org.owasp.html
Class FilterUrlByProtocolAttributePolicy
java.lang.Object
org.owasp.html.FilterUrlByProtocolAttributePolicy
- All Implemented Interfaces:
- AttributePolicy
public class FilterUrlByProtocolAttributePolicy
- extends java.lang.Object
- implements AttributePolicy
An attribute policy for attributes whose values are URLs. It requires that the
value either have no protocol or have an allowed protocol.

URLs with a protocol must use one of the protocols in the set passed to the
constructor. Protocol-relative URLs, which have no protocol but name an origin
different from the containing page (e.g. //example.org), are allowed only if
the policy allows both http and https, the protocols normally used to serve
HTML: a browser resolves such a URL against whichever of the two schemes the
containing page was loaded over, so both must be acceptable.

Same-origin URLs (those without any protocol or authority part) are always
allowed.

This class assumes that URLs are either hierarchical, or are opaque but do not
look like they contain an authority portion.
- Author:
- Mike Samuel
Method Summary

Modifier and Type    Method and Description
protected boolean    allowProtocolRelativeUrls()
                     Whether protocol-relative URLs such as //example.org are allowed.
java.lang.String     apply(java.lang.String elementName, java.lang.String attributeName, java.lang.String s)
                     Filters a URL attribute value; returns null to drop the attribute.

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
FilterUrlByProtocolAttributePolicy
public FilterUrlByProtocolAttributePolicy(java.lang.Iterable<? extends java.lang.String> protocols)
- Parameters:
- protocols - the allowed protocol names (e.g. "http" and "https"). A URL whose protocol is not in this set is rejected by apply.
apply
@Nullable
public java.lang.String apply(java.lang.String elementName,
java.lang.String attributeName,
java.lang.String s)
- Specified by:
apply
in interface AttributePolicy
- Parameters:
- elementName - the lower-case element name.
- attributeName - the lower-case attribute name.
- s - the attribute value without quotes and with HTML entities decoded.
- Returns:
- null to disallow the attribute, or the adjusted value if allowed.
allowProtocolRelativeUrls
protected boolean allowProtocolRelativeUrls()
- Returns:
- true if protocol-relative URLs (e.g. //example.org) are allowed. Per the class contract this is the case when the allowed protocol set contains both http and https; subclasses may override it to tighten or relax that rule.
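The following is an added example, not code from the OWASP Java HTML Sanitizer project or from this class's documentation. It exercises the contract described above (the class description and the apply method) by constructing the policy directly with http and https, applying it to a constructed list of candidate href values, and then attaching the same policy to an HtmlPolicyBuilder via matching(AttributePolicy) so that it governs href on a elements. The candidate URLs, the class name UrlProtocolFilterDemo and the choice of a/href are assumptions made for illustration.

```java
import java.util.Arrays;
import java.util.List;

import org.owasp.html.AttributePolicy;
import org.owasp.html.FilterUrlByProtocolAttributePolicy;
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

/** Added example (not part of the sanitizer project): exercises FilterUrlByProtocolAttributePolicy. */
public class UrlProtocolFilterDemo {

  /** Builds the policy under test: only http and https are acceptable URL protocols. */
  static AttributePolicy httpOnlyPolicy() {
    // Protocol names are given without the trailing colon, as with HtmlPolicyBuilder.allowUrlProtocols.
    return new FilterUrlByProtocolAttributePolicy(Arrays.asList("http", "https"));
  }

  /**
   * Applies the policy to one href value and returns the sanitized value,
   * or null when the documented contract says the attribute is dropped.
   */
  static String filterHref(AttributePolicy policy, String href) {
    // Element and attribute names must be lower-case per the apply contract.
    return policy.apply("a", "href", href);
  }

  public static void main(String[] args) {
    AttributePolicy policy = httpOnlyPolicy();

    // Constructed inputs covering each case in the class description:
    // allowed protocol, same-origin (no protocol or authority), protocol-relative,
    // and disallowed protocols that are common XSS and phishing vectors.
    List<String> candidates = Arrays.asList(
        "https://example.org/page",
        "/relative/path?q=1#frag",
        "//example.org/page",                        // allowed only because both http and https are allowed
        "javascript:alert(1)",                       // protocol not in the set: dropped
        "data:text/html,<script>alert(1)</script>",  // protocol not in the set: dropped
        "mailto:someone@example.org"                 // protocol not in the set: dropped
    );

    for (String href : candidates) {
      String filtered = filterHref(policy, href);
      System.out.println(href + " -> " + (filtered == null ? "(attribute dropped)" : filtered));
    }

    // Attach the same policy to a full sanitizer: href on <a> survives only if the
    // policy returns a non-null value for it. allowUrlProtocols is the usual
    // builder route; matching(AttributePolicy) lets a caller supply this policy
    // (or a subclass overriding allowProtocolRelativeUrls) explicitly.
    PolicyFactory sanitizer = new HtmlPolicyBuilder()
        .allowElements("a")
        .allowAttributes("href").matching(policy).onElements("a")
        .toFactory();

    String untrusted = "<a href=\"javascript:alert(1)\">click</a> "
        + "<a href=\"https://example.org/\">ok</a>";
    System.out.println(sanitizer.sanitize(untrusted));
  }
}
```

By the contract documented on this page, the javascript:, data: and mailto: values yield null from apply and the attribute is dropped, while the https and relative values are returned (possibly adjusted) and the protocol-relative value is kept only because both http and https are in the set; pass a single protocol to the constructor to see allowProtocolRelativeUrls switch it off.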
Copyright © 2012 OWASP. All Rights Reserved.