Package org.owasp.html

Class PolicyFactory

java.lang.Object

org.owasp.html.PolicyFactory

All Implemented Interfaces:

com.google.common.base.Function<HtmlStreamEventReceiver,HtmlSanitizer.Policy>, java.util.function.Function<HtmlStreamEventReceiver,HtmlSanitizer.Policy>

@ThreadSafe
@Immutable
public final class PolicyFactory
extends java.lang.Object
implements com.google.common.base.Function<HtmlStreamEventReceiver,HtmlSanitizer.Policy>

A factory that can be used to link a sanitizer to an output receiver and that provides a convenient sanitize method and a and method to compose policies.

Author:

Mike Samuel ([email protected])

Method Summary

Modifier and Type	Method	Description
PolicyFactory	and(PolicyFactory f)	Produces a factory that allows the union of the grants, and intersects policies where they overlap on a particular granted attribute or element name.
HtmlSanitizer.Policy	apply(HtmlStreamEventReceiver out)	Produces a sanitizer that emits tokens to out.
<CTX> HtmlSanitizer.Policy	apply(HtmlStreamEventReceiver out, HtmlChangeListener<CTX> listener, CTX context)	Produces a sanitizer that emits tokens to out and that notifies any listener of any dropped tags and attributes.
java.lang.String	sanitize(java.lang.String html)	A convenience function that sanitizes a string of HTML.
<CTX> java.lang.String	sanitize(java.lang.String html, HtmlChangeListener<CTX> listener, CTX context)	A convenience function that sanitizes a string of HTML and reports the names of rejected element and attributes to listener.

Methods inherited from interface com.google.common.base.Function

equals

Methods inherited from interface java.util.function.Function

andThen, compose

Methods inherited from class java.lang.Object

equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Method Detail

apply

public HtmlSanitizer.Policy apply(@Nonnull
                                  HtmlStreamEventReceiver out)

Produces a sanitizer that emits tokens to out.

Specified by:

apply in interface com.google.common.base.Function<HtmlStreamEventReceiver,HtmlSanitizer.Policy>

Specified by:

apply in interface java.util.function.Function<HtmlStreamEventReceiver,HtmlSanitizer.Policy>

apply

public <CTX> HtmlSanitizer.Policy apply(HtmlStreamEventReceiver out,
                                        @Nullable
                                        HtmlChangeListener<CTX> listener,
                                        @Nullable
                                        CTX context)

Produces a sanitizer that emits tokens to out and that notifies any listener of any dropped tags and attributes.

Parameters:

out - a renderer that receives approved tokens only.

listener - if non-null, receives notifications of tags and attributes that were rejected by the policy. This may tie into intrusion detection systems.

context - if (listener != null) then the context value passed with notifications. This can be used to let the listener know from which connection or request the questionable HTML was received.

sanitize

public java.lang.String sanitize(@Nullable
                                 java.lang.String html)

A convenience function that sanitizes a string of HTML.

sanitize

public <CTX> java.lang.String sanitize(@Nullable
                                       java.lang.String html,
                                       @Nullable
                                       HtmlChangeListener<CTX> listener,
                                       @Nullable
                                       CTX context)

A convenience function that sanitizes a string of HTML and reports the names of rejected element and attributes to listener.

Parameters:

html - the string of HTML to sanitize.

listener - if non-null, receives notifications of tags and attributes that were rejected by the policy. This may tie into intrusion detection systems.

context - if (listener != null) then the context value passed with notifications. This can be used to let the listener know from which connection or request the questionable HTML was received.

Returns:

a string of HTML that complies with this factory's policy.

and

public PolicyFactory and(PolicyFactory f)

Produces a factory that allows the union of the grants, and intersects policies where they overlap on a particular granted attribute or element name.