author | Andrew Vuong <akvuong@google.com> | 2023-03-13 22:54:17 +0000 |
---|---|---|
committer | Andrew Vuong <akvuong@google.com> | 2023-03-13 23:11:44 +0000 |
commit | 3566f560590f91ac4e11b6b7494c9a4831804c3f (patch) | |
tree | 80cc17f224771b06e037f182dde7fc0fa2276511 /jsp/src/main | |
parent | 465c7ff7095d67b23f9c59ab117a41db03b58a0d (diff) | |
parent | 6309c0ad5d5a339f41dfa94384930f630d46bc4a (diff) | |
download | java-encoder-3566f560590f91ac4e11b6b7494c9a4831804c3f.tar.gz |
Initial import of owasp-java-encoder from upstream main
Bug: 262898801
Test: mma
Change-Id: I89d97ac6be9533b10d9add01706d59260b686cdd
Diffstat (limited to 'jsp/src/main')
21 files changed, 1938 insertions, 0 deletions
diff --git a/jsp/src/main/java/org/owasp/encoder/tag/EncodingTag.java b/jsp/src/main/java/org/owasp/encoder/tag/EncodingTag.java
new file mode 100644
index 0000000..ef9b482
--- /dev/null
+++ b/jsp/src/main/java/org/owasp/encoder/tag/EncodingTag.java
@@ -0,0 +1,57 @@
+// Copyright (c) 2012 Jeff Ichnowski
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions
+// are met:
+//
+// * Redistributions of source code must retain the above
+// copyright notice, this list of conditions and the following
+// disclaimer.
+//
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials
+// provided with the distribution.
+//
+// * Neither the name of the OWASP nor the names of its
+// contributors may be used to endorse or promote products
+// derived from this software without specific prior written
+// permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+// OF THE POSSIBILITY OF SUCH DAMAGE.
+
+package org.owasp.encoder.tag;
+
+import javax.servlet.jsp.tagext.SimpleTagSupport;
+
+/**
+ * The base class for the encoding tags within this package.
+ *
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public abstract class EncodingTag extends SimpleTagSupport {
+ /**
+ * The value to be written out by the tag.
+ */
+ protected String _value;
+ /**
+ * Sets the value to be written out by the tag.
+ * @param value the value to be written out by the tag.
+ */
+ public void setValue(String value) {
+ this._value = value;
+ }
+
+}
diff --git a/jsp/src/main/java/org/owasp/encoder/tag/ForCDATATag.java b/jsp/src/main/java/org/owasp/encoder/tag/ForCDATATag.java
new file mode 100644
index 0000000..23db285
--- /dev/null
+++ b/jsp/src/main/java/org/owasp/encoder/tag/ForCDATATag.java
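Review bot: `setValue` and the `_value` field say nothing about what a `null` value produces, yet every subclass's `doTag` hands `_value` straight to the `Writer` overload of the `Encode` method it wraps, so the tag's output for an absent attribute is whatever that overload does with `null`, and this import does not document it. I would extend the setter Javadoc to `@param value the value to be written out by the tag; may be {@code null}, in which case the wrapped {@code Encode} overload decides what, if anything, is written`, once that behaviour has been confirmed against the core library. Separately, the mutable `protected String _value;` lets any subclass reassign the value after the container has set it; a `private` field with a `protected` getter would make the base class the only writer and would also drop the underscore prefix, though as this is an upstream import that change belongs upstream rather than here.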
@@ -0,0 +1,52 @@
+// Copyright (c) 2012 Jeff Ichnowski
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions
+// are met:
+//
+// * Redistributions of source code must retain the above
+// copyright notice, this list of conditions and the following
+// disclaimer.
+//
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials
+// provided with the distribution.
+//
+// * Neither the name of the OWASP nor the names of its
+// contributors may be used to endorse or promote products
+// derived from this software without specific prior written
+// permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+// OF THE POSSIBILITY OF SUCH DAMAGE.
+
+package org.owasp.encoder.tag;
+
+import java.io.IOException;
+import javax.servlet.jsp.JspException;
+import org.owasp.encoder.Encode;
+
+/**
+ * A tag to perform encoding sufficient to place into a CDATA block.
+ * This wraps the {@link org.owasp.encoder.Encode#forCDATA(java.lang.String)}.
+ *
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public class ForCDATATag extends EncodingTag {
+ @Override
+ public void doTag() throws JspException, IOException {
+ Encode.forCDATA(getJspContext().getOut(), _value);
+ }
+}
diff --git a/jsp/src/main/java/org/owasp/encoder/tag/ForCssStringTag.java b/jsp/src/main/java/org/owasp/encoder/tag/ForCssStringTag.java
new file mode 100644
index 0000000..e6edb5e
--- /dev/null
+++ b/jsp/src/main/java/org/owasp/encoder/tag/ForCssStringTag.java
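Review bot: The class Javadoc links `Encode#forCDATA(java.lang.String)`, the overload that returns a `String`, while `doTag` calls the two-argument form that writes to `getJspContext().getOut()`; the same mismatch appears in every other tag in this import (ForCssStringTag, ForCssUrlTag, ForHtmlAttributeTag, ForHtmlContentTag, ForHtmlTag, ForHtmlUnquotedAttributeTag, ForJavaScriptAttributeTag, ForJavaScriptBlockTag, ForJavaScriptSourceTag, ForJavaScriptTag, ForUriComponentTag). Pointing the link at the overload actually used, `{@link org.owasp.encoder.Encode#forCDATA(java.io.Writer, java.lang.String)}`, sends readers to the method whose null and I/O semantics the tag inherits. For this tag in particular, the Javadoc should also state that the output is only meaningful inside an existing CDATA section: as I read the core encoder, `forCDATA` neutralises the section terminator rather than making the value safe as general markup, so a page author who uses it outside a CDATA section gets no protection from it.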
@@ -0,0 +1,52 @@
+// Copyright (c) 2012 Jeff Ichnowski
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions
+// are met:
+//
+// * Redistributions of source code must retain the above
+// copyright notice, this list of conditions and the following
+// disclaimer.
+//
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials
+// provided with the distribution.
+//
+// * Neither the name of the OWASP nor the names of its
+// contributors may be used to endorse or promote products
+// derived from this software without specific prior written
+// permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+// OF THE POSSIBILITY OF SUCH DAMAGE.
+
+package org.owasp.encoder.tag;
+
+import java.io.IOException;
+import javax.servlet.jsp.JspException;
+import org.owasp.encoder.Encode;
+
+/**
+ * A tag to perform CSS encoding for CSS strings.
+ * This wraps the {@link org.owasp.encoder.Encode#forCssString(java.lang.String)}.
+ *
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public class ForCssStringTag extends EncodingTag {
+ @Override
+ public void doTag() throws JspException, IOException {
+ Encode.forCssString(getJspContext().getOut(), _value);
+ }
+}
diff --git a/jsp/src/main/java/org/owasp/encoder/tag/ForCssUrlTag.java b/jsp/src/main/java/org/owasp/encoder/tag/ForCssUrlTag.java
new file mode 100644
index 0000000..673a975
--- /dev/null
+++ b/jsp/src/main/java/org/owasp/encoder/tag/ForCssUrlTag.java
@@ -0,0 +1,52 @@
+// Copyright (c) 2012 Jeff Ichnowski
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions
+// are met:
+//
+// * Redistributions of source code must retain the above
+// copyright notice, this list of conditions and the following
+// disclaimer.
+//
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials
+// provided with the distribution.
+//
+// * Neither the name of the OWASP nor the names of its
+// contributors may be used to endorse or promote products
+// derived from this software without specific prior written
+// permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+// OF THE POSSIBILITY OF SUCH DAMAGE.
+
+package org.owasp.encoder.tag;
+
+import java.io.IOException;
+import javax.servlet.jsp.JspException;
+import org.owasp.encoder.Encode;
+
+/**
+ * A tag to perform CSS encoding for CSS URL contexts.
+ * This wraps the {@link org.owasp.encoder.Encode#forCssUrl(java.lang.String)}.
+ *
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public class ForCssUrlTag extends EncodingTag {
+ @Override
+ public void doTag() throws JspException, IOException {
+ Encode.forCssUrl(getJspContext().getOut(), _value);
+ }
+}
diff --git a/jsp/src/main/java/org/owasp/encoder/tag/ForHtmlAttributeTag.java b/jsp/src/main/java/org/owasp/encoder/tag/ForHtmlAttributeTag.java
new file mode 100644
index 0000000..866b933
--- /dev/null
+++ b/jsp/src/main/java/org/owasp/encoder/tag/ForHtmlAttributeTag.java
@@ -0,0 +1,52 @@
+// Copyright (c) 2012 Jeff Ichnowski
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions
+// are met:
+//
+// * Redistributions of source code must retain the above
+// copyright notice, this list of conditions and the following
+// disclaimer.
+//
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials
+// provided with the distribution.
+//
+// * Neither the name of the OWASP nor the names of its
+// contributors may be used to endorse or promote products
+// derived from this software without specific prior written
+// permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+// OF THE POSSIBILITY OF SUCH DAMAGE.
+
+package org.owasp.encoder.tag;
+
+import java.io.IOException;
+import javax.servlet.jsp.JspException;
+import org.owasp.encoder.Encode;
+
+/**
+ * A tag to perform HTML encoding for HTML text attributes.
+ * This wraps the {@link org.owasp.encoder.Encode#forHtmlAttribute(java.lang.String)}.
+ *
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public class ForHtmlAttributeTag extends EncodingTag {
+ @Override
+ public void doTag() throws JspException, IOException {
+ Encode.forHtmlAttribute(getJspContext().getOut(), _value);
+ }
+}
diff --git a/jsp/src/main/java/org/owasp/encoder/tag/ForHtmlContentTag.java b/jsp/src/main/java/org/owasp/encoder/tag/ForHtmlContentTag.java
new file mode 100644
index 0000000..9ebf3c7
--- /dev/null
+++ b/jsp/src/main/java/org/owasp/encoder/tag/ForHtmlContentTag.java
@@ -0,0 +1,52 @@
+// Copyright (c) 2012 Jeff Ichnowski
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions
+// are met:
+//
+// * Redistributions of source code must retain the above
+// copyright notice, this list of conditions and the following
+// disclaimer.
+//
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials
+// provided with the distribution.
+//
+// * Neither the name of the OWASP nor the names of its
+// contributors may be used to endorse or promote products
+// derived from this software without specific prior written
+// permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+// OF THE POSSIBILITY OF SUCH DAMAGE.
+
+package org.owasp.encoder.tag;
+
+import java.io.IOException;
+import javax.servlet.jsp.JspException;
+import org.owasp.encoder.Encode;
+
+/**
+ * A tag to perform HTML encoding for text content.
+ * This wraps the {@link org.owasp.encoder.Encode#forHtmlContent(java.lang.String)}.
+ *
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public class ForHtmlContentTag extends EncodingTag {
+ @Override
+ public void doTag() throws JspException, IOException {
+ Encode.forHtmlContent(getJspContext().getOut(), _value);
+ }
+}
diff --git a/jsp/src/main/java/org/owasp/encoder/tag/ForHtmlTag.java b/jsp/src/main/java/org/owasp/encoder/tag/ForHtmlTag.java
new file mode 100644
index 0000000..71c7d73
--- /dev/null
+++ b/jsp/src/main/java/org/owasp/encoder/tag/ForHtmlTag.java
@@ -0,0 +1,52 @@
+// Copyright (c) 2012 Jeff Ichnowski
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions
+// are met:
+//
+// * Redistributions of source code must retain the above
+// copyright notice, this list of conditions and the following
+// disclaimer.
+//
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials
+// provided with the distribution.
+//
+// * Neither the name of the OWASP nor the names of its
+// contributors may be used to endorse or promote products
+// derived from this software without specific prior written
+// permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+// OF THE POSSIBILITY OF SUCH DAMAGE.
+
+package org.owasp.encoder.tag;
+
+import java.io.IOException;
+import javax.servlet.jsp.JspException;
+import org.owasp.encoder.Encode;
+
+/**
+ * A tag to perform HTML encoding.
+ * This wraps the {@link org.owasp.encoder.Encode#forHtml(java.lang.String)}.
+ *
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public class ForHtmlTag extends EncodingTag {
+ @Override
+ public void doTag() throws JspException, IOException {
+ Encode.forHtml(getJspContext().getOut(), _value);
+ }
+}
diff --git a/jsp/src/main/java/org/owasp/encoder/tag/ForHtmlUnquotedAttributeTag.java b/jsp/src/main/java/org/owasp/encoder/tag/ForHtmlUnquotedAttributeTag.java
new file mode 100644
index 0000000..5b895f9
--- /dev/null
+++ b/jsp/src/main/java/org/owasp/encoder/tag/ForHtmlUnquotedAttributeTag.java
@@ -0,0 +1,52 @@
+// Copyright (c) 2012 Jeff Ichnowski
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions
+// are met:
+//
+// * Redistributions of source code must retain the above
+// copyright notice, this list of conditions and the following
+// disclaimer.
+//
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials
+// provided with the distribution.
+//
+// * Neither the name of the OWASP nor the names of its
+// contributors may be used to endorse or promote products
+// derived from this software without specific prior written
+// permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+// OF THE POSSIBILITY OF SUCH DAMAGE.
+
+package org.owasp.encoder.tag;
+
+import java.io.IOException;
+import javax.servlet.jsp.JspException;
+import org.owasp.encoder.Encode;
+
+/**
+ * A tag to perform HTML Attribute encoding for an unquoted attribute.
+ * This wraps the {@link org.owasp.encoder.Encode#forHtmlUnquotedAttribute(java.lang.String)}.
+ *
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public class ForHtmlUnquotedAttributeTag extends EncodingTag {
+ @Override
+ public void doTag() throws JspException, IOException {
+ Encode.forHtmlUnquotedAttribute(getJspContext().getOut(), _value);
+ }
+}
diff --git a/jsp/src/main/java/org/owasp/encoder/tag/ForJavaScriptAttributeTag.java b/jsp/src/main/java/org/owasp/encoder/tag/ForJavaScriptAttributeTag.java
new file mode 100644
index 0000000..71ff6b6
--- /dev/null
+++ b/jsp/src/main/java/org/owasp/encoder/tag/ForJavaScriptAttributeTag.java
@@ -0,0 +1,52 @@
+// Copyright (c) 2012 Jeff Ichnowski
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions
+// are met:
+//
+// * Redistributions of source code must retain the above
+// copyright notice, this list of conditions and the following
+// disclaimer.
+//
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials
+// provided with the distribution.
+//
+// * Neither the name of the OWASP nor the names of its
+// contributors may be used to endorse or promote products
+// derived from this software without specific prior written
+// permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+// OF THE POSSIBILITY OF SUCH DAMAGE.
+
+package org.owasp.encoder.tag;
+
+import java.io.IOException;
+import javax.servlet.jsp.JspException;
+import org.owasp.encoder.Encode;
+
+/**
+ * A tag to perform JavaScript Attribute encoding.
+ * This wraps the {@link org.owasp.encoder.Encode#forJavaScriptAttribute(java.lang.String)}.
+ *
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public class ForJavaScriptAttributeTag extends EncodingTag {
+ @Override
+ public void doTag() throws JspException, IOException {
+ Encode.forJavaScriptAttribute(getJspContext().getOut(), _value);
+ }
+}
diff --git a/jsp/src/main/java/org/owasp/encoder/tag/ForJavaScriptBlockTag.java b/jsp/src/main/java/org/owasp/encoder/tag/ForJavaScriptBlockTag.java
new file mode 100644
index 0000000..439f963
--- /dev/null
+++ b/jsp/src/main/java/org/owasp/encoder/tag/ForJavaScriptBlockTag.java
@@ -0,0 +1,52 @@
+// Copyright (c) 2012 Jeff Ichnowski
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions
+// are met:
+//
+// * Redistributions of source code must retain the above
+// copyright notice, this list of conditions and the following
+// disclaimer.
+//
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials
+// provided with the distribution.
+//
+// * Neither the name of the OWASP nor the names of its
+// contributors may be used to endorse or promote products
+// derived from this software without specific prior written
+// permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+// OF THE POSSIBILITY OF SUCH DAMAGE.
+
+package org.owasp.encoder.tag;
+
+import java.io.IOException;
+import javax.servlet.jsp.JspException;
+import org.owasp.encoder.Encode;
+
+/**
+ * A tag to perform JavaScript Block encoding.
+ * This wraps the {@link org.owasp.encoder.Encode#forJavaScriptBlock(java.lang.String)}.
+ *
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public class ForJavaScriptBlockTag extends EncodingTag {
+ @Override
+ public void doTag() throws JspException, IOException {
+ Encode.forJavaScriptBlock(getJspContext().getOut(), _value);
+ }
+}
diff --git a/jsp/src/main/java/org/owasp/encoder/tag/ForJavaScriptSourceTag.java b/jsp/src/main/java/org/owasp/encoder/tag/ForJavaScriptSourceTag.java
new file mode 100644
index 0000000..4b6b3b1
--- /dev/null
+++ b/jsp/src/main/java/org/owasp/encoder/tag/ForJavaScriptSourceTag.java
@@ -0,0 +1,52 @@
+// Copyright (c) 2012 Jeff Ichnowski
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions
+// are met:
+//
+// * Redistributions of source code must retain the above
+// copyright notice, this list of conditions and the following
+// disclaimer.
+//
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials
+// provided with the distribution.
+//
+// * Neither the name of the OWASP nor the names of its
+// contributors may be used to endorse or promote products
+// derived from this software without specific prior written
+// permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+// OF THE POSSIBILITY OF SUCH DAMAGE.
+
+package org.owasp.encoder.tag;
+
+import java.io.IOException;
+import javax.servlet.jsp.JspException;
+import org.owasp.encoder.Encode;
+
+/**
+ * A tag to perform JavaScript Source encoding.
+ * This wraps the {@link org.owasp.encoder.Encode#forJavaScriptSource(java.lang.String)}.
+ *
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public class ForJavaScriptSourceTag extends EncodingTag {
+ @Override
+ public void doTag() throws JspException, IOException {
+ Encode.forJavaScriptSource(getJspContext().getOut(), _value);
+ }
+}
diff --git a/jsp/src/main/java/org/owasp/encoder/tag/ForJavaScriptTag.java b/jsp/src/main/java/org/owasp/encoder/tag/ForJavaScriptTag.java
new file mode 100644
index 0000000..c3edc17
--- /dev/null
+++ b/jsp/src/main/java/org/owasp/encoder/tag/ForJavaScriptTag.java
@@ -0,0 +1,52 @@
+// Copyright (c) 2012 Jeff Ichnowski
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions
+// are met:
+//
+// * Redistributions of source code must retain the above
+// copyright notice, this list of conditions and the following
+// disclaimer.
+//
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials
+// provided with the distribution.
+//
+// * Neither the name of the OWASP nor the names of its
+// contributors may be used to endorse or promote products
+// derived from this software without specific prior written
+// permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+// OF THE POSSIBILITY OF SUCH DAMAGE.
+
+package org.owasp.encoder.tag;
+
+import java.io.IOException;
+import javax.servlet.jsp.JspException;
+import org.owasp.encoder.Encode;
+
+/**
+ * A tag to perform JavaScript encoding.
+ * This wraps the {@link org.owasp.encoder.Encode#forJavaScript(java.lang.String)}.
+ *
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public class ForJavaScriptTag extends EncodingTag {
+ @Override
+ public void doTag() throws JspException, IOException {
+ Encode.forJavaScript(getJspContext().getOut(), _value);
+ }
+}
diff --git a/jsp/src/main/java/org/owasp/encoder/tag/ForUriComponentTag.java b/jsp/src/main/java/org/owasp/encoder/tag/ForUriComponentTag.java
new file mode 100644
index 0000000..ab1552e
--- /dev/null
+++ b/jsp/src/main/java/org/owasp/encoder/tag/ForUriComponentTag.java
@@ -0,0 +1,53 @@
+// Copyright (c) 2012 Jeff Ichnowski
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions
+// are met:
+//
+// * Redistributions of source code must retain the above
+// copyright notice, this list of conditions and the following
+// disclaimer.
+//
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials
+// provided with the distribution.
+//
+// * Neither the name of the OWASP nor the names of its
+// contributors may be used to endorse or promote products
+// derived from this software without specific prior written
+// permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+// OF THE POSSIBILITY OF SUCH DAMAGE.
+
+package org.owasp.encoder.tag;
+
+import java.io.IOException;
+import javax.servlet.jsp.JspException;
+import org.owasp.encoder.Encode;
+
+/**
+ * A tag that performs percent-encoding for a component of a URI, such as a query
+ * parameter name or value, path, or query-string.
+ * This wraps the {@link org.owasp.encoder.Encode#forUriComponent(java.lang.String)}.
+ *
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public class ForUriComponentTag extends EncodingTag {
+ @Override
+ public void doTag() throws JspException, IOException {
+ Encode.forUriComponent(getJspContext().getOut(), _value);
+ }
+}
diff --git a/jsp/src/main/java/org/owasp/encoder/tag/ForUriTag.java b/jsp/src/main/java/org/owasp/encoder/tag/ForUriTag.java
new file mode 100644
index 0000000..9b975f5
--- /dev/null
+++ b/jsp/src/main/java/org/owasp/encoder/tag/ForUriTag.java
@@ -0,0 +1,52 @@
+// Copyright (c) 2012 Jeff Ichnowski
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions
+// are met:
+//
+// * Redistributions of source code must retain the above
+// copyright notice, this list of conditions and the following
+// disclaimer.
+//
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials
+// provided with the distribution.
+//
+// * Neither the name of the OWASP nor the names of its
+// contributors may be used to endorse or promote products
+// derived from this software without specific prior written
+// permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+// OF THE POSSIBILITY OF SUCH DAMAGE.
+
+package org.owasp.encoder.tag;
+
+import java.io.IOException;
+import javax.servlet.jsp.JspException;
+import org.owasp.encoder.Encode;
+
+/**
+ * A tag to perform percent-encoding of a URL according to RFC 3986.
+ * This wraps the {@link org.owasp.encoder.Encode#forUri(java.lang.String)}.
+ *
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public class ForUriTag extends EncodingTag {
+ @Override
+ public void doTag() throws JspException, IOException {
+ Encode.forUri(getJspContext().getOut(), _value);
+ }
+}
diff --git a/jsp/src/main/java/org/owasp/encoder/tag/ForXmlAttributeTag.java b/jsp/src/main/java/org/owasp/encoder/tag/ForXmlAttributeTag.java
new file mode 100644
index 0000000..e2820d9
--- /dev/null
+++ b/jsp/src/main/java/org/owasp/encoder/tag/ForXmlAttributeTag.java
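Review bot: The ForUriTag Javadoc omits the caveat that the TLD description for forUri in this same commit spells out: the value is assumed to be a valid URL, nothing about its quality or safety is checked, and a `javascript:` URL supplied by a user would be "properly" escaped and still execute, which makes this a particularly dangerous context for untrusted data. The class is what a JSP developer sees in an IDE, so the warning belongs here as well as in the descriptor. Suggest adding after the `{@link}` sentence: `* Note: the URL is not validated, only escaped; an unsafe scheme survives encoding, so validate scheme and host by other means (e.g. java.net.URI) before writing the value into a link.`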
@@ -0,0 +1,52 @@
+// Copyright (c) 2012 Jeff Ichnowski
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions
+// are met:
+//
+// * Redistributions of source code must retain the above
+// copyright notice, this list of conditions and the following
+// disclaimer.
+//
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials
+// provided with the distribution.
+//
+// * Neither the name of the OWASP nor the names of its
+// contributors may be used to endorse or promote products
+// derived from this software without specific prior written
+// permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+// OF THE POSSIBILITY OF SUCH DAMAGE.
+
+package org.owasp.encoder.tag;
+
+import java.io.IOException;
+import javax.servlet.jsp.JspException;
+import org.owasp.encoder.Encode;
+
+/**
+ * A tag to perform XML Attribute Encoding.
+ * This wraps the {@link org.owasp.encoder.Encode#forXmlAttribute(java.lang.String)}.
+ *
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public class ForXmlAttributeTag extends EncodingTag {
+ @Override
+ public void doTag() throws JspException, IOException {
+ Encode.forXmlAttribute(getJspContext().getOut(), _value);
+ }
+}
diff --git a/jsp/src/main/java/org/owasp/encoder/tag/ForXmlCommentTag.java b/jsp/src/main/java/org/owasp/encoder/tag/ForXmlCommentTag.java
new file mode 100644
index 0000000..fd3e0d5
--- /dev/null
+++ b/jsp/src/main/java/org/owasp/encoder/tag/ForXmlCommentTag.java
@@ -0,0 +1,52 @@
+// Copyright (c) 2012 Jeff Ichnowski
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions
+// are met:
+//
+// * Redistributions of source code must retain the above
+// copyright notice, this list of conditions and the following
+// disclaimer.
+//
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials
+// provided with the distribution.
+//
+// * Neither the name of the OWASP nor the names of its
+// contributors may be used to endorse or promote products
+// derived from this software without specific prior written
+// permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+// OF THE POSSIBILITY OF SUCH DAMAGE.
+
+package org.owasp.encoder.tag;
+
+import java.io.IOException;
+import javax.servlet.jsp.JspException;
+import org.owasp.encoder.Encode;
+
+/**
+ * A tag to perform XML Comment Encoding.
+ * This wraps the {@link org.owasp.encoder.Encode#forXmlAttribute(java.lang.String)}.
+ *
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public class ForXmlCommentTag extends EncodingTag {
+ @Override
+ public void doTag() throws JspException, IOException {
+ Encode.forXmlComment(getJspContext().getOut(), _value);
+ }
+}
diff --git a/jsp/src/main/java/org/owasp/encoder/tag/ForXmlContentTag.java b/jsp/src/main/java/org/owasp/encoder/tag/ForXmlContentTag.java
new file mode 100644
index 0000000..c5540ef
--- /dev/null
+++ b/jsp/src/main/java/org/owasp/encoder/tag/ForXmlContentTag.java
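Review bot: The class Javadoc on ForXmlCommentTag links to `Encode#forXmlAttribute(java.lang.String)` while doTag calls `Encode.forXmlComment`, so the generated documentation names the wrong encoder; the same copy-paste slip is in ForXmlContentTag in the next hunk, whose link also names forXmlAttribute while its doTag calls forXmlContent. Change the line here to `* This wraps the {@link org.owasp.encoder.Encode#forXmlComment(java.lang.String)}.` and the counterpart there to `forXmlContent`. Because the TLD description for forXmlComment in this commit marks it NOT FOR USE WITH (X)HTML CONTEXTS, the Javadoc would also benefit from repeating that restriction, so that a JSP author browsing the tag classes does not pick it for an HTML comment.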
@@ -0,0 +1,52 @@
+// Copyright (c) 2012 Jeff Ichnowski
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions
+// are met:
+//
+// * Redistributions of source code must retain the above
+// copyright notice, this list of conditions and the following
+// disclaimer.
+//
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials
+// provided with the distribution.
+//
+// * Neither the name of the OWASP nor the names of its
+// contributors may be used to endorse or promote products
+// derived from this software without specific prior written
+// permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+// OF THE POSSIBILITY OF SUCH DAMAGE.
+
+package org.owasp.encoder.tag;
+
+import java.io.IOException;
+import javax.servlet.jsp.JspException;
+import org.owasp.encoder.Encode;
+
+/**
+ * A tag to perform XML Content Encoding.
+ * This wraps the {@link org.owasp.encoder.Encode#forXmlAttribute(java.lang.String)}.
+ *
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public class ForXmlContentTag extends EncodingTag {
+ @Override
+ public void doTag() throws JspException, IOException {
+ Encode.forXmlContent(getJspContext().getOut(), _value);
+ }
+}
diff --git a/jsp/src/main/java/org/owasp/encoder/tag/ForXmlTag.java b/jsp/src/main/java/org/owasp/encoder/tag/ForXmlTag.java
new file mode 100644
index 0000000..ea9ebea
--- /dev/null
+++ b/jsp/src/main/java/org/owasp/encoder/tag/ForXmlTag.java
@@ -0,0 +1,52 @@
+// Copyright (c) 2012 Jeff Ichnowski
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions
+// are met:
+//
+// * Redistributions of source code must retain the above
+// copyright notice, this list of conditions and the following
+// disclaimer.
+//
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials
+// provided with the distribution.
+//
+// * Neither the name of the OWASP nor the names of its
+// contributors may be used to endorse or promote products
+// derived from this software without specific prior written
+// permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+// OF THE POSSIBILITY OF SUCH DAMAGE.
+
+package org.owasp.encoder.tag;
+
+import java.io.IOException;
+import javax.servlet.jsp.JspException;
+import org.owasp.encoder.Encode;
+
+/**
+ * A tag to perform XML Encoding.
+ * This wraps the {@link org.owasp.encoder.Encode#forXml(java.lang.String)}.
+ *
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public class ForXmlTag extends EncodingTag {
+ @Override
+ public void doTag() throws JspException, IOException {
+ Encode.forXml(getJspContext().getOut(), _value);
+ }
+}
diff --git a/jsp/src/main/resources/META-INF/LICENSE b/jsp/src/main/resources/META-INF/LICENSE
new file mode 100644
index 0000000..f66c375
--- /dev/null
+++ b/jsp/src/main/resources/META-INF/LICENSE
@@ -0,0 +1,33 @@
+Copyright (c) 2015 Jeff Ichnowski
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+
+ * Redistributions of source code must retain the above
+ copyright notice, this list of conditions and the following
+ disclaimer.
+
+ * Redistributions in binary form must reproduce the above
+ copyright notice, this list of conditions and the following
+ disclaimer in the documentation and/or other materials
+ provided with the distribution.
+
+ * Neither the name of the OWASP nor the names of its
+ contributors may be used to endorse or promote products
+ derived from this software without specific prior written
+ permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+OF THE POSSIBILITY OF SUCH DAMAGE.
\ No newline at end of file
diff --git a/jsp/src/main/resources/META-INF/java-encoder-advanced.tld b/jsp/src/main/resources/META-INF/java-encoder-advanced.tld
new file mode 100644
index 0000000..becab48
--- /dev/null
+++ b/jsp/src/main/resources/META-INF/java-encoder-advanced.tld
@@ -0,0 +1,560 @@ +<?xml version="1.0" encoding="UTF-8" ?> +<taglib version="2.1" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-jsptaglibrary_2_1.xsd" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> + <display-name>OWASP Java Encoder Project</display-name> + <tlib-version>1.0</tlib-version> + <short-name>java-encoder</short-name> + <uri>https://www.owasp.org/index.php/OWASP_Java_Encoder_Project#advanced</uri> + <tag> + <description> + Encodes data for an XML CDATA section. On the chance that the input + contains a terminating + "]]&gt;", it will be replaced by + &quot;]]&gt;]]&lt;![CDATA[&gt;&quot;. + As with all XML contexts, characters that are invalid according to the + XML specification will be replaced by a space character. Caller must + provide the CDATA section boundaries. + </description> + <display-name>forCDATA</display-name> + <name>forCDATA</name> + <tag-class>org.owasp.encoder.tag.ForCDATATag</tag-class> + <body-content>empty</body-content> + <attribute> + <description>The value to be written out</description> + <name>value</name> + <required>true</required> + <rtexprvalue>true</rtexprvalue> + <type>java.lang.String</type> + </attribute> + </tag> + <tag> + <description> + This method encodes for HTML text content. It does not escape + quotation characters and is thus unsafe for use with + HTML attributes. Use either forHtml or forHtmlAttribute for those + methods. 
+ </description> + <display-name>forHtmlContent</display-name> + <name>forHtmlContent</name> + <tag-class>org.owasp.encoder.tag.ForHtmlContentTag</tag-class> + <body-content>empty</body-content> + <attribute> + <description>value to be written out</description> + <name>value</name> + <required>true</required> + <rtexprvalue>true</rtexprvalue> + <type>java.lang.String</type> + </attribute> + </tag> + <tag> + <description>Encodes for XML and XHTML attribute content.</description> + <display-name>forXmlAttribute</display-name> + <name>forXmlAttribute</name> + <tag-class>org.owasp.encoder.tag.ForXmlAttributeTag</tag-class> + <body-content>empty</body-content> + <attribute> + <description>value to be written out</description> + <name>value</name> + <required>true</required> + <rtexprvalue>true</rtexprvalue> + <type>java.lang.String</type> + </attribute> + </tag> + <tag> + <description>Encodes for XML and XHTML.</description> + <display-name>forXml</display-name> + <name>forXml</name> + <tag-class>org.owasp.encoder.tag.ForXmlTag</tag-class> + <body-content>empty</body-content> + <attribute> + <description>value to be written out</description> + <name>value</name> + <required>true</required> + <rtexprvalue>true</rtexprvalue> + <type>java.lang.String</type> + </attribute> + </tag> + <tag> + <description> + Encodes for a JavaScript string. It is safe for use in HTML + script attributes (such as onclick), script + blocks, JSON files, and JavaScript source. The caller MUST + provide the surrounding quotation characters for the string. + Since this performs additional encoding so it can work in all + of the JavaScript contexts listed, it may be slightly less + efficient then using one of the methods targetted to a specific + JavaScript context: forJavaScriptAttribute, + forJavaScriptBlock, or forJavaScriptSource. 
+ + Unless you are interested in saving a few bytes of output or + are writing a framework on top of this library, it is recommend + that you use this method over the others. + </description> + <display-name>forJavaScript</display-name> + <name>forJavaScript</name> + <tag-class>org.owasp.encoder.tag.ForJavaScriptTag</tag-class> + <body-content>empty</body-content> + <attribute> + <description>value to be written out</description> + <name>value</name> + <required>true</required> + <rtexprvalue>true</rtexprvalue> + <type>java.lang.String</type> + </attribute> + </tag> + <tag> + <description> + This method encodes for JavaScript strings contained within + HTML script attributes (such as onclick). It is + NOT safe for use in script blocks. The caller MUST provide the + surrounding quotation characters. This method performs the + same encode as Encode.forJavaScript(String) with the + exception that / is not escaped. + </description> + <display-name>forJavaScriptAttribute</display-name> + <name>forJavaScriptAttribute</name> + <tag-class>org.owasp.encoder.tag.ForJavaScriptAttributeTag</tag-class> + <body-content>empty</body-content> + <attribute> + <description>value to be written out</description> + <name>value</name> + <required>true</required> + <rtexprvalue>true</rtexprvalue> + <type>java.lang.String</type> + </attribute> + </tag> + <tag> + <description> + This method encodes for JavaScript strings contained within + HTML script blocks. It is NOT safe for use in script + attributes (such as onclick). The caller must + provide the surrounding quotation characters. This method + performs the same encode as Encode.forJavaScript(String)} with + the exception that " and ' are encoded as \" and \' respectively. 
+ </description> + <display-name>forJavaScriptBlock</display-name> + <name>forJavaScriptBlock</name> + <tag-class>org.owasp.encoder.tag.ForJavaScriptBlockTag</tag-class> + <body-content>empty</body-content> + <attribute> + <description>value to be written out</description> + <name>value</name> + <required>true</required> + <rtexprvalue>true</rtexprvalue> + <type>java.lang.String</type> + </attribute> + </tag> + <tag> + <description> + This method encodes for JavaScript strings contained within + a JavaScript or JSON file. This method is NOT safe for + use in ANY context embedded in HTML. The caller must + provide the surrounding quotation characters. This method + performs the same encode as Encode.forJavaScript(String) with + the exception that / and & are not escaped and " and ' are + encoded as \" and \' respectively. + </description> + <display-name>forJavaScriptSource</display-name> + <name>forJavaScriptSource</name> + <tag-class>org.owasp.encoder.tag.ForJavaScriptSourceTag</tag-class> + <body-content>empty</body-content> + <attribute> + <description>value to be written out</description> + <name>value</name> + <required>true</required> + <rtexprvalue>true</rtexprvalue> + <type>java.lang.String</type> + </attribute> + </tag> + <tag> + <description> + Encodes for unquoted HTML attribute values. forHtml(String) or + forHtmlAttribute(String) should usually be preferred over this + method as quoted attributes are XHTML compliant. + </description> + <display-name>forHtmlUnquotedAttribute</display-name> + <name>forHtmlUnquotedAttribute</name> + <tag-class>org.owasp.encoder.tag.ForHtmlUnquotedAttributeTag</tag-class> + <body-content>empty</body-content> + <attribute> + <description>value to be written out</description> + <name>value</name> + <required>true</required> + <rtexprvalue>true</rtexprvalue> + <type>java.lang.String</type> + </attribute> + </tag> + <tag> + <description> + Performs percent-encoding of a URL according to RFC 3986. 
The provided + URL is assumed to a valid URL. This method does not do any checking on + the quality or safety of the URL itself. In many applications it may + be better to use java.net.URI instead. Note: this is a + particularly dangerous context to put untrusted content in, as for + example a "javascript:" URL provided by a malicious user would be + "properly" escaped, and still execute. + </description> + <display-name>forUri</display-name> + <name>forUri</name> + <tag-class>org.owasp.encoder.tag.ForUriTag</tag-class> + <body-content>empty</body-content> + <attribute> + <description>value to be written out</description> + <name>value</name> + <required>true</required> + <rtexprvalue>true</rtexprvalue> + <type>java.lang.String</type> + </attribute> + </tag> + <tag> + <description> + Encodes for CSS URL contexts. The context must be surrounded by "url()". It + is safe for use in both style blocks and attributes in HTML. Note: this does + not do any checking on the quality or safety of the URL itself. The caller + should insure that the URL is safe for embedding (e.g. input validation) by + other means. + </description> + <display-name>forCssUrl</display-name> + <name>forCssUrl</name> + <tag-class>org.owasp.encoder.tag.ForCssUrlTag</tag-class> + <body-content>empty</body-content> + <attribute> + <description>value to be written out</description> + <name>value</name> + <required>true</required> + <rtexprvalue>true</rtexprvalue> + <type>java.lang.String</type> + </attribute> + </tag> + <tag> + <description> + Encoder for XML comments. NOT FOR USE WITH (X)HTML CONTEXTS. + (X)HTML comments may be interpreted by browsers as something + other than a comment, typically in vendor specific extensions + (e.g. &lt;--if[IE]--&gt;. + For (X)HTML it is recommend that unsafe content never be included + in a comment. 
+ </description> + <display-name>forXmlComment</display-name> + <name>forXmlComment</name> + <tag-class>org.owasp.encoder.tag.ForXmlCommentTag</tag-class> + <body-content>empty</body-content> + <attribute> + <description>value to be written out</description> + <name>value</name> + <required>true</required> + <rtexprvalue>true</rtexprvalue> + <type>java.lang.String</type> + </attribute> + </tag> + <tag> + <description>Encodes for HTML text attributes.</description> + <display-name>forHtmlAttribute</display-name> + <name>forHtmlAttribute</name> + <tag-class>org.owasp.encoder.tag.ForHtmlAttributeTag</tag-class> + <body-content>empty</body-content> + <attribute> + <description>value to be written out</description> + <name>value</name> + <required>true</required> + <rtexprvalue>true</rtexprvalue> + <type>java.lang.String</type> + </attribute> + </tag> + <tag> + <description> + Encodes for (X)HTML text content and text attributes. + </description> + <display-name>forHtml</display-name> + <name>forHtml</name> + <tag-class>org.owasp.encoder.tag.ForHtmlTag</tag-class> + <body-content>empty</body-content> + <attribute> + <description>value to be written out</description> + <name>value</name> + <required>true</required> + <rtexprvalue>true</rtexprvalue> + <type>java.lang.String</type> + </attribute> + </tag> + <tag> + <description> + Encodes for HTML text content. It does not escape + quotation characters and is thus unsafe for use with + HTML attributes. Use either forHtml or forHtmlAttribute for those + methods. 
+ </description> + <display-name>forXmlContent</display-name> + <name>forXmlContent</name> + <tag-class>org.owasp.encoder.tag.ForXmlContentTag</tag-class> + <body-content>empty</body-content> + <attribute> + <description>value to be written out</description> + <name>value</name> + <required>true</required> + <rtexprvalue>true</rtexprvalue> + <type>java.lang.String</type> + </attribute> + </tag> + <tag> + <description> + Performs percent-encoding for a component of a URI, such as a query + parameter name or value, path or query-string. In particular this + method insures that special characters in the component do not get + interpreted as part of another component. + </description> + <display-name>forUriComponent</display-name> + <name>forUriComponent</name> + <tag-class>org.owasp.encoder.tag.ForUriComponentTag</tag-class> + <body-content>empty</body-content> + <attribute> + <description>value to be written out</description> + <name>value</name> + <required>true</required> + <rtexprvalue>true</rtexprvalue> + <type>java.lang.String</type> + </attribute> + </tag> + <tag> + <description> + Encodes for CSS strings. The context must be surrounded by quotation characters. + It is safe for use in both style blocks and attributes in HTML. + </description> + <display-name>forCssString</display-name> + <name>forCssString</name> + <tag-class>org.owasp.encoder.tag.ForCssStringTag</tag-class> + <body-content>empty</body-content> + <attribute> + <description>value to be written out</description> + <name>value</name> + <required>true</required> + <rtexprvalue>true</rtexprvalue> + <type>java.lang.String</type> + </attribute> + </tag> + <function> + <description> + Encodes for (X)HTML text content and text attributes. 
+ </description> + <display-name>forHtml</display-name> + <name>forHtml</name> + <function-class>org.owasp.encoder.Encode</function-class> + <function-signature>java.lang.String forHtml(java.lang.String)</function-signature> + <example>forHtml(unsafeData)</example> + </function> + <function> + <description> + This method encodes for HTML text content. It does not escape + quotation characters and is thus unsafe for use with + HTML attributes. Use either forHtml or forHtmlAttribute for those + methods. + </description> + <display-name>forHtmlContent</display-name> + <name>forHtmlContent</name> + <function-class>org.owasp.encoder.Encode</function-class> + <function-signature>java.lang.String forHtmlContent(java.lang.String)</function-signature> + <example>forHtmlContent(unsafeData)</example> + </function> + <function> + <description>Encodes for HTML text attributes.</description> + <name>forHtmlAttribute</name> + <function-class>org.owasp.encoder.Encode</function-class> + <function-signature>java.lang.String forHtmlAttribute(java.lang.String)</function-signature> + <example>forHtmlAttribute(unsafeData)</example> + </function> + <function> + <description> + Encodes for unquoted HTML attribute values. forHtml(String) or + forHtmlAttribute(String) should usually be preferred over this + method as quoted attributes are XHTML compliant. + </description> + <display-name>forHtmlUnquotedAttribute</display-name> + <name>forHtmlUnquotedAttribute</name> + <function-class>org.owasp.encoder.Encode</function-class> + <function-signature>java.lang.String forHtmlUnquotedAttribute(java.lang.String)</function-signature> + <example>forHtmlUnquotedAttribute(unsafeData)</example> + </function> + <function> + <description> + Encodes for CSS strings. The context must be surrounded by quotation characters. + It is safe for use in both style blocks and attributes in HTML. 
+ </description> + <display-name>forCssString</display-name> + <name>forCssString</name> + <function-class>org.owasp.encoder.Encode</function-class> + <function-signature>java.lang.String forCssString(java.lang.String)</function-signature> + <example>forCssString(unsafeData)</example> + </function> + <function> + <description> + Encodes for CSS URL contexts. The context must be surrounded by "url()". It + is safe for use in both style blocks and attributes in HTML. Note: this does + not do any checking on the quality or safety of the URL itself. The caller + should insure that the URL is safe for embedding (e.g. input validation) by + other means. + </description> + <display-name>forCssUrl</display-name> + <name>forCssUrl</name> + <function-class>org.owasp.encoder.Encode</function-class> + <function-signature>java.lang.String forCssUrl(java.lang.String)</function-signature> + <example>forCssUrl(unsafeData)</example> + </function> + <function> + <description> + Performs percent-encoding of a URL according to RFC 3986. The provided + URL is assumed to a valid URL. This method does not do any checking on + the quality or safety of the URL itself. In many applications it may + be better to use java.net.URI instead. Note: this is a + particularly dangerous context to put untrusted content in, as for + example a "javascript:" URL provided by a malicious user would be + "properly" escaped, and still execute. + </description> + <display-name>forUri</display-name> + <name>forUri</name> + <function-class>org.owasp.encoder.Encode</function-class> + <function-signature>java.lang.String forUri(java.lang.String)</function-signature> + <example>forUri(unsafeData)</example> + </function> + <function> + <description> + Performs percent-encoding for a component of a URI, such as a query + parameter name or value, path or query-string. In particular this + method insures that special characters in the component do not get + interpreted as part of another component. 
+ </description>
+ <display-name>forUriComponent</display-name>
+ <name>forUriComponent</name>
+ <function-class>org.owasp.encoder.Encode</function-class>
+ <function-signature>java.lang.String forUriComponent(java.lang.String)</function-signature>
+ <example>forUriComponent(unsafeData)</example>
+ </function>
+ <function>
+ <description>Encodes for XML and XHTML.</description>
+ <display-name>forXml</display-name>
+ <name>forXml</name>
+ <function-class>org.owasp.encoder.Encode</function-class>
+ <function-signature>java.lang.String forXml(java.lang.String)</function-signature>
+ <example>forXml(unsafeData)</example>
+ </function>
+ <function>
+ <description>
+ Encodes for HTML text content. It does not escape
+ quotation characters and is thus unsafe for use with
+ HTML attributes. Use either forHtml or forHtmlAttribute for those
+ methods.
+ </description>
+ <display-name>forXmlContent</display-name>
+ <name>forXmlContent</name>
+ <function-class>org.owasp.encoder.Encode</function-class>
+ <function-signature>java.lang.String forXmlContent(java.lang.String)</function-signature>
+ <example>forXmlContent(unsafeData)</example>
+ </function>
+ <function>
+ <description>Encodes for XML and XHTML attribute content.</description>
+ <display-name>forXmlAttribute</display-name>
+ <name>forXmlAttribute</name>
+ <function-class>org.owasp.encoder.Encode</function-class>
+ <function-signature>java.lang.String forXmlAttribute(java.lang.String)</function-signature>
+ <example>forXmlAttribute(unsafeData)</example>
+ </function>
+ <function>
+ <description>
+ Encoder for XML comments. NOT FOR USE WITH (X)HTML CONTEXTS.
+ (X)HTML comments may be interpreted by browsers as something
+ other than a comment, typically in vendor specific extensions
+ (e.g. &lt;--if[IE]--&gt;.
+ For (X)HTML it is recommend that unsafe content never be included
+ in a comment.
+ </description>
+ <name>forXmlComment</name>
+ <function-class>org.owasp.encoder.Encode</function-class>
+ <function-signature>java.lang.String forXmlComment(java.lang.String)</function-signature>
+ <example>forXmlComment(unsafeData)</example>
+ </function>
+ <function>
+ <description>
+ Encodes data for an XML CDATA section. On the chance that the input
+ contains a terminating
+ "]]&gt;", it will be replaced by
+ &quot;]]&gt;]]&lt;![CDATA[&gt;&quot;.
+ As with all XML contexts, characters that are invalid according to the
+ XML specification will be replaced by a space character. Caller must
+ provide the CDATA section boundaries.
+ </description>
+ <display-name>forCDATA</display-name>
+ <name>forCDATA</name>
+ <function-class>org.owasp.encoder.Encode</function-class>
+ <function-signature>java.lang.String forCDATA(java.lang.String)</function-signature>
+ <example>forCDATA(unsafeData)</example>
+ </function>
+ <function>
+ <description>
+ Encodes for a JavaScript string. It is safe for use in HTML
+ script attributes (such as onclick), script
+ blocks, JSON files, and JavaScript source. The caller MUST
+ provide the surrounding quotation characters for the string.
+ Since this performs additional encoding so it can work in all
+ of the JavaScript contexts listed, it may be slightly less
+ efficient then using one of the methods targetted to a specific
+ JavaScript context: forJavaScriptAttribute,
+ forJavaScriptBlock, or forJavaScriptSource.
+
+ Unless you are interested in saving a few bytes of output or
+ are writing a framework on top of this library, it is recommend
+ that you use this method over the others.
+ </description>
+ <display-name>forJavaScript</display-name>
+ <name>forJavaScript</name>
+ <function-class>org.owasp.encoder.Encode</function-class>
+ <function-signature>java.lang.String forJavaScript(java.lang.String)</function-signature>
+ <example>forJavaScript(unsafeData)</example>
+ </function>
+ <function>
+ <description>
+ This method encodes for JavaScript strings contained within
+ HTML script attributes (such as onclick). It is
+ NOT safe for use in script blocks. The caller MUST provide the
+ surrounding quotation characters. This method performs the
+ same encode as Encode.forJavaScript(String) with the
+ exception that / is not escaped.
+ </description>
+ <display-name>forJavaScriptAttribute</display-name>
+ <name>forJavaScriptAttribute</name>
+ <function-class>org.owasp.encoder.Encode</function-class>
+ <function-signature>java.lang.String forJavaScriptAttribute(java.lang.String)</function-signature>
+ <example>forJavaScriptAttribute(unsafeData)</example>
+ </function>
+ <function>
+ <description>
+ This method encodes for JavaScript strings contained within
+ HTML script blocks. It is NOT safe for use in script
+ attributes (such as onclick). The caller must
+ provide the surrounding quotation characters. This method
+ performs the same encode as Encode.forJavaScript(String)} with
+ the exception that " and ' are encoded as \" and \' respectively.
+ </description>
+ <display-name>forJavaScriptBlock</display-name>
+ <name>forJavaScriptBlock</name>
+ <function-class>org.owasp.encoder.Encode</function-class>
+ <function-signature>java.lang.String forJavaScriptBlock(java.lang.String)</function-signature>
+ <example>forJavaScriptBlock(unsafeData)</example>
+ </function>
+ <function>
+ <description>
+ This method encodes for JavaScript strings contained within
+ a JavaScript or JSON file. This method is NOT safe for
+ use in ANY context embedded in HTML. The caller must
+ provide the surrounding quotation characters. This method
+ performs the same encode as Encode.forJavaScript(String) with
+ the exception that / and & are not escaped and " and ' are
+ encoded as \" and \' respectively.
+ </description>
+ <display-name>forJavaScriptSource</display-name>
+ <name>forJavaScriptSource</name>
+ <function-class>org.owasp.encoder.Encode</function-class>
+ <function-signature>java.lang.String forJavaScriptSource(java.lang.String)</function-signature>
+ <example>
+ <%@page contentType="text/javascript; charset=UTF-8"%>
+ var data = '${forJavaScriptSource(unsafeData)}';
+ </example>
+ </function>
+</taglib>
\ No newline at end of file
diff --git a/jsp/src/main/resources/META-INF/java-encoder.tld b/jsp/src/main/resources/META-INF/java-encoder.tld
new file mode 100644
index 0000000..b761de0
--- /dev/null
+++ b/jsp/src/main/resources/META-INF/java-encoder.tld
@@ -0,0 +1,403 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<taglib version="2.1" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-jsptaglibrary_2_1.xsd" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+ <display-name>OWASP Java Encoder Project</display-name>
+ <tlib-version>1.0</tlib-version>
+ <short-name>java-encoder</short-name>
+ <uri>https://www.owasp.org/index.php/OWASP_Java_Encoder_Project</uri>
+ <tag>
+ <description>
+ Encodes data for an XML CDATA section. On the chance that the input
+ contains a terminating
+ "]]&gt;", it will be replaced by
+ &quot;]]&gt;]]&lt;![CDATA[&gt;&quot;.
+ As with all XML contexts, characters that are invalid according to the
+ XML specification will be replaced by a space character. Caller must
+ provide the CDATA section boundaries.
+ </description>
+ <display-name>forCDATA</display-name>
+ <name>forCDATA</name>
+ <tag-class>org.owasp.encoder.tag.ForCDATATag</tag-class>
+ <body-content>empty</body-content>
+ <attribute>
+ <description>The value to be written out</description>
+ <name>value</name>
+ <required>true</required>
+ <rtexprvalue>true</rtexprvalue>
+ <type>java.lang.String</type>
+ </attribute>
+ </tag>
+ <tag>
+ <description>
+ This method encodes for HTML text content. It does not escape
+ quotation characters and is thus unsafe for use with
+ HTML attributes. Use either forHtml or forHtmlAttribute for those
+ methods.
+ </description>
+ <display-name>forHtmlContent</display-name>
+ <name>forHtmlContent</name>
+ <tag-class>org.owasp.encoder.tag.ForHtmlContentTag</tag-class>
+ <body-content>empty</body-content>
+ <attribute>
+ <description>value to be written out</description>
+ <name>value</name>
+ <required>true</required>
+ <rtexprvalue>true</rtexprvalue>
+ <type>java.lang.String</type>
+ </attribute>
+ </tag>
+ <tag>
+ <description>Encodes for XML and XHTML attribute content.</description>
+ <display-name>forXmlAttribute</display-name>
+ <name>forXmlAttribute</name>
+ <tag-class>org.owasp.encoder.tag.ForXmlAttributeTag</tag-class>
+ <body-content>empty</body-content>
+ <attribute>
+ <description>value to be written out</description>
+ <name>value</name>
+ <required>true</required>
+ <rtexprvalue>true</rtexprvalue>
+ <type>java.lang.String</type>
+ </attribute>
+ </tag>
+ <tag>
+ <description>Encodes for XML and XHTML.</description>
+ <display-name>forXml</display-name>
+ <name>forXml</name>
+ <tag-class>org.owasp.encoder.tag.ForXmlTag</tag-class>
+ <body-content>empty</body-content>
+ <attribute>
+ <description>value to be written out</description>
+ <name>value</name>
+ <required>true</required>
+ <rtexprvalue>true</rtexprvalue>
+ <type>java.lang.String</type>
+ </attribute>
+ </tag>
+ <tag>
+ <description>
+ Encodes for a JavaScript string. It is safe for use in HTML
+ script attributes (such as onclick), script
+ blocks, JSON files, and JavaScript source. The caller MUST
+ provide the surrounding quotation characters for the string.
+ Since this performs additional encoding so it can work in all
+ of the JavaScript contexts listed, it may be slightly less
+ efficient then using one of the methods targetted to a specific
+ JavaScript context: forJavaScriptAttribute,
+ forJavaScriptBlock, or forJavaScriptSource.
+
+ Unless you are interested in saving a few bytes of output or
+ are writing a framework on top of this library, it is recommend
+ that you use this method over the others.
+ </description>
+ <display-name>forJavaScript</display-name>
+ <name>forJavaScript</name>
+ <tag-class>org.owasp.encoder.tag.ForJavaScriptTag</tag-class>
+ <body-content>empty</body-content>
+ <attribute>
+ <description>value to be written out</description>
+ <name>value</name>
+ <required>true</required>
+ <rtexprvalue>true</rtexprvalue>
+ <type>java.lang.String</type>
+ </attribute>
+ </tag>
+ <tag>
+ <description>
+ Encodes for unquoted HTML attribute values. forHtml(String) or
+ forHtmlAttribute(String) should usually be preferred over this
+ method as quoted attributes are XHTML compliant.
+ </description>
+ <display-name>forHtmlUnquotedAttribute</display-name>
+ <name>forHtmlUnquotedAttribute</name>
+ <tag-class>org.owasp.encoder.tag.ForHtmlUnquotedAttributeTag</tag-class>
+ <body-content>empty</body-content>
+ <attribute>
+ <description>value to be written out</description>
+ <name>value</name>
+ <required>true</required>
+ <rtexprvalue>true</rtexprvalue>
+ <type>java.lang.String</type>
+ </attribute>
+ </tag>
+ <tag>
+ <description>
+ Performs percent-encoding of a URL according to RFC 3986. The provided
+ URL is assumed to a valid URL. This method does not do any checking on
+ the quality or safety of the URL itself. In many applications it may
+ be better to use java.net.URI instead. Note: this is a
+ particularly dangerous context to put untrusted content in, as for
+ example a "javascript:" URL provided by a malicious user would be
+ "properly" escaped, and still execute.
+ </description>
+ <display-name>forUri</display-name>
+ <name>forUri</name>
+ <tag-class>org.owasp.encoder.tag.ForUriTag</tag-class>
+ <body-content>empty</body-content>
+ <attribute>
+ <description>value to be written out</description>
+ <name>value</name>
+ <required>true</required>
+ <rtexprvalue>true</rtexprvalue>
+ <type>java.lang.String</type>
+ </attribute>
+ </tag>
+ <tag>
+ <description>
+ Encodes for CSS URL contexts. The context must be surrounded by "url()". It
+ is safe for use in both style blocks and attributes in HTML. Note: this does
+ not do any checking on the quality or safety of the URL itself. The caller
+ should insure that the URL is safe for embedding (e.g. input validation) by
+ other means.
+ </description>
+ <display-name>forCssUrl</display-name>
+ <name>forCssUrl</name>
+ <tag-class>org.owasp.encoder.tag.ForCssUrlTag</tag-class>
+ <body-content>empty</body-content>
+ <attribute>
+ <description>value to be written out</description>
+ <name>value</name>
+ <required>true</required>
+ <rtexprvalue>true</rtexprvalue>
+ <type>java.lang.String</type>
+ </attribute>
+ </tag>
+ <tag>
+ <description>Encodes for HTML text attributes.</description>
+ <display-name>forHtmlAttribute</display-name>
+ <name>forHtmlAttribute</name>
+ <tag-class>org.owasp.encoder.tag.ForHtmlAttributeTag</tag-class>
+ <body-content>empty</body-content>
+ <attribute>
+ <description>value to be written out</description>
+ <name>value</name>
+ <required>true</required>
+ <rtexprvalue>true</rtexprvalue>
+ <type>java.lang.String</type>
+ </attribute>
+ </tag>
+ <tag>
+ <description>
+ Encodes for (X)HTML text content and text attributes.
+ </description>
+ <display-name>forHtml</display-name>
+ <name>forHtml</name>
+ <tag-class>org.owasp.encoder.tag.ForHtmlTag</tag-class>
+ <body-content>empty</body-content>
+ <attribute>
+ <description>value to be written out</description>
+ <name>value</name>
+ <required>true</required>
+ <rtexprvalue>true</rtexprvalue>
+ <type>java.lang.String</type>
+ </attribute>
+ </tag>
+ <tag>
+ <description>
+ Encodes for HTML text content. It does not escape
+ quotation characters and is thus unsafe for use with
+ HTML attributes. Use either forHtml or forHtmlAttribute for those
+ methods.
+ </description>
+ <display-name>forXmlContent</display-name>
+ <name>forXmlContent</name>
+ <tag-class>org.owasp.encoder.tag.ForXmlContentTag</tag-class>
+ <body-content>empty</body-content>
+ <attribute>
+ <description>value to be written out</description>
+ <name>value</name>
+ <required>true</required>
+ <rtexprvalue>true</rtexprvalue>
+ <type>java.lang.String</type>
+ </attribute>
+ </tag>
+ <tag>
+ <description>
+ Performs percent-encoding for a component of a URI, such as a query
+ parameter name or value, path or query-string. In particular this
+ method insures that special characters in the component do not get
+ interpreted as part of another component.
+ </description>
+ <display-name>forUriComponent</display-name>
+ <name>forUriComponent</name>
+ <tag-class>org.owasp.encoder.tag.ForUriComponentTag</tag-class>
+ <body-content>empty</body-content>
+ <attribute>
+ <description>value to be written out</description>
+ <name>value</name>
+ <required>true</required>
+ <rtexprvalue>true</rtexprvalue>
+ <type>java.lang.String</type>
+ </attribute>
+ </tag>
+ <tag>
+ <description>
+ Encodes for CSS strings. The context must be surrounded by quotation characters.
+ It is safe for use in both style blocks and attributes in HTML.
+ </description>
+ <display-name>forCssString</display-name>
+ <name>forCssString</name>
+ <tag-class>org.owasp.encoder.tag.ForCssStringTag</tag-class>
+ <body-content>empty</body-content>
+ <attribute>
+ <description>value to be written out</description>
+ <name>value</name>
+ <required>true</required>
+ <rtexprvalue>true</rtexprvalue>
+ <type>java.lang.String</type>
+ </attribute>
+ </tag>
+ <function>
+ <description>
+ Encodes for (X)HTML text content and text attributes.
+ </description>
+ <display-name>forHtml</display-name>
+ <name>forHtml</name>
+ <function-class>org.owasp.encoder.Encode</function-class>
+ <function-signature>java.lang.String forHtml(java.lang.String)</function-signature>
+ <example>forHtml(unsafeData)</example>
+ </function>
+ <function>
+ <description>
+ This method encodes for HTML text content. It does not escape
+ quotation characters and is thus unsafe for use with
+ HTML attributes. Use either forHtml or forHtmlAttribute for those
+ methods.
+ </description>
+ <display-name>forHtmlContent</display-name>
+ <name>forHtmlContent</name>
+ <function-class>org.owasp.encoder.Encode</function-class>
+ <function-signature>java.lang.String forHtmlContent(java.lang.String)</function-signature>
+ <example>forHtmlContent(unsafeData)</example>
+ </function>
+ <function>
+ <description>Encodes for HTML text attributes.</description>
+ <name>forHtmlAttribute</name>
+ <function-class>org.owasp.encoder.Encode</function-class>
+ <function-signature>java.lang.String forHtmlAttribute(java.lang.String)</function-signature>
+ <example>forHtmlAttribute(unsafeData)</example>
+ </function>
+ <function>
+ <description>
+ Encodes for unquoted HTML attribute values. forHtml(String) or
+ forHtmlAttribute(String) should usually be preferred over this
+ method as quoted attributes are XHTML compliant.
+ </description>
+ <display-name>forHtmlUnquotedAttribute</display-name>
+ <name>forHtmlUnquotedAttribute</name>
+ <function-class>org.owasp.encoder.Encode</function-class>
+ <function-signature>java.lang.String forHtmlUnquotedAttribute(java.lang.String)</function-signature>
+ <example>forHtmlUnquotedAttribute(unsafeData)</example>
+ </function>
+ <function>
+ <description>
+ Encodes for CSS strings. The context must be surrounded by quotation characters.
+ It is safe for use in both style blocks and attributes in HTML.
+ </description>
+ <display-name>forCssString</display-name>
+ <name>forCssString</name>
+ <function-class>org.owasp.encoder.Encode</function-class>
+ <function-signature>java.lang.String forCssString(java.lang.String)</function-signature>
+ <example>forCssString(unsafeData)</example>
+ </function>
+ <function>
+ <description>
+ Encodes for CSS URL contexts. The context must be surrounded by "url()". It
+ is safe for use in both style blocks and attributes in HTML. Note: this does
+ not do any checking on the quality or safety of the URL itself. The caller
+ should insure that the URL is safe for embedding (e.g. input validation) by
+ other means.
+ </description>
+ <display-name>forCssUrl</display-name>
+ <name>forCssUrl</name>
+ <function-class>org.owasp.encoder.Encode</function-class>
+ <function-signature>java.lang.String forCssUrl(java.lang.String)</function-signature>
+ <example>forCssUrl(unsafeData)</example>
+ </function>
+ <function>
+ <description>
+ Performs percent-encoding of a URL according to RFC 3986. The provided
+ URL is assumed to a valid URL. This method does not do any checking on
+ the quality or safety of the URL itself. In many applications it may
+ be better to use java.net.URI instead. Note: this is a
+ particularly dangerous context to put untrusted content in, as for
+ example a "javascript:" URL provided by a malicious user would be
+ "properly" escaped, and still execute.
+ </description>
+ <display-name>forUri</display-name>
+ <name>forUri</name>
+ <function-class>org.owasp.encoder.Encode</function-class>
+ <function-signature>java.lang.String forUri(java.lang.String)</function-signature>
+ <example>forUri(unsafeData)</example>
+ </function>
+ <function>
+ <description>
+ Performs percent-encoding for a component of a URI, such as a query
+ parameter name or value, path or query-string. In particular this
+ method insures that special characters in the component do not get
+ interpreted as part of another component.
+ </description>
+ <display-name>forUriComponent</display-name>
+ <name>forUriComponent</name>
+ <function-class>org.owasp.encoder.Encode</function-class>
+ <function-signature>java.lang.String forUriComponent(java.lang.String)</function-signature>
+ <example>forUriComponent(unsafeData)</example>
+ </function>
+ <function>
+ <description>Encodes for XML and XHTML.</description>
+ <display-name>forXml</display-name>
+ <name>forXml</name>
+ <function-class>org.owasp.encoder.Encode</function-class>
+ <function-signature>java.lang.String forXml(java.lang.String)</function-signature>
+ <example>forXml(unsafeData)</example>
+ </function>
+ <function>
+ <description>
+ Encodes for HTML text content. It does not escape
+ quotation characters and is thus unsafe for use with
+ HTML attributes. Use either forHtml or forHtmlAttribute for those
+ methods.
+ </description>
+ <display-name>forXmlContent</display-name>
+ <name>forXmlContent</name>
+ <function-class>org.owasp.encoder.Encode</function-class>
+ <function-signature>java.lang.String forXmlContent(java.lang.String)</function-signature>
+ <example>forXmlContent(unsafeData)</example>
+ </function>
+ <function>
+ <description>Encodes for XML and XHTML attribute content.</description>
+ <display-name>forXmlAttribute</display-name>
+ <name>forXmlAttribute</name>
+ <function-class>org.owasp.encoder.Encode</function-class>
+ <function-signature>java.lang.String forXmlAttribute(java.lang.String)</function-signature>
+ <example>forXmlAttribute(unsafeData)</example>
+ </function>
+ <function>
+ <description>
+ Encodes data for an XML CDATA section. On the chance that the input
+ contains a terminating
+ "]]&gt;", it will be replaced by
+ &quot;]]&gt;]]&lt;![CDATA[&gt;&quot;.
+ As with all XML contexts, characters that are invalid according to the
+ XML specification will be replaced by a space character. Caller must
+ provide the CDATA section boundaries.
+ </description>
+ <display-name>forCDATA</display-name>
+ <name>forCDATA</name>
+ <function-class>org.owasp.encoder.Encode</function-class>
+ <function-signature>java.lang.String forCDATA(java.lang.String)</function-signature>
+ <example>forCDATA(unsafeData)</example>
+ </function>
+ <function>
+ <description>
+ Encodes for a JavaScript string. It is safe for use in HTML
+ script attributes (such as onclick), script
+ blocks, JSON files, and JavaScript source. The caller MUST
+ provide the surrounding quotation characters for the string.
+ </description>
+ <display-name>forJavaScript</display-name>
+ <name>forJavaScript</name>
+ <function-class>org.owasp.encoder.Encode</function-class>
+ <function-signature>java.lang.String forJavaScript(java.lang.String)</function-signature>
+ <example>forJavaScript(unsafeData)</example>
+ </function>
+</taglib>
\ No newline at end of file |
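Review bot: Both `forXmlContent` entries in this descriptor (the `<tag>` and the `<function>`) reuse the forHtmlContent description, so they tell a page author that the encoder is for HTML text content and to reach for forHtml or forHtmlAttribute when an attribute is the target, which are the wrong encoders for an XML document; the text should read `Encodes for XML text content. It does not escape quotation characters and is thus unsafe for use with XML attributes. Use either forXml or forXmlAttribute for those contexts.` The `forHtmlAttribute` `<function>` is also the only function entry without a `<display-name>` element. This descriptor declares fewer EL functions than the taglib preceding it in this commit (forXmlComment, forJavaScriptAttribute, forJavaScriptBlock and forJavaScriptSource are absent), which is presumably deliberate but worth an XML comment before the first `<function>` so a page author who picks this URI knows that only forJavaScript is offered for script contexts. While here, a few spelling slips recur across the descriptions: "insure" for "ensure", "efficient then" for "than", "targetted", and "it is recommend".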