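/*
 * Copyright (C) 2010 Google Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package com.google.clearsilver.jsilver.functions.escape;

import com.google.clearsilver.jsilver.functions.TextFilter;

import java.io.IOException;

/**
 * This function will be used to sanitize variables introduced into javascript that are not string
 * literals. e.g. <script> var x = <?cs var: x ?> </script>
 *
 * Currently it only accepts boolean and numeric literals. All other values are replaced with a
 * 'null'. This behavior may be extended if required at a later time. This replicates the
 * autoescaping behavior of Clearsilver.
 *
 * <p>Accepted forms:
 * <ul>
 *   <li>the boolean literals {@code true} and {@code false} (case-sensitive);</li>
 *   <li>hex literals of the form {@code 0(x|X)[0-9A-Fa-f]+}, i.e. at least one hex digit after
 *       the prefix;</li>
 *   <li>decimal literals drawn from {@code [0-9+-.eE]+} that contain at least one ASCII digit.</li>
 * </ul>
 * Everything else - including the empty string and strings made only of sign, dot or exponent
 * characters such as {@code "e"} - is replaced by {@code null}, so that no identifier or other
 * non-literal token can reach the script context.
 */
public class JsValidateUnquotedLiteral implements TextFilter {

  /** Emitted in place of any value that is not a recognised literal. */
  private static final String NULL_LITERAL = "null";

  /**
   * Writes {@code in} to {@code out} unchanged if it is a boolean or numeric literal, otherwise
   * writes the literal {@code null}.
   *
   * @param in the value to validate; must not be null
   * @param out the destination the validated output is appended to
   * @throws IOException if appending to {@code out} fails
   */
  public void filter(String in, Appendable out) throws IOException {
    if (in.equals("true") || in.equals("false") || isHexLiteral(in) || isDecimalLiteral(in)) {
      out.append(in);
    } else {
      out.append(NULL_LITERAL);
    }
  }

  /** True for {@code 0(x|X)} followed by one or more ASCII hex digits. */
  private static boolean isHexLiteral(String in) {
    if (!(in.startsWith("0x") || in.startsWith("0X"))) {
      return false;
    }
    // A bare "0x" is not a number: at least one hex digit must follow the prefix.
    if (in.length() < 3) {
      return false;
    }
    for (int i = 2; i < in.length(); i++) {
      if (!isAsciiHexDigit(in.charAt(i))) {
        return false;
      }
    }
    return true;
  }

  /**
   * True for strings drawn from {@code [0-9+-.eE]} that contain at least one ASCII digit.
   *
   * <p>The character set is deliberately loose, matching Clearsilver: it still admits malformed
   * forms such as {@code "1e+-2"}, which are syntax errors rather than injections. The digit
   * requirement keeps identifier-like strings such as {@code "e"} or {@code "eE"}, and the empty
   * string, from passing through unchanged.
   */
  private static boolean isDecimalLiteral(String in) {
    boolean sawDigit = false;
    for (int i = 0; i < in.length(); i++) {
      char c = in.charAt(i);
      if (isAsciiDigit(c)) {
        sawDigit = true;
      } else if (c != '+' && c != '-' && c != '.' && c != 'e' && c != 'E') {
        return false;
      }
    }
    return sawDigit;
  }

  /*
   * Explicit ASCII ranges are used below on purpose: Character.isDigit / Character.digit also
   * accept non-ASCII digits, which are not valid in a javascript numeric literal.
   */
  private static boolean isAsciiDigit(char c) {
    return c >= '0' && c <= '9';
  }

  private static boolean isAsciiHexDigit(char c) {
    return isAsciiDigit(c) || (c >= 'a' && c <= 'f') || (c >= 'A' && c <= 'F');
  }

}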