001/**
002 *
003 * Copyright (c) 2014, the Railo Company Ltd. All rights reserved.
004 *
005 * This library is free software; you can redistribute it and/or
006 * modify it under the terms of the GNU Lesser General Public
007 * License as published by the Free Software Foundation; either 
008 * version 2.1 of the License, or (at your option) any later version.
009 * 
010 * This library is distributed in the hope that it will be useful,
011 * but WITHOUT ANY WARRANTY; without even the implied warranty of
012 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
013 * Lesser General Public License for more details.
014 * 
015 * You should have received a copy of the GNU Lesser General Public 
016 * License along with this library.  If not, see <http://www.gnu.org/licenses/>.
017 * 
018 **/
019package lucee.runtime.functions.owasp;
020
import java.io.PrintStream;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;

import lucee.commons.io.DevNullOutputStream;
import lucee.commons.lang.StringUtil;
import lucee.runtime.PageContext;
import lucee.runtime.exp.ApplicationException;
import lucee.runtime.exp.FunctionException;
import lucee.runtime.exp.PageException;
import lucee.runtime.ext.function.Function;
import lucee.runtime.op.Caster;

import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Encoder;
import org.owasp.esapi.errors.EncodingException;
035
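/**
 * Output-encoding helper backed by the OWASP ESAPI {@link Encoder}.
 *
 * {@link #call} is the function entry point (the {@code ESAPIEncode(encodeFor, value)}
 * function named in the error it raises); {@link #encode} is the typed core and
 * {@link #canonicalize} exposes ESAPI's decoder for input normalisation.
 *
 * Security note: output encoding is only effective when the chosen context matches the
 * exact place the value is interpolated. HTML body encoding does not make a value safe
 * inside an attribute, a script block, a URL or CSS — pick the matching {@code encodeFor}
 * for each sink. Encoding is not a substitute for validation of the input itself.
 */
public class ESAPIEncode implements Function {

        private static final long serialVersionUID = -6432679747287827759L;

        /** Target context codes accepted by {@link #encode(String, short)}. */
        public static final short ENC_BASE64=1;     // reserved: not implemented by encode()
        public static final short ENC_CSS=2;
        public static final short ENC_DN=3;
        public static final short ENC_HTML=4;
        public static final short ENC_HTML_ATTR=5;
        public static final short ENC_JAVA_SCRIPT=6;
        public static final short ENC_LDAP=7;
        public static final short ENC_OS=8;         // reserved: not implemented by encode()
        public static final short ENC_SQl=9;        // reserved: not implemented by encode()
        public static final short ENC_URL=10;
        public static final short ENC_VB_SCRIPT=11;
        public static final short ENC_XML=12;
        public static final short ENC_XML_ATTR=13;
        public static final short ENC_XPATH=14;

        /** Canonical spellings listed in the error raised for an unknown {@code encodeFor}. */
        private static final String VALID_ENCODE_FOR =
                        "[css,dn,html,html_attr,javascript,ldap,url,vbscript,xml,xml_attr,xpath]";

        /**
         * Every accepted (already lower-cased, trimmed) {@code encodeFor} spelling mapped to
         * its {@code ENC_*} code. Populated once in the static initializer and never mutated
         * afterwards, so concurrent reads are safe.
         */
        private static final Map<String, Short> ENCODE_FOR_NAMES = new HashMap<String, Short>();

        static {
                register(ENC_CSS, "css");
                register(ENC_DN, "dn");
                register(ENC_HTML, "html");
                register(ENC_HTML_ATTR,
                                "html_attr", "htmlattr", "html-attr", "html attr",
                                "html_attributes", "htmlattributes", "html-attributes", "html attributes");
                register(ENC_JAVA_SCRIPT, "js", "javascript", "java_script", "java script", "java-script");
                register(ENC_LDAP, "ldap");
                register(ENC_URL, "url");
                register(ENC_VB_SCRIPT, "vbs", "vbscript", "vb-script", "vb_script", "vb script");
                register(ENC_XML, "xml");
                register(ENC_XML_ATTR,
                                "xmlattr", "xml attr", "xml-attr", "xml_attr",
                                "xmlattributes", "xml attributes", "xml-attributes", "xml_attributes");
                register(ENC_XPATH, "xpath");
        }

        /** Registers each of {@code names} as an accepted spelling for {@code encFor}. */
        private static void register(short encFor, String... names) {
                Short code = Short.valueOf(encFor);
                for (String name : names) {
                        ENCODE_FOR_NAMES.put(name, code);
                }
        }

        /**
         * Encodes {@code item} for the output context identified by {@code encFor}.
         *
         * {@code ENC_BASE64}, {@code ENC_OS} and {@code ENC_SQl} are declared but not
         * implemented: ESAPI's OS and SQL encoders need an additional codec argument that
         * this signature does not expose, so those codes are rejected like any unknown value.
         *
         * @param item   text to encode; passed straight through to ESAPI (a {@code null}
         *               item is whatever ESAPI returns for {@code null})
         * @param encFor one of the implemented {@code ENC_*} constants
         * @return the encoded text
         * @throws ApplicationException if {@code encFor} is not an implemented context
         * @throws PageException        if ESAPI reports an {@link EncodingException}
         *                              (the URL encoder is the one that declares it)
         */
        public static String encode(String item, short encFor) throws PageException {
                // The stream swap is presumably there to silence output ESAPI writes to
                // System.out while it initialises. NOTE(review): System.setOut is JVM-wide
                // and not thread-safe — concurrent callers race on the swap/restore, and any
                // other thread's stdout output during this window is discarded. Configuring
                // ESAPI's logging would be the cleaner fix.
                PrintStream original = System.out;
                try {
                        System.setOut(new PrintStream(DevNullOutputStream.DEV_NULL_OUTPUT_STREAM));
                        Encoder encoder = ESAPI.encoder();
                        switch (encFor) {
                                case ENC_CSS:         return encoder.encodeForCSS(item);
                                case ENC_DN:          return encoder.encodeForDN(item);
                                case ENC_HTML:        return encoder.encodeForHTML(item);
                                case ENC_HTML_ATTR:   return encoder.encodeForHTMLAttribute(item);
                                case ENC_JAVA_SCRIPT: return encoder.encodeForJavaScript(item);
                                case ENC_LDAP:        return encoder.encodeForLDAP(item);
                                case ENC_URL:         return encoder.encodeForURL(item);
                                case ENC_VB_SCRIPT:   return encoder.encodeForVBScript(item);
                                case ENC_XML:         return encoder.encodeForXML(item);
                                case ENC_XML_ATTR:    return encoder.encodeForXMLAttribute(item);
                                case ENC_XPATH:       return encoder.encodeForXPath(item);
                                default:
                                        // Include the offending code so a bad caller is easy to locate.
                                        throw new ApplicationException("invalid target encoding definition [" + encFor + "]");
                        }
                }
                catch (EncodingException ee) {
                        throw Caster.toPageException(ee);
                }
                finally {
                        System.setOut(original);
                }
        }

        /**
         * Function entry point: resolves the textual {@code encodeFor} name and delegates to
         * {@link #encode(String, short)}.
         *
         * The name is trimmed and lower-cased with {@link Locale#ROOT} so the lookup does not
         * depend on the JVM's default locale (under a Turkish default locale an upper-case
         * {@code I} would otherwise not fold to {@code i} and "JAVASCRIPT" would be rejected).
         * A {@code null} name is treated as empty and therefore rejected.
         *
         * @param pc           page context, used only to build the error
         * @param strEncodeFor target context name; any spelling registered in
         *                     {@code ENCODE_FOR_NAMES} (e.g. {@code html}, {@code html_attr},
         *                     {@code js}, {@code url}, {@code xml attr})
         * @param value        text to encode
         * @return the encoded value
         * @throws FunctionException if {@code strEncodeFor} is not a known context name; the
         *                           message lists the canonical spellings
         * @throws PageException     propagated from {@link #encode(String, short)}
         */
        public static String call(PageContext pc, String strEncodeFor, String value) throws PageException {
                String key = StringUtil.emptyIfNull(strEncodeFor).trim().toLowerCase(Locale.ROOT);
                Short encFor = ENCODE_FOR_NAMES.get(key);
                if (encFor == null) {
                        throw new FunctionException(pc, "ESAPIEncode", 1, "encodeFor",
                                        "value [" + key + "] is invalid, valid values are " + VALID_ENCODE_FOR);
                }
                return encode(value, encFor.shortValue());
        }

        /**
         * Decodes {@code input} to its canonical form via ESAPI's encoder, undoing the
         * encodings it recognises so that validation sees the "real" characters.
         *
         * Per ESAPI's contract the two flags make the decoder reject input that is encoded
         * more than once ({@code restrictMultiple}) or with several different schemes
         * ({@code restrictMixed}) — both classic evasion tricks — by raising an unchecked
         * intrusion exception rather than returning a value. Nothing here catches that, so
         * it surfaces to the caller; confirm the exact behaviour against the ESAPI version in
         * use.
         *
         * @param input            text to canonicalise
         * @param restrictMultiple reject input that is encoded multiple times
         * @param restrictMixed    reject input that mixes encoding schemes
         * @return the canonical form, or {@code null} (not the empty string) when
         *         {@code input} is {@code null} or empty
         */
        public static String canonicalize(String input, boolean restrictMultiple, boolean restrictMixed) {
                if (StringUtil.isEmpty(input)) return null;
                // Same JVM-wide, non-thread-safe System.out swap as in encode(); see the note there.
                PrintStream original = System.out;
                try {
                        System.setOut(new PrintStream(DevNullOutputStream.DEV_NULL_OUTPUT_STREAM));
                        return ESAPI.encoder().canonicalize(input, restrictMultiple, restrictMixed);
                }
                finally {
                        System.setOut(original);
                }
        }

}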