diff --git a/src/java/com/samskivert/servlet/util/HTMLUtil.java b/src/java/com/samskivert/servlet/util/HTMLUtil.java index a018cb0f..6da07eba 100644 --- a/src/java/com/samskivert/servlet/util/HTMLUtil.java +++ b/src/java/com/samskivert/servlet/util/HTMLUtil.java @@ -20,6 +20,7 @@ package com.samskivert.servlet.util; +import java.util.ArrayList; import java.util.regex.Matcher; import java.util.regex.Pattern; @@ -154,6 +155,90 @@ public class HTMLUtil return lbuf.toString().trim(); } + /** + * Restrict all HTML from the specified String. + */ + public static String restrictHTML (String src) + { + return restrictHTML(src, new String[0]); + } + + /** + * Restrict HTML except for the specified tags. + * + * @param allowFormatting enables <i>, <b>, <u>, + * <font>, <br>, <p>, and + * <hr>. + * @param allowImages enabled <img ...>. + * @param allowLinks enabled <a href ...>. + */ + public static String restrictHTML (String src, boolean allowFormatting, + boolean allowImages, boolean allowLinks) + { + // TODO: these regexes should probably be checked to make + // sure that javascript can't live inside a link + ArrayList allow = new ArrayList(); + if (allowFormatting) { + allow.add(""); allow.add(""); + allow.add(""); allow.add(""); + allow.add(""); allow.add(""); + allow.add("!-]*(\"[^\"<>!-]*\"[^\"<>!-]*)*>"); + allow.add(""); + allow.add("
"); allow.add("
"); + allow.add("

"); allow.add("

"); + allow.add("
"); allow.add(""); + } + if (allowImages) { + // Until I find a way to disallow "---", no - can be in a url + allow.add("!-]*(\"[^\"<>!-]*\"[^\"<>!-]*)*>"); + allow.add(""); + } + if (allowLinks) { + allow.add("!-]*(\"[^\"<>!-]*\"[^\"<>!-]*)*>"); + allow.add(""); + } + return restrictHTML(src, allow.toArray(new String[allow.size()])); + } + + /** + * Restrict HTML from the specified string except for the specified + * regular expressions. + */ + public static String restrictHTML (String src, String[] regexes) + { + if (StringUtil.isBlank(src)) { + return src; + } + + ArrayList list = new ArrayList(); + list.add(src); + for (int ii=0, nn = regexes.length; ii < nn; ii++) { + Pattern p = Pattern.compile(regexes[ii], Pattern.CASE_INSENSITIVE); + for (int jj=0; jj < list.size(); jj += 2) { + String piece = list.get(jj); + Matcher m = p.matcher(piece); + if (m.find()) { + list.set(jj, piece.substring(0, m.start())); + list.add(jj + 1, piece.substring(m.start(), m.end())); + list.add(jj + 2, piece.substring(m.end())); + } + } + } + + // now, the even elements of list contain untrusted text, the + // odd elements contain stuff that matched a regex + StringBuilder buf = new StringBuilder(); + for (int jj=0, nn = list.size(); jj < nn; jj++) { + String s = list.get(jj); + if (jj % 2 == 0) { + s = StringUtil.replace(s, "<", "<"); + s = StringUtil.replace(s, ">", ">"); + } + buf.append(s); + } + return buf.toString(); + } + protected static Pattern _url = - Pattern.compile("http://\\S+", Pattern.MULTILINE); + Pattern.compile("^http://\\S+", Pattern.MULTILINE); } diff --git a/src/java/com/samskivert/util/StringUtil.java b/src/java/com/samskivert/util/StringUtil.java index 66f88962..ecc2c167 100644 --- a/src/java/com/samskivert/util/StringUtil.java +++ b/src/java/com/samskivert/util/StringUtil.java @@ -154,90 +154,6 @@ public class StringUtil }); } - /** - * Restrict all HTML from the specified String. - */ - public static String restrictHTML (String src) - { - return restrictHTML(src, new String[0]); - } - - /** - * Restrict HTML except for the specified tags. - * - * @param allowFormatting enables <i>, <b>, <u>, - * <font>, <br>, <p>, and - * <hr>. - * @param allowImages enabled <img ...>. - * @param allowLinks enabled <a href ...>. - */ - public static String restrictHTML (String src, boolean allowFormatting, - boolean allowImages, boolean allowLinks) - { - // TODO: these regexes should probably be checked to make - // sure that javascript can't live inside a link - ArrayList allow = new ArrayList(); - if (allowFormatting) { - allow.add(""); allow.add(""); - allow.add(""); allow.add(""); - allow.add(""); allow.add(""); - allow.add("!-]*(\"[^\"<>!-]*\"[^\"<>!-]*)*>"); - allow.add(""); - allow.add("
"); allow.add("
"); - allow.add("

"); allow.add("

"); - allow.add("
"); allow.add(""); - } - if (allowImages) { - // Until I find a way to disallow "---", no - can be in a url - allow.add("!-]*(\"[^\"<>!-]*\"[^\"<>!-]*)*>"); - allow.add(""); - } - if (allowLinks) { - allow.add("!-]*(\"[^\"<>!-]*\"[^\"<>!-]*)*>"); - allow.add(""); - } - return restrictHTML(src, allow.toArray(new String[allow.size()])); - } - - /** - * Restrict HTML from the specified string except for the specified - * regular expressions. - */ - public static String restrictHTML (String src, String[] regexes) - { - if (isBlank(src)) { - return src; - } - - ArrayList list = new ArrayList(); - list.add(src); - for (int ii=0, nn = regexes.length; ii < nn; ii++) { - Pattern p = Pattern.compile(regexes[ii], Pattern.CASE_INSENSITIVE); - for (int jj=0; jj < list.size(); jj += 2) { - String piece = list.get(jj); - Matcher m = p.matcher(piece); - if (m.find()) { - list.set(jj, piece.substring(0, m.start())); - list.add(jj + 1, piece.substring(m.start(), m.end())); - list.add(jj + 2, piece.substring(m.end())); - } - } - } - - // now, the even elements of list contain untrusted text, the - // odd elements contain stuff that matched a regex - StringBuilder buf = new StringBuilder(); - for (int jj=0, nn = list.size(); jj < nn; jj++) { - String s = list.get(jj); - if (jj % 2 == 0) { - s = replace(s, "<", "<"); - s = replace(s, ">", ">"); - } - buf.append(s); - } - return buf.toString(); - } - /** * Returns a new string based on source with all * instances of before replaced with after. diff --git a/src/java/com/samskivert/velocity/StringTool.java b/src/java/com/samskivert/velocity/StringTool.java index cc3c1a1c..a970ff2d 100644 --- a/src/java/com/samskivert/velocity/StringTool.java +++ b/src/java/com/samskivert/velocity/StringTool.java @@ -119,7 +119,7 @@ public class StringTool */ public static String restrictHTML (String text) { - return StringUtil.restrictHTML(text); + return HTMLUtil.restrictHTML(text); } /**