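/**
 *
 * Copyright (c) 2014, the Railo Company Ltd. All rights reserved.
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library. If not, see <http://www.gnu.org/licenses/>.
 *
 **/
package lucee.runtime.functions.owasp;

import java.io.PrintStream;
import java.util.Collections;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;

import lucee.commons.io.DevNullOutputStream;
import lucee.commons.lang.StringUtil;
import lucee.runtime.PageContext;
import lucee.runtime.exp.ApplicationException;
import lucee.runtime.exp.PageException;
import lucee.runtime.ext.function.Function;
import lucee.runtime.op.Caster;

import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Encoder;
import org.owasp.esapi.errors.EncodingException;

/**
 * Implements the CFML function {@code ESAPIEncode}: contextual output encoding of a
 * string for a given sink (HTML body, HTML attribute, JavaScript, URL, ...) via the
 * OWASP ESAPI {@link Encoder}, optionally canonicalizing the input first.
 *
 * <p>Thread-safety note: ESAPI writes to {@code System.out} while it runs, so both
 * {@link #encode} and {@link #canonicalize} temporarily replace the process-wide
 * {@code System.out} with a dev-null stream. Anything another thread prints to
 * {@code System.out} during that window is discarded. The restore step never
 * re-installs the dev-null stream itself, so overlapping calls cannot leave the JVM
 * permanently silenced.
 */
public class ESAPIEncode implements Function {

	private static final long serialVersionUID = -6432679747287827759L;

	// Target-context identifiers accepted by encode(). ENC_BASE64, ENC_OS and ENC_SQl are
	// declared but have no name in toEncodeType() and no branch in encode(); the ESAPI
	// OS and SQL encoders presumably need a Codec this function cannot supply -- confirm.
	public static final short ENC_BASE64 = 1;
	public static final short ENC_CSS = 2;
	public static final short ENC_DN = 3;
	public static final short ENC_HTML = 4;
	public static final short ENC_HTML_ATTR = 5;
	public static final short ENC_JAVA_SCRIPT = 6;
	public static final short ENC_LDAP = 7;
	public static final short ENC_OS = 8;
	public static final short ENC_SQl = 9;
	public static final short ENC_URL = 10;
	public static final short ENC_VB_SCRIPT = 11;
	public static final short ENC_XML = 12;
	public static final short ENC_XML_ATTR = 13;
	public static final short ENC_XPATH = 14;

	/** Sentinel returned by the lookup when a name is unknown; never a valid ENC_* value. */
	private static final short UNKNOWN = (short) -1;

	/**
	 * The single dev-null stream installed as {@code System.out} while ESAPI runs. Sharing
	 * one instance lets {@link #restoreStdout} recognise it as a stale "previous" value.
	 */
	private static final PrintStream DEV_NULL = new PrintStream(DevNullOutputStream.DEV_NULL_OUTPUT_STREAM);

	/** Trimmed, lower-cased encoding names and their aliases, mapped to ENC_* constants. */
	private static final Map<String, Short> ENCODE_TYPES;

	static {
		Map<String, Short> m = new HashMap<String, Short>();
		m.put("css", ENC_CSS);
		m.put("dn", ENC_DN);
		m.put("html", ENC_HTML);
		m.put("html_attr", ENC_HTML_ATTR);
		m.put("htmlattr", ENC_HTML_ATTR);
		m.put("html-attr", ENC_HTML_ATTR);
		m.put("html attr", ENC_HTML_ATTR);
		m.put("html_attributes", ENC_HTML_ATTR);
		m.put("htmlattributes", ENC_HTML_ATTR);
		m.put("html-attributes", ENC_HTML_ATTR);
		m.put("html attributes", ENC_HTML_ATTR);
		m.put("js", ENC_JAVA_SCRIPT);
		m.put("javascript", ENC_JAVA_SCRIPT);
		m.put("java_script", ENC_JAVA_SCRIPT);
		m.put("java script", ENC_JAVA_SCRIPT);
		m.put("java-script", ENC_JAVA_SCRIPT);
		m.put("ldap", ENC_LDAP);
		m.put("url", ENC_URL);
		m.put("vbs", ENC_VB_SCRIPT);
		m.put("vbscript", ENC_VB_SCRIPT);
		m.put("vb-script", ENC_VB_SCRIPT);
		m.put("vb_script", ENC_VB_SCRIPT);
		m.put("vb script", ENC_VB_SCRIPT);
		m.put("xml", ENC_XML);
		m.put("xmlattr", ENC_XML_ATTR);
		m.put("xml attr", ENC_XML_ATTR);
		m.put("xml-attr", ENC_XML_ATTR);
		m.put("xml_attr", ENC_XML_ATTR);
		m.put("xmlattributes", ENC_XML_ATTR);
		m.put("xml attributes", ENC_XML_ATTR);
		m.put("xml-attributes", ENC_XML_ATTR);
		m.put("xml_attributes", ENC_XML_ATTR);
		m.put("xpath", ENC_XPATH);
		ENCODE_TYPES = Collections.unmodifiableMap(m);
	}

	/**
	 * Encodes {@code item} for the output context identified by {@code encFor}.
	 *
	 * @param item the untrusted string to encode; an empty or null value is returned unchanged
	 * @param encFor one of the ENC_* constants
	 * @param canonicalize when true the input is first canonicalized (non-strict) so that
	 *        multiply- or mixed-encoded input is reduced to its plain form before encoding
	 * @return the encoded string
	 * @throws PageException if {@code encFor} has no encoder, or ESAPI reports an encoding error
	 */
	public static String encode(String item, short encFor, boolean canonicalize) throws PageException {
		if (StringUtil.isEmpty(item)) return item;
		PrintStream previous = System.out;
		try {
			// ESAPI logs to stdout; silence it for the duration of the call.
			System.setOut(DEV_NULL);
			Encoder encoder = ESAPI.encoder();
			if (canonicalize) item = encoder.canonicalize(item, false);
			switch (encFor) {
			case ENC_CSS:
				return encoder.encodeForCSS(item);
			case ENC_DN:
				return encoder.encodeForDN(item);
			case ENC_HTML:
				return encoder.encodeForHTML(item);
			case ENC_HTML_ATTR:
				return encoder.encodeForHTMLAttribute(item);
			case ENC_JAVA_SCRIPT:
				return encoder.encodeForJavaScript(item);
			case ENC_LDAP:
				return encoder.encodeForLDAP(item);
			case ENC_URL:
				return encoder.encodeForURL(item);
			case ENC_VB_SCRIPT:
				return encoder.encodeForVBScript(item);
			case ENC_XML:
				return encoder.encodeForXML(item);
			case ENC_XML_ATTR:
				return encoder.encodeForXMLAttribute(item);
			case ENC_XPATH:
				return encoder.encodeForXPath(item);
			}
			throw new ApplicationException("invalid target encoding definition");
		}
		catch (EncodingException ee) {
			throw Caster.toPageException(ee);
		}
		finally {
			restoreStdout(previous);
		}
	}

	/**
	 * CFML entry point without canonicalization.
	 *
	 * @param pc current page context
	 * @param strEncodeFor encoding name, see {@link #toEncodeType(String, short)} for accepted values
	 * @param value the string to encode
	 * @return the encoded string
	 * @throws PageException if the name is unknown or encoding fails
	 */
	public static String call(PageContext pc, String strEncodeFor, String value) throws PageException {
		return call(pc, strEncodeFor, value, false);
	}

	/**
	 * CFML entry point.
	 *
	 * @param pc current page context
	 * @param strEncodeFor encoding name, see {@link #toEncodeType(String, short)} for accepted values
	 * @param value the string to encode
	 * @param canonicalize whether to canonicalize the input before encoding
	 * @return the encoded string
	 * @throws PageException if the name is unknown or encoding fails
	 */
	public static String call(PageContext pc, String strEncodeFor, String value, boolean canonicalize) throws PageException {
		return encode(value, toEncodeType(pc, strEncodeFor), canonicalize);
	}

	/**
	 * Maps an encoding name (case-insensitive, surrounding whitespace ignored) to its
	 * ENC_* constant. Accepted names and aliases: css, dn, html, html_attr / htmlattr /
	 * html-attr / html attr / html_attributes / htmlattributes / html-attributes /
	 * html attributes, js / javascript / java_script / java script / java-script, ldap,
	 * url, vbs / vbscript / vb-script / vb_script / vb script, xml, xmlattr / xml attr /
	 * xml-attr / xml_attr / xmlattributes / xml attributes / xml-attributes /
	 * xml_attributes, xpath.
	 *
	 * @param strEncodeFor the name to look up; null is treated as empty
	 * @param defaultValue returned when the name is not recognised
	 * @return the matching ENC_* constant or {@code defaultValue}
	 */
	public static short toEncodeType(String strEncodeFor, short defaultValue) {
		// Locale.ROOT: under a Turkish default locale toLowerCase() maps 'I' to dotless
		// 'ı', so upper-cased names containing an 'i' would silently fail to match.
		String key = StringUtil.emptyIfNull(strEncodeFor).trim().toLowerCase(Locale.ROOT);
		Short type = ENCODE_TYPES.get(key);
		return type == null ? defaultValue : type.shortValue();
	}

	/**
	 * Like {@link #toEncodeType(String, short)} but fails instead of returning a default.
	 *
	 * @param pc current page context (unused, kept for the function signature)
	 * @param strEncodeFor the name to look up
	 * @return the matching ENC_* constant
	 * @throws PageException if the name is not recognised
	 */
	public static short toEncodeType(PageContext pc, String strEncodeFor) throws PageException {
		short encFor = toEncodeType(strEncodeFor, UNKNOWN);
		if (encFor != UNKNOWN) return encFor;
		String msg = "value [" + strEncodeFor + "] is invalid, valid values are " + "[css,dn,html,html_attr,javascript,ldap,vbscript,xml,xml_attr,xpath]";
		throw new ApplicationException(msg);
	}

	/**
	 * Canonicalizes {@code input} with the ESAPI encoder, reducing multiply- or mixed-encoded
	 * text to its plain form so that later validation or encoding sees the real characters.
	 *
	 * @param input the string to canonicalize
	 * @param restrictMultiple whether ESAPI should reject input encoded more than once
	 * @param restrictMixed whether ESAPI should reject input using several encodings at once
	 * @return the canonical form, or {@code null} for an empty or null input (unlike
	 *         {@link #encode}, which echoes empty input; callers rely on this difference)
	 */
	public static String canonicalize(String input, boolean restrictMultiple, boolean restrictMixed) {
		if (StringUtil.isEmpty(input)) return null;
		PrintStream previous = System.out;
		try {
			// ESAPI logs to stdout; silence it for the duration of the call.
			System.setOut(DEV_NULL);
			return ESAPI.encoder().canonicalize(input, restrictMultiple, restrictMixed);
		}
		finally {
			restoreStdout(previous);
		}
	}

	/**
	 * Re-installs the {@code System.out} captured before an ESAPI call.
	 *
	 * <p>Two overlapping calls can each capture the other's {@link #DEV_NULL} as their
	 * "previous" stream; restoring that would leave the whole JVM without stdout after both
	 * return, so a stale dev-null value is never restored.
	 *
	 * @param previous the stream that was current before {@link #DEV_NULL} was installed
	 */
	private static void restoreStdout(PrintStream previous) {
		if (previous != DEV_NULL) System.setOut(previous);
	}
}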