org.owasp.html
Class FilterUrlByProtocolAttributePolicy

java.lang.Object
  extended by org.owasp.html.FilterUrlByProtocolAttributePolicy
All Implemented Interfaces:
AttributePolicy

public class FilterUrlByProtocolAttributePolicy
extends java.lang.Object
implements AttributePolicy

An attribute policy for attributes whose values are URLs. It requires that the value either have no protocol or have a protocol from an allowed set.

URLs with a protocol are allowed only if that protocol is in the set passed to the constructor. Protocol-relative URLs, which have no protocol but name an origin other than the containing page's (e.g. //example.org), are allowed only if the policy allows both http and https, the protocols normally used to serve HTML. Same-origin URLs, i.e. URLs with neither a protocol nor an authority part, are always allowed. The policy compares protocol names only; the decoded attribute value (see apply) is otherwise passed through, so it does not validate the rest of the URL.

This class assumes that URLs are either hierarchical (scheme://authority/path) or opaque (scheme:data), and that opaque URLs do not look like they contain an authority portion.
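The following is an added example, not code from the OWASP Java HTML Sanitizer itself. It applies the policy directly to a set of constructed href values to show the three cases described above (allowed protocol, protocol-relative, and same-origin), contrasts a set that allows both http and https with one that allows https only, and then wires the same policy into a sanitizer through HtmlPolicyBuilder. The class name UrlProtocolPolicyDemo and the helper check are this example's own; the library calls (the constructor, apply, HtmlPolicyBuilder.allowAttributes(...).matching(...).onElements(...), toFactory, PolicyFactory.sanitize) are the library's public API.

```java
import java.util.Arrays;

import org.owasp.html.AttributePolicy;
import org.owasp.html.FilterUrlByProtocolAttributePolicy;
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

public class UrlProtocolPolicyDemo {

  // Allowed set for an href: http and https. Because both are present, the
  // policy also accepts protocol-relative URLs such as //example.org/x.
  static final AttributePolicy HTTP_AND_HTTPS =
      new FilterUrlByProtocolAttributePolicy(Arrays.asList("http", "https"));

  // https only: protocol-relative URLs are now rejected, because the policy
  // does not allow both http and https.
  static final AttributePolicy HTTPS_ONLY =
      new FilterUrlByProtocolAttributePolicy(Arrays.asList("https"));

  /**
   * Helper for this example: runs one href value through a policy and
   * describes the outcome. apply() returns null to drop the attribute.
   */
  static String check(AttributePolicy policy, String href) {
    // apply() expects the lower-case element/attribute names and the value
    // with quotes removed and HTML entities already decoded.
    String result = policy.apply("a", "href", href);
    return result == null ? "REJECTED" : "allowed as " + result;
  }

  public static void main(String[] args) {
    // Constructed sample inputs covering the cases in the class description.
    String[] inputs = {
      "https://example.org/page",    // allowed protocol under both policies
      "/relative/path",              // no protocol, no authority: always allowed
      "#fragment",                   // same document: always allowed
      "javascript:alert(1)",         // protocol not in either set: rejected
      "//example.org/x",             // protocol-relative: needs http AND https
      "mailto:someone@example.org",  // rejected unless mailto is in the set
    };
    for (String in : inputs) {
      System.out.println("http+https : " + in + " -> " + check(HTTP_AND_HTTPS, in));
      System.out.println("https only : " + in + " -> " + check(HTTPS_ONLY, in));
    }

    // The same policy attached to the href attribute of <a> in a sanitizer.
    PolicyFactory factory = new HtmlPolicyBuilder()
        .allowElements("a")
        .allowAttributes("href").matching(HTTP_AND_HTTPS).onElements("a")
        .toFactory();

    // Constructed untrusted markup: the javascript: href is dropped, the
    // https: href survives.
    String untrusted =
        "<a href=\"javascript:alert(1)\">x</a>"
        + "<a href=\"https://example.org/\">ok</a>";
    System.out.println(factory.sanitize(untrusted));
  }
}
```

Allowing only https and expecting //example.org to pass is the mistake to watch for: protocol-relative URLs are accepted only when both http and https are in the set, since otherwise the page's own scheme could turn the link into one the policy did not allow.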

Author:
Mike Samuel

Nested Class Summary
 
Nested classes/interfaces inherited from interface org.owasp.html.AttributePolicy
AttributePolicy.Util
 
Field Summary
 
Fields inherited from interface org.owasp.html.AttributePolicy
IDENTITY_ATTRIBUTE_POLICY, REJECT_ALL_ATTRIBUTE_POLICY
 
Constructor Summary
FilterUrlByProtocolAttributePolicy(java.lang.Iterable<? extends java.lang.String> protocols)
 
Method Summary
protected  boolean allowProtocolRelativeUrls()
 java.lang.String apply(java.lang.String elementName, java.lang.String attributeName, java.lang.String s)
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

FilterUrlByProtocolAttributePolicy

public FilterUrlByProtocolAttributePolicy(java.lang.Iterable<? extends java.lang.String> protocols)
Parameters:
protocols - the set of URL protocols (e.g. http, https) whose URLs this policy allows; URLs with any other protocol are rejected.

Method Detail

apply

@Nullable
public java.lang.String apply(java.lang.String elementName,
                                       java.lang.String attributeName,
                                       java.lang.String s)
Specified by:
apply in interface AttributePolicy
Parameters:
elementName - the lower-case element name.
attributeName - the lower-case attribute name.
s - the attribute value without quotes and with HTML entities decoded.
Returns:
null to disallow the attribute or the adjusted value if allowed.

allowProtocolRelativeUrls

protected boolean allowProtocolRelativeUrls()
Returns:
true if protocol-relative URLs (e.g. //example.org) are allowed, which is the case only when the policy allows both http and https.


Copyright © 2012 OWASP. All Rights Reserved.