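package railo.runtime.functions.owasp;

import java.io.PrintStream;
import java.util.Locale;

import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Encoder;
import org.owasp.esapi.errors.EncodingException;

import railo.commons.io.DevNullOutputStream;
import railo.commons.lang.StringUtil;
import railo.runtime.PageContext;
import railo.runtime.exp.ApplicationException;
import railo.runtime.exp.FunctionException;
import railo.runtime.exp.PageException;
import railo.runtime.ext.function.Function;
import railo.runtime.op.Caster;

/**
 * Implements the CFML function {@code ESAPIDecode(decodeFrom, value)}: decodes
 * {@code value} with the OWASP ESAPI {@link Encoder}.
 *
 * <p>Only URL decoding is wired up. {@link #DEC_BASE64} is declared but neither
 * {@link #decode} nor {@link #call} accepts it; passing it (or any other value)
 * is rejected with an exception rather than silently returning the input.
 *
 * <p>Thread-safety: {@link #decode} temporarily replaces {@code System.out} for the
 * whole JVM, not just the calling thread. Two concurrent calls can interleave so that
 * the second call captures the already-swapped null stream and restores <em>that</em>
 * in its {@code finally}, leaving {@code System.out} discarded for the rest of the
 * process; output written by unrelated threads during the window is lost as well.
 * TODO(review): confirm why the swap is needed (presumably ESAPI prints to stdout
 * on first use) and either serialize the swap or configure ESAPI to be quiet instead.
 */
public class ESAPIDecode implements Function {

    private static final long serialVersionUID = 7054200748398531363L;

    /** Declared for symmetry with the encoder side; not handled by {@link #decode}. */
    public static final short DEC_BASE64 = 1;
    /** URL (percent-)decoding via {@link Encoder#decodeFromURL(String)}. */
    public static final short DEC_URL = 2;

    /**
     * Decodes {@code item} from the encoding selected by {@code decFrom}.
     *
     * @param item    the encoded input; passed straight to ESAPI, which decides how
     *                {@code null} is treated
     * @param decFrom one of the {@code DEC_*} constants; only {@link #DEC_URL} is
     *                supported
     * @return the decoded string
     * @throws PageException if {@code decFrom} is not {@link #DEC_URL}, or if ESAPI
     *                       reports an {@link EncodingException} (wrapped via
     *                       {@link Caster#toPageException}). ESAPI may additionally
     *                       raise its own unchecked exceptions (e.g. on input it
     *                       considers double-encoded); those are not translated here.
     */
    public static String decode(String item, short decFrom) throws PageException {
        // Global, non-thread-safe swap: see the class Javadoc for the race it introduces.
        PrintStream out = System.out;
        try {
            System.setOut(new PrintStream(DevNullOutputStream.DEV_NULL_OUTPUT_STREAM));
            Encoder encoder = ESAPI.encoder();
            switch (decFrom) {
                case DEC_URL:
                    return encoder.decodeFromURL(item);
                default:
                    // DEC_BASE64 and anything else are deliberately not supported.
                    throw new ApplicationException("invalid target decoding definition");
            }
        } catch (EncodingException ee) {
            // Preserve the cause so the CFML-side error keeps ESAPI's detail.
            throw Caster.toPageException(ee);
        } finally {
            System.setOut(out);
        }
    }

    /**
     * CFML entry point: validates {@code strDecodeFrom} and delegates to {@link #decode}.
     *
     * @param pc            the current page context, used for error reporting only
     * @param strDecodeFrom the requested source encoding; compared case-insensitively
     *                      after trimming, so {@code null}, {@code " URL "} and
     *                      {@code "url"} are all handled
     * @param value         the encoded input
     * @return the decoded string
     * @throws PageException if {@code strDecodeFrom} is not {@code "url"}, or if
     *                       {@link #decode} fails
     */
    public static String call(PageContext pc, String strDecodeFrom, String value) throws PageException {
        // Locale.ROOT keeps the comparison independent of the server's default locale.
        String decodeFrom = StringUtil.emptyIfNull(strDecodeFrom).trim().toLowerCase(Locale.ROOT);
        if (!"url".equals(decodeFrom)) {
            throw new FunctionException(pc, "ESAPIDecode", 1, "decodeFrom",
                    "value [" + decodeFrom + "] is invalid, valid values are [url]");
        }
        return decode(value, DEC_URL);
    }

}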