View Javadoc
1   /*
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements.  See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership.  The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License.  You may obtain a copy of the License at
9    *
10   *   http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing,
13   * software distributed under the License is distributed on an
14   * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15   * KIND, either express or implied.  See the License for the
16   * specific language governing permissions and limitations
17   * under the License.
18   */
19  
20  package org.apache.myfaces.tobago.internal.util;
21  
22  import java.io.IOException;
23  import java.io.Writer;
24  import java.nio.charset.Charset;
25  
26  public final class HtmlWriterHelper extends WriterHelper {
27  
28    private static final char[][] CHARS_TO_ESCAPE;
29  
30    static {
31      // init lookup table
32      CHARS_TO_ESCAPE = new char[0xA0][];
33  
34      // all "normal" character positions contains null
35  
36      // control characters are dropped
37      for (int i = 0; i < 0x20; i++) {
38        CHARS_TO_ESCAPE[i] = EMPTY;
39      }
40      for (int i = 0x7F; i < 0xA0; i++) {
41        CHARS_TO_ESCAPE[i] = EMPTY;
42      }
43  
44      CHARS_TO_ESCAPE['\t'] = "&#x09;".toCharArray(); // Horizontal tabulator
45      CHARS_TO_ESCAPE['\n'] = "&#x0a;".toCharArray(); // Line feed
46      CHARS_TO_ESCAPE['\r'] = "&#x0d;".toCharArray(); // Carriage return
47  
48      // See also https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
49      CHARS_TO_ESCAPE['\''] = "&#x27;".toCharArray();
50      CHARS_TO_ESCAPE['&'] = "&amp;".toCharArray();
51      CHARS_TO_ESCAPE['<'] = "&lt;".toCharArray();
52      CHARS_TO_ESCAPE['>'] = "&gt;".toCharArray();
53      // We are not escaping quot " and slash / here, because we not really need that in our case.
54      // It makes the HTML code better readable and shorter. There are many occurrences of quot, because of JSON.
55      //    CHARS_TO_ESCAPE['\"'] = "&quot;".toCharArray();
56      //    CHARS_TO_ESCAPE['/'] = "&#x2F;".toCharArray();
57  
58    }
59  
60    /**
61     * @deprecated since 4.3.0
62     */
63    @Deprecated
64    public HtmlWriterHelper(final Writer out, final String characterEncoding) {
65      this(out, Charset.forName(characterEncoding));
66    }
67  
68    public HtmlWriterHelper(final Writer out, final Charset charset) {
69      super(out, charset);
70    }
71  
72    @Override
73    protected void writeEncodedValue(final char[] text, final int start,
74        final int length, final boolean isAttribute) throws IOException {
75  
76      int localIndex = -1;
77  
78      final int end = start + length;
79      for (int i = start; i < end; i++) {
80        final char ch = text[i];
81        if (ch >= CHARS_TO_ESCAPE.length || CHARS_TO_ESCAPE[ch] != null) {
82          localIndex = i;
83          break;
84        }
85      }
86      final Writer out = getOut();
87  
88      if (localIndex == -1) {
89        // no need to escape
90        out.write(text, start, length);
91      } else {
92        // write until localIndex and then encode the remainder
93        out.write(text, start, localIndex);
94  
95        final ResponseWriterBuffer buffer = getBuffer();
96  
97        for (int i = localIndex; i < end; i++) {
98          final char ch = text[i];
99  
100         // Tilde or less...
101         if (ch < CHARS_TO_ESCAPE.length) {
102           if (isAttribute && ch == '&' && (i + 1 < end) && text[i + 1] == '{') {
103             // HTML 4.0, section B.7.1: ampersands followed by
104             // an open brace don't get escaped
105             buffer.addToBuffer('&');
106           } else if (CHARS_TO_ESCAPE[ch] != null) {
107             buffer.addToBuffer(CHARS_TO_ESCAPE[ch]);
108           } else {
109             buffer.addToBuffer(ch);
110           }
111         } else if (isUtf8()) {
112           buffer.addToBuffer(ch);
113         } else if (ch <= 0xff) {
114           // ISO-8859-1 entities: encode as needed
115           buffer.flushBuffer();
116 
117           out.write('&');
118           final char[] chars = ISO8859_1_ENTITIES[ch - 0xA0];
119           out.write(chars, 0, chars.length);
120           out.write(';');
121         } else {
122           buffer.flushBuffer();
123 
124           // Double-byte characters to encode.
125           // PENDING: when outputting to an encoding that
126           // supports double-byte characters (UTF-8, for example),
127           // we should not be encoding
128           writeDecRef(ch);
129         }
130       }
131 
132       buffer.flushBuffer();
133     }
134   }
135 }