View Javadoc
1   /**
2    * This file Copyright (c) 2017 Magnolia International
3    * Ltd.  (http://www.magnolia-cms.com). All rights reserved.
4    *
5    *
6    * This file is dual-licensed under both the Magnolia
7    * Network Agreement and the GNU General Public License.
8    * You may elect to use one or the other of these licenses.
9    *
10   * This file is distributed in the hope that it will be
11   * useful, but AS-IS and WITHOUT ANY WARRANTY; without even the
12   * implied warranty of MERCHANTABILITY or FITNESS FOR A
13   * PARTICULAR PURPOSE, TITLE, or NONINFRINGEMENT.
14   * Redistribution, except as permitted by whichever of the GPL
15   * or MNA you select, is prohibited.
16   *
17   * 1. For the GPL license (GPL), you can redistribute and/or
18   * modify this file under the terms of the GNU General
19   * Public License, Version 3, as published by the Free Software
20   * Foundation.  You should have received a copy of the GNU
21   * General Public License, Version 3 along with this program;
22   * if not, write to the Free Software Foundation, Inc., 51
23   * Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
24   *
25   * 2. For the Magnolia Network Agreement (MNA), this file
26   * and the accompanying materials are made available under the
27   * terms of the MNA which accompanies this distribution, and
28   * is available at http://www.magnolia-cms.com/mna.html
29   *
30   * Any modifications to this file must keep this entire header
31   * intact.
32   *
33   */
34  package info.magnolia.cms.core;
35  
36  import info.magnolia.cms.beans.runtime.File;
37  import info.magnolia.util.EscapeUtil;
38  
39  import java.util.Arrays;
40  import java.util.Locale;
41  
42  import javax.inject.Inject;
43  import javax.inject.Provider;
44  import javax.jcr.Node;
45  
46  /**
47   * Wrapper around {@code AggregationState} created in order to escape all output to rendering.
48   * See {@code info.magnolia.rendering.renderer.AbstractRenderer#getAggregationStateSafely}.
49   *
50   * Should you need the raw output, it can still be accessed from a template, with, for instance:
51   * {@code ${state.unwrap().originalURI}}. However, be warned that this may expose your webapp to XSS attacks.
52   *
53   * <b>
54   *     This class belongs to Magnolia's "private" API and it should NOT be extended/overridden, even though it is not marked as final.
55   *     Its API and/or implementation may change without notice. The class may also be removed altogether without notice.
56   * </b>
57   */
58  public class HTMLEscapingAggregationState extends AggregationState {
59  
60      final private Provider<AggregationState> aggregationStateProvider;
61  
62      @Inject
63      protected HTMLEscapingAggregationState(Provider<AggregationState> aggregationStateProvider) {
64          this.aggregationStateProvider = aggregationStateProvider;
65      }
66  
67      /**
68       * <b>WARNING:</b> doing for instance {@code ${state.unwrap()} in a template and then calling any method on the raw
69       * {@link AggregationState} will disable automatic HTML escaping provided by this wrapper thus potentially exposing
70       * your webapp to XSS attacks.
71       *
72       * @return the plain {@link AggregationState} object.
73       */
74      public AggregationState unwrap() {
75          return this.aggregationStateProvider.get();
76      }
77  
78      // escaped getters
79  
80      @Override
81      public String getCurrentURI() {
82          return EscapeUtil.escapeXss(aggregationStateProvider.get().getCurrentURI());
83      }
84  
85      @Override
86      public String getOriginalURI() {
87          return EscapeUtil.escapeXss(aggregationStateProvider.get().getOriginalURI());
88      }
89  
90      @Override
91      public String getOriginalURL() {
92          return EscapeUtil.escapeXss(aggregationStateProvider.get().getOriginalURL());
93      }
94  
95      @Override
96      public String getQueryString() {
97          return EscapeUtil.escapeXss(aggregationStateProvider.get().getQueryString());
98      }
99  
100     @Override
101     public String getCharacterEncoding() {
102         return aggregationStateProvider.get().getCharacterEncoding();
103     }
104 
105     @Override
106     public String getOriginalBrowserURI() {
107         return EscapeUtil.escapeXss(aggregationStateProvider.get().getOriginalBrowserURI());
108     }
109 
110     @Override
111     public String getOriginalBrowserURL() {
112         return EscapeUtil.escapeXss(aggregationStateProvider.get().getOriginalBrowserURL());
113     }
114 
115     @Override
116     public String getExtension() {
117         return aggregationStateProvider.get().getExtension();
118     }
119 
120     @Override
121     public String getHandle() {
122         return aggregationStateProvider.get().getHandle();
123     }
124 
125     @Override
126     public String getRepository() {
127         return aggregationStateProvider.get().getRepository();
128     }
129 
130     @Override
131     public String getSelector() {
132         return EscapeUtil.escapeXss(aggregationStateProvider.get().getSelector());
133     }
134 
135     @Override
136     public String getTemplateName() {
137         return aggregationStateProvider.get().getTemplateName();
138     }
139 
140     @Override
141     protected String stripContextPathIfExists(String uri) {
142         return aggregationStateProvider.get().stripContextPathIfExists(uri);
143     }
144 
145     @Override
146     public String[] getSelectors() {
147         return Arrays.stream(aggregationStateProvider.get().getSelectors())
148                      .map(s -> EscapeUtil.escapeXss(s))
149                      .toArray(String[]::new);
150     }
151 
152     // delegate - setters
153 
154     @Override
155     public void setOriginalURI(String originalURI) {
156         aggregationStateProvider.get().setOriginalURI(originalURI);
157     }
158 
159     @Override
160     public void setOriginalBrowserURI(String originalBrowserURI) {
161         aggregationStateProvider.get().setOriginalBrowserURI(originalBrowserURI);
162     }
163 
164     @Override
165     public void setCurrentURI(String currentURI) {
166         aggregationStateProvider.get().setCurrentURI(currentURI);
167     }
168 
169     @Override
170     public void setQueryString(String queryString) {
171         aggregationStateProvider.get().setQueryString(queryString);
172     }
173 
174     @Override
175     public void setOriginalURL(String originalURL) {
176         aggregationStateProvider.get().setOriginalURL(originalURL);
177     }
178 
179     @Override
180     public void setOriginalBrowserURL(String originalBrowserURL) {
181         aggregationStateProvider.get().setOriginalBrowserURL(originalBrowserURL);
182     }
183 
184     @Override
185     public void setCharacterEncoding(String characterEncoding) {
186         aggregationStateProvider.get().setCharacterEncoding(characterEncoding);
187     }
188 
189     @Override
190     public void setExtension(String extension) {
191         aggregationStateProvider.get().setExtension(extension);
192     }
193 
194     @Override
195     public void setFile(File file) {
196         aggregationStateProvider.get().setFile(file);
197     }
198 
199     @Override
200     public void setHandle(String handle) {
201         aggregationStateProvider.get().setHandle(handle);
202     }
203 
204     @Override
205     public void setMainContentNode(final Node mainContentNode) {
206         aggregationStateProvider.get().setMainContentNode(mainContentNode);
207     }
208 
209     @Override
210     public void setRepository(String repository) {
211         aggregationStateProvider.get().setRepository(repository);
212     }
213 
214     @Override
215     public void setSelector(String selector) {
216         aggregationStateProvider.get().setSelector(selector);
217     }
218 
219     @Override
220     public void setTemplateName(String templateName) {
221         aggregationStateProvider.get().setTemplateName(templateName);
222     }
223 
224     @Override
225     public void setLocale(Locale locale) {
226         aggregationStateProvider.get().setLocale(locale);
227     }
228 
229     @Override
230     public void setPreviewMode(boolean previewMode) {
231         aggregationStateProvider.get().setPreviewMode(previewMode);
232     }
233 
234     @Override
235     public void setChannel(Channel channel) {
236         aggregationStateProvider.get().setChannel(channel);
237     }
238 
239     @Override
240     public void setCurrentContentNode(final Node currentContentNode) {
241         aggregationStateProvider.get().setCurrentContentNode(currentContentNode);
242     }
243 
244     // misc
245 
246     @Override
247     public File getFile() {
248         return aggregationStateProvider.get().getFile();
249     }
250 
251     @Override
252     public Node getMainContentNode() {
253         return aggregationStateProvider.get().getMainContentNode();
254     }
255 
256     public Node getCurrentContentNode() {
257         return aggregationStateProvider.get().getCurrentContentNode();
258     }
259 
260     @Override
261     public Locale getLocale() {
262         return aggregationStateProvider.get().getLocale();
263     }
264 
265     @Override
266     public boolean isPreviewMode() {
267         return aggregationStateProvider.get().isPreviewMode();
268     }
269 
270     @Override
271     public Channel getChannel() {
272         return aggregationStateProvider.get().getChannel();
273     }
274 }