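/**
 * Copyright (c) 2000-present Liferay, Inc. All rights reserved.
 *
 * This library is free software; you can redistribute it and/or modify it under
 * the terms of the GNU Lesser General Public License as published by the Free
 * Software Foundation; either version 2.1 of the License, or (at your option)
 * any later version.
 *
 * This library is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
 * FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
 * details.
 */

package com.liferay.comment.sanitizer.internal;

import com.liferay.portal.kernel.sanitizer.BaseSanitizer;
import com.liferay.portal.kernel.sanitizer.Sanitizer;
import com.liferay.portal.kernel.util.ContentTypes;
import com.liferay.portal.kernel.util.GetterUtil;
import com.liferay.portal.kernel.util.MapUtil;
import com.liferay.portal.util.PropsValues;

import java.util.Map;

import org.osgi.service.component.annotations.Component;

import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

/**
 * Sanitizes the HTML of discussion comments with an OWASP HTML Sanitizer
 * allow-list policy built from
 * {@link PropsValues#DISCUSSION_COMMENTS_ALLOWED_CONTENT}.
 *
 * <p>
 * Only content whose options carry {@code "discussion"} set to {@code true}
 * and whose content type is {@code text/html} is sanitized. Everything else
 * is returned unchanged, so a caller that wants comment markup cleaned must
 * pass that option. Elements and attributes absent from the configured
 * allow-list are removed by the policy.
 * </p>
 *
 * @author Sergio González
 */
@Component(immediate = true, service = Sanitizer.class)
public class CommentSanitizerImpl extends BaseSanitizer {

	public CommentSanitizerImpl() {

		// The allow-list comes from a portal property that is fixed for the
		// lifetime of this component, so the policy is built once here rather
		// than on every sanitize call

		_policyFactory = _buildPolicyFactory(
			new CommentAllowedContent(
				PropsValues.DISCUSSION_COMMENTS_ALLOWED_CONTENT));
	}

	/**
	 * Sanitizes {@code content} when it is a discussion comment in HTML.
	 *
	 * @param  companyId unused by this sanitizer
	 * @param  groupId unused by this sanitizer
	 * @param  userId unused by this sanitizer
	 * @param  className unused by this sanitizer
	 * @param  classPK unused by this sanitizer
	 * @param  contentType the content type; sanitization only happens for
	 *         {@link ContentTypes#TEXT_HTML}
	 * @param  modes unused by this sanitizer
	 * @param  content the content to sanitize
	 * @param  options the sanitizer options; the {@code "discussion"} option
	 *         must be {@code true} for sanitization to happen
	 * @return the sanitized content, or {@code content} unchanged when
	 *         {@code options} is empty, the {@code "discussion"} option is
	 *         not {@code true}, or the content type is not {@code text/html}
	 */
	@Override
	public String sanitize(
		long companyId, long groupId, long userId, String className,
		long classPK, String contentType, String[] modes, String content,
		Map<String, Object> options) {

		// A null or empty options map cannot carry the discussion flag

		if (MapUtil.isEmpty(options)) {
			return content;
		}

		boolean discussion = GetterUtil.getBoolean(options.get("discussion"));

		// Constant-first comparison so a null content type takes the
		// pass-through path instead of throwing a NullPointerException

		if (!discussion || !ContentTypes.TEXT_HTML.equals(contentType)) {
			return content;
		}

		return sanitize(content);
	}

	/**
	 * Applies the comment allow-list policy to the given HTML.
	 *
	 * @param  html the HTML to sanitize
	 * @return the HTML with everything outside the allow-list removed
	 */
	protected String sanitize(String html) {
		return _policyFactory.sanitize(html);
	}

	/**
	 * Builds the policy that allows exactly the elements and attributes
	 * described by {@code commentAllowedContent}.
	 */
	private static PolicyFactory _buildPolicyFactory(
		CommentAllowedContent commentAllowedContent) {

		HtmlPolicyBuilder htmlPolicyBuilder = new HtmlPolicyBuilder();

		// URL-valued attributes (e.g. href, src) are limited to http, https
		// and mailto; any other scheme is rejected by the policy

		htmlPolicyBuilder.allowStandardUrlProtocols();

		Map<String, String[]> attributeNames =
			commentAllowedContent.getAttributeNames();

		for (Map.Entry<String, String[]> entry : attributeNames.entrySet()) {
			String elementName = entry.getKey();
			String[] elementAttributeNames = entry.getValue();

			// An element configured without attributes is still allowed, but
			// every attribute on it is stripped

			if (elementAttributeNames != null) {
				HtmlPolicyBuilder.AttributeBuilder attributeBuilder =
					htmlPolicyBuilder.allowAttributes(elementAttributeNames);

				attributeBuilder.onElements(elementName);
			}

			htmlPolicyBuilder.allowElements(elementName);
		}

		return htmlPolicyBuilder.toFactory();
	}

	private final PolicyFactory _policyFactory;

}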