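/*
 * This library is part of OpenCms -
 * the Open Source Content Management System
 *
 * Copyright (C) Alkacon Software (http://www.alkacon.com)
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * Lesser General Public License for more details.
 *
 * For further information about Alkacon Software, please see the
 * company website: http://www.alkacon.com
 *
 * For further information about OpenCms, please see the
 * project website: http://www.opencms.org
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 */

package org.opencms.jsp;

import org.opencms.file.CmsObject;
import org.opencms.flex.CmsFlexController;
import org.opencms.flex.CmsFlexRequest;
import org.opencms.util.CmsStringUtil;

import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import javax.servlet.ServletRequest;
import javax.servlet.jsp.tagext.TagSupport;

/**
 * This tag is used to enable parameter escaping for a single Flex Request.<p>
 *
 * The tag switches on the parameter escaper of the current {@link CmsFlexRequest} and configures it
 * from the tag attributes: 'allowXml' names parameters registered as escaper exceptions, 'allowHtml'
 * names parameters for which AntiSamy is enabled with the given 'policy', 'replaceInvalid' is the
 * replacement ("dummy") value handed to the escaper, and 'escapeInvalid' names parameters that stay
 * escaped even when 'replaceInvalid' is set. Requests that are not Flex requests are left untouched.<p>
 */
public class CmsJspTagSecureParams extends TagSupport {

    /** Serial version id. */
    private static final long serialVersionUID = -3571347944585254L;

    /** The comma-separated list of parameters for which HTML will be allowed, but be escaped. */
    private String m_allowHtml;

    /** The comma-separated list of parameters for which XML characters will not be escaped. */
    private String m_allowXml;

    /** List of parameters which should be escaped even if replaceInvalid is set. */
    private String m_escapeInvalid;

    /** The policy path. */
    private String m_policy;

    /** The 'bad value'. */
    private String m_replaceInvalid;

    /**
     * Static method which provides the actual functionality of this tag.<p>
     *
     * Does nothing unless {@code request} is a {@link CmsFlexRequest}; for a Flex request, parameter
     * escaping is enabled first and the escaper is then configured from the remaining arguments.<p>
     *
     * @param request the request for which the parameters should be escaped
     *
     * @param allowXml the comma-separated list of parameters for which XML characters will not be escaped
     * @param allowHtml the comma-separated list of parameters for which HTML will be allowed, but be escaped
     * @param policy the site path of an AntiSamy policy file
     * @param replaceInvalid if not null, used as a replacement for parameter values that would otherwise be XML-escaped
     * @param escapeInvalid a comma-separated list of the names of parameters which should still be escaped even if replaceInvalid is set
     */
    public static void secureParamsTagAction(
        ServletRequest request,
        String allowXml,
        String allowHtml,
        String policy,
        String replaceInvalid,
        String escapeInvalid) {

        // Only Flex requests carry a parameter escaper; any other request type is left as it is.
        if (!(request instanceof CmsFlexRequest)) {
            return;
        }
        CmsFlexRequest flexRequest = (CmsFlexRequest)request;
        CmsObject cms = CmsFlexController.getCmsObject(flexRequest);

        // Parameters named in 'allowXml' are registered as exceptions of the escaper.
        List<String> exceptions = Collections.emptyList();
        if (allowXml != null) {
            exceptions = CmsStringUtil.splitAsList(allowXml, ",");
        }

        // Escaping is switched on before the escaper is configured.
        flexRequest.enableParameterEscaping();
        flexRequest.getParameterEscaper().setExceptions(exceptions);
        // A null replaceInvalid is passed through unchanged (no dummy value).
        flexRequest.getParameterEscaper().setDummyValue(replaceInvalid);

        if (escapeInvalid != null) {
            // NOTE(review): only this list is trimmed before splitting; allowXml/allowHtml are not — confirm whether splitAsList trims entries itself.
            List<String> escapeInvalidList = CmsStringUtil.splitAsList(escapeInvalid.trim(), ",");
            flexRequest.getParameterEscaper().setEscapeInvalid(escapeInvalidList);
        }

        // AntiSamy is only enabled when 'allowHtml' is given; the policy is ignored otherwise.
        if (allowHtml != null) {
            Set<String> allowHtmlSet = new HashSet<String>(CmsStringUtil.splitAsList(allowHtml, ","));
            flexRequest.getParameterEscaper().enableAntiSamy(cms, policy, allowHtmlSet);
        }
    }

    /**
     * Applies the tag attributes to the current request and skips the tag body.<p>
     *
     * @see javax.servlet.jsp.tagext.Tag#doStartTag()
     */
    @Override
    public int doStartTag() {

        secureParamsTagAction(
            pageContext.getRequest(),
            m_allowXml,
            m_allowHtml,
            m_policy,
            m_replaceInvalid,
            m_escapeInvalid);
        return SKIP_BODY;
    }

    /**
     * Sets the 'allowHtml' parameter.<p>
     *
     * @param allowHtml the new 'allowHtml' parameter
     */
    public void setAllowHtml(String allowHtml) {

        m_allowHtml = allowHtml;
    }

    /**
     * Sets the 'allowXml' parameter.<p>
     *
     * @param allowXml the new 'allowXml' parameter
     */
    public void setAllowXml(String allowXml) {

        m_allowXml = allowXml;
    }

    /**
     * Sets the parameters which should still be XML escaped, even if replaceInvalid is set.<p>
     *
     * @param escapeInvalid a comma-separated list of parameter names
     */
    public void setEscapeInvalid(String escapeInvalid) {

        m_escapeInvalid = escapeInvalid;
    }

    /**
     * Sets the 'policy' parameter.<p>
     *
     * @param policy the new 'policy' parameter
     */
    public void setPolicy(String policy) {

        m_policy = policy;
    }

    /**
     * Sets the 'bad value', which, if set, is used as a replacement for values that would otherwise be XML-escaped.<p>
     *
     * @param replaceInvalid the bad value
     */
    public void setReplaceInvalid(String replaceInvalid) {

        m_replaceInvalid = replaceInvalid;
    }

}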