- package br.com.otavio.model.helper;
import java.net.URL;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

import javax.annotation.PostConstruct;
import javax.ejb.Singleton;

import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;
import org.owasp.validator.html.model.Attribute;
import org.owasp.validator.html.model.Tag;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
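/**
 * Singleton service that sanitizes user-supplied HTML with OWASP AntiSamy so that
 * callers can render it without opening a stored-XSS hole.
 * <p>
 * Two policies are loaded once, when the bean is created, from the classpath:
 * {@code /antisamy-blogentry.xml} for blog entries and {@code /antisamy-comments.xml}
 * for comments. What survives sanitization is decided entirely by those files, so they
 * are security-critical configuration: loosening a policy loosens the XSS defense.
 * If either file is missing or invalid, {@link #create()} throws, which is expected to
 * abort creation of the bean — the application must not run with sanitization
 * silently disabled.
 * <p>
 * The strings returned by {@link #sanitizeComment(String)} and
 * {@link #sanitizeEntry(String)} are HTML meant to be rendered unescaped.
 * {@link #getTagsForComments()} is a human-readable summary and must still be
 * HTML-escaped by whatever displays it.
 *
 * @author Otávio Scherer Garcia
 */
@Singleton
public class Sanitizer {

    private static final Logger LOGGER = LoggerFactory.getLogger(Sanitizer.class);

    /** Classpath resource holding the policy for blog entries. */
    private static final String BLOGENTRY_POLICY = "/antisamy-blogentry.xml";

    /** Classpath resource holding the policy for comments. */
    private static final String COMMENTS_POLICY = "/antisamy-comments.xml";

    /** AntiSamy tag action that this class reports as "allowed" in {@link #getTagsForComments()}. */
    private static final String ACTION_VALIDATE = "validate";

    /**
     * Matches a single line break of any flavour. The two-character forms are listed
     * first so that {@code \r\n} and {@code \n\r} each count as ONE break; with the
     * single characters first, {@code \n\r} would be split into two breaks.
     */
    private static final Pattern LINE_BREAK = Pattern.compile("\r\n|\n\r|\r|\n");

    /** Policy for blog entries; assigned once in {@link #create()}, never changed afterwards. */
    private Policy blogEntryPolicy;

    /** Policy for comments; assigned once in {@link #create()}, never changed afterwards. */
    private Policy commentsPolicy;

    /**
     * Loads and caches both {@link Policy} instances. Policies are costly to build, so
     * this happens once at bean construction rather than on every request.
     *
     * @throws IllegalStateException if a policy file is missing from the classpath or
     *         cannot be parsed. Letting this escape the {@code @PostConstruct} callback
     *         is deliberate: a sanitizer without a policy must fail closed, not start up.
     */
    @PostConstruct
    void create() {
        try {
            blogEntryPolicy = loadPolicy(BLOGENTRY_POLICY);
            commentsPolicy = loadPolicy(COMMENTS_POLICY);
        } catch (PolicyException e) {
            LOGGER.error("Could not load AntiSamy policies; refusing to start without sanitization", e);
            throw new IllegalStateException("Could not load AntiSamy policies", e);
        }
    }

    /**
     * Resolves one policy file on the classpath and parses it.
     *
     * @param resourceName absolute classpath resource name, e.g. {@code /antisamy-comments.xml}
     * @return the parsed policy
     * @throws IllegalStateException if the resource does not exist; without this check a
     *         missing file would most likely surface as an unhelpful
     *         {@code NullPointerException} from inside AntiSamy
     * @throws PolicyException if the file exists but is not a valid AntiSamy policy
     */
    private static Policy loadPolicy(String resourceName) throws PolicyException {
        // Sanitizer.class rather than getClass(): a container-generated subclass of this
        // bean could otherwise resolve the resource against a different class loader.
        final URL location = Sanitizer.class.getResource(resourceName);
        if (location == null) {
            throw new IllegalStateException("AntiSamy policy not found on classpath: " + resourceName);
        }
        return Policy.getInstance(location);
    }

    /**
     * Sanitizes a comment with the comments policy, then turns line breaks into
     * {@code <br />} so plain-text comments keep their paragraph structure.
     * <p>
     * The line-break conversion runs on AntiSamy's output, so the {@code <br />} tags are
     * trusted markup added by this class and never go through the policy.
     * NOTE(review): if the comments policy leaves AntiSamy's {@code formatOutput}
     * directive enabled, the newlines AntiSamy inserts while pretty-printing are
     * converted as well — confirm the policy switches it off.
     *
     * @param dirtyInput untrusted HTML/text as submitted by the user; {@code null} is
     *        treated as an empty string
     * @return HTML that is safe to render under the comments policy, never {@code null}
     * @throws IllegalStateException if AntiSamy cannot scan the input
     */
    public String sanitizeComment(String dirtyInput) {
        return nl2br(sanitize(dirtyInput, commentsPolicy));
    }

    /**
     * Sanitizes a blog entry with the blog-entry policy. No line-break conversion is
     * applied: entries are expected to carry their own markup.
     *
     * @param dirtyInput untrusted HTML as submitted by the user; {@code null} is treated
     *        as an empty string
     * @return HTML that is safe to render under the blog-entry policy, never {@code null}
     * @throws IllegalStateException if AntiSamy cannot scan the input
     */
    public String sanitizeEntry(String dirtyInput) {
        return sanitize(dirtyInput, blogEntryPolicy);
    }

    /**
     * Renders the tags the comments policy lets through as a compact, human-readable list:
     * one {@code <tag attr="v1|v2">} entry (followed by a space) per tag whose policy action
     * is {@code validate}, each allowed attribute listed with its literal allowed values
     * joined by {@code |}. An attribute with no literal allowed values (for instance one the
     * policy constrains only by a regular expression) shows up as {@code attr=""}.
     * <p>
     * The result contains raw {@code <}, {@code >} and {@code "} characters. It is meant to
     * be shown to the user as text, so the view must HTML-escape it rather than emit it as
     * markup.
     *
     * @return the rendering described above; empty if the policy validates no tag at all
     */
    public String getTagsForComments() {
        final StringBuilder out = new StringBuilder(100);
        for (Tag tag : allowedTags(commentsPolicy)) {
            out.append('<').append(tag.getName());
            for (Attribute attr : allowedAttributes(tag)) {
                out.append(' ').append(attr.getName()).append("=\"");
                // Explicit first-element flag instead of peeking at the last appended
                // character, which misfired when an allowed value itself ended in a quote.
                boolean first = true;
                for (Object allowedValue : attr.getAllowedValues()) {
                    if (!first) {
                        out.append('|');
                    }
                    out.append(allowedValue);
                    first = false;
                }
                out.append('"');
            }
            out.append("> ");
        }
        return out.toString();
    }

    /**
     * Collects the tags of {@code policy} whose action is {@code validate}.
     *
     * @param policy the policy to inspect
     * @return the matching tags, in the order the policy enumerates them; possibly empty
     */
    private List<Tag> allowedTags(final Policy policy) {
        final List<Tag> validated = new ArrayList<Tag>();
        for (String name : policy.getTags()) {
            final Tag tag = policy.getTagByName(name);
            if (tag != null && ACTION_VALIDATE.equals(tag.getAction())) {
                validated.add(tag);
            }
        }
        return validated;
    }

    /**
     * Returns the attributes the policy allows on {@code tag} as a fresh list.
     *
     * @param tag the tag to inspect
     * @return a copy of the tag's allowed attributes; possibly empty
     */
    // Unchecked: older AntiSamy releases declare getAllowedAttributes() as a raw Map.
    @SuppressWarnings("unchecked")
    private List<Attribute> allowedAttributes(Tag tag) {
        return new ArrayList<Attribute>(tag.getAllowedAttributes().values());
    }

    /**
     * Runs {@code dirtyInput} through AntiSamy's SAX scanner under {@code policy}.
     *
     * @param dirtyInput untrusted input; {@code null} yields an empty string instead of
     *        the {@code IllegalStateException} AntiSamy's own null handling would cause
     * @param policy the policy to apply
     * @return the cleaned HTML produced by AntiSamy, never {@code null}
     * @throws IllegalStateException if the policy is invalid or the scan fails; both are
     *         configuration or engine failures, not something the caller can recover from
     */
    private String sanitize(String dirtyInput, Policy policy) {
        if (dirtyInput == null) {
            return "";
        }
        try {
            final CleanResults results = new AntiSamy().scan(dirtyInput, policy, AntiSamy.SAX);
            if (results.getNumberOfErrors() > 0) {
                // Do NOT echo the raw input: it is attacker-controlled HTML, and writing it
                // verbatim to the log is a log-injection / log-flooding vector. AntiSamy's
                // own error messages say what was stripped; the length is enough for triage.
                LOGGER.warn("sanitization altered input of {} chars: {}",
                        dirtyInput.length(), results.getErrorMessages());
            }
            return results.getCleanHTML();
        } catch (PolicyException e) {
            throw new IllegalStateException("AntiSamy policy is invalid", e);
        } catch (ScanException e) {
            throw new IllegalStateException("AntiSamy failed to scan input", e);
        }
    }

    /**
     * Replaces every line break ({@code \r\n}, {@code \n\r}, {@code \r} or {@code \n})
     * with a single {@code <br />}.
     *
     * @param s text to convert; must not be {@code null}
     * @return the converted text
     */
    private static String nl2br(String s) {
        return LINE_BREAK.matcher(s).replaceAll("<br />");
    }
}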