Diffstat (limited to 'jsp/src/main/resources/META-INF/java-encoder-advanced.tld')
-rw-r--r--jsp/src/main/resources/META-INF/java-encoder-advanced.tld560
1 files changed, 560 insertions, 0 deletions
diff --git a/jsp/src/main/resources/META-INF/java-encoder-advanced.tld b/jsp/src/main/resources/META-INF/java-encoder-advanced.tld
new file mode 100644
index 0000000..becab48
--- /dev/null
+++ b/jsp/src/main/resources/META-INF/java-encoder-advanced.tld
@@ -0,0 +1,560 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<taglib version="2.1" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-jsptaglibrary_2_1.xsd" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+ <display-name>OWASP Java Encoder Project</display-name>
+ <tlib-version>1.0</tlib-version>
+ <short-name>java-encoder</short-name>
+ <uri>https://www.owasp.org/index.php/OWASP_Java_Encoder_Project#advanced</uri>
+ <tag>
+ <description>
+ Encodes data for an XML CDATA section. On the chance that the input
+ contains a terminating
+ &quot;]]&amp;gt;&quot;, it will be replaced by
+ &amp;quot;]]&amp;gt;]]&amp;lt;![CDATA[&amp;gt;&amp;quot;.
+ As with all XML contexts, characters that are invalid according to the
+ XML specification will be replaced by a space character. Caller must
+ provide the CDATA section boundaries.
+ </description>
+ <display-name>forCDATA</display-name>
+ <name>forCDATA</name>
+ <tag-class>org.owasp.encoder.tag.ForCDATATag</tag-class>
+ <body-content>empty</body-content>
+ <attribute>
+ <description>The value to be written out</description>
+ <name>value</name>
+ <required>true</required>
+ <rtexprvalue>true</rtexprvalue>
+ <type>java.lang.String</type>
+ </attribute>
+ </tag>
+ <tag>
+ <description>
+ This method encodes for HTML text content. It does not escape
+ quotation characters and is thus unsafe for use with
+ HTML attributes. Use either forHtml or forHtmlAttribute for those
+ methods.
+ </description>
+ <display-name>forHtmlContent</display-name>
+ <name>forHtmlContent</name>
+ <tag-class>org.owasp.encoder.tag.ForHtmlContentTag</tag-class>
+ <body-content>empty</body-content>
+ <attribute>
+ <description>value to be written out</description>
+ <name>value</name>
+ <required>true</required>
+ <rtexprvalue>true</rtexprvalue>
+ <type>java.lang.String</type>
+ </attribute>
+ </tag>
+ <tag>
+ <description>Encodes for XML and XHTML attribute content.</description>
+ <display-name>forXmlAttribute</display-name>
+ <name>forXmlAttribute</name>
+ <tag-class>org.owasp.encoder.tag.ForXmlAttributeTag</tag-class>
+ <body-content>empty</body-content>
+ <attribute>
+ <description>value to be written out</description>
+ <name>value</name>
+ <required>true</required>
+ <rtexprvalue>true</rtexprvalue>
+ <type>java.lang.String</type>
+ </attribute>
+ </tag>
+ <tag>
+ <description>Encodes for XML and XHTML.</description>
+ <display-name>forXml</display-name>
+ <name>forXml</name>
+ <tag-class>org.owasp.encoder.tag.ForXmlTag</tag-class>
+ <body-content>empty</body-content>
+ <attribute>
+ <description>value to be written out</description>
+ <name>value</name>
+ <required>true</required>
+ <rtexprvalue>true</rtexprvalue>
+ <type>java.lang.String</type>
+ </attribute>
+ </tag>
+ <tag>
+ <description>
+ Encodes for a JavaScript string. It is safe for use in HTML
+ script attributes (such as onclick), script
+ blocks, JSON files, and JavaScript source. The caller MUST
+ provide the surrounding quotation characters for the string.
+ Since this performs additional encoding so it can work in all
+ of the JavaScript contexts listed, it may be slightly less
+ efficient then using one of the methods targetted to a specific
+ JavaScript context: forJavaScriptAttribute,
+ forJavaScriptBlock, or forJavaScriptSource.
+
+ Unless you are interested in saving a few bytes of output or
+ are writing a framework on top of this library, it is recommend
+ that you use this method over the others.
+ </description>
+ <display-name>forJavaScript</display-name>
+ <name>forJavaScript</name>
+ <tag-class>org.owasp.encoder.tag.ForJavaScriptTag</tag-class>
+ <body-content>empty</body-content>
+ <attribute>
+ <description>value to be written out</description>
+ <name>value</name>
+ <required>true</required>
+ <rtexprvalue>true</rtexprvalue>
+ <type>java.lang.String</type>
+ </attribute>
+ </tag>
+ <tag>
+ <description>
+ This method encodes for JavaScript strings contained within
+ HTML script attributes (such as onclick). It is
+ NOT safe for use in script blocks. The caller MUST provide the
+ surrounding quotation characters. This method performs the
+ same encode as Encode.forJavaScript(String) with the
+ exception that / is not escaped.
+ </description>
+ <display-name>forJavaScriptAttribute</display-name>
+ <name>forJavaScriptAttribute</name>
+ <tag-class>org.owasp.encoder.tag.ForJavaScriptAttributeTag</tag-class>
+ <body-content>empty</body-content>
+ <attribute>
+ <description>value to be written out</description>
+ <name>value</name>
+ <required>true</required>
+ <rtexprvalue>true</rtexprvalue>
+ <type>java.lang.String</type>
+ </attribute>
+ </tag>
+ <tag>
+ <description>
+ This method encodes for JavaScript strings contained within
+ HTML script blocks. It is NOT safe for use in script
+ attributes (such as onclick). The caller must
+ provide the surrounding quotation characters. This method
+ performs the same encode as Encode.forJavaScript(String)} with
+ the exception that " and ' are encoded as \" and \' respectively.
+ </description>
+ <display-name>forJavaScriptBlock</display-name>
+ <name>forJavaScriptBlock</name>
+ <tag-class>org.owasp.encoder.tag.ForJavaScriptBlockTag</tag-class>
+ <body-content>empty</body-content>
+ <attribute>
+ <description>value to be written out</description>
+ <name>value</name>
+ <required>true</required>
+ <rtexprvalue>true</rtexprvalue>
+ <type>java.lang.String</type>
+ </attribute>
+ </tag>
+ <tag>
+ <description>
+ This method encodes for JavaScript strings contained within
+ a JavaScript or JSON file. This method is NOT safe for
+ use in ANY context embedded in HTML. The caller must
+ provide the surrounding quotation characters. This method
+ performs the same encode as Encode.forJavaScript(String) with
+ the exception that / and &amp; are not escaped and " and ' are
+ encoded as \" and \' respectively.
+ </description>
+ <display-name>forJavaScriptSource</display-name>
+ <name>forJavaScriptSource</name>
+ <tag-class>org.owasp.encoder.tag.ForJavaScriptSourceTag</tag-class>
+ <body-content>empty</body-content>
+ <attribute>
+ <description>value to be written out</description>
+ <name>value</name>
+ <required>true</required>
+ <rtexprvalue>true</rtexprvalue>
+ <type>java.lang.String</type>
+ </attribute>
+ </tag>
+ <tag>
+ <description>
+ Encodes for unquoted HTML attribute values. forHtml(String) or
+ forHtmlAttribute(String) should usually be preferred over this
+ method as quoted attributes are XHTML compliant.
+ </description>
+ <display-name>forHtmlUnquotedAttribute</display-name>
+ <name>forHtmlUnquotedAttribute</name>
+ <tag-class>org.owasp.encoder.tag.ForHtmlUnquotedAttributeTag</tag-class>
+ <body-content>empty</body-content>
+ <attribute>
+ <description>value to be written out</description>
+ <name>value</name>
+ <required>true</required>
+ <rtexprvalue>true</rtexprvalue>
+ <type>java.lang.String</type>
+ </attribute>
+ </tag>
+ <tag>
+ <description>
+ Performs percent-encoding of a URL according to RFC 3986. The provided
+ URL is assumed to a valid URL. This method does not do any checking on
+ the quality or safety of the URL itself. In many applications it may
+ be better to use java.net.URI instead. Note: this is a
+ particularly dangerous context to put untrusted content in, as for
+ example a "javascript:" URL provided by a malicious user would be
+ "properly" escaped, and still execute.
+ </description>
+ <display-name>forUri</display-name>
+ <name>forUri</name>
+ <tag-class>org.owasp.encoder.tag.ForUriTag</tag-class>
+ <body-content>empty</body-content>
+ <attribute>
+ <description>value to be written out</description>
+ <name>value</name>
+ <required>true</required>
+ <rtexprvalue>true</rtexprvalue>
+ <type>java.lang.String</type>
+ </attribute>
+ </tag>
+ <tag>
+ <description>
+ Encodes for CSS URL contexts. The context must be surrounded by "url()". It
+ is safe for use in both style blocks and attributes in HTML. Note: this does
+ not do any checking on the quality or safety of the URL itself. The caller
+ should insure that the URL is safe for embedding (e.g. input validation) by
+ other means.
+ </description>
+ <display-name>forCssUrl</display-name>
+ <name>forCssUrl</name>
+ <tag-class>org.owasp.encoder.tag.ForCssUrlTag</tag-class>
+ <body-content>empty</body-content>
+ <attribute>
+ <description>value to be written out</description>
+ <name>value</name>
+ <required>true</required>
+ <rtexprvalue>true</rtexprvalue>
+ <type>java.lang.String</type>
+ </attribute>
+ </tag>
+ <tag>
+ <description>
+ Encoder for XML comments. NOT FOR USE WITH (X)HTML CONTEXTS.
+ (X)HTML comments may be interpreted by browsers as something
+ other than a comment, typically in vendor specific extensions
+ (e.g. &amp;lt;--if[IE]--&amp;gt;.
+ For (X)HTML it is recommend that unsafe content never be included
+ in a comment.
+ </description>
+ <display-name>forXmlComment</display-name>
+ <name>forXmlComment</name>
+ <tag-class>org.owasp.encoder.tag.ForXmlCommentTag</tag-class>
+ <body-content>empty</body-content>
+ <attribute>
+ <description>value to be written out</description>
+ <name>value</name>
+ <required>true</required>
+ <rtexprvalue>true</rtexprvalue>
+ <type>java.lang.String</type>
+ </attribute>
+ </tag>
+ <tag>
+ <description>Encodes for HTML text attributes.</description>
+ <display-name>forHtmlAttribute</display-name>
+ <name>forHtmlAttribute</name>
+ <tag-class>org.owasp.encoder.tag.ForHtmlAttributeTag</tag-class>
+ <body-content>empty</body-content>
+ <attribute>
+ <description>value to be written out</description>
+ <name>value</name>
+ <required>true</required>
+ <rtexprvalue>true</rtexprvalue>
+ <type>java.lang.String</type>
+ </attribute>
+ </tag>
+ <tag>
+ <description>
+ Encodes for (X)HTML text content and text attributes.
+ </description>
+ <display-name>forHtml</display-name>
+ <name>forHtml</name>
+ <tag-class>org.owasp.encoder.tag.ForHtmlTag</tag-class>
+ <body-content>empty</body-content>
+ <attribute>
+ <description>value to be written out</description>
+ <name>value</name>
+ <required>true</required>
+ <rtexprvalue>true</rtexprvalue>
+ <type>java.lang.String</type>
+ </attribute>
+ </tag>
+ <tag>
+ <description>
+ Encodes for HTML text content. It does not escape
+ quotation characters and is thus unsafe for use with
+ HTML attributes. Use either forHtml or forHtmlAttribute for those
+ methods.
+ </description>
+ <display-name>forXmlContent</display-name>
+ <name>forXmlContent</name>
+ <tag-class>org.owasp.encoder.tag.ForXmlContentTag</tag-class>
+ <body-content>empty</body-content>
+ <attribute>
+ <description>value to be written out</description>
+ <name>value</name>
+ <required>true</required>
+ <rtexprvalue>true</rtexprvalue>
+ <type>java.lang.String</type>
+ </attribute>
+ </tag>
+ <tag>
+ <description>
+ Performs percent-encoding for a component of a URI, such as a query
+ parameter name or value, path or query-string. In particular this
+ method insures that special characters in the component do not get
+ interpreted as part of another component.
+ </description>
+ <display-name>forUriComponent</display-name>
+ <name>forUriComponent</name>
+ <tag-class>org.owasp.encoder.tag.ForUriComponentTag</tag-class>
+ <body-content>empty</body-content>
+ <attribute>
+ <description>value to be written out</description>
+ <name>value</name>
+ <required>true</required>
+ <rtexprvalue>true</rtexprvalue>
+ <type>java.lang.String</type>
+ </attribute>
+ </tag>
+ <tag>
+ <description>
+ Encodes for CSS strings. The context must be surrounded by quotation characters.
+ It is safe for use in both style blocks and attributes in HTML.
+ </description>
+ <display-name>forCssString</display-name>
+ <name>forCssString</name>
+ <tag-class>org.owasp.encoder.tag.ForCssStringTag</tag-class>
+ <body-content>empty</body-content>
+ <attribute>
+ <description>value to be written out</description>
+ <name>value</name>
+ <required>true</required>
+ <rtexprvalue>true</rtexprvalue>
+ <type>java.lang.String</type>
+ </attribute>
+ </tag>
+ <function>
+ <description>
+ Encodes for (X)HTML text content and text attributes.
+ </description>
+ <display-name>forHtml</display-name>
+ <name>forHtml</name>
+ <function-class>org.owasp.encoder.Encode</function-class>
+ <function-signature>java.lang.String forHtml(java.lang.String)</function-signature>
+ <example>forHtml(unsafeData)</example>
+ </function>
+ <function>
+ <description>
+ This method encodes for HTML text content. It does not escape
+ quotation characters and is thus unsafe for use with
+ HTML attributes. Use either forHtml or forHtmlAttribute for those
+ methods.
+ </description>
+ <display-name>forHtmlContent</display-name>
+ <name>forHtmlContent</name>
+ <function-class>org.owasp.encoder.Encode</function-class>
+ <function-signature>java.lang.String forHtmlContent(java.lang.String)</function-signature>
+ <example>forHtmlContent(unsafeData)</example>
+ </function>
+ <function>
+ <description>Encodes for HTML text attributes.</description>
+ <name>forHtmlAttribute</name>
+ <function-class>org.owasp.encoder.Encode</function-class>
+ <function-signature>java.lang.String forHtmlAttribute(java.lang.String)</function-signature>
+ <example>forHtmlAttribute(unsafeData)</example>
+ </function>
+ <function>
+ <description>
+ Encodes for unquoted HTML attribute values. forHtml(String) or
+ forHtmlAttribute(String) should usually be preferred over this
+ method as quoted attributes are XHTML compliant.
+ </description>
+ <display-name>forHtmlUnquotedAttribute</display-name>
+ <name>forHtmlUnquotedAttribute</name>
+ <function-class>org.owasp.encoder.Encode</function-class>
+ <function-signature>java.lang.String forHtmlUnquotedAttribute(java.lang.String)</function-signature>
+ <example>forHtmlUnquotedAttribute(unsafeData)</example>
+ </function>
+ <function>
+ <description>
+ Encodes for CSS strings. The context must be surrounded by quotation characters.
+ It is safe for use in both style blocks and attributes in HTML.
+ </description>
+ <display-name>forCssString</display-name>
+ <name>forCssString</name>
+ <function-class>org.owasp.encoder.Encode</function-class>
+ <function-signature>java.lang.String forCssString(java.lang.String)</function-signature>
+ <example>forCssString(unsafeData)</example>
+ </function>
+ <function>
+ <description>
+ Encodes for CSS URL contexts. The context must be surrounded by "url()". It
+ is safe for use in both style blocks and attributes in HTML. Note: this does
+ not do any checking on the quality or safety of the URL itself. The caller
+ should insure that the URL is safe for embedding (e.g. input validation) by
+ other means.
+ </description>
+ <display-name>forCssUrl</display-name>
+ <name>forCssUrl</name>
+ <function-class>org.owasp.encoder.Encode</function-class>
+ <function-signature>java.lang.String forCssUrl(java.lang.String)</function-signature>
+ <example>forCssUrl(unsafeData)</example>
+ </function>
+ <function>
+ <description>
+ Performs percent-encoding of a URL according to RFC 3986. The provided
+ URL is assumed to a valid URL. This method does not do any checking on
+ the quality or safety of the URL itself. In many applications it may
+ be better to use java.net.URI instead. Note: this is a
+ particularly dangerous context to put untrusted content in, as for
+ example a "javascript:" URL provided by a malicious user would be
+ "properly" escaped, and still execute.
+ </description>
+ <display-name>forUri</display-name>
+ <name>forUri</name>
+ <function-class>org.owasp.encoder.Encode</function-class>
+ <function-signature>java.lang.String forUri(java.lang.String)</function-signature>
+ <example>forUri(unsafeData)</example>
+ </function>
+ <function>
+ <description>
+ Performs percent-encoding for a component of a URI, such as a query
+ parameter name or value, path or query-string. In particular this
+ method insures that special characters in the component do not get
+ interpreted as part of another component.
+ </description>
+ <display-name>forUriComponent</display-name>
+ <name>forUriComponent</name>
+ <function-class>org.owasp.encoder.Encode</function-class>
+ <function-signature>java.lang.String forUriComponent(java.lang.String)</function-signature>
+ <example>forUriComponent(unsafeData)</example>
+ </function>
+ <function>
+ <description>Encodes for XML and XHTML.</description>
+ <display-name>forXml</display-name>
+ <name>forXml</name>
+ <function-class>org.owasp.encoder.Encode</function-class>
+ <function-signature>java.lang.String forXml(java.lang.String)</function-signature>
+ <example>forXml(unsafeData)</example>
+ </function>
+ <function>
+ <description>
+ Encodes for HTML text content. It does not escape
+ quotation characters and is thus unsafe for use with
+ HTML attributes. Use either forHtml or forHtmlAttribute for those
+ methods.
+ </description>
+ <display-name>forXmlContent</display-name>
+ <name>forXmlContent</name>
+ <function-class>org.owasp.encoder.Encode</function-class>
+ <function-signature>java.lang.String forXmlContent(java.lang.String)</function-signature>
+ <example>forXmlContent(unsafeData)</example>
+ </function>
+ <function>
+ <description>Encodes for XML and XHTML attribute content.</description>
+ <display-name>forXmlAttribute</display-name>
+ <name>forXmlAttribute</name>
+ <function-class>org.owasp.encoder.Encode</function-class>
+ <function-signature>java.lang.String forXmlAttribute(java.lang.String)</function-signature>
+ <example>forXmlAttribute(unsafeData)</example>
+ </function>
+ <function>
+ <description>
+ Encoder for XML comments. NOT FOR USE WITH (X)HTML CONTEXTS.
+ (X)HTML comments may be interpreted by browsers as something
+ other than a comment, typically in vendor specific extensions
+ (e.g. &amp;lt;--if[IE]--&amp;gt;.
+ For (X)HTML it is recommend that unsafe content never be included
+ in a comment.
+ </description>
+ <name>forXmlComment</name>
+ <function-class>org.owasp.encoder.Encode</function-class>
+ <function-signature>java.lang.String forXmlComment(java.lang.String)</function-signature>
+ <example>forXmlComment(unsafeData)</example>
+ </function>
+ <function>
+ <description>
+ Encodes data for an XML CDATA section. On the chance that the input
+ contains a terminating
+ &quot;]]&amp;gt;&quot;, it will be replaced by
+ &amp;quot;]]&amp;gt;]]&amp;lt;![CDATA[&amp;gt;&amp;quot;.
+ As with all XML contexts, characters that are invalid according to the
+ XML specification will be replaced by a space character. Caller must
+ provide the CDATA section boundaries.
+ </description>
+ <display-name>forCDATA</display-name>
+ <name>forCDATA</name>
+ <function-class>org.owasp.encoder.Encode</function-class>
+ <function-signature>java.lang.String forCDATA(java.lang.String)</function-signature>
+ <example>forCDATA(unsafeData)</example>
+ </function>
+ <function>
+ <description>
+ Encodes for a JavaScript string. It is safe for use in HTML
+ script attributes (such as onclick), script
+ blocks, JSON files, and JavaScript source. The caller MUST
+ provide the surrounding quotation characters for the string.
+ Since this performs additional encoding so it can work in all
+ of the JavaScript contexts listed, it may be slightly less
+ efficient then using one of the methods targetted to a specific
+ JavaScript context: forJavaScriptAttribute,
+ forJavaScriptBlock, or forJavaScriptSource.
+
+ Unless you are interested in saving a few bytes of output or
+ are writing a framework on top of this library, it is recommend
+ that you use this method over the others.
+ </description>
+ <display-name>forJavaScript</display-name>
+ <name>forJavaScript</name>
+ <function-class>org.owasp.encoder.Encode</function-class>
+ <function-signature>java.lang.String forJavaScript(java.lang.String)</function-signature>
+ <example>forJavaScript(unsafeData)</example>
+ </function>
+ <function>
+ <description>
+ This method encodes for JavaScript strings contained within
+ HTML script attributes (such as onclick). It is
+ NOT safe for use in script blocks. The caller MUST provide the
+ surrounding quotation characters. This method performs the
+ same encode as Encode.forJavaScript(String) with the
+ exception that / is not escaped.
+ </description>
+ <display-name>forJavaScriptAttribute</display-name>
+ <name>forJavaScriptAttribute</name>
+ <function-class>org.owasp.encoder.Encode</function-class>
+ <function-signature>java.lang.String forJavaScriptAttribute(java.lang.String)</function-signature>
+ <example>forJavaScriptAttribute(unsafeData)</example>
+ </function>
+ <function>
+ <description>
+ This method encodes for JavaScript strings contained within
+ HTML script blocks. It is NOT safe for use in script
+ attributes (such as onclick). The caller must
+ provide the surrounding quotation characters. This method
+ performs the same encode as Encode.forJavaScript(String)} with
+ the exception that " and ' are encoded as \" and \' respectively.
+ </description>
+ <display-name>forJavaScriptBlock</display-name>
+ <name>forJavaScriptBlock</name>
+ <function-class>org.owasp.encoder.Encode</function-class>
+ <function-signature>java.lang.String forJavaScriptBlock(java.lang.String)</function-signature>
+ <example>forJavaScriptBlock(unsafeData)</example>
+ </function>
+ <function>
+ <description>
+ This method encodes for JavaScript strings contained within
+ a JavaScript or JSON file. This method is NOT safe for
+ use in ANY context embedded in HTML. The caller must
+ provide the surrounding quotation characters. This method
+ performs the same encode as Encode.forJavaScript(String) with
+ the exception that / and &amp; are not escaped and " and ' are
+ encoded as \" and \' respectively.
+ </description>
+ <display-name>forJavaScriptSource</display-name>
+ <name>forJavaScriptSource</name>
+ <function-class>org.owasp.encoder.Encode</function-class>
+ <function-signature>java.lang.String forJavaScriptSource(java.lang.String)</function-signature>
+ <example>
+ &lt;%@page contentType="text/javascript; charset=UTF-8"%>
+ var data = '${forJavaScriptSource(unsafeData)}';
+ </example>
+ </function>
+</taglib> \ No newline at end of file
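Review bot: The `<description>` of the forXmlContent tag and of the forXmlContent function is the forHtmlContent text copied verbatim, so a page author is told this is an HTML-content encoder and is pointed to forHtml/forHtmlAttribute for attribute contexts, which is the wrong encoder family for XML output; it should read `Encodes for XML text content. It does not escape quotation characters and is thus unsafe for use with XML attributes. Use forXml or forXmlAttribute for those contexts.` The forCDATA and forXmlComment descriptions carry Javadoc HTML entities that were escaped a second time for XML (`&amp;quot;`, `&amp;gt;`, `&amp;lt;`), so IDE tooltips will show the literal entity text rather than `"`, `>` and `<`; in XML text a single `&quot;`/`&gt;`/`&lt;` is sufficient. The forHtmlAttribute and forXmlComment `<function>` entries are the only ones without a `<display-name>`, and both forJavaScriptBlock descriptions keep a stray `}` left over from a Javadoc `{@link}` tag. Wording that recurs in both the tag and function copies: `targetted`, `efficient then`, `assumed to a valid URL`, `it is recommend` and `insures` where ensures is meant.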