| /* |
| * Licensed to the Apache Software Foundation (ASF) under one or more |
| * contributor license agreements. See the NOTICE file distributed with |
| * this work for additional information regarding copyright ownership. |
| * The ASF licenses this file to You under the Apache License, Version 2.0 |
| * (the "License"); you may not use this file except in compliance with |
| * the License. You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| package org.apache.sling.scripting.jsp.taglib; |
| |
| import java.io.IOException; |
| |
| import javax.servlet.jsp.JspException; |
| import javax.servlet.jsp.tagext.BodyTagSupport; |
| |
| import org.apache.commons.lang3.StringUtils; |
| import org.apache.sling.scripting.jsp.taglib.internal.XSSSupport; |
| import org.apache.sling.scripting.jsp.taglib.internal.XSSSupport.EncodingMode; |
| import org.slf4j.Logger; |
| import org.slf4j.LoggerFactory; |
| |
| /** |
| * Tag for writing properly XSS encoded text to the response using the OWASP |
| * ESAPI for supporting a number of encoding modes. |
| */ |
| public class EncodeTag extends BodyTagSupport { |
| |
| private static final long serialVersionUID = 5673936481350419997L; |
| |
| private static final Logger log = LoggerFactory.getLogger(EncodeTag.class); |
| private String value; |
| private String defaultValue; |
| private EncodingMode mode; |
| private boolean readBody = false; |
| |
| /* |
| * (non-Javadoc) |
| * |
| * @see javax.servlet.jsp.tagext.TagSupport#doEndTag() |
| */ |
| @Override |
| public int doEndTag() throws JspException { |
| log.trace("doEndTag"); |
| |
| if (readBody && bodyContent != null && bodyContent.getString() != null) { |
| String encoded = XSSSupport.encode(bodyContent.getString(), mode); |
| write(encoded); |
| } |
| return EVAL_PAGE; |
| } |
| |
| /* |
| * (non-Javadoc) |
| * |
| * @see javax.servlet.jsp.tagext.BodyTagSupport#doStartTag() |
| */ |
| @Override |
| public int doStartTag() throws JspException { |
| int res = SKIP_BODY; |
| String unencoded = value; |
| if (StringUtils.isBlank(unencoded)) { |
| unencoded = defaultValue; |
| } |
| |
| if (unencoded != null) { |
| String encoded = XSSSupport.encode(unencoded, mode); |
| write(encoded); |
| } else { |
| readBody = true; |
| res = EVAL_BODY_BUFFERED; |
| } |
| return res; |
| } |
| |
| /** |
| * @return the default value |
| */ |
| public String getDefault() { |
| return defaultValue; |
| } |
| |
| /** |
| * @return the mode |
| */ |
| public String getMode() { |
| return mode.toString(); |
| } |
| |
| /** |
| * @return the value |
| */ |
| public String getValue() { |
| return value; |
| } |
| |
| /** |
| * @param defaultValue the default value to set |
| */ |
| public void setDefault(String defaultValue) { |
| this.defaultValue = defaultValue; |
| } |
| |
| /** |
| * @param mode the mode to set |
| */ |
| public void setMode(String mode) { |
| this.mode = XSSSupport.getEncodingMode(mode); |
| } |
| |
| /** |
| * @param value the value to set |
| */ |
| public void setValue(String value) { |
| this.value = value; |
| } |
| |
| /** |
| * Writes the encoded text to the response. |
| * |
| * @param encoded the encoded text to write to the page |
| * @throws JspException |
| */ |
| private void write(String encoded) throws JspException { |
| if (encoded != null && !encoded.isEmpty()) { |
| try { |
| pageContext.getOut().write(encoded); |
| } catch (IOException e) { |
| log.error("Exception writing escaped content to page", e); |
| throw new JspException("Exception writing escaped content to page", e); |
| } |
| } |
| } |
| } |