Class HtmlSanitizer

java.lang.Object
io.jmix.ui.sanitizer.HtmlSanitizer

@Component("ui_HtmlSanitizer") public class HtmlSanitizer extends Object
Utility bean that sanitizes a string of HTML according to the factory's policy to prevent Cross-site Scripting (XSS) in an HTML context.

The default policy factory contains special policies for the font element, because the RichTextArea component supports the font element in its value. The default policy factory also contains policies that are not part of the standard Sanitizers.

  • Field Details

    • FONT_SIZE_REGEXP

      protected static final String FONT_SIZE_REGEXP
Font size regexp. Intended to match the value of the size attribute of the font element.

      Regexp explanation:

      • [0-7] - matches a number in the range 0 to 7
      • | - acts like a boolean OR
      • [+-]?(?:[0-9]+) - matches a relative font size value

Example:

          <font size="7"/>
    • FONT_SIZE_PATTERN

      protected static final Pattern FONT_SIZE_PATTERN
    • FONT_SIZE_ATTRIBUTE_NAME

      protected static final String FONT_SIZE_ATTRIBUTE_NAME
    • FONT_FACE_REGEXP

      protected static final String FONT_FACE_REGEXP
Font face regexp. Intended to match the value of the face attribute of the font element.

      Regexp explanation:

      • [\w;, \-]+ - matches font names separated by comma or semicolon

Example:

          <font face="Verdana"/>
    • FONT_FACE_PATTERN

      protected static final Pattern FONT_FACE_PATTERN
    • FONT_FACE_ATTRIBUTE_NAME

      protected static final String FONT_FACE_ATTRIBUTE_NAME
    • FONT_COLOR_REGEXP

      protected static final String FONT_COLOR_REGEXP
Font color regexp. Intended to match the value of the color attribute of the font element.

      Regexp explanation:

• (#(?:[0-9a-f]{2}){2,4}|(#[0-9a-f]{3}) - matches a hexadecimal color
      • | - acts like a boolean OR
      • (rgb|hsl)a?\((-?\d+%?[,\s]+){2,3}\s*[d\.]+%?\) - matches RGB, RGBA, HSL, HSLA colors
      • "color_name" - matches color by name

Example:

          <font color="#0000ff"/>
    • FONT_COLOR_PATTERN

      protected static final Pattern FONT_COLOR_PATTERN
    • FONT_COLOR_ATTRIBUTE_NAME

      protected static final String FONT_COLOR_ATTRIBUTE_NAME
    • CLASS_REGEXP

      protected static final String CLASS_REGEXP
HTML class regexp. Intended to match the value of the class attribute.

      Regexp explanation:

• a-zA-Z - matches a single character in the range a-z or A-Z
• 0-9 - matches a single character in the range 0-9
• , - matches a comma character
• \s - matches any whitespace character
• \- - matches a dash character
• _ - matches an underscore character
• [...]+ - matches one or more characters from the class above (one to an unlimited number of times)

Example:

          <div class="v-app"/>
    • CLASS_PATTERN

      protected static final Pattern CLASS_PATTERN
    • CLASS_ATTRIBUTE_NAME

      protected static final String CLASS_ATTRIBUTE_NAME
    • A_ELEMENT_NAME

      protected static final String A_ELEMENT_NAME
    • HREF_ATTRIBUTE_NAME

      protected static final String HREF_ATTRIBUTE_NAME
    • TARGET_ATTRIBUTE_NAME

      protected static final String TARGET_ATTRIBUTE_NAME
    • TARGET_ATTRIBUTE_VALUES

      protected static final com.google.common.collect.ImmutableSet<String> TARGET_ATTRIBUTE_VALUES
    • NOOPENNER_REL_VALUE

      protected static final String NOOPENNER_REL_VALUE
    • NOREFERRER_REL_VALUE

      protected static final String NOREFERRER_REL_VALUE
    • DEFAULT_WHITELIST

      protected static final com.google.common.collect.ImmutableSet<String> DEFAULT_WHITELIST
The additional CSS schema whitelist of properties that are not included in the default whitelist of Sanitizers.STYLES.
    • policyFactory

      protected org.owasp.html.PolicyFactory policyFactory
  • Constructor Details

    • HtmlSanitizer

      public HtmlSanitizer()
  • Method Details

    • sanitize

      public String sanitize(@Nullable String html)
      Sanitizes a string of HTML according to the factory's policy.
      Parameters:
      html - the string of HTML to sanitize
      Returns:
      a string of HTML that complies with the factory's policy
    • getPolicyFactory

      public org.owasp.html.PolicyFactory getPolicyFactory()
      Returns:
      a policy factory
    • setPolicyFactory

      public void setPolicyFactory(org.owasp.html.PolicyFactory policyFactory)
      Sets policy factory.
      Parameters:
      policyFactory - a policy factory
    • initDefaultPolicyFactory

      protected void initDefaultPolicyFactory()
Initializes the default policy factory that is used to produce the HTML sanitizer policies applied when sanitizing a string of HTML.
    • getAdditionalStylePolicies

      protected com.google.common.collect.ImmutableMap<String,org.owasp.html.CssSchema.Property> getAdditionalStylePolicies()
      Returns:
      additional style policies that were not included in Sanitizers.STYLES.
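The following is an added example, not code from Jmix or from the OWASP Java HTML Sanitizer library, showing how a policy in the spirit of the default policy factory described above can be built with the OWASP HtmlPolicyBuilder API and applied to constructed input. The patterns are reconstructed from the regexp explanations on this page (the actual constant values are not shown here, so they are assumptions); the color pattern's "color_name" branch is approximated by a plain letters-only alternative, and the null handling in the helper is an assumption about what a sanitizer should do with a null value, not the documented behaviour of HtmlSanitizer.sanitize. The class name HtmlSanitizerExample and the helper methods are hypothetical.

```java
import java.util.regex.Pattern;

import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;

/**
 * Added example (not part of Jmix): builds a policy that admits the font element with
 * value-checked attributes, a restricted class attribute and hardened links, then runs it.
 */
public class HtmlSanitizerExample {

    // Reconstructed from the field descriptions on this page (assumed, not the real constants).
    static final Pattern FONT_SIZE = Pattern.compile("[0-7]|[+-]?(?:[0-9]+)");
    static final Pattern FONT_FACE = Pattern.compile("[\\w;, \\-]+");
    static final Pattern FONT_COLOR = Pattern.compile(
            "(#(?:[0-9a-f]{2}){2,4}|#[0-9a-f]{3})"
            + "|(rgb|hsl)a?\\((-?\\d+%?[,\\s]+){2,3}\\s*[\\d.]+%?\\)"
            + "|[a-zA-Z]+",                       // stand-in for the "color_name" branch (assumption)
            Pattern.CASE_INSENSITIVE);
    static final Pattern CSS_CLASS = Pattern.compile("[a-zA-Z0-9,\\s\\-_]+");

    /** Builds a policy resembling the default policy factory described on this page. */
    static PolicyFactory buildPolicy() {
        PolicyFactory fontAndLinks = new HtmlPolicyBuilder()
                // <font> is kept because RichTextArea stores it; matching(Pattern) requires a
                // full match, so attribute values outside the pattern are dropped.
                .allowElements("font")
                .allowAttributes("size").matching(FONT_SIZE).onElements("font")
                .allowAttributes("face").matching(FONT_FACE).onElements("font")
                .allowAttributes("color").matching(FONT_COLOR).onElements("font")
                // class is allowed on any element, but only with the characters CLASS_REGEXP admits
                .allowAttributes("class").matching(CSS_CLASS).globally()
                // links: standard URL protocols only (javascript: is rejected), a fixed set of
                // target values, and rel="noopener noreferrer" enforced on every link
                .allowElements("a")
                .allowAttributes("href").onElements("a")
                .allowStandardUrlProtocols()
                .allowAttributes("target")
                        .matching(true, "_blank", "_self", "_parent", "_top")
                        .onElements("a")
                .requireRelsOnLinks("noopener", "noreferrer")
                .toFactory();
        // Combine with the library's standard formatting and block policies.
        return Sanitizers.FORMATTING.and(Sanitizers.BLOCKS).and(fontAndLinks);
    }

    /** Helper that passes a null value through unchanged (assumption, see lead-in). */
    static String sanitize(PolicyFactory policy, String html) {
        return html == null ? null : policy.sanitize(html);
    }

    public static void main(String[] args) {
        PolicyFactory policy = buildPolicy();
        // Constructed sample: benign rich text mixed with common XSS vectors.
        String input = "<font size=\"7\" face=\"Verdana\" color=\"#0000ff\">styled</font>"
                + "<font size=\"7\" onmouseover=\"alert(1)\">handler</font>"
                + "<a href=\"javascript:alert(1)\" target=\"_blank\">bad link</a>"
                + "<a href=\"https://example.com/\" target=\"_blank\">good link</a>"
                + "<div class=\"v-app\">block</div>"
                + "<script>alert(1)</script>";
        System.out.println(sanitize(policy, input));
    }
}
```

Running the example keeps the styled font element, the v-app class and the https link (with rel="noopener noreferrer" added and target preserved), while the onmouseover handler, the javascript: href and the script element are removed by the policy; the exact serialized output depends on the library version, so compare against your own run rather than against a fixed string.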