forked from DSpace/DSpace
-
Notifications
You must be signed in to change notification settings - Fork 2
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
bf6e042
commit 103c8ee
Showing
2 changed files
with
53 additions
and
2 deletions.
There are no files selected for viewing
49 changes: 49 additions & 0 deletions
49
dspace-api/src/main/java/org/dspace/util/StringEscapeUtils.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,49 @@ | ||
/** | ||
* The contents of this file are subject to the license and copyright | ||
* detailed in the LICENSE and NOTICE files at the root of the source | ||
* tree and available online at | ||
* | ||
* http://www.dspace.org/license/ | ||
*/ | ||
package org.dspace.util; | ||
|
||
import java.util.Collections; | ||
import java.util.HashMap; | ||
import java.util.Map; | ||
|
||
import org.apache.commons.text.translate.AggregateTranslator; | ||
import org.apache.commons.text.translate.CharSequenceTranslator; | ||
import org.apache.commons.text.translate.EntityArrays; | ||
import org.apache.commons.text.translate.LookupTranslator; | ||
|
||
public class StringEscapeUtils extends org.apache.commons.text.StringEscapeUtils { | ||
public static final CharSequenceTranslator ESCAPE_MAIL; | ||
static { | ||
final Map<CharSequence, CharSequence> escapeMailMap = new HashMap<>(); | ||
escapeMailMap.put("#", "#"); | ||
ESCAPE_MAIL = new AggregateTranslator( | ||
new LookupTranslator(EntityArrays.BASIC_ESCAPE), | ||
new LookupTranslator(EntityArrays.APOS_ESCAPE), | ||
new LookupTranslator(Collections.unmodifiableMap(escapeMailMap)) | ||
); | ||
} | ||
|
||
/** | ||
* Escapes the characters in a {@code String} using custom rules to avoid XSS attacks. | ||
* | ||
* <p>Escapes user-entered text that is sent with mail to avoid possible XSS attacks. | ||
* It escapes double-quote, ampersand, less-than, greater-than, apostrophe, number sign (", &, <, >,',#) </p> | ||
* | ||
* <p>Example:</p> | ||
* <pre> | ||
* input string: <div attr="*x" onblur="alert(1)*"> lá lé lí ló LÚ pingüino & yo # </div>!!" | ||
* output string: <div attr="*x" onblur="alert(1)*"> lá lé lí ló LÚ pingüino & yo # </div>!! | ||
* </pre> | ||
* | ||
* @param input String to escape values in, may be null | ||
* @return String with escaped values, {@code null} if null string input | ||
*/ | ||
public static final String escapeMail(final String input) { | ||
return ESCAPE_MAIL.translate(input); | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters