public class Escape extends Object
Constructor and Description |
---|
Escape() |
Modifier and Type | Method and Description |
---|---|
static String |
cssString(String input)
CSS String escaper.
|
static String |
html(String input)
HTML entity escaping for text content and attributes.
|
static String |
htmlText(String input)
Faster HTML entity escaping for tag content or quoted attributes values only.
|
static String |
jsRegex(String input)
JavaScript regex content escaper.
|
static String |
jsString(String input)
JavaScript String Unicode escaper.
|
static String |
sqlLikeClause(String input)
SQL LIKE clause escaper.
|
static String |
sqlLikeClause(String input,
char escape)
SQL LIKE clause escaper.
|
static String |
uri(String input)
Same as
uriParam(String) for now. |
static String |
uriParam(String input)
URI encoder.
|
public static String html(String input)
htmlText(String)
method which only escape HTML text specific
characters.
The following characters are escaped:
' (U+0022)
, " (U+0027)
,
\ (U+005C)
, / (U+002F)
,
< (U+003C)
, > (U+003E)
,
& (U+0026)
\t (U+0009)
, \n (U+000A)
,
\f (U+000C)
, \r (U+000D)
,
SPACE (U+0020)
LS (U+2028)
, PS (U+2029)
input
- the string to be escapednull
if input
is nullpublic static String htmlText(String input)
div
, p
, etc.).' (U+0022)
, " (U+0027)
,
< (U+003C)
, > (U+003E)
,
& (U+0026)
input
- the string to be escapednull
if input
is nullpublic static String uriParam(String input)
/example/?name=URI_ENCODED_VALUE_HERE
href
attribute (for example),
ensure that:
html(String)
on the entire URI' (U+0022)
, " (U+0027)
,
\ (U+005C)
, / (U+002F)
,
< (U+003C)
, > (U+003E)
,
& (U+0026)
,
< (U+003C)
, > (U+003E)
,
! (U+0021)
, # (U+0023)
,
$ (U+0024)
, % (U+0025)
,
( (U+0028)
, ) (U+0029)
,
* (U+002A)
, + (U+002B)
,
, (U+002C)
, . (U+002E)
,
: (U+003A)
, ; (U+003B)
,
= (U+003D)
, ? (U+003F)
,
@ (U+0040)
, [ (U+005B)
,
] (U+005D)
\t (U+0009)
, \n (U+000A)
,
\f (U+000C)
, \r (U+000D)
,
SPACE (U+0020)
input
- the string to be escapednull
if input
is nullpublic static String uri(String input)
uriParam(String)
for now.
Eventually, this method will evolve into filtering the URI so that
it is safely considered as a URL by a web browser, and does not contain
malicious payloads (data:text/html..., javascript:, etc.).input
- the string to be escapednull
if input
is nullpublic static String jsString(String input)
\UXXXX
) to be used in single or double quoted
JavaScript strings:
<script type="text/javascript"> window.myString = 'JS_STRING_ESCAPE_HERE'; window.yourString = "JS_STRING_ESCAPE_HERE"; </script>This JavaScript string escaper processes the following characters:
' (U+0022)
, " (U+0027)
,
\ (U+005C)
% (U+0025)
/ (U+002F)
,
< (U+003C)
, > (U+003E)
,
& (U+0026)
\b (U+0008)
, \t (U+0009)
,
\n (U+000A)
, 0x0b (U+000B)
,
\f (U+000C)
, \r (U+000D)
LS (U+2028)
, PS (U+2029)
input
- the string to be escapednull
if input
is nullpublic static String jsRegex(String input)
<script type="text/javascript"> var b = /^JS_REGEX_ESCAPE_HERE/.test(document.location); </script>Note that when using a regular expression inside a JavaScript string such as:
<script type="text/javascript"> var b = (new RegExp('^CONTENT_HERE')).test(document.location); </script>You should first escape using the
jsRegex(String)
escaper, and make sure
that the JavaScript string itself is properly rendered using the jsString(String)
escaper. This is a nested context scenario in which we have a JavaScript regex
inside a JavaScript string, for which we need to first escape the inner most context
and walking back the stack of context to the outer most one.
This JavaScript regex escaper processes the following characters:
\ (U+005C)
, / (U+002F)
,
( (U+0028)
, [ (U+005B)
,
{ (U+007B)
, ] (U+005D)
,
} (U+007D)
, ) (U+0029)
,
* (U+002A)
, + (U+002B)
,
- (U+002D)
, . (U+002E)
,
? (U+003F)
, ! (U+0021)
,
^ (U+005E)
, $ (U+0024)
,
| (U+007C)
\t (U+0009)
, \n (U+000A)
,
\v (U+000B)
,
\f (U+000C)
, \r (U+000D)
LS (U+2028)
, PS (U+2029)
input
- the string to be escapednull
if input
is nullpublic static String cssString(String input)
<style> a[href *= "DATA_HERE"] {...} li { background: url('DATA_HERE'); } </style>This CSS string escaper processes the following characters:
' (U+0022)
, " (U+0027)
,
\ (U+005C)
/ (U+002F)
,
< (U+003C)
, > (U+003E)
,
& (U+0026)
\b (U+0008)
,
\t (U+0009)
, \n (U+000A)
,
\f (U+000C)
, \r (U+000D)
LS (U+2028)
, PS (U+2029)
input
- the string to be escapednull
if input
is nullpublic static String sqlLikeClause(String input)
%
or _
:
entityManager.createQuery("FROM MyEntity e WHERE e.content LIKE :like_query ESCAPE '@'") .setParameter("like_query", "%" + Escape.sqlLikeClause(USER_DATA_HERE)) .getResultList();This escaper has to be used with a safe SQL query construct such as the JPQL named parameterized query in the previous example. This escaper uses by default the
@
as escape character. The other method
sqlLikeClause(String,char)
allows for using a different escape character such as
\
.
This SQL LIKE escaper processes the following characters:
_ (U+005F)
, % (U+0025)
,
@ (U+0040)
input
- the string to be escapednull
if input
is nullpublic static String sqlLikeClause(String input, char escape)
sqlLikeClause(String)
, but allows to specify the escape character
to be used. When a character different than @
is used, @
will
not be escaped by the escaper, and the specified escape character will be.input
- the string to be escapedescape
- the escape character to be usednull
if input
is nullCopyright © 2016. All Rights Reserved.