- From: Sijtsche Smeman <sijtsche@dev.w3.org>
- Date: Thu, 25 Nov 2004 13:22:36 +0000
- To: www-validator-cvs@w3.org
Update of /sources/public/2002/css-validator/org/w3c/css/util
In directory hutz:/tmp/cvs-serv9875/util
Modified Files:
Util.java
Log Message:
escapeHTML method added to prevent malicious use of the website
Index: Util.java
===================================================================
RCS file: /sources/public/2002/css-validator/org/w3c/css/util/Util.java,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -d -r1.2 -r1.3
--- Util.java 8 Apr 2002 21:19:15 -0000 1.2
+++ Util.java 25 Nov 2004 13:22:33 -0000 1.3
@@ -8,7 +8,7 @@
* Be Careful this version is not the original version.
* I modified some sources. Philippe Le Hegaret
*
- * @(#)Util.java 0.2-2 23/03/1997
+ * @(#)Util.java 0.2-2 23/03/1997
*
* This file is part of the HTTPClient package
* Copyright (C) 1996,1997 Ronald Tschalaer
@@ -42,7 +42,7 @@
/**
* This class holds various utility methods.
*
- * @version $Revision$
+ * @version $Revision$
*/
public final class Util {
@@ -57,10 +57,10 @@
// Methods
public final static NVPair[] resizeArray(NVPair[] src, int new_size) {
- NVPair tmp[] = new NVPair[new_size];
- System.arraycopy(src, 0, tmp, 0,
- (src.length < new_size ? src.length : new_size));
- return (NVPair[]) tmp;
+ NVPair tmp[] = new NVPair[new_size];
+ System.arraycopy(src, 0, tmp, 0,
+ (src.length < new_size ? src.length : new_size));
+ return (NVPair[]) tmp;
}
/**
@@ -74,39 +74,39 @@
* findStr()).
*/
public final static int[] compile_search(byte[] search) {
- int[] cmp = {0, 1, 0, 1, 0, 1};
- int end;
-
- for (int idx=0; idx<search.length; idx++) {
- for (end=idx+1; end<search.length; end++) {
- if (search[idx] == search[end]) break;
- }
- if (end < search.length) {
- if ((end-idx) > cmp[1]) {
- cmp[4] = cmp[2];
- cmp[5] = cmp[3];
- cmp[2] = cmp[0];
- cmp[3] = cmp[1];
- cmp[0] = idx;
- cmp[1] = end - idx;
- }
- else if ((end-idx) > cmp[3]) {
- cmp[4] = cmp[2];
- cmp[5] = cmp[3];
- cmp[2] = idx;
- cmp[3] = end - idx;
- }
- else if ((end-idx) > cmp[3]) {
- cmp[4] = idx;
- cmp[5] = end - idx;
- }
- }
- }
-
- cmp[1] += cmp[0];
- cmp[3] += cmp[2];
- cmp[5] += cmp[4];
- return cmp;
+ int[] cmp = {0, 1, 0, 1, 0, 1};
+ int end;
+
+ for (int idx=0; idx<search.length; idx++) {
+ for (end=idx+1; end<search.length; end++) {
+ if (search[idx] == search[end]) break;
+ }
+ if (end < search.length) {
+ if ((end-idx) > cmp[1]) {
+ cmp[4] = cmp[2];
+ cmp[5] = cmp[3];
+ cmp[2] = cmp[0];
+ cmp[3] = cmp[1];
+ cmp[0] = idx;
+ cmp[1] = end - idx;
+ }
+ else if ((end-idx) > cmp[3]) {
+ cmp[4] = cmp[2];
+ cmp[5] = cmp[3];
+ cmp[2] = idx;
+ cmp[3] = end - idx;
+ }
+ else if ((end-idx) > cmp[3]) {
+ cmp[4] = idx;
+ cmp[5] = end - idx;
+ }
+ }
+ }
+
+ cmp[1] += cmp[0];
+ cmp[3] += cmp[2];
+ cmp[5] += cmp[4];
+ return cmp;
}
/**
@@ -123,77 +123,77 @@
* found, or -1 if not found.
*/
public final static int findStr(byte[] search, int[] cmp, byte[] str,
- int beg, int end) {
- int c1f = cmp[0],
- c1l = cmp[1],
- d1 = c1l - c1f,
- c2f = cmp[2],
- c2l = cmp[3],
- d2 = c2l - c2f,
- c3f = cmp[4],
- c3l = cmp[5],
- d3 = c3l - c3f;
-
- Find:
- while (beg+search.length <= end) {
- if (search[c1l] == str[beg+c1l]) {
- Comp:
- if (search[c1f] == str[beg+c1f]) {
- for (int idx=0; idx<search.length; idx++)
- if (search[idx] != str[beg+idx]) break Comp;
-
- break Find; // we found it
- }
- beg += d1;
- }
- else if (search[c2l] == str[beg+c2l])
- beg += d2;
- else if (search[c3l] == str[beg+c3l])
- beg += d3;
- else
- beg++;
- }
-
- if (beg+search.length > end)
- return -1;
- else
- return beg;
+ int beg, int end) {
+ int c1f = cmp[0],
+ c1l = cmp[1],
+ d1 = c1l - c1f,
+ c2f = cmp[2],
+ c2l = cmp[3],
+ d2 = c2l - c2f,
+ c3f = cmp[4],
+ c3l = cmp[5],
+ d3 = c3l - c3f;
+
+ Find:
+ while (beg+search.length <= end) {
+ if (search[c1l] == str[beg+c1l]) {
+ Comp:
+ if (search[c1f] == str[beg+c1f]) {
+ for (int idx=0; idx<search.length; idx++)
+ if (search[idx] != str[beg+idx]) break Comp;
+
+ break Find; // we found it
+ }
+ beg += d1;
+ }
+ else if (search[c2l] == str[beg+c2l])
+ beg += d2;
+ else if (search[c3l] == str[beg+c3l])
+ beg += d3;
+ else
+ beg++;
+ }
+
+ if (beg+search.length > end)
+ return -1;
+ else
+ return beg;
}
// ADD 09/15/97
public final static boolean isSpace(char c) {
- return c == ' ';
+ return c == ' ';
}
/**
* Print a message on System.err only if the user wants debug trace.
*/
public static final void verbose(String s) {
- if (onDebug) {
- System.err.println( s );
- }
+ if (onDebug) {
+ System.err.println( s );
+ }
}
/**
* Suppressed all white spaces in the beginning of the string
*/
public static final String suppressWhiteSpace(String s) {
- if (s != null) {
- int len = s.length();
- int i = 0;
- while ((i < len) &&
- (isWhiteSpace(s.charAt(i)))) {
- i++;
- }
- if (i == len) {
- return null;
- } else {
- return s.substring(i);
- }
- } else {
- return null;
- }
+ if (s != null) {
+ int len = s.length();
+ int i = 0;
+ while ((i < len) &&
+ (isWhiteSpace(s.charAt(i)))) {
+ i++;
+ }
+ if (i == len) {
+ return null;
+ } else {
+ return s.substring(i);
+ }
+ } else {
+ return null;
+ }
}
/**
@@ -202,15 +202,15 @@
* @param s the string.
*/
public final static String strip(String s) {
- int index = 0;
- char[] olds = s.toCharArray();
- char[] news = new char[olds.length];
- for (int i = 0; i < olds.length; i++) {
- if (!isWhiteSpace(olds[i])) { // inline isWhiteSpace
- news[index++] = olds[i];
- }
- }
- return new String(news, 0, index);
+ int index = 0;
+ char[] olds = s.toCharArray();
+ char[] news = new char[olds.length];
+ for (int i = 0; i < olds.length; i++) {
+ if (!isWhiteSpace(olds[i])) { // inline isWhiteSpace
+ news[index++] = olds[i];
+ }
+ }
+ return new String(news, 0, index);
}
/**
@@ -219,34 +219,138 @@
* @param c the character
*/
public final static boolean isWhiteSpace(char c) {
- return c == ' ' || c == '\n' || c == '\r' || c == '\t';
+ return c == ' ' || c == '\n' || c == '\r' || c == '\t';
}
/**
* Display a float without .0 if necessary
*/
public final static String displayFloat(Float value) {
- int intValue = value.intValue();
- float floatValue = value.floatValue();
- if (((float) intValue) == floatValue) {
- return Integer.toString(intValue, 10);
- } else {
- return value.toString();
- }
+ int intValue = value.intValue();
+ float floatValue = value.floatValue();
+ if (((float) intValue) == floatValue) {
+ return Integer.toString(intValue, 10);
+ } else {
+ return value.toString();
+ }
}
/**
* Display a float without .0 if necessary
*/
public final static String displayFloat(float value) {
- int intValue = (int) value;
- if (((float) intValue) == value) {
- return Integer.toString(intValue, 10);
- } else {
- return Float.toString(value);
- }
+ int intValue = (int) value;
+ if (((float) intValue) == value) {
+ return Integer.toString(intValue, 10);
+ } else {
+ return Float.toString(value);
+ }
+ }
+
+ /**
+ * Replaces characters that may be confused by a HTML
+ * parser with their equivalent character entity references
+ * to prevent inserted code to be executed while displaying
+ * the validation results in HTML format.
+ * <p>
+ * This method will replace HTML characters such as > with their
+ * HTML entity reference (&gt;) so that the html parser will
+ * be sure to interpret them as plain text rather than HTML or script.
+ * <p>
+ *
+ * @param s String to be escaped
+ * @return escaped String
+ * @throws NullPointerException if s is null.
+ *
+ */
+ public static String escapeHTML(String s){
+ int length = s.length();
+ int newLength = length;
+ boolean someCharacterEscaped = false;
+ // first check for characters that might
+ // be dangerous and calculate a length
+ // of the string that has escapes.
+ for (int i=0; i<length; i++){
+ char c = s.charAt(i);
+ int cint = 0xffff & c;
+ if (cint < 32){
+ switch(c){
+ case '\r':
+ case '\n':
+ case '\t':
+ case '\f':{
+ } break;
+ default: {
+ newLength -= 1;
+ someCharacterEscaped = true;
+ }
+ }
+ } else {
+ switch(c){
+ case '\"':{
+ newLength += 5;
+ someCharacterEscaped = true;
+ } break;
+ case '&':
+ case '\'':{
+ newLength += 4;
+ someCharacterEscaped = true;
+ } break;
+ case '<':
+ case '>':{
+ newLength += 3;
+ someCharacterEscaped = true;
+ } break;
+ }
+ }
+ }
+ if (!someCharacterEscaped){
+ // nothing to escape in the string
+ return s;
+ }
+ StringBuffer sb = new StringBuffer(newLength);
+ for (int i=0; i<length; i++){
+ char c = s.charAt(i);
+ int cint = 0xffff & c;
+ if (cint < 32){
+ switch(c){
+ case '\r':
+ case '\n':
+ case '\t':
+ case '\f':{
+ sb.append(c);
+ } break;
+ default: {
+ // Remove this character
+ }
+ }
+ } else {
+ switch(c){
+ case '\"':{
+ sb.append(""");
+ } break;
+ case '\'':{
+ sb.append("'");
+ } break;
+ case '&':{
+ sb.append("&");
+ } break;
+ case '<':{
+ sb.append("<");
+ } break;
+ case '>':{
+ sb.append(">");
+ } break;
+ default: {
+ sb.append(c);
+ }
+ }
+ }
+ }
+ return sb.toString();
}
+
/**
* <code>true</code> if the validator runs in a servlet (security pbs)
*/
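Review bot: The Javadoc for escapeHTML (the new block starting at `public static String escapeHTML(String s){`) does not say in which HTML contexts the output is safe to insert; the five replacements it performs neutralize markup only in element text content and in double- or single-quoted attribute values, not in unquoted attributes, URL-valued attributes (href/src) or inline script/style content, and a caller who reads "prevent inserted code to be executed" may assume it covers those too. I would add a sentence to the Javadoc such as `* Sufficient only for text content and quoted attribute values; not for unquoted attributes, URL attributes or script/style content.` The first pass computing `newLength` and the second pass appending the replacements must also be kept in sync, so a comment above the first `switch(c)` like `// keep the length deltas below in sync with the replacement strings in the second pass` would help the next maintainer. Finally, as rendered here the replacement literals read as bare characters (`sb.append(""");`, `sb.append("&");`), which would neither compile nor escape anything; this is presumably the archive decoding the `&quot;`/`&amp;`-style entity references in the source, but it is worth confirming against the committed file that the literals really are the entity references the `newLength` deltas (+5, +4, +3) imply.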