psdi.util

Class HTML

  • java.lang.Object
    • psdi.util.HTML


  • public class HTML
    extends java.lang.Object
    Encapsulates functionality related to HTML, including rich text. Methods are provided for removing script elements that can pose a security risk, converting plain text to HTML, and escaping text values so that they can be presented in HTML without posing an XSS risk.
    • Nested Class Summary

      Nested Classes 
      Modifier and Type Class and Description
      static class  HTML.Entity 
    • Method Summary

      Modifier and Type Method and Description
      static java.lang.String cleanHtml(java.lang.String html, boolean escapeCDATA)
      Escapes values, removes script, object and embed tags, and removes script from attributes
      static java.lang.String cleanHtml(java.lang.String html, boolean escapeForJavascript, boolean escapeCDATA) 
      static java.lang.String cleanHtml(java.lang.String html, boolean escapeForJavascript, boolean escapeForHTML, boolean escapeCDATA) 
      static java.lang.String cleanText(java.lang.String text)
      Converts plain text to HTML, adding line breaks and escaping characters for JavaScript
      static java.lang.String cleanText(java.lang.String text, boolean escapeForJavascript) 
      static java.lang.String cleanValue(java.lang.String value, boolean escapeForJavascript, boolean escapeCDATA) 
      static java.lang.String cleanValue(java.lang.String value, boolean escapeForJavascript, boolean escapeForHTML, boolean escapeCDATA)
      If the value is HTML, removes all JavaScript and embedded objects; if it is text, converts it to HTML
      static boolean containsFormattingTags(java.lang.String message) 
      static java.lang.String decode(java.lang.String value) 
      static java.lang.String encode(java.lang.String value)
      Encodes the specified value for use in HTML attribute values or text values.
      static java.lang.String encode(java.lang.String value, java.lang.String[] allowedHTMLTags)
      Encodes the specified value for use in HTML attribute values or text values.
      static java.lang.String encodeTolerant(java.lang.String value)
      Encodes the specified value for HTML but allows a basic set of formatting tags.
      static boolean isHtml(java.lang.String value)
      Determines whether the given string is HTML
      static java.lang.String replaceNewLineWithBR(java.lang.String message) 
      static java.lang.String richTextSanitize(java.lang.String value)
      Sanitize the value to remove malicious content based on the value of the webclient.richtext.sanitize property.
      static java.lang.String sanitize(java.lang.String value)
      Sanitize the value to remove malicious content.
      static java.lang.String securitySafeWithHTMLEncoding(java.lang.String aText) 
      static java.lang.String toPlainText(java.lang.String html) 
      static java.lang.String toPlainText(java.lang.String html, boolean encodeForHtml) 
      static java.lang.String truncateText(java.lang.String value, int limit) 
      static void unittestIsHtmlForceAlwaysHtml(boolean value)
      For unit test only, do not use in production code
      static void unittestIsHtmlForceAlwaysText(boolean value)
      For unit test only, do not use in production code
      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
    • Field Detail

      • BLOCK_NODE_FOR_ENTER_DEFAULT

        public static final java.lang.String BLOCK_NODE_FOR_ENTER_DEFAULT
        See Also:
        Constant Field Values
      • BLOCK_NODE_FOR_ENTER

        public static final java.lang.String BLOCK_NODE_FOR_ENTER
        See Also:
        Constant Field Values
      • MAXIMOLOGGER

        public static final MXLogger MAXIMOLOGGER
      • RICH_TEXT_MARKER

        public static final java.lang.String RICH_TEXT_MARKER
        Marker indicating that the value already contains rich text. If you change this value, be sure to change the corresponding constant defined in dojo_library.js.
        See Also:
        Constant Field Values
      • testAlwaysText

        protected static boolean testAlwaysText
      • testAlwaysHtml

        protected static boolean testAlwaysHtml
    • Method Detail

      • cleanValue

        public static java.lang.String cleanValue(java.lang.String value,
                                                  boolean escapeForJavascript,
                                                  boolean escapeCDATA)
      • cleanValue

        public static java.lang.String cleanValue(java.lang.String value,
                                                  boolean escapeForJavascript,
                                                  boolean escapeForHTML,
                                                  boolean escapeCDATA)
        If the value is HTML, removes all JavaScript and embedded objects; if it is text, converts it to HTML
        Parameters:
        escapeForJavascript - true to escape special characters so the string can be used in JavaScript
        escapeForHTML - true to encode special characters as character or entity references so the string can be used in an HTML attribute
        escapeCDATA - true to escape CDATA blocks so that the value can be placed in a CDATA block
      • richTextSanitize

        public static java.lang.String richTextSanitize(java.lang.String value)
        Sanitize the value to remove malicious content based on the value of the webclient.richtext.sanitize property.
        Parameters:
        value - The text to be sanitized.
        Returns:
        The sanitized string if the property is set, otherwise the original string.
      • sanitize

        public static java.lang.String sanitize(java.lang.String value)
        Sanitize the value to remove malicious content.
        Parameters:
        value - The text to be sanitized.
        Returns:
        The sanitized string.
        Throws:
        java.lang.Exception
      • truncateText

        public static java.lang.String truncateText(java.lang.String value,
                                                    int limit)
                                             throws java.lang.Exception
        Throws:
        java.lang.Exception
      • encodeTolerant

        public static java.lang.String encodeTolerant(java.lang.String value)
        Encodes the specified value for HTML but allows a basic set of formatting tags. Use HTML.encode(String) to completely encode all tags.
        Parameters:
        value - The text to be encoded.
        Returns:
        The encoded string.
      • encode

        public static java.lang.String encode(java.lang.String value)
        Encodes the specified value for use in HTML attribute values or text values.
        Parameters:
        value - The text to be encoded.
        Returns:
        The encoded string.
      • encode

        public static java.lang.String encode(java.lang.String value,
                                              java.lang.String[] allowedHTMLTags)
        Encodes the specified value for use in HTML attribute values or text values.
        Parameters:
        value - The text to be encoded.
        allowedHTMLTags - An array of allowed HTML tags. Note that these tags must have the < and > symbols.
        Returns:
        The encoded string.
      • decode

        public static java.lang.String decode(java.lang.String value)
      • isHtml

        public static boolean isHtml(java.lang.String value)
        Determines whether the given string is HTML
        Parameters:
        value - the string to evaluate
        Returns:
        true if the value looks like it is html
      • toPlainText

        public static java.lang.String toPlainText(java.lang.String html,
                                                   boolean encodeForHtml)
      • toPlainText

        public static java.lang.String toPlainText(java.lang.String html)
      • cleanText

        public static java.lang.String cleanText(java.lang.String text,
                                                 boolean escapeForJavascript)
      • cleanText

        public static java.lang.String cleanText(java.lang.String text)
        Converts plain text to HTML, adding line breaks and escaping characters for JavaScript
        Parameters:
        text - the text to be cleaned up
        escapeForJavascript - true if newlines and quotes should be escaped so the resulting string can be used as-is in a JavaScript string.
        Returns:
        a cleaned up version of the text
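        The following is an added example, not code from psdi.util.HTML or from Maximo, illustrating the two techniques documented above: encoding a value for HTML while restoring an explicit allowlist of literal tags (as encode(String, String[]) describes, with tags given including their < and > symbols), and converting plain text to HTML with line breaks and an optional JavaScript-string escape (as cleanText describes). The class name, the exact entity choices and the JavaScript escaping rules are assumptions made for the example; the real library's output may differ.

```java
import java.util.Arrays;

// Illustrative HTML output-encoding helpers in the spirit of psdi.util.HTML.
// This is added example code, not Maximo's implementation; names and exact
// behaviour are assumptions chosen to demonstrate the concepts.
public final class HtmlEncodingExample {

    private HtmlEncodingExample() {}

    // Encode the five characters that are significant in HTML text and
    // attribute contexts. Encoding both quote characters makes the result
    // safe inside a quoted attribute value as well as in a text node.
    public static String encode(String value) {
        if (value == null) return null;
        StringBuilder sb = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Encode everything, then restore an allowlist of literal tags supplied
    // with their < and > symbols (e.g. "<b>", "</b>"). Because the match is on
    // the exact literal, a tag carrying attributes such as "<b onmouseover=x>"
    // is not restored: it stays encoded and renders as harmless text.
    public static String encode(String value, String[] allowedHTMLTags) {
        String encoded = encode(value);
        if (encoded == null) return null;
        for (String tag : allowedHTMLTags) {
            encoded = encoded.replace(encode(tag), tag);
        }
        return encoded;
    }

    // Plain text to HTML: encode first, then turn newlines into <br/>.
    // The order matters: encoding after inserting <br/> would destroy the
    // line breaks. Optionally escape the result for a JavaScript string.
    public static String cleanText(String text, boolean escapeForJavascript) {
        if (text == null) return null;
        String html = encode(text).replace("\r\n", "\n").replace("\n", "<br/>");
        return escapeForJavascript ? escapeForJavascriptString(html) : html;
    }

    // Escape for embedding inside a JavaScript string literal: backslash,
    // both quote kinds, line terminators (including U+2028/U+2029, which are
    // line terminators in JavaScript), and "</" so that data containing
    // </script> cannot terminate the surrounding script block.
    public static String escapeForJavascriptString(String s) {
        if (s == null) return null;
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '\\': sb.append("\\\\"); break;
                case '"':  sb.append("\\\""); break;
                case '\'': sb.append("\\'");  break;
                case '\n': sb.append("\\n");  break;
                case '\r': sb.append("\\r");  break;
                case '\u2028': sb.append("\\u2028"); break;
                case '\u2029': sb.append("\\u2029"); break;
                case '/':
                    // Break up "</" while leaving other slashes alone.
                    if (i > 0 && s.charAt(i - 1) == '<') sb.append("\\/");
                    else sb.append('/');
                    break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample inputs, not data from the page.
        String[] allowed = {"<b>", "</b>", "<i>", "</i>"};
        System.out.println(encode("<script>alert(1)</script> & \"quoted\""));
        System.out.println(encode("<b>bold</b> <b onmouseover=x>not bold</b>", allowed));
        System.out.println(cleanText("line 1\nline 2 </script>", false));
        System.out.println(cleanText("line 1\nline 2 </script>", true));
        System.out.println(Arrays.toString(allowed));
    }
}
```

        A practical consequence visible in the allowlist variant: only tags that appear exactly as listed survive, so any allowlist entry should be the bare opening or closing tag, never a pattern with attributes, and the caller is responsible for choosing a small, formatting-only set.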
      • cleanHtml

        public static java.lang.String cleanHtml(java.lang.String html,
                                                 boolean escapeForJavascript,
                                                 boolean escapeForHTML,
                                                 boolean escapeCDATA)
      • cleanHtml

        public static java.lang.String cleanHtml(java.lang.String html,
                                                 boolean escapeForJavascript,
                                                 boolean escapeCDATA)
      • cleanHtml

        public static java.lang.String cleanHtml(java.lang.String html,
                                                 boolean escapeCDATA)
        Escapes values, removes script, object and embed tags, and removes script from attributes
        Parameters:
        html - the original html string
        Returns:
        the cleaned string
      • unittestIsHtmlForceAlwaysText

        public static void unittestIsHtmlForceAlwaysText(boolean value)
        For unit test only, do not use in production code
      • unittestIsHtmlForceAlwaysHtml

        public static void unittestIsHtmlForceAlwaysHtml(boolean value)
        For unit test only, do not use in production code
      • replaceNewLineWithBR

        public static java.lang.String replaceNewLineWithBR(java.lang.String message)
      • securitySafeWithHTMLEncoding

        public static java.lang.String securitySafeWithHTMLEncoding(java.lang.String aText)
      • containsFormattingTags

        public static boolean containsFormattingTags(java.lang.String message)