| /******************************************************************************* |
| * Licensed to the Apache Software Foundation (ASF) under one or |
| * more contributor license agreements. See the NOTICE file |
| * distributed with this work for additional information regarding |
| * copyright ownership. The ASF licenses this file to you under the |
| * Apache License, Version 2.0 (the "License"); you may not use |
| * this file except in compliance with the License. You may obtain |
| * a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 Unless required by |
| * applicable law or agreed to in writing, software distributed |
| * under the License is distributed on an "AS IS" BASIS, WITHOUT |
| * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions |
| * and limitations under the License. |
| ******************************************************************************/ |
| package org.apache.sling.xss; |
| |
| import org.osgi.annotation.versioning.ProviderType; |
| |
/**
 * Context-aware protection of output against cross-site scripting (XSS).
 * <p>
 * Every operation is evaluated against a {@link ProtectionContext} describing
 * where the output will be emitted; the variants without a context argument
 * fall back to {@link #DEFAULT_CONTEXT}. Pick the context that matches the
 * actual output location, since a value that is safe in one context is not
 * necessarily safe in another.
 */
@ProviderType
public interface XSSFilter {

    /**
     * Context used by the methods that take no explicit {@link ProtectionContext}:
     * {@link ProtectionContext#HTML_HTML_CONTENT}.
     */
    ProtectionContext DEFAULT_CONTEXT = ProtectionContext.HTML_HTML_CONTENT;

    /**
     * Tests whether {@code src} is free of XSS policy violations in the given context.
     * This is a pure check; use {@link #filter(ProtectionContext, String)} to obtain a
     * sanitized value instead.
     *
     * @param context the output context the check is performed for
     * @param src the string to check
     * @return {@code true} when no violation was found, {@code false} otherwise
     * @throws NullPointerException if {@code context} is {@code null}
     */
    boolean check(ProtectionContext context, String src);

    /**
     * Returns a version of {@code src} that is free of XSS policy violations for the
     * given context.
     *
     * @param context the output context to sanitize for
     * @param src the string to sanitize
     * @return a string without XSS policy violations for {@code context}
     * @throws NullPointerException if {@code context} is {@code null}
     */
    String filter(ProtectionContext context, String src);

    /**
     * Returns a version of {@code src} that is free of XSS policy violations for the
     * {@link #DEFAULT_CONTEXT}.
     *
     * @param src the string to sanitize
     * @return a string without XSS policy violations for the default context
     */
    String filter(String src);

    /**
     * Tests whether {@code url} may be used as the value of the {@code href} attribute
     * of an {@code a} element. The {@link #DEFAULT_CONTEXT} is used for the check.
     *
     * @param url the URL to validate
     * @return {@code true} when the URL is free of violations, {@code false} otherwise
     */
    boolean isValidHref(String url);

}