View Javadoc
1   /*
2    * Copyright (c) 2002-2025, City of Paris
3    * All rights reserved.
4    *
5    * Redistribution and use in source and binary forms, with or without
6    * modification, are permitted provided that the following conditions
7    * are met:
8    *
9    *  1. Redistributions of source code must retain the above copyright notice
10   *     and the following disclaimer.
11   *
12   *  2. Redistributions in binary form must reproduce the above copyright notice
13   *     and the following disclaimer in the documentation and/or other materials
14   *     provided with the distribution.
15   *
16   *  3. Neither the name of 'Mairie de Paris' nor 'Lutece' nor the names of its
17   *     contributors may be used to endorse or promote products derived from
18   *     this software without specific prior written permission.
19   *
20   * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
21   * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22   * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23   * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE
24   * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
25   * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
26   * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
27   * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
28   * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
29   * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
30   * POSSIBILITY OF SUCH DAMAGE.
31   *
32   * License 1.0
33   */
34  package fr.paris.lutece.portal.service.html;
35  
36  import fr.paris.lutece.portal.service.spring.SpringContextService;
37  
38  /**
39   * This class provides management methods for cleaner
40   */
41  public final class XSSSanitizerService
42  {
43      /** html Cleaner */
44      private static IXSSSanitizer _xssSanitizer = SpringContextService.getBean( "XSSSanitizer" );
45      private static boolean _bInit;
46  
47      /**
48       * Constructor. Creates a new XSSSanitizerService object.
49       */
50      private XSSSanitizerService( )
51      {
52      }
53  
54      /**
55       * Clean HTML code from XSS risks
56       *
57       * @param strSource
58       *            The input string to clean
59       * @return The cleaned string
60       */
61      public static String sanitize( String strSource ) throws XSSSanitizerException
62      {
63          init( );
64  
65          if ( _xssSanitizer != null )
66          {
67              // use advanced implementation
68              return _xssSanitizer.sanitize( strSource );
69          }
70          else
71          {
72              // use default
73              return cleanXSS( strSource );
74          }
75  
76      }
77  
78      private static void init( )
79      {
80          // init XSSSanitizerService
81          if ( !_bInit && _xssSanitizer != null )
82          {
83              _xssSanitizer.init( );
84              _bInit = true;
85          }
86      }
87  
88      /**
89       * default xss clean (escape chars only)
90       * 
91       * @param value
92       * @return the cleaned value
93       */
94      private static String cleanXSS( String value )
95      {
96          if ( value != null )
97          {
98              value = value.replaceAll( "<", "&lt;" ).replaceAll( ">", "&gt;" );
99              value = value.replaceAll( "\"", "&quot;" ).replaceAll( "'", "&#x27;" ).replaceAll("`","&#96;");
100             value = value.replaceAll( "&", "&amp;" );
101         }
102         return value;
103     }
104 }