Package org.owasp.html
Class FilterUrlByProtocolAttributePolicy
- java.lang.Object
  - org.owasp.html.FilterUrlByProtocolAttributePolicy
- All Implemented Interfaces: AttributePolicy
public class FilterUrlByProtocolAttributePolicy extends Object implements AttributePolicy
An attribute policy for attributes whose values are URLs that requires that the value have no protocol or have an allowed protocol.

URLs with protocols must match the protocol set passed to the constructor. URLs without protocols but which specify an origin different from the containing page (e.g. //example.org) are only allowed if the policy allows both http and https which are normally used to serve HTML. Same-origin URLs, URLs without any protocol or authority part are always allowed.

This class assumes that URLs are either hierarchical, or are opaque, but do not look like they contain an authority portion.
- Author: Mike Samuel ([email protected])

Nested Class Summary
Nested classes/interfaces inherited from interface org.owasp.html.AttributePolicy
AttributePolicy.JoinableAttributePolicy, AttributePolicy.Util

Field Summary
Fields inherited from interface org.owasp.html.AttributePolicy
IDENTITY_ATTRIBUTE_POLICY, REJECT_ALL_ATTRIBUTE_POLICY

Constructor Summary
Constructor
FilterUrlByProtocolAttributePolicy(Iterable<? extends String> protocols)

Method Summary
Modifier and Type    Method
String               apply(String elementName, String attributeName, String value)
boolean              equals(Object o)
int                  hashCode()

Method Detail
apply
@Nullable public String apply(String elementName, String attributeName, String value)
- Specified by: apply in interface AttributePolicy
- Parameters:
  elementName - the lower-case element name.
  attributeName - the lower-case attribute name.
  value - the attribute value without quotes and with HTML entities decoded.
- Returns: null to disallow the attribute or the adjusted value if allowed.
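
The rules in the class description, exercised as an added example (not part of the project's Javadoc or source): the same constructed href values are run through a policy that allows http and https and through one that allows only https, so the protocol-relative case can be compared. The class name UrlProtocolPolicyDemo, the helper filter and the sample values are assumptions made for illustration; the sanitizer library must be on the classpath.

```java
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.Map;
import org.owasp.html.AttributePolicy;
import org.owasp.html.FilterUrlByProtocolAttributePolicy;

/** Added example: compares two protocol sets on constructed href values. */
public class UrlProtocolPolicyDemo {

  /** Applies the policy to each value; a null result means the attribute is disallowed. */
  static Map<String, String> filter(AttributePolicy policy, String... values) {
    Map<String, String> results = new LinkedHashMap<>();
    for (String value : values) {
      // elementName and attributeName are passed lower-case, as the
      // parameter documentation requires.
      results.put(value, policy.apply("a", "href", value));
    }
    return results;
  }

  public static void main(String[] args) {
    // Constructed sample values, one per case the class description names.
    String[] samples = {
      "https://example.org/docs",   // protocol present in both sets
      "http://example.org/docs",    // protocol present only in the first set
      "javascript:void(0)",         // protocol present in neither set
      "//example.org/lib.js",       // no protocol, different origin
      "/local/path?q=1",            // no protocol, no authority
      "#section-2",                 // fragment only
    };

    AttributePolicy httpAndHttps =
        new FilterUrlByProtocolAttributePolicy(Arrays.asList("http", "https"));
    AttributePolicy httpsOnly =
        new FilterUrlByProtocolAttributePolicy(Arrays.asList("https"));

    for (AttributePolicy policy : new AttributePolicy[] {httpAndHttps, httpsOnly}) {
      System.out.println(policy == httpAndHttps ? "[http, https]" : "[https]");
      filter(policy, samples).forEach((in, out) ->
          System.out.println("  " + in + " -> " + (out == null ? "REJECTED" : out)));
    }
  }
}
```

Per the class description, the https-only policy disallows //example.org/lib.js because a protocol-relative URL is only allowed when both http and https are in the set, while /local/path?q=1 and #section-2 are allowed under either policy.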