Expresso 5-6

com.jcorporate.expresso.core.security.filters
Class HtmlFilter

java.lang.Object
  extended by com.jcorporate.expresso.core.security.filters.Filter
      extended by com.jcorporate.expresso.core.security.filters.HtmlFilter
Direct Known Subclasses:
HtmlPlusURLFilter

public class HtmlFilter
extends Filter

This class provides a Filter implementation that strips out HTML tags in order to protect against XSS exploits.

Author:
Larry Hamel

Field Summary
protected static String[] REPLACE_LIST
           
protected static String[] SPECIAL_STRING_LIST
          Characters to filter out in order to eliminate the majority of XSS attacks; see http://www.cert.org/tech_tips/malicious_code_mitigation.html#4

Assuming that this filter is only applied to text paragraphs (not server-side scripts or other things), we only need to filter the characters that are significant in the content of a paragraph of text: <, &, and >

This basic filter doesn't allow URLs to be displayed, so we don't have to filter unsafe characters in URLs (%). Other classes that insert HREFs (HtmlPlusURLFilter) do need to worry about the % character, though (not allowing unsafe encodings after it).

 
Constructor Summary
HtmlFilter()
          No-arg constructor required
HtmlFilter(String[] specialStringList, String[] replaceList)
          Constructor for passing strings and their replacements
 
Methods inherited from class com.jcorporate.expresso.core.security.filters.Filter
rawFilter, standardFilter, stripFilter
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

SPECIAL_STRING_LIST

protected static final String[] SPECIAL_STRING_LIST
Characters to filter out in order to eliminate the majority of XSS attacks; see http://www.cert.org/tech_tips/malicious_code_mitigation.html#4

Assuming that this filter is only applied to text paragraphs (not server-side scripts or other things), we only need to filter the characters that are significant in the content of a paragraph of text: <, &, and >

This basic filter doesn't allow URLs to be displayed, so we don't have to filter unsafe characters in URLs (%). Other classes that insert HREFs (HtmlPlusURLFilter) do need to worry about the % character, though (not allowing unsafe encodings after it).


REPLACE_LIST

protected static final String[] REPLACE_LIST

Constructor Detail

HtmlFilter

public HtmlFilter()
           throws IllegalArgumentException
No-arg constructor required


HtmlFilter

public HtmlFilter(String[] specialStringList,
                  String[] replaceList)
           throws IllegalArgumentException
Constructor for passing strings and their replacements

Parameters:
specialStringList - Strings to replace
replaceList - The replacement strings
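The field description above names the three characters a paragraph-only filter must handle (<, &, >), and the two-argument constructor shows the shape of the configuration: a list of special strings and a parallel list of their replacements. The following is an added example, not Expresso's own code and not its Filter base class: a small stand-alone class that applies such a pairing in one left-to-right pass. The class name ReplaceFilter, the entity strings chosen as replacements, and the sample input are all assumptions; the page does not show the actual contents of SPECIAL_STRING_LIST or REPLACE_LIST.

```java
// Added example (not Expresso code): pairs a special-string list with a
// replacement list the way HtmlFilter's constructor does, and applies the
// replacements in a single scan of the input. Names and data are assumptions.
public class ReplaceFilterExample {

    /** Hypothetical stand-alone filter; not a subclass of Expresso's Filter. */
    static final class ReplaceFilter {
        private final String[] specialStringList;
        private final String[] replaceList;

        ReplaceFilter(String[] specialStringList, String[] replaceList) {
            // Mirror the documented IllegalArgumentException: the two lists
            // must line up index for index.
            if (specialStringList == null || replaceList == null
                    || specialStringList.length != replaceList.length) {
                throw new IllegalArgumentException(
                        "specialStringList and replaceList must be non-null and the same length");
            }
            this.specialStringList = specialStringList.clone();
            this.replaceList = replaceList.clone();
        }

        /**
         * Single left-to-right pass: each position is matched against the
         * special strings once, and replacement text is never re-scanned, so
         * "&amp;" emitted for "&" cannot itself be escaped again.
         */
        String filter(String input) {
            if (input == null) {
                return null;
            }
            StringBuilder out = new StringBuilder(input.length() + 16);
            int i = 0;
            while (i < input.length()) {
                int matched = -1;
                for (int k = 0; k < specialStringList.length; k++) {
                    if (input.startsWith(specialStringList[k], i)) {
                        matched = k;
                        break;
                    }
                }
                if (matched >= 0) {
                    out.append(replaceList[matched]);
                    i += specialStringList[matched].length();
                } else {
                    out.append(input.charAt(i));
                    i++;
                }
            }
            return out.toString();
        }
    }

    // Constructed lists (assumption): the three characters named in the field
    // description, mapped to their HTML entities. '&' is included so that an
    // entity already present in the input cannot be read back as markup.
    static final String[] SPECIAL = { "&", "<", ">" };
    static final String[] REPLACE = { "&amp;", "&lt;", "&gt;" };

    public static void main(String[] args) {
        ReplaceFilter filter = new ReplaceFilter(SPECIAL, REPLACE);
        // Constructed sample: user-supplied paragraph text containing markup.
        String sample = "<b>Hi</b> & <script>alert(1)</script>";
        System.out.println(filter.filter(sample));
    }
}
```

The single-pass design matters because the lists overlap: applying String.replace once per entry would make the result order-dependent (replacing < before & turns an emitted &lt; into &amp;lt;). As the description notes, these three characters only cover text between tags; text placed into an attribute or a URL needs additional handling, which is why HtmlPlusURLFilter exists as a separate class.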


Please see www.jcorporate.com for information about new Expresso releases.