| /* |
| * Copyright (C) 2010 Google Inc. |
| * |
| * Licensed under the Apache License, Version 2.0 (the "License"); |
| * you may not use this file except in compliance with the License. |
| * You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| |
| package com.google.clearsilver.jsilver.functions.escape; |
| |
| |
| /** |
| * This class HTML escapes a string in the same way as the ClearSilver html_escape function. |
| * |
| * This implementation has been optimized for performance. |
| * |
| */ |
| public class HtmlEscapeFunction extends SimpleEscapingFunction { |
| |
| // The escape chars |
| private static final char[] ESCAPE_CHARS = {'<', '>', '&', '\'', '"'}; |
| |
| // UNQUOTED_ESCAPE_CHARS = ESCAPE_CHARS + UNQUOTED_EXTRA_CHARS + chars < 0x20 + 0x7f |
| private static final char[] UNQUOTED_ESCAPE_CHARS; |
| |
| private static final char[] UNQUOTED_EXTRA_CHARS = {'=', ' '}; |
| |
| // The corresponding escape strings for all ascii characters. |
| // With control characters, we simply strip them out if necessary. |
| private static String[] ESCAPE_CODES = |
| {"", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", |
| "", "", "", "", "", "", "", "", "", "", "!", """, "#", "$", "%", "&", "'", |
| "(", ")", "*", "+", ",", "-", ".", "/", "0", "1", "2", "3", "4", "5", "6", "7", "8", "9", |
| ":", ";", "<", "=", ">", "?", "@", "A", "B", "C", "D", "E", "F", "G", "H", "I", |
| "J", "K", "L", "M", "N", "O", "P", "Q", "R", "S", "T", "U", "V", "W", "X", "Y", "Z", "[", |
| "\\", "]", "^", "_", "`", "a", "b", "c", "d", "e", "f", "g", "h", "i", "j", "k", "l", |
| "m", "n", "o", "p", "q", "r", "s", "t", "u", "v", "w", "x", "y", "z", "{", "|", "}", "~", |
| ""}; |
| |
| static { |
| UNQUOTED_ESCAPE_CHARS = new char[33 + ESCAPE_CHARS.length + UNQUOTED_EXTRA_CHARS.length]; |
| // In unquoted HTML attributes, strip out control characters also, as they could |
| // get interpreted as end of attribute, just like spaces. |
| for (int n = 0; n <= 0x1f; n++) { |
| UNQUOTED_ESCAPE_CHARS[n] = (char) n; |
| } |
| UNQUOTED_ESCAPE_CHARS[32] = (char) 0x7f; |
| System.arraycopy(ESCAPE_CHARS, 0, UNQUOTED_ESCAPE_CHARS, 33, ESCAPE_CHARS.length); |
| System.arraycopy(UNQUOTED_EXTRA_CHARS, 0, UNQUOTED_ESCAPE_CHARS, 33 + ESCAPE_CHARS.length, |
| UNQUOTED_EXTRA_CHARS.length); |
| |
| } |
| |
| /** |
| * isUnquoted should be true if the function is escaping a string that will appear inside an |
| * unquoted HTML attribute. |
| * |
| * If the string is unquoted, we strip out all characters 0 - 0x1f and 0x7f for security reasons. |
| */ |
| public HtmlEscapeFunction(boolean isUnquoted) { |
| if (isUnquoted) { |
| super.setEscapeChars(UNQUOTED_ESCAPE_CHARS); |
| } else { |
| super.setEscapeChars(ESCAPE_CHARS); |
| } |
| } |
| |
| @Override |
| protected String getEscapeString(char c) { |
| if (c < 0x80) { |
| return ESCAPE_CODES[c]; |
| } |
| throw new IllegalArgumentException("Unexpected escape character " + c + "[" + (int) c + "]"); |
| } |
| } |