[cvs]
expresso/expresso-web/WEB-INF/src/com/jcorporate/expresso/core/security/filters
HtmlFilter.java
JCorporate Ltd
jcorp at jcorp2.servlets.net
Wed Aug 4 16:14:48 PDT 2004
Update of /home/javacorp/.cvs/expresso/expresso/expresso-web/WEB-INF/src/com/jcorporate/expresso/core/security/filters
In directory jcorp2.servlets.net:/tmp/cvs-serv27956/expresso-web/WEB-INF/src/com/jcorporate/expresso/core/security/filters
Modified Files:
HtmlFilter.java
Log Message:
remove double quote as replaced char
Index: HtmlFilter.java
===================================================================
RCS file: /home/javacorp/.cvs/expresso/expresso/expresso-web/WEB-INF/src/com/jcorporate/expresso/core/security/filters/HtmlFilter.java,v
retrieving revision 1.2
retrieving revision 1.3
diff -C2 -d -r1.2 -r1.3
*** HtmlFilter.java 22 Mar 2004 18:55:08 -0000 1.2
--- HtmlFilter.java 4 Aug 2004 23:14:46 -0000 1.3
***************
*** 66,70 ****
/**
! * This class provides a filter implementation of the Filter class for converting to HTML output
*
* @author Larry Hamel
--- 66,71 ----
/**
! * This class provides a filter implementation of the Filter class for stripping
! * out HTML tags in order to protect against XSS exploits
*
* @author Larry Hamel
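Review bot: The new class description on lines 29–30 says the filter strips out HTML tags, but the replacement table in the next hunk maps `<`, `>` and `&` to replacement strings rather than deleting them, which — assuming the `"<"` shown on the replace side is the archive's decoding of `&lt;` and friends — is entity encoding, not stripping. Because this commit also drops `"` from the encoded set, the Javadoc should name the only context where the output is safe: encoded `<>&` protects element text content, while an unencoded `"` can still terminate a quoted attribute value, so callers must not route attribute, URL or script data through this filter. I would replace the two sentences with `* This filter HTML-encodes the characters < > and & so text can be emitted as element content without enabling XSS.` followed by `* It does not encode double quotes, so it must not be used for attribute values, URLs or script contexts.` The Javadoc block continues past the end of this hunk.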
***************
*** 73,91 ****
extends Filter {
! //Special Character List. Each item in this array should have a corresponding
! //string in the replaceList array
! public static final String[] specialStringList = {
! "<", ">", "&", "\"", "\n", "\r\n", "\t", "<br />\n"
};
! public static final String[] replaceList = {
! "<", ">", "&", """, "<br />", "<br />", " ", "<br />"
};
/**
! *
! *
! * @throws IllegalArgumentException
*/
public HtmlFilter()
throws IllegalArgumentException {
super(specialStringList, replaceList);
--- 74,118 ----
extends Filter {
! /**
! * Characters to filter out to eliminate the majority of XSS attacks
! * from http://www.cert.org/tech_tips/malicious_code_mitigation.html#4
! * <p/>
! * Assuming that this filter is only applied to text paragraphs (not
! * server side scripts or other things), we only need to filter
! * characters in content of a paragraph of text: < & >
! * <p/>
! * This basic filter doesn't allow URLs to be displayed, so we don't have
! * to filter unsafe characters in URLs (%)
! * other classes that insert HREF's (HtmlPlusURLFilter) need to worry
! * about the % character, though (not allowing unsafe encodings after it)
! */
! protected static final String[] SPECIAL_STRING_LIST = {
! "<", ">", "&",
! "\n", "\r\n", "\t",
! "<br />\n"
};
!
! // Each item in the above array needs a corresponding string in the replaceList array
! protected static final String[] REPLACE_LIST = {
! "<", ">", "&",
! "<br />", "<br />", " ",
! "<br />"
};
/**
! * No-arg constructor required
*/
public HtmlFilter()
+ throws IllegalArgumentException {
+ super(SPECIAL_STRING_LIST, REPLACE_LIST);
+ }
+
+ /**
+ * Constructor for passing strings and their replacements
+ *
+ * @param specialStringList Strings to replace
+ * @param replaceList The replacement strings
+ */
+ public HtmlFilter(String[] specialStringList, String[] replaceList)
throws IllegalArgumentException {
super(specialStringList, replaceList);