Class FilterUrlByProtocolAttributePolicy

  • All Implemented Interfaces:
    AttributePolicy

    public class FilterUrlByProtocolAttributePolicy
    extends Object
    implements AttributePolicy
    An attribute policy for attributes whose values are URLs that requires that the value have no protocol or have an allowed protocol.

    URLs with protocols must match the protocol set passed to the constructor. URLs without protocols but which specify an origin different from the containing page (e.g. //example.org) are only allowed if the policy allows both http and https, which are normally used to serve HTML. Same-origin URLs (URLs without any protocol or authority part) are always allowed.

    This class assumes that URLs are either hierarchical, or are opaque, but do not look like they contain an authority portion.

    Author:
    Mike Samuel ([email protected])
    • Constructor Detail

      • FilterUrlByProtocolAttributePolicy

        public FilterUrlByProtocolAttributePolicy(Iterable<? extends String> protocols)
        Parameters:
        protocols - lower-case protocol names without any trailing colon (":")
    • Method Detail

      • apply

        @Nullable
        public String apply(String elementName,
                            String attributeName,
                            String value)
        Specified by:
        apply in interface AttributePolicy
        Parameters:
        elementName - the lower-case element name.
        attributeName - the lower-case attribute name.
        value - the attribute value without quotes and with HTML entities decoded.
        Returns:
        null to disallow the attribute or the adjusted value if allowed.
      • hashCode

        public int hashCode()
        Overrides:
        hashCode in class Object
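
The following is an added example, not code from the library or its documentation. It runs the kinds of URL named in the class description through apply under two protocol sets. It assumes the OWASP Java HTML Sanitizer is on the classpath and that the class is in package org.owasp.html; the demo class name, the decide helper and the sample URLs are constructed for illustration.

```java
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Assumption: the class is in package org.owasp.html (OWASP Java HTML Sanitizer).
import org.owasp.html.FilterUrlByProtocolAttributePolicy;

public class UrlProtocolPolicyDemo {

  /** Hypothetical helper: a null result from apply() means the attribute is dropped. */
  static String decide(FilterUrlByProtocolAttributePolicy policy, String url) {
    // Element and attribute names are passed lower-case, as apply() documents.
    String adjusted = policy.apply("a", "href", url);
    return adjusted == null ? "DROPPED" : "kept as \"" + adjusted + "\"";
  }

  public static void main(String[] args) {
    // Protocol names are lower-case and carry no trailing colon.
    Map<String, FilterUrlByProtocolAttributePolicy> policies = new LinkedHashMap<>();
    policies.put("https only",
        new FilterUrlByProtocolAttributePolicy(Arrays.asList("https")));
    policies.put("http + https",
        new FilterUrlByProtocolAttributePolicy(Arrays.asList("http", "https")));

    // Constructed sample values, one per case in the class description.
    List<String> samples = Arrays.asList(
        "https://example.org/page",  // protocol in both sets
        "http://example.org/page",   // protocol only in the second set
        "javascript:void(0)",        // protocol in neither set
        "mailto:user@example.org",   // opaque URL, protocol in neither set
        "//example.org/page",        // no protocol, but names another origin
        "/local/path?q=1",           // no protocol, no authority
        "#section");                 // fragment only

    for (Map.Entry<String, FilterUrlByProtocolAttributePolicy> e : policies.entrySet()) {
      System.out.println("Policy: " + e.getKey());
      for (String url : samples) {
        System.out.println("  " + url + " -> " + decide(e.getValue(), url));
      }
    }
  }
}
```

The returned string is the adjusted value, so callers should emit that result rather than the original input.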