      1 // Copyright (c) 2011, Mike Samuel
      2 // All rights reserved.
      3 //
      4 // Redistribution and use in source and binary forms, with or without
      5 // modification, are permitted provided that the following conditions
      6 // are met:
      7 //
      8 // Redistributions of source code must retain the above copyright
      9 // notice, this list of conditions and the following disclaimer.
     10 // Redistributions in binary form must reproduce the above copyright
     11 // notice, this list of conditions and the following disclaimer in the
     12 // documentation and/or other materials provided with the distribution.
     13 // Neither the name of the OWASP nor the names of its contributors may
     14 // be used to endorse or promote products derived from this software
     15 // without specific prior written permission.
     16 // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
     17 // "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
     18 // LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
     19 // FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
     20 // COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
     21 // INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
     22 // BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
     23 // LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
     24 // CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
     25 // LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
     26 // ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
     27 // POSSIBILITY OF SUCH DAMAGE.
     28 
     29 package org.owasp.html;
     30 
/**
 * An attribute policy for URL-valued attributes that lets a value through
 * only when it carries no scheme at all or carries one of {@code http},
 * {@code https} or {@code mailto}.
 *
 * <p>The scheme check is an allow-list keyed on the index of the first colon,
 * so the check itself allocates nothing for the common case.  Any value whose
 * first colon is not preceded by exactly one of the three allowed names is
 * rejected; this fails closed for every unlisted scheme, and also for a
 * relative reference that has a colon in its first path segment.
 *
 * <p>A value that reaches {@code /}, {@code #} or {@code ?} before any colon
 * is treated as scheme-less.  That includes values beginning with {@code //}
 * (network-path references, which take the scheme of the embedding page):
 * this class passes them on to
 * {@link FilterUrlByProtocolAttributePolicy#normalizeUri} unchanged, so
 * whether they are acceptable has to be settled there or by the caller.
 */
// NOTE(review): @TCB presumably marks this class as part of the sanitizer's
// trusted computing base; the annotation is declared elsewhere.
@TCB
final class StandardUrlAttributePolicy implements AttributePolicy {

  /** The only instance; the class holds no state. */
  static final StandardUrlAttributePolicy INSTANCE
      = new StandardUrlAttributePolicy();

  private StandardUrlAttributePolicy() {
    // Not instantiable from outside: use INSTANCE.
  }

  /**
   * Vets a URL attribute value against the scheme allow-list.
   *
   * @param elementName not consulted by this policy.
   * @param attributeName not consulted by this policy.
   * @param s the attribute value; must not be null, since its length is read
   *     unconditionally.  NOTE(review): assumed to be the already decoded
   *     attribute value -- confirm against the caller.
   * @return the result of
   *     {@link FilterUrlByProtocolAttributePolicy#normalizeUri} for an
   *     accepted value, or {@code null} when the scheme is not on the
   *     allow-list (presumably the signal to drop the attribute; see
   *     {@link AttributePolicy}).
   */
  public String apply(String elementName, String attributeName, String s) {
    final int length = s.length();
    for (int pos = 0; pos < length; ++pos) {
      final char ch = s.charAt(pos);
      if (ch == '/' || ch == '#' || ch == '?') {
        // A path, query or fragment delimiter ahead of any colon: no scheme.
        break;
      }
      if (ch == ':') {
        // Everything before the first colon is the scheme.  Its length picks
        // the single candidate it may equal; any other length is rejected.
        final String allowed = allowedSchemeOfLength(pos);
        if (allowed == null
            || !Strings.regionMatchesIgnoreCase(allowed, 0, s, 0, pos)) {
          return null;
        }
        break;
      }
    }
    return FilterUrlByProtocolAttributePolicy.normalizeUri(s);
  }

  /**
   * Returns the one allowed scheme name that has the given length, or
   * {@code null} when no allowed scheme is that long.
   */
  private static String allowedSchemeOfLength(int length) {
    switch (length) {
      case 4: return "http";
      case 5: return "https";
      case 6: return "mailto";
      default: return null;
    }
  }

}