001    /**
002     * Copyright (c) 2000-present Liferay, Inc. All rights reserved.
003     *
004     * This library is free software; you can redistribute it and/or modify it under
005     * the terms of the GNU Lesser General Public License as published by the Free
006     * Software Foundation; either version 2.1 of the License, or (at your option)
007     * any later version.
008     *
009     * This library is distributed in the hope that it will be useful, but WITHOUT
010     * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
011     * FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
012     * details.
013     */
014    
015    package com.liferay.portal.kernel.util;
016    
017    import com.liferay.portal.kernel.security.pacl.permission.PortalRuntimePermission;
018    
019    import java.util.Map;
020    
021    /**
022     * Provides utility methods for escaping, rendering, replacing, and stripping
023     * HTML text. This class uses XSS recommendations from <a
024     * href="http://www.owasp.org/index.php/Cross_Site_Scripting#How_to_Protect_Yourself">http://www.owasp.org/index.php/Cross_Site_Scripting#How_to_Protect_Yourself</a>
025     * when escaping HTML text.
026     *
027     * @author Brian Wing Shun Chan
028     * @author Clarence Shen
029     * @author Harry Mark
030     * @author Samuel Kong
031     */
032    public class HtmlUtil {
033    
034            public static String buildData(Map<String, Object> data) {
035                    return getHtml().buildData(data);
036            }
037    
038            /**
039             * Escapes the text so that it is safe to use in an HTML context.
040             *
041             * @param  text the text to escape
042             * @return the escaped HTML text, or <code>null</code> if the text is
043             *         <code>null</code>
044             */
045            public static String escape(String text) {
046                    return getHtml().escape(text);
047            }
048    
049            /**
050             * Escapes the input text as a hexadecimal value, based on the mode (type).
051             *
052             * @param  text the text to escape
053             * @param  mode the encoding type
054             * @return the escaped hexadecimal value of the input text, based on the
055             *         mode, or <code>null</code> if the text is <code>null</code>
056             * @see    com.liferay.portal.util.HtmlImpl#escape(String, int)
057             */
058            public static String escape(String text, int mode) {
059                    return getHtml().escape(text, mode);
060            }
061    
062            /**
063             * Escapes the attribute value so that it is safe to use as an attribute
064             * value.
065             *
066             * @param  attribute the attribute to escape
067             * @return the escaped attribute value, or <code>null</code> if the
068             *         attribute value is <code>null</code>
069             */
070            public static String escapeAttribute(String attribute) {
071                    return getHtml().escapeAttribute(attribute);
072            }
073    
074            /**
075             * Escapes the CSS value so that it is safe to use in a CSS context.
076             *
077             * @param  css the CSS value to escape
078             * @return the escaped CSS value, or <code>null</code> if the CSS value is
079             *         <code>null</code>
080             */
081            public static String escapeCSS(String css) {
082                    return getHtml().escapeCSS(css);
083            }
084    
085            /**
086             * Escapes the HREF attribute so that it is safe to use as an HREF
087             * attribute.
088             *
089             * @param  href the HREF attribute to escape
090             * @return the escaped HREF attribute, or <code>null</code> if the HREF
091             *         attribute is <code>null</code>
092             */
093            public static String escapeHREF(String href) {
094                    return getHtml().escapeHREF(href);
095            }
096    
097            /**
098             * Escapes the JavaScript value so that it is safe to use in a JavaScript
099             * context.
100             *
101             * @param  js the JavaScript value to escape
102             * @return the escaped JavaScript value, or <code>null</code> if the
103             *         JavaScript value is <code>null</code>
104             */
105            public static String escapeJS(String js) {
106                    return getHtml().escapeJS(js);
107            }
108    
109            public static String escapeJSLink(String link) {
110                    return getHtml().escapeJSLink(link);
111            }
112    
113            /**
114             * Escapes the URL value so that it is safe to use as a URL.
115             *
116             * @param  url the URL value to escape
117             * @return the escaped URL value, or <code>null</code> if the URL value is
118             *         <code>null</code>
119             */
120            public static String escapeURL(String url) {
121                    return getHtml().escapeURL(url);
122            }
123    
124            public static String escapeXPath(String xPath) {
125                    return getHtml().escapeXPath(xPath);
126            }
127    
128            public static String escapeXPathAttribute(String xPathAttribute) {
129                    return getHtml().escapeXPathAttribute(xPathAttribute);
130            }
131    
132            /**
133             * Extracts the raw text from the HTML input, compressing its whitespace and
134             * removing all attributes, scripts, and styles.
135             *
136             * <p>
137             * For example, raw text returned by this method can be stored in a search
138             * index.
139             * </p>
140             *
141             * @param  html the HTML text
142             * @return the raw text from the HTML input, or <code>null</code> if the
143             *         HTML input is <code>null</code>
144             */
145            public static String extractText(String html) {
146                    return getHtml().extractText(html);
147            }
148    
149            public static String fromInputSafe(String text) {
150                    return getHtml().fromInputSafe(text);
151            }
152    
153            public static String getAUICompatibleId(String html) {
154                    return getHtml().getAUICompatibleId(html);
155            }
156    
157            public static Html getHtml() {
158                    PortalRuntimePermission.checkGetBeanProperty(HtmlUtil.class);
159    
160                    return _html;
161            }
162    
163            /**
164             * Renders the HTML content into text. This provides a human readable
165             * version of the segment content that is modeled on the way Mozilla
166             * Thunderbird&reg; and other email clients provide an automatic conversion
167             * of HTML content to text in their alternative MIME encoding of emails.
168             *
169             * <p>
170             * Using the default settings, the output complies with the
171             * <code>Text/Plain; Format=Flowed (DelSp=No)</code> protocol described in
172             * <a href="http://tools.ietf.org/html/rfc3676">RFC-3676</a>.
173             * </p>
174             *
175             * @param  html the HTML text
176             * @return the rendered HTML text, or <code>null</code> if the HTML text is
177             *         <code>null</code>
178             */
179            public static String render(String html) {
180                    return getHtml().render(html);
181            }
182    
183            /**
184             * Replaces all Microsoft&reg; Word Unicode characters with plain HTML
185             * entities or characters.
186             *
187             * @param      text the text
188             * @return     the converted text, or <code>null</code> if the text is
189             *             <code>null</code>
190             * @deprecated As of 7.0.0, with no direct replacement
191             */
192            @Deprecated
193            public static String replaceMsWordCharacters(String text) {
194                    return getHtml().replaceMsWordCharacters(text);
195            }
196    
197            /**
198             * Replaces all new lines or carriage returns with the <code><br /></code>
199             * HTML tag.
200             *
201             * @param  html the text
202             * @return the converted text, or <code>null</code> if the HTML text is
203             *         <code>null</code>
204             */
205            public static String replaceNewLine(String html) {
206                    return getHtml().replaceNewLine(html);
207            }
208    
209            /**
210             * Strips all content delimited by the tag out of the text.
211             *
212             * <p>
213             * If the tag appears multiple times, all occurrences (including the tag)
214             * are stripped. The tag may have attributes. In order for this method to
215             * recognize the tag, it must consist of a separate opening and closing tag.
216             * Self-closing tags remain in the result.
217             * </p>
218             *
219             * @param  text the text
220             * @param  tag the tag used for delimiting, which should only be the tag's
221             *         name (e.g. no &lt;)
222             * @return the text, without the stripped tag and its contents, or
223             *         <code>null</code> if the text is <code>null</code>
224             */
225            public static String stripBetween(String text, String tag) {
226                    return getHtml().stripBetween(text, tag);
227            }
228    
229            /**
230             * Strips all XML comments out of the text.
231             *
232             * @param  text the text
233             * @return the text, without the stripped XML comments, or <code>null</code>
234             *         if the text is <code>null</code>
235             */
236            public static String stripComments(String text) {
237                    return getHtml().stripComments(text);
238            }
239    
240            public static String stripHtml(String text) {
241                    return getHtml().stripHtml(text);
242            }
243    
244            /**
245             * Encodes the text so that it's safe to use as an HTML input field value.
246             *
247             * <p>
248             * For example, the <code>&</code> character is replaced by
249             * <code>&amp;amp;</code>.
250             * </p>
251             *
252             * @param  text the text
253             * @return the encoded text that is safe to use as an HTML input field
254             *         value, or <code>null</code> if the text is <code>null</code>
255             */
256            public static String toInputSafe(String text) {
257                    return getHtml().toInputSafe(text);
258            }
259    
260            public static String unescape(String text) {
261                    return getHtml().unescape(text);
262            }
263    
264            public static String unescapeCDATA(String text) {
265                    return getHtml().unescapeCDATA(text);
266            }
267    
268            public static String wordBreak(String text, int columns) {
269                    return getHtml().wordBreak(text, columns);
270            }
271    
272            public void setHtml(Html html) {
273                    PortalRuntimePermission.checkSetBeanProperty(getClass());
274    
275                    _html = html;
276            }
277    
278            private static Html _html;
279    
280    }