001/*
002 * This library is part of OpenCms -
003 * the Open Source Content Management System
004 *
005 * Copyright (C) Alkacon Software (http://www.alkacon.com)
006 *
007 * This library is free software; you can redistribute it and/or
008 * modify it under the terms of the GNU Lesser General Public
009 * License as published by the Free Software Foundation; either
010 * version 2.1 of the License, or (at your option) any later version.
011 *
012 * This library is distributed in the hope that it will be useful,
013 * but WITHOUT ANY WARRANTY; without even the implied warranty of
014 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
015 * Lesser General Public License for more details.
016 *
017 * For further information about Alkacon Software, please see the
018 * company website: http://www.alkacon.com
019 *
020 * For further information about OpenCms, please see the
021 * project website: http://www.opencms.org
022 *
023 * You should have received a copy of the GNU Lesser General Public
024 * License along with this library; if not, write to the Free Software
025 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
026 */
027
028package org.opencms.jsp;
029
030import org.opencms.file.CmsObject;
031import org.opencms.flex.CmsFlexController;
032import org.opencms.flex.CmsFlexRequest;
033import org.opencms.util.CmsStringUtil;
034
035import java.util.Collections;
036import java.util.HashSet;
037import java.util.List;
038import java.util.Set;
039
040import javax.servlet.ServletRequest;
041import javax.servlet.jsp.tagext.TagSupport;
042
043/**
044 * This tag is used to enable parameter escaping for a single Flex Request.<p>
045 */
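public class CmsJspTagSecureParams extends TagSupport {

    /** Serial version id. */
    private static final long serialVersionUID = -3571347944585254L;

    /**
     * The comma-separated list of parameters for which HTML will be allowed, but be escaped.<p>
     *
     * These parameters are routed through AntiSamy (see {@link #secureParamsTagAction}) instead of
     * the plain XML escaper, so the effective protection is only as strict as the policy file used.
     */
    private String m_allowHtml;

    /**
     * The comma-separated list of parameters for which XML characters will not be escaped.<p>
     *
     * Security note: values of these parameters reach the page unmodified. Any template that
     * outputs such a parameter must escape it itself, otherwise it is a direct XSS vector.
     */
    private String m_allowXml;

    /** List of parameters which should be escaped even if replaceInvalid is set. */
    private String m_escapeInvalid;

    /** The policy path (site path of the AntiSamy policy file used for the 'allowHtml' parameters). */
    private String m_policy;

    /** The 'bad value': if set, replaces parameter values that would otherwise be XML-escaped. */
    private String m_replaceInvalid;

    /**
     * Static method which provides the actual functionality of this tag.<p>
     *
     * Escaping is only enabled when the request is a {@link CmsFlexRequest}; for any other request
     * type this method silently does nothing, i.e. no protection is applied. Escaping is switched on
     * at the moment this method runs, so parameters read before that point are presumably still
     * unescaped - confirm against the escaper implementation if that matters for the page.<p>
     *
     * @param request the request for which the parameters should be escaped
     *
     * @param allowXml the comma-separated list of parameters for which XML characters will not be escaped
     *      (these values are passed through unmodified and must be escaped by the page itself)
     * @param allowHtml the comma-separated list of parameters for which HTML will be allowed, but be escaped
     *      through AntiSamy; AntiSamy is only enabled when this argument is not null
     * @param policy the site path of an AntiSamy policy file (behavior for a null policy is decided by the
     *      escaper's enableAntiSamy - confirm there what default, if any, is used)
     * @param replaceInvalid if not null, replaces parameter values that would otherwise be XML-escaped;
     *      a null value is passed on unconditionally and resets the escaper's replacement value
     * @param escapeInvalid a comma-separated list of the names of parameters which should still be escaped even if replaceInvalid is set
     */
    public static void secureParamsTagAction(
        ServletRequest request,
        String allowXml,
        String allowHtml,
        String policy,
        String replaceInvalid,
        String escapeInvalid) {

        // Only Flex requests carry a parameter escaper; anything else is left untouched (no escaping!).
        if (request instanceof CmsFlexRequest) {
            CmsFlexRequest flexRequest = (CmsFlexRequest)request;
            CmsObject cms = CmsFlexController.getCmsObject(flexRequest);

            // Parameter names that are exempted from escaping entirely.
            // Note: list entries are not trimmed, so "a, b" yields the entry " b" - keep the attribute free of spaces.
            List<String> exceptions = Collections.emptyList();
            if (allowXml != null) {
                exceptions = CmsStringUtil.splitAsList(allowXml, ",");
            }
            flexRequest.enableParameterEscaping();
            flexRequest.getParameterEscaper().setExceptions(exceptions);
            // Set unconditionally: a null replaceInvalid clears any previously configured replacement value.
            flexRequest.getParameterEscaper().setDummyValue(replaceInvalid);
            if (escapeInvalid != null) {
                // Only the surrounding whitespace of the whole attribute is trimmed, not the single entries.
                List<String> escapeInvalidList = CmsStringUtil.splitAsList(escapeInvalid.trim(), ",");
                flexRequest.getParameterEscaper().setEscapeInvalid(escapeInvalidList);
            }
            // AntiSamy is only switched on when at least one HTML-allowed parameter is configured;
            // the set is scoped to this branch because it is not used anywhere else.
            if (allowHtml != null) {
                Set<String> allowHtmlSet = new HashSet<String>(CmsStringUtil.splitAsList(allowHtml, ","));
                flexRequest.getParameterEscaper().enableAntiSamy(cms, policy, allowHtmlSet);
            }
        }
    }

    /**
     * Enables parameter escaping for the current page request using the configured tag attributes.<p>
     *
     * @see javax.servlet.jsp.tagext.Tag#doStartTag()
     *
     * @return always {@link #SKIP_BODY}, this tag has no body
     */
    @Override
    public int doStartTag() {

        secureParamsTagAction(
            pageContext.getRequest(),
            m_allowXml,
            m_allowHtml,
            m_policy,
            m_replaceInvalid,
            m_escapeInvalid);
        return SKIP_BODY;
    }

    /**
     * Sets the 'allowHtml' parameter.<p>
     *
     * @param allowHtml the new 'allowHtml' parameter (comma-separated parameter names to be filtered by AntiSamy)
     */
    public void setAllowHtml(String allowHtml) {

        m_allowHtml = allowHtml;
    }

    /**
     * Sets the 'allowXml' parameter.<p>
     *
     * Parameters listed here are not escaped at all; the page is responsible for escaping them on output.<p>
     *
     * @param allowXml the new 'allowXml' parameter (comma-separated parameter names)
     */
    public void setAllowXml(String allowXml) {

        m_allowXml = allowXml;
    }

    /**
     * Sets the parameters which should still be XML escaped, even if replaceInvalid is set.
     *
     * @param escapeInvalid a comma-separated list of parameter names
     */
    public void setEscapeInvalid(String escapeInvalid) {

        m_escapeInvalid = escapeInvalid;
    }

    /**
     * Sets the 'policy' parameter.<p>
     *
     * @param policy the new 'policy' parameter (site path of the AntiSamy policy file)
     */
    public void setPolicy(String policy) {

        m_policy = policy;
    }

    /**
     * Sets the 'bad value', which, if set, is used as a replacement for values that would otherwise be XML-escaped.
     *
     * @param replaceInvalid the bad value
     */
    public void setReplaceInvalid(String replaceInvalid) {

        m_replaceInvalid = replaceInvalid;
    }

}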