001 /** 002 * Copyright (c) 2000-present Liferay, Inc. All rights reserved. 003 * 004 * This library is free software; you can redistribute it and/or modify it under 005 * the terms of the GNU Lesser General Public License as published by the Free 006 * Software Foundation; either version 2.1 of the License, or (at your option) 007 * any later version. 008 * 009 * This library is distributed in the hope that it will be useful, but WITHOUT 010 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS 011 * FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more 012 * details. 013 */ 014 015 package com.liferay.portal.kernel.util; 016 017 import com.liferay.portal.kernel.security.pacl.permission.PortalRuntimePermission; 018 019 import java.util.Map; 020 021 /** 022 * Provides utility methods for escaping, rendering, replacing, and stripping 023 * HTML text. This class uses XSS recommendations from <a 024 * href="http://www.owasp.org/index.php/Cross_Site_Scripting#How_to_Protect_Yourself">http://www.owasp.org/index.php/Cross_Site_Scripting#How_to_Protect_Yourself</a> 025 * when escaping HTML text. 026 * 027 * @author Brian Wing Shun Chan 028 * @author Clarence Shen 029 * @author Harry Mark 030 * @author Samuel Kong 031 */ 032 public class HtmlUtil { 033 034 public static String buildData(Map<String, Object> data) { 035 return getHtml().buildData(data); 036 } 037 038 /** 039 * Escapes the text so that it is safe to use in an HTML context. 040 * 041 * @param text the text to escape 042 * @return the escaped HTML text, or <code>null</code> if the text is 043 * <code>null</code> 044 */ 045 public static String escape(String text) { 046 return getHtml().escape(text); 047 } 048 049 /** 050 * Escapes the input text as a hexadecimal value, based on the mode (type). 051 * 052 * @param text the text to escape 053 * @param mode the encoding type 054 * @return the escaped hexadecimal value of the input text, based on the 055 * mode, or <code>null</code> if the text is <code>null</code> 056 * @see com.liferay.portal.util.HtmlImpl#escape(String, int) 057 */ 058 public static String escape(String text, int mode) { 059 return getHtml().escape(text, mode); 060 } 061 062 /** 063 * Escapes the attribute value so that it is safe to use as an attribute 064 * value. 065 * 066 * @param attribute the attribute to escape 067 * @return the escaped attribute value, or <code>null</code> if the 068 * attribute value is <code>null</code> 069 */ 070 public static String escapeAttribute(String attribute) { 071 return getHtml().escapeAttribute(attribute); 072 } 073 074 /** 075 * Escapes the CSS value so that it is safe to use in a CSS context. 076 * 077 * @param css the CSS value to escape 078 * @return the escaped CSS value, or <code>null</code> if the CSS value is 079 * <code>null</code> 080 */ 081 public static String escapeCSS(String css) { 082 return getHtml().escapeCSS(css); 083 } 084 085 /** 086 * Escapes the HREF attribute so that it is safe to use as an HREF 087 * attribute. 088 * 089 * @param href the HREF attribute to escape 090 * @return the escaped HREF attribute, or <code>null</code> if the HREF 091 * attribute is <code>null</code> 092 */ 093 public static String escapeHREF(String href) { 094 return getHtml().escapeHREF(href); 095 } 096 097 /** 098 * Escapes the JavaScript value so that it is safe to use in a JavaScript 099 * context. 100 * 101 * @param js the JavaScript value to escape 102 * @return the escaped JavaScript value, or <code>null</code> if the 103 * JavaScript value is <code>null</code> 104 */ 105 public static String escapeJS(String js) { 106 return getHtml().escapeJS(js); 107 } 108 109 public static String escapeJSLink(String link) { 110 return getHtml().escapeJSLink(link); 111 } 112 113 /** 114 * Escapes the URL value so that it is safe to use as a URL. 115 * 116 * @param url the URL value to escape 117 * @return the escaped URL value, or <code>null</code> if the URL value is 118 * <code>null</code> 119 */ 120 public static String escapeURL(String url) { 121 return getHtml().escapeURL(url); 122 } 123 124 public static String escapeXPath(String xPath) { 125 return getHtml().escapeXPath(xPath); 126 } 127 128 public static String escapeXPathAttribute(String xPathAttribute) { 129 return getHtml().escapeXPathAttribute(xPathAttribute); 130 } 131 132 /** 133 * Extracts the raw text from the HTML input, compressing its whitespace and 134 * removing all attributes, scripts, and styles. 135 * 136 * <p> 137 * For example, raw text returned by this method can be stored in a search 138 * index. 139 * </p> 140 * 141 * @param html the HTML text 142 * @return the raw text from the HTML input, or <code>null</code> if the 143 * HTML input is <code>null</code> 144 */ 145 public static String extractText(String html) { 146 return getHtml().extractText(html); 147 } 148 149 public static String fromInputSafe(String text) { 150 return getHtml().fromInputSafe(text); 151 } 152 153 public static String getAUICompatibleId(String html) { 154 return getHtml().getAUICompatibleId(html); 155 } 156 157 public static Html getHtml() { 158 PortalRuntimePermission.checkGetBeanProperty(HtmlUtil.class); 159 160 return _html; 161 } 162 163 /** 164 * Renders the HTML content into text. This provides a human readable 165 * version of the segment content that is modeled on the way Mozilla 166 * Thunderbird® and other email clients provide an automatic conversion 167 * of HTML content to text in their alternative MIME encoding of emails. 168 * 169 * <p> 170 * Using the default settings, the output complies with the 171 * <code>Text/Plain; Format=Flowed (DelSp=No)</code> protocol described in 172 * <a href="http://tools.ietf.org/html/rfc3676">RFC-3676</a>. 173 * </p> 174 * 175 * @param html the HTML text 176 * @return the rendered HTML text, or <code>null</code> if the HTML text is 177 * <code>null</code> 178 */ 179 public static String render(String html) { 180 return getHtml().render(html); 181 } 182 183 /** 184 * Replaces all Microsoft® Word Unicode characters with plain HTML 185 * entities or characters. 186 * 187 * @param text the text 188 * @return the converted text, or <code>null</code> if the text is 189 * <code>null</code> 190 * @deprecated As of 7.0.0, with no direct replacement 191 */ 192 @Deprecated 193 public static String replaceMsWordCharacters(String text) { 194 return getHtml().replaceMsWordCharacters(text); 195 } 196 197 /** 198 * Replaces all new lines or carriage returns with the <code><br /></code> 199 * HTML tag. 200 * 201 * @param html the text 202 * @return the converted text, or <code>null</code> if the HTML text is 203 * <code>null</code> 204 */ 205 public static String replaceNewLine(String html) { 206 return getHtml().replaceNewLine(html); 207 } 208 209 /** 210 * Strips all content delimited by the tag out of the text. 211 * 212 * <p> 213 * If the tag appears multiple times, all occurrences (including the tag) 214 * are stripped. The tag may have attributes. In order for this method to 215 * recognize the tag, it must consist of a separate opening and closing tag. 216 * Self-closing tags remain in the result. 217 * </p> 218 * 219 * @param text the text 220 * @param tag the tag used for delimiting, which should only be the tag's 221 * name (e.g. no <) 222 * @return the text, without the stripped tag and its contents, or 223 * <code>null</code> if the text is <code>null</code> 224 */ 225 public static String stripBetween(String text, String tag) { 226 return getHtml().stripBetween(text, tag); 227 } 228 229 /** 230 * Strips all XML comments out of the text. 231 * 232 * @param text the text 233 * @return the text, without the stripped XML comments, or <code>null</code> 234 * if the text is <code>null</code> 235 */ 236 public static String stripComments(String text) { 237 return getHtml().stripComments(text); 238 } 239 240 public static String stripHtml(String text) { 241 return getHtml().stripHtml(text); 242 } 243 244 /** 245 * Encodes the text so that it's safe to use as an HTML input field value. 246 * 247 * <p> 248 * For example, the <code>&</code> character is replaced by 249 * <code>&amp;</code>. 250 * </p> 251 * 252 * @param text the text 253 * @return the encoded text that is safe to use as an HTML input field 254 * value, or <code>null</code> if the text is <code>null</code> 255 */ 256 public static String toInputSafe(String text) { 257 return getHtml().toInputSafe(text); 258 } 259 260 public static String unescape(String text) { 261 return getHtml().unescape(text); 262 } 263 264 public static String unescapeCDATA(String text) { 265 return getHtml().unescapeCDATA(text); 266 } 267 268 public static String wordBreak(String text, int columns) { 269 return getHtml().wordBreak(text, columns); 270 } 271 272 public void setHtml(Html html) { 273 PortalRuntimePermission.checkSetBeanProperty(getClass()); 274 275 _html = html; 276 } 277 278 private static Html _html; 279 280 }