View Javadoc
1   /*
2    * Copyright (c) 2011-2024 PrimeFaces Extensions
3    *
4    *  Permission is hereby granted, free of charge, to any person obtaining a copy
5    *  of this software and associated documentation files (the "Software"), to deal
6    *  in the Software without restriction, including without limitation the rights
7    *  to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
8    *  copies of the Software, and to permit persons to whom the Software is
9    *  furnished to do so, subject to the following conditions:
10   *
11   *  The above copyright notice and this permission notice shall be included in
12   *  all copies or substantial portions of the Software.
13   *
14   *  THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
15   *  IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
16   *  FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
17   *  AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
18   *  LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
19   *  OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
20   *  THE SOFTWARE.
21   */
22  package org.primefaces.extensions.converter;
23  
24  import java.io.Serializable;
25  
26  import javax.faces.component.UIComponent;
27  import javax.faces.context.FacesContext;
28  import javax.faces.convert.Converter;
29  import javax.faces.convert.FacesConverter;
30  
31  import org.primefaces.util.Constants;
32  import org.primefaces.util.LangUtils;
33  
34  /**
35   * {@link Converter} which sanitizes any input using an OWASP Java HTML Sanitizer PolicyFactory. Useful for cleansing input if going to be displayed in
36   * outputText with escape="false".
37   *
38   * @since 10.0.5
39   */
40  @FacesConverter(value = "primefaces.SanitizingConverter")
41  public class SanitizingConverter implements Converter<Object>, Serializable {
42  
43      private static final long serialVersionUID = 20121214L;
44  
45      /**
46       * Default policy blocks all HTML.
47       */
48      private static final org.owasp.html.PolicyFactory DEFAULT_POLICY = new org.owasp.html.HtmlPolicyBuilder().toFactory();
49  
50      /**
51       * Custom policy provided by user.
52       */
53      private org.owasp.html.PolicyFactory policy;
54  
55      /**
56       * If true use the OWASP HTML Decode to remove
57       */
58      private boolean decodeHtml = true;
59  
60      /**
61       * Method to facilitate "mis-using" this class to sanitize data coming over the network
62       *
63       * @param value the value to sanitize
64       * @return sanitized string
65       */
66      public String sanitize(final String value) {
67          if (LangUtils.isBlank(value)) {
68              return value;
69          }
70          String result = getPolicy().sanitize(value);
71          if (isDecodeHtml()) {
72              result = org.owasp.html.Encoding.decodeHtml(result, false);
73          }
74          return result.trim();
75      }
76  
77      @Override
78      public Object getAsObject(final FacesContext fc, final UIComponent uic, final String value) {
79          return value == null ? null : sanitize(value);
80      }
81  
82      @Override
83      public String getAsString(final FacesContext fc, final UIComponent uic, final Object o) {
84          return o == null ? Constants.EMPTY_STRING : sanitize(o.toString());
85      }
86  
87      public org.owasp.html.PolicyFactory getPolicy() {
88          if (policy == null) {
89              policy = DEFAULT_POLICY;
90          }
91          return policy;
92      }
93  
94      public void setPolicy(final org.owasp.html.PolicyFactory policy) {
95          this.policy = policy;
96      }
97  
98      public boolean isDecodeHtml() {
99          return decodeHtml;
100     }
101 
102     public void setDecodeHtml(final boolean decodeHtml) {
103         this.decodeHtml = decodeHtml;
104     }
105 
106 }