org.tinygroup.weblayer.webcontext.parser.impl

Class HTMLInputFilter

java.lang.Object

org.tinygroup.weblayer.webcontext.parser.impl.HTMLInputFilter

public class HTMLInputFilter
extends Object

HTML filtering utility for protecting against XSS (Cross Site Scripting).

This code is licensed under a Creative Commons Attribution-ShareAlike 2.5 License http://creativecommons.org/licenses/by-sa/2.5/

This code is a Java port of the original work in PHP by Cal Hendersen. http://code.iamcal.com/php/lib_filter/

The trickiest part of the translation was handling the differences in regex handling between PHP and Java. These resources were helpful in the process:

• http://java.sun.com/j2se/1.4.2/docs/api/java/util/regex/Pattern.html
• http://us2.php.net/manual/en/reference.pcre.pattern.modifiers.php
• http://www.regular-expressions.info/modifiers.html

A note on naming conventions: instance variables are prefixed with a "v"; global constants are in all caps.

 Sample use:
 String input = ...
 String clean = new HTMLInputFilter().filter( input );
 

If you find bugs or have suggestions on improvement (especially regarding perfomance), please contact me at the email below. The latest version of this source can be found at

• http://josephoconnell.com/java/xss-html-filter/

做了如下修改：

• 效率改进：顺序搜索变为搜索Set。
• 效率改进：预编译正则表达式patterns。
• 效率改进：避免了同步操作。
• 修改了构造函数，配合service进行配置。
• 修正了输入中包含$时出现异常的bug。

Version:

1.0

Author:

Joseph O'Connell , Michael Zhou

Field Summary

Fields

Modifier and Type	Field and Description
protected static boolean	ALWAYS_MAKE_TAGS flag determining whether to try to make tags when presented with "unbalanced" angle brackets (e.g.
protected static org.slf4j.Logger	log
protected static int	REGEX_FLAGS_SI regex flag union representing /si modifiers in php *
protected static boolean	STRIP_COMMENTS flag determing whether comments are allowed in input String.
protected Map	vAllowed set of allowed html elements, along with allowed attributes for each element *
protected Set	vAllowedEntities entities allowed within html markup *
protected Set	vAllowedProtocols allowed protocols *
protected Set	vDeniedTags set of denied html elements *
protected Set	vNeedClosingTags html elements which must always have separate opening and closing tags (e.g.
protected Set	vProtocolAtts attributes which should be checked for valid protocols *
protected Set	vRemoveBlanks tags which should be removed if they contain no content (e.g.
protected Set	vSelfClosingTags html elements which must always be self-closing (e.g.

Constructor Summary

Constructors

Constructor and Description
HTMLInputFilter()
HTMLInputFilter(Map allowed, String[] deniedTags, String[] selfClosingTags, String[] needClosingTags, String[] allowedProtocols, String[] protocolAtts, String[] removeBlanks, String[] allowedEntities)

Method Summary

Modifier and Type	Method and Description
static String	chr(int decimal)
String	filter(String input) given a user submitted input String, filter out any invalid or restricted html.
String	filter(String input, boolean isHtml)
static String	htmlSpecialChars(String s)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

ALWAYS_MAKE_TAGS

protected static final boolean ALWAYS_MAKE_TAGS

flag determining whether to try to make tags when presented with "unbalanced" angle brackets (e.g. "" becomes " text "). If set to false, unbalanced angle brackets will be html escaped.

See Also:

Constant Field Values

STRIP_COMMENTS

protected static final boolean STRIP_COMMENTS

flag determing whether comments are allowed in input String.

See Also:

Constant Field Values

REGEX_FLAGS_SI

protected static final int REGEX_FLAGS_SI

regex flag union representing /si modifiers in php *

See Also:

Constant Field Values

log

protected static final org.slf4j.Logger log

vAllowed

protected final Map vAllowed

set of allowed html elements, along with allowed attributes for each element *

vDeniedTags

protected final Set vDeniedTags

set of denied html elements *

vSelfClosingTags

protected final Set vSelfClosingTags

html elements which must always be self-closing (e.g. "") *

vNeedClosingTags

protected final Set vNeedClosingTags

html elements which must always have separate opening and closing tags (e.g. "") *

vProtocolAtts

protected final Set vProtocolAtts

attributes which should be checked for valid protocols *

vAllowedProtocols

protected final Set vAllowedProtocols

allowed protocols *

vRemoveBlanks

protected final Set vRemoveBlanks

tags which should be removed if they contain no content (e.g. "" or "") *

vAllowedEntities

protected final Set vAllowedEntities

entities allowed within html markup *

Constructor Detail

HTMLInputFilter

public HTMLInputFilter()

HTMLInputFilter

public HTMLInputFilter(Map allowed,
                       String[] deniedTags,
                       String[] selfClosingTags,
                       String[] needClosingTags,
                       String[] allowedProtocols,
                       String[] protocolAtts,
                       String[] removeBlanks,
                       String[] allowedEntities)

Method Detail

chr

public static String chr(int decimal)

htmlSpecialChars

public static String htmlSpecialChars(String s)

filter

public String filter(String input)

given a user submitted input String, filter out any invalid or restricted html.

Parameters:

input - text (i.e. submitted by a user) than may contain html

Returns:

"clean" version of input, with only valid, whitelisted html elements allowed

filter

public String filter(String input,
                     boolean isHtml)