SafeStyles.java example

Explorer
google-web-toolkit-svnmirror-master
/*
 * Copyright 2011 Google Inc.
 * 
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy of
 * the License at
 * 
 * http://www.apache.org/licenses/LICENSE-2.0
 * 
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 * License for the specific language governing permissions and limitations under
 * the License.
 */
package com.google.gwt.safecss.shared;

import java.io.Serializable;

/**
 * An object that implements this interface encapsulates zero or more CSS
 * properties that are guaranteed to be safe to use (with respect to potential
 * Cross-Site-Scripting vulnerabilities) in a CSS (Cascading Style Sheet)
 * attribute context. A CSS attribute context can be inside of a CSS rule in a
 * {@code style} element, or inside the {@code style} attribute of a DOM
 * element.
 * 
 * <p>
 * Note on usage: {@link SafeStyles} should be used to ensure user input is not
 * executed in the browser. {@link SafeStyles} should not be used to sanitize
 * input before sending it to the server: The server cannot rely on the type
 * contract of {@link SafeStyles} values received from clients, because a
 * malicious client could provide maliciously crafted serialized forms of
 * implementations of this type that violate the type contract.
 * 
 * <p>
 * All implementing classes must maintain the class invariant (by design and
 * implementation and/or convention of use), that invoking {@link #asString()}
 * on any instance will return a string that is safe to assign to a CSS
 * attribute in a browser, in the sense that doing so must not cause execution
 * of script in the browser. Generally, {@link SafeStyles} should be of the form
 * {@code cssPropertyName:value;}, where neither the name nor the value contain
 * malicious scripts.
 * 
 * <p>
 * {@link SafeStyles} may never contain literal angle brackets. Otherwise, it
 * could be unsafe to place a {@link SafeStyles} into a <style> tag (where
 * it can't be HTML escaped). For example, if the {@link SafeStyles} containing
 * "<code>font: 'foo <style><script>evil</script></code>'" is
 * used in a style sheet in a <style> tag, this could then break out of
 * the style context into HTML.
 * 
 * <p>
 * {@link SafeStyles} may contain literal single or double quotes, and as such
 * the entire style string must be escaped when used in a style attribute (if
 * this were not the case, the string could contain a matching quote that would
 * escape from the style attribute).
 * 
 * <p>
 * Furthermore, values of this type must be composable, i.e. for any two values
 * {@code A} and {@code B} of this type, {@code A.asString() + B.asString()}
 * must itself be a value that satisfies the {@link SafeStyles} type constraint.
 * This requirement implies that for any value {@code A} of this type,
 * {@code A.asString()} must not end in a "CSS value" or "CSS name" context. For
 * example, a value of {@code background:url("} or {@code font-} would not
 * satisfy the {@link SafeStyles} contract. This is because concatenating such
 * strings with a second value that itself does not contain unsafe CSS can
 * result in an overall string that does. For example, if
 * {@code javascript:evil())"} is appended to {@code background:url("}, the
 * resulting string may result in the execution of a malicious script.
 * 
 * <p>
 * The following example values comply with this type's contract:
 * <ul>
 * <li><code>width: 1em;</code></li>
 * <li><code>height:1em;</code></li>
 * <li><code>width: 1em;height: 1em;</code></li>
 * <li><code>background:url('http://url');</code></li>
 * </ul>
 * In addition, the empty string is safe for use in a CSS attribute.
 * 
 * <p>
 * The following example values do <em>not</em> comply with this type's contract:
 * <ul>
 * <li><code>background: red</code> (missing a trailing semi-colon)</li>
 * <li><code>background:</code> (missing a value and a trailing semi-colon)</li>
 * <li><code>1em</code> (missing an attribute name, which provides context for the value)</li>
 * </ul>
 * 
 * <p>
 * All implementations must implement equals() and hashCode() to behave
 * consistently with the result of asString().equals() and asString.hashCode().
 * 
 * <p>
 * Implementations must not return {@code null} from {@link #asString()}.
 */
public interface SafeStyles extends Serializable {
  /*
   * Notes regarding serialization:
   * 
   * - It may be reasonable to allow deserialization on the client of objects
   * serialized on the server (i.e. RPC responses), based on the assumption that
   * server code is trusted and would not provide a malicious serialized form
   * (if a MitM were able to modify server responses, the client would be fully
   * compromised in any case). However, the GWT RPC framework currently does not
   * seem to provide a facility for restricting deserialization on the Server
   * only (though this shouldn't be difficult to implement through a custom
   * SerializationPolicy)
   * 
   * - Some implementations of SafeStyles would in principle be able to enforce
   * their class invariant on deserialization. However, the GWT RPC framework
   * does not provide for an equivalent of readResolve() to enforce the class
   * invariant on deserialization.
   */

  /**
   * Returns this object's contained CSS as a string.
   * 
   * <p>
   * Based on this class' contract, the returned value will be non-null and a
   * string that is safe to use in an CSS attribute context.
   * 
   * @return the contents as a String
   */
  String asString();

  /**
   * Compares this string to the specified object. Must be equal to
   * asString().equals().
   * 
   * @param anObject the object to compare to
   */
  boolean equals(Object anObject);

  /**
   * Returns a hash code for this string. Must be equal to
   * asString().hashCode().
   */
  int hashCode();
}