psdi.util

Class HTML

java.lang.Object

psdi.util.HTML

public class HTML
extends java.lang.Object

Encapsulates functionality related to HTML including Rich Text. Methods are provided that include removing script elements that can pose a security risk, converting plain text to HTML, and escaping text values so that they may be presented in HTML without posing a XSS risk.

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
static class	HTML.Entity

Field Summary

Fields

Modifier and Type	Field and Description
static java.lang.String	BLOCK_NODE_FOR_ENTER
static java.lang.String	BLOCK_NODE_FOR_ENTER_DEFAULT
static java.lang.String	RICH_TEXT_MARKER Marker indicating that the value already contains rich text.

Method Summary

Methods

Modifier and Type	Method and Description
static java.lang.String	cleanHtml(java.lang.String html, boolean escapeCDATA) Escape values and remove script, object, and embed tags and script from attributes
static java.lang.String	cleanHtml(java.lang.String html, boolean escapeForJavascript, boolean escapeCDATA)
static java.lang.String	cleanHtml(java.lang.String html, boolean escapeForJavascript, boolean escapeForHTML, boolean escapeCDATA)
static java.lang.String	cleanText(java.lang.String text) Plain text, need to add line breaks, and escape characters for javascript
static java.lang.String	cleanText(java.lang.String text, boolean escapeForJavascript)
static java.lang.String	cleanValue(java.lang.String value, boolean escapeForJavascript, boolean escapeCDATA)
static java.lang.String	cleanValue(java.lang.String value, boolean escapeForJavascript, boolean escapeForHTML, boolean escapeCDATA) If the value is html, removes all Javascript and embedded objects, if it is text, it converts it to html
static java.lang.String	decode(java.lang.String value)
static java.lang.String	encode(java.lang.String value) Encodes the specified value for use in HTML attribute values or text values.
static java.lang.String	encode(java.lang.String value, java.lang.String[] allowedHTMLTags) Encodes the specified value for use in HTML attribute values or text values.
static java.lang.String	encodeTolerant(java.lang.String value) Encodes the specified value for HTML but allows a basic set of fomatting tags.
static boolean	isHtml(java.lang.String value) Determine if the given string is html
static java.lang.String	replaceNewLineWithBR(java.lang.String message)
static java.lang.String	securitySafeWithHTMLEncoding(java.lang.String aText)
static java.lang.String	toPlainText(java.lang.String html)
static java.lang.String	toPlainText(java.lang.String html, boolean encodeForHtml)
static void	unittestIsHtmlForceAlwaysHtml(boolean value) For unit test only, do not use in production code
static void	unittestIsHtmlForceAlwaysText(boolean value) For unit test only, do not use in production code

Methods inherited from class java.lang.Object

equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

BLOCK_NODE_FOR_ENTER_DEFAULT

public static final java.lang.String BLOCK_NODE_FOR_ENTER_DEFAULT

See Also:

Constant Field Values

BLOCK_NODE_FOR_ENTER

public static final java.lang.String BLOCK_NODE_FOR_ENTER

See Also:

Constant Field Values

RICH_TEXT_MARKER

public static final java.lang.String RICH_TEXT_MARKER

Marker indicating that the value already contains rich text. If you change this value, be sure to change the corresponding constant defined in dojo_library.js.

See Also:

Constant Field Values

Method Detail

cleanValue

public static java.lang.String cleanValue(java.lang.String value,
                          boolean escapeForJavascript,
                          boolean escapeCDATA)

cleanValue

public static java.lang.String cleanValue(java.lang.String value,
                          boolean escapeForJavascript,
                          boolean escapeForHTML,
                          boolean escapeCDATA)

If the value is html, removes all Javascript and embedded objects, if it is text, it converts it to html

Parameters:

escapeForJavascript - true to escape special so the string can be used in javascript

escapeForHTML - true to encode special characters as character or entity references so the string can be used in an html attribute

escapeCDATA - true to escape CDATA blocks so that the value can be placed in a CDATA block

encodeTolerant

public static java.lang.String encodeTolerant(java.lang.String value)

Encodes the specified value for HTML but allows a basic set of fomatting tags. Use encode(String) to completely encode all tags.

Parameters:

value - The text to be encoded.

Returns:

The encoded string.

encode

public static java.lang.String encode(java.lang.String value)

Encodes the specified value for use in HTML attribute values or text values.

Parameters:

value - The text to be encoded.

Returns:

The encoded string.

encode

public static java.lang.String encode(java.lang.String value,
                      java.lang.String[] allowedHTMLTags)

Encodes the specified value for use in HTML attribute values or text values.

Parameters:

value - The text to be encoded.

allowedHTMLTags - An array of allowed HTML tags. Note that these tags must have the < and > symbols.

Returns:

The encoded string.

decode

public static java.lang.String decode(java.lang.String value)

isHtml

public static boolean isHtml(java.lang.String value)

Determine if the given string is html

Parameters:

value - the string to evaluate

Returns:

true if the value looks like it is html

toPlainText

public static java.lang.String toPlainText(java.lang.String html,
                           boolean encodeForHtml)

toPlainText

public static java.lang.String toPlainText(java.lang.String html)

cleanText

public static java.lang.String cleanText(java.lang.String text,
                         boolean escapeForJavascript)

cleanText

public static java.lang.String cleanText(java.lang.String text)

Plain text, need to add line breaks, and escape characters for javascript

Parameters:

text - the text to be cleaned up

escapeForJavascript - True if newlines and quotes should be escaped so the resultant string can be used as-is in a javascript string.

Returns:

a cleaned up version of the text

cleanHtml

public static java.lang.String cleanHtml(java.lang.String html,
                         boolean escapeForJavascript,
                         boolean escapeForHTML,
                         boolean escapeCDATA)

cleanHtml

public static java.lang.String cleanHtml(java.lang.String html,
                         boolean escapeForJavascript,
                         boolean escapeCDATA)

cleanHtml

public static java.lang.String cleanHtml(java.lang.String html,
                         boolean escapeCDATA)

Escape values and remove script, object, and embed tags and script from attributes

Parameters:

html - the original html string

Returns:

the cleaned string

unittestIsHtmlForceAlwaysText

public static void unittestIsHtmlForceAlwaysText(boolean value)

For unit test only, do not use in production code

unittestIsHtmlForceAlwaysHtml

public static void unittestIsHtmlForceAlwaysHtml(boolean value)

For unit test only, do not use in production code

replaceNewLineWithBR

public static java.lang.String replaceNewLineWithBR(java.lang.String message)

securitySafeWithHTMLEncoding

public static java.lang.String securitySafeWithHTMLEncoding(java.lang.String aText)