XSSSanitizerService.java
/*
* Copyright (c) 2002-2025, City of Paris
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright notice
* and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright notice
* and the following disclaimer in the documentation and/or other materials
* provided with the distribution.
*
* 3. Neither the name of 'Mairie de Paris' nor 'Lutece' nor the names of its
* contributors may be used to endorse or promote products derived from
* this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
* License 1.0
*/
package fr.paris.lutece.portal.service.html;
import fr.paris.lutece.portal.service.spring.SpringContextService;
/**
* This class provides management methods for cleaner
*/
public final class XSSSanitizerService
{
/** html Cleaner */
private static IXSSSanitizer _xssSanitizer = SpringContextService.getBean( "XSSSanitizer" );
private static boolean _bInit;
/**
* Constructor. Creates a new XSSSanitizerService object.
*/
private XSSSanitizerService( )
{
}
/**
* Clean HTML code from XSS risks
*
* @param strSource
* The input string to clean
* @return The cleaned string
*/
public static String sanitize( String strSource ) throws XSSSanitizerException
{
init( );
if ( _xssSanitizer != null )
{
// use advanced implementation
return _xssSanitizer.sanitize( strSource );
}
else
{
// use default
return cleanXSS( strSource );
}
}
private static void init( )
{
// init XSSSanitizerService
if ( !_bInit && _xssSanitizer != null )
{
_xssSanitizer.init( );
_bInit = true;
}
}
/**
* default xss clean (escape chars only)
*
* @param value
* @return the cleaned value
*/
private static String cleanXSS( String value )
{
if ( value != null )
{
value = value.replaceAll( "<", "<" ).replaceAll( ">", ">" );
value = value.replaceAll( "\"", """ ).replaceAll( "'", "'" ).replaceAll("`","`");
value = value.replaceAll( "&", "&" );
}
return value;
}
}