Interface XSSAPI


  • @Deprecated
    public interface XSSAPI
    Deprecated.
    Use XSSAPI instead.

    A service providing validators and encoders for XSS protection during the composition of HTML pages.

    Note: in general, validators are safer than encoders. Encoding only ensures that content within the encoded context cannot break out of said context. It requires that there be a context (for instance, a string context in JavaScript), and that no damage can be done from within the context (for instance, a javascript: URL within an href attribute).

    When in doubt, use a validator.

    • Method Summary

      Modifier and Type    Method and Description
      java.lang.String     encodeForHTML(java.lang.String source)
                           Deprecated. Encodes a source string for HTML element content.
      java.lang.String     encodeForHTMLAttr(java.lang.String source)
                           Deprecated. Encodes a source string for writing to an HTML attribute value.
      java.lang.String     encodeForJSString(java.lang.String source)
                           Deprecated. Encodes a source string for writing to JavaScript string content.
      java.lang.String     encodeForXML(java.lang.String source)
                           Deprecated. Encodes a source string for XML element content.
      java.lang.String     encodeForXMLAttr(java.lang.String source)
                           Deprecated. Encodes a source string for writing to an XML attribute value.
      java.lang.String     filterHTML(java.lang.String source)
                           Deprecated. Filters potentially user-contributed HTML to meet the AntiSamy policy rules currently in effect for HTML output (see the XSSFilter service for details).
      XSSAPI               getRequestSpecificAPI(SlingHttpServletRequest request)
                           Deprecated. Returns an XSSAPI instance capable of mapping resource URLs.
      XSSAPI               getResourceResolverSpecificAPI(ResourceResolver resourceResolver)
                           Deprecated. Returns an XSSAPI instance capable of mapping resource URLs.
      java.lang.String     getValidCSSColor(java.lang.String color, java.lang.String defaultColor)
                           Deprecated. Validate a CSS color value.
      java.lang.String     getValidDimension(java.lang.String dimension, java.lang.String defaultValue)
                           Deprecated. Validate a string which should contain a dimension, returning a default value if the source is empty, can't be parsed, or contains XSS risks.
      java.lang.String     getValidHref(java.lang.String url)
                           Deprecated. Sanitizes a URL for writing as an HTML href or src attribute value.
      java.lang.String     getValidHref(java.lang.String url, boolean isPath)
                           Deprecated.
      java.lang.Integer    getValidInteger(java.lang.String integer, int defaultValue)
                           Deprecated. Validate a string which should contain an integer, returning a default value if the source is empty, can't be parsed, or contains XSS risks.
      java.lang.String     getValidJSToken(java.lang.String token, java.lang.String defaultValue)
                           Deprecated. Validate a JavaScript token.
      java.lang.Long       getValidLong(java.lang.String source, long defaultValue)
                           Deprecated. Validate a string which should contain a long, returning a default value if the source is empty, can't be parsed, or contains XSS risks.
    • Method Detail

      • getValidInteger

        java.lang.Integer getValidInteger(java.lang.String integer,
                                          int defaultValue)
        Deprecated.
        Validate a string which should contain an integer, returning a default value if the source is empty, can't be parsed, or contains XSS risks.
        Parameters:
        integer - the source integer
        defaultValue - a default value if the source can't be used
        Returns:
        a sanitized integer
      • getValidLong

        java.lang.Long getValidLong(java.lang.String source,
                                    long defaultValue)
        Deprecated.
        Validate a string which should contain a long, returning a default value if the source is empty, can't be parsed, or contains XSS risks.
        Parameters:
        source - the source long
        defaultValue - a default value if the source can't be used
        Returns:
        a sanitized integer
      • getValidDimension

        java.lang.String getValidDimension(java.lang.String dimension,
                                           java.lang.String defaultValue)
        Deprecated.
        Validate a string which should contain a dimension, returning a default value if the source is empty, can't be parsed, or contains XSS risks. Allows integer dimensions and the keyword "auto".
        Parameters:
        dimension - the source dimension
        defaultValue - a default value if the source can't be used
        Returns:
        a sanitized dimension
      • getValidHref

        java.lang.String getValidHref(java.lang.String url)
        Deprecated.
        Sanitizes a URL for writing as an HTML href or src attribute value.
        Parameters:
        url - the source URL
        Returns:
        a sanitized URL (possibly empty)
      • getValidHref

        @Deprecated
        java.lang.String getValidHref(java.lang.String url,
                                      boolean isPath)
        Deprecated.
      • getValidJSToken

        java.lang.String getValidJSToken(java.lang.String token,
                                         java.lang.String defaultValue)
        Deprecated.
        Validate a JavaScript token. The value must be either a single identifier, a literal number, or a literal string.
        Parameters:
        token - the source token
        defaultValue - a default value to use if the source doesn't meet validity constraints.
        Returns:
        a string containing a single identifier, a literal number, or a literal string token
      • getValidCSSColor

        java.lang.String getValidCSSColor(java.lang.String color,
                                          java.lang.String defaultColor)
        Deprecated.
        Validate a CSS color value. Color values as specified at http://www.w3.org/TR/css3-color/#colorunits are safe and definitively allowed. Vulnerable constructs will be disallowed. Currently known vulnerable constructs include url(...), expression(...), and anything with a semicolon.
        Parameters:
        color - the color value to be used.
        defaultColor - a default value to use if the input color value doesn't meet validity constraints.
        Returns:
        a string containing a CSS color value.
      • encodeForHTML

        java.lang.String encodeForHTML(java.lang.String source)
        Deprecated.
        Encodes a source string for HTML element content. DO NOT USE FOR WRITING ATTRIBUTE VALUES!
        Parameters:
        source - the source string to encode
        Returns:
        an encoded version of the source
      • encodeForHTMLAttr

        java.lang.String encodeForHTMLAttr(java.lang.String source)
        Deprecated.
        Encodes a source string for writing to an HTML attribute value. DO NOT USE FOR ACTIONABLE ATTRIBUTES (href, src, event handlers); YOU MUST USE A VALIDATOR FOR THOSE!
        Parameters:
        source - the source string to encode
        Returns:
        an encoded version of the source
      • encodeForXML

        java.lang.String encodeForXML(java.lang.String source)
        Deprecated.
        Encodes a source string for XML element content. DO NOT USE FOR WRITING ATTRIBUTE VALUES!
        Parameters:
        source - the source string to encode
        Returns:
        an encoded version of the source
      • encodeForXMLAttr

        java.lang.String encodeForXMLAttr(java.lang.String source)
        Deprecated.
        Encodes a source string for writing to an XML attribute value.
        Parameters:
        source - the source string to encode
        Returns:
        an encoded version of the source
      • encodeForJSString

        java.lang.String encodeForJSString(java.lang.String source)
        Deprecated.
        Encodes a source string for writing to JavaScript string content. DO NOT USE FOR WRITING TO ARBITRARY JAVASCRIPT; YOU MUST USE A VALIDATOR FOR THAT. (Encoding only ensures that the source material cannot break out of its context.)
        Parameters:
        source - the source string to encode
        Returns:
        an encoded version of the source
      • filterHTML

        java.lang.String filterHTML(java.lang.String source)
        Deprecated.
        Filters potentially user-contributed HTML to meet the AntiSamy policy rules currently in effect for HTML output (see the XSSFilter service for details).
        Parameters:
        source - a string containing the source HTML
        Returns:
        a string containing the sanitized HTML
      • getRequestSpecificAPI

        XSSAPI getRequestSpecificAPI(SlingHttpServletRequest request)
        Deprecated.
        Returns an XSSAPI instance capable of mapping resource URLs. EITHER THIS OR THE RESOURCERESOLVER VERSION MUST BE USED WHEN VALIDATING HREFs!
        Parameters:
        request - the request
        Returns:
        an XSSAPI service capable of validating hrefs.
      • getResourceResolverSpecificAPI

        XSSAPI getResourceResolverSpecificAPI(ResourceResolver resourceResolver)
        Deprecated.
        Returns an XSSAPI instance capable of mapping resource URLs. EITHER THIS OR THE REQUEST VERSION MUST BE USED WHEN VALIDATING HREFs!
        Parameters:
        resourceResolver - the resource resolver
        Returns:
        an XSSAPI service capable of validating hrefs.
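        The following is an added example, not part of this Javadoc or of the product's own code. It shows how the note on validators versus encoders and the requirement that a request-specific instance be used when validating hrefs fit together in one rendering component: each output context is handled by the method documented for it. The package of the XSSAPI import and the class LinkCardRenderer are assumptions; only the method names and their documented behaviour come from this page.

```java
import org.apache.sling.api.SlingHttpServletRequest;
import com.adobe.granite.xss.XSSAPI; // package name is an assumption; the page shows only the simple name

/**
 * Renders a user-contributed "link card" with the XSSAPI methods documented above:
 * validators for actionable attributes (href, src) and structured values (dimension,
 * color); encoders only where the value is plain text in a non-actionable context.
 */
public final class LinkCardRenderer {

    private final XSSAPI xss;

    /** The request-specific instance must be used when validating hrefs (getRequestSpecificAPI). */
    public LinkCardRenderer(XSSAPI xssService, SlingHttpServletRequest request) {
        this.xss = xssService.getRequestSpecificAPI(request);
    }

    public String render(String title, String href, String imageSrc, String imageWidth, String color) {
        // href and src are actionable: encodeForHTMLAttr would leave a javascript: URL intact,
        // because such a value never breaks out of the attribute context, so these are validated.
        // getValidHref returns a possibly empty string when it rejects the URL.
        String safeHref = xss.getValidHref(href);
        String safeSrc = xss.getValidHref(imageSrc);

        // Plain text in element content and in a non-actionable attribute: encoders suffice,
        // and each context gets its own encoder (encodeForHTML is not for attribute values).
        String titleText = xss.encodeForHTML(title);
        String titleAttr = xss.encodeForHTMLAttr(title);

        // Structured values: validators that fall back to a known-good default.
        String width = xss.getValidDimension(imageWidth, "auto"); // integer or the keyword "auto"
        String cssColor = xss.getValidCSSColor(color, "#000");     // rejects url(...), expression(...), ';'

        StringBuilder html = new StringBuilder("<div class=\"card\" style=\"color:")
                .append(cssColor).append("\">");
        if (!safeSrc.isEmpty()) {
            html.append("<img src=\"").append(safeSrc).append("\" width=\"").append(width)
                .append("\" alt=\"").append(titleAttr).append("\">");
        }
        if (safeHref.isEmpty()) {
            // A rejected URL degrades to unlinked text instead of an empty href.
            html.append("<span>").append(titleText).append("</span>");
        } else {
            html.append("<a href=\"").append(safeHref).append("\" title=\"").append(titleAttr)
                .append("\">").append(titleText).append("</a>");
        }
        return html.append("</div>").toString();
    }
}
```

        The same component built on getResourceResolverSpecificAPI(resourceResolver) instead of the request-specific instance behaves identically for href validation; the page states that one of the two must be used.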