/** * @param configuration the configuration to use for the cleaning * @return the default {@link CleanerProperties} to be used for cleaning. */ private CleanerProperties getDefaultCleanerProperties(HTMLCleanerConfiguration configuration) { CleanerProperties defaultProperties = new CleanerProperties(); defaultProperties.setOmitUnknownTags(true); // HTML Cleaner uses the compact notation by default but we don't want that since: // - it's more work and not required since not compact notation is valid XHTML // - expanded elements can also be rendered fine in browsers that only support HTML. defaultProperties.setUseEmptyElementTags(false); // Wrap script and style content in CDATA blocks defaultProperties.setUseCdataForScriptAndStyle(true); // If the caller has defined NAMESPACE_AWARE configuration property then use it, otherwise use // our default. String param = configuration.getParameters().get(HTMLCleanerConfiguration.NAMESPACES_AWARE); boolean namespacesAware = (param != null) ? Boolean.parseBoolean(param) : true; defaultProperties.setNamespacesAware(namespacesAware); return defaultProperties; }
/** Verify that the restricted parameter works. */ @Test public void restrictedHtml() throws ComponentLookupException { HTMLCleanerConfiguration configuration = this.mocker.getComponentUnderTest().getDefaultConfiguration(); Map<String, String> parameters = new HashMap<String, String>(); parameters.putAll(configuration.getParameters()); parameters.put("restricted", "true"); configuration.setParameters(parameters); String result = HTMLUtils.toString( this.mocker .getComponentUnderTest() .clean(new StringReader("<script>alert(\"foo\")</script>"), configuration)); Assert.assertEquals(HEADER_FULL + "<pre>alert(\"foo\")</pre>" + FOOTER, result); result = HTMLUtils.toString( this.mocker .getComponentUnderTest() .clean(new StringReader("<style>p {color:white;}</style>"), configuration)); Assert.assertEquals(HEADER_FULL + "<pre>p {color:white;}</pre>" + FOOTER, result); }
/** * @param configuration The cleaner configuration. * @return the default cleaning transformations to perform on tags, in addition to the base * transformations done by HTML Cleaner */ private CleanerTransformations getDefaultCleanerTransformations( HTMLCleanerConfiguration configuration) { CleanerTransformations defaultTransformations = new CleanerTransformations(); TagTransformation tt = new TagTransformation(HTMLConstants.TAG_B, HTMLConstants.TAG_STRONG, false); defaultTransformations.addTransformation(tt); tt = new TagTransformation(HTMLConstants.TAG_I, HTMLConstants.TAG_EM, false); defaultTransformations.addTransformation(tt); tt = new TagTransformation(HTMLConstants.TAG_U, HTMLConstants.TAG_INS, false); defaultTransformations.addTransformation(tt); tt = new TagTransformation(HTMLConstants.TAG_S, HTMLConstants.TAG_DEL, false); defaultTransformations.addTransformation(tt); tt = new TagTransformation(HTMLConstants.TAG_STRIKE, HTMLConstants.TAG_DEL, false); defaultTransformations.addTransformation(tt); tt = new TagTransformation(HTMLConstants.TAG_CENTER, HTMLConstants.TAG_P, false); tt.addAttributeTransformation(HTMLConstants.ATTRIBUTE_STYLE, "text-align:center"); defaultTransformations.addTransformation(tt); String restricted = configuration.getParameters().get(HTMLCleanerConfiguration.RESTRICTED); if ("true".equalsIgnoreCase(restricted)) { tt = new TagTransformation(HTMLConstants.TAG_SCRIPT, HTMLConstants.TAG_PRE, false); defaultTransformations.addTransformation(tt); tt = new TagTransformation(HTMLConstants.TAG_STYLE, HTMLConstants.TAG_PRE, false); defaultTransformations.addTransformation(tt); } return defaultTransformations; }
@Override public Document clean(Reader originalHtmlContent, HTMLCleanerConfiguration configuration) { Document result; // Note: Instantiation of an HtmlCleaner object is cheap so there's no need to cache an instance // of it, // especially since this makes it extra safe with regards to multithreading (even though HTML // Cleaner is // already supposed to be thread safe). CleanerProperties cleanerProperties = getDefaultCleanerProperties(configuration); HtmlCleaner cleaner = new HtmlCleaner(cleanerProperties); cleaner.setTransformations(getDefaultCleanerTransformations(configuration)); TagNode cleanedNode; try { cleanedNode = cleaner.clean(originalHtmlContent); } catch (Exception e) { // This shouldn't happen since we're not doing any IO... I consider this a flaw in the design // of HTML // Cleaner. throw new RuntimeException("Unhandled error when cleaning HTML", e); } // Serialize the cleanedNode TagNode into a w3c dom. Ideally following code should be enough. // But SF's HTML Cleaner seems to omit the DocType declaration while serializing. // See // https://sourceforge.net/tracker/index.php?func=detail&aid=2062318&group_id=183053&atid=903696 // cleanedNode.setDocType(new DoctypeToken("html", "PUBLIC", "-//W3C//DTD XHTML 1.0 // Strict//EN", // "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd")); // try { // result = new DomSerializer(cleanerProperties, false).createDOM(cleanedNode); // } catch(ParserConfigurationException ex) { } // As a workaround, we must serialize the cleanedNode into a temporary w3c document, create a // new w3c document // with proper DocType declaration and move the root node from the temporary document to the new // one. try { // Since there's a bug in SF's HTML Cleaner in that it doesn't recognize CDATA blocks we need // to turn off // character escaping (hence the false value passed) and do the escaping in // XMLUtils.toString(). Note that // this can cause problem for code not serializing the W3C DOM to a String since it won't have // the // characters escaped. // See // https://sourceforge.net/tracker/index.php?func=detail&aid=2691888&group_id=183053&atid=903696 Document tempDoc = new XWikiDOMSerializer(cleanerProperties, false).createDOM(cleanedNode); DOMImplementation domImpl = DocumentBuilderFactory.newInstance().newDocumentBuilder().getDOMImplementation(); DocumentType docType = domImpl.createDocumentType( QUALIFIED_NAME_HTML, "-//W3C//DTD XHTML 1.0 Strict//EN", "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"); result = domImpl.createDocument(null, QUALIFIED_NAME_HTML, docType); result.replaceChild( result.adoptNode(tempDoc.getDocumentElement()), result.getDocumentElement()); } catch (ParserConfigurationException ex) { throw new RuntimeException("Error while serializing TagNode into w3c dom.", ex); } // Finally apply filters. for (HTMLFilter filter : configuration.getFilters()) { filter.filter(result, configuration.getParameters()); } return result; }