
Smalltalk/X Webserver

Documentation of class 'HtmlSanitizer':


Class: HtmlSanitizer


Inheritance:

   Object
   |
   +--HtmlSanitizer

Package:
stx:goodies/webServer
Category:
Net-Communication-HTTP-Server
Version:
rev: 1.7 date: 2011/02/09 14:15:37
user: stefan
file: HtmlSanitizer.st directory: goodies/webServer
module: stx stc-classLibrary: webServer
Author:
james (james@kokxnix)

Description:


A port of http://quickwired.com/kallahar/smallprojects/php_xss_filter_function.php.

The class takes a string and sanitizes it so that it is safe from cross-site scripting (XSS) attacks.
It inserts <x> into dangerous keywords (so that a browser no longer recognizes them) and removes non-viewable characters.
Like the PHP original, this is a denylist filter: only the keywords and encodings it knows about are neutralized,
so it is best used as a second line of defence behind proper contextual output encoding of untrusted data, not as the sole protection.

The main entry point of the class is #sanitizeHtml:.


[instance variables:]

[class variables:]


Related information:



Class protocol:

api
o  sanitizeHtml: aString
Return an HTML string in which the known cross-site scripting patterns (listed keywords, including their entity-encoded forms) have been disabled.
This version does not take Unicode into account.

usage example(s):

      self sanitizeHtml:(self encodeToHtmlHex:'äabcdef').  
      self sanitizeHtml:''.  
      self sanitizeHtml:''.  

encoding
o  encodeToHtmlDec: aStringOrStream
Encode aStringOrStream into HTML decimal character references (&#NN;).

usage example(s):

      self encodeToHtmlDec:'123'  

o  encodeToHtmlHex: aStringOrStream
Encode aStringOrStream into HTML hexadecimal character references (&#xNN;).

usage example(s):

      self encodeToHtmlHex:'123'

o  encodeToUrlHex: aString
Encode aString into URL percent-encoding (%NN).

usage example(s):

      self encodeToUrlHex:'123'

helpers
o  recursivelyDecodeHtml: aStringOrStream
Recursively decode all encoded characters in aStringOrStream.

o  recursivelyDecodeHtml: aStringOrStream do: aTwoArgCallbackBlock
Recursively decode aStringOrStream, resolving the hexadecimal and decimal
character encodings found in HTML strings. Decide how and what to decode by
returning a string from aTwoArgCallbackBlock; the returned string replaces the
decoded character. Decoding is repeated until nothing changes, so that doubly
encoded characters (an encoded '&' followed by an encoded reference) are resolved as well.

The aTwoArgCallbackBlock receives the decoded Character and the encoding it was found in as arguments.

return: <String>

o  sanitizeKeywordsAndRemoveIllegalSpaces: aString
Insert <x> into dangerous keywords and remove the characters with ASCII values 9, 10 and 13 (TAB, LF, CR).

usage example(s):

     self sanitizeKeywordsAndRemoveIllegalSpaces:''.     

initialization
o  emptyOrTNRWhitespaceAttacksRegex
A regex that matches the empty string or the hexadecimal or decimal HTML
encodings of CR, LF and TAB. It is placed between the letters of a keyword so
that a keyword split by encoded whitespace is still recognized.

o  initializeSanitizedKeywordsNerfedKeywordsAndPatterns

o  keywordRegex

o  nerfedKeywords
Keywords that are changed (by inserting <x>) to avoid a possible XSS security threat.

o  sanitizeKeywords
Keywords that are considered indicators of a possible XSS attack.
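The following is an added example, not the code of the Smalltalk/X class or of the PHP original: a Python reimplementation of the technique described above and in #recursivelyDecodeHtml:do:, #sanitizeKeywordsAndRemoveIllegalSpaces: and the initialization methods (recursive entity decoding driven by a callback, a separator regex for encoded CR/LF/TAB between keyword letters, and <x> insertion). The keyword list, the default decode callback, the position of the inserted <x> and the sample payloads are assumptions made for this example; the class's own sanitizeKeywords and nerfedKeywords lists are not reproduced on this page.

```python
import re

# Assumed keyword list for this example; the class's real list is not shown on the page.
DANGEROUS_KEYWORDS = [
    "javascript", "vbscript", "expression", "script",
    "iframe", "object", "embed", "onload", "onerror", "onclick",
]

ILLEGAL_CHARS = {9, 10, 13}  # TAB, LF, CR: stripped by the keyword pass
ENTITY_RE = re.compile(r"&#(x[0-9a-f]+|[0-9]+);?", re.IGNORECASE)

# Between two letters of a keyword allow nothing, a literal TAB/LF/CR, or a
# decimal/hex entity for one of them (the role of emptyOrTNRWhitespaceAttacksRegex).
TNR_SEP = r"(?:[\t\n\r]|&#(?:x0*[9ad]|0*(?:9|10|13));?)*"


def encode_to_html_dec(s):
    return "".join("&#%d;" % ord(c) for c in s)


def encode_to_html_hex(s):
    return "".join("&#x%x;" % ord(c) for c in s)


def encode_to_url_hex(s):
    return "".join("%%%02X" % b for b in s.encode("utf-8"))


def decode_printable_ascii(ch, encoding):
    """Assumed default callback: decode only printable ASCII and leave TAB/LF/CR
    entities untouched, so the keyword pass can still see them.
    encoding is 'hex' or 'dec'; returning None keeps the entity as written."""
    return ch if 32 <= ord(ch) < 127 else None


def recursively_decode_html(s, callback=decode_printable_ascii):
    """Decode numeric character references until the string stops changing.
    Repeating the pass resolves double encodings such as
    &#38;#106; -> &#106; -> j. The round limit guards against pathological input."""
    def repl(m):
        token = m.group(1)
        is_hex = token[0] in "xX"
        code = int(token[1:], 16) if is_hex else int(token)
        if code > 0x10FFFF:
            return m.group(0)
        out = callback(chr(code), "hex" if is_hex else "dec")
        return m.group(0) if out is None else out

    for _ in range(16):
        decoded = ENTITY_RE.sub(repl, s)
        if decoded == s:
            break
        s = decoded
    return s


def keyword_regex(keyword):
    # "javascript" becomes j SEP a SEP v SEP ... so encoded whitespace cannot split it.
    return re.compile(TNR_SEP.join(re.escape(c) for c in keyword), re.IGNORECASE)


def sanitize_keywords_and_remove_illegal_spaces(s):
    """Drop literal TAB/LF/CR, then insert <x> into each dangerous keyword.
    Placing <x> after the second letter is an assumption (it follows the PHP original)."""
    s = "".join(c for c in s if ord(c) not in ILLEGAL_CHARS)
    for kw in DANGEROUS_KEYWORDS:
        s = keyword_regex(kw).sub(kw[:2] + "<x>" + kw[2:], s)
    return s


def sanitize_html(s):
    """The full pipeline the page describes: strip non-viewable control
    characters, recursively decode entities, then nerf the keywords."""
    s = "".join(c for c in s if ord(c) >= 32 or ord(c) in ILLEGAL_CHARS)
    s = recursively_decode_html(s)
    return sanitize_keywords_and_remove_illegal_spaces(s)


if __name__ == "__main__":
    # Constructed payloads hiding a keyword behind hex encoding, double encoding,
    # an encoded TAB between its letters, and partial decimal encoding.
    payloads = [
        '<a href="javascript:alert(1)">x</a>',
        '<a href="' + encode_to_html_hex("javascript") + ':alert(1)">x</a>',
        '<a href="&#38;#106;avascript:alert(1)">x</a>',
        '<a href="jav&#x09;ascript:alert(1)">x</a>',
        '<img src=x one' + encode_to_html_dec("rror") + '=alert(1)>',
    ]
    for p in payloads:
        print(sanitize_html(p))
```

All four javascript: variants come out as ja<x>vasc<x>ript: (the shorter keyword "script" is nerfed a second time inside the already nerfed "javascript", as in the PHP original), and the decimal-encoded onerror becomes on<x>error. Any keyword absent from the list passes through unchanged, which is the inherent limit of a denylist filter; contextual output encoding of untrusted data remains the primary defence.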



ST/X 7.2.0.0; WebServer 1.670 at bd0aa1f87cdd.unknown:8081; Tue, 19 Mar 2024 03:34:00 GMT