001/*
002 * This library is part of OpenCms -
003 * the Open Source Content Management System
004 *
005 * Copyright (C) Alkacon Software (http://www.alkacon.com)
006 *
007 * This library is free software; you can redistribute it and/or
008 * modify it under the terms of the GNU Lesser General Public
009 * License as published by the Free Software Foundation; either
010 * version 2.1 of the License, or (at your option) any later version.
011 *
012 * This library is distributed in the hope that it will be useful,
013 * but WITHOUT ANY WARRANTY; without even the implied warranty of
014 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
015 * Lesser General Public License for more details.
016 *
017 * For further information about Alkacon Software, please see the
018 * company website: http://www.alkacon.com
019 *
020 * For further information about OpenCms, please see the
021 * project website: http://www.opencms.org
022 *
023 * You should have received a copy of the GNU Lesser General Public
024 * License along with this library; if not, write to the Free Software
025 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
026 */
027
028package org.opencms.jsp;
029
030import org.opencms.file.CmsObject;
031import org.opencms.flex.CmsFlexController;
032import org.opencms.flex.CmsFlexRequest;
033import org.opencms.util.CmsStringUtil;
034
035import java.util.Collections;
036import java.util.HashSet;
037import java.util.List;
038import java.util.Set;
039
040import javax.servlet.ServletRequest;
041import javax.servlet.jsp.tagext.TagSupport;
042
043/**
044 * This tag is used to enable parameter escaping for a single Flex Request.<p>
045 */
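/**
 * This tag is used to enable parameter escaping for a single Flex Request.<p>
 *
 * The tag has no body. All of the work is done in
 * {@link #secureParamsTagAction(ServletRequest, String, String, String)}, which can also be
 * called directly from other code.<p>
 */
public class CmsJspTagSecureParams extends TagSupport {

    /** Serial version id. */
    private static final long serialVersionUID = -3571347944585254L;

    /** The policy path. */
    private String m_policy;

    /** The comma-separated list of parameters for which XML characters will not be escaped. */
    private String m_allowXml;

    /** The comma-separated list of parameters for which HTML will be allowed, but be escaped. */
    private String m_allowHtml;

    /**
     * Static method which provides the actual functionality of this tag.<p>
     *
     * Requests that are not a {@link CmsFlexRequest} are left untouched. For a Flex request,
     * parameter escaping is switched on, the <code>allowXml</code> names are registered as
     * escaping exceptions and - only if <code>allowHtml</code> is given - AntiSamy is enabled
     * with the given policy for the <code>allowHtml</code> parameters.<p>
     *
     * @param request the request for which the parameters should be escaped
     * @param allowXml the comma-separated list of parameters for which XML characters will not be escaped, may be <code>null</code>
     * @param allowHtml the comma-separated list of parameters for which HTML will be allowed, but be escaped, may be <code>null</code>
     * @param policy the site path of an AntiSamy policy file, only used when <code>allowHtml</code> is not <code>null</code>
     */
    public static void secureParamsTagAction(ServletRequest request, String allowXml, String allowHtml, String policy) {

        if (!(request instanceof CmsFlexRequest)) {
            // only Flex requests have a parameter escaper, plain servlet requests are ignored
            return;
        }
        CmsFlexRequest flexRequest = (CmsFlexRequest)request;
        CmsObject cms = CmsFlexController.getCmsObject(flexRequest);

        // a missing 'allowXml' attribute means "no exceptions", escaping is still enabled
        List<String> exceptions = Collections.emptyList();
        if (allowXml != null) {
            exceptions = CmsStringUtil.splitAsList(allowXml, ",");
        }
        flexRequest.enableParameterEscaping();
        flexRequest.getParameterEscaper().setExceptions(exceptions);

        // AntiSamy is activated only when an explicit HTML allow list is given,
        // the policy path is not used otherwise
        if (allowHtml != null) {
            Set<String> allowHtmlSet = new HashSet<String>(CmsStringUtil.splitAsList(allowHtml, ","));
            flexRequest.getParameterEscaper().enableAntiSamy(cms, policy, allowHtmlSet);
        }
    }

    /**
     * Enables parameter escaping for the current request using the configured tag attributes.<p>
     *
     * @return always {@link #SKIP_BODY}, since this tag has no body
     *
     * @see javax.servlet.jsp.tagext.Tag#doStartTag()
     */
    @Override
    public int doStartTag() {

        secureParamsTagAction(pageContext.getRequest(), m_allowXml, m_allowHtml, m_policy);
        return SKIP_BODY;
    }

    /**
     * Sets the 'allowHtml' parameter.<p>
     *
     * @param allowHtml the new 'allowHtml' parameter, a comma-separated list of parameter names
     */
    public void setAllowHtml(String allowHtml) {

        m_allowHtml = allowHtml;
    }

    /**
     * Sets the 'allowXml' parameter.<p>
     *
     * @param allowXml the new 'allowXml' parameter, a comma-separated list of parameter names
     */
    public void setAllowXml(String allowXml) {

        m_allowXml = allowXml;
    }

    /**
     * Sets the 'policy' parameter.<p>
     *
     * @param policy the new 'policy' parameter, the site path of an AntiSamy policy file
     */
    public void setPolicy(String policy) {

        m_policy = policy;
    }

}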