  1. package br.com.otavio.model.helper;
  2.  
import java.net.URL;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

import javax.annotation.PostConstruct;
import javax.ejb.Singleton;

import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;
import org.owasp.validator.html.model.Attribute;
import org.owasp.validator.html.model.Tag;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
  18.  
  19. /**
  20. * Singleton service that sanitizes user-supplied HTML with AntiSamy.
  21. *
  22. * @author Otávio Scherer Garcia
  23. */
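@Singleton
// NOTE(review): business methods of a @Singleton EJB default to container-managed WRITE
// locks, so every sanitizer call is serialized. Once the policies are immutable after
// create(), @Lock(LockType.READ) may be worth considering — confirm the container's defaults.
public class Sanitizer {

    private static final Logger LOGGER = LoggerFactory.getLogger(Sanitizer.class);

    /** Classpath locations of the AntiSamy policy files loaded in {@link #create()}. */
    private static final String BLOGENTRY_POLICY = "/antisamy-blogentry.xml";
    private static final String COMMENTS_POLICY = "/antisamy-comments.xml";

    /**
     * Every line-break convention, used by {@link #nl2br(String)}. The two-character
     * sequences are listed first: regex alternation takes the first branch that matches,
     * so with {@code \n} before {@code \n\r} the latter could never match and would
     * produce two {@code <br />} instead of one.
     */
    private static final Pattern LINE_BREAK = Pattern.compile("\r\n|\n\r|\r|\n");

    // Loaded once in create(); parsing an AntiSamy policy XML is too costly to repeat per call.
    private Policy blogEntry;
    private Policy comments;

    /**
     * Loads and caches the {@link Policy} instances because they are expensive to create.
     *
     * @throws IllegalStateException if a policy file is missing from the classpath or
     *         cannot be parsed; the bean then fails to start rather than sanitizing with
     *         a null policy
     */
    @PostConstruct
    void create() {
        blogEntry = loadPolicy(BLOGENTRY_POLICY);
        comments = loadPolicy(COMMENTS_POLICY);
    }

    /**
     * Loads one AntiSamy policy from the classpath.
     *
     * @param resource absolute classpath path of the policy XML
     * @return the parsed policy, never {@code null}
     * @throws IllegalStateException if the resource is absent or AntiSamy rejects it
     */
    private static Policy loadPolicy(String resource) {
        // Sanitizer.class rather than getClass(): the container may instantiate a generated
        // subclass, and an absolute resource should resolve against this class's loader.
        URL location = Sanitizer.class.getResource(resource);
        if (location == null) {
            // Policy.getInstance(null) would fail deep inside AntiSamy; name the missing file instead.
            throw new IllegalStateException("AntiSamy policy not found on the classpath: " + resource);
        }
        try {
            return Policy.getInstance(location);
        } catch (PolicyException e) {
            // Startup failure: log at error level and keep the cause for the container's report.
            LOGGER.error("Could not load AntiSamy policy {}", resource, e);
            throw new IllegalStateException("Could not load AntiSamy policy " + resource, e);
        }
    }

    /**
     * Sanitizes user input using the comment rules and converts line breaks to
     * {@code <br />}. The line-break conversion runs after sanitization and inserts
     * only that fixed literal, so it cannot reintroduce markup from the input.
     *
     * @param dirtyInput untrusted HTML as submitted by the user
     * @return HTML that conforms to the comments policy
     * @throws IllegalStateException if AntiSamy cannot scan the input
     */
    public String sanitizeComment(String dirtyInput) {
        return nl2br(sanitize(dirtyInput, comments));
    }

    /**
     * Sanitizes user input using the blog entry rules.
     *
     * @param dirtyInput untrusted HTML as submitted by the user
     * @return HTML that conforms to the blog entry policy
     * @throws IllegalStateException if AntiSamy cannot scan the input
     */
    public String sanitizeEntry(String dirtyInput) {
        return sanitize(dirtyInput, blogEntry);
    }

    /**
     * Returns a string listing the tags (with their allowed attributes and attribute
     * values) that the comments policy lets through, e.g. {@code <a href="..."> <b> }.
     * The text is derived from the policy file only, never from user input.
     *
     * @return one {@code <tag attr="v1|v2"> } entry per allowed tag, each followed by a space
     */
    public String getTagsForComments() {
        final StringBuilder str = new StringBuilder(100);
        for (Tag tag : allowedTags(comments)) {
            appendTag(str, tag);
        }
        return str.toString();
    }

    /**
     * Appends {@code <name attr="v1|v2" ...> } for one tag.
     *
     * @param str builder to append to
     * @param tag policy tag whose allowed attributes and values are rendered
     */
    private static void appendTag(StringBuilder str, Tag tag) {
        str.append('<').append(tag.getName());
        for (Attribute attr : allowedAttributes(tag)) {
            str.append(' ').append(attr.getName()).append("=\"");
            for (Object allowedValue : attr.getAllowedValues()) {
                // '|' goes only between values: before the first one the last char is still '"'.
                if (str.charAt(str.length() - 1) != '"') {
                    str.append('|');
                }
                str.append(allowedValue);
            }
            str.append('"');
        }
        str.append("> ");
    }

    /**
     * Collects the tags of a policy whose action is {@code validate}; tags with any
     * other action are not advertised as allowed.
     *
     * @param policy policy to inspect
     * @return the validated tags, possibly empty, never {@code null}
     */
    private static List<Tag> allowedTags(final Policy policy) {
        List<Tag> out = new ArrayList<Tag>();
        for (String name : policy.getTags()) {
            Tag tag = policy.getTagByName(name);
            // Constant-first equals also covers a tag with no action set.
            if (tag != null && "validate".equals(tag.getAction())) {
                out.add(tag);
            }
        }
        return out;
    }

    /**
     * Returns the attributes a tag accepts.
     *
     * @param tag policy tag
     * @return a fresh list of the tag's allowed attributes
     */
    @SuppressWarnings("unchecked")
    private static List<Attribute> allowedAttributes(Tag tag) {
        // The suppression is scoped to this one method; it is needed if getAllowedAttributes()
        // is a raw Map in the AntiSamy release in use — TODO confirm against that version.
        return new ArrayList<Attribute>(tag.getAllowedAttributes().values());
    }

    /**
     * Runs AntiSamy over the input with the given policy.
     *
     * @param dirtyInput untrusted HTML
     * @param policy policy to enforce
     * @return the cleaned HTML produced by AntiSamy
     * @throws IllegalStateException if the policy is unusable or the input cannot be scanned
     */
    private static String sanitize(String dirtyInput, Policy policy) {
        try {
            CleanResults results = new AntiSamy().scan(dirtyInput, policy, AntiSamy.SAX);
            if (results.getNumberOfErrors() > 0) {
                // Log what AntiSamy rejected, not the raw input: the input is untrusted (it could
                // carry line breaks or markup into the log) and may contain personal data.
                LOGGER.warn("sanitization changed the input ({} issue(s)): {}",
                        results.getNumberOfErrors(), results.getErrorMessages());
            }
            return results.getCleanHTML();
        } catch (PolicyException e) {
            throw new IllegalStateException("AntiSamy policy error while sanitizing input", e);
        } catch (ScanException e) {
            throw new IllegalStateException("AntiSamy could not scan the input", e);
        }
    }

    /**
     * Replaces every line break ({@code \r\n}, {@code \n\r}, {@code \r} or {@code \n})
     * with a single {@code <br />}.
     *
     * @param s text to convert
     * @return the text with line breaks replaced
     */
    private static String nl2br(String s) {
        return LINE_BREAK.matcher(s).replaceAll("<br />");
    }
}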