/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.tomcat.util.security;
/**
* Provides utility methods to escape content for different contexts. It is critical that the escaping used is correct
* for the context in which the data is to be used.
*/
public class Escape {
private Escape() {
// Hide default constructor for this utility class
}
/**
* Escape content for use in HTML. This escaping is suitable for the following uses:
* <ul>
* <li>Element content when the escaped data will be placed directly inside tags such as <p>, <td>
* etc.</li>
* <li>Attribute values when the attribute value is quoted with " or '.</li>
* </ul>
*
* @param content The content to escape
*
* @return The escaped content or {@code null} if the content was {@code null}
*/
public static String htmlElementContent(String content) {
if (content == null) {
return null;
}
StringBuilder sb = new StringBuilder();
for (int i = 0; i < content.length(); i++) {
char c = content.charAt(i);
if (c == '<') {
sb.append("<");
} else if (c == '>') {
sb.append(">");
} else if (c == '\'') {
sb.append("'");
} else if (c == '&') {
sb.append("&");
} else if (c == '"') {
sb.append(""");
} else if (c == '/') {
sb.append("/");
} else {
sb.append(c);
}
}
return (sb.length() > content.length()) ? sb.toString() : content;
}
/**
* Convert the object to a string via {@link Object#toString()} and HTML escape the resulting string for use in HTML
* content.
*
* @param obj The object to convert to String and then escape
*
* @return The escaped content or <code>"?"</code> if obj is {@code null}
*/
public static String htmlElementContent(Object obj) {
if (obj == null) {
return "?";
}
return htmlElementContent(obj.toString());
}
/**
* Escape content for use in XML.
*
* @param content The content to escape
*
* @return The escaped content or {@code null} if the content was {@code null}
*/
public static String xml(String content) {
return xml(null, content);
}
/**
* Escape content for use in XML.
*
* @param ifNull The value to return if content is {@code null}
* @param content The content to escape
*
* @return The escaped content or the value of {@code ifNull} if the content was {@code null}
*/
public static String xml(String ifNull, String content) {
return xml(ifNull, false, content);
}
/**
* Escape content for use in XML.
*
* @param ifNull The value to return if content is {@code null}
* @param escapeCRLF Should CR and LF also be escaped?
* @param content The content to escape
*
* @return The escaped content or the value of ifNull if the content was {@code null}
*/
public static String xml(String ifNull, boolean escapeCRLF, String content) {
if (content == null) {
return ifNull;
}
StringBuilder sb = new StringBuilder();
for (int i = 0; i < content.length(); i++) {
char c = content.charAt(i);
if (c == '<') {
sb.append("<");
} else if (c == '>') {
sb.append(">");
} else if (c == '\'') {
sb.append("'");
} else if (c == '&') {
sb.append("&");
} else if (c == '"') {
sb.append(""");
} else if (escapeCRLF && c == ' ') {
sb.append(" ");
} else if (escapeCRLF && c == ' ') {
sb.append(" ");
} else {
sb.append(c);
}
}
return (sb.length() > content.length()) ? sb.toString() : content;
}
}