Package com.webmethods.rtl.markup.html.parser

Class ScriptSafeHTMLSerializer

java.lang.Object
org.xml.sax.helpers.DefaultHandler
com.webmethods.rtl.markup.xml.parser.XMLSerializer
com.webmethods.rtl.markup.html.parser.HTMLSerializer
com.webmethods.rtl.markup.html.parser.ScriptSafeHTMLSerializer
All Implemented Interfaces:
ContentHandler, DTDHandler, EntityResolver, ErrorHandler, LexicalHandler
public class ScriptSafeHTMLSerializer extends HTMLSerializer
Serializes SAX events into HTML, stripping JavaScript blocks and event handlers (and other dangerous tags, like APPLET or IFRAME).

  • Field Details

    • m_unsafe

      protected int m_unsafe

    • m_atts

      protected AttributesImpl m_atts

    • m_safeElements

      protected Set m_safeElements

    • m_unsafeElements

      protected Set m_unsafeElements

    • m_skipElements

      protected Set m_skipElements

    • m_dangerousAttrs

      protected Set m_dangerousAttrs

    • SAFE_ELEMENTS

      public static Set SAFE_ELEMENTS
      whitelist

    • UNSAFE_ELEMENTS

      public static Set UNSAFE_ELEMENTS
      blacklist

    • SKIP_ELEMENTS

      public static Set SKIP_ELEMENTS
      skip tag, process content

    • DANGEROUS_ATTRS

      public static Set DANGEROUS_ATTRS
      uri attributes

    • RE_HTML_NAME

      public static final Pattern RE_HTML_NAME
      (html 4.01 6.2) ID and NAME tokens must begin with a letter ([A-Za-z]) and may be followed by any number of letters, digits ([0-9]), hyphens ("-"), underscores ("_"), colons (":"), and periods (".").

    • RE_SAFE_URL_SCHEME

      public static final Pattern RE_SAFE_URL_SCHEME

    • RE_UNSAFE_CSS_CONTENT

      public static final Pattern RE_UNSAFE_CSS_CONTENT

  • Constructor Details

    • ScriptSafeHTMLSerializer

      public ScriptSafeHTMLSerializer()

    • ScriptSafeHTMLSerializer

      public ScriptSafeHTMLSerializer(Writer out)

  • Method Details

    • getSafeElements

      public Set getSafeElements()
      Uses safe elements (whitelist) if unsafe elements (blacklist) not set or empty.

    • setSafeElements

      public void setSafeElements(Set safeElements)
      Uses safe elements (whitelist) if unsafe elements (blacklist) not set or empty.

    • getUnsafeElements

      public Set getUnsafeElements()
      Uses safe elements (whitelist) if unsafe elements (blacklist) not set or empty.

    • setUnsafeElements

      public void setUnsafeElements(Set unsafeElements)
      Uses safe elements (whitelist) if unsafe elements (blacklist) not set or empty.

    • getSkipElements

      public Set getSkipElements()
      Ignores elements, processes content.

    • setSkipElements

      public void setSkipElements(Set skipElements)
      Ignores elements, processes content.

    • processHTML

      public static String processHTML(String html) throws SAXException, IOException
      Processes tag-soup html, stripping JavaScript blocks and event handlers (and other dangerous tags, like APPLET or IFRAME).
      This is a convenience utility method that parses the input html, processes it, and serializes it back to html. You generally can perform this processing more effeciently if you create your own sax pipeline and plug in an instance of this class to serialize it.
      Parameters:
      html - HTML to process.
      Returns:
      Processed HTML.
      Throws:
      SAXException
      IOException

    • startDocument

      public void startDocument() throws SAXException
      Receive notification of the beginning of a document.

      The SAX parser will invoke this method only once, before any other event callbacks (except for setDocumentLocator).

      Specified by:
      startDocument in interface ContentHandler
      Overrides:
      startDocument in class HTMLSerializer
      Throws:
      SAXException - Any SAX exception, possibly wrapping another exception.
      See Also:

    • startElement

      public void startElement(String uri, String localName, String qName, Attributes atts) throws SAXException
      Receive notification of the beginning of an element.

      The Parser will invoke this method at the beginning of every element in the XML document; there will be a corresponding endElement event for every startElement event (even when the element is empty). All of the element's content will be reported, in order, before the corresponding endElement event.

      This event allows up to three name components for each element:

      1. the Namespace URI;
      2. the local name; and
      3. the qualified (prefixed) name.

      Any or all of these may be provided, depending on the values of the http://xml.org/sax/features/namespaces and the http://xml.org/sax/features/namespace-prefixes properties:

      • the Namespace URI and local name are required when the namespaces property is true (the default), and are optional when the namespaces property is false (if one is specified, both must be);
      • the qualified name is required when the namespace-prefixes property is true, and is optional when the namespace-prefixes property is false (the default).

      Note that the attribute list provided will contain only attributes with explicit values (specified or defaulted): #IMPLIED attributes will be omitted. The attribute list will contain attributes used for Namespace declarations (xmlns* attributes) only if the http://xml.org/sax/features/namespace-prefixes property is true (it is false by default, and support for a true value is optional).

      Like characters(), attribute values may have characters that need more than one char value.

      Specified by:
      startElement in interface ContentHandler
      Overrides:
      startElement in class HTMLSerializer
      Parameters:
      uri - The Namespace URI, or the empty string if the element has no Namespace URI or if Namespace processing is not being performed.
      localName - The local name (without prefix), or the empty string if Namespace processing is not being performed.
      qName - The qualified name (with prefix), or the empty string if qualified names are not available.
      atts - The attributes attached to the element. If there are no attributes, it shall be an empty Attributes object.
      Throws:
      SAXException - Any SAX exception, possibly wrapping another exception.
      See Also:

    • endElement

      public void endElement(String uri, String localName, String qName) throws SAXException
      Receive notification of the end of an element.

      The SAX parser will invoke this method at the end of every element in the XML document; there will be a corresponding startElement event for every endElement event (even when the element is empty).

      For information on the names, see startElement.

      Specified by:
      endElement in interface ContentHandler
      Overrides:
      endElement in class HTMLSerializer
      Parameters:
      uri - The Namespace URI, or the empty string if the element has no Namespace URI or if Namespace processing is not being performed.
      localName - The local name (without prefix), or the empty string if Namespace processing is not being performed.
      qName - The qualified XML 1.0 name (with prefix), or the empty string if qualified names are not available.
      Throws:
      SAXException - Any SAX exception, possibly wrapping another exception.

    • characters

      public void characters(char[] ch, int start, int length) throws SAXException
      Receive notification of character data.

      The Parser will call this method to report each chunk of character data. SAX parsers may return all contiguous character data in a single chunk, or they may split it into several chunks; however, all of the characters in any single event must come from the same external entity so that the Locator provides useful information.

      The application must not attempt to read from the array outside of the specified range.

      Individual characters may consist of more than one Java char value. There are two important cases where this happens, because characters can't be represented in just sixteen bits. In one case, characters are represented in a Surrogate Pair, using two special Unicode values. Such characters are in the so-called "Astral Planes", with a code point above U+FFFF. A second case involves composite characters, such as a base character combining with one or more accent characters.

      Your code should not assume that algorithms using char-at-a-time idioms will be working in character units; in some cases they will split characters. This is relevant wherever XML permits arbitrary characters, such as attribute values, processing instruction data, and comments as well as in data reported from this method. It's also generally relevant whenever Java code manipulates internationalized text; the issue isn't unique to XML.

      Note that some parsers will report whitespace in element content using the ignorableWhitespace method rather than this one (validating parsers must do so).

      Specified by:
      characters in interface ContentHandler
      Overrides:
      characters in class HTMLSerializer
      Parameters:
      ch - The characters from the XML document.
      start - The start position in the array.
      length - The number of characters to read from the array.
      Throws:
      SAXException - Any SAX exception, possibly wrapping another exception.
      See Also:

    • processingInstruction

      public void processingInstruction(String target, String data) throws SAXException
      Receive notification of a processing instruction.

      The Parser will invoke this method once for each processing instruction found: note that processing instructions may occur before or after the main document element.

      A SAX parser must never report an XML declaration (XML 1.0, section 2.8) or a text declaration (XML 1.0, section 4.3.1) using this method.

      Like characters(), processing instruction data may have characters that need more than one char value.

      Specified by:
      processingInstruction in interface ContentHandler
      Overrides:
      processingInstruction in class XMLSerializer
      Parameters:
      target - The processing instruction target.
      data - The processing instruction data, or null if none was supplied. The data does not include any whitespace separating it from the target.
      Throws:
      SAXException - Any SAX exception, possibly wrapping another exception.

    • skippedEntity

      public void skippedEntity(String name) throws SAXException
      Receive notification of a skipped entity. This is not called for entity references within markup constructs such as element start tags or markup declarations. (The XML recommendation requires reporting skipped external entities. SAX also reports internal entity expansion/non-expansion, except within markup constructs.)

      The Parser will invoke this method each time the entity is skipped. Non-validating processors may skip entities if they have not seen the declarations (because, for example, the entity was declared in an external DTD subset). All processors may skip external entities, depending on the values of the http://xml.org/sax/features/external-general-entities and the http://xml.org/sax/features/external-parameter-entities properties.

      Specified by:
      skippedEntity in interface ContentHandler
      Overrides:
      skippedEntity in class HTMLSerializer
      Parameters:
      name - The name of the skipped entity. If it is a parameter entity, the name will begin with '%', and if it is the external DTD subset, it will be the string "[dtd]".
      Throws:
      SAXException - Any SAX exception, possibly wrapping another exception.

    • startEntity

      public void startEntity(String name) throws SAXException
      Report the beginning of some internal and external XML entities.

      The reporting of parameter entities (including the external DTD subset) is optional, and SAX2 drivers that report LexicalHandler events may not implement it; you can use the http://xml.org/sax/features/lexical-handler/parameter-entities feature to query or control the reporting of parameter entities.

      General entities are reported with their regular names, parameter entities have '%' prepended to their names, and the external DTD subset has the pseudo-entity name "[dtd]".

      When a SAX2 driver is providing these events, all other events must be properly nested within start/end entity events. There is no additional requirement that events from DeclHandler or DTDHandler be properly ordered.

      Note that skipped entities will be reported through the skippedEntity event, which is part of the ContentHandler interface.

      Because of the streaming event model that SAX uses, some entity boundaries cannot be reported under any circumstances:

      • general entities within attribute values
      • parameter entities within declarations

      These will be silently expanded, with no indication of where the original entity boundaries were.

      Note also that the boundaries of character references (which are not really entities anyway) are not reported.

      All start/endEntity events must be properly nested.

      Specified by:
      startEntity in interface LexicalHandler
      Overrides:
      startEntity in class HTMLSerializer
      Parameters:
      name - The name of the entity. If it is a parameter entity, the name will begin with '%', and if it is the external DTD subset, it will be "[dtd]".
      Throws:
      SAXException - The application may raise an exception.
      See Also:

    • endEntity

      public void endEntity(String name) throws SAXException
      Report the end of an entity.
      Specified by:
      endEntity in interface LexicalHandler
      Overrides:
      endEntity in class HTMLSerializer
      Parameters:
      name - The name of the entity that is ending.
      Throws:
      SAXException - The application may raise an exception.
      See Also:

    • startCDATA

      public void startCDATA() throws SAXException
      Report the start of a CDATA section.

      The contents of the CDATA section will be reported through the regular characters event; this event is intended only to report the boundary.

      Specified by:
      startCDATA in interface LexicalHandler
      Overrides:
      startCDATA in class HTMLSerializer
      Throws:
      SAXException - The application may raise an exception.
      See Also:

    • endCDATA

      public void endCDATA() throws SAXException
      Report the end of a CDATA section.
      Specified by:
      endCDATA in interface LexicalHandler
      Overrides:
      endCDATA in class HTMLSerializer
      Throws:
      SAXException - The application may raise an exception.
      See Also:

    • comment

      public void comment(char[] ch, int start, int length) throws SAXException
      Report an XML comment anywhere in the document.

      This callback will be used for comments inside or outside the document element, including comments in the external DTD subset (if read). Comments in the DTD must be properly nested inside start/endDTD and start/endEntity events (if used).

      Specified by:
      comment in interface LexicalHandler
      Overrides:
      comment in class XMLSerializer
      Parameters:
      ch - An array holding the characters in the comment.
      start - The starting position in the array.
      length - The number of characters to use from the array.
      Throws:
      SAXException - The application may raise an exception.

    • initConfiguration

      protected void initConfiguration()

    • isUnsafeElement

      public static boolean isUnsafeElement(String qname, Set unsafeElements, Set safeElements)
      Returns:
      If unsafeElements not null/empty, true if element name in unsafe set; if safeElements not null/empty, true if element name not in safe set.

    • startsWithIgnoreCaseAscii

      public static boolean startsWithIgnoreCaseAscii(String s1, String s2)
      Returns:
      True if s1 starts with s2.

    • equalsIgnoreCaseAscii

      public static boolean equalsIgnoreCaseAscii(String s1, String s2)

    • toLowerCaseAscii

      public static String toLowerCaseAscii(String s)