary forms, with or without +// modification, are permitted provided that the following conditions +// are met: +// +// * Redistributions of source code must retain the above +// copyright notice, this list of conditions and the following +// disclaimer. +// +// * Redistributions in binary form must reproduce the above +// copyright notice, this list of conditions and the following +// disclaimer in the documentation and/or other materials +// provided with the distribution. +// +// * Neither the name of the OWASP nor the names of its +// contributors may be used to endorse or promote products +// derived from this software without specific prior written +// permission. +// +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS +// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, +// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +// OF THE POSSIBILITY OF SUCH DAMAGE. + + +package org.owasp.encoder.tag; + +/** + * Simple tests for the ForJavaScriptSourceTag. 
+ * + * @author Jeremy Long (jeremy.long@gmail.com) + */ +public class ForJavaScriptSourceTagTest extends EncodingTagTest { + + public ForJavaScriptSourceTagTest(String testName) { + super(testName); + } + + @Override + protected void setUp() throws Exception { + super.setUp(); + } + + @Override + protected void tearDown() throws Exception { + super.tearDown(); + } + + /** + * Test of doTag method, of class ForJavaScriptSourceTag. + * This is a very simple test that doesn't fully + * exercise/test the encoder - only that the + * tag itself works. + * @throws Exception is thrown if the tag fails. + */ + public void testDoTag() throws Exception { + System.out.println("doTag"); + ForJavaScriptSourceTag instance = new ForJavaScriptSourceTag(); + String value = "\0'\""; + String expected = "\\x00\\'\\\""; + instance.setJspContext(_pageContext); + instance.setValue(value); + instance.doTag(); + String results = _response.getContentAsString(); + assertEquals(expected,results); + } +} diff --git a/jakarta/src/test/java/org/owasp/encoder/tag/ForJavaScriptTagTest.java b/jakarta/src/test/java/org/owasp/encoder/tag/ForJavaScriptTagTest.java new file mode 100644 index 0000000..2d4f67a --- /dev/null +++ b/jakarta/src/test/java/org/owasp/encoder/tag/ForJavaScriptTagTest.java 
@@ -0,0 +1,46 @@ +/* + * To change this template, choose Tools | Templates + * and open the template in the editor. + */ +package org.owasp.encoder.tag; + +/** + * Simple tests for the ForJavaScriptTag. + * + * @author Jeremy Long (jeremy.long@gmail.com) + */ +public class ForJavaScriptTagTest extends EncodingTagTest { + + public ForJavaScriptTagTest(String testName) { + super(testName); + } + + @Override + protected void setUp() throws Exception { + super.setUp(); + } + + @Override + protected void tearDown() throws Exception { + super.tearDown(); + } + + /** + * Test of doTag method, of class ForJavaScriptTag. + * This is a very simple test that doesn't fully + * exercise/test the encoder - only that the + * tag itself works. + * @throws Exception is thrown if the tag fails. + */ + public void testDoTag() throws Exception { + System.out.println("doTag"); + ForJavaScriptTag instance = new ForJavaScriptTag(); + String value = "\0'\""; + String expected = "\\x00\\x27\\x22"; + instance.setJspContext(_pageContext); + instance.setValue(value); + instance.doTag(); + String results = _response.getContentAsString(); + assertEquals(expected,results); + } +} diff --git a/jakarta/src/test/java/org/owasp/encoder/tag/ForUriComponentTagTest.java b/jakarta/src/test/java/org/owasp/encoder/tag/ForUriComponentTagTest.java new file mode 100644 index 0000000..3d9d11c --- /dev/null +++ b/jakarta/src/test/java/org/owasp/encoder/tag/ForUriComponentTagTest.java 
@@ -0,0 +1,77 @@ +// Copyright (c) 2012 Jeff Ichnowski +// All rights reserved. +// +// Redistribution and use in source and binary forms, with or without +// modification, are permitted provided that the following conditions +// are met: +// +// * Redistributions of source code must retain the above +// copyright notice, this list of conditions and the following +// disclaimer. +// +// * Redistributions in binary form must reproduce the above +// copyright notice, this list of conditions and the following +// disclaimer in the documentation and/or other materials +// provided with the distribution. +// +// * Neither the name of the OWASP nor the names of its +// contributors may be used to endorse or promote products +// derived from this software without specific prior written +// permission. +// +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS +// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, +// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +// OF THE POSSIBILITY OF SUCH DAMAGE. + + +package org.owasp.encoder.tag; + +/** + * Simple tests for the ForUriComponentTag. 
+ * + * @author Jeremy Long (jeremy.long@gmail.com) + */ +public class ForUriComponentTagTest extends EncodingTagTest { + + public ForUriComponentTagTest(String testName) { + super(testName); + } + + @Override + protected void setUp() throws Exception { + super.setUp(); + } + + @Override + protected void tearDown() throws Exception { + super.tearDown(); + } + + /** + * Test of doTag method, of class ForUriComponentTag. + * This is a very simple test that doesn't fully + * exercise/test the encoder - only that the + * tag itself works. + * @throws Exception is thrown if the tag fails. + */ + public void testDoTag() throws Exception { + System.out.println("doTag"); + ForUriComponentTag instance = new ForUriComponentTag(); + String value = "&=test"; + String expected = "%26amp%3B%3Dtest"; + instance.setJspContext(_pageContext); + instance.setValue(value); + instance.doTag(); + String results = _response.getContentAsString(); + assertEquals(expected,results); + } +} diff --git a/jakarta/src/test/java/org/owasp/encoder/tag/ForUriTagTest.java b/jakarta/src/test/java/org/owasp/encoder/tag/ForUriTagTest.java new file mode 100644 index 0000000..ac16812 --- /dev/null +++ b/jakarta/src/test/java/org/owasp/encoder/tag/ForUriTagTest.java 
@@ -0,0 +1,77 @@ +// Copyright (c) 2012 Jeff Ichnowski +// All rights reserved. +// +// Redistribution and use in source and binary forms, with or without +// modification, are permitted provided that the following conditions +// are met: +// +// * Redistributions of source code must retain the above +// copyright notice, this list of conditions and the following +// disclaimer. +// +// * Redistributions in binary form must reproduce the above +// copyright notice, this list of conditions and the following +// disclaimer in the documentation and/or other materials +// provided with the distribution. +// +// * Neither the name of the OWASP nor the names of its +// contributors may be used to endorse or promote products +// derived from this software without specific prior written +// permission. +// +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS +// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, +// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +// OF THE POSSIBILITY OF SUCH DAMAGE. + + +package org.owasp.encoder.tag; + +/** + * Simple tests for the ForUriTag. 
+ * + * @author Jeremy Long (jeremy.long@gmail.com) + */ +public class ForUriTagTest extends EncodingTagTest { + + public ForUriTagTest(String testName) { + super(testName); + } + + @Override + protected void setUp() throws Exception { + super.setUp(); + } + + @Override + protected void tearDown() throws Exception { + super.tearDown(); + } + + /** + * Test of doTag method, of class ForUriTag. + * This is a very simple test that doesn't fully + * exercise/test the encoder - only that the + * tag itself works. + * @throws Exception is thrown if the tag fails. + */ + public void testDoTag() throws Exception { + System.out.println("doTag"); + ForUriTag instance = new ForUriTag(); + String value = "\\\""; + String expected = "%5C%22"; + instance.setJspContext(_pageContext); + instance.setValue(value); + instance.doTag(); + String results = _response.getContentAsString(); + assertEquals(expected,results); + } +} diff --git a/jakarta/src/test/java/org/owasp/encoder/tag/ForXmlAttributeTagTest.java b/jakarta/src/test/java/org/owasp/encoder/tag/ForXmlAttributeTagTest.java new file mode 100644 index 0000000..4246516 --- /dev/null +++ b/jakarta/src/test/java/org/owasp/encoder/tag/ForXmlAttributeTagTest.java 
@@ -0,0 +1,77 @@ +// Copyright (c) 2012 Jeff Ichnowski +// All rights reserved. +// +// Redistribution and use in source and binary forms, with or without +// modification, are permitted provided that the following conditions +// are met: +// +// * Redistributions of source code must retain the above +// copyright notice, this list of conditions and the following +// disclaimer. +// +// * Redistributions in binary form must reproduce the above +// copyright notice, this list of conditions and the following +// disclaimer in the documentation and/or other materials +// provided with the distribution. +// +// * Neither the name of the OWASP nor the names of its +// contributors may be used to endorse or promote products +// derived from this software without specific prior written +// permission. +// +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS +// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, +// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +// OF THE POSSIBILITY OF SUCH DAMAGE. + + +package org.owasp.encoder.tag; + +/** + * Simple tests for the ForXmlAttributeTag. 
+ * + * @author Jeremy Long (jeremy.long@gmail.com) + */ +public class ForXmlAttributeTagTest extends EncodingTagTest { + + public ForXmlAttributeTagTest(String testName) { + super(testName); + } + + @Override + protected void setUp() throws Exception { + super.setUp(); + } + + @Override + protected void tearDown() throws Exception { + super.tearDown(); + } + + /** + * Test of doTag method, of class ForXmlAttributeTag. + * This is a very simple test that doesn't fully + * exercise/test the encoder - only that the + * tag itself works. + * @throws Exception is thrown if the tag fails. + */ + public void testDoTag() throws Exception { + System.out.println("doTag"); + ForXmlAttributeTag instance = new ForXmlAttributeTag(); + String value = "
"; + String expected = "<div>"; + instance.setJspContext(_pageContext); + instance.setValue(value); + instance.doTag(); + String results = _response.getContentAsString(); + assertEquals(expected,results); + } +} diff --git a/jakarta/src/test/java/org/owasp/encoder/tag/ForXmlCommentTagTest.java b/jakarta/src/test/java/org/owasp/encoder/tag/ForXmlCommentTagTest.java new file mode 100644 index 0000000..cea3db3 --- /dev/null +++ b/jakarta/src/test/java/org/owasp/encoder/tag/ForXmlCommentTagTest.java 
@@ -0,0 +1,77 @@ +// Copyright (c) 2012 Jeff Ichnowski +// All rights reserved. +// +// Redistribution and use in source and binary forms, with or without +// modification, are permitted provided that the following conditions +// are met: +// +// * Redistributions of source code must retain the above +// copyright notice, this list of conditions and the following +// disclaimer. +// +// * Redistributions in binary form must reproduce the above +// copyright notice, this list of conditions and the following +// disclaimer in the documentation and/or other materials +// provided with the distribution. +// +// * Neither the name of the OWASP nor the names of its +// contributors may be used to endorse or promote products +// derived from this software without specific prior written +// permission. +// +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS +// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, +// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +// OF THE POSSIBILITY OF SUCH DAMAGE. + + +package org.owasp.encoder.tag; + +/** + * Simple tests for the ForXmlCommentTag. 
+ * + * @author Jeremy Long (jeremy.long@gmail.com) + */ +public class ForXmlCommentTagTest extends EncodingTagTest { + + public ForXmlCommentTagTest(String testName) { + super(testName); + } + + @Override + protected void setUp() throws Exception { + super.setUp(); + } + + @Override + protected void tearDown() throws Exception { + super.tearDown(); + } + + /** + * Test of doTag method, of class ForXmlCommentTag. + * This is a very simple test that doesn't fully + * exercise/test the encoder - only that the + * tag itself works. + * @throws Exception is thrown if the tag fails. + */ + public void testDoTag() throws Exception { + System.out.println("doTag"); + ForXmlCommentTag instance = new ForXmlCommentTag(); + String value = "--> - - JSP - - - - - - \ No newline at end of file diff --git a/jsp/src/test/java/org/owasp/encoder/tag/EncodingTagTest.java b/jsp/src/test/java/org/owasp/encoder/tag/EncodingTagTest.java index 10705ae..4f49e8b 100644 --- a/jsp/src/test/java/org/owasp/encoder/tag/EncodingTagTest.java +++ b/jsp/src/test/java/org/owasp/encoder/tag/EncodingTagTest.java @@ -54,7 +54,7 @@ public abstract class EncodingTagTest extends TestCase { protected MockHttpServletResponse _response; /** - * Contructor for the EncodingTagTest + * Constructor for the EncodingTagTest * @param testName the name of the test */ public EncodingTagTest(String testName) { diff --git a/jsp/src/test/java/org/owasp/encoder/tag/ForCDATATagTest.java b/jsp/src/test/java/org/owasp/encoder/tag/ForCDATATagTest.java index 1720d4e..c8e3847 100644 --- a/jsp/src/test/java/org/owasp/encoder/tag/ForCDATATagTest.java +++ b/jsp/src/test/java/org/owasp/encoder/tag/ForCDATATagTest.java 
@@ -59,7 +59,7 @@ protected void tearDown() throws Exception { /** * Test of doTag method, of class ForCDATATag. * This is a very simple test that doesn't fully - * excersize/test the encoder - only that the + * exercise/test the encoder - only that the * tag itself works. * @throws Exception is thrown if the tag fails. */ @@ -67,7 +67,7 @@ public void testDoTag() throws Exception { System.out.println("doTag"); ForCDATATag instance = new ForCDATATag(); String value = "
]]>
"; - String expected = "
]]>]]
"; + String expected = "
]]]]>
"; instance.setJspContext(_pageContext); instance.setValue(value); instance.doTag(); diff --git a/jsp/src/test/java/org/owasp/encoder/tag/ForCssStringTagTest.java b/jsp/src/test/java/org/owasp/encoder/tag/ForCssStringTagTest.java index 7a79d40..0c9d6e8 100644 --- a/jsp/src/test/java/org/owasp/encoder/tag/ForCssStringTagTest.java +++ b/jsp/src/test/java/org/owasp/encoder/tag/ForCssStringTagTest.java @@ -59,7 +59,7 @@ protected void tearDown() throws Exception { /** * Test of doTag method, of class ForCssStringTag. * This is a very simple test that doesn't fully - * excersize/test the encoder - only that the + * exercise/test the encoder - only that the * tag itself works. * @throws Exception is thrown if the tag fails. */ diff --git a/jsp/src/test/java/org/owasp/encoder/tag/ForCssUrlTagTest.java b/jsp/src/test/java/org/owasp/encoder/tag/ForCssUrlTagTest.java index c787988..77936c3 100644 --- a/jsp/src/test/java/org/owasp/encoder/tag/ForCssUrlTagTest.java +++ b/jsp/src/test/java/org/owasp/encoder/tag/ForCssUrlTagTest.java @@ -59,7 +59,7 @@ protected void tearDown() throws Exception { /** * Test of doTag method, of class ForCssUrlTag. * This is a very simple test that doesn't fully - * excersize/test the encoder - only that the + * exercise/test the encoder - only that the * tag itself works. * @throws Exception is thrown if the tag fails. */ diff --git a/jsp/src/test/java/org/owasp/encoder/tag/ForHtmlAttributeTagTest.java b/jsp/src/test/java/org/owasp/encoder/tag/ForHtmlAttributeTagTest.java index 34d63fc..3c0c64f 100644 --- a/jsp/src/test/java/org/owasp/encoder/tag/ForHtmlAttributeTagTest.java +++ b/jsp/src/test/java/org/owasp/encoder/tag/ForHtmlAttributeTagTest.java 
@@ -59,7 +59,7 @@ protected void tearDown() throws Exception { /** * Test of doTag method, of class ForHtmlAttributeTag. * This is a very simple test that doesn't fully - * excersize/test the encoder - only that the + * exercise/test the encoder - only that the * tag itself works. * @throws Exception is thrown if the tag fails. */ diff --git a/jsp/src/test/java/org/owasp/encoder/tag/ForHtmlContentTagTest.java b/jsp/src/test/java/org/owasp/encoder/tag/ForHtmlContentTagTest.java index 9a9703c..ef6e389 100644 --- a/jsp/src/test/java/org/owasp/encoder/tag/ForHtmlContentTagTest.java +++ b/jsp/src/test/java/org/owasp/encoder/tag/ForHtmlContentTagTest.java @@ -59,7 +59,7 @@ protected void tearDown() throws Exception { /** * Test of doTag method, of class ForHtmlContentTag. * This is a very simple test that doesn't fully - * excersize/test the encoder - only that the + * exercise/test the encoder - only that the * tag itself works. * @throws Exception is thrown if the tag fails. */ diff --git a/jsp/src/test/java/org/owasp/encoder/tag/ForHtmlTagTest.java b/jsp/src/test/java/org/owasp/encoder/tag/ForHtmlTagTest.java index 9f73173..03897a7 100644 --- a/jsp/src/test/java/org/owasp/encoder/tag/ForHtmlTagTest.java +++ b/jsp/src/test/java/org/owasp/encoder/tag/ForHtmlTagTest.java @@ -59,7 +59,7 @@ protected void tearDown() throws Exception { /** * Test of doTag method, of class ForHtmlTag. * This is a very simple test that doesn't fully - * excersize/test the encoder - only that the + * exercise/test the encoder - only that the * tag itself works. * @throws Exception is thrown if the tag fails. */ diff --git a/jsp/src/test/java/org/owasp/encoder/tag/ForHtmlUnquotedAttributeTagTest.java b/jsp/src/test/java/org/owasp/encoder/tag/ForHtmlUnquotedAttributeTagTest.java index 4d1cae0..bce53a4 100644 --- a/jsp/src/test/java/org/owasp/encoder/tag/ForHtmlUnquotedAttributeTagTest.java +++ b/jsp/src/test/java/org/owasp/encoder/tag/ForHtmlUnquotedAttributeTagTest.java 
@@ -59,7 +59,7 @@ protected void tearDown() throws Exception { /** * Test of doTag method, of class ForHtmlUnquotedAttributeTag. * This is a very simple test that doesn't fully - * excersize/test the encoder - only that the + * exercise/test the encoder - only that the * tag itself works. * @throws Exception is thrown if the tag fails. */ diff --git a/jsp/src/test/java/org/owasp/encoder/tag/ForJavaScriptAttributeTagTest.java b/jsp/src/test/java/org/owasp/encoder/tag/ForJavaScriptAttributeTagTest.java index 6829820..ad38c07 100644 --- a/jsp/src/test/java/org/owasp/encoder/tag/ForJavaScriptAttributeTagTest.java +++ b/jsp/src/test/java/org/owasp/encoder/tag/ForJavaScriptAttributeTagTest.java @@ -59,7 +59,7 @@ protected void tearDown() throws Exception { /** * Test of doTag method, of class ForJavaScriptAttributeTag. * This is a very simple test that doesn't fully - * excersize/test the encoder - only that the + * exercise/test the encoder - only that the * tag itself works. * @throws Exception is thrown if the tag fails. */ diff --git a/jsp/src/test/java/org/owasp/encoder/tag/ForJavaScriptBlockTagTest.java b/jsp/src/test/java/org/owasp/encoder/tag/ForJavaScriptBlockTagTest.java index 79d7163..75cf97e 100644 --- a/jsp/src/test/java/org/owasp/encoder/tag/ForJavaScriptBlockTagTest.java +++ b/jsp/src/test/java/org/owasp/encoder/tag/ForJavaScriptBlockTagTest.java @@ -59,7 +59,7 @@ protected void tearDown() throws Exception { /** * Test of doTag method, of class ForJavaScriptBlockTag. * This is a very simple test that doesn't fully - * excersize/test the encoder - only that the + * exercise/test the encoder - only that the * tag itself works. * @throws Exception is thrown if the tag fails. */ diff --git a/jsp/src/test/java/org/owasp/encoder/tag/ForJavaScriptSourceTagTest.java b/jsp/src/test/java/org/owasp/encoder/tag/ForJavaScriptSourceTagTest.java index 400c8d9..0ea95fc 100644 --- a/jsp/src/test/java/org/owasp/encoder/tag/ForJavaScriptSourceTagTest.java 
+++ b/jsp/src/test/java/org/owasp/encoder/tag/ForJavaScriptSourceTagTest.java @@ -59,7 +59,7 @@ protected void tearDown() throws Exception { /** * Test of doTag method, of class ForJavaScriptSourceTag. * This is a very simple test that doesn't fully - * excersize/test the encoder - only that the + * exercise/test the encoder - only that the * tag itself works. * @throws Exception is thrown if the tag fails. */ diff --git a/jsp/src/test/java/org/owasp/encoder/tag/ForJavaScriptTagTest.java b/jsp/src/test/java/org/owasp/encoder/tag/ForJavaScriptTagTest.java index c7427a7..2d4f67a 100644 --- a/jsp/src/test/java/org/owasp/encoder/tag/ForJavaScriptTagTest.java +++ b/jsp/src/test/java/org/owasp/encoder/tag/ForJavaScriptTagTest.java @@ -28,7 +28,7 @@ protected void tearDown() throws Exception { /** * Test of doTag method, of class ForJavaScriptTag. * This is a very simple test that doesn't fully - * excersize/test the encoder - only that the + * exercise/test the encoder - only that the * tag itself works. * @throws Exception is thrown if the tag fails. */ diff --git a/jsp/src/test/java/org/owasp/encoder/tag/ForUriComponentTagTest.java b/jsp/src/test/java/org/owasp/encoder/tag/ForUriComponentTagTest.java index 6709cde..3d9d11c 100644 --- a/jsp/src/test/java/org/owasp/encoder/tag/ForUriComponentTagTest.java +++ b/jsp/src/test/java/org/owasp/encoder/tag/ForUriComponentTagTest.java @@ -59,7 +59,7 @@ protected void tearDown() throws Exception { /** * Test of doTag method, of class ForUriComponentTag. * This is a very simple test that doesn't fully - * excersize/test the encoder - only that the + * exercise/test the encoder - only that the * tag itself works. * @throws Exception is thrown if the tag fails. */ diff --git a/jsp/src/test/java/org/owasp/encoder/tag/ForUriTagTest.java b/jsp/src/test/java/org/owasp/encoder/tag/ForUriTagTest.java index d401d89..ac16812 100644 --- a/jsp/src/test/java/org/owasp/encoder/tag/ForUriTagTest.java 
+++ b/jsp/src/test/java/org/owasp/encoder/tag/ForUriTagTest.java @@ -59,7 +59,7 @@ protected void tearDown() throws Exception { /** * Test of doTag method, of class ForUriTag. * This is a very simple test that doesn't fully - * excersize/test the encoder - only that the + * exercise/test the encoder - only that the * tag itself works. * @throws Exception is thrown if the tag fails. */ diff --git a/jsp/src/test/java/org/owasp/encoder/tag/ForXmlAttributeTagTest.java b/jsp/src/test/java/org/owasp/encoder/tag/ForXmlAttributeTagTest.java index ec42f28..4246516 100644 --- a/jsp/src/test/java/org/owasp/encoder/tag/ForXmlAttributeTagTest.java +++ b/jsp/src/test/java/org/owasp/encoder/tag/ForXmlAttributeTagTest.java @@ -59,7 +59,7 @@ protected void tearDown() throws Exception { /** * Test of doTag method, of class ForXmlAttributeTag. * This is a very simple test that doesn't fully - * excersize/test the encoder - only that the + * exercise/test the encoder - only that the * tag itself works. * @throws Exception is thrown if the tag fails. */ diff --git a/jsp/src/test/java/org/owasp/encoder/tag/ForXmlCommentTagTest.java b/jsp/src/test/java/org/owasp/encoder/tag/ForXmlCommentTagTest.java index cf5182a..cea3db3 100644 --- a/jsp/src/test/java/org/owasp/encoder/tag/ForXmlCommentTagTest.java +++ b/jsp/src/test/java/org/owasp/encoder/tag/ForXmlCommentTagTest.java @@ -59,7 +59,7 @@ protected void tearDown() throws Exception { /** * Test of doTag method, of class ForXmlCommentTag. * This is a very simple test that doesn't fully - * excersize/test the encoder - only that the + * exercise/test the encoder - only that the * tag itself works. * @throws Exception is thrown if the tag fails. */ diff --git a/jsp/src/test/java/org/owasp/encoder/tag/ForXmlContentTagTest.java b/jsp/src/test/java/org/owasp/encoder/tag/ForXmlContentTagTest.java index 1efd061..536c265 100644 --- a/jsp/src/test/java/org/owasp/encoder/tag/ForXmlContentTagTest.java 
+++ b/jsp/src/test/java/org/owasp/encoder/tag/ForXmlContentTagTest.java @@ -59,7 +59,7 @@ protected void tearDown() throws Exception { /** * Test of doTag method, of class ForXmlContentTag. * This is a very simple test that doesn't fully - * excersize/test the encoder - only that the + * exercise/test the encoder - only that the * tag itself works. * @throws Exception is thrown if the tag fails. */ diff --git a/jsp/src/test/java/org/owasp/encoder/tag/ForXmlTagTest.java b/jsp/src/test/java/org/owasp/encoder/tag/ForXmlTagTest.java index 59d54dc..b55d2be 100644 --- a/jsp/src/test/java/org/owasp/encoder/tag/ForXmlTagTest.java +++ b/jsp/src/test/java/org/owasp/encoder/tag/ForXmlTagTest.java @@ -59,7 +59,7 @@ protected void tearDown() throws Exception { /** * Test of doTag method, of class ForXmlTag. * This is a very simple test that doesn't fully - * excersize/test the encoder - only that the + * exercise/test the encoder - only that the * tag itself works. * @throws Exception is thrown if the tag fails. */ diff --git a/pom.xml b/pom.xml index bb9d7a3..deacc07 100755 --- a/pom.xml +++ b/pom.xml @@ -1,5 +1,4 @@ - 3.4 + + + lt.velykis.maven.skins + reflow-velocity-tools + 1.1.1 + + + + org.apache.velocity + velocity + 1.7 + + + org.apache.maven.doxia + doxia-module-markdown + 1.6 + + org.apache.maven.plugins maven-project-info-reports-plugin - 2.8 + 2.9 org.apache.maven.plugins maven-pmd-plugin - 3.4 + 3.6 + + + org.apache.felix + maven-bundle-plugin + 3.5.1 org.codehaus.mojo versions-maven-plugin - 2.1 + 2.3 org.apache.maven.plugins @@ -233,7 +257,7 @@ org.codehaus.mojo findbugs-maven-plugin - 3.0.0 + 3.0.4 
@@ -242,30 +266,65 @@ org.apache.maven.plugins maven-compiler-plugin - - 1.5 - 1.5 - + + + compile-java-8 + + compile + + + 8 + + + + compile-java-9 + compile + + compile + + + 9 + + ${project.basedir}/src/main/java9 + + true + + + - org.codehaus.mojo - cobertura-maven-plugin - - - 85 - 85 - false - 85 - 85 - 85 - 85 - - + org.apache.felix + maven-bundle-plugin + default-bundle + process-classes - clean + manifest + + true + + <_noee>true + <_nouses>true + ${jigsaw.module.name} + + + + + + + org.jacoco + jacoco-maven-plugin + + + prepare-agent + + prepare-agent + + + surefireArgLine + @@ -276,6 +335,19 @@ org/owasp/encoder/BenchmarkTest.java + ${surefireArgLine} + + + + org.apache.maven.plugins + maven-jar-plugin + + + ${project.build.outputDirectory}/META-INF/MANIFEST.MF + + true + + @@ -294,6 +366,10 @@ org.apache.maven.plugins maven-javadoc-plugin + + 8 + false + attach-javadocs @@ -307,16 +383,6 @@ org.apache.maven.plugins maven-site-plugin - - - org.apache.maven.doxia - doxia-module-markdown - 1.6 - - - - true - @@ -370,14 +436,22 @@ - org.codehaus.mojo - cobertura-maven-plugin + org.jacoco + jacoco-maven-plugin + + + + + report + + + org.apache.maven.plugins maven-pmd-plugin - 1.5 + 1.8 true utf-8 @@ -391,6 +465,10 @@ javadoc + + 8 + false + @@ -435,5 +513,14 @@ + + testJakarta + + false + + + jakarta-test + + diff --git a/src/main/config/checkstyle.xml b/src/main/config/checkstyle.xml index cb56d07..3f2c8b6 100644 --- a/src/main/config/checkstyle.xml +++ b/src/main/config/checkstyle.xml @@ -25,9 +25,17 @@ - + + + + + - + + + + + @@ -75,12 +83,6 @@ - - - - - - @@ -93,7 +95,7 @@ - + @@ -145,7 +147,7 @@ --> - + diff --git a/src/site/markdown/index.md b/src/site/markdown/index.md new file mode 100644 index 0000000..0273e4f --- /dev/null +++ b/src/site/markdown/index.md 
@@ -0,0 +1,56 @@ +## OWASP Java Encoder Project + +The OWASP Java Encoder Project is a collection of high-performance low-overhead +contextual encoders, that when utilized correctly, is an effective tool in +preventing Web Application security vulnerabilities such as Cross-Site +Scripting (XSS). + +Please see the [OWASP XSS Prevention Cheat Sheet](https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet) +for more information on preventing XSS. + +### Usage + +In addition to the usage guidance below, more examples can be found on the [OWASP Java Encoder Project Wiki](https://www.owasp.org/index.php/OWASP_Java_Encoder_Project#tab=Use_the_Java_Encoder_Project). + +The JARs can be found in [Maven Central](https://search.maven.org/#search%7Cga%7C1%7Cg%3A%22org.owasp.encoder%22). + +```xml + + org.owasp.encoder + encoder + 1.2.3 + +``` + +Utilize the encoder: + +```java +import org.owasp.encoder.Encode; + +//... + +PrintWriter out = ....; +out.println(""); +``` + +### JSP Usage + +The JSP Encoder makes the use of the Java Encoder within JSP simple via a TLD that +includes tags and a set of JSP EL functions: + +```xml + + org.owasp.encoder + encoder-jsp + 1.2.3 + +``` + +```JSP +<%@taglib prefix="e" uri="https://www.owasp.org/index.php/OWASP_Java_Encoder_Project" %> + +<%-- ... --%> + +

Dynamic data via EL: ${e:forHtml(param.value)}

+

Dynamic data via tag:

+``` diff --git a/src/site/resources/images/owasp.jpg b/src/site/resources/images/owasp.jpg new file mode 100644 index 0000000..addae89 Binary files /dev/null and b/src/site/resources/images/owasp.jpg differ diff --git a/src/site/site.xml b/src/site/site.xml index a389c70..f1d4a83 100644 --- a/src/site/site.xml +++ b/src/site/site.xml @@ -37,56 +37,56 @@ OF THE POSSIBILITY OF SUCH DAMAGE. --> - org.apache.maven.skins - maven-fluido-skin - 1.3.1 + lt.velykis.maven.skins + reflow-maven-skin + 1.1.1 - - - true - true - - owasp/owasp-java-encoder - right - gray - - - - - + + + OWASP Java Encoder Project + Codestin Search App OWASP Java Encoder Project - + ./images/owasp.jpg + 107 + 300 - - - - - - - + + + default + true + github + + ${project.name} + https://www.owasp.org/index.php/OWASP_Java_Encoder_Project + + false + top + 6 + Modules|Maven Documentation + + Modules + Contribute + Maven Documentation + + + + + + - - - - - - - - - - - - -
Copyright © 2011-2015 OWASP. All Rights Reserved.
+ + + + + + + + + + + +
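Review bot: the new jakarta/src/test/java/org/owasp/encoder/tag/ForJavaScriptTagTest.java opens with the NetBeans placeholder comment ("To change this template, choose Tools | Templates and open the template in the editor.") instead of the BSD header every sibling test in the directory carries. Replace it with the same `// Copyright (c) 2012 Jeff Ichnowski` block, and since the jsp original is the identical blob (index c7427a7..2d4f67a) and is already touched by this PR for the exercise/excersize typo, fix it there in the same commit.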
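Review bot: in ForUriComponentTagTest.testDoTag the expectation `"%26amp%3B%3Dtest"` for the input `"&=test"` is the percent-encoding of `&amp;=test`, so the ampersand was entity-encoded before being URI-encoded. Plain URI-component encoding of `&=test` is `%26%3Dtest`, and when a URI component is emitted inside an HTML attribute the safe order is URI-encode first and HTML-encode the result, which leaves `%26%3Dtest` unchanged. The same expectation sits in the jsp module (index 6709cde..3d9d11c, the same blob as the new jakarta file), so it is inherited rather than introduced here, but either the tag applies HTML encoding ahead of URI encoding or the expectation is wrong; please confirm which, and add a comment to the test or correct tag and test together, so nobody reads this assertion as the intended output.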
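Review bot: every file added under jakarta/src/test/java/org/owasp/encoder/tag is a byte-for-byte copy of its jsp counterpart (the new-file blob ids 0ea95fc, 2d4f67a, 3d9d11c, ac16812, 4246516 and cea3db3 match the post-image ids of the jsp files edited further down), so each future fix must be applied twice, as the typo fix in this very PR already demonstrates. Consider keeping one copy of the tag tests and sharing it with the jakarta module (a test-jar dependency, or an extra test source root added with build-helper-maven-plugin), since the only intended difference between the two modules is the javax versus jakarta servlet package. While there, the `setUp`/`tearDown` overrides that only call `super` and the `System.out.println("doTag")` lines are noise that can be dropped.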
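Review bot: the ForCDATATagTest expectation change (`]]>]]` replaced by `]]]]>`) is a behaviour assertion, not a typo fix, and should not ride along silently in a PR whose other jsp test edits are spelling corrections. The new value is the right one: the only safe way to emit `]]>` inside a CDATA section is to split it as `]]]]><![CDATA[>`, whereas the old expectation leaves a literal `]]>` in the output, which terminates the section and hands the remainder of the data to the XML parser as markup. Please say so in the commit message (or split it into its own commit) so the history records why the expected output changed.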
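Review bot: the switch from cobertura to jacoco in pom.xml drops the coverage gate. The removed cobertura-maven-plugin block carried a `<check>` configuration with 85 thresholds, while the new jacoco-maven-plugin configuration only runs `prepare-agent` during the build and `report` in the reporting section, so a drop in test coverage now changes a report instead of failing the build. Add a `check` execution with equivalent `<rules>` (minimum COVEREDRATIO for LINE and BRANCH) bound to `verify`, and keep the `org/owasp/encoder/BenchmarkTest.java` exclusion visible in the surefire hunk out of the coverage measurement if it is meant to stay a benchmark rather than a test.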
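Review bot: the maven-compiler-plugin hunk adds a `compile-java-9` execution that compiles `${project.basedir}/src/main/java9` with release 9 and `multiReleaseOutput` set to true, and maven-jar-plugin is pointed at the manifest that maven-bundle-plugin writes to `${project.build.outputDirectory}/META-INF/MANIFEST.MF`. The bundle instructions visible here set `_noee`, `_nouses` and the module-name instruction fed by `${jigsaw.module.name}`, but no `Multi-Release: true` entry; without that entry the JVM ignores `META-INF/versions/9` entirely and whatever is compiled from src/main/java9 (presumably a module-info.java) is never used. Please confirm the generated manifest contains it (or add it to the bundle instructions or the jar plugin's manifest entries) and add a build step that inspects the produced jar, since this is exactly the kind of breakage unit tests do not catch.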
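Review bot: src/site/markdown/index.md links to the legacy wiki (`www.owasp.org/index.php/...`) for both the XSS Prevention Cheat Sheet and the project page. The cheat sheet now lives at https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html and the project at https://owasp.org/www-project-java-encoder/, so update the prose links; leave the `uri` in the `<%@taglib ... %>` directive as it is, because that string is the TLD identifier matched by the container, not a web address. The `1.2.3` pinned in the two Maven snippets will drift from the released version; make bumping it part of the release checklist or source it from the build.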