AttributePolicy
public class FilterUrlByProtocolAttributePolicy extends java.lang.Object implements AttributePolicy
URLs with protocols must match the protocol set passed to the constructor. URLs without protocols but which specify an origin different from the containing page (e.g. //example.org) are only allowed if the policy allows both http and https which are normally used to serve HTML. Same-origin URLs, URLs without any protocol or authority part are always allowed.
This class assumes that URLs are either hierarchical, or are opaque, but do not look like they contain an authority portion.
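An added example, not code from the sanitizer project: it runs the same constructed href values through an https-only policy and an http/https/mailto policy, so the rule for protocol-relative URLs such as //example.org can be compared side by side. It assumes the OWASP Java HTML Sanitizer jar is on the classpath (package org.owasp.html); the class name UrlProtocolPolicyDemo and the sample values are made up for the demonstration.

```java
import java.util.Arrays;
import org.owasp.html.AttributePolicy;
import org.owasp.html.FilterUrlByProtocolAttributePolicy;

public class UrlProtocolPolicyDemo {

  // Constructed sample attribute values, one per case in the class description.
  static final String[] SAMPLES = {
    "https://example.org/a",   // protocol present
    "http://example.org/a",    // protocol present
    "mailto:user@example.org", // opaque URL with a protocol
    "javascript:alert(1)",     // protocol that neither set below lists
    "//example.org/a",         // no protocol, but names another origin
    "/local/path?x=1",         // no protocol, no authority
    "page.html#top",           // relative, no protocol, no authority
  };

  // apply() returns null to disallow the attribute, else the adjusted value.
  static String verdict(AttributePolicy policy, String value) {
    String adjusted = policy.apply("a", "href", value);
    return adjusted == null ? "<dropped>" : adjusted;
  }

  public static void main(String[] args) {
    // Protocol names are lower-case and carry no trailing colon.
    AttributePolicy httpsOnly =
        new FilterUrlByProtocolAttributePolicy(Arrays.asList("https"));
    AttributePolicy webAndMail =
        new FilterUrlByProtocolAttributePolicy(
            Arrays.asList("http", "https", "mailto"));

    System.out.printf("%-26s | %-26s | %s%n",
        "href value", "[https]", "[http, https, mailto]");
    for (String value : SAMPLES) {
      System.out.printf("%-26s | %-26s | %s%n",
          value, verdict(httpsOnly, value), verdict(webAndMail, value));
    }
  }
}
```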
AttributePolicy.JoinableAttributePolicy, AttributePolicy.Util
IDENTITY_ATTRIBUTE_POLICY, REJECT_ALL_ATTRIBUTE_POLICY
Constructor | Description |
---|---|
FilterUrlByProtocolAttributePolicy(java.lang.Iterable<? extends java.lang.String> protocols) |
Modifier and Type | Method | Description |
---|---|---|
java.lang.String | apply(java.lang.String elementName, java.lang.String attributeName, java.lang.String value) | |
boolean | equals(java.lang.Object o) | |
int | hashCode() | |
public FilterUrlByProtocolAttributePolicy(java.lang.Iterable<? extends java.lang.String> protocols)
protocols - lower-case protocol names without any trailing colon (":")

@Nullable public java.lang.String apply(java.lang.String elementName, java.lang.String attributeName, java.lang.String value)
apply in interface AttributePolicy
elementName - the lower-case element name.
attributeName - the lower-case attribute name.
value - the attribute value without quotes and with HTML entities decoded.
null to disallow the attribute or the adjusted value if allowed.

public boolean equals(java.lang.Object o)
equals in class java.lang.Object

public int hashCode()
hashCode in class java.lang.Object
Copyright © 2019 OWASP. All rights reserved.