in src/main/java/org/apache/sling/xss/impl/AntiSamyPolicyAdapter.java [50:186]
public AntiSamyPolicyAdapter(AntiSamyPolicy policy) {
removeAttributeGuards();
HtmlPolicyBuilder policyBuilder = new HtmlPolicyBuilder();
cssValidator = new CssValidator(policy.getCssPolicy());
// ------------ this is for the global attributes -------------
Map<String, Attribute> globalAttributes = policy.getGlobalAttributes();
for (Attribute attribute : globalAttributes.values()) {
if (attribute.getOnInvalid().equals(REMOVE_TAG_ON_INVALID_ACTION)) {
onInvalidRemoveTagList.add(attribute.getName());
}
if (CssValidator.STYLE_ATTRIBUTE_NAME.equals(attribute.getName())) {
// we match style tags separately
policyBuilder
.allowAttributes(attribute.getName())
.matching(cssValidator.newCssAttributePolicy())
.globally();
} else {
List<String> literalList = attribute.getLiterals();
List<Pattern> patternList = attribute.getPatternList();
if (!literalList.isEmpty() && !patternList.isEmpty()) {
// if both, the patterns and the literals are not empty, the value should be checked with them with
// an OR and not with an AND.
policyBuilder
.allowAttributes(attribute.getName())
.matching(matchesPatternsOrLiterals(patternList, true, literalList))
.globally();
} else if (!literalList.isEmpty()) {
policyBuilder
.allowAttributes(attribute.getName())
.matching(true, literalList.toArray(new String[0]))
.globally();
} else if (!patternList.isEmpty()) {
policyBuilder
.allowAttributes(attribute.getName())
.matching(matchesToPatterns(patternList))
.globally();
} else {
policyBuilder.allowAttributes(attribute.getName()).globally();
}
}
}
// ------------ this is for the allowed empty tags -------------
List<String> allowedEmptyTags = policy.getAllowedEmptyTags();
for (String allowedEmptyTag : allowedEmptyTags) {
policyBuilder.allowWithoutAttributes(allowedEmptyTag);
}
// ------------ this is for the tag rules -------------
Map<String, Tag> tagMap = policy.getTagRules();
for (Map.Entry<String, Tag> tag : tagMap.entrySet()) {
String tagAction = tag.getValue().getAction();
switch (tagAction) {
// Tag.action
case AntiSamyActions.TRUNCATE:
policyBuilder.allowElements(tag.getValue().getName());
break;
// filter: remove tags, but keep content,
case AntiSamyActions.FILTER:
break;
// remove: remove tag and contents
case AntiSamyActions.REMOVE:
policyBuilder.disallowElements(tag.getValue().getName());
break;
case AntiSamyActions.VALIDATE:
case "":
policyBuilder.allowElements(tag.getValue().getName());
boolean styleSeen = false;
// get the allowed Attributes for the tag
Map<String, Attribute> allowedAttributes = tag.getValue().getAttributeMap();
// if there are allowed Attributes, map over them
for (Attribute attribute : allowedAttributes.values()) {
if (attribute.getOnInvalid().equals(REMOVE_TAG_ON_INVALID_ACTION)) {
onInvalidRemoveTagList.add(attribute.getName());
}
styleSeen = CssValidator.STYLE_ATTRIBUTE_NAME.equals(attribute.getName());
List<String> literalList = attribute.getLiterals();
List<Pattern> patternList = attribute.getPatternList();
policyBuilder
.allowAttributes(attribute.getName())
.matching(matchesPatternsOrLiterals(patternList, true, literalList))
.onElements(tag.getValue().getName());
}
if (!styleSeen) {
policyBuilder
.allowAttributes(CssValidator.STYLE_ATTRIBUTE_NAME)
.matching(cssValidator.newCssAttributePolicy())
.onElements(tag.getValue().getName());
}
break;
default:
throw new IllegalArgumentException("No tag action found.");
}
}
// disallow style tag on specific elements
policyBuilder
.disallowAttributes(CssValidator.STYLE_ATTRIBUTE_NAME)
.onElements(cssValidator.getDisallowedTagNames().toArray(new String[0]));
// ---------- dynamic attributes ------------
Map<String, Attribute> dynamicAttributes = new HashMap<>();
// checks if the dynamic attributes are allowed
if (Objects.equals(policy.getDirectives().get(ALLOW_DYNAMIC_ATTRIBUTES), "true")) {
dynamicAttributes.putAll(policy.getDynamicAttributes());
for (Attribute attribute : dynamicAttributes.values()) {
if (attribute.getOnInvalid().equals(REMOVE_TAG_ON_INVALID_ACTION)) {
onInvalidRemoveTagList.add(attribute.getName());
}
List<Pattern> regexsFromAttribute = attribute.getPatternList();
List<String> allowedValuesFromAttribute = attribute.getLiterals();
dynamicAttributesPolicyMap.put(
attribute.getName(),
newDynamicAttributePolicy(regexsFromAttribute, true, allowedValuesFromAttribute));
}
}
policyFactory = policyBuilder.allowTextIn(CssValidator.STYLE_TAG_NAME).toFactory();
}