in src/main/java/org/apache/sling/scripting/sightly/impl/engine/extension/XSSRuntimeExtension.java [90:138]
/**
 * Routes {@code text} through the encoder or validator that matches the markup
 * context it will be rendered into.
 *
 * <p>Most contexts delegate to the {@code xssApi} field (HTML, attribute, URI,
 * JS/CSS string and token, multi-line comment, HTML filtering); attribute and
 * element names and JSON strings go through the local escape helpers. The
 * {@code NUMBER} context does not escape at all: it re-serialises the input as
 * a parsed {@code double} or {@code long} and substitutes {@code "0"} for
 * anything that does not parse, so no attacker-controlled characters survive.
 *
 * <p>A context not listed in the switch is returned verbatim, i.e. unescaped.
 * NOTE(review): presumably this is where an explicitly unsafe context lands
 * and the remaining contexts are still to be covered — confirm against the
 * caller before relying on it.
 *
 * @param text       the value to protect; may be {@code null} for {@code NUMBER}
 *                   (yields {@code "0"}); for the other contexts null handling is
 *                   whatever the delegated encoder does
 * @param xssContext the markup context the value is rendered into
 * @return the context-appropriate encoded, validated or sanitised value
 * @throws NullPointerException if {@code xssContext} is {@code null}
 *                              (switching on a null enum)
 */
private String applyXSSFilter(String text, MarkupContext xssContext) {
    switch (xssContext) {
        case ATTRIBUTE:
            return xssApi.encodeForHTMLAttr(text);
        case COMMENT:
        case TEXT:
            // Comments and text nodes share the plain HTML entity encoding.
            return xssApi.encodeForHTML(text);
        case ATTRIBUTE_NAME:
            return escapeAttributeName(text);
        case NUMBER:
            return toNumberLiteral(text);
        case URI:
            return xssApi.getValidHref(text);
        case SCRIPT_TOKEN:
            // Empty default: an invalid token is dropped rather than echoed.
            return xssApi.getValidJSToken(text, "");
        case STYLE_TOKEN:
            return xssApi.getValidStyleToken(text, "");
        case SCRIPT_STRING:
            return xssApi.encodeForJSString(text);
        case STYLE_STRING:
            return xssApi.encodeForCSSString(text);
        case JSON_STRING:
            return encodeForJsonString(text);
        case SCRIPT_COMMENT:
        case STYLE_COMMENT:
            // Both JS and CSS use /* */ comments, so one validator covers both.
            return xssApi.getValidMultiLineComment(text, "");
        case ELEMENT_NAME:
            return escapeElementName(text);
        case HTML:
            return xssApi.filterHTML(text);
        default:
            // Contexts without a dedicated filter fall through unchanged;
            // the remaining filters are still to be applied here.
            return text;
    }
}

/**
 * Re-serialises {@code text} as a canonical numeric literal.
 *
 * <p>Inputs containing a {@code '.'}, {@code 'e'} or {@code 'E'} are parsed as a
 * {@code double}, everything else as a {@code long}; the parsed value's own
 * {@code toString()} is returned. A {@code null} input or a parse failure
 * yields {@code "0"}. Because the output is produced from a parsed number, no
 * character of the original input is echoed directly.
 *
 * @param text the candidate number, may be {@code null}
 * @return the canonical literal, or {@code "0"} when the input is not a number
 */
private static String toNumberLiteral(String text) {
    if (text == null) {
        return "0";
    }
    boolean looksFloating = text.contains(".") || text.contains("e") || text.contains("E");
    Number parsed;
    try {
        if (looksFloating) {
            parsed = Double.parseDouble(text);
        } else {
            parsed = Long.parseLong(text);
        }
    } catch (NumberFormatException notANumber) {
        // Unparseable input is replaced wholesale rather than passed through.
        parsed = 0;
    }
    return parsed.toString();
}