ESAPIEncode.java

package railo.runtime.functions.owasp;

import java.io.PrintStream;

import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Encoder;
import org.owasp.esapi.errors.EncodingException;

import railo.commons.io.DevNullOutputStream;
import railo.commons.lang.StringUtil;
import railo.runtime.PageContext;
import railo.runtime.exp.ApplicationException;
import railo.runtime.exp.FunctionException;
import railo.runtime.exp.PageException;
import railo.runtime.ext.function.Function;
import railo.runtime.op.Caster;

public class ESAPIEncode implements Function {
	
	private static final long serialVersionUID = -6432679747287827759L;
	
	public static final short ENC_BASE64=1;
	public static final short ENC_CSS=2;
	public static final short ENC_DN=3;
	public static final short ENC_HTML=4;
	public static final short ENC_HTML_ATTR=5;
	public static final short ENC_JAVA_SCRIPT=6;
	public static final short ENC_LDAP=7;
	public static final short ENC_OS=8;
	public static final short ENC_SQl=9;
	public static final short ENC_URL=10;
	public static final short ENC_VB_SCRIPT=11;
	public static final short ENC_XML=12;
	public static final short ENC_XML_ATTR=13;
	public static final short ENC_XPATH=14;
	
	
	public static String encode(String item, short encFor) throws PageException  {
		
		PrintStream out = System.out;
		try {
			 System.setOut(new PrintStream(DevNullOutputStream.DEV_NULL_OUTPUT_STREAM));
			 Encoder encoder = ESAPI.encoder();
			 switch(encFor){
			 //case ENC_CSS:return encoder.encodeForBase64(item);
			 case ENC_CSS:return encoder.encodeForCSS(item);
			 case ENC_DN:return encoder.encodeForDN(item);
			 case ENC_HTML:return encoder.encodeForHTML(item);
			 case ENC_HTML_ATTR:return encoder.encodeForHTMLAttribute(item);
			 case ENC_JAVA_SCRIPT:return encoder.encodeForJavaScript(item);
			 case ENC_LDAP:return encoder.encodeForLDAP(item);
			 //case ENC_CSS:return encoder.encodeForOS(arg0, arg1)(item);
			 //case ENC_CSS:return encoder.encodeForSQL(arg0, arg1)CSS(item);
			 case ENC_URL:return encoder.encodeForURL(item);
			 case ENC_VB_SCRIPT:return encoder.encodeForVBScript(item);
			 case ENC_XML:return encoder.encodeForXML(item);
			 case ENC_XML_ATTR:return encoder.encodeForXMLAttribute(item);
			 case ENC_XPATH:return encoder.encodeForXPath(item);
			 }
			 throw new ApplicationException("invalid target encoding defintion");
		}
		catch(EncodingException ee){
			throw Caster.toPageException(ee);
		}
		finally {
			 System.setOut(out);
		}
	}
	
	public static String call(PageContext pc , String strEncodeFor, String value) throws PageException{
		short encFor;
		strEncodeFor=StringUtil.emptyIfNull(strEncodeFor).trim().toLowerCase();
		//if("base64".equals(strEncodeFor)) encFor=ENC_BASE64;
		if("css".equals(strEncodeFor)) encFor=ENC_CSS;
		else if("dn".equals(strEncodeFor)) encFor=ENC_DN;
		else if("html".equals(strEncodeFor)) encFor=ENC_HTML;
		else if("html_attr".equals(strEncodeFor)) encFor=ENC_HTML_ATTR;
		else if("htmlattr".equals(strEncodeFor)) encFor=ENC_HTML_ATTR;
		else if("html-attr".equals(strEncodeFor)) encFor=ENC_HTML_ATTR;
		else if("html attr".equals(strEncodeFor)) encFor=ENC_HTML_ATTR;
		else if("html_attributes".equals(strEncodeFor)) encFor=ENC_HTML_ATTR;
		else if("htmlattributes".equals(strEncodeFor)) encFor=ENC_HTML_ATTR;
		else if("html-attributes".equals(strEncodeFor)) encFor=ENC_HTML_ATTR;
		else if("html attributes".equals(strEncodeFor)) encFor=ENC_HTML_ATTR;
		else if("js".equals(strEncodeFor)) encFor=ENC_JAVA_SCRIPT;
		else if("javascript".equals(strEncodeFor)) encFor=ENC_JAVA_SCRIPT;
		else if("java_script".equals(strEncodeFor)) encFor=ENC_JAVA_SCRIPT;
		else if("java script".equals(strEncodeFor)) encFor=ENC_JAVA_SCRIPT;
		else if("java-script".equals(strEncodeFor)) encFor=ENC_JAVA_SCRIPT;
		else if("ldap".equals(strEncodeFor)) encFor=ENC_LDAP;
		//else if("".equals(strEncodeFor)) encFor=ENC_OS;
		//else if("".equals(strEncodeFor)) encFor=ENC_SQl;
		else if("url".equals(strEncodeFor)) encFor=ENC_URL;
		else if("vbs".equals(strEncodeFor)) encFor=ENC_VB_SCRIPT;
		else if("vbscript".equals(strEncodeFor)) encFor=ENC_VB_SCRIPT;
		else if("vb-script".equals(strEncodeFor)) encFor=ENC_VB_SCRIPT;
		else if("vb_script".equals(strEncodeFor)) encFor=ENC_VB_SCRIPT;
		else if("vb script".equals(strEncodeFor)) encFor=ENC_VB_SCRIPT;
		else if("xml".equals(strEncodeFor)) encFor=ENC_XML;
		else if("xmlattr".equals(strEncodeFor)) encFor=ENC_XML_ATTR;
		else if("xml attr".equals(strEncodeFor)) encFor=ENC_XML_ATTR;
		else if("xml-attr".equals(strEncodeFor)) encFor=ENC_XML_ATTR;
		else if("xml_attr".equals(strEncodeFor)) encFor=ENC_XML_ATTR;
		else if("xmlattributes".equals(strEncodeFor)) encFor=ENC_XML_ATTR;
		else if("xml attributes".equals(strEncodeFor)) encFor=ENC_XML_ATTR;
		else if("xml-attributes".equals(strEncodeFor)) encFor=ENC_XML_ATTR;
		else if("xml_attributes".equals(strEncodeFor)) encFor=ENC_XML_ATTR;
		else if("xpath".equals(strEncodeFor)) encFor=ENC_XPATH;
		else 
			throw new FunctionException(pc, "ESAPIEncode", 1, "encodeFor", "value ["+strEncodeFor+"] is invalid, valid values are " +
					"[css,dn,html,html_attr,javascript,ldap,vbscript,xml,xml_attr,xpath]");
		return encode(value, encFor);
	}

	public static String canonicalize(String input, boolean restrictMultiple, boolean restrictMixed) {
		if(StringUtil.isEmpty(input)) return null;
		PrintStream out = System.out;
		try {
			 System.setOut(new PrintStream(DevNullOutputStream.DEV_NULL_OUTPUT_STREAM));
			 return ESAPI.encoder().canonicalize(input, restrictMultiple, restrictMixed);
		}
		finally {
			 System.setOut(out);
		}	
	}
	
}