public class FilterUrlByProtocolAttributePolicy extends Object implements AttributePolicy
URLs with protocols must match the protocol set passed to the constructor.
URLs without protocols but which specify an origin different from the containing page (e.g. //example.org) are only allowed if the policy allows both http and https which are normally used to serve HTML.
Same-origin URLs, URLs without any protocol or authority part are always allowed.
This class assumes that URLs are either hierarchical, or are opaque, but do not look like they contain an authority portion.
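An added usage example (not part of the library's documentation) that runs the rules above over constructed attribute values with two protocol sets. The class name UrlProtocolPolicyDemo and the sample values are made up for illustration, and the imports assume the class lives in the org.owasp.html package of the OWASP Java HTML Sanitizer.

```java
import java.util.Arrays;
import java.util.List;
import org.owasp.html.AttributePolicy;
import org.owasp.html.FilterUrlByProtocolAttributePolicy;

// Hypothetical demo class, not part of the library.
public class UrlProtocolPolicyDemo {
  // Constructed sample attribute values, one per rule in the class description.
  static final List<String> SAMPLES = Arrays.asList(
      "https://example.org/page",   // explicit protocol
      "mailto:user@example.org",    // explicit protocol, opaque URL
      "javascript:alert(1)",        // explicit protocol that neither set below lists
      "//example.org/page",         // no protocol, but a different origin
      "/local/path?q=1",            // no protocol or authority part
      "#fragment");                 // no protocol or authority part

  static void report(String label, AttributePolicy policy) {
    System.out.println(label);
    for (String value : SAMPLES) {
      // apply() returns null to disallow the attribute,
      // or the (possibly adjusted) value if it is allowed.
      String result = policy.apply("a", "href", value);
      System.out.printf("  %-26s -> %s%n", value,
          result == null ? "rejected" : "allowed as " + result);
    }
  }

  public static void main(String[] args) {
    // Both http and https are listed, which the description requires
    // before protocol-relative URLs such as //example.org are allowed.
    report("http + https + mailto:", new FilterUrlByProtocolAttributePolicy(
        Arrays.asList("http", "https", "mailto")));
    // Only https is listed, so the protocol-relative sample does not
    // meet the "both http and https" condition from the description.
    report("https only:", new FilterUrlByProtocolAttributePolicy(
        Arrays.asList("https")));
  }
}
```

Comparing the two reports shows which values depend on the protocol set and which pass regardless of it.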
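Nested classes/interfaces inherited from interface AttributePolicy: AttributePolicy.Util
Fields inherited from interface AttributePolicy: IDENTITY_ATTRIBUTE_POLICY, REJECT_ALL_ATTRIBUTE_POLICY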
Constructor and Description |
---|
FilterUrlByProtocolAttributePolicy(Iterable<? extends String> protocols) |
Modifier and Type | Method and Description |
---|---|
String | apply(String elementName, String attributeName, String value) |
boolean | equals(Object o) |
int | hashCode() |
@Nullable public String apply(String elementName, String attributeName, String value)
Specified by: apply in interface AttributePolicy
Parameters:
elementName - the lower-case element name.
attributeName - the lower-case attribute name.
value - the attribute value without quotes and with HTML entities decoded.
Returns: null to disallow the attribute or the adjusted value if allowed.
Copyright © 2016 OWASP. All rights reserved.