View Javadoc
1   /*
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements.  See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership.  The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License.  You may obtain a copy of the License at
9    *
10   *   http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing,
13   * software distributed under the License is distributed on an
14   * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15   * KIND, either express or implied.  See the License for the
16   * specific language governing permissions and limitations
17   * under the License.
18   */
19  
20  package org.apache.myfaces.tobago.sanitizer;
21  
22  import org.apache.myfaces.tobago.exception.TobagoConfigurationException;
23  import org.jsoup.Jsoup;
24  import org.jsoup.safety.Whitelist;
25  import org.slf4j.Logger;
26  import org.slf4j.LoggerFactory;
27  
28  import java.lang.invoke.MethodHandles;
29  import java.util.Properties;
30  
31  /**
32   * The JsoupSanitizer uses the jsoup library http://jsoup.org/ to check against malicious code.
33   */
34  public class JsoupSanitizer implements Sanitizer {
35  
36    private static final Logger LOG = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
37  
38    private Whitelist whitelist;
39    private String whitelistName;
40  
41    private boolean unmodifiable = false;
42  
43    @Override
44    public String sanitize(final String html) {
45  
46      final String safe = Jsoup.clean(html, whitelist);
47      if (LOG.isDebugEnabled()) {
48        LOG.debug("Sanitized: " + safe);
49      }
50      return safe;
51    }
52  
53    @Override
54    public void setProperties(final Properties configuration) {
55      checkLocked();
56  
57      unmodifiable = true;
58  
59      for (final String key : configuration.stringPropertyNames()) {
60        if ("whitelist".equals(key)) {
61          whitelistName = configuration.getProperty(key);
62          if ("basic".equals(whitelistName)) {
63            whitelist = Whitelist.basic();
64          } else if ("basicWithImages".equals(whitelistName)) {
65            whitelist = Whitelist.basicWithImages();
66          } else if ("none".equals(whitelistName)) {
67            whitelist = Whitelist.none();
68          } else if ("relaxed".equals(whitelistName)) {
69            whitelist = Whitelist.relaxed();
70          } else if ("simpleText".equals(whitelistName)) {
71            whitelist = Whitelist.simpleText();
72          } else {
73            throw new TobagoConfigurationException(
74                "Unknown configuration value for 'whitelist' in tobago-config.xml found! value='" + whitelistName + "'");
75          }
76        } else {
77          throw new TobagoConfigurationException(
78              "Unknown configuration key in tobago-config.xml found! key='" + key + "'");
79        }
80      }
81  
82      if (LOG.isInfoEnabled()) {
83        LOG.warn("Using whitelist '" + whitelistName + "' for sanitizing!");
84      }
85    }
86  
87    private void checkLocked() throws IllegalStateException {
88      if (unmodifiable) {
89        throw new TobagoConfigurationException("The configuration must not be changed after initialization!");
90      }
91    }
92  
93    @Override
94    public String toString() {
95      return getClass().getSimpleName() + " whitelist='" + whitelistName + "'";
96    }
97  
98  }