Package org.apache.sling.xss
Interface XSSFilter
@ProviderType public interface XSSFilter
This service should be used to protect output against potential XSS attacks. The protection is context based.
Field Summary

    static ProtectionContext DEFAULT_CONTEXT
        Default context.
Method Summary (all methods are instance methods and abstract)

    boolean check(ProtectionContext context, String src)
        Indicates whether or not a given source string contains XSS policy violations.

    String filter(String src)
        Prevents the given source string from containing XSS stuff.

    String filter(ProtectionContext context, String src)
        Protects the given source string from containing XSS stuff.

    boolean isValidHref(String url)
        Checks if the given URL is valid to be used for the href attribute in an <a> tag.
Field Detail

DEFAULT_CONTEXT
    static final ProtectionContext DEFAULT_CONTEXT
    Default context.
Method Detail

check
    boolean check(ProtectionContext context, String src)
    Indicates whether or not a given source string contains XSS policy violations.
    Parameters:
        context - context to use for checking
        src - source string
    Returns:
        true if the source is violation-free
    Throws:
        NullPointerException - if context is null
filter
    String filter(String src)
    Prevents the given source string from containing XSS stuff. The default protection context is used for checking.
    Parameters:
        src - source string
    Returns:
        string that does not contain XSS stuff
filter
    String filter(ProtectionContext context, String src)
    Protects the given source string from containing XSS stuff.
    Parameters:
        context - context to use for checking
        src - source string
    Returns:
        string that does not contain XSS stuff
    Throws:
        NullPointerException - if context is null
isValidHref
    boolean isValidHref(String url)
    Checks if the given URL is valid to be used for the href attribute in an <a> tag. The default protection context is used for checking.
    Parameters:
        url - the URL that should be validated
    Returns:
        true if the URL is violation-free
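How the four methods fit together when rendering one untrusted link, as an added example that is not part of the Apache Sling XSS API or its documentation. It assumes an OSGi Declarative Services runtime that injects the XSSFilter service; the class name SafeLinkRenderer, the fallback href and the helper names are hypothetical.

```java
// Added example, not Sling project code. Assumes an OSGi DS runtime that
// provides the org.apache.sling.xss.XSSFilter service.
import org.apache.sling.xss.XSSFilter;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;

@Component(service = SafeLinkRenderer.class)
public class SafeLinkRenderer {

    // Hypothetical: emitted instead of a URL that fails isValidHref.
    private static final String FALLBACK_HREF = "#";

    @Reference
    private XSSFilter xssFilter;

    /**
     * Builds an anchor from untrusted input. The URL is emitted only if
     * isValidHref accepts it; the label goes through filter(src), which
     * applies DEFAULT_CONTEXT, before it is placed in element content.
     */
    public String renderLink(String untrustedHref, String untrustedLabel) {
        String href = xssFilter.isValidHref(untrustedHref) ? untrustedHref : FALLBACK_HREF;
        // isValidHref is documented as a check, not an encoder, so the value is
        // still attribute-escaped here before being placed inside the quotes.
        String attrSafeHref = href.replace("&", "&amp;").replace("\"", "&quot;");
        String label = xssFilter.filter(untrustedLabel);
        return "<a href=\"" + attrSafeHref + "\">" + label + "</a>";
    }

    /**
     * Reports whether the label is free of policy violations under the
     * default context, using check(); handy for counting how often untrusted
     * input trips the policy without altering what is rendered.
     */
    public boolean labelIsClean(String untrustedLabel) {
        return xssFilter.check(XSSFilter.DEFAULT_CONTEXT, untrustedLabel);
    }
}
```

Because check() throws NullPointerException for a null context, pass DEFAULT_CONTEXT (or another ProtectionContext) explicitly rather than null.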