Package com.adobe.granite.xss
Interface XSSAPI
-
@Deprecated public interface XSSAPI
Deprecated.UseXSSAPI
instead.A service providing validators and encoders for XSS protection during the composition of HTML pages.
Note: in general, validators are safer than encoders. Encoding only ensures that content within the encoded context cannot break out of said context. It requires that there be a context (for instance, a string context in Javascript), and that damage cannot be done from within the context (for instance, a javascript: URL within a href attribute.
When in doubt, use a validator.
-
-
Method Summary
All Methods Instance Methods Abstract Methods Deprecated Methods Modifier and Type Method Description java.lang.String
encodeForHTML(java.lang.String source)
Deprecated.Encodes a source string for HTML element content.java.lang.String
encodeForHTMLAttr(java.lang.String source)
Deprecated.Encodes a source string for writing to an HTML attribute value.java.lang.String
encodeForJSString(java.lang.String source)
Deprecated.Encodes a source string for writing to JavaScript string content.java.lang.String
encodeForXML(java.lang.String source)
Deprecated.Encodes a source string for XML element content.java.lang.String
encodeForXMLAttr(java.lang.String source)
Deprecated.Encodes a source string for writing to an XML attribute value.java.lang.String
filterHTML(java.lang.String source)
Deprecated.Filters potentially user-contributed HTML to meet the AntiSamy policy rules currently in effect for HTML output (see the XSSFilter service for details).XSSAPI
getRequestSpecificAPI(SlingHttpServletRequest request)
Deprecated.Returns an XSSAPI instance capable of mapping resource URLs.XSSAPI
getResourceResolverSpecificAPI(ResourceResolver resourceResolver)
Deprecated.Returns an XSSAPI instance capable of mapping resource URLs.java.lang.String
getValidCSSColor(java.lang.String color, java.lang.String defaultColor)
Deprecated.Validate a CSS color value.java.lang.String
getValidDimension(java.lang.String dimension, java.lang.String defaultValue)
Deprecated.Validate a string which should contain a dimension, returning a default value if the source is empyt, can't be parsed, or contains XSS risks.java.lang.String
getValidHref(java.lang.String url)
Deprecated.Sanitizes a URL for writing as an HTML href or src attribute value.java.lang.String
getValidHref(java.lang.String url, boolean isPath)
Deprecated.java.lang.Integer
getValidInteger(java.lang.String integer, int defaultValue)
Deprecated.Validate a string which should contain an integer, returning a default value if the source is empty, can't be parsed, or contains XSS risks.java.lang.String
getValidJSToken(java.lang.String token, java.lang.String defaultValue)
Deprecated.Validate a Javascript token.java.lang.Long
getValidLong(java.lang.String source, long defaultValue)
Deprecated.Validate a string which should contain a long, returning a default value if the source is empty, can't be parsed, or contains XSS risks.
-
-
-
Method Detail
-
getValidInteger
java.lang.Integer getValidInteger(java.lang.String integer, int defaultValue)
Deprecated.Validate a string which should contain an integer, returning a default value if the source is empty, can't be parsed, or contains XSS risks.- Parameters:
integer
- the source integerdefaultValue
- a default value if the source can't be used- Returns:
- a sanitized integer
-
getValidLong
java.lang.Long getValidLong(java.lang.String source, long defaultValue)
Deprecated.Validate a string which should contain a long, returning a default value if the source is empty, can't be parsed, or contains XSS risks.- Parameters:
source
- the source longdefaultValue
- a default value if the source can't be used- Returns:
- a sanitized integer
-
getValidDimension
java.lang.String getValidDimension(java.lang.String dimension, java.lang.String defaultValue)
Deprecated.Validate a string which should contain a dimension, returning a default value if the source is empyt, can't be parsed, or contains XSS risks. Allows integer dimensions and the keyword "auto".- Parameters:
dimension
- the source dimensiondefaultValue
- a default value if the source can't be used- Returns:
- a sanitized dimension
-
getValidHref
java.lang.String getValidHref(java.lang.String url)
Deprecated.Sanitizes a URL for writing as an HTML href or src attribute value.- Parameters:
url
- the source URL- Returns:
- a sanitized URL (possibly empty)
-
getValidHref
@Deprecated java.lang.String getValidHref(java.lang.String url, boolean isPath)
Deprecated.
-
getValidJSToken
java.lang.String getValidJSToken(java.lang.String token, java.lang.String defaultValue)
Deprecated.Validate a Javascript token. The value must be either a single identifier, a literal number, or a literal string.- Parameters:
token
- the source tokendefaultValue
- a default value to use if the source doesn't meet validity constraints.- Returns:
- a string containing a single identifier, a literal number, or a literal string token
-
getValidCSSColor
java.lang.String getValidCSSColor(java.lang.String color, java.lang.String defaultColor)
Deprecated.Validate a CSS color value. Color values as specified at http://www.w3.org/TR/css3-color/#colorunits are safe and definitively allowed. Vulnerable constructs will be disallowed. Currently known vulnerable constructs include url(...), expression(...), and anything with a semicolon.- Parameters:
color
- the color value to be used.defaultColor
- a default value to use if the input color value doesn't meet validity constraints.- Returns:
- a string a css color value.
-
encodeForHTML
java.lang.String encodeForHTML(java.lang.String source)
Deprecated.Encodes a source string for HTML element content. DO NOT USE FOR WRITING ATTRIBUTE VALUES!- Parameters:
source
- the source string to encode- Returns:
- an encoded version of the source
-
encodeForHTMLAttr
java.lang.String encodeForHTMLAttr(java.lang.String source)
Deprecated.Encodes a source string for writing to an HTML attribute value. DO NOT USE FOR ACTIONABLE ATTRIBUTES (href, src, event handlers); YOU MUST USE A VALIDATOR FOR THOSE!- Parameters:
source
- the source string to encode- Returns:
- an encoded version of the source
-
encodeForXML
java.lang.String encodeForXML(java.lang.String source)
Deprecated.Encodes a source string for XML element content. DO NOT USE FOR WRITING ATTRIBUTE VALUES!- Parameters:
source
- the source string to encode- Returns:
- an encoded version of the source
-
encodeForXMLAttr
java.lang.String encodeForXMLAttr(java.lang.String source)
Deprecated.Encodes a source string for writing to an XML attribute value.- Parameters:
source
- the source string to encode- Returns:
- an encoded version of the source
-
encodeForJSString
java.lang.String encodeForJSString(java.lang.String source)
Deprecated.Encodes a source string for writing to JavaScript string content. DO NOT USE FOR WRITING TO ARBITRARY JAVASCRIPT; YOU MUST USE A VALIDATOR FOR THAT. (Encoding only ensures that the source material cannot break out of its context.)- Parameters:
source
- the source string to encode- Returns:
- an encoded version of the source
-
filterHTML
java.lang.String filterHTML(java.lang.String source)
Deprecated.Filters potentially user-contributed HTML to meet the AntiSamy policy rules currently in effect for HTML output (see the XSSFilter service for details).- Parameters:
source
- a string containing the source HTML- Returns:
- a string containing the sanitized HTML
-
getRequestSpecificAPI
XSSAPI getRequestSpecificAPI(SlingHttpServletRequest request)
Deprecated.Returns an XSSAPI instance capable of mapping resource URLs. EITHER THIS OR THE RESOURCERESOLVER VERSION MUST BE USED WHEN VALIDATING HREFs!- Parameters:
request
- the request- Returns:
- an XSSAPI service capable of validating hrefs.
-
getResourceResolverSpecificAPI
XSSAPI getResourceResolverSpecificAPI(ResourceResolver resourceResolver)
Deprecated.Returns an XSSAPI instance capable of mapping resource URLs. EITHER THIS OR THE REQUEST VERSION MUST BE USED WHEN VALIDATING HREFs!- Parameters:
resourceResolver
- the resource resolver- Returns:
- an XSSAPI service capable of validating hrefs.
-
-