diff options
34 files changed, 2150 insertions, 565 deletions
diff --git a/distrib/javadoc/allclasses-frame.html b/distrib/javadoc/allclasses-frame.html index 28ba5e0..40b1480 100644 --- a/distrib/javadoc/allclasses-frame.html +++ b/distrib/javadoc/allclasses-frame.html @@ -34,6 +34,10 @@ All Classes (OWASP Java HTML Sanitizer) <BR> <A HREF="org/owasp/html/Handler.html" title="interface in org.owasp.html" target="classFrame"><I>Handler</I></A> <BR> +<A HREF="org/owasp/html/HtmlChangeListener.html" title="interface in org.owasp.html" target="classFrame"><I>HtmlChangeListener</I></A> +<BR> +<A HREF="org/owasp/html/HtmlChangeReporter.html" title="class in org.owasp.html" target="classFrame">HtmlChangeReporter</A> +<BR> <A HREF="org/owasp/html/HtmlPolicyBuilder.html" title="class in org.owasp.html" target="classFrame">HtmlPolicyBuilder</A> <BR> <A HREF="org/owasp/html/HtmlSanitizer.html" title="class in org.owasp.html" target="classFrame">HtmlSanitizer</A> diff --git a/distrib/javadoc/allclasses-noframe.html b/distrib/javadoc/allclasses-noframe.html index 04eeed5..6b0fc59 100644 --- a/distrib/javadoc/allclasses-noframe.html +++ b/distrib/javadoc/allclasses-noframe.html @@ -34,6 +34,10 @@ All Classes (OWASP Java HTML Sanitizer) <BR> <A HREF="org/owasp/html/Handler.html" title="interface in org.owasp.html"><I>Handler</I></A> <BR> +<A HREF="org/owasp/html/HtmlChangeListener.html" title="interface in org.owasp.html"><I>HtmlChangeListener</I></A> +<BR> +<A HREF="org/owasp/html/HtmlChangeReporter.html" title="class in org.owasp.html">HtmlChangeReporter</A> +<BR> <A HREF="org/owasp/html/HtmlPolicyBuilder.html" title="class in org.owasp.html">HtmlPolicyBuilder</A> <BR> <A HREF="org/owasp/html/HtmlSanitizer.html" title="class in org.owasp.html">HtmlSanitizer</A> diff --git a/distrib/javadoc/index-files/index-1.html b/distrib/javadoc/index-files/index-1.html index cff6139..285e23b 100644 --- a/distrib/javadoc/index-files/index-1.html +++ b/distrib/javadoc/index-files/index-1.html @@ -131,7 +131,11 @@ Method in class org.owasp.html.<A HREF="../org/owasp/html/FilterUrlByProtocolAtt <DD> <DT><A HREF="../org/owasp/html/PolicyFactory.html#apply(org.owasp.html.HtmlStreamEventReceiver)"><B>apply(HtmlStreamEventReceiver)</B></A> - Method in class org.owasp.html.<A HREF="../org/owasp/html/PolicyFactory.html" title="class in org.owasp.html">PolicyFactory</A> -<DD>Produces a sanitizer that emits tokens to out. +<DD>Produces a sanitizer that emits tokens to <code>out</code>. +<DT><A HREF="../org/owasp/html/PolicyFactory.html#apply(org.owasp.html.HtmlStreamEventReceiver, org.owasp.html.HtmlChangeListener, CTX)"><B>apply(HtmlStreamEventReceiver, HtmlChangeListener<CTX>, CTX)</B></A> - +Method in class org.owasp.html.<A HREF="../org/owasp/html/PolicyFactory.html" title="class in org.owasp.html">PolicyFactory</A> +<DD>Produces a sanitizer that emits tokens to <code>out</code> and that notifies + any <code>listener</code> of any dropped tags and attributes. <DT><A HREF="../org/owasp/html/AttributePolicy.html" title="interface in org.owasp.html"><B>AttributePolicy</B></A> - Interface in <A HREF="../org/owasp/html/package-summary.html">org.owasp.html</A><DD>A policy that can be applied to an HTML attribute to decide whether or not to allow it in the output, possibly after transforming its value.<DT><A HREF="../org/owasp/html/AttributePolicy.Util.html" title="class in org.owasp.html"><B>AttributePolicy.Util</B></A> - Class in <A HREF="../org/owasp/html/package-summary.html">org.owasp.html</A><DD>Utilities for working with attribute policies.<DT><A HREF="../org/owasp/html/AttributePolicy.Util.html#AttributePolicy.Util()"><B>AttributePolicy.Util()</B></A> - Constructor for class org.owasp.html.<A HREF="../org/owasp/html/AttributePolicy.Util.html" title="class in org.owasp.html">AttributePolicy.Util</A> diff --git a/distrib/javadoc/index-files/index-16.html b/distrib/javadoc/index-files/index-16.html index 63544d5..5ca854f 100644 --- a/distrib/javadoc/index-files/index-16.html +++ b/distrib/javadoc/index-files/index-16.html @@ -89,6 +89,9 @@ Method in class org.owasp.html.<A HREF="../org/owasp/html/PolicyFactory.html" ti <DT><A HREF="../org/owasp/html/Sanitizers.html" title="class in org.owasp.html"><B>Sanitizers</B></A> - Class in <A HREF="../org/owasp/html/package-summary.html">org.owasp.html</A><DD>Pre-packaged HTML sanitizer policies.<DT><A HREF="../org/owasp/html/TagBalancingHtmlStreamEventReceiver.html#setNestingLimit(int)"><B>setNestingLimit(int)</B></A> - Method in class org.owasp.html.<A HREF="../org/owasp/html/TagBalancingHtmlStreamEventReceiver.html" title="class in org.owasp.html">TagBalancingHtmlStreamEventReceiver</A> <DD> +<DT><A HREF="../org/owasp/html/HtmlChangeReporter.html#setPolicy(org.owasp.html.HtmlSanitizer.Policy)"><B>setPolicy(HtmlSanitizer.Policy)</B></A> - +Method in class org.owasp.html.<A HREF="../org/owasp/html/HtmlChangeReporter.html" title="class in org.owasp.html">HtmlChangeReporter</A> +<DD>Associates an input channel. <DT><A HREF="../org/owasp/html/examples/SlashdotPolicyExample.html" title="class in org.owasp.html.examples"><B>SlashdotPolicyExample</B></A> - Class in <A HREF="../org/owasp/html/examples/package-summary.html">org.owasp.html.examples</A><DD>Based on the <a href="http://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project#Stage_2_-_Choosing_a_base_policy_file">AntiSamy Slashdot example</a>.<DT><A HREF="../org/owasp/html/examples/SlashdotPolicyExample.html#SlashdotPolicyExample()"><B>SlashdotPolicyExample()</B></A> - Constructor for class org.owasp.html.examples.<A HREF="../org/owasp/html/examples/SlashdotPolicyExample.html" title="class in org.owasp.html.examples">SlashdotPolicyExample</A> diff --git a/distrib/javadoc/index-files/index-2.html b/distrib/javadoc/index-files/index-2.html index 608722c..19a47f4 100644 --- a/distrib/javadoc/index-files/index-2.html +++ b/distrib/javadoc/index-files/index-2.html @@ -87,6 +87,9 @@ Static variable in class org.owasp.html.<A HREF="../org/owasp/html/Sanitizers.ht <DT><A HREF="../org/owasp/html/HtmlPolicyBuilder.html#build(org.owasp.html.HtmlStreamEventReceiver)"><B>build(HtmlStreamEventReceiver)</B></A> - Method in class org.owasp.html.<A HREF="../org/owasp/html/HtmlPolicyBuilder.html" title="class in org.owasp.html">HtmlPolicyBuilder</A> <DD>Produces a policy based on the allow and disallow calls previously made. +<DT><A HREF="../org/owasp/html/HtmlPolicyBuilder.html#build(org.owasp.html.HtmlStreamEventReceiver, org.owasp.html.HtmlChangeListener, CTX)"><B>build(HtmlStreamEventReceiver, HtmlChangeListener<? super CTX>, CTX)</B></A> - +Method in class org.owasp.html.<A HREF="../org/owasp/html/HtmlPolicyBuilder.html" title="class in org.owasp.html">HtmlPolicyBuilder</A> +<DD>Produces a policy based on the allow and disallow calls previously made. </DL> <HR> diff --git a/distrib/javadoc/index-files/index-4.html b/distrib/javadoc/index-files/index-4.html index 8ae3e59..b105727 100644 --- a/distrib/javadoc/index-files/index-4.html +++ b/distrib/javadoc/index-files/index-4.html @@ -95,6 +95,13 @@ Method in class org.owasp.html.<A HREF="../org/owasp/html/HtmlPolicyBuilder.html <DT><A HREF="../org/owasp/html/HtmlPolicyBuilder.html#disallowWithoutAttributes(java.lang.String...)"><B>disallowWithoutAttributes(String...)</B></A> - Method in class org.owasp.html.<A HREF="../org/owasp/html/HtmlPolicyBuilder.html" title="class in org.owasp.html">HtmlPolicyBuilder</A> <DD>Disallows the given elements from appearing without attributes. +<DT><A HREF="../org/owasp/html/HtmlChangeListener.html#discardedAttributes(T, java.lang.String, java.lang.String...)"><B>discardedAttributes(T, String, String...)</B></A> - +Method in interface org.owasp.html.<A HREF="../org/owasp/html/HtmlChangeListener.html" title="interface in org.owasp.html">HtmlChangeListener</A> +<DD>Called when attributes are discarded + from the input but the containing tag is not. +<DT><A HREF="../org/owasp/html/HtmlChangeListener.html#discardedTag(T, java.lang.String)"><B>discardedTag(T, String)</B></A> - +Method in interface org.owasp.html.<A HREF="../org/owasp/html/HtmlChangeListener.html" title="interface in org.owasp.html">HtmlChangeListener</A> +<DD>Called when a tag is discarded from the input. <DT><A HREF="../org/owasp/html/Handler.html#DO_NOTHING"><B>DO_NOTHING</B></A> - Static variable in interface org.owasp.html.<A HREF="../org/owasp/html/Handler.html" title="interface in org.owasp.html">Handler</A> <DD>A handler that does nothing given any input. diff --git a/distrib/javadoc/index-files/index-7.html b/distrib/javadoc/index-files/index-7.html index 26f5d4f..6f10c97 100644 --- a/distrib/javadoc/index-files/index-7.html +++ b/distrib/javadoc/index-files/index-7.html @@ -80,6 +80,12 @@ function windowTitle() <A NAME="_G_"><!-- --></A><H2> <B>G</B></H2> <DL> +<DT><A HREF="../org/owasp/html/HtmlChangeReporter.html#getWrappedPolicy()"><B>getWrappedPolicy()</B></A> - +Method in class org.owasp.html.<A HREF="../org/owasp/html/HtmlChangeReporter.html" title="class in org.owasp.html">HtmlChangeReporter</A> +<DD> +<DT><A HREF="../org/owasp/html/HtmlChangeReporter.html#getWrappedRenderer()"><B>getWrappedRenderer()</B></A> - +Method in class org.owasp.html.<A HREF="../org/owasp/html/HtmlChangeReporter.html" title="class in org.owasp.html">HtmlChangeReporter</A> +<DD> <DT><A HREF="../org/owasp/html/HtmlPolicyBuilder.AttributeBuilder.html#globally()"><B>globally()</B></A> - Method in class org.owasp.html.<A HREF="../org/owasp/html/HtmlPolicyBuilder.AttributeBuilder.html" title="class in org.owasp.html">HtmlPolicyBuilder.AttributeBuilder</A> <DD>Allows the given attributes on any elements but filters the diff --git a/distrib/javadoc/index-files/index-8.html b/distrib/javadoc/index-files/index-8.html index 9712799..fca5fc9 100644 --- a/distrib/javadoc/index-files/index-8.html +++ b/distrib/javadoc/index-files/index-8.html @@ -83,7 +83,11 @@ function windowTitle() <DT><A HREF="../org/owasp/html/Handler.html#handle(T)"><B>handle(T)</B></A> - Method in interface org.owasp.html.<A HREF="../org/owasp/html/Handler.html" title="interface in org.owasp.html">Handler</A> <DD> -<DT><A HREF="../org/owasp/html/Handler.html" title="interface in org.owasp.html"><B>Handler</B></A><<A HREF="../org/owasp/html/Handler.html" title="type parameter in Handler">T</A>> - Interface in <A HREF="../org/owasp/html/package-summary.html">org.owasp.html</A><DD>Receives notification of problems.<DT><A HREF="../org/owasp/html/HtmlPolicyBuilder.html" title="class in org.owasp.html"><B>HtmlPolicyBuilder</B></A> - Class in <A HREF="../org/owasp/html/package-summary.html">org.owasp.html</A><DD>Conveniences for configuring policies for the <A HREF="../org/owasp/html/HtmlSanitizer.html" title="class in org.owasp.html"><CODE>HtmlSanitizer</CODE></A>.<DT><A HREF="../org/owasp/html/HtmlPolicyBuilder.html#HtmlPolicyBuilder()"><B>HtmlPolicyBuilder()</B></A> - +<DT><A HREF="../org/owasp/html/Handler.html" title="interface in org.owasp.html"><B>Handler</B></A><<A HREF="../org/owasp/html/Handler.html" title="type parameter in Handler">T</A>> - Interface in <A HREF="../org/owasp/html/package-summary.html">org.owasp.html</A><DD>Receives notification of problems.<DT><A HREF="../org/owasp/html/HtmlChangeListener.html" title="interface in org.owasp.html"><B>HtmlChangeListener</B></A><<A HREF="../org/owasp/html/HtmlChangeListener.html" title="type parameter in HtmlChangeListener">T</A>> - Interface in <A HREF="../org/owasp/html/package-summary.html">org.owasp.html</A><DD>Receives events when an HTML tag, or attribute is discarded.<DT><A HREF="../org/owasp/html/HtmlChangeReporter.html" title="class in org.owasp.html"><B>HtmlChangeReporter</B></A><<A HREF="../org/owasp/html/HtmlChangeReporter.html" title="type parameter in HtmlChangeReporter">T</A>> - Class in <A HREF="../org/owasp/html/package-summary.html">org.owasp.html</A><DD>Sits between the HTML parser, and then policy, and the renderer so that it + can report dropped elements and attributes to an <A HREF="../org/owasp/html/HtmlChangeListener.html" title="interface in org.owasp.html"><CODE>HtmlChangeListener</CODE></A>.<DT><A HREF="../org/owasp/html/HtmlChangeReporter.html#HtmlChangeReporter(org.owasp.html.HtmlStreamEventReceiver, org.owasp.html.HtmlChangeListener, T)"><B>HtmlChangeReporter(HtmlStreamEventReceiver, HtmlChangeListener<? super T>, T)</B></A> - +Constructor for class org.owasp.html.<A HREF="../org/owasp/html/HtmlChangeReporter.html" title="class in org.owasp.html">HtmlChangeReporter</A> +<DD> +<DT><A HREF="../org/owasp/html/HtmlPolicyBuilder.html" title="class in org.owasp.html"><B>HtmlPolicyBuilder</B></A> - Class in <A HREF="../org/owasp/html/package-summary.html">org.owasp.html</A><DD>Conveniences for configuring policies for the <A HREF="../org/owasp/html/HtmlSanitizer.html" title="class in org.owasp.html"><CODE>HtmlSanitizer</CODE></A>.<DT><A HREF="../org/owasp/html/HtmlPolicyBuilder.html#HtmlPolicyBuilder()"><B>HtmlPolicyBuilder()</B></A> - Constructor for class org.owasp.html.<A HREF="../org/owasp/html/HtmlPolicyBuilder.html" title="class in org.owasp.html">HtmlPolicyBuilder</A> <DD> <DT><A HREF="../org/owasp/html/HtmlPolicyBuilder.AttributeBuilder.html" title="class in org.owasp.html"><B>HtmlPolicyBuilder.AttributeBuilder</B></A> - Class in <A HREF="../org/owasp/html/package-summary.html">org.owasp.html</A><DD>Builds the relationship between attributes, the values that they may have, diff --git a/distrib/javadoc/org/owasp/html/Handler.html b/distrib/javadoc/org/owasp/html/Handler.html index c35e159..1bda6b5 100644 --- a/distrib/javadoc/org/owasp/html/Handler.html +++ b/distrib/javadoc/org/owasp/html/Handler.html @@ -54,7 +54,7 @@ function windowTitle() <TR> <TD BGCOLOR="white" CLASS="NavBarCell2"><FONT SIZE="-2"> <A HREF="../../../org/owasp/html/FilterUrlByProtocolAttributePolicy.html" title="class in org.owasp.html"><B>PREV CLASS</B></A> - <A HREF="../../../org/owasp/html/HtmlPolicyBuilder.html" title="class in org.owasp.html"><B>NEXT CLASS</B></A></FONT></TD> + <A HREF="../../../org/owasp/html/HtmlChangeListener.html" title="interface in org.owasp.html"><B>NEXT CLASS</B></A></FONT></TD> <TD BGCOLOR="white" CLASS="NavBarCell2"><FONT SIZE="-2"> <A HREF="../../../index.html?org/owasp/html/Handler.html" target="_top"><B>FRAMES</B></A> <A HREF="Handler.html" target="_top"><B>NO FRAMES</B></A> @@ -237,7 +237,7 @@ void <A HREF="../../../src-html/org/owasp/html/Handler.html#line.40"><B>handle</ <TR> <TD BGCOLOR="white" CLASS="NavBarCell2"><FONT SIZE="-2"> <A HREF="../../../org/owasp/html/FilterUrlByProtocolAttributePolicy.html" title="class in org.owasp.html"><B>PREV CLASS</B></A> - <A HREF="../../../org/owasp/html/HtmlPolicyBuilder.html" title="class in org.owasp.html"><B>NEXT CLASS</B></A></FONT></TD> + <A HREF="../../../org/owasp/html/HtmlChangeListener.html" title="interface in org.owasp.html"><B>NEXT CLASS</B></A></FONT></TD> <TD BGCOLOR="white" CLASS="NavBarCell2"><FONT SIZE="-2"> <A HREF="../../../index.html?org/owasp/html/Handler.html" target="_top"><B>FRAMES</B></A> <A HREF="Handler.html" target="_top"><B>NO FRAMES</B></A> diff --git a/distrib/javadoc/org/owasp/html/HtmlChangeListener.html b/distrib/javadoc/org/owasp/html/HtmlChangeListener.html new file mode 100644 index 0000000..efcf1bf --- /dev/null +++ b/distrib/javadoc/org/owasp/html/HtmlChangeListener.html @@ -0,0 +1,242 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> +<!--NewPage--> +<HTML> +<HEAD> +<META http-equiv="Content-Type" content="text/html; charset=UTF-8"> +<TITLE> +HtmlChangeListener (OWASP Java HTML Sanitizer) +</TITLE> + + +<LINK REL ="stylesheet" TYPE="text/css" HREF="../../../stylesheet.css" TITLE="Style"> + +<SCRIPT type="text/javascript"> +function windowTitle() +{ + if (location.href.indexOf('is-external=true') == -1) { + parent.document.title="HtmlChangeListener (OWASP Java HTML Sanitizer)"; + } +} +</SCRIPT> +<NOSCRIPT> +</NOSCRIPT> + +</HEAD> + +<BODY BGCOLOR="white" onload="windowTitle();"> +<HR> + + +<!-- ========= START OF TOP NAVBAR ======= --> +<A NAME="navbar_top"><!-- --></A> +<A HREF="#skip-navbar_top" title="Skip navigation links"></A> +<TABLE BORDER="0" WIDTH="100%" CELLPADDING="1" CELLSPACING="0" SUMMARY=""> +<TR> +<TD COLSPAN=2 BGCOLOR="#EEEEFF" CLASS="NavBarCell1"> +<A NAME="navbar_top_firstrow"><!-- --></A> +<TABLE BORDER="0" CELLPADDING="0" CELLSPACING="3" SUMMARY=""> + <TR ALIGN="center" VALIGN="top"> + <TD BGCOLOR="#EEEEFF" CLASS="NavBarCell1"> <A HREF="../../../overview-summary.html"><FONT CLASS="NavBarFont1"><B>Overview</B></FONT></A> </TD> + <TD BGCOLOR="#EEEEFF" CLASS="NavBarCell1"> <A HREF="package-summary.html"><FONT CLASS="NavBarFont1"><B>Package</B></FONT></A> </TD> + <TD BGCOLOR="#FFFFFF" CLASS="NavBarCell1Rev"> <FONT CLASS="NavBarFont1Rev"><B>Class</B></FONT> </TD> + <TD BGCOLOR="#EEEEFF" CLASS="NavBarCell1"> <A HREF="class-use/HtmlChangeListener.html"><FONT CLASS="NavBarFont1"><B>Use</B></FONT></A> </TD> + <TD BGCOLOR="#EEEEFF" CLASS="NavBarCell1"> <A HREF="package-tree.html"><FONT CLASS="NavBarFont1"><B>Tree</B></FONT></A> </TD> + <TD BGCOLOR="#EEEEFF" CLASS="NavBarCell1"> <A HREF="../../../deprecated-list.html"><FONT CLASS="NavBarFont1"><B>Deprecated</B></FONT></A> </TD> + <TD BGCOLOR="#EEEEFF" CLASS="NavBarCell1"> <A HREF="../../../index-files/index-1.html"><FONT CLASS="NavBarFont1"><B>Index</B></FONT></A> </TD> + </TR> +</TABLE> +</TD> +<TD ALIGN="right" VALIGN="top" ROWSPAN=3><EM> +<a href="http://code.google.com/p/owasp-java-html-sanitizer" target=_top>code.google.com home</a></EM> +</TD> +</TR> + +<TR> +<TD BGCOLOR="white" CLASS="NavBarCell2"><FONT SIZE="-2"> + <A HREF="../../../org/owasp/html/Handler.html" title="interface in org.owasp.html"><B>PREV CLASS</B></A> + <A HREF="../../../org/owasp/html/HtmlChangeReporter.html" title="class in org.owasp.html"><B>NEXT CLASS</B></A></FONT></TD> +<TD BGCOLOR="white" CLASS="NavBarCell2"><FONT SIZE="-2"> + <A HREF="../../../index.html?org/owasp/html/HtmlChangeListener.html" target="_top"><B>FRAMES</B></A> + <A HREF="HtmlChangeListener.html" target="_top"><B>NO FRAMES</B></A> + <SCRIPT type="text/javascript"> + <!-- + if(window==top) { + document.writeln('<A HREF="../../../allclasses-noframe.html"><B>All Classes</B></A>'); + } + //--> +</SCRIPT> +<NOSCRIPT> + <A HREF="../../../allclasses-noframe.html"><B>All Classes</B></A> +</NOSCRIPT> + + +</FONT></TD> +</TR> +<TR> +<TD VALIGN="top" CLASS="NavBarCell3"><FONT SIZE="-2"> + SUMMARY: NESTED | FIELD | CONSTR | <A HREF="#method_summary">METHOD</A></FONT></TD> +<TD VALIGN="top" CLASS="NavBarCell3"><FONT SIZE="-2"> +DETAIL: FIELD | CONSTR | <A HREF="#method_detail">METHOD</A></FONT></TD> +</TR> +</TABLE> +<A NAME="skip-navbar_top"></A> +<!-- ========= END OF TOP NAVBAR ========= --> + +<HR> +<!-- ======== START OF CLASS DATA ======== --> +<H2> +<FONT SIZE="-1"> +org.owasp.html</FONT> +<BR> +Interface HtmlChangeListener<T></H2> +<HR> +<DL> +<DT><PRE>public interface <A HREF="../../../src-html/org/owasp/html/HtmlChangeListener.html#line.38"><B>HtmlChangeListener<T></B></A></DL> +</PRE> + +<P> +Receives events when an HTML tag, or attribute is discarded. + This can be hooked into an intrusion detection system to alert code when + suspicious HTML passes through the sanitizer. +<P> + +<P> +<HR> + +<P> + +<!-- ========== METHOD SUMMARY =========== --> + +<A NAME="method_summary"><!-- --></A> +<TABLE BORDER="1" WIDTH="100%" CELLPADDING="3" CELLSPACING="0" SUMMARY=""> +<TR BGCOLOR="#CCCCFF" CLASS="TableHeadingColor"> +<TH ALIGN="left" COLSPAN="2"><FONT SIZE="+2"> +<B>Method Summary</B></FONT></TH> +</TR> +<TR BGCOLOR="white" CLASS="TableRowColor"> +<TD ALIGN="right" VALIGN="top" WIDTH="1%"><FONT SIZE="-1"> +<CODE> void</CODE></FONT></TD> +<TD><CODE><B><A HREF="../../../org/owasp/html/HtmlChangeListener.html#discardedAttributes(T, java.lang.String, java.lang.String...)">discardedAttributes</A></B>(<A HREF="../../../org/owasp/html/HtmlChangeListener.html" title="type parameter in HtmlChangeListener">T</A> context, + java.lang.String tagName, + java.lang.String... attributeNames)</CODE> + +<BR> + Called when attributes are discarded + from the input but the containing tag is not.</TD> +</TR> +<TR BGCOLOR="white" CLASS="TableRowColor"> +<TD ALIGN="right" VALIGN="top" WIDTH="1%"><FONT SIZE="-1"> +<CODE> void</CODE></FONT></TD> +<TD><CODE><B><A HREF="../../../org/owasp/html/HtmlChangeListener.html#discardedTag(T, java.lang.String)">discardedTag</A></B>(<A HREF="../../../org/owasp/html/HtmlChangeListener.html" title="type parameter in HtmlChangeListener">T</A> context, + java.lang.String elementName)</CODE> + +<BR> + Called when a tag is discarded from the input.</TD> +</TR> +</TABLE> + +<P> + +<!-- ============ METHOD DETAIL ========== --> + +<A NAME="method_detail"><!-- --></A> +<TABLE BORDER="1" WIDTH="100%" CELLPADDING="3" CELLSPACING="0" SUMMARY=""> +<TR BGCOLOR="#CCCCFF" CLASS="TableHeadingColor"> +<TH ALIGN="left" COLSPAN="1"><FONT SIZE="+2"> +<B>Method Detail</B></FONT></TH> +</TR> +</TABLE> + +<A NAME="discardedTag(java.lang.Object,java.lang.String)"><!-- --></A><A NAME="discardedTag(T, java.lang.String)"><!-- --></A><H3> +discardedTag</H3> +<PRE> +void <A HREF="../../../src-html/org/owasp/html/HtmlChangeListener.html#line.41"><B>discardedTag</B></A>(<FONT SIZE="-1">@Nullable</FONT> + <A HREF="../../../org/owasp/html/HtmlChangeListener.html" title="type parameter in HtmlChangeListener">T</A> context, + java.lang.String elementName)</PRE> +<DL> +<DD>Called when a tag is discarded from the input. +<P> +<DD><DL> +</DL> +</DD> +</DL> +<HR> + +<A NAME="discardedAttributes(java.lang.Object,java.lang.String,java.lang.String[])"><!-- --></A><A NAME="discardedAttributes(T, java.lang.String, java.lang.String...)"><!-- --></A><H3> +discardedAttributes</H3> +<PRE> +void <A HREF="../../../src-html/org/owasp/html/HtmlChangeListener.html#line.47"><B>discardedAttributes</B></A>(<FONT SIZE="-1">@Nullable</FONT> + <A HREF="../../../org/owasp/html/HtmlChangeListener.html" title="type parameter in HtmlChangeListener">T</A> context, + java.lang.String tagName, + java.lang.String... attributeNames)</PRE> +<DL> +<DD>Called when attributes are discarded + from the input but the containing tag is not. +<P> +<DD><DL> +</DL> +</DD> +</DL> +<!-- ========= END OF CLASS DATA ========= --> +<HR> + + +<!-- ======= START OF BOTTOM NAVBAR ====== --> +<A NAME="navbar_bottom"><!-- --></A> +<A HREF="#skip-navbar_bottom" title="Skip navigation links"></A> +<TABLE BORDER="0" WIDTH="100%" CELLPADDING="1" CELLSPACING="0" SUMMARY=""> +<TR> +<TD COLSPAN=2 BGCOLOR="#EEEEFF" CLASS="NavBarCell1"> +<A NAME="navbar_bottom_firstrow"><!-- --></A> +<TABLE BORDER="0" CELLPADDING="0" CELLSPACING="3" SUMMARY=""> + <TR ALIGN="center" VALIGN="top"> + <TD BGCOLOR="#EEEEFF" CLASS="NavBarCell1"> <A HREF="../../../overview-summary.html"><FONT CLASS="NavBarFont1"><B>Overview</B></FONT></A> </TD> + <TD BGCOLOR="#EEEEFF" CLASS="NavBarCell1"> <A HREF="package-summary.html"><FONT CLASS="NavBarFont1"><B>Package</B></FONT></A> </TD> + <TD BGCOLOR="#FFFFFF" CLASS="NavBarCell1Rev"> <FONT CLASS="NavBarFont1Rev"><B>Class</B></FONT> </TD> + <TD BGCOLOR="#EEEEFF" CLASS="NavBarCell1"> <A HREF="class-use/HtmlChangeListener.html"><FONT CLASS="NavBarFont1"><B>Use</B></FONT></A> </TD> + <TD BGCOLOR="#EEEEFF" CLASS="NavBarCell1"> <A HREF="package-tree.html"><FONT CLASS="NavBarFont1"><B>Tree</B></FONT></A> </TD> + <TD BGCOLOR="#EEEEFF" CLASS="NavBarCell1"> <A HREF="../../../deprecated-list.html"><FONT CLASS="NavBarFont1"><B>Deprecated</B></FONT></A> </TD> + <TD BGCOLOR="#EEEEFF" CLASS="NavBarCell1"> <A HREF="../../../index-files/index-1.html"><FONT CLASS="NavBarFont1"><B>Index</B></FONT></A> </TD> + </TR> +</TABLE> +</TD> +<TD ALIGN="right" VALIGN="top" ROWSPAN=3><EM> +<a href="http://code.google.com/p/owasp-java-html-sanitizer" target=_top>code.google.com home</a></EM> +</TD> +</TR> + +<TR> +<TD BGCOLOR="white" CLASS="NavBarCell2"><FONT SIZE="-2"> + <A HREF="../../../org/owasp/html/Handler.html" title="interface in org.owasp.html"><B>PREV CLASS</B></A> + <A HREF="../../../org/owasp/html/HtmlChangeReporter.html" title="class in org.owasp.html"><B>NEXT CLASS</B></A></FONT></TD> +<TD BGCOLOR="white" CLASS="NavBarCell2"><FONT SIZE="-2"> + <A HREF="../../../index.html?org/owasp/html/HtmlChangeListener.html" target="_top"><B>FRAMES</B></A> + <A HREF="HtmlChangeListener.html" target="_top"><B>NO FRAMES</B></A> + <SCRIPT type="text/javascript"> + <!-- + if(window==top) { + document.writeln('<A HREF="../../../allclasses-noframe.html"><B>All Classes</B></A>'); + } + //--> +</SCRIPT> +<NOSCRIPT> + <A HREF="../../../allclasses-noframe.html"><B>All Classes</B></A> +</NOSCRIPT> + + +</FONT></TD> +</TR> +<TR> +<TD VALIGN="top" CLASS="NavBarCell3"><FONT SIZE="-2"> + SUMMARY: NESTED | FIELD | CONSTR | <A HREF="#method_summary">METHOD</A></FONT></TD> +<TD VALIGN="top" CLASS="NavBarCell3"><FONT SIZE="-2"> +DETAIL: FIELD | CONSTR | <A HREF="#method_detail">METHOD</A></FONT></TD> +</TR> +</TABLE> +<A NAME="skip-navbar_bottom"></A> +<!-- ======== END OF BOTTOM NAVBAR ======= --> + +<HR> + +</BODY> +</HTML> diff --git a/distrib/javadoc/org/owasp/html/HtmlChangeReporter.html b/distrib/javadoc/org/owasp/html/HtmlChangeReporter.html new file mode 100644 index 0000000..b7dbe69 --- /dev/null +++ b/distrib/javadoc/org/owasp/html/HtmlChangeReporter.html @@ -0,0 +1,313 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> +<!--NewPage--> +<HTML> +<HEAD> +<META http-equiv="Content-Type" content="text/html; charset=UTF-8"> +<TITLE> +HtmlChangeReporter (OWASP Java HTML Sanitizer) +</TITLE> + + +<LINK REL ="stylesheet" TYPE="text/css" HREF="../../../stylesheet.css" TITLE="Style"> + +<SCRIPT type="text/javascript"> +function windowTitle() +{ + if (location.href.indexOf('is-external=true') == -1) { + parent.document.title="HtmlChangeReporter (OWASP Java HTML Sanitizer)"; + } +} +</SCRIPT> +<NOSCRIPT> +</NOSCRIPT> + +</HEAD> + +<BODY BGCOLOR="white" onload="windowTitle();"> +<HR> + + +<!-- ========= START OF TOP NAVBAR ======= --> +<A NAME="navbar_top"><!-- --></A> +<A HREF="#skip-navbar_top" title="Skip navigation links"></A> +<TABLE BORDER="0" WIDTH="100%" CELLPADDING="1" CELLSPACING="0" SUMMARY=""> +<TR> +<TD COLSPAN=2 BGCOLOR="#EEEEFF" CLASS="NavBarCell1"> +<A NAME="navbar_top_firstrow"><!-- --></A> +<TABLE BORDER="0" CELLPADDING="0" CELLSPACING="3" SUMMARY=""> + <TR ALIGN="center" VALIGN="top"> + <TD BGCOLOR="#EEEEFF" CLASS="NavBarCell1"> <A HREF="../../../overview-summary.html"><FONT CLASS="NavBarFont1"><B>Overview</B></FONT></A> </TD> + <TD BGCOLOR="#EEEEFF" CLASS="NavBarCell1"> <A HREF="package-summary.html"><FONT CLASS="NavBarFont1"><B>Package</B></FONT></A> </TD> + <TD BGCOLOR="#FFFFFF" CLASS="NavBarCell1Rev"> <FONT CLASS="NavBarFont1Rev"><B>Class</B></FONT> </TD> + <TD BGCOLOR="#EEEEFF" CLASS="NavBarCell1"> <A HREF="class-use/HtmlChangeReporter.html"><FONT CLASS="NavBarFont1"><B>Use</B></FONT></A> </TD> + <TD BGCOLOR="#EEEEFF" CLASS="NavBarCell1"> <A HREF="package-tree.html"><FONT CLASS="NavBarFont1"><B>Tree</B></FONT></A> </TD> + <TD BGCOLOR="#EEEEFF" CLASS="NavBarCell1"> <A HREF="../../../deprecated-list.html"><FONT CLASS="NavBarFont1"><B>Deprecated</B></FONT></A> </TD> + <TD BGCOLOR="#EEEEFF" CLASS="NavBarCell1"> <A HREF="../../../index-files/index-1.html"><FONT CLASS="NavBarFont1"><B>Index</B></FONT></A> </TD> + </TR> +</TABLE> +</TD> +<TD ALIGN="right" VALIGN="top" ROWSPAN=3><EM> +<a href="http://code.google.com/p/owasp-java-html-sanitizer" target=_top>code.google.com home</a></EM> +</TD> +</TR> + +<TR> +<TD BGCOLOR="white" CLASS="NavBarCell2"><FONT SIZE="-2"> + <A HREF="../../../org/owasp/html/HtmlChangeListener.html" title="interface in org.owasp.html"><B>PREV CLASS</B></A> + <A HREF="../../../org/owasp/html/HtmlPolicyBuilder.html" title="class in org.owasp.html"><B>NEXT CLASS</B></A></FONT></TD> +<TD BGCOLOR="white" CLASS="NavBarCell2"><FONT SIZE="-2"> + <A HREF="../../../index.html?org/owasp/html/HtmlChangeReporter.html" target="_top"><B>FRAMES</B></A> + <A HREF="HtmlChangeReporter.html" target="_top"><B>NO FRAMES</B></A> + <SCRIPT type="text/javascript"> + <!-- + if(window==top) { + document.writeln('<A HREF="../../../allclasses-noframe.html"><B>All Classes</B></A>'); + } + //--> +</SCRIPT> +<NOSCRIPT> + <A HREF="../../../allclasses-noframe.html"><B>All Classes</B></A> +</NOSCRIPT> + + +</FONT></TD> +</TR> +<TR> +<TD VALIGN="top" CLASS="NavBarCell3"><FONT SIZE="-2"> + SUMMARY: NESTED | FIELD | <A HREF="#constructor_summary">CONSTR</A> | <A HREF="#method_summary">METHOD</A></FONT></TD> +<TD VALIGN="top" CLASS="NavBarCell3"><FONT SIZE="-2"> +DETAIL: FIELD | <A HREF="#constructor_detail">CONSTR</A> | <A HREF="#method_detail">METHOD</A></FONT></TD> +</TR> +</TABLE> +<A NAME="skip-navbar_top"></A> +<!-- ========= END OF TOP NAVBAR ========= --> + +<HR> +<!-- ======== START OF CLASS DATA ======== --> +<H2> +<FONT SIZE="-1"> +org.owasp.html</FONT> +<BR> +Class HtmlChangeReporter<T></H2> +<PRE> +java.lang.Object + <IMG SRC="../../../resources/inherit.gif" ALT="extended by "><B>org.owasp.html.HtmlChangeReporter<T></B> +</PRE> +<DL> +<DT><DT><B>Type Parameters:</B><DD><CODE>T</CODE> - The type of context value passed to the</DL> +<HR> +<DL> +<DT><PRE>public final class <A HREF="../../../src-html/org/owasp/html/HtmlChangeReporter.html#line.54"><B>HtmlChangeReporter<T></B></A><DT>extends java.lang.Object</DL> +</PRE> + +<P> +Sits between the HTML parser, and then policy, and the renderer so that it + can report dropped elements and attributes to an <A HREF="../../../org/owasp/html/HtmlChangeListener.html" title="interface in org.owasp.html"><CODE>HtmlChangeListener</CODE></A>. + + <pre> + HtmlChangeReporter<T> hcr = new HtmlChangeReporter<T>( + renderer, htmlChangeListener, context); + hcr.setPolicy(policyFactory.apply(hcr.getWrappedRenderer())); + HtmlSanitizer.sanitize(html, hcr.getWrappedPolicy()); + </pre> + + The renderer receives events from the policy unchanged, but the reporter + notices differences between the events from the lexer and those from the + policy. +<P> + +<P> +<HR> + +<P> + +<!-- ======== CONSTRUCTOR SUMMARY ======== --> + +<A NAME="constructor_summary"><!-- --></A> +<TABLE BORDER="1" WIDTH="100%" CELLPADDING="3" CELLSPACING="0" SUMMARY=""> +<TR BGCOLOR="#CCCCFF" CLASS="TableHeadingColor"> +<TH ALIGN="left" COLSPAN="2"><FONT SIZE="+2"> +<B>Constructor Summary</B></FONT></TH> +</TR> +<TR BGCOLOR="white" CLASS="TableRowColor"> +<TD><CODE><B><A HREF="../../../org/owasp/html/HtmlChangeReporter.html#HtmlChangeReporter(org.owasp.html.HtmlStreamEventReceiver, org.owasp.html.HtmlChangeListener, T)">HtmlChangeReporter</A></B>(<A HREF="../../../org/owasp/html/HtmlStreamEventReceiver.html" title="interface in org.owasp.html">HtmlStreamEventReceiver</A> renderer, + <A HREF="../../../org/owasp/html/HtmlChangeListener.html" title="interface in org.owasp.html">HtmlChangeListener</A><? super <A HREF="../../../org/owasp/html/HtmlChangeReporter.html" title="type parameter in HtmlChangeReporter">T</A>> listener, + <A HREF="../../../org/owasp/html/HtmlChangeReporter.html" title="type parameter in HtmlChangeReporter">T</A> context)</CODE> + +<BR> + </TD> +</TR> +</TABLE> + +<!-- ========== METHOD SUMMARY =========== --> + +<A NAME="method_summary"><!-- --></A> +<TABLE BORDER="1" WIDTH="100%" CELLPADDING="3" CELLSPACING="0" SUMMARY=""> +<TR BGCOLOR="#CCCCFF" CLASS="TableHeadingColor"> +<TH ALIGN="left" COLSPAN="2"><FONT SIZE="+2"> +<B>Method Summary</B></FONT></TH> +</TR> +<TR BGCOLOR="white" CLASS="TableRowColor"> +<TD ALIGN="right" VALIGN="top" WIDTH="1%"><FONT SIZE="-1"> +<CODE> <A HREF="../../../org/owasp/html/HtmlSanitizer.Policy.html" title="interface in org.owasp.html">HtmlSanitizer.Policy</A></CODE></FONT></TD> +<TD><CODE><B><A HREF="../../../org/owasp/html/HtmlChangeReporter.html#getWrappedPolicy()">getWrappedPolicy</A></B>()</CODE> + +<BR> + </TD> +</TR> +<TR BGCOLOR="white" CLASS="TableRowColor"> +<TD ALIGN="right" VALIGN="top" WIDTH="1%"><FONT SIZE="-1"> +<CODE> <A HREF="../../../org/owasp/html/HtmlStreamEventReceiver.html" title="interface in org.owasp.html">HtmlStreamEventReceiver</A></CODE></FONT></TD> +<TD><CODE><B><A HREF="../../../org/owasp/html/HtmlChangeReporter.html#getWrappedRenderer()">getWrappedRenderer</A></B>()</CODE> + +<BR> + </TD> +</TR> +<TR BGCOLOR="white" CLASS="TableRowColor"> +<TD ALIGN="right" VALIGN="top" WIDTH="1%"><FONT SIZE="-1"> +<CODE> void</CODE></FONT></TD> +<TD><CODE><B><A HREF="../../../org/owasp/html/HtmlChangeReporter.html#setPolicy(org.owasp.html.HtmlSanitizer.Policy)">setPolicy</A></B>(<A HREF="../../../org/owasp/html/HtmlSanitizer.Policy.html" title="interface in org.owasp.html">HtmlSanitizer.Policy</A> policy)</CODE> + +<BR> + Associates an input channel.</TD> +</TR> +</TABLE> + <A NAME="methods_inherited_from_class_java.lang.Object"><!-- --></A> +<TABLE BORDER="1" WIDTH="100%" CELLPADDING="3" CELLSPACING="0" SUMMARY=""> +<TR BGCOLOR="#EEEEFF" CLASS="TableSubHeadingColor"> +<TH ALIGN="left"><B>Methods inherited from class java.lang.Object</B></TH> +</TR> +<TR BGCOLOR="white" CLASS="TableRowColor"> +<TD><CODE>clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait</CODE></TD> +</TR> +</TABLE> + +<P> + +<!-- ========= CONSTRUCTOR DETAIL ======== --> + +<A NAME="constructor_detail"><!-- --></A> +<TABLE BORDER="1" WIDTH="100%" CELLPADDING="3" CELLSPACING="0" SUMMARY=""> +<TR BGCOLOR="#CCCCFF" CLASS="TableHeadingColor"> +<TH ALIGN="left" COLSPAN="1"><FONT SIZE="+2"> +<B>Constructor Detail</B></FONT></TH> +</TR> +</TABLE> + +<A NAME="HtmlChangeReporter(org.owasp.html.HtmlStreamEventReceiver,org.owasp.html.HtmlChangeListener,java.lang.Object)"><!-- --></A><A NAME="HtmlChangeReporter(org.owasp.html.HtmlStreamEventReceiver, org.owasp.html.HtmlChangeListener, T)"><!-- --></A><H3> +HtmlChangeReporter</H3> +<PRE> +public <A HREF="../../../src-html/org/owasp/html/HtmlChangeReporter.html#line.58"><B>HtmlChangeReporter</B></A>(<A HREF="../../../org/owasp/html/HtmlStreamEventReceiver.html" title="interface in org.owasp.html">HtmlStreamEventReceiver</A> renderer, + <A HREF="../../../org/owasp/html/HtmlChangeListener.html" title="interface in org.owasp.html">HtmlChangeListener</A><? super <A HREF="../../../org/owasp/html/HtmlChangeReporter.html" title="type parameter in HtmlChangeReporter">T</A>> listener, + <FONT SIZE="-1">@Nullable</FONT> + <A HREF="../../../org/owasp/html/HtmlChangeReporter.html" title="type parameter in HtmlChangeReporter">T</A> context)</PRE> +<DL> +</DL> + +<!-- ============ METHOD DETAIL ========== --> + +<A NAME="method_detail"><!-- --></A> +<TABLE BORDER="1" WIDTH="100%" CELLPADDING="3" CELLSPACING="0" SUMMARY=""> +<TR BGCOLOR="#CCCCFF" CLASS="TableHeadingColor"> +<TH ALIGN="left" COLSPAN="1"><FONT SIZE="+2"> +<B>Method Detail</B></FONT></TH> +</TR> +</TABLE> + +<A NAME="setPolicy(org.owasp.html.HtmlSanitizer.Policy)"><!-- --></A><H3> +setPolicy</H3> +<PRE> +public void <A HREF="../../../src-html/org/owasp/html/HtmlChangeReporter.html#line.69"><B>setPolicy</B></A>(<A HREF="../../../org/owasp/html/HtmlSanitizer.Policy.html" title="interface in org.owasp.html">HtmlSanitizer.Policy</A> policy)</PRE> +<DL> +<DD>Associates an input channel. <code>this</code> receives events and forwards + them to input. +<P> +<DD><DL> +</DL> +</DD> +</DL> +<HR> + +<A NAME="getWrappedRenderer()"><!-- --></A><H3> +getWrappedRenderer</H3> +<PRE> +public <A HREF="../../../org/owasp/html/HtmlStreamEventReceiver.html" title="interface in org.owasp.html">HtmlStreamEventReceiver</A> <A HREF="../../../src-html/org/owasp/html/HtmlChangeReporter.html#line.73"><B>getWrappedRenderer</B></A>()</PRE> +<DL> +<DD><DL> +</DL> +</DD> +</DL> +<HR> + +<A NAME="getWrappedPolicy()"><!-- --></A><H3> +getWrappedPolicy</H3> +<PRE> +public <A HREF="../../../org/owasp/html/HtmlSanitizer.Policy.html" title="interface in org.owasp.html">HtmlSanitizer.Policy</A> <A HREF="../../../src-html/org/owasp/html/HtmlChangeReporter.html#line.75"><B>getWrappedPolicy</B></A>()</PRE> +<DL> +<DD><DL> +</DL> +</DD> +</DL> +<!-- ========= END OF CLASS DATA ========= --> +<HR> + + +<!-- ======= START OF BOTTOM NAVBAR ====== --> +<A NAME="navbar_bottom"><!-- --></A> +<A HREF="#skip-navbar_bottom" title="Skip navigation links"></A> +<TABLE BORDER="0" WIDTH="100%" CELLPADDING="1" CELLSPACING="0" SUMMARY=""> +<TR> +<TD COLSPAN=2 BGCOLOR="#EEEEFF" CLASS="NavBarCell1"> +<A NAME="navbar_bottom_firstrow"><!-- --></A> +<TABLE BORDER="0" CELLPADDING="0" CELLSPACING="3" SUMMARY=""> + <TR ALIGN="center" VALIGN="top"> + <TD BGCOLOR="#EEEEFF" CLASS="NavBarCell1"> <A HREF="../../../overview-summary.html"><FONT CLASS="NavBarFont1"><B>Overview</B></FONT></A> </TD> + <TD BGCOLOR="#EEEEFF" CLASS="NavBarCell1"> <A HREF="package-summary.html"><FONT CLASS="NavBarFont1"><B>Package</B></FONT></A> </TD> + <TD BGCOLOR="#FFFFFF" CLASS="NavBarCell1Rev"> <FONT CLASS="NavBarFont1Rev"><B>Class</B></FONT> </TD> + <TD BGCOLOR="#EEEEFF" CLASS="NavBarCell1"> <A HREF="class-use/HtmlChangeReporter.html"><FONT CLASS="NavBarFont1"><B>Use</B></FONT></A> </TD> + <TD BGCOLOR="#EEEEFF" CLASS="NavBarCell1"> <A HREF="package-tree.html"><FONT CLASS="NavBarFont1"><B>Tree</B></FONT></A> </TD> + <TD BGCOLOR="#EEEEFF" CLASS="NavBarCell1"> <A HREF="../../../deprecated-list.html"><FONT CLASS="NavBarFont1"><B>Deprecated</B></FONT></A> </TD> + <TD BGCOLOR="#EEEEFF" CLASS="NavBarCell1"> <A HREF="../../../index-files/index-1.html"><FONT CLASS="NavBarFont1"><B>Index</B></FONT></A> </TD> + </TR> +</TABLE> +</TD> +<TD ALIGN="right" VALIGN="top" ROWSPAN=3><EM> +<a href="http://code.google.com/p/owasp-java-html-sanitizer" target=_top>code.google.com home</a></EM> +</TD> +</TR> + +<TR> +<TD BGCOLOR="white" CLASS="NavBarCell2"><FONT SIZE="-2"> + <A HREF="../../../org/owasp/html/HtmlChangeListener.html" title="interface in org.owasp.html"><B>PREV CLASS</B></A> + <A HREF="../../../org/owasp/html/HtmlPolicyBuilder.html" title="class in org.owasp.html"><B>NEXT CLASS</B></A></FONT></TD> +<TD BGCOLOR="white" CLASS="NavBarCell2"><FONT SIZE="-2"> + <A HREF="../../../index.html?org/owasp/html/HtmlChangeReporter.html" target="_top"><B>FRAMES</B></A> + <A HREF="HtmlChangeReporter.html" target="_top"><B>NO FRAMES</B></A> + <SCRIPT type="text/javascript"> + <!-- + if(window==top) { + document.writeln('<A HREF="../../../allclasses-noframe.html"><B>All Classes</B></A>'); + } + //--> +</SCRIPT> +<NOSCRIPT> + <A HREF="../../../allclasses-noframe.html"><B>All Classes</B></A> +</NOSCRIPT> + + +</FONT></TD> +</TR> +<TR> +<TD VALIGN="top" CLASS="NavBarCell3"><FONT SIZE="-2"> + SUMMARY: NESTED | FIELD | <A HREF="#constructor_summary">CONSTR</A> | <A HREF="#method_summary">METHOD</A></FONT></TD> +<TD VALIGN="top" CLASS="NavBarCell3"><FONT SIZE="-2"> +DETAIL: FIELD | <A HREF="#constructor_detail">CONSTR</A> | <A HREF="#method_detail">METHOD</A></FONT></TD> +</TR> +</TABLE> +<A NAME="skip-navbar_bottom"></A> +<!-- ======== END OF BOTTOM NAVBAR ======= --> + +<HR> + +</BODY> +</HTML> diff --git a/distrib/javadoc/org/owasp/html/HtmlPolicyBuilder.AttributeBuilder.html b/distrib/javadoc/org/owasp/html/HtmlPolicyBuilder.AttributeBuilder.html index 1ef8c30..ced7c90 100644 --- a/distrib/javadoc/org/owasp/html/HtmlPolicyBuilder.AttributeBuilder.html +++ b/distrib/javadoc/org/owasp/html/HtmlPolicyBuilder.AttributeBuilder.html @@ -98,7 +98,7 @@ java.lang.Object </DL> <HR> <DL> -<DT><PRE>public final class <A HREF="../../../src-html/org/owasp/html/HtmlPolicyBuilder.html#line.555"><B>HtmlPolicyBuilder.AttributeBuilder</B></A><DT>extends java.lang.Object</DL> +<DT><PRE>public final class <A HREF="../../../src-html/org/owasp/html/HtmlPolicyBuilder.html#line.575"><B>HtmlPolicyBuilder.AttributeBuilder</B></A><DT>extends java.lang.Object</DL> </PRE> <P> @@ -214,7 +214,7 @@ Builds the relationship between attributes, the values that they may have, <A NAME="matching(org.owasp.html.AttributePolicy)"><!-- --></A><H3> matching</H3> <PRE> -public <A HREF="../../../org/owasp/html/HtmlPolicyBuilder.AttributeBuilder.html" title="class in org.owasp.html">HtmlPolicyBuilder.AttributeBuilder</A> <A HREF="../../../src-html/org/owasp/html/HtmlPolicyBuilder.AttributeBuilder.html#line.570"><B>matching</B></A>(<A HREF="../../../org/owasp/html/AttributePolicy.html" title="interface in org.owasp.html">AttributePolicy</A> policy)</PRE> +public <A HREF="../../../org/owasp/html/HtmlPolicyBuilder.AttributeBuilder.html" title="class in org.owasp.html">HtmlPolicyBuilder.AttributeBuilder</A> <A HREF="../../../src-html/org/owasp/html/HtmlPolicyBuilder.AttributeBuilder.html#line.590"><B>matching</B></A>(<A HREF="../../../org/owasp/html/AttributePolicy.html" title="interface in org.owasp.html">AttributePolicy</A> policy)</PRE> <DL> <DD>Filters and/or transforms the attribute values allowed by later <code>allow*</code> calls. @@ -231,7 +231,7 @@ public <A HREF="../../../org/owasp/html/HtmlPolicyBuilder.AttributeBuilder.html" <A NAME="matching(java.util.regex.Pattern)"><!-- --></A><H3> matching</H3> <PRE> -public <A HREF="../../../org/owasp/html/HtmlPolicyBuilder.AttributeBuilder.html" title="class in org.owasp.html">HtmlPolicyBuilder.AttributeBuilder</A> <A HREF="../../../src-html/org/owasp/html/HtmlPolicyBuilder.AttributeBuilder.html#line.581"><B>matching</B></A>(java.util.regex.Pattern pattern)</PRE> +public <A HREF="../../../org/owasp/html/HtmlPolicyBuilder.AttributeBuilder.html" title="class in org.owasp.html">HtmlPolicyBuilder.AttributeBuilder</A> <A HREF="../../../src-html/org/owasp/html/HtmlPolicyBuilder.AttributeBuilder.html#line.601"><B>matching</B></A>(java.util.regex.Pattern pattern)</PRE> <DL> <DD>Restrict the values allowed by later <code>allow*</code> calls to those matching the pattern. @@ -247,7 +247,7 @@ public <A HREF="../../../org/owasp/html/HtmlPolicyBuilder.AttributeBuilder.html" <A NAME="matching(com.google.common.base.Predicate)"><!-- --></A><H3> matching</H3> <PRE> -public <A HREF="../../../org/owasp/html/HtmlPolicyBuilder.AttributeBuilder.html" title="class in org.owasp.html">HtmlPolicyBuilder.AttributeBuilder</A> <A HREF="../../../src-html/org/owasp/html/HtmlPolicyBuilder.AttributeBuilder.html#line.596"><B>matching</B></A>(com.google.common.base.Predicate<? super java.lang.String> filter)</PRE> +public <A HREF="../../../org/owasp/html/HtmlPolicyBuilder.AttributeBuilder.html" title="class in org.owasp.html">HtmlPolicyBuilder.AttributeBuilder</A> <A HREF="../../../src-html/org/owasp/html/HtmlPolicyBuilder.AttributeBuilder.html#line.616"><B>matching</B></A>(com.google.common.base.Predicate<? super java.lang.String> filter)</PRE> <DL> <DD>Restrict the values allowed by later <code>allow*</code> calls to those matching the given predicate. @@ -263,7 +263,7 @@ public <A HREF="../../../org/owasp/html/HtmlPolicyBuilder.AttributeBuilder.html" <A NAME="matching(boolean, java.lang.String...)"><!-- --></A><H3> matching</H3> <PRE> -public <A HREF="../../../org/owasp/html/HtmlPolicyBuilder.AttributeBuilder.html" title="class in org.owasp.html">HtmlPolicyBuilder.AttributeBuilder</A> <A HREF="../../../src-html/org/owasp/html/HtmlPolicyBuilder.AttributeBuilder.html#line.612"><B>matching</B></A>(boolean ignoreCase, +public <A HREF="../../../org/owasp/html/HtmlPolicyBuilder.AttributeBuilder.html" title="class in org.owasp.html">HtmlPolicyBuilder.AttributeBuilder</A> <A HREF="../../../src-html/org/owasp/html/HtmlPolicyBuilder.AttributeBuilder.html#line.632"><B>matching</B></A>(boolean ignoreCase, java.lang.String... allowedValues)</PRE> <DL> <DD>Restrict the values allowed by later <code>allow*</code> calls to those @@ -280,7 +280,7 @@ public <A HREF="../../../org/owasp/html/HtmlPolicyBuilder.AttributeBuilder.html" <A NAME="matching(boolean, java.util.Set)"><!-- --></A><H3> matching</H3> <PRE> -public <A HREF="../../../org/owasp/html/HtmlPolicyBuilder.AttributeBuilder.html" title="class in org.owasp.html">HtmlPolicyBuilder.AttributeBuilder</A> <A HREF="../../../src-html/org/owasp/html/HtmlPolicyBuilder.AttributeBuilder.html#line.623"><B>matching</B></A>(boolean ignoreCase, +public <A HREF="../../../org/owasp/html/HtmlPolicyBuilder.AttributeBuilder.html" title="class in org.owasp.html">HtmlPolicyBuilder.AttributeBuilder</A> <A HREF="../../../src-html/org/owasp/html/HtmlPolicyBuilder.AttributeBuilder.html#line.643"><B>matching</B></A>(boolean ignoreCase, java.util.Set<? extends java.lang.String> allowedValues)</PRE> <DL> <DD>Restrict the values allowed by later <code>allow*</code> calls to those @@ -297,7 +297,7 @@ public <A HREF="../../../org/owasp/html/HtmlPolicyBuilder.AttributeBuilder.html" <A NAME="globally()"><!-- --></A><H3> globally</H3> <PRE> -public <A HREF="../../../org/owasp/html/HtmlPolicyBuilder.html" title="class in org.owasp.html">HtmlPolicyBuilder</A> <A HREF="../../../src-html/org/owasp/html/HtmlPolicyBuilder.AttributeBuilder.html#line.647"><B>globally</B></A>()</PRE> +public <A HREF="../../../org/owasp/html/HtmlPolicyBuilder.html" title="class in org.owasp.html">HtmlPolicyBuilder</A> <A HREF="../../../src-html/org/owasp/html/HtmlPolicyBuilder.AttributeBuilder.html#line.667"><B>globally</B></A>()</PRE> <DL> <DD>Allows the given attributes on any elements but filters the attributes' values based on previous calls to <code>matching(...)</code>. @@ -319,7 +319,7 @@ public <A HREF="../../../org/owasp/html/HtmlPolicyBuilder.html" title="class in <A NAME="onElements(java.lang.String...)"><!-- --></A><H3> onElements</H3> <PRE> -public <A HREF="../../../org/owasp/html/HtmlPolicyBuilder.html" title="class in org.owasp.html">HtmlPolicyBuilder</A> <A HREF="../../../src-html/org/owasp/html/HtmlPolicyBuilder.AttributeBuilder.html#line.656"><B>onElements</B></A>(java.lang.String... elementNames)</PRE> +public <A HREF="../../../org/owasp/html/HtmlPolicyBuilder.html" title="class in org.owasp.html">HtmlPolicyBuilder</A> <A HREF="../../../src-html/org/owasp/html/HtmlPolicyBuilder.AttributeBuilder.html#line.676"><B>onElements</B></A>(java.lang.String... elementNames)</PRE> <DL> <DD>Allows the named attributes on the given elements but filters the attributes' values based on previous calls to <code>matching(...)</code>. diff --git a/distrib/javadoc/org/owasp/html/HtmlPolicyBuilder.html b/distrib/javadoc/org/owasp/html/HtmlPolicyBuilder.html index bcdfb0c..a09fc80 100644 --- a/distrib/javadoc/org/owasp/html/HtmlPolicyBuilder.html +++ b/distrib/javadoc/org/owasp/html/HtmlPolicyBuilder.html @@ -53,7 +53,7 @@ function windowTitle() <TR> <TD BGCOLOR="white" CLASS="NavBarCell2"><FONT SIZE="-2"> - <A HREF="../../../org/owasp/html/Handler.html" title="interface in org.owasp.html"><B>PREV CLASS</B></A> + <A HREF="../../../org/owasp/html/HtmlChangeReporter.html" title="class in org.owasp.html"><B>PREV CLASS</B></A> <A HREF="../../../org/owasp/html/HtmlPolicyBuilder.AttributeBuilder.html" title="class in org.owasp.html"><B>NEXT CLASS</B></A></FONT></TD> <TD BGCOLOR="white" CLASS="NavBarCell2"><FONT SIZE="-2"> <A HREF="../../../index.html?org/owasp/html/HtmlPolicyBuilder.html" target="_top"><B>FRAMES</B></A> @@ -106,7 +106,7 @@ Conveniences for configuring policies for the <A HREF="../../../org/owasp/html/H <p> To create a policy, first construct an instance of this class; then call <code>allow…</code> methods to turn on tags, attributes, and other - processing modes; and finally call <code>build()</code> or + processing modes; and finally call <code>build(renderer)</code> or <code>toFactory()</code>. </p> <pre class="prettyprint lang-java"> @@ -360,6 +360,23 @@ Conveniences for configuring policies for the <A HREF="../../../org/owasp/html/H </TR> <TR BGCOLOR="white" CLASS="TableRowColor"> <TD ALIGN="right" VALIGN="top" WIDTH="1%"><FONT SIZE="-1"> +<CODE> +<TABLE BORDER="0" CELLPADDING="0" CELLSPACING="0" SUMMARY=""> +<TR ALIGN="right" VALIGN=""> +<TD NOWRAP><FONT SIZE="-1"> +<CODE><CTX> <A HREF="../../../org/owasp/html/HtmlSanitizer.Policy.html" title="interface in org.owasp.html">HtmlSanitizer.Policy</A></CODE></FONT></TD> +</TR> +</TABLE> +</CODE></FONT></TD> +<TD><CODE><B><A HREF="../../../org/owasp/html/HtmlPolicyBuilder.html#build(org.owasp.html.HtmlStreamEventReceiver, org.owasp.html.HtmlChangeListener, CTX)">build</A></B>(<A HREF="../../../org/owasp/html/HtmlStreamEventReceiver.html" title="interface in org.owasp.html">HtmlStreamEventReceiver</A> out, + <A HREF="../../../org/owasp/html/HtmlChangeListener.html" title="interface in org.owasp.html">HtmlChangeListener</A><? super CTX> listener, + CTX context)</CODE> + +<BR> + Produces a policy based on the allow and disallow calls previously made.</TD> +</TR> +<TR BGCOLOR="white" CLASS="TableRowColor"> +<TD ALIGN="right" VALIGN="top" WIDTH="1%"><FONT SIZE="-1"> <CODE> <A HREF="../../../org/owasp/html/HtmlPolicyBuilder.AttributeBuilder.html" title="class in org.owasp.html">HtmlPolicyBuilder.AttributeBuilder</A></CODE></FONT></TD> <TD><CODE><B><A HREF="../../../org/owasp/html/HtmlPolicyBuilder.html#disallowAttributes(java.lang.String...)">disallowAttributes</A></B>(java.lang.String... attributeNames)</CODE> @@ -698,10 +715,33 @@ public <A HREF="../../../org/owasp/html/HtmlSanitizer.Policy.html" title="interf </DL> <HR> +<A NAME="build(org.owasp.html.HtmlStreamEventReceiver,org.owasp.html.HtmlChangeListener,java.lang.Object)"><!-- --></A><A NAME="build(org.owasp.html.HtmlStreamEventReceiver, org.owasp.html.HtmlChangeListener, CTX)"><!-- --></A><H3> +build</H3> +<PRE> +public <CTX> <A HREF="../../../org/owasp/html/HtmlSanitizer.Policy.html" title="interface in org.owasp.html">HtmlSanitizer.Policy</A> <A HREF="../../../src-html/org/owasp/html/HtmlPolicyBuilder.html#line.427"><B>build</B></A>(<A HREF="../../../org/owasp/html/HtmlStreamEventReceiver.html" title="interface in org.owasp.html">HtmlStreamEventReceiver</A> out, + <FONT SIZE="-1">@Nullable</FONT> + <A HREF="../../../org/owasp/html/HtmlChangeListener.html" title="interface in org.owasp.html">HtmlChangeListener</A><? super CTX> listener, + <FONT SIZE="-1">@Nullable</FONT> + CTX context)</PRE> +<DL> +<DD>Produces a policy based on the allow and disallow calls previously made. +<P> +<DD><DL> +<DT><B>Parameters:</B><DD><CODE>out</CODE> - receives calls to open only tags allowed by + previous calls to this object. + Typically a <A HREF="../../../org/owasp/html/HtmlStreamRenderer.html" title="class in org.owasp.html"><CODE>HtmlStreamRenderer</CODE></A>.<DD><CODE>listener</CODE> - is notified of dropped tags and attributes so that + intrusion detection systems can be alerted to questionable HTML. + If <code>null</code> then no notifications are sent.<DD><CODE>context</CODE> - if <code>(listener != null)</code> then the context value passed + with alerts. This can be used to let the listener know from which + connection or request the questionable HTML was received.</DL> +</DD> +</DL> +<HR> + <A NAME="toFactory()"><!-- --></A><H3> toFactory</H3> <PRE> -public <A HREF="../../../org/owasp/html/PolicyFactory.html" title="class in org.owasp.html">PolicyFactory</A> <A HREF="../../../src-html/org/owasp/html/HtmlPolicyBuilder.html#line.418"><B>toFactory</B></A>()</PRE> +public <A HREF="../../../org/owasp/html/PolicyFactory.html" title="class in org.owasp.html">PolicyFactory</A> <A HREF="../../../src-html/org/owasp/html/HtmlPolicyBuilder.html#line.438"><B>toFactory</B></A>()</PRE> <DL> <DD>Like <A HREF="../../../org/owasp/html/HtmlPolicyBuilder.html#build(org.owasp.html.HtmlStreamEventReceiver)"><CODE>build(org.owasp.html.HtmlStreamEventReceiver)</CODE></A> but can be reused to create many different policies each backed by a different output channel. @@ -740,7 +780,7 @@ public <A HREF="../../../org/owasp/html/PolicyFactory.html" title="class in org. <TR> <TD BGCOLOR="white" CLASS="NavBarCell2"><FONT SIZE="-2"> - <A HREF="../../../org/owasp/html/Handler.html" title="interface in org.owasp.html"><B>PREV CLASS</B></A> + <A HREF="../../../org/owasp/html/HtmlChangeReporter.html" title="class in org.owasp.html"><B>PREV CLASS</B></A> <A HREF="../../../org/owasp/html/HtmlPolicyBuilder.AttributeBuilder.html" title="class in org.owasp.html"><B>NEXT CLASS</B></A></FONT></TD> <TD BGCOLOR="white" CLASS="NavBarCell2"><FONT SIZE="-2"> <A HREF="../../../index.html?org/owasp/html/HtmlPolicyBuilder.html" target="_top"><B>FRAMES</B></A> diff --git a/distrib/javadoc/org/owasp/html/HtmlSanitizer.html b/distrib/javadoc/org/owasp/html/HtmlSanitizer.html index 2425394..73bde60 100644 --- a/distrib/javadoc/org/owasp/html/HtmlSanitizer.html +++ b/distrib/javadoc/org/owasp/html/HtmlSanitizer.html @@ -219,7 +219,7 @@ public static void <A HREF="../../../src-html/org/owasp/html/HtmlSanitizer.html# <DD><DL> <DT><B>Parameters:</B><DD><CODE>html</CODE> - A snippet of HTML to sanitize. <code>null</code> is treated as the empty string and will not result in a <code>NullPointerException</code>.<DD><CODE>policy</CODE> - The Policy that will receive events based on the tokens in - html. Typically, this policy ends up routing the events to an + HTML. Typically, this policy ends up routing the events to an <A HREF="../../../org/owasp/html/HtmlStreamRenderer.html" title="class in org.owasp.html"><CODE>HtmlStreamRenderer</CODE></A> after filtering. <A HREF="../../../org/owasp/html/HtmlPolicyBuilder.html" title="class in org.owasp.html"><CODE>HtmlPolicyBuilder</CODE></A> provides an easy way to create policies.</DL> </DD> diff --git a/distrib/javadoc/org/owasp/html/PolicyFactory.html b/distrib/javadoc/org/owasp/html/PolicyFactory.html index ef1f325..861971a 100644 --- a/distrib/javadoc/org/owasp/html/PolicyFactory.html +++ b/distrib/javadoc/org/owasp/html/PolicyFactory.html @@ -143,7 +143,25 @@ A factory that can be used to link a sanitizer to an output receiver and that <TD><CODE><B><A HREF="../../../org/owasp/html/PolicyFactory.html#apply(org.owasp.html.HtmlStreamEventReceiver)">apply</A></B>(<A HREF="../../../org/owasp/html/HtmlStreamEventReceiver.html" title="interface in org.owasp.html">HtmlStreamEventReceiver</A> out)</CODE> <BR> - Produces a sanitizer that emits tokens to out.</TD> + Produces a sanitizer that emits tokens to <code>out</code>.</TD> +</TR> +<TR BGCOLOR="white" CLASS="TableRowColor"> +<TD ALIGN="right" VALIGN="top" WIDTH="1%"><FONT SIZE="-1"> +<CODE> +<TABLE BORDER="0" CELLPADDING="0" CELLSPACING="0" SUMMARY=""> +<TR ALIGN="right" VALIGN=""> +<TD NOWRAP><FONT SIZE="-1"> +<CODE><CTX> <A HREF="../../../org/owasp/html/HtmlSanitizer.Policy.html" title="interface in org.owasp.html">HtmlSanitizer.Policy</A></CODE></FONT></TD> +</TR> +</TABLE> +</CODE></FONT></TD> +<TD><CODE><B><A HREF="../../../org/owasp/html/PolicyFactory.html#apply(org.owasp.html.HtmlStreamEventReceiver, org.owasp.html.HtmlChangeListener, CTX)">apply</A></B>(<A HREF="../../../org/owasp/html/HtmlStreamEventReceiver.html" title="interface in org.owasp.html">HtmlStreamEventReceiver</A> out, + <A HREF="../../../org/owasp/html/HtmlChangeListener.html" title="interface in org.owasp.html">HtmlChangeListener</A><CTX> listener, + CTX context)</CODE> + +<BR> + Produces a sanitizer that emits tokens to <code>out</code> and that notifies + any <code>listener</code> of any dropped tags and attributes.</TD> </TR> <TR BGCOLOR="white" CLASS="TableRowColor"> <TD ALIGN="right" VALIGN="top" WIDTH="1%"><FONT SIZE="-1"> @@ -190,7 +208,7 @@ apply</H3> <PRE> public <A HREF="../../../org/owasp/html/HtmlSanitizer.Policy.html" title="interface in org.owasp.html">HtmlSanitizer.Policy</A> <A HREF="../../../src-html/org/owasp/html/PolicyFactory.html#line.64"><B>apply</B></A>(<A HREF="../../../org/owasp/html/HtmlStreamEventReceiver.html" title="interface in org.owasp.html">HtmlStreamEventReceiver</A> out)</PRE> <DL> -<DD>Produces a sanitizer that emits tokens to out. +<DD>Produces a sanitizer that emits tokens to <code>out</code>. <P> <DD><DL> <DT><B>Specified by:</B><DD><CODE>apply</CODE> in interface <CODE>com.google.common.base.Function<<A HREF="../../../org/owasp/html/HtmlStreamEventReceiver.html" title="interface in org.owasp.html">HtmlStreamEventReceiver</A>,<A HREF="../../../org/owasp/html/HtmlSanitizer.Policy.html" title="interface in org.owasp.html">HtmlSanitizer.Policy</A>></CODE></DL> @@ -201,10 +219,35 @@ public <A HREF="../../../org/owasp/html/HtmlSanitizer.Policy.html" title="interf </DL> <HR> +<A NAME="apply(org.owasp.html.HtmlStreamEventReceiver,org.owasp.html.HtmlChangeListener,java.lang.Object)"><!-- --></A><A NAME="apply(org.owasp.html.HtmlStreamEventReceiver, org.owasp.html.HtmlChangeListener, CTX)"><!-- --></A><H3> +apply</H3> +<PRE> +public <CTX> <A HREF="../../../org/owasp/html/HtmlSanitizer.Policy.html" title="interface in org.owasp.html">HtmlSanitizer.Policy</A> <A HREF="../../../src-html/org/owasp/html/PolicyFactory.html#line.84"><B>apply</B></A>(<A HREF="../../../org/owasp/html/HtmlStreamEventReceiver.html" title="interface in org.owasp.html">HtmlStreamEventReceiver</A> out, + <FONT SIZE="-1">@Nullable</FONT> + <A HREF="../../../org/owasp/html/HtmlChangeListener.html" title="interface in org.owasp.html">HtmlChangeListener</A><CTX> listener, + <FONT SIZE="-1">@Nullable</FONT> + CTX context)</PRE> +<DL> +<DD>Produces a sanitizer that emits tokens to <code>out</code> and that notifies + any <code>listener</code> of any dropped tags and attributes. +<P> +<DD><DL> +</DL> +</DD> +<DD><DL> +<DT><B>Parameters:</B><DD><CODE>out</CODE> - a renderer that receives approved tokens only.<DD><CODE>listener</CODE> - if non-null, receives notifications of tags and attributes + that were rejected by the policy. This may tie into intrusion + detection systems.<DD><CODE>context</CODE> - if <code>(listener != null)</code> then the context value passed + with notifications. This can be used to let the listener know from + which connection or request the questionable HTML was received.</DL> +</DD> +</DL> +<HR> + <A NAME="sanitize(java.lang.String)"><!-- --></A><H3> sanitize</H3> <PRE> -public java.lang.String <A HREF="../../../src-html/org/owasp/html/PolicyFactory.html#line.74"><B>sanitize</B></A>(<FONT SIZE="-1">@Nullable</FONT> +public java.lang.String <A HREF="../../../src-html/org/owasp/html/PolicyFactory.html#line.98"><B>sanitize</B></A>(<FONT SIZE="-1">@Nullable</FONT> java.lang.String html)</PRE> <DL> <DD>A convenience function that sanitizes a string of HTML. @@ -221,7 +264,7 @@ public java.lang.String <A HREF="../../../src-html/org/owasp/html/PolicyFactory. <A NAME="and(org.owasp.html.PolicyFactory)"><!-- --></A><H3> and</H3> <PRE> -public <A HREF="../../../org/owasp/html/PolicyFactory.html" title="class in org.owasp.html">PolicyFactory</A> <A HREF="../../../src-html/org/owasp/html/PolicyFactory.html#line.87"><B>and</B></A>(<A HREF="../../../org/owasp/html/PolicyFactory.html" title="class in org.owasp.html">PolicyFactory</A> f)</PRE> +public <A HREF="../../../org/owasp/html/PolicyFactory.html" title="class in org.owasp.html">PolicyFactory</A> <A HREF="../../../src-html/org/owasp/html/PolicyFactory.html#line.111"><B>and</B></A>(<A HREF="../../../org/owasp/html/PolicyFactory.html" title="class in org.owasp.html">PolicyFactory</A> f)</PRE> <DL> <DD>Produces a factory that allows the union of the grants, and intersects policies where they overlap on a particular granted attribute or element diff --git a/distrib/javadoc/org/owasp/html/class-use/HtmlChangeListener.html b/distrib/javadoc/org/owasp/html/class-use/HtmlChangeListener.html new file mode 100644 index 0000000..ed7b195 --- /dev/null +++ b/distrib/javadoc/org/owasp/html/class-use/HtmlChangeListener.html @@ -0,0 +1,222 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> +<!--NewPage--> +<HTML> +<HEAD> +<META http-equiv="Content-Type" content="text/html; charset=UTF-8"> +<TITLE> +Uses of Interface org.owasp.html.HtmlChangeListener (OWASP Java HTML Sanitizer) +</TITLE> + + +<LINK REL ="stylesheet" TYPE="text/css" HREF="../../../../stylesheet.css" TITLE="Style"> + +<SCRIPT type="text/javascript"> +function windowTitle() +{ + if (location.href.indexOf('is-external=true') == -1) { + parent.document.title="Uses of Interface org.owasp.html.HtmlChangeListener (OWASP Java HTML Sanitizer)"; + } +} +</SCRIPT> +<NOSCRIPT> +</NOSCRIPT> + +</HEAD> + +<BODY BGCOLOR="white" onload="windowTitle();"> +<HR> + + +<!-- ========= START OF TOP NAVBAR ======= --> +<A NAME="navbar_top"><!-- --></A> +<A HREF="#skip-navbar_top" title="Skip navigation links"></A> +<TABLE BORDER="0" WIDTH="100%" CELLPADDING="1" CELLSPACING="0" SUMMARY=""> +<TR> +<TD COLSPAN=2 BGCOLOR="#EEEEFF" CLASS="NavBarCell1"> +<A NAME="navbar_top_firstrow"><!-- --></A> +<TABLE BORDER="0" CELLPADDING="0" CELLSPACING="3" SUMMARY=""> + <TR ALIGN="center" VALIGN="top"> + <TD BGCOLOR="#EEEEFF" CLASS="NavBarCell1"> <A HREF="../../../../overview-summary.html"><FONT CLASS="NavBarFont1"><B>Overview</B></FONT></A> </TD> + <TD BGCOLOR="#EEEEFF" CLASS="NavBarCell1"> <A HREF="../package-summary.html"><FONT CLASS="NavBarFont1"><B>Package</B></FONT></A> </TD> + <TD BGCOLOR="#EEEEFF" CLASS="NavBarCell1"> <A HREF="../../../../org/owasp/html/HtmlChangeListener.html" title="interface in org.owasp.html"><FONT CLASS="NavBarFont1"><B>Class</B></FONT></A> </TD> + <TD BGCOLOR="#FFFFFF" CLASS="NavBarCell1Rev"> <FONT CLASS="NavBarFont1Rev"><B>Use</B></FONT> </TD> + <TD BGCOLOR="#EEEEFF" CLASS="NavBarCell1"> <A HREF="../../../../overview-tree.html"><FONT CLASS="NavBarFont1"><B>Tree</B></FONT></A> </TD> + <TD BGCOLOR="#EEEEFF" CLASS="NavBarCell1"> <A HREF="../../../../deprecated-list.html"><FONT CLASS="NavBarFont1"><B>Deprecated</B></FONT></A> </TD> + <TD BGCOLOR="#EEEEFF" CLASS="NavBarCell1"> <A HREF="../../../../index-files/index-1.html"><FONT CLASS="NavBarFont1"><B>Index</B></FONT></A> </TD> + </TR> +</TABLE> +</TD> +<TD ALIGN="right" VALIGN="top" ROWSPAN=3><EM> +<a href="http://code.google.com/p/owasp-java-html-sanitizer" target=_top>code.google.com home</a></EM> +</TD> +</TR> + +<TR> +<TD BGCOLOR="white" CLASS="NavBarCell2"><FONT SIZE="-2"> + PREV + NEXT</FONT></TD> +<TD BGCOLOR="white" CLASS="NavBarCell2"><FONT SIZE="-2"> + <A HREF="../../../../index.html?org/owasp/html//class-useHtmlChangeListener.html" target="_top"><B>FRAMES</B></A> + <A HREF="HtmlChangeListener.html" target="_top"><B>NO FRAMES</B></A> + <SCRIPT type="text/javascript"> + <!-- + if(window==top) { + document.writeln('<A HREF="../../../../allclasses-noframe.html"><B>All Classes</B></A>'); + } + //--> +</SCRIPT> +<NOSCRIPT> + <A HREF="../../../../allclasses-noframe.html"><B>All Classes</B></A> +</NOSCRIPT> + + +</FONT></TD> +</TR> +</TABLE> +<A NAME="skip-navbar_top"></A> +<!-- ========= END OF TOP NAVBAR ========= --> + +<HR> +<CENTER> +<H2> +<B>Uses of Interface<br>org.owasp.html.HtmlChangeListener</B></H2> +</CENTER> + +<TABLE BORDER="1" WIDTH="100%" CELLPADDING="3" CELLSPACING="0" SUMMARY=""> +<TR BGCOLOR="#CCCCFF" CLASS="TableHeadingColor"> +<TH ALIGN="left" COLSPAN="2"><FONT SIZE="+2"> +Packages that use <A HREF="../../../../org/owasp/html/HtmlChangeListener.html" title="interface in org.owasp.html">HtmlChangeListener</A></FONT></TH> +</TR> +<TR BGCOLOR="white" CLASS="TableRowColor"> +<TD><A HREF="#org.owasp.html"><B>org.owasp.html</B></A></TD> +<TD>An efficient <A HREF="../../../../org/owasp/html/HtmlSanitizer.html" title="class in org.owasp.html"><CODE>HtmlSanitizer</CODE></A> + configurable via a flexible + <A HREF="../../../../org/owasp/html/HtmlPolicyBuilder.html" title="class in org.owasp.html"><CODE>HtmlPolicyBuilder</CODE></A>. </TD> +</TR> +</TABLE> + +<P> +<A NAME="org.owasp.html"><!-- --></A> +<TABLE BORDER="1" WIDTH="100%" CELLPADDING="3" CELLSPACING="0" SUMMARY=""> +<TR BGCOLOR="#CCCCFF" CLASS="TableHeadingColor"> +<TH ALIGN="left" COLSPAN="2"><FONT SIZE="+2"> +Uses of <A HREF="../../../../org/owasp/html/HtmlChangeListener.html" title="interface in org.owasp.html">HtmlChangeListener</A> in <A HREF="../../../../org/owasp/html/package-summary.html">org.owasp.html</A></FONT></TH> +</TR> +</TABLE> + +<P> + +<TABLE BORDER="1" WIDTH="100%" CELLPADDING="3" CELLSPACING="0" SUMMARY=""> +<TR BGCOLOR="#CCCCFF" CLASS="TableSubHeadingColor"> +<TH ALIGN="left" COLSPAN="2">Methods in <A HREF="../../../../org/owasp/html/package-summary.html">org.owasp.html</A> with parameters of type <A HREF="../../../../org/owasp/html/HtmlChangeListener.html" title="interface in org.owasp.html">HtmlChangeListener</A></FONT></TH> +</TR> +<TR BGCOLOR="white" CLASS="TableRowColor"> +<TD ALIGN="right" VALIGN="top" WIDTH="1%"><FONT SIZE="-1"> +<CODE> +<TABLE BORDER="0" CELLPADDING="0" CELLSPACING="0" SUMMARY=""> +<TR ALIGN="right" VALIGN=""> +<TD NOWRAP><FONT SIZE="-1"> +<CODE><CTX> <A HREF="../../../../org/owasp/html/HtmlSanitizer.Policy.html" title="interface in org.owasp.html">HtmlSanitizer.Policy</A></CODE></FONT></TD> +</TR> +</TABLE> +</CODE></FONT></TD> +<TD><CODE><B>PolicyFactory.</B><B><A HREF="../../../../org/owasp/html/PolicyFactory.html#apply(org.owasp.html.HtmlStreamEventReceiver, org.owasp.html.HtmlChangeListener, CTX)">apply</A></B>(<A HREF="../../../../org/owasp/html/HtmlStreamEventReceiver.html" title="interface in org.owasp.html">HtmlStreamEventReceiver</A> out, + <A HREF="../../../../org/owasp/html/HtmlChangeListener.html" title="interface in org.owasp.html">HtmlChangeListener</A><CTX> listener, + CTX context)</CODE> + +<BR> + Produces a sanitizer that emits tokens to <code>out</code> and that notifies + any <code>listener</code> of any dropped tags and attributes.</TD> +</TR> +<TR BGCOLOR="white" CLASS="TableRowColor"> +<TD ALIGN="right" VALIGN="top" WIDTH="1%"><FONT SIZE="-1"> +<CODE> +<TABLE BORDER="0" CELLPADDING="0" CELLSPACING="0" SUMMARY=""> +<TR ALIGN="right" VALIGN=""> +<TD NOWRAP><FONT SIZE="-1"> +<CODE><CTX> <A HREF="../../../../org/owasp/html/HtmlSanitizer.Policy.html" title="interface in org.owasp.html">HtmlSanitizer.Policy</A></CODE></FONT></TD> +</TR> +</TABLE> +</CODE></FONT></TD> +<TD><CODE><B>HtmlPolicyBuilder.</B><B><A HREF="../../../../org/owasp/html/HtmlPolicyBuilder.html#build(org.owasp.html.HtmlStreamEventReceiver, org.owasp.html.HtmlChangeListener, CTX)">build</A></B>(<A HREF="../../../../org/owasp/html/HtmlStreamEventReceiver.html" title="interface in org.owasp.html">HtmlStreamEventReceiver</A> out, + <A HREF="../../../../org/owasp/html/HtmlChangeListener.html" title="interface in org.owasp.html">HtmlChangeListener</A><? super CTX> listener, + CTX context)</CODE> + +<BR> + Produces a policy based on the allow and disallow calls previously made.</TD> +</TR> +</TABLE> + +<P> + +<TABLE BORDER="1" WIDTH="100%" CELLPADDING="3" CELLSPACING="0" SUMMARY=""> +<TR BGCOLOR="#CCCCFF" CLASS="TableSubHeadingColor"> +<TH ALIGN="left" COLSPAN="2">Constructors in <A HREF="../../../../org/owasp/html/package-summary.html">org.owasp.html</A> with parameters of type <A HREF="../../../../org/owasp/html/HtmlChangeListener.html" title="interface in org.owasp.html">HtmlChangeListener</A></FONT></TH> +</TR> +<TR BGCOLOR="white" CLASS="TableRowColor"> +<TD><CODE><B><A HREF="../../../../org/owasp/html/HtmlChangeReporter.html#HtmlChangeReporter(org.owasp.html.HtmlStreamEventReceiver, org.owasp.html.HtmlChangeListener, T)">HtmlChangeReporter</A></B>(<A HREF="../../../../org/owasp/html/HtmlStreamEventReceiver.html" title="interface in org.owasp.html">HtmlStreamEventReceiver</A> renderer, + <A HREF="../../../../org/owasp/html/HtmlChangeListener.html" title="interface in org.owasp.html">HtmlChangeListener</A><? super <A HREF="../../../../org/owasp/html/HtmlChangeReporter.html" title="type parameter in HtmlChangeReporter">T</A>> listener, + <A HREF="../../../../org/owasp/html/HtmlChangeReporter.html" title="type parameter in HtmlChangeReporter">T</A> context)</CODE> + +<BR> + </TD> +</TR> +</TABLE> + +<P> +<HR> + + +<!-- ======= START OF BOTTOM NAVBAR ====== --> +<A NAME="navbar_bottom"><!-- --></A> +<A HREF="#skip-navbar_bottom" title="Skip navigation links"></A> +<TABLE BORDER="0" WIDTH="100%" CELLPADDING="1" CELLSPACING="0" SUMMARY=""> +<TR> +<TD COLSPAN=2 BGCOLOR="#EEEEFF" CLASS="NavBarCell1"> +<A NAME="navbar_bottom_firstrow"><!-- --></A> +<TABLE BORDER="0" CELLPADDING="0" CELLSPACING="3" SUMMARY=""> + <TR ALIGN="center" VALIGN="top"> + <TD BGCOLOR="#EEEEFF" CLASS="NavBarCell1"> <A HREF="../../../../overview-summary.html"><FONT CLASS="NavBarFont1"><B>Overview</B></FONT></A> </TD> + <TD BGCOLOR="#EEEEFF" CLASS="NavBarCell1"> <A HREF="../package-summary.html"><FONT CLASS="NavBarFont1"><B>Package</B></FONT></A> </TD> + <TD BGCOLOR="#EEEEFF" CLASS="NavBarCell1"> <A HREF="../../../../org/owasp/html/HtmlChangeListener.html" title="interface in org.owasp.html"><FONT CLASS="NavBarFont1"><B>Class</B></FONT></A> </TD> + <TD BGCOLOR="#FFFFFF" CLASS="NavBarCell1Rev"> <FONT CLASS="NavBarFont1Rev"><B>Use</B></FONT> </TD> + <TD BGCOLOR="#EEEEFF" CLASS="NavBarCell1"> <A HREF="../../../../overview-tree.html"><FONT CLASS="NavBarFont1"><B>Tree</B></FONT></A> </TD> + <TD BGCOLOR="#EEEEFF" CLASS="NavBarCell1"> <A HREF="../../../../deprecated-list.html"><FONT CLASS="NavBarFont1"><B>Deprecated</B></FONT></A> </TD> + <TD BGCOLOR="#EEEEFF" CLASS="NavBarCell1"> <A HREF="../../../../index-files/index-1.html"><FONT CLASS="NavBarFont1"><B>Index</B></FONT></A> </TD> + </TR> +</TABLE> +</TD> +<TD ALIGN="right" VALIGN="top" ROWSPAN=3><EM> +<a href="http://code.google.com/p/owasp-java-html-sanitizer" target=_top>code.google.com home</a></EM> +</TD> +</TR> + +<TR> +<TD BGCOLOR="white" CLASS="NavBarCell2"><FONT SIZE="-2"> + PREV + NEXT</FONT></TD> +<TD BGCOLOR="white" CLASS="NavBarCell2"><FONT SIZE="-2"> + <A HREF="../../../../index.html?org/owasp/html//class-useHtmlChangeListener.html" target="_top"><B>FRAMES</B></A> + <A HREF="HtmlChangeListener.html" target="_top"><B>NO FRAMES</B></A> + <SCRIPT type="text/javascript"> + <!-- + if(window==top) { + document.writeln('<A HREF="../../../../allclasses-noframe.html"><B>All Classes</B></A>'); + } + //--> +</SCRIPT> +<NOSCRIPT> + <A HREF="../../../../allclasses-noframe.html"><B>All Classes</B></A> +</NOSCRIPT> + + +</FONT></TD> +</TR> +</TABLE> +<A NAME="skip-navbar_bottom"></A> +<!-- ======== END OF BOTTOM NAVBAR ======= --> + +<HR> + +</BODY> +</HTML> diff --git a/distrib/javadoc/org/owasp/html/class-use/HtmlChangeReporter.html b/distrib/javadoc/org/owasp/html/class-use/HtmlChangeReporter.html new file mode 100644 index 0000000..12693e8 --- /dev/null +++ b/distrib/javadoc/org/owasp/html/class-use/HtmlChangeReporter.html @@ -0,0 +1,141 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> +<!--NewPage--> +<HTML> +<HEAD> +<META http-equiv="Content-Type" content="text/html; charset=UTF-8"> +<TITLE> +Uses of Class org.owasp.html.HtmlChangeReporter (OWASP Java HTML Sanitizer) +</TITLE> + + +<LINK REL ="stylesheet" TYPE="text/css" HREF="../../../../stylesheet.css" TITLE="Style"> + +<SCRIPT type="text/javascript"> +function windowTitle() +{ + if (location.href.indexOf('is-external=true') == -1) { + parent.document.title="Uses of Class org.owasp.html.HtmlChangeReporter (OWASP Java HTML Sanitizer)"; + } +} +</SCRIPT> +<NOSCRIPT> +</NOSCRIPT> + +</HEAD> + +<BODY BGCOLOR="white" onload="windowTitle();"> +<HR> + + +<!-- ========= START OF TOP NAVBAR ======= --> +<A NAME="navbar_top"><!-- --></A> +<A HREF="#skip-navbar_top" title="Skip navigation links"></A> +<TABLE BORDER="0" WIDTH="100%" CELLPADDING="1" CELLSPACING="0" SUMMARY=""> +<TR> +<TD COLSPAN=2 BGCOLOR="#EEEEFF" CLASS="NavBarCell1"> +<A NAME="navbar_top_firstrow"><!-- --></A> +<TABLE BORDER="0" CELLPADDING="0" CELLSPACING="3" SUMMARY=""> + <TR ALIGN="center" VALIGN="top"> + <TD BGCOLOR="#EEEEFF" CLASS="NavBarCell1"> <A HREF="../../../../overview-summary.html"><FONT CLASS="NavBarFont1"><B>Overview</B></FONT></A> </TD> + <TD BGCOLOR="#EEEEFF" CLASS="NavBarCell1"> <A HREF="../package-summary.html"><FONT CLASS="NavBarFont1"><B>Package</B></FONT></A> </TD> + <TD BGCOLOR="#EEEEFF" CLASS="NavBarCell1"> <A HREF="../../../../org/owasp/html/HtmlChangeReporter.html" title="class in org.owasp.html"><FONT CLASS="NavBarFont1"><B>Class</B></FONT></A> </TD> + <TD BGCOLOR="#FFFFFF" CLASS="NavBarCell1Rev"> <FONT CLASS="NavBarFont1Rev"><B>Use</B></FONT> </TD> + <TD BGCOLOR="#EEEEFF" CLASS="NavBarCell1"> <A HREF="../../../../overview-tree.html"><FONT CLASS="NavBarFont1"><B>Tree</B></FONT></A> </TD> + <TD BGCOLOR="#EEEEFF" CLASS="NavBarCell1"> <A HREF="../../../../deprecated-list.html"><FONT CLASS="NavBarFont1"><B>Deprecated</B></FONT></A> </TD> + <TD BGCOLOR="#EEEEFF" CLASS="NavBarCell1"> <A HREF="../../../../index-files/index-1.html"><FONT CLASS="NavBarFont1"><B>Index</B></FONT></A> </TD> + </TR> +</TABLE> +</TD> +<TD ALIGN="right" VALIGN="top" ROWSPAN=3><EM> +<a href="http://code.google.com/p/owasp-java-html-sanitizer" target=_top>code.google.com home</a></EM> +</TD> +</TR> + +<TR> +<TD BGCOLOR="white" CLASS="NavBarCell2"><FONT SIZE="-2"> + PREV + NEXT</FONT></TD> +<TD BGCOLOR="white" CLASS="NavBarCell2"><FONT SIZE="-2"> + <A HREF="../../../../index.html?org/owasp/html//class-useHtmlChangeReporter.html" target="_top"><B>FRAMES</B></A> + <A HREF="HtmlChangeReporter.html" target="_top"><B>NO FRAMES</B></A> + <SCRIPT type="text/javascript"> + <!-- + if(window==top) { + document.writeln('<A HREF="../../../../allclasses-noframe.html"><B>All Classes</B></A>'); + } + //--> +</SCRIPT> +<NOSCRIPT> + <A HREF="../../../../allclasses-noframe.html"><B>All Classes</B></A> +</NOSCRIPT> + + +</FONT></TD> +</TR> +</TABLE> +<A NAME="skip-navbar_top"></A> +<!-- ========= END OF TOP NAVBAR ========= --> + +<HR> +<CENTER> +<H2> +<B>Uses of Class<br>org.owasp.html.HtmlChangeReporter</B></H2> +</CENTER> +No usage of org.owasp.html.HtmlChangeReporter +<P> +<HR> + + +<!-- ======= START OF BOTTOM NAVBAR ====== --> +<A NAME="navbar_bottom"><!-- --></A> +<A HREF="#skip-navbar_bottom" title="Skip navigation links"></A> +<TABLE BORDER="0" WIDTH="100%" CELLPADDING="1" CELLSPACING="0" SUMMARY=""> +<TR> +<TD COLSPAN=2 BGCOLOR="#EEEEFF" CLASS="NavBarCell1"> +<A NAME="navbar_bottom_firstrow"><!-- --></A> +<TABLE BORDER="0" CELLPADDING="0" CELLSPACING="3" SUMMARY=""> + <TR ALIGN="center" VALIGN="top"> + <TD BGCOLOR="#EEEEFF" CLASS="NavBarCell1"> <A HREF="../../../../overview-summary.html"><FONT CLASS="NavBarFont1"><B>Overview</B></FONT></A> </TD> + <TD BGCOLOR="#EEEEFF" CLASS="NavBarCell1"> <A HREF="../package-summary.html"><FONT CLASS="NavBarFont1"><B>Package</B></FONT></A> </TD> + <TD BGCOLOR="#EEEEFF" CLASS="NavBarCell1"> <A HREF="../../../../org/owasp/html/HtmlChangeReporter.html" title="class in org.owasp.html"><FONT CLASS="NavBarFont1"><B>Class</B></FONT></A> </TD> + <TD BGCOLOR="#FFFFFF" CLASS="NavBarCell1Rev"> <FONT CLASS="NavBarFont1Rev"><B>Use</B></FONT> </TD> + <TD BGCOLOR="#EEEEFF" CLASS="NavBarCell1"> <A HREF="../../../../overview-tree.html"><FONT CLASS="NavBarFont1"><B>Tree</B></FONT></A> </TD> + <TD BGCOLOR="#EEEEFF" CLASS="NavBarCell1"> <A HREF="../../../../deprecated-list.html"><FONT CLASS="NavBarFont1"><B>Deprecated</B></FONT></A> </TD> + <TD BGCOLOR="#EEEEFF" CLASS="NavBarCell1"> <A HREF="../../../../index-files/index-1.html"><FONT CLASS="NavBarFont1"><B>Index</B></FONT></A> </TD> + </TR> +</TABLE> +</TD> +<TD ALIGN="right" VALIGN="top" ROWSPAN=3><EM> +<a href="http://code.google.com/p/owasp-java-html-sanitizer" target=_top>code.google.com home</a></EM> +</TD> +</TR> + +<TR> +<TD BGCOLOR="white" CLASS="NavBarCell2"><FONT SIZE="-2"> + PREV + NEXT</FONT></TD> +<TD BGCOLOR="white" CLASS="NavBarCell2"><FONT SIZE="-2"> + <A HREF="../../../../index.html?org/owasp/html//class-useHtmlChangeReporter.html" target="_top"><B>FRAMES</B></A> + <A HREF="HtmlChangeReporter.html" target="_top"><B>NO FRAMES</B></A> + <SCRIPT type="text/javascript"> + <!-- + if(window==top) { + document.writeln('<A HREF="../../../../allclasses-noframe.html"><B>All Classes</B></A>'); + } + //--> +</SCRIPT> +<NOSCRIPT> + <A HREF="../../../../allclasses-noframe.html"><B>All Classes</B></A> +</NOSCRIPT> + + +</FONT></TD> +</TR> +</TABLE> +<A NAME="skip-navbar_bottom"></A> +<!-- ======== END OF BOTTOM NAVBAR ======= --> + +<HR> + +</BODY> +</HTML> diff --git a/distrib/javadoc/org/owasp/html/class-use/HtmlSanitizer.Policy.html b/distrib/javadoc/org/owasp/html/class-use/HtmlSanitizer.Policy.html index c3d0ca4..5b0b412 100644 --- a/distrib/javadoc/org/owasp/html/class-use/HtmlSanitizer.Policy.html +++ b/distrib/javadoc/org/owasp/html/class-use/HtmlSanitizer.Policy.html @@ -120,7 +120,25 @@ Uses of <A HREF="../../../../org/owasp/html/HtmlSanitizer.Policy.html" title="in <TD><CODE><B>PolicyFactory.</B><B><A HREF="../../../../org/owasp/html/PolicyFactory.html#apply(org.owasp.html.HtmlStreamEventReceiver)">apply</A></B>(<A HREF="../../../../org/owasp/html/HtmlStreamEventReceiver.html" title="interface in org.owasp.html">HtmlStreamEventReceiver</A> out)</CODE> <BR> - Produces a sanitizer that emits tokens to out.</TD> + Produces a sanitizer that emits tokens to <code>out</code>.</TD> +</TR> +<TR BGCOLOR="white" CLASS="TableRowColor"> +<TD ALIGN="right" VALIGN="top" WIDTH="1%"><FONT SIZE="-1"> +<CODE> +<TABLE BORDER="0" CELLPADDING="0" CELLSPACING="0" SUMMARY=""> +<TR ALIGN="right" VALIGN=""> +<TD NOWRAP><FONT SIZE="-1"> +<CODE><CTX> <A HREF="../../../../org/owasp/html/HtmlSanitizer.Policy.html" title="interface in org.owasp.html">HtmlSanitizer.Policy</A></CODE></FONT></TD> +</TR> +</TABLE> +</CODE></FONT></TD> +<TD><CODE><B>PolicyFactory.</B><B><A HREF="../../../../org/owasp/html/PolicyFactory.html#apply(org.owasp.html.HtmlStreamEventReceiver, org.owasp.html.HtmlChangeListener, CTX)">apply</A></B>(<A HREF="../../../../org/owasp/html/HtmlStreamEventReceiver.html" title="interface in org.owasp.html">HtmlStreamEventReceiver</A> out, + <A HREF="../../../../org/owasp/html/HtmlChangeListener.html" title="interface in org.owasp.html">HtmlChangeListener</A><CTX> listener, + CTX context)</CODE> + +<BR> + Produces a sanitizer that emits tokens to <code>out</code> and that notifies + any <code>listener</code> of any dropped tags and attributes.</TD> </TR> <TR BGCOLOR="white" CLASS="TableRowColor"> <TD ALIGN="right" VALIGN="top" WIDTH="1%"><FONT SIZE="-1"> @@ -130,6 +148,31 @@ Uses of <A HREF="../../../../org/owasp/html/HtmlSanitizer.Policy.html" title="in <BR> Produces a policy based on the allow and disallow calls previously made.</TD> </TR> +<TR BGCOLOR="white" CLASS="TableRowColor"> +<TD ALIGN="right" VALIGN="top" WIDTH="1%"><FONT SIZE="-1"> +<CODE> +<TABLE BORDER="0" CELLPADDING="0" CELLSPACING="0" SUMMARY=""> +<TR ALIGN="right" VALIGN=""> +<TD NOWRAP><FONT SIZE="-1"> +<CODE><CTX> <A HREF="../../../../org/owasp/html/HtmlSanitizer.Policy.html" title="interface in org.owasp.html">HtmlSanitizer.Policy</A></CODE></FONT></TD> +</TR> +</TABLE> +</CODE></FONT></TD> +<TD><CODE><B>HtmlPolicyBuilder.</B><B><A HREF="../../../../org/owasp/html/HtmlPolicyBuilder.html#build(org.owasp.html.HtmlStreamEventReceiver, org.owasp.html.HtmlChangeListener, CTX)">build</A></B>(<A HREF="../../../../org/owasp/html/HtmlStreamEventReceiver.html" title="interface in org.owasp.html">HtmlStreamEventReceiver</A> out, + <A HREF="../../../../org/owasp/html/HtmlChangeListener.html" title="interface in org.owasp.html">HtmlChangeListener</A><? super CTX> listener, + CTX context)</CODE> + +<BR> + Produces a policy based on the allow and disallow calls previously made.</TD> +</TR> +<TR BGCOLOR="white" CLASS="TableRowColor"> +<TD ALIGN="right" VALIGN="top" WIDTH="1%"><FONT SIZE="-1"> +<CODE> <A HREF="../../../../org/owasp/html/HtmlSanitizer.Policy.html" title="interface in org.owasp.html">HtmlSanitizer.Policy</A></CODE></FONT></TD> +<TD><CODE><B>HtmlChangeReporter.</B><B><A HREF="../../../../org/owasp/html/HtmlChangeReporter.html#getWrappedPolicy()">getWrappedPolicy</A></B>()</CODE> + +<BR> + </TD> +</TR> </TABLE> <P> @@ -147,6 +190,14 @@ Uses of <A HREF="../../../../org/owasp/html/HtmlSanitizer.Policy.html" title="in <BR> Sanitizes the given HTML by applying the given policy to it.</TD> </TR> +<TR BGCOLOR="white" CLASS="TableRowColor"> +<TD ALIGN="right" VALIGN="top" WIDTH="1%"><FONT SIZE="-1"> +<CODE> void</CODE></FONT></TD> +<TD><CODE><B>HtmlChangeReporter.</B><B><A HREF="../../../../org/owasp/html/HtmlChangeReporter.html#setPolicy(org.owasp.html.HtmlSanitizer.Policy)">setPolicy</A></B>(<A HREF="../../../../org/owasp/html/HtmlSanitizer.Policy.html" title="interface in org.owasp.html">HtmlSanitizer.Policy</A> policy)</CODE> + +<BR> + Associates an input channel.</TD> +</TR> </TABLE> <P> diff --git a/distrib/javadoc/org/owasp/html/class-use/HtmlStreamEventReceiver.html b/distrib/javadoc/org/owasp/html/class-use/HtmlStreamEventReceiver.html index cc87d84..517cee2 100644 --- a/distrib/javadoc/org/owasp/html/class-use/HtmlStreamEventReceiver.html +++ b/distrib/javadoc/org/owasp/html/class-use/HtmlStreamEventReceiver.html @@ -153,6 +153,22 @@ Uses of <A HREF="../../../../org/owasp/html/HtmlStreamEventReceiver.html" title= <TABLE BORDER="1" WIDTH="100%" CELLPADDING="3" CELLSPACING="0" SUMMARY=""> <TR BGCOLOR="#CCCCFF" CLASS="TableSubHeadingColor"> +<TH ALIGN="left" COLSPAN="2">Methods in <A HREF="../../../../org/owasp/html/package-summary.html">org.owasp.html</A> that return <A HREF="../../../../org/owasp/html/HtmlStreamEventReceiver.html" title="interface in org.owasp.html">HtmlStreamEventReceiver</A></FONT></TH> +</TR> +<TR BGCOLOR="white" CLASS="TableRowColor"> +<TD ALIGN="right" VALIGN="top" WIDTH="1%"><FONT SIZE="-1"> +<CODE> <A HREF="../../../../org/owasp/html/HtmlStreamEventReceiver.html" title="interface in org.owasp.html">HtmlStreamEventReceiver</A></CODE></FONT></TD> +<TD><CODE><B>HtmlChangeReporter.</B><B><A HREF="../../../../org/owasp/html/HtmlChangeReporter.html#getWrappedRenderer()">getWrappedRenderer</A></B>()</CODE> + +<BR> + </TD> +</TR> +</TABLE> + +<P> + +<TABLE BORDER="1" WIDTH="100%" CELLPADDING="3" CELLSPACING="0" SUMMARY=""> +<TR BGCOLOR="#CCCCFF" CLASS="TableSubHeadingColor"> <TH ALIGN="left" COLSPAN="2">Methods in <A HREF="../../../../org/owasp/html/package-summary.html">org.owasp.html</A> with parameters of type <A HREF="../../../../org/owasp/html/HtmlStreamEventReceiver.html" title="interface in org.owasp.html">HtmlStreamEventReceiver</A></FONT></TH> </TR> <TR BGCOLOR="white" CLASS="TableRowColor"> @@ -161,7 +177,25 @@ Uses of <A HREF="../../../../org/owasp/html/HtmlStreamEventReceiver.html" title= <TD><CODE><B>PolicyFactory.</B><B><A HREF="../../../../org/owasp/html/PolicyFactory.html#apply(org.owasp.html.HtmlStreamEventReceiver)">apply</A></B>(<A HREF="../../../../org/owasp/html/HtmlStreamEventReceiver.html" title="interface in org.owasp.html">HtmlStreamEventReceiver</A> out)</CODE> <BR> - Produces a sanitizer that emits tokens to out.</TD> + Produces a sanitizer that emits tokens to <code>out</code>.</TD> +</TR> +<TR BGCOLOR="white" CLASS="TableRowColor"> +<TD ALIGN="right" VALIGN="top" WIDTH="1%"><FONT SIZE="-1"> +<CODE> +<TABLE BORDER="0" CELLPADDING="0" CELLSPACING="0" SUMMARY=""> +<TR ALIGN="right" VALIGN=""> +<TD NOWRAP><FONT SIZE="-1"> +<CODE><CTX> <A HREF="../../../../org/owasp/html/HtmlSanitizer.Policy.html" title="interface in org.owasp.html">HtmlSanitizer.Policy</A></CODE></FONT></TD> +</TR> +</TABLE> +</CODE></FONT></TD> +<TD><CODE><B>PolicyFactory.</B><B><A HREF="../../../../org/owasp/html/PolicyFactory.html#apply(org.owasp.html.HtmlStreamEventReceiver, org.owasp.html.HtmlChangeListener, CTX)">apply</A></B>(<A HREF="../../../../org/owasp/html/HtmlStreamEventReceiver.html" title="interface in org.owasp.html">HtmlStreamEventReceiver</A> out, + <A HREF="../../../../org/owasp/html/HtmlChangeListener.html" title="interface in org.owasp.html">HtmlChangeListener</A><CTX> listener, + CTX context)</CODE> + +<BR> + Produces a sanitizer that emits tokens to <code>out</code> and that notifies + any <code>listener</code> of any dropped tags and attributes.</TD> </TR> <TR BGCOLOR="white" CLASS="TableRowColor"> <TD ALIGN="right" VALIGN="top" WIDTH="1%"><FONT SIZE="-1"> @@ -171,6 +205,23 @@ Uses of <A HREF="../../../../org/owasp/html/HtmlStreamEventReceiver.html" title= <BR> Produces a policy based on the allow and disallow calls previously made.</TD> </TR> +<TR BGCOLOR="white" CLASS="TableRowColor"> +<TD ALIGN="right" VALIGN="top" WIDTH="1%"><FONT SIZE="-1"> +<CODE> +<TABLE BORDER="0" CELLPADDING="0" CELLSPACING="0" SUMMARY=""> +<TR ALIGN="right" VALIGN=""> +<TD NOWRAP><FONT SIZE="-1"> +<CODE><CTX> <A HREF="../../../../org/owasp/html/HtmlSanitizer.Policy.html" title="interface in org.owasp.html">HtmlSanitizer.Policy</A></CODE></FONT></TD> +</TR> +</TABLE> +</CODE></FONT></TD> +<TD><CODE><B>HtmlPolicyBuilder.</B><B><A HREF="../../../../org/owasp/html/HtmlPolicyBuilder.html#build(org.owasp.html.HtmlStreamEventReceiver, org.owasp.html.HtmlChangeListener, CTX)">build</A></B>(<A HREF="../../../../org/owasp/html/HtmlStreamEventReceiver.html" title="interface in org.owasp.html">HtmlStreamEventReceiver</A> out, + <A HREF="../../../../org/owasp/html/HtmlChangeListener.html" title="interface in org.owasp.html">HtmlChangeListener</A><? super CTX> listener, + CTX context)</CODE> + +<BR> + Produces a policy based on the allow and disallow calls previously made.</TD> +</TR> </TABLE> <P> @@ -180,6 +231,14 @@ Uses of <A HREF="../../../../org/owasp/html/HtmlStreamEventReceiver.html" title= <TH ALIGN="left" COLSPAN="2">Constructors in <A HREF="../../../../org/owasp/html/package-summary.html">org.owasp.html</A> with parameters of type <A HREF="../../../../org/owasp/html/HtmlStreamEventReceiver.html" title="interface in org.owasp.html">HtmlStreamEventReceiver</A></FONT></TH> </TR> <TR BGCOLOR="white" CLASS="TableRowColor"> +<TD><CODE><B><A HREF="../../../../org/owasp/html/HtmlChangeReporter.html#HtmlChangeReporter(org.owasp.html.HtmlStreamEventReceiver, org.owasp.html.HtmlChangeListener, T)">HtmlChangeReporter</A></B>(<A HREF="../../../../org/owasp/html/HtmlStreamEventReceiver.html" title="interface in org.owasp.html">HtmlStreamEventReceiver</A> renderer, + <A HREF="../../../../org/owasp/html/HtmlChangeListener.html" title="interface in org.owasp.html">HtmlChangeListener</A><? super <A HREF="../../../../org/owasp/html/HtmlChangeReporter.html" title="type parameter in HtmlChangeReporter">T</A>> listener, + <A HREF="../../../../org/owasp/html/HtmlChangeReporter.html" title="type parameter in HtmlChangeReporter">T</A> context)</CODE> + +<BR> + </TD> +</TR> +<TR BGCOLOR="white" CLASS="TableRowColor"> <TD><CODE><B><A HREF="../../../../org/owasp/html/TagBalancingHtmlStreamEventReceiver.html#TagBalancingHtmlStreamEventReceiver(org.owasp.html.HtmlStreamEventReceiver)">TagBalancingHtmlStreamEventReceiver</A></B>(<A HREF="../../../../org/owasp/html/HtmlStreamEventReceiver.html" title="interface in org.owasp.html">HtmlStreamEventReceiver</A> underlying)</CODE> <BR> diff --git a/distrib/javadoc/org/owasp/html/package-frame.html b/distrib/javadoc/org/owasp/html/package-frame.html index cc45d35..a2b7624 100644 --- a/distrib/javadoc/org/owasp/html/package-frame.html +++ b/distrib/javadoc/org/owasp/html/package-frame.html @@ -28,6 +28,8 @@ Interfaces</FONT> <BR> <A HREF="Handler.html" title="interface in org.owasp.html" target="classFrame"><I>Handler</I></A> <BR> +<A HREF="HtmlChangeListener.html" title="interface in org.owasp.html" target="classFrame"><I>HtmlChangeListener</I></A> +<BR> <A HREF="HtmlSanitizer.Policy.html" title="interface in org.owasp.html" target="classFrame"><I>HtmlSanitizer.Policy</I></A> <BR> <A HREF="HtmlStreamEventReceiver.html" title="interface in org.owasp.html" target="classFrame"><I>HtmlStreamEventReceiver</I></A></FONT></TD> @@ -47,6 +49,8 @@ Classes</FONT> <BR> <A HREF="FilterUrlByProtocolAttributePolicy.html" title="class in org.owasp.html" target="classFrame">FilterUrlByProtocolAttributePolicy</A> <BR> +<A HREF="HtmlChangeReporter.html" title="class in org.owasp.html" target="classFrame">HtmlChangeReporter</A> +<BR> <A HREF="HtmlPolicyBuilder.html" title="class in org.owasp.html" target="classFrame">HtmlPolicyBuilder</A> <BR> <A HREF="HtmlSanitizer.html" title="class in org.owasp.html" target="classFrame">HtmlSanitizer</A> diff --git a/distrib/javadoc/org/owasp/html/package-summary.html b/distrib/javadoc/org/owasp/html/package-summary.html index c67a243..aa4ff96 100644 --- a/distrib/javadoc/org/owasp/html/package-summary.html +++ b/distrib/javadoc/org/owasp/html/package-summary.html @@ -110,6 +110,10 @@ An efficient <A HREF="../../../org/owasp/html/HtmlSanitizer.html" title="class i <TD>Receives notification of problems.</TD> </TR> <TR BGCOLOR="white" CLASS="TableRowColor"> +<TD WIDTH="15%"><B><A HREF="../../../org/owasp/html/HtmlChangeListener.html" title="interface in org.owasp.html">HtmlChangeListener<T></A></B></TD> +<TD>Receives events when an HTML tag, or attribute is discarded.</TD> +</TR> +<TR BGCOLOR="white" CLASS="TableRowColor"> <TD WIDTH="15%"><B><A HREF="../../../org/owasp/html/HtmlSanitizer.Policy.html" title="interface in org.owasp.html">HtmlSanitizer.Policy</A></B></TD> <TD>Receives events based on the HTML stream, and applies a policy to decide what HTML constructs to allow.</TD> @@ -142,6 +146,11 @@ An efficient <A HREF="../../../org/owasp/html/HtmlSanitizer.html" title="class i the value have no protocol or have an allowed protocol.</TD> </TR> <TR BGCOLOR="white" CLASS="TableRowColor"> +<TD WIDTH="15%"><B><A HREF="../../../org/owasp/html/HtmlChangeReporter.html" title="class in org.owasp.html">HtmlChangeReporter<T></A></B></TD> +<TD>Sits between the HTML parser, and then policy, and the renderer so that it + can report dropped elements and attributes to an <A HREF="../../../org/owasp/html/HtmlChangeListener.html" title="interface in org.owasp.html"><CODE>HtmlChangeListener</CODE></A>.</TD> +</TR> +<TR BGCOLOR="white" CLASS="TableRowColor"> <TD WIDTH="15%"><B><A HREF="../../../org/owasp/html/HtmlPolicyBuilder.html" title="class in org.owasp.html">HtmlPolicyBuilder</A></B></TD> <TD>Conveniences for configuring policies for the <A HREF="../../../org/owasp/html/HtmlSanitizer.html" title="class in org.owasp.html"><CODE>HtmlSanitizer</CODE></A>.</TD> </TR> diff --git a/distrib/javadoc/org/owasp/html/package-tree.html b/distrib/javadoc/org/owasp/html/package-tree.html index c10232c..91981d9 100644 --- a/distrib/javadoc/org/owasp/html/package-tree.html +++ b/distrib/javadoc/org/owasp/html/package-tree.html @@ -91,7 +91,7 @@ Class Hierarchy <UL> <LI TYPE="circle">java.lang.Object<UL> <LI TYPE="circle">org.owasp.html.<A HREF="../../../org/owasp/html/AttributePolicy.Util.html" title="class in org.owasp.html"><B>AttributePolicy.Util</B></A><LI TYPE="circle">org.owasp.html.<A HREF="../../../org/owasp/html/ElementPolicy.Util.html" title="class in org.owasp.html"><B>ElementPolicy.Util</B></A><LI TYPE="circle">org.owasp.html.<A HREF="../../../org/owasp/html/FilterUrlByProtocolAttributePolicy.html" title="class in org.owasp.html"><B>FilterUrlByProtocolAttributePolicy</B></A> (implements org.owasp.html.<A HREF="../../../org/owasp/html/AttributePolicy.html" title="interface in org.owasp.html">AttributePolicy</A>) -<LI TYPE="circle">org.owasp.html.<A HREF="../../../org/owasp/html/HtmlPolicyBuilder.html" title="class in org.owasp.html"><B>HtmlPolicyBuilder</B></A><LI TYPE="circle">org.owasp.html.<A HREF="../../../org/owasp/html/HtmlPolicyBuilder.AttributeBuilder.html" title="class in org.owasp.html"><B>HtmlPolicyBuilder.AttributeBuilder</B></A><LI TYPE="circle">org.owasp.html.<A HREF="../../../org/owasp/html/HtmlSanitizer.html" title="class in org.owasp.html"><B>HtmlSanitizer</B></A><LI TYPE="circle">org.owasp.html.<A HREF="../../../org/owasp/html/HtmlStreamRenderer.html" title="class in org.owasp.html"><B>HtmlStreamRenderer</B></A> (implements org.owasp.html.<A HREF="../../../org/owasp/html/HtmlStreamEventReceiver.html" title="interface in org.owasp.html">HtmlStreamEventReceiver</A>) +<LI TYPE="circle">org.owasp.html.<A HREF="../../../org/owasp/html/HtmlChangeReporter.html" title="class in org.owasp.html"><B>HtmlChangeReporter</B></A><T><LI TYPE="circle">org.owasp.html.<A HREF="../../../org/owasp/html/HtmlPolicyBuilder.html" title="class in org.owasp.html"><B>HtmlPolicyBuilder</B></A><LI TYPE="circle">org.owasp.html.<A HREF="../../../org/owasp/html/HtmlPolicyBuilder.AttributeBuilder.html" title="class in org.owasp.html"><B>HtmlPolicyBuilder.AttributeBuilder</B></A><LI TYPE="circle">org.owasp.html.<A HREF="../../../org/owasp/html/HtmlSanitizer.html" title="class in org.owasp.html"><B>HtmlSanitizer</B></A><LI TYPE="circle">org.owasp.html.<A HREF="../../../org/owasp/html/HtmlStreamRenderer.html" title="class in org.owasp.html"><B>HtmlStreamRenderer</B></A> (implements org.owasp.html.<A HREF="../../../org/owasp/html/HtmlStreamEventReceiver.html" title="interface in org.owasp.html">HtmlStreamEventReceiver</A>) <LI TYPE="circle">org.owasp.html.<A HREF="../../../org/owasp/html/PolicyFactory.html" title="class in org.owasp.html"><B>PolicyFactory</B></A> (implements com.google.common.base.Function<F,T>) <LI TYPE="circle">org.owasp.html.<A HREF="../../../org/owasp/html/Sanitizers.html" title="class in org.owasp.html"><B>Sanitizers</B></A><LI TYPE="circle">org.owasp.html.<A HREF="../../../org/owasp/html/TagBalancingHtmlStreamEventReceiver.html" title="class in org.owasp.html"><B>TagBalancingHtmlStreamEventReceiver</B></A> (implements org.owasp.html.<A HREF="../../../org/owasp/html/HtmlStreamEventReceiver.html" title="interface in org.owasp.html">HtmlStreamEventReceiver</A>) </UL> @@ -100,7 +100,7 @@ Class Hierarchy Interface Hierarchy </H2> <UL> -<LI TYPE="circle">org.owasp.html.<A HREF="../../../org/owasp/html/AttributePolicy.html" title="interface in org.owasp.html"><B>AttributePolicy</B></A><LI TYPE="circle">org.owasp.html.<A HREF="../../../org/owasp/html/ElementPolicy.html" title="interface in org.owasp.html"><B>ElementPolicy</B></A><LI TYPE="circle">org.owasp.html.<A HREF="../../../org/owasp/html/Handler.html" title="interface in org.owasp.html"><B>Handler</B></A><T><LI TYPE="circle">org.owasp.html.<A HREF="../../../org/owasp/html/HtmlStreamEventReceiver.html" title="interface in org.owasp.html"><B>HtmlStreamEventReceiver</B></A><UL> +<LI TYPE="circle">org.owasp.html.<A HREF="../../../org/owasp/html/AttributePolicy.html" title="interface in org.owasp.html"><B>AttributePolicy</B></A><LI TYPE="circle">org.owasp.html.<A HREF="../../../org/owasp/html/ElementPolicy.html" title="interface in org.owasp.html"><B>ElementPolicy</B></A><LI TYPE="circle">org.owasp.html.<A HREF="../../../org/owasp/html/Handler.html" title="interface in org.owasp.html"><B>Handler</B></A><T><LI TYPE="circle">org.owasp.html.<A HREF="../../../org/owasp/html/HtmlChangeListener.html" title="interface in org.owasp.html"><B>HtmlChangeListener</B></A><T><LI TYPE="circle">org.owasp.html.<A HREF="../../../org/owasp/html/HtmlStreamEventReceiver.html" title="interface in org.owasp.html"><B>HtmlStreamEventReceiver</B></A><UL> <LI TYPE="circle">org.owasp.html.<A HREF="../../../org/owasp/html/HtmlSanitizer.Policy.html" title="interface in org.owasp.html"><B>HtmlSanitizer.Policy</B></A></UL> </UL> <H2> diff --git a/distrib/javadoc/org/owasp/html/package-use.html b/distrib/javadoc/org/owasp/html/package-use.html index 0d877f1..e5312a0 100644 --- a/distrib/javadoc/org/owasp/html/package-use.html +++ b/distrib/javadoc/org/owasp/html/package-use.html @@ -127,6 +127,12 @@ Classes in <A HREF="../../../org/owasp/html/package-summary.html">org.owasp.html Receives notification of problems.</TD> </TR> <TR BGCOLOR="white" CLASS="TableRowColor"> +<TD><B><A HREF="../../../org/owasp/html/class-use/HtmlChangeListener.html#org.owasp.html"><B>HtmlChangeListener</B></A></B> + +<BR> + Receives events when an HTML tag, or attribute is discarded.</TD> +</TR> +<TR BGCOLOR="white" CLASS="TableRowColor"> <TD><B><A HREF="../../../org/owasp/html/class-use/HtmlPolicyBuilder.html#org.owasp.html"><B>HtmlPolicyBuilder</B></A></B> <BR> diff --git a/distrib/javadoc/overview-tree.html b/distrib/javadoc/overview-tree.html index 5f52389..b2cbe8f 100644 --- a/distrib/javadoc/overview-tree.html +++ b/distrib/javadoc/overview-tree.html @@ -90,7 +90,7 @@ Class Hierarchy <UL> <LI TYPE="circle">java.lang.Object<UL> <LI TYPE="circle">org.owasp.html.<A HREF="org/owasp/html/AttributePolicy.Util.html" title="class in org.owasp.html"><B>AttributePolicy.Util</B></A><LI TYPE="circle">org.owasp.html.examples.<A HREF="org/owasp/html/examples/EbayPolicyExample.html" title="class in org.owasp.html.examples"><B>EbayPolicyExample</B></A><LI TYPE="circle">org.owasp.html.<A HREF="org/owasp/html/ElementPolicy.Util.html" title="class in org.owasp.html"><B>ElementPolicy.Util</B></A><LI TYPE="circle">org.owasp.html.<A HREF="org/owasp/html/FilterUrlByProtocolAttributePolicy.html" title="class in org.owasp.html"><B>FilterUrlByProtocolAttributePolicy</B></A> (implements org.owasp.html.<A HREF="org/owasp/html/AttributePolicy.html" title="interface in org.owasp.html">AttributePolicy</A>) -<LI TYPE="circle">org.owasp.html.<A HREF="org/owasp/html/HtmlPolicyBuilder.html" title="class in org.owasp.html"><B>HtmlPolicyBuilder</B></A><LI TYPE="circle">org.owasp.html.<A HREF="org/owasp/html/HtmlPolicyBuilder.AttributeBuilder.html" title="class in org.owasp.html"><B>HtmlPolicyBuilder.AttributeBuilder</B></A><LI TYPE="circle">org.owasp.html.<A HREF="org/owasp/html/HtmlSanitizer.html" title="class in org.owasp.html"><B>HtmlSanitizer</B></A><LI TYPE="circle">org.owasp.html.<A HREF="org/owasp/html/HtmlStreamRenderer.html" title="class in org.owasp.html"><B>HtmlStreamRenderer</B></A> (implements org.owasp.html.<A HREF="org/owasp/html/HtmlStreamEventReceiver.html" title="interface in org.owasp.html">HtmlStreamEventReceiver</A>) +<LI TYPE="circle">org.owasp.html.<A HREF="org/owasp/html/HtmlChangeReporter.html" title="class in org.owasp.html"><B>HtmlChangeReporter</B></A><T><LI TYPE="circle">org.owasp.html.<A HREF="org/owasp/html/HtmlPolicyBuilder.html" title="class in org.owasp.html"><B>HtmlPolicyBuilder</B></A><LI TYPE="circle">org.owasp.html.<A HREF="org/owasp/html/HtmlPolicyBuilder.AttributeBuilder.html" title="class in org.owasp.html"><B>HtmlPolicyBuilder.AttributeBuilder</B></A><LI TYPE="circle">org.owasp.html.<A HREF="org/owasp/html/HtmlSanitizer.html" title="class in org.owasp.html"><B>HtmlSanitizer</B></A><LI TYPE="circle">org.owasp.html.<A HREF="org/owasp/html/HtmlStreamRenderer.html" title="class in org.owasp.html"><B>HtmlStreamRenderer</B></A> (implements org.owasp.html.<A HREF="org/owasp/html/HtmlStreamEventReceiver.html" title="interface in org.owasp.html">HtmlStreamEventReceiver</A>) <LI TYPE="circle">org.owasp.html.<A HREF="org/owasp/html/PolicyFactory.html" title="class in org.owasp.html"><B>PolicyFactory</B></A> (implements com.google.common.base.Function<F,T>) <LI TYPE="circle">org.owasp.html.<A HREF="org/owasp/html/Sanitizers.html" title="class in org.owasp.html"><B>Sanitizers</B></A><LI TYPE="circle">org.owasp.html.examples.<A HREF="org/owasp/html/examples/SlashdotPolicyExample.html" title="class in org.owasp.html.examples"><B>SlashdotPolicyExample</B></A><LI TYPE="circle">org.owasp.html.<A HREF="org/owasp/html/TagBalancingHtmlStreamEventReceiver.html" title="class in org.owasp.html"><B>TagBalancingHtmlStreamEventReceiver</B></A> (implements org.owasp.html.<A HREF="org/owasp/html/HtmlStreamEventReceiver.html" title="interface in org.owasp.html">HtmlStreamEventReceiver</A>) </UL> @@ -99,7 +99,7 @@ Class Hierarchy Interface Hierarchy </H2> <UL> -<LI TYPE="circle">org.owasp.html.<A HREF="org/owasp/html/AttributePolicy.html" title="interface in org.owasp.html"><B>AttributePolicy</B></A><LI TYPE="circle">org.owasp.html.<A HREF="org/owasp/html/ElementPolicy.html" title="interface in org.owasp.html"><B>ElementPolicy</B></A><LI TYPE="circle">org.owasp.html.<A HREF="org/owasp/html/Handler.html" title="interface in org.owasp.html"><B>Handler</B></A><T><LI TYPE="circle">org.owasp.html.<A HREF="org/owasp/html/HtmlStreamEventReceiver.html" title="interface in org.owasp.html"><B>HtmlStreamEventReceiver</B></A><UL> +<LI TYPE="circle">org.owasp.html.<A HREF="org/owasp/html/AttributePolicy.html" title="interface in org.owasp.html"><B>AttributePolicy</B></A><LI TYPE="circle">org.owasp.html.<A HREF="org/owasp/html/ElementPolicy.html" title="interface in org.owasp.html"><B>ElementPolicy</B></A><LI TYPE="circle">org.owasp.html.<A HREF="org/owasp/html/Handler.html" title="interface in org.owasp.html"><B>Handler</B></A><T><LI TYPE="circle">org.owasp.html.<A HREF="org/owasp/html/HtmlChangeListener.html" title="interface in org.owasp.html"><B>HtmlChangeListener</B></A><T><LI TYPE="circle">org.owasp.html.<A HREF="org/owasp/html/HtmlStreamEventReceiver.html" title="interface in org.owasp.html"><B>HtmlStreamEventReceiver</B></A><UL> <LI TYPE="circle">org.owasp.html.<A HREF="org/owasp/html/HtmlSanitizer.Policy.html" title="interface in org.owasp.html"><B>HtmlSanitizer.Policy</B></A></UL> </UL> <H2> diff --git a/distrib/javadoc/src-html/org/owasp/html/HtmlChangeListener.html b/distrib/javadoc/src-html/org/owasp/html/HtmlChangeListener.html new file mode 100644 index 0000000..c7918af --- /dev/null +++ b/distrib/javadoc/src-html/org/owasp/html/HtmlChangeListener.html @@ -0,0 +1,115 @@ +<HTML> +<BODY BGCOLOR="white"> +<PRE> +<FONT color="green">001</FONT> // Copyright (c) 2011, Mike Samuel<a name="line.1"></a> +<FONT color="green">002</FONT> // All rights reserved.<a name="line.2"></a> +<FONT color="green">003</FONT> //<a name="line.3"></a> +<FONT color="green">004</FONT> // Redistribution and use in source and binary forms, with or without<a name="line.4"></a> +<FONT color="green">005</FONT> // modification, are permitted provided that the following conditions<a name="line.5"></a> +<FONT color="green">006</FONT> // are met:<a name="line.6"></a> +<FONT color="green">007</FONT> //<a name="line.7"></a> +<FONT color="green">008</FONT> // Redistributions of source code must retain the above copyright<a name="line.8"></a> +<FONT color="green">009</FONT> // notice, this list of conditions and the following disclaimer.<a name="line.9"></a> +<FONT color="green">010</FONT> // Redistributions in binary form must reproduce the above copyright<a name="line.10"></a> +<FONT color="green">011</FONT> // notice, this list of conditions and the following disclaimer in the<a name="line.11"></a> +<FONT color="green">012</FONT> // documentation and/or other materials provided with the distribution.<a name="line.12"></a> +<FONT color="green">013</FONT> // Neither the name of the OWASP nor the names of its contributors may<a name="line.13"></a> +<FONT color="green">014</FONT> // be used to endorse or promote products derived from this software<a name="line.14"></a> +<FONT color="green">015</FONT> // without specific prior written permission.<a name="line.15"></a> +<FONT color="green">016</FONT> // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS<a name="line.16"></a> +<FONT color="green">017</FONT> // "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT<a name="line.17"></a> +<FONT color="green">018</FONT> // LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS<a name="line.18"></a> +<FONT color="green">019</FONT> // FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE<a name="line.19"></a> +<FONT color="green">020</FONT> // COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,<a name="line.20"></a> +<FONT color="green">021</FONT> // INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,<a name="line.21"></a> +<FONT color="green">022</FONT> // BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;<a name="line.22"></a> +<FONT color="green">023</FONT> // LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER<a name="line.23"></a> +<FONT color="green">024</FONT> // CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT<a name="line.24"></a> +<FONT color="green">025</FONT> // LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN<a name="line.25"></a> +<FONT color="green">026</FONT> // ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE<a name="line.26"></a> +<FONT color="green">027</FONT> // POSSIBILITY OF SUCH DAMAGE.<a name="line.27"></a> +<FONT color="green">028</FONT> <a name="line.28"></a> +<FONT color="green">029</FONT> package org.owasp.html;<a name="line.29"></a> +<FONT color="green">030</FONT> <a name="line.30"></a> +<FONT color="green">031</FONT> import javax.annotation.Nullable;<a name="line.31"></a> +<FONT color="green">032</FONT> <a name="line.32"></a> +<FONT color="green">033</FONT> /**<a name="line.33"></a> +<FONT color="green">034</FONT> * Receives events when an HTML tag, or attribute is discarded.<a name="line.34"></a> +<FONT color="green">035</FONT> * This can be hooked into an intrusion detection system to alert code when<a name="line.35"></a> +<FONT color="green">036</FONT> * suspicious HTML passes through the sanitizer.<a name="line.36"></a> +<FONT color="green">037</FONT> */<a name="line.37"></a> +<FONT color="green">038</FONT> public interface HtmlChangeListener<T> {<a name="line.38"></a> +<FONT color="green">039</FONT> <a name="line.39"></a> +<FONT color="green">040</FONT> /** Called when a tag is discarded from the input. */<a name="line.40"></a> +<FONT color="green">041</FONT> public void discardedTag(@Nullable T context, String elementName);<a name="line.41"></a> +<FONT color="green">042</FONT> <a name="line.42"></a> +<FONT color="green">043</FONT> /**<a name="line.43"></a> +<FONT color="green">044</FONT> * Called when attributes are discarded<a name="line.44"></a> +<FONT color="green">045</FONT> * from the input but the containing tag is not.<a name="line.45"></a> +<FONT color="green">046</FONT> */<a name="line.46"></a> +<FONT color="green">047</FONT> public void discardedAttributes(<a name="line.47"></a> +<FONT color="green">048</FONT> @Nullable T context, String tagName, String... attributeNames);<a name="line.48"></a> +<FONT color="green">049</FONT> }<a name="line.49"></a> + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +</PRE> +</BODY> +</HTML> diff --git a/distrib/javadoc/src-html/org/owasp/html/HtmlChangeReporter.html b/distrib/javadoc/src-html/org/owasp/html/HtmlChangeReporter.html new file mode 100644 index 0000000..ea30b8a --- /dev/null +++ b/distrib/javadoc/src-html/org/owasp/html/HtmlChangeReporter.html @@ -0,0 +1,241 @@ +<HTML> +<BODY BGCOLOR="white"> +<PRE> +<FONT color="green">001</FONT> // Copyright (c) 2011, Mike Samuel<a name="line.1"></a> +<FONT color="green">002</FONT> // All rights reserved.<a name="line.2"></a> +<FONT color="green">003</FONT> //<a name="line.3"></a> +<FONT color="green">004</FONT> // Redistribution and use in source and binary forms, with or without<a name="line.4"></a> +<FONT color="green">005</FONT> // modification, are permitted provided that the following conditions<a name="line.5"></a> +<FONT color="green">006</FONT> // are met:<a name="line.6"></a> +<FONT color="green">007</FONT> //<a name="line.7"></a> +<FONT color="green">008</FONT> // Redistributions of source code must retain the above copyright<a name="line.8"></a> +<FONT color="green">009</FONT> // notice, this list of conditions and the following disclaimer.<a name="line.9"></a> +<FONT color="green">010</FONT> // Redistributions in binary form must reproduce the above copyright<a name="line.10"></a> +<FONT color="green">011</FONT> // notice, this list of conditions and the following disclaimer in the<a name="line.11"></a> +<FONT color="green">012</FONT> // documentation and/or other materials provided with the distribution.<a name="line.12"></a> +<FONT color="green">013</FONT> // Neither the name of the OWASP nor the names of its contributors may<a name="line.13"></a> +<FONT color="green">014</FONT> // be used to endorse or promote products derived from this software<a name="line.14"></a> +<FONT color="green">015</FONT> // without specific prior written permission.<a name="line.15"></a> +<FONT color="green">016</FONT> // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS<a name="line.16"></a> +<FONT color="green">017</FONT> // "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT<a name="line.17"></a> +<FONT color="green">018</FONT> // LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS<a name="line.18"></a> +<FONT color="green">019</FONT> // FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE<a name="line.19"></a> +<FONT color="green">020</FONT> // COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,<a name="line.20"></a> +<FONT color="green">021</FONT> // INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,<a name="line.21"></a> +<FONT color="green">022</FONT> // BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;<a name="line.22"></a> +<FONT color="green">023</FONT> // LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER<a name="line.23"></a> +<FONT color="green">024</FONT> // CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT<a name="line.24"></a> +<FONT color="green">025</FONT> // LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN<a name="line.25"></a> +<FONT color="green">026</FONT> // ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE<a name="line.26"></a> +<FONT color="green">027</FONT> // POSSIBILITY OF SUCH DAMAGE.<a name="line.27"></a> +<FONT color="green">028</FONT> <a name="line.28"></a> +<FONT color="green">029</FONT> package org.owasp.html;<a name="line.29"></a> +<FONT color="green">030</FONT> <a name="line.30"></a> +<FONT color="green">031</FONT> import java.util.LinkedHashSet;<a name="line.31"></a> +<FONT color="green">032</FONT> import java.util.List;<a name="line.32"></a> +<FONT color="green">033</FONT> import java.util.Set;<a name="line.33"></a> +<FONT color="green">034</FONT> <a name="line.34"></a> +<FONT color="green">035</FONT> import javax.annotation.Nullable;<a name="line.35"></a> +<FONT color="green">036</FONT> <a name="line.36"></a> +<FONT color="green">037</FONT> /**<a name="line.37"></a> +<FONT color="green">038</FONT> * Sits between the HTML parser, and then policy, and the renderer so that it<a name="line.38"></a> +<FONT color="green">039</FONT> * can report dropped elements and attributes to an {@link HtmlChangeListener}.<a name="line.39"></a> +<FONT color="green">040</FONT> *<a name="line.40"></a> +<FONT color="green">041</FONT> * <pre><a name="line.41"></a> +<FONT color="green">042</FONT> * HtmlChangeReporter&lt;T&gt; hcr = new HtmlChangeReporter&lt;T&gt;(<a name="line.42"></a> +<FONT color="green">043</FONT> * renderer, htmlChangeListener, context);<a name="line.43"></a> +<FONT color="green">044</FONT> * hcr.setPolicy(policyFactory.apply(hcr.getWrappedRenderer()));<a name="line.44"></a> +<FONT color="green">045</FONT> * HtmlSanitizer.sanitize(html, hcr.getWrappedPolicy());<a name="line.45"></a> +<FONT color="green">046</FONT> * </pre><a name="line.46"></a> +<FONT color="green">047</FONT> *<a name="line.47"></a> +<FONT color="green">048</FONT> * The renderer receives events from the policy unchanged, but the reporter<a name="line.48"></a> +<FONT color="green">049</FONT> * notices differences between the events from the lexer and those from the<a name="line.49"></a> +<FONT color="green">050</FONT> * policy.<a name="line.50"></a> +<FONT color="green">051</FONT> *<a name="line.51"></a> +<FONT color="green">052</FONT> * @param <T> The type of context value passed to the<a name="line.52"></a> +<FONT color="green">053</FONT> */<a name="line.53"></a> +<FONT color="green">054</FONT> public final class HtmlChangeReporter<T> {<a name="line.54"></a> +<FONT color="green">055</FONT> private final OutputChannel output;<a name="line.55"></a> +<FONT color="green">056</FONT> private final InputChannel<T> input;<a name="line.56"></a> +<FONT color="green">057</FONT> <a name="line.57"></a> +<FONT color="green">058</FONT> public HtmlChangeReporter(<a name="line.58"></a> +<FONT color="green">059</FONT> HtmlStreamEventReceiver renderer,<a name="line.59"></a> +<FONT color="green">060</FONT> HtmlChangeListener<? super T> listener, @Nullable T context) {<a name="line.60"></a> +<FONT color="green">061</FONT> this.output = new OutputChannel(renderer);<a name="line.61"></a> +<FONT color="green">062</FONT> this.input = new InputChannel<T>(output, listener, context);<a name="line.62"></a> +<FONT color="green">063</FONT> }<a name="line.63"></a> +<FONT color="green">064</FONT> <a name="line.64"></a> +<FONT color="green">065</FONT> /**<a name="line.65"></a> +<FONT color="green">066</FONT> * Associates an input channel. {@code this} receives events and forwards<a name="line.66"></a> +<FONT color="green">067</FONT> * them to input.<a name="line.67"></a> +<FONT color="green">068</FONT> */<a name="line.68"></a> +<FONT color="green">069</FONT> public void setPolicy(HtmlSanitizer.Policy policy) {<a name="line.69"></a> +<FONT color="green">070</FONT> this.input.policy = policy;<a name="line.70"></a> +<FONT color="green">071</FONT> }<a name="line.71"></a> +<FONT color="green">072</FONT> <a name="line.72"></a> +<FONT color="green">073</FONT> public HtmlStreamEventReceiver getWrappedRenderer() { return output; }<a name="line.73"></a> +<FONT color="green">074</FONT> <a name="line.74"></a> +<FONT color="green">075</FONT> public HtmlSanitizer.Policy getWrappedPolicy() { return input; }<a name="line.75"></a> +<FONT color="green">076</FONT> <a name="line.76"></a> +<FONT color="green">077</FONT> private static final class InputChannel<T> implements HtmlSanitizer.Policy {<a name="line.77"></a> +<FONT color="green">078</FONT> HtmlStreamEventReceiver policy;<a name="line.78"></a> +<FONT color="green">079</FONT> final OutputChannel output;<a name="line.79"></a> +<FONT color="green">080</FONT> final T context;<a name="line.80"></a> +<FONT color="green">081</FONT> final HtmlChangeListener<? super T> listener;<a name="line.81"></a> +<FONT color="green">082</FONT> <a name="line.82"></a> +<FONT color="green">083</FONT> InputChannel(<a name="line.83"></a> +<FONT color="green">084</FONT> OutputChannel output, HtmlChangeListener<? super T> listener,<a name="line.84"></a> +<FONT color="green">085</FONT> @Nullable T context) {<a name="line.85"></a> +<FONT color="green">086</FONT> this.output = output;<a name="line.86"></a> +<FONT color="green">087</FONT> this.context = context;<a name="line.87"></a> +<FONT color="green">088</FONT> this.listener = listener;<a name="line.88"></a> +<FONT color="green">089</FONT> }<a name="line.89"></a> +<FONT color="green">090</FONT> <a name="line.90"></a> +<FONT color="green">091</FONT> public void openDocument() {<a name="line.91"></a> +<FONT color="green">092</FONT> policy.openDocument();<a name="line.92"></a> +<FONT color="green">093</FONT> }<a name="line.93"></a> +<FONT color="green">094</FONT> <a name="line.94"></a> +<FONT color="green">095</FONT> public void closeDocument() {<a name="line.95"></a> +<FONT color="green">096</FONT> policy.closeDocument();<a name="line.96"></a> +<FONT color="green">097</FONT> }<a name="line.97"></a> +<FONT color="green">098</FONT> <a name="line.98"></a> +<FONT color="green">099</FONT> public void openTag(String elementName, List<String> attrs) {<a name="line.99"></a> +<FONT color="green">100</FONT> output.expectedElementName = elementName;<a name="line.100"></a> +<FONT color="green">101</FONT> output.expectedAttrNames.clear();<a name="line.101"></a> +<FONT color="green">102</FONT> for (int i = 0, n = attrs.size(); i < n; i += 2) {<a name="line.102"></a> +<FONT color="green">103</FONT> output.expectedAttrNames.add(attrs.get(i));<a name="line.103"></a> +<FONT color="green">104</FONT> }<a name="line.104"></a> +<FONT color="green">105</FONT> policy.openTag(elementName, attrs);<a name="line.105"></a> +<FONT color="green">106</FONT> {<a name="line.106"></a> +<FONT color="green">107</FONT> // Gather the notification details to avoid any problems with the<a name="line.107"></a> +<FONT color="green">108</FONT> // listener re-entering the stream event receiver. This shouldn't<a name="line.108"></a> +<FONT color="green">109</FONT> // occur, but if it does it will be a source of subtle confusing bugs.<a name="line.109"></a> +<FONT color="green">110</FONT> String discardedElementName = output.expectedElementName;<a name="line.110"></a> +<FONT color="green">111</FONT> output.expectedElementName = null;<a name="line.111"></a> +<FONT color="green">112</FONT> int nExpected = output.expectedAttrNames.size();<a name="line.112"></a> +<FONT color="green">113</FONT> String[] discardedAttrNames =<a name="line.113"></a> +<FONT color="green">114</FONT> nExpected != 0 && discardedElementName == null<a name="line.114"></a> +<FONT color="green">115</FONT> ? output.expectedAttrNames.toArray(new String[nExpected])<a name="line.115"></a> +<FONT color="green">116</FONT> : ZERO_STRINGS;<a name="line.116"></a> +<FONT color="green">117</FONT> output.expectedAttrNames.clear();<a name="line.117"></a> +<FONT color="green">118</FONT> // Dispatch notifications to the listener.<a name="line.118"></a> +<FONT color="green">119</FONT> if (discardedElementName != null) {<a name="line.119"></a> +<FONT color="green">120</FONT> listener.discardedTag(context, discardedElementName);<a name="line.120"></a> +<FONT color="green">121</FONT> }<a name="line.121"></a> +<FONT color="green">122</FONT> if (discardedAttrNames.length != 0) {<a name="line.122"></a> +<FONT color="green">123</FONT> listener.discardedAttributes(<a name="line.123"></a> +<FONT color="green">124</FONT> context, elementName, discardedAttrNames);<a name="line.124"></a> +<FONT color="green">125</FONT> }<a name="line.125"></a> +<FONT color="green">126</FONT> }<a name="line.126"></a> +<FONT color="green">127</FONT> }<a name="line.127"></a> +<FONT color="green">128</FONT> <a name="line.128"></a> +<FONT color="green">129</FONT> public void closeTag(String elementName) {<a name="line.129"></a> +<FONT color="green">130</FONT> policy.closeTag(elementName);<a name="line.130"></a> +<FONT color="green">131</FONT> }<a name="line.131"></a> +<FONT color="green">132</FONT> <a name="line.132"></a> +<FONT color="green">133</FONT> public void text(String textChunk) {<a name="line.133"></a> +<FONT color="green">134</FONT> policy.text(textChunk);<a name="line.134"></a> +<FONT color="green">135</FONT> }<a name="line.135"></a> +<FONT color="green">136</FONT> }<a name="line.136"></a> +<FONT color="green">137</FONT> <a name="line.137"></a> +<FONT color="green">138</FONT> private static final class OutputChannel implements HtmlStreamEventReceiver {<a name="line.138"></a> +<FONT color="green">139</FONT> private final HtmlStreamEventReceiver renderer;<a name="line.139"></a> +<FONT color="green">140</FONT> String expectedElementName;<a name="line.140"></a> +<FONT color="green">141</FONT> Set<String> expectedAttrNames = new LinkedHashSet<String>();<a name="line.141"></a> +<FONT color="green">142</FONT> <a name="line.142"></a> +<FONT color="green">143</FONT> OutputChannel(HtmlStreamEventReceiver renderer) {<a name="line.143"></a> +<FONT color="green">144</FONT> this.renderer = renderer;<a name="line.144"></a> +<FONT color="green">145</FONT> }<a name="line.145"></a> +<FONT color="green">146</FONT> <a name="line.146"></a> +<FONT color="green">147</FONT> public void openDocument() {<a name="line.147"></a> +<FONT color="green">148</FONT> renderer.openDocument();<a name="line.148"></a> +<FONT color="green">149</FONT> }<a name="line.149"></a> +<FONT color="green">150</FONT> <a name="line.150"></a> +<FONT color="green">151</FONT> public void closeDocument() {<a name="line.151"></a> +<FONT color="green">152</FONT> renderer.closeDocument();<a name="line.152"></a> +<FONT color="green">153</FONT> }<a name="line.153"></a> +<FONT color="green">154</FONT> <a name="line.154"></a> +<FONT color="green">155</FONT> public void openTag(String elementName, List<String> attrs) {<a name="line.155"></a> +<FONT color="green">156</FONT> if (elementName.equals(expectedElementName)) {<a name="line.156"></a> +<FONT color="green">157</FONT> expectedElementName = null;<a name="line.157"></a> +<FONT color="green">158</FONT> }<a name="line.158"></a> +<FONT color="green">159</FONT> for (int i = 0, n = attrs.size(); i < n; i += 2) {<a name="line.159"></a> +<FONT color="green">160</FONT> expectedAttrNames.remove(attrs.get(i));<a name="line.160"></a> +<FONT color="green">161</FONT> }<a name="line.161"></a> +<FONT color="green">162</FONT> renderer.openTag(elementName, attrs);<a name="line.162"></a> +<FONT color="green">163</FONT> }<a name="line.163"></a> +<FONT color="green">164</FONT> <a name="line.164"></a> +<FONT color="green">165</FONT> public void closeTag(String elementName) {<a name="line.165"></a> +<FONT color="green">166</FONT> renderer.closeTag(elementName);<a name="line.166"></a> +<FONT color="green">167</FONT> }<a name="line.167"></a> +<FONT color="green">168</FONT> <a name="line.168"></a> +<FONT color="green">169</FONT> public void text(String text) {<a name="line.169"></a> +<FONT color="green">170</FONT> renderer.text(text);<a name="line.170"></a> +<FONT color="green">171</FONT> }<a name="line.171"></a> +<FONT color="green">172</FONT> }<a name="line.172"></a> +<FONT color="green">173</FONT> <a name="line.173"></a> +<FONT color="green">174</FONT> private static final String[] ZERO_STRINGS = new String[0];<a name="line.174"></a> +<FONT color="green">175</FONT> }<a name="line.175"></a> + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +</PRE> +</BODY> +</HTML> diff --git a/distrib/javadoc/src-html/org/owasp/html/HtmlPolicyBuilder.AttributeBuilder.html b/distrib/javadoc/src-html/org/owasp/html/HtmlPolicyBuilder.AttributeBuilder.html index 81c2bd0..f5792ee 100644 --- a/distrib/javadoc/src-html/org/owasp/html/HtmlPolicyBuilder.AttributeBuilder.html +++ b/distrib/javadoc/src-html/org/owasp/html/HtmlPolicyBuilder.AttributeBuilder.html @@ -54,7 +54,7 @@ <FONT color="green">051</FONT> * <p><a name="line.51"></a> <FONT color="green">052</FONT> * To create a policy, first construct an instance of this class; then call<a name="line.52"></a> <FONT color="green">053</FONT> * <code>allow&hellip;</code> methods to turn on tags, attributes, and other<a name="line.53"></a> -<FONT color="green">054</FONT> * processing modes; and finally call <code>build()</code> or<a name="line.54"></a> +<FONT color="green">054</FONT> * processing modes; and finally call <code>build(renderer)</code> or<a name="line.54"></a> <FONT color="green">055</FONT> * <code>toFactory()</code>.<a name="line.55"></a> <FONT color="green">056</FONT> * </p><a name="line.56"></a> <FONT color="green">057</FONT> * <pre class="prettyprint lang-java"><a name="line.57"></a> @@ -415,257 +415,277 @@ <FONT color="green">412</FONT> }<a name="line.412"></a> <FONT color="green">413</FONT> <a name="line.413"></a> <FONT color="green">414</FONT> /**<a name="line.414"></a> -<FONT color="green">415</FONT> * Like {@link #build} but can be reused to create many different policies<a name="line.415"></a> -<FONT color="green">416</FONT> * each backed by a different output channel.<a name="line.416"></a> -<FONT color="green">417</FONT> */<a name="line.417"></a> -<FONT color="green">418</FONT> public PolicyFactory toFactory() {<a name="line.418"></a> -<FONT color="green">419</FONT> return new PolicyFactory(compilePolicies(), allowStyling);<a name="line.419"></a> -<FONT color="green">420</FONT> }<a name="line.420"></a> -<FONT color="green">421</FONT> <a name="line.421"></a> -<FONT color="green">422</FONT> // Speed up subsequent builds by caching the compiled policies.<a name="line.422"></a> -<FONT color="green">423</FONT> private transient ImmutableMap<String, ElementAndAttributePolicies><a name="line.423"></a> -<FONT color="green">424</FONT> compiledPolicies;<a name="line.424"></a> -<FONT color="green">425</FONT> <a name="line.425"></a> -<FONT color="green">426</FONT> /** Called by mutators to signal that any compiled policy is out-of-date. */<a name="line.426"></a> -<FONT color="green">427</FONT> private void invalidateCompiledState() {<a name="line.427"></a> -<FONT color="green">428</FONT> compiledPolicies = null;<a name="line.428"></a> -<FONT color="green">429</FONT> }<a name="line.429"></a> -<FONT color="green">430</FONT> <a name="line.430"></a> -<FONT color="green">431</FONT> private ImmutableMap<String, ElementAndAttributePolicies> compilePolicies() {<a name="line.431"></a> -<FONT color="green">432</FONT> if (compiledPolicies != null) { return compiledPolicies; }<a name="line.432"></a> +<FONT color="green">415</FONT> * Produces a policy based on the allow and disallow calls previously made.<a name="line.415"></a> +<FONT color="green">416</FONT> *<a name="line.416"></a> +<FONT color="green">417</FONT> * @param out receives calls to open only tags allowed by<a name="line.417"></a> +<FONT color="green">418</FONT> * previous calls to this object.<a name="line.418"></a> +<FONT color="green">419</FONT> * Typically a {@link HtmlStreamRenderer}.<a name="line.419"></a> +<FONT color="green">420</FONT> * @param listener is notified of dropped tags and attributes so that<a name="line.420"></a> +<FONT color="green">421</FONT> * intrusion detection systems can be alerted to questionable HTML.<a name="line.421"></a> +<FONT color="green">422</FONT> * If {@code null} then no notifications are sent.<a name="line.422"></a> +<FONT color="green">423</FONT> * @param context if {@code (listener != null)} then the context value passed<a name="line.423"></a> +<FONT color="green">424</FONT> * with alerts. This can be used to let the listener know from which<a name="line.424"></a> +<FONT color="green">425</FONT> * connection or request the questionable HTML was received.<a name="line.425"></a> +<FONT color="green">426</FONT> */<a name="line.426"></a> +<FONT color="green">427</FONT> public <CTX> HtmlSanitizer.Policy build(<a name="line.427"></a> +<FONT color="green">428</FONT> HtmlStreamEventReceiver out,<a name="line.428"></a> +<FONT color="green">429</FONT> @Nullable HtmlChangeListener<? super CTX> listener,<a name="line.429"></a> +<FONT color="green">430</FONT> @Nullable CTX context) {<a name="line.430"></a> +<FONT color="green">431</FONT> return toFactory().apply(out, listener, context);<a name="line.431"></a> +<FONT color="green">432</FONT> }<a name="line.432"></a> <FONT color="green">433</FONT> <a name="line.433"></a> -<FONT color="green">434</FONT> // Copy maps before normalizing in case builder is reused.<a name="line.434"></a> -<FONT color="green">435</FONT> Map<String, ElementPolicy> elPolicies<a name="line.435"></a> -<FONT color="green">436</FONT> = Maps.newLinkedHashMap(this.elPolicies);<a name="line.436"></a> -<FONT color="green">437</FONT> Map<String, Map<String, AttributePolicy>> attrPolicies<a name="line.437"></a> -<FONT color="green">438</FONT> = Maps.newLinkedHashMap(this.attrPolicies);<a name="line.438"></a> -<FONT color="green">439</FONT> for (Map.Entry<String, Map<String, AttributePolicy>> e :<a name="line.439"></a> -<FONT color="green">440</FONT> attrPolicies.entrySet()) {<a name="line.440"></a> -<FONT color="green">441</FONT> e.setValue(Maps.newLinkedHashMap(e.getValue()));<a name="line.441"></a> -<FONT color="green">442</FONT> }<a name="line.442"></a> -<FONT color="green">443</FONT> Map<String, AttributePolicy> globalAttrPolicies<a name="line.443"></a> -<FONT color="green">444</FONT> = Maps.newLinkedHashMap(this.globalAttrPolicies);<a name="line.444"></a> -<FONT color="green">445</FONT> Set<String> allowedProtocols = ImmutableSet.copyOf(this.allowedProtocols);<a name="line.445"></a> -<FONT color="green">446</FONT> <a name="line.446"></a> -<FONT color="green">447</FONT> // Implement requireRelNofollowOnLinks<a name="line.447"></a> -<FONT color="green">448</FONT> if (requireRelNofollowOnLinks) {<a name="line.448"></a> -<FONT color="green">449</FONT> elPolicies.put(<a name="line.449"></a> -<FONT color="green">450</FONT> "a",<a name="line.450"></a> -<FONT color="green">451</FONT> ElementPolicy.Util.join(<a name="line.451"></a> -<FONT color="green">452</FONT> elPolicies.get("a"),<a name="line.452"></a> -<FONT color="green">453</FONT> new ElementPolicy() {<a name="line.453"></a> -<FONT color="green">454</FONT> public String apply(String elementName, List<String> attrs) {<a name="line.454"></a> -<FONT color="green">455</FONT> for (int i = 0, n = attrs.size(); i < n; i += 2) {<a name="line.455"></a> -<FONT color="green">456</FONT> if ("href".equals(attrs.get(i))) {<a name="line.456"></a> -<FONT color="green">457</FONT> attrs.add("rel");<a name="line.457"></a> -<FONT color="green">458</FONT> attrs.add("nofollow");<a name="line.458"></a> -<FONT color="green">459</FONT> break;<a name="line.459"></a> -<FONT color="green">460</FONT> }<a name="line.460"></a> -<FONT color="green">461</FONT> }<a name="line.461"></a> -<FONT color="green">462</FONT> return elementName;<a name="line.462"></a> -<FONT color="green">463</FONT> }<a name="line.463"></a> -<FONT color="green">464</FONT> }));<a name="line.464"></a> -<FONT color="green">465</FONT> }<a name="line.465"></a> +<FONT color="green">434</FONT> /**<a name="line.434"></a> +<FONT color="green">435</FONT> * Like {@link #build} but can be reused to create many different policies<a name="line.435"></a> +<FONT color="green">436</FONT> * each backed by a different output channel.<a name="line.436"></a> +<FONT color="green">437</FONT> */<a name="line.437"></a> +<FONT color="green">438</FONT> public PolicyFactory toFactory() {<a name="line.438"></a> +<FONT color="green">439</FONT> return new PolicyFactory(compilePolicies(), allowStyling);<a name="line.439"></a> +<FONT color="green">440</FONT> }<a name="line.440"></a> +<FONT color="green">441</FONT> <a name="line.441"></a> +<FONT color="green">442</FONT> // Speed up subsequent builds by caching the compiled policies.<a name="line.442"></a> +<FONT color="green">443</FONT> private transient ImmutableMap<String, ElementAndAttributePolicies><a name="line.443"></a> +<FONT color="green">444</FONT> compiledPolicies;<a name="line.444"></a> +<FONT color="green">445</FONT> <a name="line.445"></a> +<FONT color="green">446</FONT> /** Called by mutators to signal that any compiled policy is out-of-date. */<a name="line.446"></a> +<FONT color="green">447</FONT> private void invalidateCompiledState() {<a name="line.447"></a> +<FONT color="green">448</FONT> compiledPolicies = null;<a name="line.448"></a> +<FONT color="green">449</FONT> }<a name="line.449"></a> +<FONT color="green">450</FONT> <a name="line.450"></a> +<FONT color="green">451</FONT> private ImmutableMap<String, ElementAndAttributePolicies> compilePolicies() {<a name="line.451"></a> +<FONT color="green">452</FONT> if (compiledPolicies != null) { return compiledPolicies; }<a name="line.452"></a> +<FONT color="green">453</FONT> <a name="line.453"></a> +<FONT color="green">454</FONT> // Copy maps before normalizing in case builder is reused.<a name="line.454"></a> +<FONT color="green">455</FONT> Map<String, ElementPolicy> elPolicies<a name="line.455"></a> +<FONT color="green">456</FONT> = Maps.newLinkedHashMap(this.elPolicies);<a name="line.456"></a> +<FONT color="green">457</FONT> Map<String, Map<String, AttributePolicy>> attrPolicies<a name="line.457"></a> +<FONT color="green">458</FONT> = Maps.newLinkedHashMap(this.attrPolicies);<a name="line.458"></a> +<FONT color="green">459</FONT> for (Map.Entry<String, Map<String, AttributePolicy>> e :<a name="line.459"></a> +<FONT color="green">460</FONT> attrPolicies.entrySet()) {<a name="line.460"></a> +<FONT color="green">461</FONT> e.setValue(Maps.newLinkedHashMap(e.getValue()));<a name="line.461"></a> +<FONT color="green">462</FONT> }<a name="line.462"></a> +<FONT color="green">463</FONT> Map<String, AttributePolicy> globalAttrPolicies<a name="line.463"></a> +<FONT color="green">464</FONT> = Maps.newLinkedHashMap(this.globalAttrPolicies);<a name="line.464"></a> +<FONT color="green">465</FONT> Set<String> allowedProtocols = ImmutableSet.copyOf(this.allowedProtocols);<a name="line.465"></a> <FONT color="green">466</FONT> <a name="line.466"></a> -<FONT color="green">467</FONT> // Implement protocol policies.<a name="line.467"></a> -<FONT color="green">468</FONT> // For each URL attribute that is allowed, we further constrain it by<a name="line.468"></a> -<FONT color="green">469</FONT> // only allowing the value through if it specifies no protocol, or if it<a name="line.469"></a> -<FONT color="green">470</FONT> // specifies one in the allowedProtocols white-list.<a name="line.470"></a> -<FONT color="green">471</FONT> // This is done regardless of whether any protocols have been allowed, so<a name="line.471"></a> -<FONT color="green">472</FONT> // allowing the attribute "href" globally with the identity policy but<a name="line.472"></a> -<FONT color="green">473</FONT> // not white-listing any protocols, effectively disallows the "href"<a name="line.473"></a> -<FONT color="green">474</FONT> // attribute globally.<a name="line.474"></a> -<FONT color="green">475</FONT> {<a name="line.475"></a> -<FONT color="green">476</FONT> AttributePolicy urlAttributePolicy;<a name="line.476"></a> -<FONT color="green">477</FONT> if (allowedProtocols.size() == 3<a name="line.477"></a> -<FONT color="green">478</FONT> && allowedProtocols.contains("mailto")<a name="line.478"></a> -<FONT color="green">479</FONT> && allowedProtocols.contains("http")<a name="line.479"></a> -<FONT color="green">480</FONT> && allowedProtocols.contains("https")) {<a name="line.480"></a> -<FONT color="green">481</FONT> urlAttributePolicy = StandardUrlAttributePolicy.INSTANCE;<a name="line.481"></a> -<FONT color="green">482</FONT> } else {<a name="line.482"></a> -<FONT color="green">483</FONT> urlAttributePolicy = new FilterUrlByProtocolAttributePolicy(<a name="line.483"></a> -<FONT color="green">484</FONT> allowedProtocols);<a name="line.484"></a> -<FONT color="green">485</FONT> }<a name="line.485"></a> -<FONT color="green">486</FONT> Set<String> toGuard = Sets.newLinkedHashSet(URL_ATTRIBUTE_NAMES);<a name="line.486"></a> -<FONT color="green">487</FONT> for (String urlAttributeName : URL_ATTRIBUTE_NAMES) {<a name="line.487"></a> -<FONT color="green">488</FONT> if (globalAttrPolicies.containsKey(urlAttributeName)) {<a name="line.488"></a> -<FONT color="green">489</FONT> toGuard.remove(urlAttributeName);<a name="line.489"></a> -<FONT color="green">490</FONT> globalAttrPolicies.put(urlAttributeName, AttributePolicy.Util.join(<a name="line.490"></a> -<FONT color="green">491</FONT> urlAttributePolicy, globalAttrPolicies.get(urlAttributeName)));<a name="line.491"></a> -<FONT color="green">492</FONT> }<a name="line.492"></a> -<FONT color="green">493</FONT> }<a name="line.493"></a> -<FONT color="green">494</FONT> // Implement guards not implemented on global policies in the per-element<a name="line.494"></a> -<FONT color="green">495</FONT> // policy maps.<a name="line.495"></a> -<FONT color="green">496</FONT> for (Map.Entry<String, Map<String, AttributePolicy>> e<a name="line.496"></a> -<FONT color="green">497</FONT> : attrPolicies.entrySet()) {<a name="line.497"></a> -<FONT color="green">498</FONT> Map<String, AttributePolicy> policies = e.getValue();<a name="line.498"></a> -<FONT color="green">499</FONT> for (String urlAttributeName : toGuard) {<a name="line.499"></a> -<FONT color="green">500</FONT> if (policies.containsKey(urlAttributeName)) {<a name="line.500"></a> -<FONT color="green">501</FONT> policies.put(urlAttributeName, AttributePolicy.Util.join(<a name="line.501"></a> -<FONT color="green">502</FONT> urlAttributePolicy, policies.get(urlAttributeName)));<a name="line.502"></a> -<FONT color="green">503</FONT> }<a name="line.503"></a> -<FONT color="green">504</FONT> }<a name="line.504"></a> +<FONT color="green">467</FONT> // Implement requireRelNofollowOnLinks<a name="line.467"></a> +<FONT color="green">468</FONT> if (requireRelNofollowOnLinks) {<a name="line.468"></a> +<FONT color="green">469</FONT> elPolicies.put(<a name="line.469"></a> +<FONT color="green">470</FONT> "a",<a name="line.470"></a> +<FONT color="green">471</FONT> ElementPolicy.Util.join(<a name="line.471"></a> +<FONT color="green">472</FONT> elPolicies.get("a"),<a name="line.472"></a> +<FONT color="green">473</FONT> new ElementPolicy() {<a name="line.473"></a> +<FONT color="green">474</FONT> public String apply(String elementName, List<String> attrs) {<a name="line.474"></a> +<FONT color="green">475</FONT> for (int i = 0, n = attrs.size(); i < n; i += 2) {<a name="line.475"></a> +<FONT color="green">476</FONT> if ("href".equals(attrs.get(i))) {<a name="line.476"></a> +<FONT color="green">477</FONT> attrs.add("rel");<a name="line.477"></a> +<FONT color="green">478</FONT> attrs.add("nofollow");<a name="line.478"></a> +<FONT color="green">479</FONT> break;<a name="line.479"></a> +<FONT color="green">480</FONT> }<a name="line.480"></a> +<FONT color="green">481</FONT> }<a name="line.481"></a> +<FONT color="green">482</FONT> return elementName;<a name="line.482"></a> +<FONT color="green">483</FONT> }<a name="line.483"></a> +<FONT color="green">484</FONT> }));<a name="line.484"></a> +<FONT color="green">485</FONT> }<a name="line.485"></a> +<FONT color="green">486</FONT> <a name="line.486"></a> +<FONT color="green">487</FONT> // Implement protocol policies.<a name="line.487"></a> +<FONT color="green">488</FONT> // For each URL attribute that is allowed, we further constrain it by<a name="line.488"></a> +<FONT color="green">489</FONT> // only allowing the value through if it specifies no protocol, or if it<a name="line.489"></a> +<FONT color="green">490</FONT> // specifies one in the allowedProtocols white-list.<a name="line.490"></a> +<FONT color="green">491</FONT> // This is done regardless of whether any protocols have been allowed, so<a name="line.491"></a> +<FONT color="green">492</FONT> // allowing the attribute "href" globally with the identity policy but<a name="line.492"></a> +<FONT color="green">493</FONT> // not white-listing any protocols, effectively disallows the "href"<a name="line.493"></a> +<FONT color="green">494</FONT> // attribute globally.<a name="line.494"></a> +<FONT color="green">495</FONT> {<a name="line.495"></a> +<FONT color="green">496</FONT> AttributePolicy urlAttributePolicy;<a name="line.496"></a> +<FONT color="green">497</FONT> if (allowedProtocols.size() == 3<a name="line.497"></a> +<FONT color="green">498</FONT> && allowedProtocols.contains("mailto")<a name="line.498"></a> +<FONT color="green">499</FONT> && allowedProtocols.contains("http")<a name="line.499"></a> +<FONT color="green">500</FONT> && allowedProtocols.contains("https")) {<a name="line.500"></a> +<FONT color="green">501</FONT> urlAttributePolicy = StandardUrlAttributePolicy.INSTANCE;<a name="line.501"></a> +<FONT color="green">502</FONT> } else {<a name="line.502"></a> +<FONT color="green">503</FONT> urlAttributePolicy = new FilterUrlByProtocolAttributePolicy(<a name="line.503"></a> +<FONT color="green">504</FONT> allowedProtocols);<a name="line.504"></a> <FONT color="green">505</FONT> }<a name="line.505"></a> -<FONT color="green">506</FONT> }<a name="line.506"></a> -<FONT color="green">507</FONT> <a name="line.507"></a> -<FONT color="green">508</FONT> ImmutableMap.Builder<String, ElementAndAttributePolicies> policiesBuilder<a name="line.508"></a> -<FONT color="green">509</FONT> = ImmutableMap.builder();<a name="line.509"></a> -<FONT color="green">510</FONT> for (Map.Entry<String, ElementPolicy> e : elPolicies.entrySet()) {<a name="line.510"></a> -<FONT color="green">511</FONT> String elementName = e.getKey();<a name="line.511"></a> -<FONT color="green">512</FONT> ElementPolicy elPolicy = e.getValue();<a name="line.512"></a> -<FONT color="green">513</FONT> if (ElementPolicy.REJECT_ALL_ELEMENT_POLICY.equals(elPolicy)) {<a name="line.513"></a> -<FONT color="green">514</FONT> continue;<a name="line.514"></a> -<FONT color="green">515</FONT> }<a name="line.515"></a> -<FONT color="green">516</FONT> <a name="line.516"></a> -<FONT color="green">517</FONT> Map<String, AttributePolicy> elAttrPolicies<a name="line.517"></a> -<FONT color="green">518</FONT> = attrPolicies.get(elementName);<a name="line.518"></a> -<FONT color="green">519</FONT> if (elAttrPolicies == null) { elAttrPolicies = ImmutableMap.of(); }<a name="line.519"></a> -<FONT color="green">520</FONT> ImmutableMap.Builder<String, AttributePolicy> attrs<a name="line.520"></a> -<FONT color="green">521</FONT> = ImmutableMap.builder();<a name="line.521"></a> -<FONT color="green">522</FONT> for (Map.Entry<String, AttributePolicy> ape : elAttrPolicies.entrySet()) {<a name="line.522"></a> -<FONT color="green">523</FONT> String attributeName = ape.getKey();<a name="line.523"></a> -<FONT color="green">524</FONT> if (globalAttrPolicies.containsKey(attributeName)) { continue; }<a name="line.524"></a> -<FONT color="green">525</FONT> AttributePolicy policy = ape.getValue();<a name="line.525"></a> -<FONT color="green">526</FONT> if (!AttributePolicy.REJECT_ALL_ATTRIBUTE_POLICY.equals(policy)) {<a name="line.526"></a> -<FONT color="green">527</FONT> attrs.put(attributeName, policy);<a name="line.527"></a> -<FONT color="green">528</FONT> }<a name="line.528"></a> -<FONT color="green">529</FONT> }<a name="line.529"></a> -<FONT color="green">530</FONT> for (Map.Entry<String, AttributePolicy> ape<a name="line.530"></a> -<FONT color="green">531</FONT> : globalAttrPolicies.entrySet()) {<a name="line.531"></a> -<FONT color="green">532</FONT> String attributeName = ape.getKey();<a name="line.532"></a> -<FONT color="green">533</FONT> AttributePolicy policy = AttributePolicy.Util.join(<a name="line.533"></a> -<FONT color="green">534</FONT> elAttrPolicies.get(attributeName), ape.getValue());<a name="line.534"></a> -<FONT color="green">535</FONT> if (!AttributePolicy.REJECT_ALL_ATTRIBUTE_POLICY.equals(policy)) {<a name="line.535"></a> -<FONT color="green">536</FONT> attrs.put(attributeName, policy);<a name="line.536"></a> -<FONT color="green">537</FONT> }<a name="line.537"></a> -<FONT color="green">538</FONT> }<a name="line.538"></a> -<FONT color="green">539</FONT> <a name="line.539"></a> -<FONT color="green">540</FONT> policiesBuilder.put(<a name="line.540"></a> -<FONT color="green">541</FONT> elementName,<a name="line.541"></a> -<FONT color="green">542</FONT> new ElementAndAttributePolicies(<a name="line.542"></a> -<FONT color="green">543</FONT> elementName,<a name="line.543"></a> -<FONT color="green">544</FONT> elPolicy, attrs.build(), skipIfEmpty.contains(elementName)));<a name="line.544"></a> -<FONT color="green">545</FONT> }<a name="line.545"></a> -<FONT color="green">546</FONT> return compiledPolicies = policiesBuilder.build();<a name="line.546"></a> -<FONT color="green">547</FONT> }<a name="line.547"></a> -<FONT color="green">548</FONT> <a name="line.548"></a> -<FONT color="green">549</FONT> /**<a name="line.549"></a> -<FONT color="green">550</FONT> * Builds the relationship between attributes, the values that they may have,<a name="line.550"></a> -<FONT color="green">551</FONT> * and the elements on which they may appear.<a name="line.551"></a> -<FONT color="green">552</FONT> *<a name="line.552"></a> -<FONT color="green">553</FONT> * @author Mike Samuel<a name="line.553"></a> -<FONT color="green">554</FONT> */<a name="line.554"></a> -<FONT color="green">555</FONT> public final class AttributeBuilder {<a name="line.555"></a> -<FONT color="green">556</FONT> private final List<String> attributeNames;<a name="line.556"></a> -<FONT color="green">557</FONT> private AttributePolicy policy = AttributePolicy.IDENTITY_ATTRIBUTE_POLICY;<a name="line.557"></a> -<FONT color="green">558</FONT> <a name="line.558"></a> -<FONT color="green">559</FONT> AttributeBuilder(List<? extends String> attributeNames) {<a name="line.559"></a> -<FONT color="green">560</FONT> this.attributeNames = ImmutableList.copyOf(attributeNames);<a name="line.560"></a> -<FONT color="green">561</FONT> }<a name="line.561"></a> -<FONT color="green">562</FONT> <a name="line.562"></a> -<FONT color="green">563</FONT> /**<a name="line.563"></a> -<FONT color="green">564</FONT> * Filters and/or transforms the attribute values<a name="line.564"></a> -<FONT color="green">565</FONT> * allowed by later {@code allow*} calls.<a name="line.565"></a> -<FONT color="green">566</FONT> * Multiple calls to {@code matching} are combined so that the policies<a name="line.566"></a> -<FONT color="green">567</FONT> * receive the value in order, each seeing the value after any<a name="line.567"></a> -<FONT color="green">568</FONT> * transformation by a previous policy.<a name="line.568"></a> -<FONT color="green">569</FONT> */<a name="line.569"></a> -<FONT color="green">570</FONT> public AttributeBuilder matching(AttributePolicy policy) {<a name="line.570"></a> -<FONT color="green">571</FONT> this.policy = AttributePolicy.Util.join(this.policy, policy);<a name="line.571"></a> -<FONT color="green">572</FONT> return this;<a name="line.572"></a> -<FONT color="green">573</FONT> }<a name="line.573"></a> -<FONT color="green">574</FONT> <a name="line.574"></a> -<FONT color="green">575</FONT> /**<a name="line.575"></a> -<FONT color="green">576</FONT> * Restrict the values allowed by later {@code allow*} calls to those<a name="line.576"></a> -<FONT color="green">577</FONT> * matching the pattern.<a name="line.577"></a> -<FONT color="green">578</FONT> * Multiple calls to {@code matching} are combined to restrict to the<a name="line.578"></a> -<FONT color="green">579</FONT> * intersection of possible matched values.<a name="line.579"></a> -<FONT color="green">580</FONT> */<a name="line.580"></a> -<FONT color="green">581</FONT> public AttributeBuilder matching(final Pattern pattern) {<a name="line.581"></a> -<FONT color="green">582</FONT> return matching(new AttributePolicy() {<a name="line.582"></a> -<FONT color="green">583</FONT> public @Nullable String apply(<a name="line.583"></a> -<FONT color="green">584</FONT> String elementName, String attributeName, String value) {<a name="line.584"></a> -<FONT color="green">585</FONT> return pattern.matcher(value).matches() ? value : null;<a name="line.585"></a> -<FONT color="green">586</FONT> }<a name="line.586"></a> -<FONT color="green">587</FONT> });<a name="line.587"></a> -<FONT color="green">588</FONT> }<a name="line.588"></a> -<FONT color="green">589</FONT> <a name="line.589"></a> -<FONT color="green">590</FONT> /**<a name="line.590"></a> -<FONT color="green">591</FONT> * Restrict the values allowed by later {@code allow*} calls to those<a name="line.591"></a> -<FONT color="green">592</FONT> * matching the given predicate.<a name="line.592"></a> -<FONT color="green">593</FONT> * Multiple calls to {@code matching} are combined to restrict to the<a name="line.593"></a> -<FONT color="green">594</FONT> * intersection of possible matched values.<a name="line.594"></a> -<FONT color="green">595</FONT> */<a name="line.595"></a> -<FONT color="green">596</FONT> public AttributeBuilder matching(<a name="line.596"></a> -<FONT color="green">597</FONT> final Predicate<? super String> filter) {<a name="line.597"></a> -<FONT color="green">598</FONT> return matching(new AttributePolicy() {<a name="line.598"></a> -<FONT color="green">599</FONT> public @Nullable String apply(<a name="line.599"></a> -<FONT color="green">600</FONT> String elementName, String attributeName, String value) {<a name="line.600"></a> -<FONT color="green">601</FONT> return filter.apply(value) ? value : null;<a name="line.601"></a> -<FONT color="green">602</FONT> }<a name="line.602"></a> -<FONT color="green">603</FONT> });<a name="line.603"></a> -<FONT color="green">604</FONT> }<a name="line.604"></a> -<FONT color="green">605</FONT> <a name="line.605"></a> -<FONT color="green">606</FONT> /**<a name="line.606"></a> -<FONT color="green">607</FONT> * Restrict the values allowed by later {@code allow*} calls to those<a name="line.607"></a> -<FONT color="green">608</FONT> * supplied.<a name="line.608"></a> -<FONT color="green">609</FONT> * Multiple calls to {@code matching} are combined to restrict to the<a name="line.609"></a> -<FONT color="green">610</FONT> * intersection of possible matched values.<a name="line.610"></a> -<FONT color="green">611</FONT> */<a name="line.611"></a> -<FONT color="green">612</FONT> public AttributeBuilder matching(<a name="line.612"></a> -<FONT color="green">613</FONT> boolean ignoreCase, String... allowedValues) {<a name="line.613"></a> -<FONT color="green">614</FONT> return matching(ignoreCase, ImmutableSet.copyOf(allowedValues));<a name="line.614"></a> -<FONT color="green">615</FONT> }<a name="line.615"></a> -<FONT color="green">616</FONT> <a name="line.616"></a> -<FONT color="green">617</FONT> /**<a name="line.617"></a> -<FONT color="green">618</FONT> * Restrict the values allowed by later {@code allow*} calls to those<a name="line.618"></a> -<FONT color="green">619</FONT> * supplied.<a name="line.619"></a> -<FONT color="green">620</FONT> * Multiple calls to {@code matching} are combined to restrict to the<a name="line.620"></a> -<FONT color="green">621</FONT> * intersection of possible matched values.<a name="line.621"></a> -<FONT color="green">622</FONT> */<a name="line.622"></a> -<FONT color="green">623</FONT> public AttributeBuilder matching(<a name="line.623"></a> -<FONT color="green">624</FONT> final boolean ignoreCase, Set<? extends String> allowedValues) {<a name="line.624"></a> -<FONT color="green">625</FONT> final ImmutableSet<String> allowed = ImmutableSet.copyOf(allowedValues);<a name="line.625"></a> -<FONT color="green">626</FONT> return matching(new AttributePolicy() {<a name="line.626"></a> -<FONT color="green">627</FONT> public @Nullable String apply(<a name="line.627"></a> -<FONT color="green">628</FONT> String elementName, String attributeName, String value) {<a name="line.628"></a> -<FONT color="green">629</FONT> if (ignoreCase) { value = Strings.toLowerCase(value); }<a name="line.629"></a> -<FONT color="green">630</FONT> return allowed.contains(value) ? value : null;<a name="line.630"></a> -<FONT color="green">631</FONT> }<a name="line.631"></a> -<FONT color="green">632</FONT> });<a name="line.632"></a> -<FONT color="green">633</FONT> }<a name="line.633"></a> -<FONT color="green">634</FONT> <a name="line.634"></a> -<FONT color="green">635</FONT> /**<a name="line.635"></a> -<FONT color="green">636</FONT> * Allows the given attributes on any elements but filters the<a name="line.636"></a> -<FONT color="green">637</FONT> * attributes' values based on previous calls to {@code matching(...)}.<a name="line.637"></a> -<FONT color="green">638</FONT> * Global attribute policies are applied after element specific policies.<a name="line.638"></a> -<FONT color="green">639</FONT> * Be careful of using this with attributes like <code>type</code> which<a name="line.639"></a> -<FONT color="green">640</FONT> * have different meanings on different attributes.<a name="line.640"></a> -<FONT color="green">641</FONT> * Also be careful of allowing globally attributes like <code>href</code><a name="line.641"></a> -<FONT color="green">642</FONT> * which can have more far-reaching effects on tags like<a name="line.642"></a> -<FONT color="green">643</FONT> * <code>&lt;base&gt;</code> and <code>&lt;link&gt;</code> than on<a name="line.643"></a> -<FONT color="green">644</FONT> * <code>&lt;a&gt;</code> because in the former, they have an effect without<a name="line.644"></a> -<FONT color="green">645</FONT> * user interaction and can change the behavior of the current page.<a name="line.645"></a> -<FONT color="green">646</FONT> */<a name="line.646"></a> -<FONT color="green">647</FONT> public HtmlPolicyBuilder globally() {<a name="line.647"></a> -<FONT color="green">648</FONT> return HtmlPolicyBuilder.this.allowAttributesGlobally(<a name="line.648"></a> -<FONT color="green">649</FONT> policy, attributeNames);<a name="line.649"></a> -<FONT color="green">650</FONT> }<a name="line.650"></a> -<FONT color="green">651</FONT> <a name="line.651"></a> -<FONT color="green">652</FONT> /**<a name="line.652"></a> -<FONT color="green">653</FONT> * Allows the named attributes on the given elements but filters the<a name="line.653"></a> -<FONT color="green">654</FONT> * attributes' values based on previous calls to {@code matching(...)}.<a name="line.654"></a> -<FONT color="green">655</FONT> */<a name="line.655"></a> -<FONT color="green">656</FONT> public HtmlPolicyBuilder onElements(String... elementNames) {<a name="line.656"></a> -<FONT color="green">657</FONT> ImmutableList.Builder<String> b = ImmutableList.builder();<a name="line.657"></a> -<FONT color="green">658</FONT> for (String elementName : elementNames) {<a name="line.658"></a> -<FONT color="green">659</FONT> b.add(HtmlLexer.canonicalName(elementName));<a name="line.659"></a> -<FONT color="green">660</FONT> }<a name="line.660"></a> -<FONT color="green">661</FONT> return HtmlPolicyBuilder.this.allowAttributesOnElements(<a name="line.661"></a> -<FONT color="green">662</FONT> policy, attributeNames, b.build());<a name="line.662"></a> -<FONT color="green">663</FONT> }<a name="line.663"></a> -<FONT color="green">664</FONT> }<a name="line.664"></a> -<FONT color="green">665</FONT> }<a name="line.665"></a> +<FONT color="green">506</FONT> Set<String> toGuard = Sets.newLinkedHashSet(URL_ATTRIBUTE_NAMES);<a name="line.506"></a> +<FONT color="green">507</FONT> for (String urlAttributeName : URL_ATTRIBUTE_NAMES) {<a name="line.507"></a> +<FONT color="green">508</FONT> if (globalAttrPolicies.containsKey(urlAttributeName)) {<a name="line.508"></a> +<FONT color="green">509</FONT> toGuard.remove(urlAttributeName);<a name="line.509"></a> +<FONT color="green">510</FONT> globalAttrPolicies.put(urlAttributeName, AttributePolicy.Util.join(<a name="line.510"></a> +<FONT color="green">511</FONT> urlAttributePolicy, globalAttrPolicies.get(urlAttributeName)));<a name="line.511"></a> +<FONT color="green">512</FONT> }<a name="line.512"></a> +<FONT color="green">513</FONT> }<a name="line.513"></a> +<FONT color="green">514</FONT> // Implement guards not implemented on global policies in the per-element<a name="line.514"></a> +<FONT color="green">515</FONT> // policy maps.<a name="line.515"></a> +<FONT color="green">516</FONT> for (Map.Entry<String, Map<String, AttributePolicy>> e<a name="line.516"></a> +<FONT color="green">517</FONT> : attrPolicies.entrySet()) {<a name="line.517"></a> +<FONT color="green">518</FONT> Map<String, AttributePolicy> policies = e.getValue();<a name="line.518"></a> +<FONT color="green">519</FONT> for (String urlAttributeName : toGuard) {<a name="line.519"></a> +<FONT color="green">520</FONT> if (policies.containsKey(urlAttributeName)) {<a name="line.520"></a> +<FONT color="green">521</FONT> policies.put(urlAttributeName, AttributePolicy.Util.join(<a name="line.521"></a> +<FONT color="green">522</FONT> urlAttributePolicy, policies.get(urlAttributeName)));<a name="line.522"></a> +<FONT color="green">523</FONT> }<a name="line.523"></a> +<FONT color="green">524</FONT> }<a name="line.524"></a> +<FONT color="green">525</FONT> }<a name="line.525"></a> +<FONT color="green">526</FONT> }<a name="line.526"></a> +<FONT color="green">527</FONT> <a name="line.527"></a> +<FONT color="green">528</FONT> ImmutableMap.Builder<String, ElementAndAttributePolicies> policiesBuilder<a name="line.528"></a> +<FONT color="green">529</FONT> = ImmutableMap.builder();<a name="line.529"></a> +<FONT color="green">530</FONT> for (Map.Entry<String, ElementPolicy> e : elPolicies.entrySet()) {<a name="line.530"></a> +<FONT color="green">531</FONT> String elementName = e.getKey();<a name="line.531"></a> +<FONT color="green">532</FONT> ElementPolicy elPolicy = e.getValue();<a name="line.532"></a> +<FONT color="green">533</FONT> if (ElementPolicy.REJECT_ALL_ELEMENT_POLICY.equals(elPolicy)) {<a name="line.533"></a> +<FONT color="green">534</FONT> continue;<a name="line.534"></a> +<FONT color="green">535</FONT> }<a name="line.535"></a> +<FONT color="green">536</FONT> <a name="line.536"></a> +<FONT color="green">537</FONT> Map<String, AttributePolicy> elAttrPolicies<a name="line.537"></a> +<FONT color="green">538</FONT> = attrPolicies.get(elementName);<a name="line.538"></a> +<FONT color="green">539</FONT> if (elAttrPolicies == null) { elAttrPolicies = ImmutableMap.of(); }<a name="line.539"></a> +<FONT color="green">540</FONT> ImmutableMap.Builder<String, AttributePolicy> attrs<a name="line.540"></a> +<FONT color="green">541</FONT> = ImmutableMap.builder();<a name="line.541"></a> +<FONT color="green">542</FONT> for (Map.Entry<String, AttributePolicy> ape : elAttrPolicies.entrySet()) {<a name="line.542"></a> +<FONT color="green">543</FONT> String attributeName = ape.getKey();<a name="line.543"></a> +<FONT color="green">544</FONT> if (globalAttrPolicies.containsKey(attributeName)) { continue; }<a name="line.544"></a> +<FONT color="green">545</FONT> AttributePolicy policy = ape.getValue();<a name="line.545"></a> +<FONT color="green">546</FONT> if (!AttributePolicy.REJECT_ALL_ATTRIBUTE_POLICY.equals(policy)) {<a name="line.546"></a> +<FONT color="green">547</FONT> attrs.put(attributeName, policy);<a name="line.547"></a> +<FONT color="green">548</FONT> }<a name="line.548"></a> +<FONT color="green">549</FONT> }<a name="line.549"></a> +<FONT color="green">550</FONT> for (Map.Entry<String, AttributePolicy> ape<a name="line.550"></a> +<FONT color="green">551</FONT> : globalAttrPolicies.entrySet()) {<a name="line.551"></a> +<FONT color="green">552</FONT> String attributeName = ape.getKey();<a name="line.552"></a> +<FONT color="green">553</FONT> AttributePolicy policy = AttributePolicy.Util.join(<a name="line.553"></a> +<FONT color="green">554</FONT> elAttrPolicies.get(attributeName), ape.getValue());<a name="line.554"></a> +<FONT color="green">555</FONT> if (!AttributePolicy.REJECT_ALL_ATTRIBUTE_POLICY.equals(policy)) {<a name="line.555"></a> +<FONT color="green">556</FONT> attrs.put(attributeName, policy);<a name="line.556"></a> +<FONT color="green">557</FONT> }<a name="line.557"></a> +<FONT color="green">558</FONT> }<a name="line.558"></a> +<FONT color="green">559</FONT> <a name="line.559"></a> +<FONT color="green">560</FONT> policiesBuilder.put(<a name="line.560"></a> +<FONT color="green">561</FONT> elementName,<a name="line.561"></a> +<FONT color="green">562</FONT> new ElementAndAttributePolicies(<a name="line.562"></a> +<FONT color="green">563</FONT> elementName,<a name="line.563"></a> +<FONT color="green">564</FONT> elPolicy, attrs.build(), skipIfEmpty.contains(elementName)));<a name="line.564"></a> +<FONT color="green">565</FONT> }<a name="line.565"></a> +<FONT color="green">566</FONT> return compiledPolicies = policiesBuilder.build();<a name="line.566"></a> +<FONT color="green">567</FONT> }<a name="line.567"></a> +<FONT color="green">568</FONT> <a name="line.568"></a> +<FONT color="green">569</FONT> /**<a name="line.569"></a> +<FONT color="green">570</FONT> * Builds the relationship between attributes, the values that they may have,<a name="line.570"></a> +<FONT color="green">571</FONT> * and the elements on which they may appear.<a name="line.571"></a> +<FONT color="green">572</FONT> *<a name="line.572"></a> +<FONT color="green">573</FONT> * @author Mike Samuel<a name="line.573"></a> +<FONT color="green">574</FONT> */<a name="line.574"></a> +<FONT color="green">575</FONT> public final class AttributeBuilder {<a name="line.575"></a> +<FONT color="green">576</FONT> private final List<String> attributeNames;<a name="line.576"></a> +<FONT color="green">577</FONT> private AttributePolicy policy = AttributePolicy.IDENTITY_ATTRIBUTE_POLICY;<a name="line.577"></a> +<FONT color="green">578</FONT> <a name="line.578"></a> +<FONT color="green">579</FONT> AttributeBuilder(List<? extends String> attributeNames) {<a name="line.579"></a> +<FONT color="green">580</FONT> this.attributeNames = ImmutableList.copyOf(attributeNames);<a name="line.580"></a> +<FONT color="green">581</FONT> }<a name="line.581"></a> +<FONT color="green">582</FONT> <a name="line.582"></a> +<FONT color="green">583</FONT> /**<a name="line.583"></a> +<FONT color="green">584</FONT> * Filters and/or transforms the attribute values<a name="line.584"></a> +<FONT color="green">585</FONT> * allowed by later {@code allow*} calls.<a name="line.585"></a> +<FONT color="green">586</FONT> * Multiple calls to {@code matching} are combined so that the policies<a name="line.586"></a> +<FONT color="green">587</FONT> * receive the value in order, each seeing the value after any<a name="line.587"></a> +<FONT color="green">588</FONT> * transformation by a previous policy.<a name="line.588"></a> +<FONT color="green">589</FONT> */<a name="line.589"></a> +<FONT color="green">590</FONT> public AttributeBuilder matching(AttributePolicy policy) {<a name="line.590"></a> +<FONT color="green">591</FONT> this.policy = AttributePolicy.Util.join(this.policy, policy);<a name="line.591"></a> +<FONT color="green">592</FONT> return this;<a name="line.592"></a> +<FONT color="green">593</FONT> }<a name="line.593"></a> +<FONT color="green">594</FONT> <a name="line.594"></a> +<FONT color="green">595</FONT> /**<a name="line.595"></a> +<FONT color="green">596</FONT> * Restrict the values allowed by later {@code allow*} calls to those<a name="line.596"></a> +<FONT color="green">597</FONT> * matching the pattern.<a name="line.597"></a> +<FONT color="green">598</FONT> * Multiple calls to {@code matching} are combined to restrict to the<a name="line.598"></a> +<FONT color="green">599</FONT> * intersection of possible matched values.<a name="line.599"></a> +<FONT color="green">600</FONT> */<a name="line.600"></a> +<FONT color="green">601</FONT> public AttributeBuilder matching(final Pattern pattern) {<a name="line.601"></a> +<FONT color="green">602</FONT> return matching(new AttributePolicy() {<a name="line.602"></a> +<FONT color="green">603</FONT> public @Nullable String apply(<a name="line.603"></a> +<FONT color="green">604</FONT> String elementName, String attributeName, String value) {<a name="line.604"></a> +<FONT color="green">605</FONT> return pattern.matcher(value).matches() ? value : null;<a name="line.605"></a> +<FONT color="green">606</FONT> }<a name="line.606"></a> +<FONT color="green">607</FONT> });<a name="line.607"></a> +<FONT color="green">608</FONT> }<a name="line.608"></a> +<FONT color="green">609</FONT> <a name="line.609"></a> +<FONT color="green">610</FONT> /**<a name="line.610"></a> +<FONT color="green">611</FONT> * Restrict the values allowed by later {@code allow*} calls to those<a name="line.611"></a> +<FONT color="green">612</FONT> * matching the given predicate.<a name="line.612"></a> +<FONT color="green">613</FONT> * Multiple calls to {@code matching} are combined to restrict to the<a name="line.613"></a> +<FONT color="green">614</FONT> * intersection of possible matched values.<a name="line.614"></a> +<FONT color="green">615</FONT> */<a name="line.615"></a> +<FONT color="green">616</FONT> public AttributeBuilder matching(<a name="line.616"></a> +<FONT color="green">617</FONT> final Predicate<? super String> filter) {<a name="line.617"></a> +<FONT color="green">618</FONT> return matching(new AttributePolicy() {<a name="line.618"></a> +<FONT color="green">619</FONT> public @Nullable String apply(<a name="line.619"></a> +<FONT color="green">620</FONT> String elementName, String attributeName, String value) {<a name="line.620"></a> +<FONT color="green">621</FONT> return filter.apply(value) ? value : null;<a name="line.621"></a> +<FONT color="green">622</FONT> }<a name="line.622"></a> +<FONT color="green">623</FONT> });<a name="line.623"></a> +<FONT color="green">624</FONT> }<a name="line.624"></a> +<FONT color="green">625</FONT> <a name="line.625"></a> +<FONT color="green">626</FONT> /**<a name="line.626"></a> +<FONT color="green">627</FONT> * Restrict the values allowed by later {@code allow*} calls to those<a name="line.627"></a> +<FONT color="green">628</FONT> * supplied.<a name="line.628"></a> +<FONT color="green">629</FONT> * Multiple calls to {@code matching} are combined to restrict to the<a name="line.629"></a> +<FONT color="green">630</FONT> * intersection of possible matched values.<a name="line.630"></a> +<FONT color="green">631</FONT> */<a name="line.631"></a> +<FONT color="green">632</FONT> public AttributeBuilder matching(<a name="line.632"></a> +<FONT color="green">633</FONT> boolean ignoreCase, String... allowedValues) {<a name="line.633"></a> +<FONT color="green">634</FONT> return matching(ignoreCase, ImmutableSet.copyOf(allowedValues));<a name="line.634"></a> +<FONT color="green">635</FONT> }<a name="line.635"></a> +<FONT color="green">636</FONT> <a name="line.636"></a> +<FONT color="green">637</FONT> /**<a name="line.637"></a> +<FONT color="green">638</FONT> * Restrict the values allowed by later {@code allow*} calls to those<a name="line.638"></a> +<FONT color="green">639</FONT> * supplied.<a name="line.639"></a> +<FONT color="green">640</FONT> * Multiple calls to {@code matching} are combined to restrict to the<a name="line.640"></a> +<FONT color="green">641</FONT> * intersection of possible matched values.<a name="line.641"></a> +<FONT color="green">642</FONT> */<a name="line.642"></a> +<FONT color="green">643</FONT> public AttributeBuilder matching(<a name="line.643"></a> +<FONT color="green">644</FONT> final boolean ignoreCase, Set<? extends String> allowedValues) {<a name="line.644"></a> +<FONT color="green">645</FONT> final ImmutableSet<String> allowed = ImmutableSet.copyOf(allowedValues);<a name="line.645"></a> +<FONT color="green">646</FONT> return matching(new AttributePolicy() {<a name="line.646"></a> +<FONT color="green">647</FONT> public @Nullable String apply(<a name="line.647"></a> +<FONT color="green">648</FONT> String elementName, String attributeName, String value) {<a name="line.648"></a> +<FONT color="green">649</FONT> if (ignoreCase) { value = Strings.toLowerCase(value); }<a name="line.649"></a> +<FONT color="green">650</FONT> return allowed.contains(value) ? value : null;<a name="line.650"></a> +<FONT color="green">651</FONT> }<a name="line.651"></a> +<FONT color="green">652</FONT> });<a name="line.652"></a> +<FONT color="green">653</FONT> }<a name="line.653"></a> +<FONT color="green">654</FONT> <a name="line.654"></a> +<FONT color="green">655</FONT> /**<a name="line.655"></a> +<FONT color="green">656</FONT> * Allows the given attributes on any elements but filters the<a name="line.656"></a> +<FONT color="green">657</FONT> * attributes' values based on previous calls to {@code matching(...)}.<a name="line.657"></a> +<FONT color="green">658</FONT> * Global attribute policies are applied after element specific policies.<a name="line.658"></a> +<FONT color="green">659</FONT> * Be careful of using this with attributes like <code>type</code> which<a name="line.659"></a> +<FONT color="green">660</FONT> * have different meanings on different attributes.<a name="line.660"></a> +<FONT color="green">661</FONT> * Also be careful of allowing globally attributes like <code>href</code><a name="line.661"></a> +<FONT color="green">662</FONT> * which can have more far-reaching effects on tags like<a name="line.662"></a> +<FONT color="green">663</FONT> * <code>&lt;base&gt;</code> and <code>&lt;link&gt;</code> than on<a name="line.663"></a> +<FONT color="green">664</FONT> * <code>&lt;a&gt;</code> because in the former, they have an effect without<a name="line.664"></a> +<FONT color="green">665</FONT> * user interaction and can change the behavior of the current page.<a name="line.665"></a> +<FONT color="green">666</FONT> */<a name="line.666"></a> +<FONT color="green">667</FONT> public HtmlPolicyBuilder globally() {<a name="line.667"></a> +<FONT color="green">668</FONT> return HtmlPolicyBuilder.this.allowAttributesGlobally(<a name="line.668"></a> +<FONT color="green">669</FONT> policy, attributeNames);<a name="line.669"></a> +<FONT color="green">670</FONT> }<a name="line.670"></a> +<FONT color="green">671</FONT> <a name="line.671"></a> +<FONT color="green">672</FONT> /**<a name="line.672"></a> +<FONT color="green">673</FONT> * Allows the named attributes on the given elements but filters the<a name="line.673"></a> +<FONT color="green">674</FONT> * attributes' values based on previous calls to {@code matching(...)}.<a name="line.674"></a> +<FONT color="green">675</FONT> */<a name="line.675"></a> +<FONT color="green">676</FONT> public HtmlPolicyBuilder onElements(String... elementNames) {<a name="line.676"></a> +<FONT color="green">677</FONT> ImmutableList.Builder<String> b = ImmutableList.builder();<a name="line.677"></a> +<FONT color="green">678</FONT> for (String elementName : elementNames) {<a name="line.678"></a> +<FONT color="green">679</FONT> b.add(HtmlLexer.canonicalName(elementName));<a name="line.679"></a> +<FONT color="green">680</FONT> }<a name="line.680"></a> +<FONT color="green">681</FONT> return HtmlPolicyBuilder.this.allowAttributesOnElements(<a name="line.681"></a> +<FONT color="green">682</FONT> policy, attributeNames, b.build());<a name="line.682"></a> +<FONT color="green">683</FONT> }<a name="line.683"></a> +<FONT color="green">684</FONT> }<a name="line.684"></a> +<FONT color="green">685</FONT> }<a name="line.685"></a> diff --git a/distrib/javadoc/src-html/org/owasp/html/HtmlPolicyBuilder.html b/distrib/javadoc/src-html/org/owasp/html/HtmlPolicyBuilder.html index 81c2bd0..f5792ee 100644 --- a/distrib/javadoc/src-html/org/owasp/html/HtmlPolicyBuilder.html +++ b/distrib/javadoc/src-html/org/owasp/html/HtmlPolicyBuilder.html @@ -54,7 +54,7 @@ <FONT color="green">051</FONT> * <p><a name="line.51"></a> <FONT color="green">052</FONT> * To create a policy, first construct an instance of this class; then call<a name="line.52"></a> <FONT color="green">053</FONT> * <code>allow&hellip;</code> methods to turn on tags, attributes, and other<a name="line.53"></a> -<FONT color="green">054</FONT> * processing modes; and finally call <code>build()</code> or<a name="line.54"></a> +<FONT color="green">054</FONT> * processing modes; and finally call <code>build(renderer)</code> or<a name="line.54"></a> <FONT color="green">055</FONT> * <code>toFactory()</code>.<a name="line.55"></a> <FONT color="green">056</FONT> * </p><a name="line.56"></a> <FONT color="green">057</FONT> * <pre class="prettyprint lang-java"><a name="line.57"></a> @@ -415,257 +415,277 @@ <FONT color="green">412</FONT> }<a name="line.412"></a> <FONT color="green">413</FONT> <a name="line.413"></a> <FONT color="green">414</FONT> /**<a name="line.414"></a> -<FONT color="green">415</FONT> * Like {@link #build} but can be reused to create many different policies<a name="line.415"></a> -<FONT color="green">416</FONT> * each backed by a different output channel.<a name="line.416"></a> -<FONT color="green">417</FONT> */<a name="line.417"></a> -<FONT color="green">418</FONT> public PolicyFactory toFactory() {<a name="line.418"></a> -<FONT color="green">419</FONT> return new PolicyFactory(compilePolicies(), allowStyling);<a name="line.419"></a> -<FONT color="green">420</FONT> }<a name="line.420"></a> -<FONT color="green">421</FONT> <a name="line.421"></a> -<FONT color="green">422</FONT> // Speed up subsequent builds by caching the compiled policies.<a name="line.422"></a> -<FONT color="green">423</FONT> private transient ImmutableMap<String, ElementAndAttributePolicies><a name="line.423"></a> -<FONT color="green">424</FONT> compiledPolicies;<a name="line.424"></a> -<FONT color="green">425</FONT> <a name="line.425"></a> -<FONT color="green">426</FONT> /** Called by mutators to signal that any compiled policy is out-of-date. */<a name="line.426"></a> -<FONT color="green">427</FONT> private void invalidateCompiledState() {<a name="line.427"></a> -<FONT color="green">428</FONT> compiledPolicies = null;<a name="line.428"></a> -<FONT color="green">429</FONT> }<a name="line.429"></a> -<FONT color="green">430</FONT> <a name="line.430"></a> -<FONT color="green">431</FONT> private ImmutableMap<String, ElementAndAttributePolicies> compilePolicies() {<a name="line.431"></a> -<FONT color="green">432</FONT> if (compiledPolicies != null) { return compiledPolicies; }<a name="line.432"></a> +<FONT color="green">415</FONT> * Produces a policy based on the allow and disallow calls previously made.<a name="line.415"></a> +<FONT color="green">416</FONT> *<a name="line.416"></a> +<FONT color="green">417</FONT> * @param out receives calls to open only tags allowed by<a name="line.417"></a> +<FONT color="green">418</FONT> * previous calls to this object.<a name="line.418"></a> +<FONT color="green">419</FONT> * Typically a {@link HtmlStreamRenderer}.<a name="line.419"></a> +<FONT color="green">420</FONT> * @param listener is notified of dropped tags and attributes so that<a name="line.420"></a> +<FONT color="green">421</FONT> * intrusion detection systems can be alerted to questionable HTML.<a name="line.421"></a> +<FONT color="green">422</FONT> * If {@code null} then no notifications are sent.<a name="line.422"></a> +<FONT color="green">423</FONT> * @param context if {@code (listener != null)} then the context value passed<a name="line.423"></a> +<FONT color="green">424</FONT> * with alerts. This can be used to let the listener know from which<a name="line.424"></a> +<FONT color="green">425</FONT> * connection or request the questionable HTML was received.<a name="line.425"></a> +<FONT color="green">426</FONT> */<a name="line.426"></a> +<FONT color="green">427</FONT> public <CTX> HtmlSanitizer.Policy build(<a name="line.427"></a> +<FONT color="green">428</FONT> HtmlStreamEventReceiver out,<a name="line.428"></a> +<FONT color="green">429</FONT> @Nullable HtmlChangeListener<? super CTX> listener,<a name="line.429"></a> +<FONT color="green">430</FONT> @Nullable CTX context) {<a name="line.430"></a> +<FONT color="green">431</FONT> return toFactory().apply(out, listener, context);<a name="line.431"></a> +<FONT color="green">432</FONT> }<a name="line.432"></a> <FONT color="green">433</FONT> <a name="line.433"></a> -<FONT color="green">434</FONT> // Copy maps before normalizing in case builder is reused.<a name="line.434"></a> -<FONT color="green">435</FONT> Map<String, ElementPolicy> elPolicies<a name="line.435"></a> -<FONT color="green">436</FONT> = Maps.newLinkedHashMap(this.elPolicies);<a name="line.436"></a> -<FONT color="green">437</FONT> Map<String, Map<String, AttributePolicy>> attrPolicies<a name="line.437"></a> -<FONT color="green">438</FONT> = Maps.newLinkedHashMap(this.attrPolicies);<a name="line.438"></a> -<FONT color="green">439</FONT> for (Map.Entry<String, Map<String, AttributePolicy>> e :<a name="line.439"></a> -<FONT color="green">440</FONT> attrPolicies.entrySet()) {<a name="line.440"></a> -<FONT color="green">441</FONT> e.setValue(Maps.newLinkedHashMap(e.getValue()));<a name="line.441"></a> -<FONT color="green">442</FONT> }<a name="line.442"></a> -<FONT color="green">443</FONT> Map<String, AttributePolicy> globalAttrPolicies<a name="line.443"></a> -<FONT color="green">444</FONT> = Maps.newLinkedHashMap(this.globalAttrPolicies);<a name="line.444"></a> -<FONT color="green">445</FONT> Set<String> allowedProtocols = ImmutableSet.copyOf(this.allowedProtocols);<a name="line.445"></a> -<FONT color="green">446</FONT> <a name="line.446"></a> -<FONT color="green">447</FONT> // Implement requireRelNofollowOnLinks<a name="line.447"></a> -<FONT color="green">448</FONT> if (requireRelNofollowOnLinks) {<a name="line.448"></a> -<FONT color="green">449</FONT> elPolicies.put(<a name="line.449"></a> -<FONT color="green">450</FONT> "a",<a name="line.450"></a> -<FONT color="green">451</FONT> ElementPolicy.Util.join(<a name="line.451"></a> -<FONT color="green">452</FONT> elPolicies.get("a"),<a name="line.452"></a> -<FONT color="green">453</FONT> new ElementPolicy() {<a name="line.453"></a> -<FONT color="green">454</FONT> public String apply(String elementName, List<String> attrs) {<a name="line.454"></a> -<FONT color="green">455</FONT> for (int i = 0, n = attrs.size(); i < n; i += 2) {<a name="line.455"></a> -<FONT color="green">456</FONT> if ("href".equals(attrs.get(i))) {<a name="line.456"></a> -<FONT color="green">457</FONT> attrs.add("rel");<a name="line.457"></a> -<FONT color="green">458</FONT> attrs.add("nofollow");<a name="line.458"></a> -<FONT color="green">459</FONT> break;<a name="line.459"></a> -<FONT color="green">460</FONT> }<a name="line.460"></a> -<FONT color="green">461</FONT> }<a name="line.461"></a> -<FONT color="green">462</FONT> return elementName;<a name="line.462"></a> -<FONT color="green">463</FONT> }<a name="line.463"></a> -<FONT color="green">464</FONT> }));<a name="line.464"></a> -<FONT color="green">465</FONT> }<a name="line.465"></a> +<FONT color="green">434</FONT> /**<a name="line.434"></a> +<FONT color="green">435</FONT> * Like {@link #build} but can be reused to create many different policies<a name="line.435"></a> +<FONT color="green">436</FONT> * each backed by a different output channel.<a name="line.436"></a> +<FONT color="green">437</FONT> */<a name="line.437"></a> +<FONT color="green">438</FONT> public PolicyFactory toFactory() {<a name="line.438"></a> +<FONT color="green">439</FONT> return new PolicyFactory(compilePolicies(), allowStyling);<a name="line.439"></a> +<FONT color="green">440</FONT> }<a name="line.440"></a> +<FONT color="green">441</FONT> <a name="line.441"></a> +<FONT color="green">442</FONT> // Speed up subsequent builds by caching the compiled policies.<a name="line.442"></a> +<FONT color="green">443</FONT> private transient ImmutableMap<String, ElementAndAttributePolicies><a name="line.443"></a> +<FONT color="green">444</FONT> compiledPolicies;<a name="line.444"></a> +<FONT color="green">445</FONT> <a name="line.445"></a> +<FONT color="green">446</FONT> /** Called by mutators to signal that any compiled policy is out-of-date. */<a name="line.446"></a> +<FONT color="green">447</FONT> private void invalidateCompiledState() {<a name="line.447"></a> +<FONT color="green">448</FONT> compiledPolicies = null;<a name="line.448"></a> +<FONT color="green">449</FONT> }<a name="line.449"></a> +<FONT color="green">450</FONT> <a name="line.450"></a> +<FONT color="green">451</FONT> private ImmutableMap<String, ElementAndAttributePolicies> compilePolicies() {<a name="line.451"></a> +<FONT color="green">452</FONT> if (compiledPolicies != null) { return compiledPolicies; }<a name="line.452"></a> +<FONT color="green">453</FONT> <a name="line.453"></a> +<FONT color="green">454</FONT> // Copy maps before normalizing in case builder is reused.<a name="line.454"></a> +<FONT color="green">455</FONT> Map<String, ElementPolicy> elPolicies<a name="line.455"></a> +<FONT color="green">456</FONT> = Maps.newLinkedHashMap(this.elPolicies);<a name="line.456"></a> +<FONT color="green">457</FONT> Map<String, Map<String, AttributePolicy>> attrPolicies<a name="line.457"></a> +<FONT color="green">458</FONT> = Maps.newLinkedHashMap(this.attrPolicies);<a name="line.458"></a> +<FONT color="green">459</FONT> for (Map.Entry<String, Map<String, AttributePolicy>> e :<a name="line.459"></a> +<FONT color="green">460</FONT> attrPolicies.entrySet()) {<a name="line.460"></a> +<FONT color="green">461</FONT> e.setValue(Maps.newLinkedHashMap(e.getValue()));<a name="line.461"></a> +<FONT color="green">462</FONT> }<a name="line.462"></a> +<FONT color="green">463</FONT> Map<String, AttributePolicy> globalAttrPolicies<a name="line.463"></a> +<FONT color="green">464</FONT> = Maps.newLinkedHashMap(this.globalAttrPolicies);<a name="line.464"></a> +<FONT color="green">465</FONT> Set<String> allowedProtocols = ImmutableSet.copyOf(this.allowedProtocols);<a name="line.465"></a> <FONT color="green">466</FONT> <a name="line.466"></a> -<FONT color="green">467</FONT> // Implement protocol policies.<a name="line.467"></a> -<FONT color="green">468</FONT> // For each URL attribute that is allowed, we further constrain it by<a name="line.468"></a> -<FONT color="green">469</FONT> // only allowing the value through if it specifies no protocol, or if it<a name="line.469"></a> -<FONT color="green">470</FONT> // specifies one in the allowedProtocols white-list.<a name="line.470"></a> -<FONT color="green">471</FONT> // This is done regardless of whether any protocols have been allowed, so<a name="line.471"></a> -<FONT color="green">472</FONT> // allowing the attribute "href" globally with the identity policy but<a name="line.472"></a> -<FONT color="green">473</FONT> // not white-listing any protocols, effectively disallows the "href"<a name="line.473"></a> -<FONT color="green">474</FONT> // attribute globally.<a name="line.474"></a> -<FONT color="green">475</FONT> {<a name="line.475"></a> -<FONT color="green">476</FONT> AttributePolicy urlAttributePolicy;<a name="line.476"></a> -<FONT color="green">477</FONT> if (allowedProtocols.size() == 3<a name="line.477"></a> -<FONT color="green">478</FONT> && allowedProtocols.contains("mailto")<a name="line.478"></a> -<FONT color="green">479</FONT> && allowedProtocols.contains("http")<a name="line.479"></a> -<FONT color="green">480</FONT> && allowedProtocols.contains("https")) {<a name="line.480"></a> -<FONT color="green">481</FONT> urlAttributePolicy = StandardUrlAttributePolicy.INSTANCE;<a name="line.481"></a> -<FONT color="green">482</FONT> } else {<a name="line.482"></a> -<FONT color="green">483</FONT> urlAttributePolicy = new FilterUrlByProtocolAttributePolicy(<a name="line.483"></a> -<FONT color="green">484</FONT> allowedProtocols);<a name="line.484"></a> -<FONT color="green">485</FONT> }<a name="line.485"></a> -<FONT color="green">486</FONT> Set<String> toGuard = Sets.newLinkedHashSet(URL_ATTRIBUTE_NAMES);<a name="line.486"></a> -<FONT color="green">487</FONT> for (String urlAttributeName : URL_ATTRIBUTE_NAMES) {<a name="line.487"></a> -<FONT color="green">488</FONT> if (globalAttrPolicies.containsKey(urlAttributeName)) {<a name="line.488"></a> -<FONT color="green">489</FONT> toGuard.remove(urlAttributeName);<a name="line.489"></a> -<FONT color="green">490</FONT> globalAttrPolicies.put(urlAttributeName, AttributePolicy.Util.join(<a name="line.490"></a> -<FONT color="green">491</FONT> urlAttributePolicy, globalAttrPolicies.get(urlAttributeName)));<a name="line.491"></a> -<FONT color="green">492</FONT> }<a name="line.492"></a> -<FONT color="green">493</FONT> }<a name="line.493"></a> -<FONT color="green">494</FONT> // Implement guards not implemented on global policies in the per-element<a name="line.494"></a> -<FONT color="green">495</FONT> // policy maps.<a name="line.495"></a> -<FONT color="green">496</FONT> for (Map.Entry<String, Map<String, AttributePolicy>> e<a name="line.496"></a> -<FONT color="green">497</FONT> : attrPolicies.entrySet()) {<a name="line.497"></a> -<FONT color="green">498</FONT> Map<String, AttributePolicy> policies = e.getValue();<a name="line.498"></a> -<FONT color="green">499</FONT> for (String urlAttributeName : toGuard) {<a name="line.499"></a> -<FONT color="green">500</FONT> if (policies.containsKey(urlAttributeName)) {<a name="line.500"></a> -<FONT color="green">501</FONT> policies.put(urlAttributeName, AttributePolicy.Util.join(<a name="line.501"></a> -<FONT color="green">502</FONT> urlAttributePolicy, policies.get(urlAttributeName)));<a name="line.502"></a> -<FONT color="green">503</FONT> }<a name="line.503"></a> -<FONT color="green">504</FONT> }<a name="line.504"></a> +<FONT color="green">467</FONT> // Implement requireRelNofollowOnLinks<a name="line.467"></a> +<FONT color="green">468</FONT> if (requireRelNofollowOnLinks) {<a name="line.468"></a> +<FONT color="green">469</FONT> elPolicies.put(<a name="line.469"></a> +<FONT color="green">470</FONT> "a",<a name="line.470"></a> +<FONT color="green">471</FONT> ElementPolicy.Util.join(<a name="line.471"></a> +<FONT color="green">472</FONT> elPolicies.get("a"),<a name="line.472"></a> +<FONT color="green">473</FONT> new ElementPolicy() {<a name="line.473"></a> +<FONT color="green">474</FONT> public String apply(String elementName, List<String> attrs) {<a name="line.474"></a> +<FONT color="green">475</FONT> for (int i = 0, n = attrs.size(); i < n; i += 2) {<a name="line.475"></a> +<FONT color="green">476</FONT> if ("href".equals(attrs.get(i))) {<a name="line.476"></a> +<FONT color="green">477</FONT> attrs.add("rel");<a name="line.477"></a> +<FONT color="green">478</FONT> attrs.add("nofollow");<a name="line.478"></a> +<FONT color="green">479</FONT> break;<a name="line.479"></a> +<FONT color="green">480</FONT> }<a name="line.480"></a> +<FONT color="green">481</FONT> }<a name="line.481"></a> +<FONT color="green">482</FONT> return elementName;<a name="line.482"></a> +<FONT color="green">483</FONT> }<a name="line.483"></a> +<FONT color="green">484</FONT> }));<a name="line.484"></a> +<FONT color="green">485</FONT> }<a name="line.485"></a> +<FONT color="green">486</FONT> <a name="line.486"></a> +<FONT color="green">487</FONT> // Implement protocol policies.<a name="line.487"></a> +<FONT color="green">488</FONT> // For each URL attribute that is allowed, we further constrain it by<a name="line.488"></a> +<FONT color="green">489</FONT> // only allowing the value through if it specifies no protocol, or if it<a name="line.489"></a> +<FONT color="green">490</FONT> // specifies one in the allowedProtocols white-list.<a name="line.490"></a> +<FONT color="green">491</FONT> // This is done regardless of whether any protocols have been allowed, so<a name="line.491"></a> +<FONT color="green">492</FONT> // allowing the attribute "href" globally with the identity policy but<a name="line.492"></a> +<FONT color="green">493</FONT> // not white-listing any protocols, effectively disallows the "href"<a name="line.493"></a> +<FONT color="green">494</FONT> // attribute globally.<a name="line.494"></a> +<FONT color="green">495</FONT> {<a name="line.495"></a> +<FONT color="green">496</FONT> AttributePolicy urlAttributePolicy;<a name="line.496"></a> +<FONT color="green">497</FONT> if (allowedProtocols.size() == 3<a name="line.497"></a> +<FONT color="green">498</FONT> && allowedProtocols.contains("mailto")<a name="line.498"></a> +<FONT color="green">499</FONT> && allowedProtocols.contains("http")<a name="line.499"></a> +<FONT color="green">500</FONT> && allowedProtocols.contains("https")) {<a name="line.500"></a> +<FONT color="green">501</FONT> urlAttributePolicy = StandardUrlAttributePolicy.INSTANCE;<a name="line.501"></a> +<FONT color="green">502</FONT> } else {<a name="line.502"></a> +<FONT color="green">503</FONT> urlAttributePolicy = new FilterUrlByProtocolAttributePolicy(<a name="line.503"></a> +<FONT color="green">504</FONT> allowedProtocols);<a name="line.504"></a> <FONT color="green">505</FONT> }<a name="line.505"></a> -<FONT color="green">506</FONT> }<a name="line.506"></a> -<FONT color="green">507</FONT> <a name="line.507"></a> -<FONT color="green">508</FONT> ImmutableMap.Builder<String, ElementAndAttributePolicies> policiesBuilder<a name="line.508"></a> -<FONT color="green">509</FONT> = ImmutableMap.builder();<a name="line.509"></a> -<FONT color="green">510</FONT> for (Map.Entry<String, ElementPolicy> e : elPolicies.entrySet()) {<a name="line.510"></a> -<FONT color="green">511</FONT> String elementName = e.getKey();<a name="line.511"></a> -<FONT color="green">512</FONT> ElementPolicy elPolicy = e.getValue();<a name="line.512"></a> -<FONT color="green">513</FONT> if (ElementPolicy.REJECT_ALL_ELEMENT_POLICY.equals(elPolicy)) {<a name="line.513"></a> -<FONT color="green">514</FONT> continue;<a name="line.514"></a> -<FONT color="green">515</FONT> }<a name="line.515"></a> -<FONT color="green">516</FONT> <a name="line.516"></a> -<FONT color="green">517</FONT> Map<String, AttributePolicy> elAttrPolicies<a name="line.517"></a> -<FONT color="green">518</FONT> = attrPolicies.get(elementName);<a name="line.518"></a> -<FONT color="green">519</FONT> if (elAttrPolicies == null) { elAttrPolicies = ImmutableMap.of(); }<a name="line.519"></a> -<FONT color="green">520</FONT> ImmutableMap.Builder<String, AttributePolicy> attrs<a name="line.520"></a> -<FONT color="green">521</FONT> = ImmutableMap.builder();<a name="line.521"></a> -<FONT color="green">522</FONT> for (Map.Entry<String, AttributePolicy> ape : elAttrPolicies.entrySet()) {<a name="line.522"></a> -<FONT color="green">523</FONT> String attributeName = ape.getKey();<a name="line.523"></a> -<FONT color="green">524</FONT> if (globalAttrPolicies.containsKey(attributeName)) { continue; }<a name="line.524"></a> -<FONT color="green">525</FONT> AttributePolicy policy = ape.getValue();<a name="line.525"></a> -<FONT color="green">526</FONT> if (!AttributePolicy.REJECT_ALL_ATTRIBUTE_POLICY.equals(policy)) {<a name="line.526"></a> -<FONT color="green">527</FONT> attrs.put(attributeName, policy);<a name="line.527"></a> -<FONT color="green">528</FONT> }<a name="line.528"></a> -<FONT color="green">529</FONT> }<a name="line.529"></a> -<FONT color="green">530</FONT> for (Map.Entry<String, AttributePolicy> ape<a name="line.530"></a> -<FONT color="green">531</FONT> : globalAttrPolicies.entrySet()) {<a name="line.531"></a> -<FONT color="green">532</FONT> String attributeName = ape.getKey();<a name="line.532"></a> -<FONT color="green">533</FONT> AttributePolicy policy = AttributePolicy.Util.join(<a name="line.533"></a> -<FONT color="green">534</FONT> elAttrPolicies.get(attributeName), ape.getValue());<a name="line.534"></a> -<FONT color="green">535</FONT> if (!AttributePolicy.REJECT_ALL_ATTRIBUTE_POLICY.equals(policy)) {<a name="line.535"></a> -<FONT color="green">536</FONT> attrs.put(attributeName, policy);<a name="line.536"></a> -<FONT color="green">537</FONT> }<a name="line.537"></a> -<FONT color="green">538</FONT> }<a name="line.538"></a> -<FONT color="green">539</FONT> <a name="line.539"></a> -<FONT color="green">540</FONT> policiesBuilder.put(<a name="line.540"></a> -<FONT color="green">541</FONT> elementName,<a name="line.541"></a> -<FONT color="green">542</FONT> new ElementAndAttributePolicies(<a name="line.542"></a> -<FONT color="green">543</FONT> elementName,<a name="line.543"></a> -<FONT color="green">544</FONT> elPolicy, attrs.build(), skipIfEmpty.contains(elementName)));<a name="line.544"></a> -<FONT color="green">545</FONT> }<a name="line.545"></a> -<FONT color="green">546</FONT> return compiledPolicies = policiesBuilder.build();<a name="line.546"></a> -<FONT color="green">547</FONT> }<a name="line.547"></a> -<FONT color="green">548</FONT> <a name="line.548"></a> -<FONT color="green">549</FONT> /**<a name="line.549"></a> -<FONT color="green">550</FONT> * Builds the relationship between attributes, the values that they may have,<a name="line.550"></a> -<FONT color="green">551</FONT> * and the elements on which they may appear.<a name="line.551"></a> -<FONT color="green">552</FONT> *<a name="line.552"></a> -<FONT color="green">553</FONT> * @author Mike Samuel<a name="line.553"></a> -<FONT color="green">554</FONT> */<a name="line.554"></a> -<FONT color="green">555</FONT> public final class AttributeBuilder {<a name="line.555"></a> -<FONT color="green">556</FONT> private final List<String> attributeNames;<a name="line.556"></a> -<FONT color="green">557</FONT> private AttributePolicy policy = AttributePolicy.IDENTITY_ATTRIBUTE_POLICY;<a name="line.557"></a> -<FONT color="green">558</FONT> <a name="line.558"></a> -<FONT color="green">559</FONT> AttributeBuilder(List<? extends String> attributeNames) {<a name="line.559"></a> -<FONT color="green">560</FONT> this.attributeNames = ImmutableList.copyOf(attributeNames);<a name="line.560"></a> -<FONT color="green">561</FONT> }<a name="line.561"></a> -<FONT color="green">562</FONT> <a name="line.562"></a> -<FONT color="green">563</FONT> /**<a name="line.563"></a> -<FONT color="green">564</FONT> * Filters and/or transforms the attribute values<a name="line.564"></a> -<FONT color="green">565</FONT> * allowed by later {@code allow*} calls.<a name="line.565"></a> -<FONT color="green">566</FONT> * Multiple calls to {@code matching} are combined so that the policies<a name="line.566"></a> -<FONT color="green">567</FONT> * receive the value in order, each seeing the value after any<a name="line.567"></a> -<FONT color="green">568</FONT> * transformation by a previous policy.<a name="line.568"></a> -<FONT color="green">569</FONT> */<a name="line.569"></a> -<FONT color="green">570</FONT> public AttributeBuilder matching(AttributePolicy policy) {<a name="line.570"></a> -<FONT color="green">571</FONT> this.policy = AttributePolicy.Util.join(this.policy, policy);<a name="line.571"></a> -<FONT color="green">572</FONT> return this;<a name="line.572"></a> -<FONT color="green">573</FONT> }<a name="line.573"></a> -<FONT color="green">574</FONT> <a name="line.574"></a> -<FONT color="green">575</FONT> /**<a name="line.575"></a> -<FONT color="green">576</FONT> * Restrict the values allowed by later {@code allow*} calls to those<a name="line.576"></a> -<FONT color="green">577</FONT> * matching the pattern.<a name="line.577"></a> -<FONT color="green">578</FONT> * Multiple calls to {@code matching} are combined to restrict to the<a name="line.578"></a> -<FONT color="green">579</FONT> * intersection of possible matched values.<a name="line.579"></a> -<FONT color="green">580</FONT> */<a name="line.580"></a> -<FONT color="green">581</FONT> public AttributeBuilder matching(final Pattern pattern) {<a name="line.581"></a> -<FONT color="green">582</FONT> return matching(new AttributePolicy() {<a name="line.582"></a> -<FONT color="green">583</FONT> public @Nullable String apply(<a name="line.583"></a> -<FONT color="green">584</FONT> String elementName, String attributeName, String value) {<a name="line.584"></a> -<FONT color="green">585</FONT> return pattern.matcher(value).matches() ? value : null;<a name="line.585"></a> -<FONT color="green">586</FONT> }<a name="line.586"></a> -<FONT color="green">587</FONT> });<a name="line.587"></a> -<FONT color="green">588</FONT> }<a name="line.588"></a> -<FONT color="green">589</FONT> <a name="line.589"></a> -<FONT color="green">590</FONT> /**<a name="line.590"></a> -<FONT color="green">591</FONT> * Restrict the values allowed by later {@code allow*} calls to those<a name="line.591"></a> -<FONT color="green">592</FONT> * matching the given predicate.<a name="line.592"></a> -<FONT color="green">593</FONT> * Multiple calls to {@code matching} are combined to restrict to the<a name="line.593"></a> -<FONT color="green">594</FONT> * intersection of possible matched values.<a name="line.594"></a> -<FONT color="green">595</FONT> */<a name="line.595"></a> -<FONT color="green">596</FONT> public AttributeBuilder matching(<a name="line.596"></a> -<FONT color="green">597</FONT> final Predicate<? super String> filter) {<a name="line.597"></a> -<FONT color="green">598</FONT> return matching(new AttributePolicy() {<a name="line.598"></a> -<FONT color="green">599</FONT> public @Nullable String apply(<a name="line.599"></a> -<FONT color="green">600</FONT> String elementName, String attributeName, String value) {<a name="line.600"></a> -<FONT color="green">601</FONT> return filter.apply(value) ? value : null;<a name="line.601"></a> -<FONT color="green">602</FONT> }<a name="line.602"></a> -<FONT color="green">603</FONT> });<a name="line.603"></a> -<FONT color="green">604</FONT> }<a name="line.604"></a> -<FONT color="green">605</FONT> <a name="line.605"></a> -<FONT color="green">606</FONT> /**<a name="line.606"></a> -<FONT color="green">607</FONT> * Restrict the values allowed by later {@code allow*} calls to those<a name="line.607"></a> -<FONT color="green">608</FONT> * supplied.<a name="line.608"></a> -<FONT color="green">609</FONT> * Multiple calls to {@code matching} are combined to restrict to the<a name="line.609"></a> -<FONT color="green">610</FONT> * intersection of possible matched values.<a name="line.610"></a> -<FONT color="green">611</FONT> */<a name="line.611"></a> -<FONT color="green">612</FONT> public AttributeBuilder matching(<a name="line.612"></a> -<FONT color="green">613</FONT> boolean ignoreCase, String... allowedValues) {<a name="line.613"></a> -<FONT color="green">614</FONT> return matching(ignoreCase, ImmutableSet.copyOf(allowedValues));<a name="line.614"></a> -<FONT color="green">615</FONT> }<a name="line.615"></a> -<FONT color="green">616</FONT> <a name="line.616"></a> -<FONT color="green">617</FONT> /**<a name="line.617"></a> -<FONT color="green">618</FONT> * Restrict the values allowed by later {@code allow*} calls to those<a name="line.618"></a> -<FONT color="green">619</FONT> * supplied.<a name="line.619"></a> -<FONT color="green">620</FONT> * Multiple calls to {@code matching} are combined to restrict to the<a name="line.620"></a> -<FONT color="green">621</FONT> * intersection of possible matched values.<a name="line.621"></a> -<FONT color="green">622</FONT> */<a name="line.622"></a> -<FONT color="green">623</FONT> public AttributeBuilder matching(<a name="line.623"></a> -<FONT color="green">624</FONT> final boolean ignoreCase, Set<? extends String> allowedValues) {<a name="line.624"></a> -<FONT color="green">625</FONT> final ImmutableSet<String> allowed = ImmutableSet.copyOf(allowedValues);<a name="line.625"></a> -<FONT color="green">626</FONT> return matching(new AttributePolicy() {<a name="line.626"></a> -<FONT color="green">627</FONT> public @Nullable String apply(<a name="line.627"></a> -<FONT color="green">628</FONT> String elementName, String attributeName, String value) {<a name="line.628"></a> -<FONT color="green">629</FONT> if (ignoreCase) { value = Strings.toLowerCase(value); }<a name="line.629"></a> -<FONT color="green">630</FONT> return allowed.contains(value) ? value : null;<a name="line.630"></a> -<FONT color="green">631</FONT> }<a name="line.631"></a> -<FONT color="green">632</FONT> });<a name="line.632"></a> -<FONT color="green">633</FONT> }<a name="line.633"></a> -<FONT color="green">634</FONT> <a name="line.634"></a> -<FONT color="green">635</FONT> /**<a name="line.635"></a> -<FONT color="green">636</FONT> * Allows the given attributes on any elements but filters the<a name="line.636"></a> -<FONT color="green">637</FONT> * attributes' values based on previous calls to {@code matching(...)}.<a name="line.637"></a> -<FONT color="green">638</FONT> * Global attribute policies are applied after element specific policies.<a name="line.638"></a> -<FONT color="green">639</FONT> * Be careful of using this with attributes like <code>type</code> which<a name="line.639"></a> -<FONT color="green">640</FONT> * have different meanings on different attributes.<a name="line.640"></a> -<FONT color="green">641</FONT> * Also be careful of allowing globally attributes like <code>href</code><a name="line.641"></a> -<FONT color="green">642</FONT> * which can have more far-reaching effects on tags like<a name="line.642"></a> -<FONT color="green">643</FONT> * <code>&lt;base&gt;</code> and <code>&lt;link&gt;</code> than on<a name="line.643"></a> -<FONT color="green">644</FONT> * <code>&lt;a&gt;</code> because in the former, they have an effect without<a name="line.644"></a> -<FONT color="green">645</FONT> * user interaction and can change the behavior of the current page.<a name="line.645"></a> -<FONT color="green">646</FONT> */<a name="line.646"></a> -<FONT color="green">647</FONT> public HtmlPolicyBuilder globally() {<a name="line.647"></a> -<FONT color="green">648</FONT> return HtmlPolicyBuilder.this.allowAttributesGlobally(<a name="line.648"></a> -<FONT color="green">649</FONT> policy, attributeNames);<a name="line.649"></a> -<FONT color="green">650</FONT> }<a name="line.650"></a> -<FONT color="green">651</FONT> <a name="line.651"></a> -<FONT color="green">652</FONT> /**<a name="line.652"></a> -<FONT color="green">653</FONT> * Allows the named attributes on the given elements but filters the<a name="line.653"></a> -<FONT color="green">654</FONT> * attributes' values based on previous calls to {@code matching(...)}.<a name="line.654"></a> -<FONT color="green">655</FONT> */<a name="line.655"></a> -<FONT color="green">656</FONT> public HtmlPolicyBuilder onElements(String... elementNames) {<a name="line.656"></a> -<FONT color="green">657</FONT> ImmutableList.Builder<String> b = ImmutableList.builder();<a name="line.657"></a> -<FONT color="green">658</FONT> for (String elementName : elementNames) {<a name="line.658"></a> -<FONT color="green">659</FONT> b.add(HtmlLexer.canonicalName(elementName));<a name="line.659"></a> -<FONT color="green">660</FONT> }<a name="line.660"></a> -<FONT color="green">661</FONT> return HtmlPolicyBuilder.this.allowAttributesOnElements(<a name="line.661"></a> -<FONT color="green">662</FONT> policy, attributeNames, b.build());<a name="line.662"></a> -<FONT color="green">663</FONT> }<a name="line.663"></a> -<FONT color="green">664</FONT> }<a name="line.664"></a> -<FONT color="green">665</FONT> }<a name="line.665"></a> +<FONT color="green">506</FONT> Set<String> toGuard = Sets.newLinkedHashSet(URL_ATTRIBUTE_NAMES);<a name="line.506"></a> +<FONT color="green">507</FONT> for (String urlAttributeName : URL_ATTRIBUTE_NAMES) {<a name="line.507"></a> +<FONT color="green">508</FONT> if (globalAttrPolicies.containsKey(urlAttributeName)) {<a name="line.508"></a> +<FONT color="green">509</FONT> toGuard.remove(urlAttributeName);<a name="line.509"></a> +<FONT color="green">510</FONT> globalAttrPolicies.put(urlAttributeName, AttributePolicy.Util.join(<a name="line.510"></a> +<FONT color="green">511</FONT> urlAttributePolicy, globalAttrPolicies.get(urlAttributeName)));<a name="line.511"></a> +<FONT color="green">512</FONT> }<a name="line.512"></a> +<FONT color="green">513</FONT> }<a name="line.513"></a> +<FONT color="green">514</FONT> // Implement guards not implemented on global policies in the per-element<a name="line.514"></a> +<FONT color="green">515</FONT> // policy maps.<a name="line.515"></a> +<FONT color="green">516</FONT> for (Map.Entry<String, Map<String, AttributePolicy>> e<a name="line.516"></a> +<FONT color="green">517</FONT> : attrPolicies.entrySet()) {<a name="line.517"></a> +<FONT color="green">518</FONT> Map<String, AttributePolicy> policies = e.getValue();<a name="line.518"></a> +<FONT color="green">519</FONT> for (String urlAttributeName : toGuard) {<a name="line.519"></a> +<FONT color="green">520</FONT> if (policies.containsKey(urlAttributeName)) {<a name="line.520"></a> +<FONT color="green">521</FONT> policies.put(urlAttributeName, AttributePolicy.Util.join(<a name="line.521"></a> +<FONT color="green">522</FONT> urlAttributePolicy, policies.get(urlAttributeName)));<a name="line.522"></a> +<FONT color="green">523</FONT> }<a name="line.523"></a> +<FONT color="green">524</FONT> }<a name="line.524"></a> +<FONT color="green">525</FONT> }<a name="line.525"></a> +<FONT color="green">526</FONT> }<a name="line.526"></a> +<FONT color="green">527</FONT> <a name="line.527"></a> +<FONT color="green">528</FONT> ImmutableMap.Builder<String, ElementAndAttributePolicies> policiesBuilder<a name="line.528"></a> +<FONT color="green">529</FONT> = ImmutableMap.builder();<a name="line.529"></a> +<FONT color="green">530</FONT> for (Map.Entry<String, ElementPolicy> e : elPolicies.entrySet()) {<a name="line.530"></a> +<FONT color="green">531</FONT> String elementName = e.getKey();<a name="line.531"></a> +<FONT color="green">532</FONT> ElementPolicy elPolicy = e.getValue();<a name="line.532"></a> +<FONT color="green">533</FONT> if (ElementPolicy.REJECT_ALL_ELEMENT_POLICY.equals(elPolicy)) {<a name="line.533"></a> +<FONT color="green">534</FONT> continue;<a name="line.534"></a> +<FONT color="green">535</FONT> }<a name="line.535"></a> +<FONT color="green">536</FONT> <a name="line.536"></a> +<FONT color="green">537</FONT> Map<String, AttributePolicy> elAttrPolicies<a name="line.537"></a> +<FONT color="green">538</FONT> = attrPolicies.get(elementName);<a name="line.538"></a> +<FONT color="green">539</FONT> if (elAttrPolicies == null) { elAttrPolicies = ImmutableMap.of(); }<a name="line.539"></a> +<FONT color="green">540</FONT> ImmutableMap.Builder<String, AttributePolicy> attrs<a name="line.540"></a> +<FONT color="green">541</FONT> = ImmutableMap.builder();<a name="line.541"></a> +<FONT color="green">542</FONT> for (Map.Entry<String, AttributePolicy> ape : elAttrPolicies.entrySet()) {<a name="line.542"></a> +<FONT color="green">543</FONT> String attributeName = ape.getKey();<a name="line.543"></a> +<FONT color="green">544</FONT> if (globalAttrPolicies.containsKey(attributeName)) { continue; }<a name="line.544"></a> +<FONT color="green">545</FONT> AttributePolicy policy = ape.getValue();<a name="line.545"></a> +<FONT color="green">546</FONT> if (!AttributePolicy.REJECT_ALL_ATTRIBUTE_POLICY.equals(policy)) {<a name="line.546"></a> +<FONT color="green">547</FONT> attrs.put(attributeName, policy);<a name="line.547"></a> +<FONT color="green">548</FONT> }<a name="line.548"></a> +<FONT color="green">549</FONT> }<a name="line.549"></a> +<FONT color="green">550</FONT> for (Map.Entry<String, AttributePolicy> ape<a name="line.550"></a> +<FONT color="green">551</FONT> : globalAttrPolicies.entrySet()) {<a name="line.551"></a> +<FONT color="green">552</FONT> String attributeName = ape.getKey();<a name="line.552"></a> +<FONT color="green">553</FONT> AttributePolicy policy = AttributePolicy.Util.join(<a name="line.553"></a> +<FONT color="green">554</FONT> elAttrPolicies.get(attributeName), ape.getValue());<a name="line.554"></a> +<FONT color="green">555</FONT> if (!AttributePolicy.REJECT_ALL_ATTRIBUTE_POLICY.equals(policy)) {<a name="line.555"></a> +<FONT color="green">556</FONT> attrs.put(attributeName, policy);<a name="line.556"></a> +<FONT color="green">557</FONT> }<a name="line.557"></a> +<FONT color="green">558</FONT> }<a name="line.558"></a> +<FONT color="green">559</FONT> <a name="line.559"></a> +<FONT color="green">560</FONT> policiesBuilder.put(<a name="line.560"></a> +<FONT color="green">561</FONT> elementName,<a name="line.561"></a> +<FONT color="green">562</FONT> new ElementAndAttributePolicies(<a name="line.562"></a> +<FONT color="green">563</FONT> elementName,<a name="line.563"></a> +<FONT color="green">564</FONT> elPolicy, attrs.build(), skipIfEmpty.contains(elementName)));<a name="line.564"></a> +<FONT color="green">565</FONT> }<a name="line.565"></a> +<FONT color="green">566</FONT> return compiledPolicies = policiesBuilder.build();<a name="line.566"></a> +<FONT color="green">567</FONT> }<a name="line.567"></a> +<FONT color="green">568</FONT> <a name="line.568"></a> +<FONT color="green">569</FONT> /**<a name="line.569"></a> +<FONT color="green">570</FONT> * Builds the relationship between attributes, the values that they may have,<a name="line.570"></a> +<FONT color="green">571</FONT> * and the elements on which they may appear.<a name="line.571"></a> +<FONT color="green">572</FONT> *<a name="line.572"></a> +<FONT color="green">573</FONT> * @author Mike Samuel<a name="line.573"></a> +<FONT color="green">574</FONT> */<a name="line.574"></a> +<FONT color="green">575</FONT> public final class AttributeBuilder {<a name="line.575"></a> +<FONT color="green">576</FONT> private final List<String> attributeNames;<a name="line.576"></a> +<FONT color="green">577</FONT> private AttributePolicy policy = AttributePolicy.IDENTITY_ATTRIBUTE_POLICY;<a name="line.577"></a> +<FONT color="green">578</FONT> <a name="line.578"></a> +<FONT color="green">579</FONT> AttributeBuilder(List<? extends String> attributeNames) {<a name="line.579"></a> +<FONT color="green">580</FONT> this.attributeNames = ImmutableList.copyOf(attributeNames);<a name="line.580"></a> +<FONT color="green">581</FONT> }<a name="line.581"></a> +<FONT color="green">582</FONT> <a name="line.582"></a> +<FONT color="green">583</FONT> /**<a name="line.583"></a> +<FONT color="green">584</FONT> * Filters and/or transforms the attribute values<a name="line.584"></a> +<FONT color="green">585</FONT> * allowed by later {@code allow*} calls.<a name="line.585"></a> +<FONT color="green">586</FONT> * Multiple calls to {@code matching} are combined so that the policies<a name="line.586"></a> +<FONT color="green">587</FONT> * receive the value in order, each seeing the value after any<a name="line.587"></a> +<FONT color="green">588</FONT> * transformation by a previous policy.<a name="line.588"></a> +<FONT color="green">589</FONT> */<a name="line.589"></a> +<FONT color="green">590</FONT> public AttributeBuilder matching(AttributePolicy policy) {<a name="line.590"></a> +<FONT color="green">591</FONT> this.policy = AttributePolicy.Util.join(this.policy, policy);<a name="line.591"></a> +<FONT color="green">592</FONT> return this;<a name="line.592"></a> +<FONT color="green">593</FONT> }<a name="line.593"></a> +<FONT color="green">594</FONT> <a name="line.594"></a> +<FONT color="green">595</FONT> /**<a name="line.595"></a> +<FONT color="green">596</FONT> * Restrict the values allowed by later {@code allow*} calls to those<a name="line.596"></a> +<FONT color="green">597</FONT> * matching the pattern.<a name="line.597"></a> +<FONT color="green">598</FONT> * Multiple calls to {@code matching} are combined to restrict to the<a name="line.598"></a> +<FONT color="green">599</FONT> * intersection of possible matched values.<a name="line.599"></a> +<FONT color="green">600</FONT> */<a name="line.600"></a> +<FONT color="green">601</FONT> public AttributeBuilder matching(final Pattern pattern) {<a name="line.601"></a> +<FONT color="green">602</FONT> return matching(new AttributePolicy() {<a name="line.602"></a> +<FONT color="green">603</FONT> public @Nullable String apply(<a name="line.603"></a> +<FONT color="green">604</FONT> String elementName, String attributeName, String value) {<a name="line.604"></a> +<FONT color="green">605</FONT> return pattern.matcher(value).matches() ? value : null;<a name="line.605"></a> +<FONT color="green">606</FONT> }<a name="line.606"></a> +<FONT color="green">607</FONT> });<a name="line.607"></a> +<FONT color="green">608</FONT> }<a name="line.608"></a> +<FONT color="green">609</FONT> <a name="line.609"></a> +<FONT color="green">610</FONT> /**<a name="line.610"></a> +<FONT color="green">611</FONT> * Restrict the values allowed by later {@code allow*} calls to those<a name="line.611"></a> +<FONT color="green">612</FONT> * matching the given predicate.<a name="line.612"></a> +<FONT color="green">613</FONT> * Multiple calls to {@code matching} are combined to restrict to the<a name="line.613"></a> +<FONT color="green">614</FONT> * intersection of possible matched values.<a name="line.614"></a> +<FONT color="green">615</FONT> */<a name="line.615"></a> +<FONT color="green">616</FONT> public AttributeBuilder matching(<a name="line.616"></a> +<FONT color="green">617</FONT> final Predicate<? super String> filter) {<a name="line.617"></a> +<FONT color="green">618</FONT> return matching(new AttributePolicy() {<a name="line.618"></a> +<FONT color="green">619</FONT> public @Nullable String apply(<a name="line.619"></a> +<FONT color="green">620</FONT> String elementName, String attributeName, String value) {<a name="line.620"></a> +<FONT color="green">621</FONT> return filter.apply(value) ? value : null;<a name="line.621"></a> +<FONT color="green">622</FONT> }<a name="line.622"></a> +<FONT color="green">623</FONT> });<a name="line.623"></a> +<FONT color="green">624</FONT> }<a name="line.624"></a> +<FONT color="green">625</FONT> <a name="line.625"></a> +<FONT color="green">626</FONT> /**<a name="line.626"></a> +<FONT color="green">627</FONT> * Restrict the values allowed by later {@code allow*} calls to those<a name="line.627"></a> +<FONT color="green">628</FONT> * supplied.<a name="line.628"></a> +<FONT color="green">629</FONT> * Multiple calls to {@code matching} are combined to restrict to the<a name="line.629"></a> +<FONT color="green">630</FONT> * intersection of possible matched values.<a name="line.630"></a> +<FONT color="green">631</FONT> */<a name="line.631"></a> +<FONT color="green">632</FONT> public AttributeBuilder matching(<a name="line.632"></a> +<FONT color="green">633</FONT> boolean ignoreCase, String... allowedValues) {<a name="line.633"></a> +<FONT color="green">634</FONT> return matching(ignoreCase, ImmutableSet.copyOf(allowedValues));<a name="line.634"></a> +<FONT color="green">635</FONT> }<a name="line.635"></a> +<FONT color="green">636</FONT> <a name="line.636"></a> +<FONT color="green">637</FONT> /**<a name="line.637"></a> +<FONT color="green">638</FONT> * Restrict the values allowed by later {@code allow*} calls to those<a name="line.638"></a> +<FONT color="green">639</FONT> * supplied.<a name="line.639"></a> +<FONT color="green">640</FONT> * Multiple calls to {@code matching} are combined to restrict to the<a name="line.640"></a> +<FONT color="green">641</FONT> * intersection of possible matched values.<a name="line.641"></a> +<FONT color="green">642</FONT> */<a name="line.642"></a> +<FONT color="green">643</FONT> public AttributeBuilder matching(<a name="line.643"></a> +<FONT color="green">644</FONT> final boolean ignoreCase, Set<? extends String> allowedValues) {<a name="line.644"></a> +<FONT color="green">645</FONT> final ImmutableSet<String> allowed = ImmutableSet.copyOf(allowedValues);<a name="line.645"></a> +<FONT color="green">646</FONT> return matching(new AttributePolicy() {<a name="line.646"></a> +<FONT color="green">647</FONT> public @Nullable String apply(<a name="line.647"></a> +<FONT color="green">648</FONT> String elementName, String attributeName, String value) {<a name="line.648"></a> +<FONT color="green">649</FONT> if (ignoreCase) { value = Strings.toLowerCase(value); }<a name="line.649"></a> +<FONT color="green">650</FONT> return allowed.contains(value) ? value : null;<a name="line.650"></a> +<FONT color="green">651</FONT> }<a name="line.651"></a> +<FONT color="green">652</FONT> });<a name="line.652"></a> +<FONT color="green">653</FONT> }<a name="line.653"></a> +<FONT color="green">654</FONT> <a name="line.654"></a> +<FONT color="green">655</FONT> /**<a name="line.655"></a> +<FONT color="green">656</FONT> * Allows the given attributes on any elements but filters the<a name="line.656"></a> +<FONT color="green">657</FONT> * attributes' values based on previous calls to {@code matching(...)}.<a name="line.657"></a> +<FONT color="green">658</FONT> * Global attribute policies are applied after element specific policies.<a name="line.658"></a> +<FONT color="green">659</FONT> * Be careful of using this with attributes like <code>type</code> which<a name="line.659"></a> +<FONT color="green">660</FONT> * have different meanings on different attributes.<a name="line.660"></a> +<FONT color="green">661</FONT> * Also be careful of allowing globally attributes like <code>href</code><a name="line.661"></a> +<FONT color="green">662</FONT> * which can have more far-reaching effects on tags like<a name="line.662"></a> +<FONT color="green">663</FONT> * <code>&lt;base&gt;</code> and <code>&lt;link&gt;</code> than on<a name="line.663"></a> +<FONT color="green">664</FONT> * <code>&lt;a&gt;</code> because in the former, they have an effect without<a name="line.664"></a> +<FONT color="green">665</FONT> * user interaction and can change the behavior of the current page.<a name="line.665"></a> +<FONT color="green">666</FONT> */<a name="line.666"></a> +<FONT color="green">667</FONT> public HtmlPolicyBuilder globally() {<a name="line.667"></a> +<FONT color="green">668</FONT> return HtmlPolicyBuilder.this.allowAttributesGlobally(<a name="line.668"></a> +<FONT color="green">669</FONT> policy, attributeNames);<a name="line.669"></a> +<FONT color="green">670</FONT> }<a name="line.670"></a> +<FONT color="green">671</FONT> <a name="line.671"></a> +<FONT color="green">672</FONT> /**<a name="line.672"></a> +<FONT color="green">673</FONT> * Allows the named attributes on the given elements but filters the<a name="line.673"></a> +<FONT color="green">674</FONT> * attributes' values based on previous calls to {@code matching(...)}.<a name="line.674"></a> +<FONT color="green">675</FONT> */<a name="line.675"></a> +<FONT color="green">676</FONT> public HtmlPolicyBuilder onElements(String... elementNames) {<a name="line.676"></a> +<FONT color="green">677</FONT> ImmutableList.Builder<String> b = ImmutableList.builder();<a name="line.677"></a> +<FONT color="green">678</FONT> for (String elementName : elementNames) {<a name="line.678"></a> +<FONT color="green">679</FONT> b.add(HtmlLexer.canonicalName(elementName));<a name="line.679"></a> +<FONT color="green">680</FONT> }<a name="line.680"></a> +<FONT color="green">681</FONT> return HtmlPolicyBuilder.this.allowAttributesOnElements(<a name="line.681"></a> +<FONT color="green">682</FONT> policy, attributeNames, b.build());<a name="line.682"></a> +<FONT color="green">683</FONT> }<a name="line.683"></a> +<FONT color="green">684</FONT> }<a name="line.684"></a> +<FONT color="green">685</FONT> }<a name="line.685"></a> diff --git a/distrib/javadoc/src-html/org/owasp/html/HtmlSanitizer.Policy.html b/distrib/javadoc/src-html/org/owasp/html/HtmlSanitizer.Policy.html index 77eb5a1..3e32806 100644 --- a/distrib/javadoc/src-html/org/owasp/html/HtmlSanitizer.Policy.html +++ b/distrib/javadoc/src-html/org/owasp/html/HtmlSanitizer.Policy.html @@ -99,7 +99,7 @@ <FONT color="green">096</FONT> * @param html A snippet of HTML to sanitize. {@code null} is treated as the<a name="line.96"></a> <FONT color="green">097</FONT> * empty string and will not result in a {@code NullPointerException}.<a name="line.97"></a> <FONT color="green">098</FONT> * @param policy The Policy that will receive events based on the tokens in<a name="line.98"></a> -<FONT color="green">099</FONT> * html. Typically, this policy ends up routing the events to an<a name="line.99"></a> +<FONT color="green">099</FONT> * HTML. Typically, this policy ends up routing the events to an<a name="line.99"></a> <FONT color="green">100</FONT> * {@link HtmlStreamRenderer} after filtering.<a name="line.100"></a> <FONT color="green">101</FONT> * {@link HtmlPolicyBuilder} provides an easy way to create policies.<a name="line.101"></a> <FONT color="green">102</FONT> */<a name="line.102"></a> diff --git a/distrib/javadoc/src-html/org/owasp/html/HtmlSanitizer.html b/distrib/javadoc/src-html/org/owasp/html/HtmlSanitizer.html index 77eb5a1..3e32806 100644 --- a/distrib/javadoc/src-html/org/owasp/html/HtmlSanitizer.html +++ b/distrib/javadoc/src-html/org/owasp/html/HtmlSanitizer.html @@ -99,7 +99,7 @@ <FONT color="green">096</FONT> * @param html A snippet of HTML to sanitize. {@code null} is treated as the<a name="line.96"></a> <FONT color="green">097</FONT> * empty string and will not result in a {@code NullPointerException}.<a name="line.97"></a> <FONT color="green">098</FONT> * @param policy The Policy that will receive events based on the tokens in<a name="line.98"></a> -<FONT color="green">099</FONT> * html. Typically, this policy ends up routing the events to an<a name="line.99"></a> +<FONT color="green">099</FONT> * HTML. Typically, this policy ends up routing the events to an<a name="line.99"></a> <FONT color="green">100</FONT> * {@link HtmlStreamRenderer} after filtering.<a name="line.100"></a> <FONT color="green">101</FONT> * {@link HtmlPolicyBuilder} provides an easy way to create policies.<a name="line.101"></a> <FONT color="green">102</FONT> */<a name="line.102"></a> diff --git a/distrib/javadoc/src-html/org/owasp/html/PolicyFactory.html b/distrib/javadoc/src-html/org/owasp/html/PolicyFactory.html index 98a8e20..34c426b 100644 --- a/distrib/javadoc/src-html/org/owasp/html/PolicyFactory.html +++ b/distrib/javadoc/src-html/org/owasp/html/PolicyFactory.html @@ -63,7 +63,7 @@ <FONT color="green">060</FONT> this.allowStyling = allowStyling;<a name="line.60"></a> <FONT color="green">061</FONT> }<a name="line.61"></a> <FONT color="green">062</FONT> <a name="line.62"></a> -<FONT color="green">063</FONT> /** Produces a sanitizer that emits tokens to out. */<a name="line.63"></a> +<FONT color="green">063</FONT> /** Produces a sanitizer that emits tokens to {@code out}. */<a name="line.63"></a> <FONT color="green">064</FONT> public HtmlSanitizer.Policy apply(HtmlStreamEventReceiver out) {<a name="line.64"></a> <FONT color="green">065</FONT> if (allowStyling) {<a name="line.65"></a> <FONT color="green">066</FONT> return new StylingPolicy(out, policies);<a name="line.66"></a> @@ -73,43 +73,67 @@ <FONT color="green">070</FONT> }<a name="line.70"></a> <FONT color="green">071</FONT> }<a name="line.71"></a> <FONT color="green">072</FONT> <a name="line.72"></a> -<FONT color="green">073</FONT> /** A convenience function that sanitizes a string of HTML. */<a name="line.73"></a> -<FONT color="green">074</FONT> public String sanitize(@Nullable String html) {<a name="line.74"></a> -<FONT color="green">075</FONT> if (html == null) { return ""; }<a name="line.75"></a> -<FONT color="green">076</FONT> StringBuilder out = new StringBuilder(html.length());<a name="line.76"></a> -<FONT color="green">077</FONT> HtmlSanitizer.sanitize(<a name="line.77"></a> -<FONT color="green">078</FONT> html, apply(HtmlStreamRenderer.create(out, Handler.DO_NOTHING)));<a name="line.78"></a> -<FONT color="green">079</FONT> return out.toString();<a name="line.79"></a> -<FONT color="green">080</FONT> }<a name="line.80"></a> -<FONT color="green">081</FONT> <a name="line.81"></a> -<FONT color="green">082</FONT> /**<a name="line.82"></a> -<FONT color="green">083</FONT> * Produces a factory that allows the union of the grants, and intersects<a name="line.83"></a> -<FONT color="green">084</FONT> * policies where they overlap on a particular granted attribute or element<a name="line.84"></a> -<FONT color="green">085</FONT> * name.<a name="line.85"></a> -<FONT color="green">086</FONT> */<a name="line.86"></a> -<FONT color="green">087</FONT> public PolicyFactory and(PolicyFactory f) {<a name="line.87"></a> -<FONT color="green">088</FONT> ImmutableMap.Builder<String, ElementAndAttributePolicies> b<a name="line.88"></a> -<FONT color="green">089</FONT> = ImmutableMap.builder();<a name="line.89"></a> -<FONT color="green">090</FONT> for (Map.Entry<String, ElementAndAttributePolicies> e<a name="line.90"></a> -<FONT color="green">091</FONT> : policies.entrySet()) {<a name="line.91"></a> -<FONT color="green">092</FONT> String elName = e.getKey();<a name="line.92"></a> -<FONT color="green">093</FONT> ElementAndAttributePolicies p = e.getValue();<a name="line.93"></a> -<FONT color="green">094</FONT> ElementAndAttributePolicies q = f.policies.get(elName);<a name="line.94"></a> -<FONT color="green">095</FONT> if (q != null) {<a name="line.95"></a> -<FONT color="green">096</FONT> p = p.and(q);<a name="line.96"></a> -<FONT color="green">097</FONT> }<a name="line.97"></a> -<FONT color="green">098</FONT> b.put(elName, p);<a name="line.98"></a> -<FONT color="green">099</FONT> }<a name="line.99"></a> -<FONT color="green">100</FONT> for (Map.Entry<String, ElementAndAttributePolicies> e<a name="line.100"></a> -<FONT color="green">101</FONT> : f.policies.entrySet()) {<a name="line.101"></a> -<FONT color="green">102</FONT> String elName = e.getKey();<a name="line.102"></a> -<FONT color="green">103</FONT> if (!policies.containsKey(elName)) {<a name="line.103"></a> -<FONT color="green">104</FONT> b.put(elName, e.getValue());<a name="line.104"></a> -<FONT color="green">105</FONT> }<a name="line.105"></a> -<FONT color="green">106</FONT> }<a name="line.106"></a> -<FONT color="green">107</FONT> return new PolicyFactory(b.build(), allowStyling || f.allowStyling);<a name="line.107"></a> -<FONT color="green">108</FONT> }<a name="line.108"></a> -<FONT color="green">109</FONT> }<a name="line.109"></a> +<FONT color="green">073</FONT> /**<a name="line.73"></a> +<FONT color="green">074</FONT> * Produces a sanitizer that emits tokens to {@code out} and that notifies<a name="line.74"></a> +<FONT color="green">075</FONT> * any {@code listener} of any dropped tags and attributes.<a name="line.75"></a> +<FONT color="green">076</FONT> * @param out a renderer that receives approved tokens only.<a name="line.76"></a> +<FONT color="green">077</FONT> * @param listener if non-null, receives notifications of tags and attributes<a name="line.77"></a> +<FONT color="green">078</FONT> * that were rejected by the policy. This may tie into intrusion<a name="line.78"></a> +<FONT color="green">079</FONT> * detection systems.<a name="line.79"></a> +<FONT color="green">080</FONT> * @param context if {@code (listener != null)} then the context value passed<a name="line.80"></a> +<FONT color="green">081</FONT> * with notifications. This can be used to let the listener know from<a name="line.81"></a> +<FONT color="green">082</FONT> * which connection or request the questionable HTML was received.<a name="line.82"></a> +<FONT color="green">083</FONT> */<a name="line.83"></a> +<FONT color="green">084</FONT> public <CTX> HtmlSanitizer.Policy apply(<a name="line.84"></a> +<FONT color="green">085</FONT> HtmlStreamEventReceiver out, @Nullable HtmlChangeListener<CTX> listener,<a name="line.85"></a> +<FONT color="green">086</FONT> @Nullable CTX context) {<a name="line.86"></a> +<FONT color="green">087</FONT> if (listener == null) {<a name="line.87"></a> +<FONT color="green">088</FONT> return apply(out);<a name="line.88"></a> +<FONT color="green">089</FONT> } else {<a name="line.89"></a> +<FONT color="green">090</FONT> HtmlChangeReporter<CTX> r = new HtmlChangeReporter<CTX>(<a name="line.90"></a> +<FONT color="green">091</FONT> out, listener, context);<a name="line.91"></a> +<FONT color="green">092</FONT> r.setPolicy(apply(r.getWrappedRenderer()));<a name="line.92"></a> +<FONT color="green">093</FONT> return r.getWrappedPolicy();<a name="line.93"></a> +<FONT color="green">094</FONT> }<a name="line.94"></a> +<FONT color="green">095</FONT> }<a name="line.95"></a> +<FONT color="green">096</FONT> <a name="line.96"></a> +<FONT color="green">097</FONT> /** A convenience function that sanitizes a string of HTML. */<a name="line.97"></a> +<FONT color="green">098</FONT> public String sanitize(@Nullable String html) {<a name="line.98"></a> +<FONT color="green">099</FONT> if (html == null) { return ""; }<a name="line.99"></a> +<FONT color="green">100</FONT> StringBuilder out = new StringBuilder(html.length());<a name="line.100"></a> +<FONT color="green">101</FONT> HtmlSanitizer.sanitize(<a name="line.101"></a> +<FONT color="green">102</FONT> html, apply(HtmlStreamRenderer.create(out, Handler.DO_NOTHING)));<a name="line.102"></a> +<FONT color="green">103</FONT> return out.toString();<a name="line.103"></a> +<FONT color="green">104</FONT> }<a name="line.104"></a> +<FONT color="green">105</FONT> <a name="line.105"></a> +<FONT color="green">106</FONT> /**<a name="line.106"></a> +<FONT color="green">107</FONT> * Produces a factory that allows the union of the grants, and intersects<a name="line.107"></a> +<FONT color="green">108</FONT> * policies where they overlap on a particular granted attribute or element<a name="line.108"></a> +<FONT color="green">109</FONT> * name.<a name="line.109"></a> +<FONT color="green">110</FONT> */<a name="line.110"></a> +<FONT color="green">111</FONT> public PolicyFactory and(PolicyFactory f) {<a name="line.111"></a> +<FONT color="green">112</FONT> ImmutableMap.Builder<String, ElementAndAttributePolicies> b<a name="line.112"></a> +<FONT color="green">113</FONT> = ImmutableMap.builder();<a name="line.113"></a> +<FONT color="green">114</FONT> for (Map.Entry<String, ElementAndAttributePolicies> e<a name="line.114"></a> +<FONT color="green">115</FONT> : policies.entrySet()) {<a name="line.115"></a> +<FONT color="green">116</FONT> String elName = e.getKey();<a name="line.116"></a> +<FONT color="green">117</FONT> ElementAndAttributePolicies p = e.getValue();<a name="line.117"></a> +<FONT color="green">118</FONT> ElementAndAttributePolicies q = f.policies.get(elName);<a name="line.118"></a> +<FONT color="green">119</FONT> if (q != null) {<a name="line.119"></a> +<FONT color="green">120</FONT> p = p.and(q);<a name="line.120"></a> +<FONT color="green">121</FONT> }<a name="line.121"></a> +<FONT color="green">122</FONT> b.put(elName, p);<a name="line.122"></a> +<FONT color="green">123</FONT> }<a name="line.123"></a> +<FONT color="green">124</FONT> for (Map.Entry<String, ElementAndAttributePolicies> e<a name="line.124"></a> +<FONT color="green">125</FONT> : f.policies.entrySet()) {<a name="line.125"></a> +<FONT color="green">126</FONT> String elName = e.getKey();<a name="line.126"></a> +<FONT color="green">127</FONT> if (!policies.containsKey(elName)) {<a name="line.127"></a> +<FONT color="green">128</FONT> b.put(elName, e.getValue());<a name="line.128"></a> +<FONT color="green">129</FONT> }<a name="line.129"></a> +<FONT color="green">130</FONT> }<a name="line.130"></a> +<FONT color="green">131</FONT> return new PolicyFactory(b.build(), allowStyling || f.allowStyling);<a name="line.131"></a> +<FONT color="green">132</FONT> }<a name="line.132"></a> +<FONT color="green">133</FONT> }<a name="line.133"></a> diff --git a/distrib/lib/guava.jar b/distrib/lib/guava.jar Binary files differindex f8da8b1..c8c8d5d 100644 --- a/distrib/lib/guava.jar +++ b/distrib/lib/guava.jar diff --git a/distrib/lib/owasp-java-html-sanitizer-src.jar b/distrib/lib/owasp-java-html-sanitizer-src.jar Binary files differindex 395c5f6..43a7f4f 100644 --- a/distrib/lib/owasp-java-html-sanitizer-src.jar +++ b/distrib/lib/owasp-java-html-sanitizer-src.jar diff --git a/distrib/lib/owasp-java-html-sanitizer.jar b/distrib/lib/owasp-java-html-sanitizer.jar Binary files differindex 294c9b3..98775f8 100644 --- a/distrib/lib/owasp-java-html-sanitizer.jar +++ b/distrib/lib/owasp-java-html-sanitizer.jar |