Module io.jooby
Package io.jooby

Class XSS

java.lang.Object
io.jooby.XSS

public final class XSS extends Object
Set of escaping routines for fixing cross-site scripting (XSS).
  • Method Summary

    Modifier and Type
    Method
    Description
    static String
    html(String value)
    Perform an HTML5 level 2 (result is ASCII) escape operation on a String input.
    static String
    json(String value)
    Perform a JSON level 2 (basic set and all non-ASCII chars) escape operation on a String input.
    static String
    uri(String value)
    Perform am URI path escape operation on a String input using UTF-8 as encoding.

    Methods inherited from class java.lang.Object

    equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
  • Method Details

    • uri

      @NonNull public static String uri(@Nullable String value)
      Perform am URI path escape operation on a String input using UTF-8 as encoding.

      The following are the only allowed chars in an URI path (will not be escaped):

      • A-Z a-z 0-9
      • - . _ ~
      • ! $ & ' ( ) * + , ; =
      • : @
      • /

      All other chars will be escaped by converting them to the sequence of bytes that represents them in the UTF-8 and then representing each byte in %HH syntax, being HH the hexadecimal representation of the byte.

      This method is thread-safe.

      Parameters:
      value - the String to be escaped.
      Returns:
      The escaped result String. As a memory-performance improvement, will return the exact same object as the text input argument if no escaping modifications were required (and no additional String objects will be created during processing). Will return null if input is null.
    • html

      @NonNull public static String html(@Nullable String value)
      Perform an HTML5 level 2 (result is ASCII) escape operation on a String input.

      Level 2 means this method will escape:

      • The five markup-significant characters: <, >, & , " and '
      • All non ASCII characters.

      This escape will be performed by replacing those chars by the corresponding HTML5 Named Character References (e.g. '&acute;') when such NCR exists for the replaced character, and replacing by a decimal character reference (e.g. '&#8345;') when there is no NCR for the replaced character.

      This method is thread-safe.

      Parameters:
      value - the String to be escaped.
      Returns:
      The escaped result String. As a memory-performance improvement, will return the exact same object as the text input argument if no escaping modifications were required (and no additional String objects will be created during processing). Will return null if input is null.
    • json

      @NonNull public static String json(@Nullable String value)
      Perform a JSON level 2 (basic set and all non-ASCII chars) escape operation on a String input.

      Level 2 means this method will escape:

      • The JSON basic escape set:
        • The Single Escape Characters: \b (U+0008), \t (U+0009), \n (U+000A ), \f (U+000C), \r (U+000D ), \" (U+0022), \\ ( U+005C) and \/ (U+002F). Note that \/ is optional, and will only be used when the / symbol appears after <, as in </. This is to avoid accidentally closing <script> tags in HTML.
        • Two ranges of non-displayable, control characters (some of which are already part of the single escape characters list): U+0000 to U+001F (required by the JSON spec) and U+007F to U+009F (additional).
      • All non ASCII characters.

      This escape will be performed by using the Single Escape Chars whenever possible. For escaped characters that do not have an associated SEC, default to \uFFFF Hexadecimal Escapes.

      This method is thread-safe.

      Parameters:
      value - the String to be escaped.
      Returns:
      The escaped result String. As a memory-performance improvement, will return the exact same object as the text input argument if no escaping modifications were required (and no additional String objects will be created during processing). Will return null if input is null.