<?xml version="1.0" encoding="UTF-8" ?>
<taglib version="2.1" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-jsptaglibrary_2_1.xsd" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <display-name>OWASP Java Encoder Project</display-name>
    <tlib-version>1.0</tlib-version>
    <short-name>java-encoder</short-name>
    <uri>https://www.owasp.org/index.php/OWASP_Java_Encoder_Project#advanced</uri>
    <tag>
        <description>
            Encodes data for an XML CDATA section. On the chance that the input
            contains a terminating "]]&gt;", it will be replaced by
            &quot;]]&gt;]]&lt;![CDATA[&gt;&quot;.
            As with all XML contexts, characters that are invalid according to the
            XML specification will be replaced by a space character. Caller must
            provide the CDATA section boundaries.
        </description>
        <display-name>forCDATA</display-name>
        <name>forCDATA</name>
        <tag-class>org.owasp.encoder.tag.ForCDATATag</tag-class>
        <body-content>empty</body-content>
        <attribute>
            <description>The value to be written out</description>
            <name>value</name>
            <required>true</required>
            <rtexprvalue>true</rtexprvalue>
            <type>java.lang.String</type>
        </attribute>
    </tag>
    <tag>
        <description>
            This method encodes for HTML text content. It does not escape
            quotation characters and is thus unsafe for use with
            HTML attributes. Use either forHtml or forHtmlAttribute for those
            methods.
        </description>
        <display-name>forHtmlContent</display-name>
        <name>forHtmlContent</name>
        <tag-class>org.owasp.encoder.tag.ForHtmlContentTag</tag-class>
        <body-content>empty</body-content>
        <attribute>
            <description>value to be written out</description>
            <name>value</name>
            <required>true</required>
            <rtexprvalue>true</rtexprvalue>
            <type>java.lang.String</type>
        </attribute>
    </tag>
    <tag>
        <description>Encodes for XML and XHTML attribute content.</description>
        <display-name>forXmlAttribute</display-name>
        <name>forXmlAttribute</name>
        <tag-class>org.owasp.encoder.tag.ForXmlAttributeTag</tag-class>
        <body-content>empty</body-content>
        <attribute>
            <description>value to be written out</description>
            <name>value</name>
            <required>true</required>
            <rtexprvalue>true</rtexprvalue>
            <type>java.lang.String</type>
        </attribute>
    </tag>
    <tag>
        <description>Encodes for XML and XHTML.</description>
        <display-name>forXml</display-name>
        <name>forXml</name>
        <tag-class>org.owasp.encoder.tag.ForXmlTag</tag-class>
        <body-content>empty</body-content>
        <attribute>
            <description>value to be written out</description>
            <name>value</name>
            <required>true</required>
            <rtexprvalue>true</rtexprvalue>
            <type>java.lang.String</type>
        </attribute>
    </tag>
    <tag>
        <description>
            Encodes for a JavaScript string. It is safe for use in HTML
            script attributes (such as onclick), script
            blocks, JSON files, and JavaScript source. The caller MUST
            provide the surrounding quotation characters for the string.
            Since this performs additional encoding so it can work in all
            of the JavaScript contexts listed, it may be slightly less
            efficient than using one of the methods targeted to a specific
            JavaScript context: forJavaScriptAttribute,
            forJavaScriptBlock, or forJavaScriptSource.

            Unless you are interested in saving a few bytes of output or
            are writing a framework on top of this library, it is recommended
            that you use this method over the others.
        </description>
        <display-name>forJavaScript</display-name>
        <name>forJavaScript</name>
        <tag-class>org.owasp.encoder.tag.ForJavaScriptTag</tag-class>
        <body-content>empty</body-content>
        <attribute>
            <description>value to be written out</description>
            <name>value</name>
            <required>true</required>
            <rtexprvalue>true</rtexprvalue>
            <type>java.lang.String</type>
        </attribute>
    </tag>
    <tag>
        <description>
            This method encodes for JavaScript strings contained within
            HTML script attributes (such as onclick). It is
            NOT safe for use in script blocks. The caller MUST provide the
            surrounding quotation characters. This method performs the
            same encode as Encode.forJavaScript(String) with the
            exception that / is not escaped.
        </description>
        <display-name>forJavaScriptAttribute</display-name>
        <name>forJavaScriptAttribute</name>
        <tag-class>org.owasp.encoder.tag.ForJavaScriptAttributeTag</tag-class>
        <body-content>empty</body-content>
        <attribute>
            <description>value to be written out</description>
            <name>value</name>
            <required>true</required>
            <rtexprvalue>true</rtexprvalue>
            <type>java.lang.String</type>
        </attribute>
    </tag>
    <tag>
        <description>
            This method encodes for JavaScript strings contained within
            HTML script blocks. It is NOT safe for use in script
            attributes (such as onclick). The caller must
            provide the surrounding quotation characters. This method
            performs the same encode as Encode.forJavaScript(String) with
            the exception that " and ' are encoded as \" and \' respectively.
        </description>
        <display-name>forJavaScriptBlock</display-name>
        <name>forJavaScriptBlock</name>
        <tag-class>org.owasp.encoder.tag.ForJavaScriptBlockTag</tag-class>
        <body-content>empty</body-content>
        <attribute>
            <description>value to be written out</description>
            <name>value</name>
            <required>true</required>
            <rtexprvalue>true</rtexprvalue>
            <type>java.lang.String</type>
        </attribute>
    </tag>
    <tag>
        <description>
            This method encodes for JavaScript strings contained within
            a JavaScript or JSON file. This method is NOT safe for
            use in ANY context embedded in HTML. The caller must
            provide the surrounding quotation characters. This method
            performs the same encode as Encode.forJavaScript(String) with
            the exception that / and &amp; are not escaped and " and ' are
            encoded as \" and \' respectively.
        </description>
        <display-name>forJavaScriptSource</display-name>
        <name>forJavaScriptSource</name>
        <tag-class>org.owasp.encoder.tag.ForJavaScriptSourceTag</tag-class>
        <body-content>empty</body-content>
        <attribute>
            <description>value to be written out</description>
            <name>value</name>
            <required>true</required>
            <rtexprvalue>true</rtexprvalue>
            <type>java.lang.String</type>
        </attribute>
    </tag>
    <tag>
        <description>
            Encodes for unquoted HTML attribute values. forHtml(String) or
            forHtmlAttribute(String) should usually be preferred over this
            method as quoted attributes are XHTML compliant.
        </description>
        <display-name>forHtmlUnquotedAttribute</display-name>
        <name>forHtmlUnquotedAttribute</name>
        <tag-class>org.owasp.encoder.tag.ForHtmlUnquotedAttributeTag</tag-class>
        <body-content>empty</body-content>
        <attribute>
            <description>value to be written out</description>
            <name>value</name>
            <required>true</required>
            <rtexprvalue>true</rtexprvalue>
            <type>java.lang.String</type>
        </attribute>
    </tag>
    <tag>
        <description>
            Performs percent-encoding of a URL according to RFC 3986. The provided
            URL is assumed to be a valid URL. This method does not do any checking on
            the quality or safety of the URL itself. In many applications it may
            be better to use java.net.URI instead. Note: this is a
            particularly dangerous context to put untrusted content in, as for
            example a "javascript:" URL provided by a malicious user would be
            "properly" escaped, and still execute.
        </description>
        <display-name>forUri</display-name>
        <name>forUri</name>
        <tag-class>org.owasp.encoder.tag.ForUriTag</tag-class>
        <body-content>empty</body-content>
        <attribute>
            <description>value to be written out</description>
            <name>value</name>
            <required>true</required>
            <rtexprvalue>true</rtexprvalue>
            <type>java.lang.String</type>
        </attribute>
    </tag>
    <tag>
        <description>
            Encodes for CSS URL contexts. The context must be surrounded by "url()". It
            is safe for use in both style blocks and attributes in HTML. Note: this does
            not do any checking on the quality or safety of the URL itself. The caller
            should ensure that the URL is safe for embedding (e.g. input validation) by
            other means.
        </description>
        <display-name>forCssUrl</display-name>
        <name>forCssUrl</name>
        <tag-class>org.owasp.encoder.tag.ForCssUrlTag</tag-class>
        <body-content>empty</body-content>
        <attribute>
            <description>value to be written out</description>
            <name>value</name>
            <required>true</required>
            <rtexprvalue>true</rtexprvalue>
            <type>java.lang.String</type>
        </attribute>
    </tag>
    <tag>
        <description>
            Encoder for XML comments. NOT FOR USE WITH (X)HTML CONTEXTS.
            (X)HTML comments may be interpreted by browsers as something
            other than a comment, typically in vendor specific extensions
            (e.g. &lt;--if[IE]--&gt;).
            For (X)HTML it is recommended that unsafe content never be included
            in a comment.
        </description>
        <display-name>forXmlComment</display-name>
        <name>forXmlComment</name>
        <tag-class>org.owasp.encoder.tag.ForXmlCommentTag</tag-class>
        <body-content>empty</body-content>
        <attribute>
            <description>value to be written out</description>
            <name>value</name>
            <required>true</required>
            <rtexprvalue>true</rtexprvalue>
            <type>java.lang.String</type>
        </attribute>
    </tag>
    <tag>
        <description>Encodes for HTML text attributes.</description>
        <display-name>forHtmlAttribute</display-name>
        <name>forHtmlAttribute</name>
        <tag-class>org.owasp.encoder.tag.ForHtmlAttributeTag</tag-class>
        <body-content>empty</body-content>
        <attribute>
            <description>value to be written out</description>
            <name>value</name>
            <required>true</required>
            <rtexprvalue>true</rtexprvalue>
            <type>java.lang.String</type>
        </attribute>
    </tag>
    <tag>
        <description>
            Encodes for (X)HTML text content and text attributes.
        </description>
        <display-name>forHtml</display-name>
        <name>forHtml</name>
        <tag-class>org.owasp.encoder.tag.ForHtmlTag</tag-class>
        <body-content>empty</body-content>
        <attribute>
            <description>value to be written out</description>
            <name>value</name>
            <required>true</required>
            <rtexprvalue>true</rtexprvalue>
            <type>java.lang.String</type>
        </attribute>
    </tag>
    <tag>
        <description>
            Encodes for HTML text content. It does not escape
            quotation characters and is thus unsafe for use with
            HTML attributes. Use either forHtml or forHtmlAttribute for those
            methods.
        </description>
        <display-name>forXmlContent</display-name>
        <name>forXmlContent</name>
        <tag-class>org.owasp.encoder.tag.ForXmlContentTag</tag-class>
        <body-content>empty</body-content>
        <attribute>
            <description>value to be written out</description>
            <name>value</name>
            <required>true</required>
            <rtexprvalue>true</rtexprvalue>
            <type>java.lang.String</type>
        </attribute>
    </tag>
    <tag>
        <description>
            Performs percent-encoding for a component of a URI, such as a query
            parameter name or value, path or query-string. In particular this
            method ensures that special characters in the component do not get
            interpreted as part of another component.
        </description>
        <display-name>forUriComponent</display-name>
        <name>forUriComponent</name>
        <tag-class>org.owasp.encoder.tag.ForUriComponentTag</tag-class>
        <body-content>empty</body-content>
        <attribute>
            <description>value to be written out</description>
            <name>value</name>
            <required>true</required>
            <rtexprvalue>true</rtexprvalue>
            <type>java.lang.String</type>
        </attribute>
    </tag>
    <tag>
        <description>
            Encodes for CSS strings. The context must be surrounded by quotation characters.
            It is safe for use in both style blocks and attributes in HTML.
        </description>
        <display-name>forCssString</display-name>
        <name>forCssString</name>
        <tag-class>org.owasp.encoder.tag.ForCssStringTag</tag-class>
        <body-content>empty</body-content>
        <attribute>
            <description>value to be written out</description>
            <name>value</name>
            <required>true</required>
            <rtexprvalue>true</rtexprvalue>
            <type>java.lang.String</type>
        </attribute>
    </tag>
    <function>
        <description>
            Encodes for (X)HTML text content and text attributes.
        </description>
        <display-name>forHtml</display-name>
        <name>forHtml</name>
        <function-class>org.owasp.encoder.Encode</function-class>
        <function-signature>java.lang.String forHtml(java.lang.String)</function-signature>
        <example>forHtml(unsafeData)</example>
    </function>
    <function>
        <description>
            This method encodes for HTML text content. It does not escape
            quotation characters and is thus unsafe for use with
            HTML attributes. Use either forHtml or forHtmlAttribute for those
            methods.
        </description>
        <display-name>forHtmlContent</display-name>
        <name>forHtmlContent</name>
        <function-class>org.owasp.encoder.Encode</function-class>
        <function-signature>java.lang.String forHtmlContent(java.lang.String)</function-signature>
        <example>forHtmlContent(unsafeData)</example>
    </function>
    <function>
        <description>Encodes for HTML text attributes.</description>
        <name>forHtmlAttribute</name>
        <function-class>org.owasp.encoder.Encode</function-class>
        <function-signature>java.lang.String forHtmlAttribute(java.lang.String)</function-signature>
        <example>forHtmlAttribute(unsafeData)</example>
    </function>
    <function>
        <description>
            Encodes for unquoted HTML attribute values. forHtml(String) or
            forHtmlAttribute(String) should usually be preferred over this
            method as quoted attributes are XHTML compliant.
        </description>
        <display-name>forHtmlUnquotedAttribute</display-name>
        <name>forHtmlUnquotedAttribute</name>
        <function-class>org.owasp.encoder.Encode</function-class>
        <function-signature>java.lang.String forHtmlUnquotedAttribute(java.lang.String)</function-signature>
        <example>forHtmlUnquotedAttribute(unsafeData)</example>
    </function>
    <function>
        <description>
            Encodes for CSS strings. The context must be surrounded by quotation characters.
            It is safe for use in both style blocks and attributes in HTML.
        </description>
        <display-name>forCssString</display-name>
        <name>forCssString</name>
        <function-class>org.owasp.encoder.Encode</function-class>
        <function-signature>java.lang.String forCssString(java.lang.String)</function-signature>
        <example>forCssString(unsafeData)</example>
    </function>
    <function>
        <description>
            Encodes for CSS URL contexts. The context must be surrounded by "url()". It
            is safe for use in both style blocks and attributes in HTML. Note: this does
            not do any checking on the quality or safety of the URL itself. The caller
            should ensure that the URL is safe for embedding (e.g. input validation) by
            other means.
        </description>
        <display-name>forCssUrl</display-name>
        <name>forCssUrl</name>
        <function-class>org.owasp.encoder.Encode</function-class>
        <function-signature>java.lang.String forCssUrl(java.lang.String)</function-signature>
        <example>forCssUrl(unsafeData)</example>
    </function>
    <function>
        <description>
            Performs percent-encoding of a URL according to RFC 3986. The provided
            URL is assumed to be a valid URL. This method does not do any checking on
            the quality or safety of the URL itself. In many applications it may
            be better to use java.net.URI instead. Note: this is a
            particularly dangerous context to put untrusted content in, as for
            example a "javascript:" URL provided by a malicious user would be
            "properly" escaped, and still execute.
        </description>
        <display-name>forUri</display-name>
        <name>forUri</name>
        <function-class>org.owasp.encoder.Encode</function-class>
        <function-signature>java.lang.String forUri(java.lang.String)</function-signature>
        <example>forUri(unsafeData)</example>
    </function>
    <function>
        <description>
            Performs percent-encoding for a component of a URI, such as a query
            parameter name or value, path or query-string. In particular this
            method ensures that special characters in the component do not get
            interpreted as part of another component.
        </description>
        <display-name>forUriComponent</display-name>
        <name>forUriComponent</name>
        <function-class>org.owasp.encoder.Encode</function-class>
        <function-signature>java.lang.String forUriComponent(java.lang.String)</function-signature>
        <example>forUriComponent(unsafeData)</example>
    </function>
    <function>
        <description>Encodes for XML and XHTML.</description>
        <display-name>forXml</display-name>
        <name>forXml</name>
        <function-class>org.owasp.encoder.Encode</function-class>
        <function-signature>java.lang.String forXml(java.lang.String)</function-signature>
        <example>forXml(unsafeData)</example>
    </function>
    <function>
        <description>
            Encodes for HTML text content. It does not escape
            quotation characters and is thus unsafe for use with
            HTML attributes. Use either forHtml or forHtmlAttribute for those
            methods.
        </description>
        <display-name>forXmlContent</display-name>
        <name>forXmlContent</name>
        <function-class>org.owasp.encoder.Encode</function-class>
        <function-signature>java.lang.String forXmlContent(java.lang.String)</function-signature>
        <example>forXmlContent(unsafeData)</example>
    </function>
    <function>
        <description>Encodes for XML and XHTML attribute content.</description>
        <display-name>forXmlAttribute</display-name>
        <name>forXmlAttribute</name>
        <function-class>org.owasp.encoder.Encode</function-class>
        <function-signature>java.lang.String forXmlAttribute(java.lang.String)</function-signature>
        <example>forXmlAttribute(unsafeData)</example>
    </function>
    <function>
        <description>
            Encoder for XML comments. NOT FOR USE WITH (X)HTML CONTEXTS.
            (X)HTML comments may be interpreted by browsers as something
            other than a comment, typically in vendor specific extensions
            (e.g. &lt;--if[IE]--&gt;).
            For (X)HTML it is recommended that unsafe content never be included
            in a comment.
        </description>
        <name>forXmlComment</name>
        <function-class>org.owasp.encoder.Encode</function-class>
        <function-signature>java.lang.String forXmlComment(java.lang.String)</function-signature>
        <example>forXmlComment(unsafeData)</example>
    </function>
    <function>
        <description>
            Encodes data for an XML CDATA section. On the chance that the input
            contains a terminating "]]&gt;", it will be replaced by
            &quot;]]&gt;]]&lt;![CDATA[&gt;&quot;.
            As with all XML contexts, characters that are invalid according to the
            XML specification will be replaced by a space character. Caller must
            provide the CDATA section boundaries.
        </description>
        <display-name>forCDATA</display-name>
        <name>forCDATA</name>
        <function-class>org.owasp.encoder.Encode</function-class>
        <function-signature>java.lang.String forCDATA(java.lang.String)</function-signature>
        <example>forCDATA(unsafeData)</example>
    </function>
    <function>
        <description>
            Encodes for a JavaScript string. It is safe for use in HTML
            script attributes (such as onclick), script
            blocks, JSON files, and JavaScript source. The caller MUST
            provide the surrounding quotation characters for the string.
            Since this performs additional encoding so it can work in all
            of the JavaScript contexts listed, it may be slightly less
            efficient than using one of the methods targeted to a specific
            JavaScript context: forJavaScriptAttribute,
            forJavaScriptBlock, or forJavaScriptSource.

            Unless you are interested in saving a few bytes of output or
            are writing a framework on top of this library, it is recommended
            that you use this method over the others.
        </description>
        <display-name>forJavaScript</display-name>
        <name>forJavaScript</name>
        <function-class>org.owasp.encoder.Encode</function-class>
        <function-signature>java.lang.String forJavaScript(java.lang.String)</function-signature>
        <example>forJavaScript(unsafeData)</example>
    </function>
    <function>
        <description>
            This method encodes for JavaScript strings contained within
            HTML script attributes (such as onclick). It is
            NOT safe for use in script blocks. The caller MUST provide the
            surrounding quotation characters. This method performs the
            same encode as Encode.forJavaScript(String) with the
            exception that / is not escaped.
        </description>
        <display-name>forJavaScriptAttribute</display-name>
        <name>forJavaScriptAttribute</name>
        <function-class>org.owasp.encoder.Encode</function-class>
        <function-signature>java.lang.String forJavaScriptAttribute(java.lang.String)</function-signature>
        <example>forJavaScriptAttribute(unsafeData)</example>
    </function>
    <function>
        <description>
            This method encodes for JavaScript strings contained within
            HTML script blocks. It is NOT safe for use in script
            attributes (such as onclick). The caller must
            provide the surrounding quotation characters. This method
            performs the same encode as Encode.forJavaScript(String) with
            the exception that " and ' are encoded as \" and \' respectively.
        </description>
        <display-name>forJavaScriptBlock</display-name>
        <name>forJavaScriptBlock</name>
        <function-class>org.owasp.encoder.Encode</function-class>
        <function-signature>java.lang.String forJavaScriptBlock(java.lang.String)</function-signature>
        <example>forJavaScriptBlock(unsafeData)</example>
    </function>
    <function>
        <description>
            This method encodes for JavaScript strings contained within
            a JavaScript or JSON file. This method is NOT safe for
            use in ANY context embedded in HTML. The caller must
            provide the surrounding quotation characters. This method
            performs the same encode as Encode.forJavaScript(String) with
            the exception that / and &amp; are not escaped and " and ' are
            encoded as \" and \' respectively.
        </description>
        <display-name>forJavaScriptSource</display-name>
        <name>forJavaScriptSource</name>
        <function-class>org.owasp.encoder.Encode</function-class>
        <function-signature>java.lang.String forJavaScriptSource(java.lang.String)</function-signature>
        <example>
            &lt;%@page contentType="text/javascript; charset=UTF-8"%&gt;
            var data = '${forJavaScriptSource(unsafeData)}';
        </example>
    </function>
</taglib>