Package org.hibernate.validator.internal.constraintvalidators.hv

Source Code of org.hibernate.validator.internal.constraintvalidators.hv.SafeHtmlValidator

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
/*
* Hibernate Validator, declare and validate application constraints
*
* License: Apache License, Version 2.0
* See the license.txt file in the root directory or <http://www.apache.org/licenses/LICENSE-2.0>.
*/
package org.hibernate.validator.internal.constraintvalidators.hv;

import java.util.Iterator;
import javax.validation.ConstraintValidator;
import javax.validation.ConstraintValidatorContext;

import org.jsoup.Jsoup;
import org.jsoup.nodes.Document;
import org.jsoup.nodes.Element;
import org.jsoup.parser.Parser;
import org.jsoup.safety.Cleaner;
import org.jsoup.safety.Whitelist;

import org.hibernate.validator.constraints.SafeHtml;

/**
* Validate that the string does not contain malicious code.
*
* It uses <a href="http://www.jsoup.org">JSoup</a> as the underlying parser/sanitizer library.
*
* @author George Gastaldi
* @author Hardy Ferentschik
*/
public class SafeHtmlValidator implements ConstraintValidator<SafeHtml, CharSequence> {
  private Whitelist whitelist;

  @Override
  public void initialize(SafeHtml safeHtmlAnnotation) {
    switch ( safeHtmlAnnotation.whitelistType() ) {
      case BASIC:
        whitelist = Whitelist.basic();
        break;
      case BASIC_WITH_IMAGES:
        whitelist = Whitelist.basicWithImages();
        break;
      case NONE:
        whitelist = Whitelist.none();
        break;
      case RELAXED:
        whitelist = Whitelist.relaxed();
        break;
      case SIMPLE_TEXT:
        whitelist = Whitelist.simpleText();
        break;
    }
    whitelist.addTags( safeHtmlAnnotation.additionalTags() );

    for ( SafeHtml.Tag tag : safeHtmlAnnotation.additionalTagsWithAttributes() ) {
      whitelist.addAttributes( tag.name(), tag.attributes() );
    }
  }

  @Override
  public boolean isValid(CharSequence value, ConstraintValidatorContext context) {
    if ( value == null ) {
      return true;
    }

    return new Cleaner( whitelist ).isValid( getFragmentAsDocument( value ) );
  }

  /**
   * Returns a document whose {@code <body>} element contains the given HTML fragment.
   */
  private Document getFragmentAsDocument(CharSequence value) {
    // using the XML parser ensures that all elements in the input are retained, also if they actually are not allowed at the given
    // location; E.g. a <td> element isn't allowed directly within the <body> element, so it would be used by the default HTML parser.
    // we need to retain it though to apply the given white list properly; See HV-873
    Document fragment = Jsoup.parse( value.toString(), "", Parser.xmlParser() );
    Document document = Document.createShell( "" );

    // add the fragment's nodes to the body of resulting document
    Iterator<Element> nodes = fragment.children().iterator();
    while ( nodes.hasNext() ) {
      document.body().appendChild( nodes.next() );
    }

    return document;
  }
}
TOP

Related Classes of org.hibernate.validator.internal.constraintvalidators.hv.SafeHtmlValidator

  • org.hibernate.validator.test.internal.constraintvalidators.hv.SafeHtmlValidatorTest
  • org.jsoup.nodes.Document
  • org.jsoup.safety.Cleaner
    • TOP
    Copyright © 2018 www.massapi.com. All rights reserved.
    All source code are property of their respective owners. Java is a trademark of Sun Microsystems, Inc and owned by ORACLE Inc. Contact coftware#gmail.com.