1 /** 2 * This file Copyright (c) 2012-2016 Magnolia International 3 * Ltd. (http://www.magnolia-cms.com). All rights reserved. 4 * 5 * 6 * This file is dual-licensed under both the Magnolia 7 * Network Agreement and the GNU General Public License. 8 * You may elect to use one or the other of these licenses. 9 * 10 * This file is distributed in the hope that it will be 11 * useful, but AS-IS and WITHOUT ANY WARRANTY; without even the 12 * implied warranty of MERCHANTABILITY or FITNESS FOR A 13 * PARTICULAR PURPOSE, TITLE, or NONINFRINGEMENT. 14 * Redistribution, except as permitted by whichever of the GPL 15 * or MNA you select, is prohibited. 16 * 17 * 1. For the GPL license (GPL), you can redistribute and/or 18 * modify this file under the terms of the GNU General 19 * Public License, Version 3, as published by the Free Software 20 * Foundation. You should have received a copy of the GNU 21 * General Public License, Version 3 along with this program; 22 * if not, write to the Free Software Foundation, Inc., 51 23 * Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 24 * 25 * 2. For the Magnolia Network Agreement (MNA), this file 26 * and the accompanying materials are made available under the 27 * terms of the MNA which accompanies this distribution, and 28 * is available at http://www.magnolia-cms.com/mna.html 29 * 30 * Any modifications to this file must keep this entire header 31 * intact. 32 * 33 */ 34 package info.magnolia.util; 35 36 import org.apache.commons.lang3.StringUtils; 37 38 /** 39 * <p> 40 * Utilities to escaping characters for preventing XSS attack. 41 * </p> 42 * <p> 43 * This class escapes only & (&), "("), <(<), >(>) and '(') characters. Others characters are left untouched. See rule #1 at <a href="https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#XSS_Prevention_Rules">XSS_Prevention_Rules</a>. 44 * </p> 45 * <p> 46 * Use when StringEscapeUtils cannot be used because of escaping more or less character entities. 47 * </p> 48 */ 49 public final class EscapeUtil { 50 51 private EscapeUtil() { 52 } 53 54 public static String escapeXss(String str) { 55 return escape(unescapeXss(str)); 56 } 57 58 public static String unescapeXss(String str) { 59 return str == null ? null : str.replace("&", "&").replace(""", "\"").replace("<", "<").replace(">", ">").replace("'", "'"); 60 } 61 62 public static String[] escapeXss(String[] str) { 63 if (str == null) { 64 return null; 65 } 66 String[] retValue = new String[str.length]; 67 for (int i = 0; i < retValue.length; i++) { 68 retValue[i] = escapeXss(str[i]); 69 } 70 return retValue; 71 } 72 73 public static String[] unescapeXss(String[] str) { 74 if (str == null) { 75 return null; 76 } 77 String[] retValue = new String[str.length]; 78 for (int i = 0; i < retValue.length; i++) { 79 retValue[i] = unescapeXss(str[i]); 80 } 81 return retValue; 82 } 83 84 private static String escape(String raw) { 85 if (raw == null) { 86 return null; 87 } 88 StringBuilder ret = new StringBuilder(raw.length()); 89 for (int i = 0; i < raw.length(); i++) { 90 char ch = raw.charAt(i); 91 switch (ch) { 92 93 case '<': 94 ret.append("<"); 95 break; 96 case '>': 97 ret.append(">"); 98 break; 99 case '&': 100 ret.append("&"); 101 break; 102 // XML defines the ', but HTML 4 does not. 103 // To ensure backwards compatibility use ' instead 104 // as recommended by the XHTML specification, see 105 // http://www.w3.org/TR/2002/REC-xhtml1-20020801/#C_16 106 case '\'': 107 ret.append("'"); 108 break; 109 case '"': 110 ret.append("""); 111 break; 112 default: 113 ret.append(ch); 114 } 115 } 116 return ret.toString(); 117 } 118 119 /** 120 * <p>Escapes the characters in a <code>String</code> to be suitable to pass as value to an SQL query.</p> 121 * 122 * ['] (single quote) is replaced with [''] (two consecutive single quote characters) 123 * @see <a href="http://wiki.apache.org/jackrabbit/EncodingAndEscaping">EncodingAndEscaping - Jackrabbit Wiki</a> 124 */ 125 public static String escapeSql(String str) { 126 if (str == null) { 127 return null; 128 } 129 return StringUtils.replace(str, "'", "''"); 130 } 131 132 /** 133 * Unescape previously escaped chars. 134 */ 135 public static String unescapeSql(String str) { 136 if (str == null) { 137 return null; 138 } 139 return StringUtils.replace(str, "''", "'"); 140 } 141 }