A B C D E F G H I J L M O P R S T U V W 

A

allowAttributes(String...) - Method in class org.owasp.html.HtmlPolicyBuilder
Returns an object that lets you associate policies with the given attributes, and allow them globally or on specific elements.
allowCommonBlockElements() - Method in class org.owasp.html.HtmlPolicyBuilder
A canned policy that allows a number of common block elements.
allowCommonInlineFormattingElements() - Method in class org.owasp.html.HtmlPolicyBuilder
A canned policy that allows a number of common formatting elements.
allowedProperties() - Method in class org.owasp.html.CssSchema
The set of CSS properties allowed by this schema.
allowElements(String...) - Method in class org.owasp.html.HtmlPolicyBuilder
Allows the named elements.
allowElements(ElementPolicy, String...) - Method in class org.owasp.html.HtmlPolicyBuilder
Allow the given elements with the given policy.
allowsEscapingTextSpan(String) - Static method in enum org.owasp.html.HtmlTextEscapingMode
True iff the content following the given tag allows escaping text spans: <!--…--> that escape even things that might be an end tag for the corresponding open tag.
allowStandardUrlProtocols() - Method in class org.owasp.html.HtmlPolicyBuilder
A canned URL protocol policy that allows http, https, and mailto.
allowStyling() - Method in class org.owasp.html.HtmlPolicyBuilder
Convert style="<CSS>" to sanitized CSS which allows color, font-size, type-face, and other styling using the default schema; but which does not allow content to escape its clipping context.
allowStyling(CssSchema) - Method in class org.owasp.html.HtmlPolicyBuilder
Convert style="<CSS>" to sanitized CSS which allows color, font-size, type-face, and other styling using the given schema.
allowTextIn(String...) - Method in class org.owasp.html.HtmlPolicyBuilder
Allows text content in the named elements.
allowUrlProtocols(String...) - Method in class org.owasp.html.HtmlPolicyBuilder
Adds to the set of protocols that are allowed in URL attributes.
allowUrlsInStyles(AttributePolicy) - Method in class org.owasp.html.HtmlPolicyBuilder
Allow URLs in CSS styles.
allowWithoutAttributes(String...) - Method in class org.owasp.html.HtmlPolicyBuilder
Assuming the given elements are allowed, allows them to appear without attributes.
and(PolicyFactory) - Method in class org.owasp.html.PolicyFactory
Produces a factory that allows the union of the grants, and intersects policies where they overlap on a particular granted attribute or element name.
apply(String, String, String) - Method in interface org.owasp.html.AttributePolicy
 
apply(String, List<String>) - Method in interface org.owasp.html.ElementPolicy
 
apply(String, String, String) - Method in class org.owasp.html.FilterUrlByProtocolAttributePolicy
 
apply(HtmlStreamEventReceiver) - Method in class org.owasp.html.PolicyFactory
Produces a sanitizer that emits tokens to out.
apply(HtmlStreamEventReceiver, HtmlChangeListener<CTX>, CTX) - Method in class org.owasp.html.PolicyFactory
Produces a sanitizer that emits tokens to out and that notifies any listener of any dropped tags and attributes.
AttributePolicy - Interface in org.owasp.html
A policy that can be applied to an HTML attribute to decide whether or not to allow it in the output, possibly after transforming its value.
AttributePolicy.Util - Class in org.owasp.html
Utilities for working with attribute policies.

B

BLOCKS - Static variable in class org.owasp.html.Sanitizers
Allows common block elements including <p>, <h1>, etc.
build(HtmlStreamEventReceiver) - Method in class org.owasp.html.HtmlPolicyBuilder
Produces a policy based on the allow and disallow calls previously made.
build(HtmlStreamEventReceiver, HtmlChangeListener<? super CTX>, CTX) - Method in class org.owasp.html.HtmlPolicyBuilder
Produces a policy based on the allow and disallow calls previously made.

C

close() - Method in class org.owasp.html.HtmlStreamEventReceiverWrapper
 
closeDocument() - Method in interface org.owasp.html.HtmlStreamEventReceiver
Called last to indicate that no more events will be received.
closeDocument() - Method in class org.owasp.html.HtmlStreamEventReceiverWrapper
 
closeDocument() - Method in class org.owasp.html.HtmlStreamRenderer
 
closeDocument() - Method in class org.owasp.html.TagBalancingHtmlStreamEventReceiver
 
closeTag(String) - Method in interface org.owasp.html.HtmlSanitizer.Policy
Called when an HTML tag like </foo> is seen in the input.
closeTag(String) - Method in interface org.owasp.html.HtmlStreamEventReceiver
Called to specify an end tag like </elementName>.
closeTag(String) - Method in class org.owasp.html.HtmlStreamEventReceiverWrapper
 
closeTag(String) - Method in class org.owasp.html.HtmlStreamRenderer
 
closeTag(String) - Method in class org.owasp.html.TagBalancingHtmlStreamEventReceiver
 
compose(HtmlStreamEventProcessor, HtmlStreamEventProcessor) - Static method in class org.owasp.html.HtmlStreamEventProcessor.Processors
 
create(Appendable, Handler<? super IOException>, Handler<? super String>) - Static method in class org.owasp.html.HtmlStreamRenderer
Factory.
create(StringBuilder, Handler<? super String>) - Static method in class org.owasp.html.HtmlStreamRenderer
Factory.
CssSchema - Class in org.owasp.html
Describes the kinds of tokens a CSS property's value can safely contain.

D

DEFAULT - Static variable in class org.owasp.html.CssSchema
A schema that includes only those properties on the default schema white-list.
DEFAULT_RELS_ON_TARGETTED_LINKS - Static variable in class org.owasp.html.HtmlPolicyBuilder
These rel attribute values prevent information from leaking to the linked site, and prevent the linked page from redirecting your page to a phishing site when opened from a third-party link on your site.
DEFAULT_SKIP_IF_EMPTY - Static variable in class org.owasp.html.HtmlPolicyBuilder
The default set of elements that are removed if they have no attributes.
disallowAttributes(String...) - Method in class org.owasp.html.HtmlPolicyBuilder
Reverse an earlier attribute allow.
disallowElements(String...) - Method in class org.owasp.html.HtmlPolicyBuilder
Disallows the named elements.
disallowTextIn(String...) - Method in class org.owasp.html.HtmlPolicyBuilder
Disallows text in elements with the given name.
disallowUrlProtocols(String...) - Method in class org.owasp.html.HtmlPolicyBuilder
disallowWithoutAttributes(String...) - Method in class org.owasp.html.HtmlPolicyBuilder
Disallows the given elements from appearing without attributes.
discardedAttributes(T, String, String...) - Method in interface org.owasp.html.HtmlChangeListener
Called when attributes are discarded from the input but the containing tag is not.
discardedTag(T, String) - Method in interface org.owasp.html.HtmlChangeListener
Called when a tag is discarded from the input.
DO_NOTHING - Static variable in interface org.owasp.html.Handler
A handler that does nothing given any input.

E

ElementPolicy - Interface in org.owasp.html
A policy that can be applied to an element to decide whether or not to allow it in the output, possibly after transforming attributes.
ElementPolicy.JoinableElementPolicy - Interface in org.owasp.html
 
ElementPolicy.Util - Class in org.owasp.html
Utilities for working with element policies.
equals(Object) - Method in class org.owasp.html.FilterUrlByProtocolAttributePolicy
 

F

FilterUrlByProtocolAttributePolicy - Class in org.owasp.html
An attribute policy for attributes whose values are URLs that requires that the value have no protocol or have an allowed protocol.
FilterUrlByProtocolAttributePolicy(Iterable<? extends String>) - Constructor for class org.owasp.html.FilterUrlByProtocolAttributePolicy
 
FORMATTING - Static variable in class org.owasp.html.Sanitizers
Allows common formatting elements including <b>, <i>, etc.

G

getModeForTag(String) - Static method in enum org.owasp.html.HtmlTextEscapingMode
The mode used for content following a start tag with the given name.
getWrappedPolicy() - Method in class org.owasp.html.HtmlChangeReporter
The underlying policy.
getWrappedRenderer() - Method in class org.owasp.html.HtmlChangeReporter
The underlying renderer.
globally() - Method in class org.owasp.html.HtmlPolicyBuilder.AttributeBuilder
Allows the given attributes on any elements but filters the attributes' values based on previous calls to matching(...).

H

handle(T) - Method in interface org.owasp.html.Handler
Called to handle x.
Handler<T> - Interface in org.owasp.html
Receives notification of problems.
hashCode() - Method in class org.owasp.html.FilterUrlByProtocolAttributePolicy
 
HtmlChangeListener<T> - Interface in org.owasp.html
Receives events when an HTML tag or attribute is discarded.
HtmlChangeReporter<T> - Class in org.owasp.html
Sits between the HTML parser, the policy, and the renderer so that it can report dropped elements and attributes to an HtmlChangeListener.
HtmlChangeReporter(HtmlStreamEventReceiver, HtmlChangeListener<? super T>, T) - Constructor for class org.owasp.html.HtmlChangeReporter
 
HtmlPolicyBuilder - Class in org.owasp.html
Conveniences for configuring policies for the HtmlSanitizer.
HtmlPolicyBuilder() - Constructor for class org.owasp.html.HtmlPolicyBuilder
 
HtmlPolicyBuilder.AttributeBuilder - Class in org.owasp.html
Builds the relationship between attributes, the values that they may have, and the elements on which they may appear.
HtmlSanitizer - Class in org.owasp.html
Consumes an HTML stream, and dispatches events to a policy object which decides which elements and attributes to allow.
HtmlSanitizer() - Constructor for class org.owasp.html.HtmlSanitizer
 
HtmlSanitizer.Policy - Interface in org.owasp.html
Receives events based on the HTML stream, and applies a policy to decide what HTML constructs to allow.
HtmlStreamEventProcessor - Interface in org.owasp.html
Receives the output sink to allow user-code to post-process events.
HtmlStreamEventProcessor.Processors - Class in org.owasp.html
 
HtmlStreamEventReceiver - Interface in org.owasp.html
A light-weight SAX-like listener for HTML.
HtmlStreamEventReceiverWrapper - Class in org.owasp.html
An event receiver that delegates to an underlying receiver and which may be overridden to do additional work.
HtmlStreamEventReceiverWrapper(HtmlStreamEventReceiver) - Constructor for class org.owasp.html.HtmlStreamEventReceiverWrapper
 
HtmlStreamRenderer - Class in org.owasp.html
Given a series of HTML tokens, writes valid, normalized HTML to the output.
HtmlTextEscapingMode - Enum in org.owasp.html
From section 8.1.2.6 of http://www.whatwg.org/specs/web-apps/current-work/

I

IDENTITY - Static variable in class org.owasp.html.HtmlStreamEventProcessor.Processors
A post-processor that returns the sink without wrapping it to do any additional work.
IDENTITY_ATTRIBUTE_POLICY - Static variable in interface org.owasp.html.AttributePolicy
An attribute policy that returns the value unchanged.
IDENTITY_ELEMENT_POLICY - Static variable in interface org.owasp.html.ElementPolicy
An element policy that returns the element unchanged.
IMAGES - Static variable in class org.owasp.html.Sanitizers
Allows <img> elements from HTTP, HTTPS, and relative sources.
isDocumentOpen() - Method in class org.owasp.html.HtmlStreamRenderer
True if HtmlStreamRenderer.openDocument() has been called and HtmlStreamRenderer.closeDocument() has not subsequently been called.
isInterElementWhitespace(String) - Static method in class org.owasp.html.TagBalancingHtmlStreamEventReceiver
True if text is the value of an inter-element whitespace text node as defined by HTML5.
isTagFollowedByLiteralContent(String) - Static method in enum org.owasp.html.HtmlTextEscapingMode
True if content immediately following the start tag must be treated as special CDATA so that <'s are not treated as starting tags, comments or directives.
isVoidElement(String) - Static method in enum org.owasp.html.HtmlTextEscapingMode
True iff the tag cannot contain any content; that is, an HTML parser will consider the element to have ended immediately after the start tag.

J

join(AttributePolicy...) - Static method in class org.owasp.html.AttributePolicy.Util
An attribute policy equivalent to applying all the given policies in order, failing early if any of them fails.
join(ElementPolicy...) - Static method in class org.owasp.html.ElementPolicy.Util
Given zero or more element policies, returns an element policy equivalent to applying them in order, failing early if any of them fails.

L

LINKS - Static variable in class org.owasp.html.Sanitizers
Allows HTTP, HTTPS, MAILTO, and relative links.

M

main(String...) - Static method in class org.owasp.html.CssSchema
Dumps key and literal list to stdout for easy examination.
matching(AttributePolicy) - Method in class org.owasp.html.HtmlPolicyBuilder.AttributeBuilder
Filters and/or transforms the attribute values allowed by later allow* calls.
matching(Pattern) - Method in class org.owasp.html.HtmlPolicyBuilder.AttributeBuilder
Restrict the values allowed by later allow* calls to those matching the pattern.
matching(Predicate<? super String>) - Method in class org.owasp.html.HtmlPolicyBuilder.AttributeBuilder
Restrict the values allowed by later allow* calls to those matching the given predicate.
matching(boolean, String...) - Method in class org.owasp.html.HtmlPolicyBuilder.AttributeBuilder
Restrict the values allowed by later allow* calls to those supplied.
matching(boolean, Set<? extends String>) - Method in class org.owasp.html.HtmlPolicyBuilder.AttributeBuilder
Restrict the values allowed by later allow* calls to those supplied.

O

onElements(String...) - Method in class org.owasp.html.HtmlPolicyBuilder.AttributeBuilder
Allows the named attributes on the given elements but filters the attributes' values based on previous calls to matching(...).
openDocument() - Method in interface org.owasp.html.HtmlStreamEventReceiver
Called first to indicate that events follow.
openDocument() - Method in class org.owasp.html.HtmlStreamEventReceiverWrapper
 
openDocument() - Method in class org.owasp.html.HtmlStreamRenderer
 
openDocument() - Method in class org.owasp.html.TagBalancingHtmlStreamEventReceiver
 
openTag(String, List<String>) - Method in interface org.owasp.html.HtmlSanitizer.Policy
Called when an HTML tag like <foo bar=baz> is seen in the input.
openTag(String, List<String>) - Method in interface org.owasp.html.HtmlStreamEventReceiver
Called to specify a tag with the given name and attributes.
openTag(String, List<String>) - Method in class org.owasp.html.HtmlStreamEventReceiverWrapper
 
openTag(String, List<String>) - Method in class org.owasp.html.HtmlStreamRenderer
 
openTag(String, List<String>) - Method in class org.owasp.html.TagBalancingHtmlStreamEventReceiver
 
org.owasp.html - package org.owasp.html
An efficient HtmlSanitizer configurable via a flexible HtmlPolicyBuilder.

P

PolicyFactory - Class in org.owasp.html
A factory that can be used to link a sanitizer to an output receiver and that provides a convenient sanitize(...) method and an and(...) method to compose policies.
Processors() - Constructor for class org.owasp.html.HtmlStreamEventProcessor.Processors
 
PROPAGATE - Static variable in interface org.owasp.html.Handler
A handler that re-raises an error, wrapping it in a runtime exception if necessary.

R

REJECT_ALL_ATTRIBUTE_POLICY - Static variable in interface org.owasp.html.AttributePolicy
An attribute policy that rejects all values.
REJECT_ALL_ELEMENT_POLICY - Static variable in interface org.owasp.html.ElementPolicy
An element policy that rejects all elements.
requireRelNofollowOnLinks() - Method in class org.owasp.html.HtmlPolicyBuilder
Adds rel=nofollow to links.
requireRelsOnLinks(String...) - Method in class org.owasp.html.HtmlPolicyBuilder
Adds rel="..." to <a href="..."> tags beyond those in HtmlPolicyBuilder.DEFAULT_RELS_ON_TARGETTED_LINKS.

S

sanitize(String, HtmlSanitizer.Policy) - Static method in class org.owasp.html.HtmlSanitizer
Sanitizes the given HTML by applying the given policy to it.
sanitize(String, HtmlSanitizer.Policy, HtmlStreamEventProcessor) - Static method in class org.owasp.html.HtmlSanitizer
Sanitizes the given HTML by applying the given policy to it.
sanitize(String) - Method in class org.owasp.html.PolicyFactory
A convenience function that sanitizes a string of HTML.
sanitize(String, HtmlChangeListener<CTX>, CTX) - Method in class org.owasp.html.PolicyFactory
A convenience function that sanitizes a string of HTML and reports the names of rejected elements and attributes to the listener.
Sanitizers - Class in org.owasp.html
Pre-packaged HTML sanitizer policies.
setNestingLimit(int) - Method in class org.owasp.html.TagBalancingHtmlStreamEventReceiver
Set the maximum element nesting depth.
setPolicy(HtmlSanitizer.Policy) - Method in class org.owasp.html.HtmlChangeReporter
Associates an input channel.
skipRelsOnLinks(String...) - Method in class org.owasp.html.HtmlPolicyBuilder
Opts out of some of the HtmlPolicyBuilder.DEFAULT_RELS_ON_TARGETTED_LINKS from being added to links, and reverses pre
STYLES - Static variable in class org.owasp.html.Sanitizers
Allows certain safe CSS properties in style="..." attributes.

T

TABLES - Static variable in class org.owasp.html.Sanitizers
Allows common table elements.
TagBalancingHtmlStreamEventReceiver - Class in org.owasp.html
Wraps an HTML stream event receiver to fill in missing close tags.
TagBalancingHtmlStreamEventReceiver(HtmlStreamEventReceiver) - Constructor for class org.owasp.html.TagBalancingHtmlStreamEventReceiver
 
TCB - Annotation Type in org.owasp.html
Indicates that a program element is in the trusted computing base -- there exists a security property that could be violated if this code is not correct.
text(String) - Method in interface org.owasp.html.HtmlSanitizer.Policy
Called when textual content is seen.
text(String) - Method in interface org.owasp.html.HtmlStreamEventReceiver
Called to specify a text node.
text(String) - Method in class org.owasp.html.HtmlStreamEventReceiverWrapper
 
text(String) - Method in class org.owasp.html.HtmlStreamRenderer
 
text(String) - Method in class org.owasp.html.TagBalancingHtmlStreamEventReceiver
 
toFactory() - Method in class org.owasp.html.HtmlPolicyBuilder
Like HtmlPolicyBuilder.build(org.owasp.html.HtmlStreamEventReceiver) but can be reused to create many different policies each backed by a different output channel.

U

union(CssSchema...) - Static method in class org.owasp.html.CssSchema
A schema that represents the union of the input schemas.
Util() - Constructor for class org.owasp.html.AttributePolicy.Util
 

V

valueOf(String) - Static method in enum org.owasp.html.HtmlTextEscapingMode
Returns the enum constant of this type with the specified name.
values() - Static method in enum org.owasp.html.HtmlTextEscapingMode
Returns an array containing the constants of this enum type, in the order they are declared.

W

withPostprocessor(HtmlStreamEventProcessor) - Method in class org.owasp.html.HtmlPolicyBuilder
Inserts a post-processor into the pipeline between the policy and the output sink.
withPreprocessor(HtmlStreamEventProcessor) - Method in class org.owasp.html.HtmlPolicyBuilder
Inserts a pre-processor into the pipeline between the lexer and the policy.
withProperties(Iterable<? extends String>) - Static method in class org.owasp.html.CssSchema
A schema that includes all and only the named properties.
wrap(HtmlStreamEventReceiver) - Method in interface org.owasp.html.HtmlStreamEventProcessor
 

Copyright © 2016 OWASP. All rights reserved.