org.directwebremoting
Class Security

java.lang.Object
  extended by org.directwebremoting.Security

public class Security
extends java.lang.Object

Some simple replacement utilities to help people protect themselves from XSS attacks.

This class represents some simple filters which may protect from simple attacks in low risk environments. There is no replacement for a full security review which assesses the risks that you face.

Author:
Joe Walker [joe at getahead dot ltd dot uk]

Constructor Summary
Security()
           
 
Method Summary
static boolean containsXssRiskyCharacters(java.lang.String original)
          Return true iff the input string contains any of the characters that are special to XML: &, <, >, ' or "
static java.lang.String escapeHtml(java.lang.String original)
          Perform the following replacements: & to &amp; < to &lt; > to &gt; ' to &apos; " to &quot; These replacements are useful when the original sense is important, but when we wish to reduce the risk of XSS attacks.
static java.lang.String replaceXmlCharacters(java.lang.String original)
          Perform the following replacements: & to + < to \\u2039 () > to \\u203A () ' to \\u2018 () " to \\u201C () These replacements are useful when readability is more important than retaining the exact character string of the original.
static java.lang.String unescapeHtml(java.lang.String original)
          Perform the following replacements: &amp; to & &lt; to < &gt; to > &apos; to ' &quot; to " These replacements are useful to reverse the effects of escapeHtml(String).
 
Methods inherited from class java.lang.Object
equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

Security

public Security()
Method Detail

escapeHtml

public static java.lang.String escapeHtml(java.lang.String original)
Perform the following replacements: These replacements are useful when the original sense is important, but when we wish to reduce the risk of XSS attacks.

Parameters:
original - The string to perform entity replacement on
Returns:
The original string with &, <, >, ' and " escaped.
See Also:
unescapeHtml(String)

unescapeHtml

public static java.lang.String unescapeHtml(java.lang.String original)
Perform the following replacements: These replacements are useful to reverse the effects of escapeHtml(String).

Parameters:
original - The string to perform entity replacement on
Returns:
The original string with &, <, >, ' and " replaced.
See Also:
escapeHtml(String)

replaceXmlCharacters

public static java.lang.String replaceXmlCharacters(java.lang.String original)
Perform the following replacements: These replacements are useful when readability is more important than retaining the exact character string of the original.

Parameters:
original - The string to perform entity replacement on
Returns:
The original string with &, <, >, ' and " escaped.

containsXssRiskyCharacters

public static boolean containsXssRiskyCharacters(java.lang.String original)
Return true iff the input string contains any of the characters that are special to XML: &, <, >, ' or "

Parameters:
original - The string to test for XML special characters
Returns:
True if the characters are found, false otherwise

Copyright 2008