Class CmsParameterEscaper

java.lang.Object
org.opencms.util.CmsParameterEscaper

public class CmsParameterEscaper extends Object
This class is responsible for automatically escaping parameters in Flex requests. It keeps track of which parameters to escape (or not escape), and which parameters need to be processed by AntiSamy.

  • Field Details

    • DEFAULT_POLICY

      public static final String DEFAULT_POLICY
      The file name of the default policy.
    • defaultPolicy

      protected static org.owasp.validator.html.Policy defaultPolicy
      The default policy, which is used when no policy path is given.
  • Constructor Details

  • Method Details

    • readPolicy

      public static org.owasp.validator.html.Policy readPolicy(CmsObject cms, String sitePath)
      Helper method for reading an AntiSamy policy file from the VFS.

      Parameters:
      cms - the current CMS context
      sitePath - the site path of the policy file
      Returns:
      the policy object for the given path
    • createAntiSamy

      public org.owasp.validator.html.AntiSamy createAntiSamy(CmsObject cms, String policyPath)
      Creates a new AntiSamy instance for a given policy path.

      Parameters:
      cms - the current CMS context
      policyPath - the policy site path
      Returns:
      the new AntiSamy instance
    • enableAntiSamy

      public void enableAntiSamy(CmsObject cms, String policyPath, Set<String> params)
      Enables the AntiSamy HTML cleaning for some parameters.

      Parameters:
      cms - the current CMS context
      policyPath - the policy site path in the VFS
      params - the parameters for which HTML cleaning should be enabled
    • escape

      public String escape(String name, String value)
      Escapes a single parameter value.

      Parameters:
      name - the name of the parameter
      value - the value of the parameter
      Returns:
      the escaped parameter value
    • escape

      public String[] escape(String name, String[] values)
      Escapes an array of parameter values.

      Parameters:
      name - the parameter name
      values - the parameter values
      Returns:
      the escaped parameter values
    • filterAntiSamy

      public String filterAntiSamy(String name, String html)
      Filters HTML input using the internal AntiSamy instance.

      Parameters:
      name - the parameter name
      html - the HTML to filter
      Returns:
      the filtered HTML
    • setDummyValue

      public void setDummyValue(String dummyValue)
      Sets the dummy value.

      If the dummy value is set, then values which would otherwise be XML-escaped will be replaced with the dummy value instead.

      Parameters:
      dummyValue - the new value
    • setEscapeInvalid

      public void setEscapeInvalid(Collection<String> escapeInvalidList)
      Sets the parameters which should be escaped even if the dummy value is set.

      Parameters:
      escapeInvalidList - the collection of parameters which should be escaped even if the dummy value is set
    • setExceptions

      public void setExceptions(Collection<String> exceptions)
      Sets the set of names of parameters which shouldn't be escaped.

      Parameters:
      exceptions - a set of parameter names
    • escapeSimple

      protected String escapeSimple(String name, String value)
      Default escape function that doesn't do HTML filtering.

      Parameters:
      name - the parameter name
      value - the parameter value
      Returns:
      the escaped value
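The rules above (parameters in the exceptions set pass through untouched, everything else is XML-escaped, a configured dummy value replaces any value that escaping would have changed unless the parameter is on the escape-invalid list) are easiest to reason about when run against a sample request. The following is an added illustrative model written for this page; it is not OpenCms code and does not reproduce the real implementation. The class name `ParameterEscaperModel`, the `escape_request` helper, the choice of five XML entities, and the interpretation that the dummy value applies only when escaping would actually alter the value are all assumptions of this example. The AntiSamy path (`enableAntiSamy` / `filterAntiSamy`) is not modelled.

```python
"""Illustrative model (assumption: not the OpenCms implementation) of the
escaping decisions documented for CmsParameterEscaper."""

from typing import Collection, Dict, List, Optional

# Plain XML entity escaping; str.translate applies all replacements in one
# pass, so '&' is never double-escaped.
_XML_ESCAPES = {
    ord("&"): "&amp;",
    ord("<"): "&lt;",
    ord(">"): "&gt;",
    ord('"'): "&quot;",
    ord("'"): "&apos;",
}


class ParameterEscaperModel:
    """Hypothetical model of the documented escaping rules."""

    def __init__(self) -> None:
        self.exceptions: set = set()       # names never escaped
        self.escape_invalid: set = set()   # names escaped even with a dummy value
        self.dummy_value: Optional[str] = None

    # --- configuration, mirroring the documented setters ---
    def set_exceptions(self, exceptions: Collection[str]) -> None:
        self.exceptions = set(exceptions)

    def set_escape_invalid(self, names: Collection[str]) -> None:
        self.escape_invalid = set(names)

    def set_dummy_value(self, dummy_value: Optional[str]) -> None:
        self.dummy_value = dummy_value

    # --- escaping ---
    def escape_simple(self, name: str, value: str) -> str:
        """Default escape with no HTML filtering: XML-escape the value."""
        return value.translate(_XML_ESCAPES)

    def escape(self, name: str, value: str) -> str:
        """Escape one parameter value according to the documented rules."""
        if name in self.exceptions:
            return value                      # explicitly exempted
        escaped = self.escape_simple(name, value)
        # Assumption: the dummy value replaces only values that escaping
        # would have changed, and never for names on the escape-invalid list.
        if (self.dummy_value is not None
                and escaped != value
                and name not in self.escape_invalid):
            return self.dummy_value
        return escaped

    def escape_values(self, name: str, values: List[str]) -> List[str]:
        """Array form: escape each value under the same parameter name."""
        return [self.escape(name, v) for v in values]


def escape_request(escaper: ParameterEscaperModel,
                   params: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Apply the escaper to a whole parameter map (name -> list of values)."""
    return {name: escaper.escape_values(name, values)
            for name, values in params.items()}


def demo() -> Dict[str, List[str]]:
    """Constructed sample request showing each rule firing."""
    escaper = ParameterEscaperModel()
    escaper.set_exceptions({"rawhtml"})          # trusted, passed through
    escaper.set_escape_invalid({"title"})         # always escaped, never dummied
    escaper.set_dummy_value("INVALID")

    constructed_request = {
        "q": ["plain text", "x<script>y"],
        "title": ["Tom & Jerry"],
        "rawhtml": ["<b>kept</b>"],
    }
    return escape_request(escaper, constructed_request)


if __name__ == "__main__":
    for name, values in demo().items():
        print(name, values)
```

Running `demo()` shows the three outcomes side by side: `q` keeps the harmless value but its angle-bracket value becomes `INVALID`, `title` is XML-escaped to `Tom &amp; Jerry` despite the dummy value because it is on the escape-invalid list, and `rawhtml` is returned unchanged because it is an exception. With no dummy value configured, every non-exempt parameter is simply XML-escaped.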