1 /** 2 * This file Copyright (c) 2012-2013 Magnolia International 3 * Ltd. (http://www.magnolia-cms.com). All rights reserved. 4 * 5 * 6 * This file is dual-licensed under both the Magnolia 7 * Network Agreement and the GNU General Public License. 8 * You may elect to use one or the other of these licenses. 9 * 10 * This file is distributed in the hope that it will be 11 * useful, but AS-IS and WITHOUT ANY WARRANTY; without even the 12 * implied warranty of MERCHANTABILITY or FITNESS FOR A 13 * PARTICULAR PURPOSE, TITLE, or NONINFRINGEMENT. 14 * Redistribution, except as permitted by whichever of the GPL 15 * or MNA you select, is prohibited. 16 * 17 * 1. For the GPL license (GPL), you can redistribute and/or 18 * modify this file under the terms of the GNU General 19 * Public License, Version 3, as published by the Free Software 20 * Foundation. You should have received a copy of the GNU 21 * General Public License, Version 3 along with this program; 22 * if not, write to the Free Software Foundation, Inc., 51 23 * Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 24 * 25 * 2. For the Magnolia Network Agreement (MNA), this file 26 * and the accompanying materials are made available under the 27 * terms of the MNA which accompanies this distribution, and 28 * is available at http://www.magnolia-cms.com/mna.html 29 * 30 * Any modifications to this file must keep this entire header 31 * intact. 32 * 33 */ 34 package info.magnolia.util; 35 36 /** 37 * <p>Utilities to escaping characters for preventing XSS attack.</p> 38 * <p>This class escapes only & (&), "("), <(<), >(>) characters, but doesn't escape others characters.</p> 39 * <p>Use when StringEscapeUtils cannot be used because of escaping more or less character entities.</p> 40 */ 41 public final class EscapeUtil { 42 43 private EscapeUtil() { 44 } 45 46 public static String escapeXss(String str) { 47 return escape(unescapeXss(str)); 48 } 49 50 public static String unescapeXss(String str) { 51 return str == null ? null : str.replace("&", "&").replace(""", "\"").replace("<", "<").replace(">", ">"); 52 } 53 54 public static String[] escapeXss(String[] str) { 55 if (str == null) { 56 return null; 57 } 58 String[] retValue = new String[str.length]; 59 for(int i = 0; i < retValue.length; i++) { 60 retValue[i] = escapeXss(str[i]); 61 } 62 return retValue; 63 } 64 65 public static String[] unescapeXss(String[] str) { 66 if (str == null) { 67 return null; 68 } 69 String[] retValue = new String[str.length]; 70 for(int i = 0; i < retValue.length; i++) { 71 retValue[i] = unescapeXss(str[i]); 72 } 73 return retValue; 74 } 75 76 private static String escape(String str) { 77 return str == null ? null : str.replace("&", "&").replace("\"", """).replace("<", "<").replace(">", ">"); 78 } 79 }