中文版
Code/Resource
- Windows Develop
- Linux-Unix program
- Internet-Socket-Network
- Web Server
- Browser Client
- Ftp Server
- Ftp Client
- Browser Plugins
- Proxy Server
- Email Server
- Email Client
- WEB Mail
- Firewall-Security
- Telnet Server
- Telnet Client
- ICQ-IM-Chat
- Search Engine
- Sniffer Package capture
- Remote Control
- xml-soap-webservice
- P2P
- WEB(ASP,PHP,...)
- TCP/IP Stack
- SNMP
- Grid Computing
- SilverLight
- DNS
- Cluster Service
- Network Security
- Communication-Mobile
- Game Program
- Editor
- Multimedia program
- Graph program
- Compiler program
- Compress-Decompress algrithms
- Crypt_Decrypt algrithms
- Mathimatics-Numerical algorithms
- MultiLanguage
- Disk/Storage
- Java Develop
- assembly language
- Applications
- Other systems
- Database system
- Embeded-SCM Develop
- FlashMX/Flex
- source in ebook
- Delphi VCL
- OS Develop
- MiddleWare
- MPI
- MacOS develop
- LabView
- ELanguage
- Software/Tools
- E-Books
- Artical/Document
SafeHtml.java
Package: jforum-2.1.8-src.zip [view]
Upload User: gdxydsw
Upload Date: 2019-01-29
Package Size: 16721k
Code Size: 9k
Category:
Java Develop
Development Platform:
Java
- /*
- * Copyright (c) JForum Team
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms,
- * with or without modification, are permitted provided
- * that the following conditions are met:
- *
- * 1) Redistributions of source code must retain the above
- * copyright notice, this list of conditions and the
- * following disclaimer.
- * 2) Redistributions in binary form must reproduce the
- * above copyright notice, this list of conditions and
- * the following disclaimer in the documentation and/or
- * other materials provided with the distribution.
- * 3) Neither the name of "Rafael Steil" nor
- * the names of its contributors may be used to endorse
- * or promote products derived from this software without
- * specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT
- * HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
- * EXPRESS OR IMPLIED WARRANTIES, INCLUDING,
- * BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
- * THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
- * EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA,
- * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
- * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
- * IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
- * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
- * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE
- *
- * This file creation date: 27/09/2004 23:59:10
- * The JForum Project
- * http://www.jforum.net
- */
- package net.jforum.util;
- import java.util.HashSet;
- import java.util.Iterator;
- import java.util.Set;
- import java.util.Vector;
- import net.jforum.exceptions.ForumException;
- import net.jforum.util.preferences.ConfigKeys;
- import net.jforum.util.preferences.SystemGlobals;
- import net.jforum.view.forum.common.ViewCommon;
- import org.htmlparser.Attribute;
- import org.htmlparser.Node;
- import org.htmlparser.Tag;
- import org.htmlparser.lexer.Lexer;
- import org.htmlparser.nodes.TextNode;
- /**
- * Process text with html and remove possible malicious tags and attributes.
- * Work based on tips from Amit Klein and the following documents:
- * <br>
- * <li>http://ha.ckers.org/xss.html
- * <li>http://quickwired.com/kallahar/smallprojects/php_xss_filter_function.php
- * <br>
- * @author Rafael Steil
- * @version $Id: SafeHtml.java,v 1.25 2007/09/19 14:08:57 rafaelsteil Exp $
- */
- public class SafeHtml
- {
- private static Set welcomeTags;
- private static Set welcomeAttributes;
- private static Set allowedProtocols;
- static {
- welcomeTags = new HashSet();
- welcomeAttributes = new HashSet();
- allowedProtocols = new HashSet();
- splitAndTrim(ConfigKeys.HTML_TAGS_WELCOME, welcomeTags);
- splitAndTrim(ConfigKeys.HTML_ATTRIBUTES_WELCOME, welcomeAttributes);
- splitAndTrim(ConfigKeys.HTML_LINKS_ALLOW_PROTOCOLS, allowedProtocols);
- }
- private static void splitAndTrim(String s, Set data)
- {
- String s1 = SystemGlobals.getValue(s);
- if (s1 == null) {
- return;
- }
- String[] tags = s1.toUpperCase().split(",");
- for (int i = 0; i < tags.length; i++) {
- data.add(tags[i].trim());
- }
- }
- /**
- * Given an input, analyze each HTML tag and remove unsecure attributes from them.
- * @param contents The content to verify
- * @return the content, secure.
- */
- public String ensureAllAttributesAreSafe(String contents)
- {
- StringBuffer sb = new StringBuffer(contents.length());
- try {
- Lexer lexer = new Lexer(contents);
- Node node;
- while ((node = lexer.nextNode()) != null) {
- if (node instanceof Tag) {
- Tag tag = (Tag)node;
- this.checkAndValidateAttributes(tag, false);
- sb.append(tag.toHtml());
- }
- else {
- sb.append(node.toHtml());
- }
- }
- }
- catch (Exception e) {
- throw new ForumException("Problems while parsing HTML: " + e, e);
- }
- return sb.toString();
- }
- /**
- * Given an input, makes it safe for HTML displaying.
- * Removes any not allowed HTML tag or attribute, as well
- * unwanted Javascript statements inside the tags.
- * @param contents the input to analyze
- * @return the modified and safe string
- */
- public String makeSafe(String contents)
- {
- if (contents == null || contents.length() == 0) {
- return contents;
- }
- StringBuffer sb = new StringBuffer(contents.length());
- try {
- Lexer lexer = new Lexer(contents);
- Node node;
- while ((node = lexer.nextNode()) != null) {
- boolean isTextNode = node instanceof TextNode;
- if (isTextNode) {
- // Text nodes are raw data, so we just
- // strip off all possible html content
- String text = node.toHtml();
- if (text.indexOf('>') > -1 || text.indexOf('<') > -1) {
- StringBuffer tmp = new StringBuffer(text);
- ViewCommon.replaceAll(tmp, "<", "<");
- ViewCommon.replaceAll(tmp, ">", ">");
- ViewCommon.replaceAll(tmp, """, """);
- node.setText(tmp.toString());
- }
- }
- if (isTextNode || (node instanceof Tag && this.isTagWelcome(node))) {
- sb.append(node.toHtml());
- }
- else {
- StringBuffer tmp = new StringBuffer(node.toHtml());
- ViewCommon.replaceAll(tmp, "<", "<");
- ViewCommon.replaceAll(tmp, ">", ">");
- sb.append(tmp.toString());
- }
- }
- }
- catch (Exception e) {
- throw new ForumException("Error while parsing HTML: " + e, e);
- }
- return sb.toString();
- }
- /**
- * Returns true if a given tag is allowed.
- * Also, it checks and removes any unwanted attribute the tag may contain.
- * @param node The tag node to analyze
- * @return true if it is a valid tag.
- */
- private boolean isTagWelcome(Node node)
- {
- Tag tag = (Tag)node;
- if (!welcomeTags.contains(tag.getTagName())) {
- return false;
- }
- this.checkAndValidateAttributes(tag, true);
- return true;
- }
- /**
- * Given a tag, check its attributes, removing those unwanted or not secure
- * @param tag The tag to analyze
- * @param checkIfAttributeIsWelcome true if the attribute name should be matched
- * against the list of welcome attributes, set in the main configuration file.
- */
- private void checkAndValidateAttributes(Tag tag, boolean checkIfAttributeIsWelcome)
- {
- Vector newAttributes = new Vector();
- for (Iterator iter = tag.getAttributesEx().iterator(); iter.hasNext(); ) {
- Attribute a = (Attribute)iter.next();
- String name = a.getName();
- if (name == null) {
- newAttributes.add(a);
- }
- else {
- name = name.toUpperCase();
- if (a.getValue() == null) {
- newAttributes.add(a);
- continue;
- }
- String value = a.getValue().toLowerCase();
- if (checkIfAttributeIsWelcome && !this.isAttributeWelcome(name)) {
- continue;
- }
- if (!this.isAttributeSafe(name, value)) {
- continue;
- }
- if (a.getValue().indexOf("&#") > -1) {
- a.setValue(a.getValue().replaceAll("&#", "&#"));
- }
- newAttributes.add(a);
- }
- }
- tag.setAttributesEx(newAttributes);
- }
- /**
- * Check if the given attribute name is in the list of allowed attributes
- * @param name the attribute name
- * @return true if it is an allowed attribute name
- */
- private boolean isAttributeWelcome(String name)
- {
- return welcomeAttributes.contains(name);
- }
- /**
- * Check if the attribute is safe, checking either its name and value.
- * @param name the attribute name
- * @param value the attribute value
- * @return true if it is a safe attribute
- */
- private boolean isAttributeSafe(String name, String value)
- {
- if (name.length() >= 2 && name.charAt(0) == 'O' && name.charAt(1) == 'N') {
- return false;
- }
- if (value.indexOf('n') > -1 || value.indexOf('r') > -1 || value.indexOf('') > -1) {
- return false;
- }
- if (("HREF".equals(name) || "SRC".equals(name))) {
- if (!this.isHrefValid(value)) {
- return false;
- }
- }
- else if ("STYLE".equals(name)) {
- // It is much more a try to not allow constructions
- // like style="background-color: url(javascript:xxxx)" than anything else
- if (value.indexOf('(') > -1) {
- return false;
- }
- }
- return true;
- }
- /**
- * Checks if a given address is valid
- * @param href The address to check
- * @return true if it is valid
- */
- private boolean isHrefValid(String href)
- {
- if (SystemGlobals.getBoolValue(ConfigKeys.HTML_LINKS_ALLOW_RELATIVE)
- && href.length() > 0
- && href.charAt(0) == '/') {
- return true;
- }
- for (Iterator iter = allowedProtocols.iterator(); iter.hasNext(); ) {
- String protocol = iter.next().toString().toLowerCase();
- if (href.startsWith(protocol)) {
- return true;
- }
- }
- return false;
- }
- }
