Java tutorial
/* * Licensed to the Apache Software Foundation (ASF) under one or more * contributor license agreements. See the NOTICE file distributed with this * work for additional information regarding copyright ownership. The ASF * licenses this file to You under the Apache License, Version 2.0 (the * "License"); you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the * License for the specific language governing permissions and limitations under * the License. */ package org.apache.sling.testing.clients.util; import org.apache.commons.lang3.StringEscapeUtils; import org.apache.sling.xss.XSSAPI; import org.apache.sling.xss.impl.XSSAPIImpl; import java.io.UnsupportedEncodingException; import java.net.URLEncoder; /** * Basic class for XSS Testing * The reliability of these methods are not critical */ public class XSSUtils { /** * Use to ensure that HTTP query strings are in proper form, by escaping * special characters such as spaces. * * @param urlString the string to be encoded * @return the encoded string */ public static String encodeUrl(String urlString) { try { return URLEncoder.encode(urlString, "UTF-8"); } catch (UnsupportedEncodingException ex) { throw new RuntimeException("UTF-8 not supported", ex); } } /** * Use to encapsulate old-style escaping of HTML (using StringEscapeUtils). * NB: newer code uses XSSAPI (based on OWASP's ESAPI). * * @param htmlString the string to be escaped * @return the escaped string */ public static String escapeHtml(String htmlString) { return StringEscapeUtils.escapeHtml4(htmlString); } /** * Use to encapsulate old-style escaping of XML (with JSTL encoding rules). * NB: newer code uses XSSAPI (based on OWASP's ESAPI). * * @param xmlString the string to be escaped * @return the escaped string */ public static String escapeXml(String xmlString) { String xssString = xmlString; if (xmlString != null) { xssString = xssString.replace(";", ";"); xssString = xssString.replace(" ", " "); xssString = xssString.replace("'", "'"); xssString = xssString.replace("\"", """); xssString = xssString.replace(">", ">"); xssString = xssString.replace("<", "<"); xssString = xssString.replace("/", "/"); xssString = xssString.replace("(", "("); xssString = xssString.replace(")", ")"); xssString = xssString.replace(":", ":"); } return xssString; } /** * Use to encapsulate new-style (XSSAPI-based) encoding for HTML element content. * * @param source the string to be encoded * @return the encoded string */ public static String encodeForHTML(String source) { XSSAPI xssAPI = new XSSAPIImpl(); return xssAPI.encodeForHTML(source); } /** * Use to encapsulate new-style (XSSAPI-based) encoding for HTML attribute values. * * @param source the string to be encoded * @return the encoded string */ public static String encodeForHTMLAttr(String source) { XSSAPI xssAPI = new XSSAPIImpl(); return xssAPI.encodeForHTMLAttr(source); } /** * Use to encapsulate new-style (XSSAPI-based) encoding for XML element content. * * @param source the string to be encoded * @return the encoded string */ public static String encodeForXML(String source) { XSSAPI xssAPI = new XSSAPIImpl(); return xssAPI.encodeForXML(source); } /** * Use to encapsulate new-style (XSSAPI-based) encoding for XML attribute values. * * @param source the string to be encoded * @return the encoded string */ public static String encodeForXMLAttr(String source) { XSSAPI xssAPI = new XSSAPIImpl(); return xssAPI.encodeForXMLAttr(source); } /** * Use to encapsulate new-style (XSSAPI-based) encoding for JavaScript strings. * * @param source the string to be encoded * @return the encoded string */ public static String encodeForJSString(String source) { XSSAPI xssAPI = new XSSAPIImpl(); return xssAPI.encodeForJSString(source); } }