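/**
 *
 * Copyright (c) 2014, the Railo Company Ltd. All rights reserved.
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library. If not, see <http://www.gnu.org/licenses/>.
 *
 **/
package lucee.runtime.functions.owasp;

import java.io.PrintStream;
import java.util.Collections;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;

import lucee.commons.io.DevNullOutputStream;
import lucee.commons.lang.StringUtil;
import lucee.runtime.PageContext;
import lucee.runtime.exp.ApplicationException;
import lucee.runtime.exp.FunctionException;
import lucee.runtime.exp.PageException;
import lucee.runtime.ext.function.Function;
import lucee.runtime.op.Caster;

import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Encoder;
import org.owasp.esapi.errors.EncodingException;

/**
 * CFML function {@code ESAPIEncode(encodeFor, value)}: output-encodes {@code value} for the
 * context named by {@code encodeFor} using the OWASP ESAPI {@link Encoder}.
 *
 * <p>Output encoding is context specific: a value encoded for HTML body text is not safe inside
 * an HTML attribute, a JavaScript string literal or a URL. Callers must choose the target that
 * matches exactly where the value is emitted.
 *
 * <p>Thread-safety note: {@link #encode} and {@link #canonicalize} temporarily replace
 * {@link System#out} with a null stream while ESAPI runs (presumably to suppress ESAPI's own
 * console output - confirm). {@code System.setOut} is JVM-global, not per-thread, so anything
 * another thread prints to stdout during that window is discarded, and two concurrent callers
 * may restore each other's stream.
 */
public class ESAPIEncode implements Function {

    private static final long serialVersionUID = -6432679747287827759L;

    public static final short ENC_BASE64 = 1;
    public static final short ENC_CSS = 2;
    public static final short ENC_DN = 3;
    public static final short ENC_HTML = 4;
    public static final short ENC_HTML_ATTR = 5;
    public static final short ENC_JAVA_SCRIPT = 6;
    public static final short ENC_LDAP = 7;
    public static final short ENC_OS = 8;
    // spelling kept as-is: public constant that external code may reference
    public static final short ENC_SQl = 9;
    public static final short ENC_URL = 10;
    public static final short ENC_VB_SCRIPT = 11;
    public static final short ENC_XML = 12;
    public static final short ENC_XML_ATTR = 13;
    public static final short ENC_XPATH = 14;

    /** Target names listed in the error raised for an unknown {@code encodeFor} value. */
    private static final String VALID_VALUES = "[css,dn,html,html_attr,javascript,ldap,vbscript,xml,xml_attr,xpath]";

    /** Every accepted {@code encodeFor} spelling (trimmed, lower-cased) mapped to its {@code ENC_*} code. */
    private static final Map<String, Short> ENC_BY_NAME = buildNameTable();

    /** Builds the name -> code table; one entry per accepted spelling. */
    private static Map<String, Short> buildNameTable() {
        Map<String, Short> table = new HashMap<String, Short>();
        // "base64" is deliberately not accepted: its encode() case is not wired up (see encode)
        register(table, ENC_CSS, "css");
        register(table, ENC_DN, "dn");
        register(table, ENC_HTML, "html");
        register(table, ENC_HTML_ATTR, "html_attr", "htmlattr", "html-attr", "html attr",
                "html_attributes", "htmlattributes", "html-attributes", "html attributes");
        register(table, ENC_JAVA_SCRIPT, "js", "javascript", "java_script", "java script", "java-script");
        register(table, ENC_LDAP, "ldap");
        // ENC_OS and ENC_SQl have no name: the matching ESAPI encoders need a codec argument (see encode)
        register(table, ENC_URL, "url");
        register(table, ENC_VB_SCRIPT, "vbs", "vbscript", "vb-script", "vb_script", "vb script");
        register(table, ENC_XML, "xml");
        register(table, ENC_XML_ATTR, "xmlattr", "xml attr", "xml-attr", "xml_attr",
                "xmlattributes", "xml attributes", "xml-attributes", "xml_attributes");
        register(table, ENC_XPATH, "xpath");
        return Collections.unmodifiableMap(table);
    }

    /** Maps each of {@code names} to {@code encFor} in {@code table}. */
    private static void register(Map<String, Short> table, short encFor, String... names) {
        for (String name : names) {
            table.put(name, encFor);
        }
    }

    /**
     * Encodes {@code item} for the target selected by one of the {@code ENC_*} constants.
     *
     * @param item   the raw (untrusted) value; handed unchanged to the ESAPI encoder
     * @param encFor one of the {@code ENC_*} constants
     * @return the encoded string as produced by ESAPI
     * @throws PageException if {@code encFor} has no encoder wired up here ({@code ENC_BASE64},
     *         {@code ENC_OS} and {@code ENC_SQl} included) or ESAPI reports an
     *         {@link EncodingException}
     */
    public static String encode(String item, short encFor) throws PageException {
        PrintStream originalOut = System.out;
        try {
            // JVM-global swap, not thread-local: see the class comment
            System.setOut(new PrintStream(DevNullOutputStream.DEV_NULL_OUTPUT_STREAM));
            Encoder encoder = ESAPI.encoder();
            switch (encFor) {
                case ENC_CSS:         return encoder.encodeForCSS(item);
                case ENC_DN:          return encoder.encodeForDN(item);
                case ENC_HTML:        return encoder.encodeForHTML(item);
                case ENC_HTML_ATTR:   return encoder.encodeForHTMLAttribute(item);
                case ENC_JAVA_SCRIPT: return encoder.encodeForJavaScript(item);
                case ENC_LDAP:        return encoder.encodeForLDAP(item);
                case ENC_URL:         return encoder.encodeForURL(item);
                case ENC_VB_SCRIPT:   return encoder.encodeForVBScript(item);
                case ENC_XML:         return encoder.encodeForXML(item);
                case ENC_XML_ATTR:    return encoder.encodeForXMLAttribute(item);
                case ENC_XPATH:       return encoder.encodeForXPath(item);
                default:
                    break;
            }
            // Intentionally unsupported: ENC_BASE64 (ESAPI's base64 encoder does not take a plain
            // String here), ENC_OS and ENC_SQl (ESAPI's encodeForOS/encodeForSQL take a codec
            // argument this function cannot supply).
            throw new ApplicationException("invalid target encoding definition");
        }
        catch (EncodingException ee) {
            throw Caster.toPageException(ee);
        }
        finally {
            System.setOut(originalOut);
        }
    }

    /**
     * CFML entry point for {@code ESAPIEncode(encodeFor, value)}.
     *
     * @param pc           current page context, used only when raising the argument error
     * @param strEncodeFor target name; {@code null} is treated as empty, surrounding whitespace is
     *                     ignored and matching is case-insensitive (accepted spellings are the
     *                     keys of {@code ENC_BY_NAME})
     * @param value        the value to encode
     * @return {@code value} encoded for the requested target
     * @throws PageException if {@code strEncodeFor} names no known target, or encoding fails
     */
    public static String call(PageContext pc, String strEncodeFor, String value) throws PageException {
        // Locale.ROOT: under a Turkish default locale toLowerCase() folds 'I' to dotless i, so
        // e.g. "JAVASCRIPT" would never match its table entry
        String key = StringUtil.emptyIfNull(strEncodeFor).trim().toLowerCase(Locale.ROOT);
        Short encFor = ENC_BY_NAME.get(key);
        if (encFor == null) {
            throw new FunctionException(pc, "ESAPIEncode", 1, "encodeFor",
                    "value [" + key + "] is invalid, valid values are " + VALID_VALUES);
        }
        return encode(value, encFor.shortValue());
    }

    /**
     * Canonicalizes {@code input} via ESAPI, i.e. reduces it to its decoded form before it is
     * validated, so that double- or mixed-encoded payloads cannot slip past a later check.
     *
     * @param input            value to canonicalize; {@code null} or empty yields {@code null}
     * @param restrictMultiple passed to ESAPI; per its contract, {@code true} makes multiply-encoded
     *                         input be rejected rather than decoded (confirm against the ESAPI version in use)
     * @param restrictMixed    passed to ESAPI; per its contract, {@code true} makes input mixing
     *                         encoding schemes be rejected (confirm as above)
     * @return the canonical form, or {@code null} for an empty input
     */
    public static String canonicalize(String input, boolean restrictMultiple, boolean restrictMixed) {
        if (StringUtil.isEmpty(input)) return null;
        PrintStream originalOut = System.out;
        try {
            // JVM-global swap, not thread-local: see the class comment
            System.setOut(new PrintStream(DevNullOutputStream.DEV_NULL_OUTPUT_STREAM));
            return ESAPI.encoder().canonicalize(input, restrictMultiple, restrictMixed);
        }
        finally {
            System.setOut(originalOut);
        }
    }

}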