com.webmethods.rtl.markup.html.parser

Class ScriptSafeHTMLSerializer

java.lang.Object

org.xml.sax.helpers.DefaultHandler

com.webmethods.rtl.markup.xml.parser.XMLSerializer

com.webmethods.rtl.markup.html.parser.HTMLSerializer

com.webmethods.rtl.markup.html.parser.ScriptSafeHTMLSerializer

All Implemented Interfaces:

ContentHandler, DTDHandler, EntityResolver, ErrorHandler, LexicalHandler

public class ScriptSafeHTMLSerializer
extends HTMLSerializer

Serializes SAX events into HTML, stripping JavaScript blocks and event handlers (and other dangerous tags, like APPLET or IFRAME).

Nested Class Summary

Nested classes/interfaces inherited from class com.webmethods.rtl.markup.xml.parser.XMLSerializer

XMLSerializer.PrefixMapping

Field Summary

Fields

Modifier and Type	Field and Description
static Set	DANGEROUS_ATTRS uri attributes
protected AttributesImpl	m_atts
protected Set	m_dangerousAttrs
protected Set	m_safeElements
protected Set	m_skipElements
protected int	m_unsafe
protected Set	m_unsafeElements
static Pattern	RE_HTML_NAME (html 4.01 6.2) ID and NAME tokens must begin with a letter ([A-Za-z]) and may be followed by any number of letters, digits ([0-9]), hyphens ("-"), underscores ("_"), colons (":"), and periods (".").
static Pattern	RE_SAFE_URL_SCHEME
static Pattern	RE_UNSAFE_CSS_CONTENT
static Set	SAFE_ELEMENTS whitelist
static Set	SKIP_ELEMENTS skip tag, process content
static Set	UNSAFE_ELEMENTS blacklist

Fields inherited from class com.webmethods.rtl.markup.html.parser.HTMLSerializer

m_entity, m_script, NOT_EMPTY_ELEMENTS, SCRIPT_ELEMENTS

Fields inherited from class com.webmethods.rtl.markup.xml.parser.XMLSerializer

m_cdata, m_documentLocator, m_emptyElement, m_newPrefixesSize, m_out, m_prefixes, m_prefixesSize

Constructor Summary

Constructors

Constructor and Description
ScriptSafeHTMLSerializer()
ScriptSafeHTMLSerializer(Writer out)

Method Summary

Modifier and Type	Method and Description
void	characters(char[] ch, int start, int length) Receive notification of character data.
void	comment(char[] ch, int start, int length) Report an XML comment anywhere in the document.
void	endCDATA() Report the end of a CDATA section.
void	endElement(String uri, String localName, String qName) Receive notification of the end of an element.
void	endEntity(String name) Report the end of an entity.
static boolean	equalsIgnoreCaseAscii(String s1, String s2)
Set	getSafeElements() Uses safe elements (whitelist) if unsafe elements (blacklist) not set or empty.
Set	getSkipElements() Ignores elements, processes content.
Set	getUnsafeElements() Uses safe elements (whitelist) if unsafe elements (blacklist) not set or empty.
protected void	initConfiguration()
static boolean	isUnsafeElement(String qname, Set unsafeElements, Set safeElements)
static String	processHTML(String html) Processes tag-soup html, stripping JavaScript blocks and event handlers (and other dangerous tags, like APPLET or IFRAME).
void	processingInstruction(String target, String data) Receive notification of a processing instruction.
void	setSafeElements(Set safeElements) Uses safe elements (whitelist) if unsafe elements (blacklist) not set or empty.
void	setSkipElements(Set skipElements) Ignores elements, processes content.
void	setUnsafeElements(Set unsafeElements) Uses safe elements (whitelist) if unsafe elements (blacklist) not set or empty.
void	skippedEntity(String name) Receive notification of a skipped entity.
void	startCDATA() Report the start of a CDATA section.
void	startDocument() Receive notification of the beginning of a document.
void	startElement(String uri, String localName, String qName, Attributes atts) Receive notification of the beginning of an element.
void	startEntity(String name) Report the beginning of some internal and external XML entities.
static boolean	startsWithIgnoreCaseAscii(String s1, String s2)
static String	toLowerCaseAscii(String s)

Methods inherited from class com.webmethods.rtl.markup.html.parser.HTMLSerializer

escapeAttrValue

Methods inherited from class com.webmethods.rtl.markup.xml.parser.XMLSerializer

closeStartElement, endDocument, endDTD, endPrefixMapping, getDocumentLocator, getOut, ignorableWhitespace, lookupPrefix, setDocumentLocator, setOut, startDTD, startPrefixMapping

Methods inherited from class org.xml.sax.helpers.DefaultHandler

error, fatalError, notationDecl, resolveEntity, unparsedEntityDecl, warning

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

m_unsafe

protected int m_unsafe

m_atts

protected AttributesImpl m_atts

m_safeElements

protected Set m_safeElements

m_unsafeElements

protected Set m_unsafeElements

m_skipElements

protected Set m_skipElements

m_dangerousAttrs

protected Set m_dangerousAttrs

SAFE_ELEMENTS

public static Set SAFE_ELEMENTS

whitelist

UNSAFE_ELEMENTS

public static Set UNSAFE_ELEMENTS

blacklist

SKIP_ELEMENTS

public static Set SKIP_ELEMENTS

skip tag, process content

DANGEROUS_ATTRS

public static Set DANGEROUS_ATTRS

uri attributes

RE_HTML_NAME

public static final Pattern RE_HTML_NAME

(html 4.01 6.2) ID and NAME tokens must begin with a letter ([A-Za-z]) and may be followed by any number of letters, digits ([0-9]), hyphens ("-"), underscores ("_"), colons (":"), and periods (".").

RE_SAFE_URL_SCHEME

public static final Pattern RE_SAFE_URL_SCHEME

RE_UNSAFE_CSS_CONTENT

public static final Pattern RE_UNSAFE_CSS_CONTENT

Constructor Detail

ScriptSafeHTMLSerializer

public ScriptSafeHTMLSerializer()

ScriptSafeHTMLSerializer

public ScriptSafeHTMLSerializer(Writer out)

Method Detail

getSafeElements

public Set getSafeElements()

Uses safe elements (whitelist) if unsafe elements (blacklist) not set or empty.

setSafeElements

public void setSafeElements(Set safeElements)

Uses safe elements (whitelist) if unsafe elements (blacklist) not set or empty.

getUnsafeElements

public Set getUnsafeElements()

Uses safe elements (whitelist) if unsafe elements (blacklist) not set or empty.

setUnsafeElements

public void setUnsafeElements(Set unsafeElements)

Uses safe elements (whitelist) if unsafe elements (blacklist) not set or empty.

getSkipElements

public Set getSkipElements()

Ignores elements, processes content.

setSkipElements

public void setSkipElements(Set skipElements)

Ignores elements, processes content.

processHTML

public static String processHTML(String html)
                          throws SAXException,
                                 IOException

Processes tag-soup html, stripping JavaScript blocks and event handlers (and other dangerous tags, like APPLET or IFRAME).
This is a convenience utility method that parses the input html, processes it, and serializes it back to html. You generally can perform this processing more effeciently if you create your own sax pipeline and plug in an instance of this class to serialize it.

Parameters:

html - HTML to process.

Returns:

Processed HTML.

Throws:

SAXException

IOException

startDocument

public void startDocument()
                   throws SAXException

Receive notification of the beginning of a document.

The SAX parser will invoke this method only once, before any other event callbacks (except for setDocumentLocator).

Specified by:

startDocument in interface ContentHandler

Overrides:

startDocument in class HTMLSerializer

Throws:

SAXException - Any SAX exception, possibly wrapping another exception.

See Also:

XMLSerializer.endDocument()

startElement

public void startElement(String uri,
                         String localName,
                         String qName,
                         Attributes atts)
                  throws SAXException

Receive notification of the beginning of an element.

The Parser will invoke this method at the beginning of every element in the XML document; there will be a corresponding endElement event for every startElement event (even when the element is empty). All of the element's content will be reported, in order, before the corresponding endElement event.

This event allows up to three name components for each element:

1. the Namespace URI;
2. the local name; and
3. the qualified (prefixed) name.

Any or all of these may be provided, depending on the values of the http://xml.org/sax/features/namespaces and the http://xml.org/sax/features/namespace-prefixes properties:

• the Namespace URI and local name are required when the namespaces property is true (the default), and are optional when the namespaces property is false (if one is specified, both must be);
• the qualified name is required when the namespace-prefixes property is true, and is optional when the namespace-prefixes property is false (the default).

Note that the attribute list provided will contain only attributes with explicit values (specified or defaulted): #IMPLIED attributes will be omitted. The attribute list will contain attributes used for Namespace declarations (xmlns* attributes) only if the http://xml.org/sax/features/namespace-prefixes property is true (it is false by default, and support for a true value is optional).

Like characters(), attribute values may have characters that need more than one char value.

Specified by:

startElement in interface ContentHandler

Overrides:

startElement in class HTMLSerializer

Parameters:

uri - The Namespace URI, or the empty string if the element has no Namespace URI or if Namespace processing is not being performed.

localName - The local name (without prefix), or the empty string if Namespace processing is not being performed.

qName - The qualified name (with prefix), or the empty string if qualified names are not available.

atts - The attributes attached to the element. If there are no attributes, it shall be an empty Attributes object.

Throws:

SAXException - Any SAX exception, possibly wrapping another exception.

See Also:

endElement(java.lang.String, java.lang.String, java.lang.String), Attributes

endElement

public void endElement(String uri,
                       String localName,
                       String qName)
                throws SAXException

Receive notification of the end of an element.

The SAX parser will invoke this method at the end of every element in the XML document; there will be a corresponding startElement event for every endElement event (even when the element is empty).

For information on the names, see startElement.

Specified by:

endElement in interface ContentHandler

Overrides:

endElement in class HTMLSerializer

Parameters:

uri - The Namespace URI, or the empty string if the element has no Namespace URI or if Namespace processing is not being performed.

localName - The local name (without prefix), or the empty string if Namespace processing is not being performed.

qName - The qualified XML 1.0 name (with prefix), or the empty string if qualified names are not available.

Throws:

SAXException - Any SAX exception, possibly wrapping another exception.

characters

public void characters(char[] ch,
                       int start,
                       int length)
                throws SAXException

Receive notification of character data.

The Parser will call this method to report each chunk of character data. SAX parsers may return all contiguous character data in a single chunk, or they may split it into several chunks; however, all of the characters in any single event must come from the same external entity so that the Locator provides useful information.

The application must not attempt to read from the array outside of the specified range.

Individual characters may consist of more than one Java char value. There are two important cases where this happens, because characters can't be represented in just sixteen bits. In one case, characters are represented in a Surrogate Pair, using two special Unicode values. Such characters are in the so-called "Astral Planes", with a code point above U+FFFF. A second case involves composite characters, such as a base character combining with one or more accent characters.

Your code should not assume that algorithms using char-at-a-time idioms will be working in character units; in some cases they will split characters. This is relevant wherever XML permits arbitrary characters, such as attribute values, processing instruction data, and comments as well as in data reported from this method. It's also generally relevant whenever Java code manipulates internationalized text; the issue isn't unique to XML.

Note that some parsers will report whitespace in element content using the ignorableWhitespace method rather than this one (validating parsers must do so).

Specified by:

characters in interface ContentHandler

Overrides:

characters in class HTMLSerializer

Parameters:

ch - The characters from the XML document.

start - The start position in the array.

length - The number of characters to read from the array.

Throws:

SAXException - Any SAX exception, possibly wrapping another exception.

See Also:

XMLSerializer.ignorableWhitespace(char[], int, int), Locator

processingInstruction

public void processingInstruction(String target,
                                  String data)
                           throws SAXException

Receive notification of a processing instruction.

The Parser will invoke this method once for each processing instruction found: note that processing instructions may occur before or after the main document element.

A SAX parser must never report an XML declaration (XML 1.0, section 2.8) or a text declaration (XML 1.0, section 4.3.1) using this method.

Like characters(), processing instruction data may have characters that need more than one char value.

Specified by:

processingInstruction in interface ContentHandler

Overrides:

processingInstruction in class XMLSerializer

Parameters:

target - The processing instruction target.

data - The processing instruction data, or null if none was supplied. The data does not include any whitespace separating it from the target.

Throws:

SAXException - Any SAX exception, possibly wrapping another exception.

skippedEntity

public void skippedEntity(String name)
                   throws SAXException

Receive notification of a skipped entity. This is not called for entity references within markup constructs such as element start tags or markup declarations. (The XML recommendation requires reporting skipped external entities. SAX also reports internal entity expansion/non-expansion, except within markup constructs.)

The Parser will invoke this method each time the entity is skipped. Non-validating processors may skip entities if they have not seen the declarations (because, for example, the entity was declared in an external DTD subset). All processors may skip external entities, depending on the values of the http://xml.org/sax/features/external-general-entities and the http://xml.org/sax/features/external-parameter-entities properties.

Specified by:

skippedEntity in interface ContentHandler

Overrides:

skippedEntity in class HTMLSerializer

Parameters:

name - The name of the skipped entity. If it is a parameter entity, the name will begin with '%', and if it is the external DTD subset, it will be the string "[dtd]".

Throws:

SAXException - Any SAX exception, possibly wrapping another exception.

startEntity

public void startEntity(String name)
                 throws SAXException

Report the beginning of some internal and external XML entities.

The reporting of parameter entities (including the external DTD subset) is optional, and SAX2 drivers that report LexicalHandler events may not implement it; you can use the http://xml.org/sax/features/lexical-handler/parameter-entities feature to query or control the reporting of parameter entities.

General entities are reported with their regular names, parameter entities have '%' prepended to their names, and the external DTD subset has the pseudo-entity name "[dtd]".

When a SAX2 driver is providing these events, all other events must be properly nested within start/end entity events. There is no additional requirement that events from DeclHandler or DTDHandler be properly ordered.

Note that skipped entities will be reported through the skippedEntity event, which is part of the ContentHandler interface.

Because of the streaming event model that SAX uses, some entity boundaries cannot be reported under any circumstances:

• general entities within attribute values
• parameter entities within declarations

These will be silently expanded, with no indication of where the original entity boundaries were.

Note also that the boundaries of character references (which are not really entities anyway) are not reported.

All start/endEntity events must be properly nested.

Specified by:

startEntity in interface LexicalHandler

Overrides:

startEntity in class HTMLSerializer

Parameters:

name - The name of the entity. If it is a parameter entity, the name will begin with '%', and if it is the external DTD subset, it will be "[dtd]".

Throws:

SAXException - The application may raise an exception.

See Also:

endEntity(java.lang.String), DeclHandler.internalEntityDecl(java.lang.String, java.lang.String), DeclHandler.externalEntityDecl(java.lang.String, java.lang.String, java.lang.String)

endEntity

public void endEntity(String name)
               throws SAXException

Report the end of an entity.

Specified by:

endEntity in interface LexicalHandler

Overrides:

endEntity in class HTMLSerializer

Parameters:

name - The name of the entity that is ending.

Throws:

SAXException - The application may raise an exception.

See Also:

startEntity(java.lang.String)

startCDATA

public void startCDATA()
                throws SAXException

Report the start of a CDATA section.

The contents of the CDATA section will be reported through the regular characters event; this event is intended only to report the boundary.

Specified by:

startCDATA in interface LexicalHandler

Overrides:

startCDATA in class HTMLSerializer

Throws:

SAXException - The application may raise an exception.

See Also:

endCDATA()

endCDATA

public void endCDATA()
              throws SAXException

Report the end of a CDATA section.

Specified by:

endCDATA in interface LexicalHandler

Overrides:

endCDATA in class HTMLSerializer

Throws:

SAXException - The application may raise an exception.

See Also:

startCDATA()

comment

public void comment(char[] ch,
                    int start,
                    int length)
             throws SAXException

Report an XML comment anywhere in the document.

This callback will be used for comments inside or outside the document element, including comments in the external DTD subset (if read). Comments in the DTD must be properly nested inside start/endDTD and start/endEntity events (if used).

Specified by:

comment in interface LexicalHandler

Overrides:

comment in class XMLSerializer

Parameters:

ch - An array holding the characters in the comment.

start - The starting position in the array.

length - The number of characters to use from the array.

Throws:

SAXException - The application may raise an exception.

initConfiguration

protected void initConfiguration()

isUnsafeElement

public static boolean isUnsafeElement(String qname,
                                      Set unsafeElements,
                                      Set safeElements)

Returns:

If unsafeElements not null/empty, true if element name in unsafe set; if safeElements not null/empty, true if element name not in safe set.

startsWithIgnoreCaseAscii

public static boolean startsWithIgnoreCaseAscii(String s1,
                                                String s2)

Returns:

True if s1 starts with s2.

equalsIgnoreCaseAscii

public static boolean equalsIgnoreCaseAscii(String s1,
                                            String s2)

toLowerCaseAscii

public static String toLowerCaseAscii(String s)