1<?xml version="1.0" encoding="UTF-8" ?>
2<taglib version="2.1" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-jsptaglibrary_2_1.xsd" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
3    <display-name>OWASP Java Encoder Project</display-name>
4    <tlib-version>1.0</tlib-version>
5    <short-name>java-encoder</short-name>
6    <uri>https://www.owasp.org/index.php/OWASP_Java_Encoder_Project</uri>
7    <tag>
        <description>
            Encodes data for an XML CDATA section.  On the chance that the input
            contains a terminating &quot;]]&gt;&quot;, it will be replaced by
            &quot;]]&gt;]]&lt;![CDATA[&gt;&quot;.
            As with all XML contexts, characters that are invalid according to the
            XML specification will be replaced by a space character.  The caller must
            provide the CDATA section boundaries.
        </description>
17        <display-name>forCDATA</display-name>
18        <name>forCDATA</name>
19        <tag-class>org.owasp.encoder.tag.ForCDATATag</tag-class>
20        <body-content>empty</body-content>
21        <attribute>
22            <description>The value to be written out</description>
23            <name>value</name>
24            <required>true</required>
25            <rtexprvalue>true</rtexprvalue>
26            <type>java.lang.String</type>
27        </attribute>
28    </tag>
29    <tag>
        <description>
            Encodes for HTML text content.  It does not escape
            quotation characters and is thus unsafe for use with
            HTML attributes.  Use either forHtml or forHtmlAttribute for those
            contexts.
        </description>
36        <display-name>forHtmlContent</display-name>
37        <name>forHtmlContent</name>
38        <tag-class>org.owasp.encoder.tag.ForHtmlContentTag</tag-class>
39        <body-content>empty</body-content>
40        <attribute>
41            <description>value to be written out</description>
42            <name>value</name>
43            <required>true</required>
44            <rtexprvalue>true</rtexprvalue>
45            <type>java.lang.String</type>
46        </attribute>
47    </tag>
48    <tag>
49        <description>Encodes for XML and XHTML attribute content.</description>
50        <display-name>forXmlAttribute</display-name>
51        <name>forXmlAttribute</name>
52        <tag-class>org.owasp.encoder.tag.ForXmlAttributeTag</tag-class>
53        <body-content>empty</body-content>
54        <attribute>
55            <description>value to be written out</description>
56            <name>value</name>
57            <required>true</required>
58            <rtexprvalue>true</rtexprvalue>
59            <type>java.lang.String</type>
60        </attribute>
61    </tag>
62    <tag>
63        <description>Encodes for XML and XHTML.</description>
64        <display-name>forXml</display-name>
65        <name>forXml</name>
66        <tag-class>org.owasp.encoder.tag.ForXmlTag</tag-class>
67        <body-content>empty</body-content>
68        <attribute>
69            <description>value to be written out</description>
70            <name>value</name>
71            <required>true</required>
72            <rtexprvalue>true</rtexprvalue>
73            <type>java.lang.String</type>
74        </attribute>
75    </tag>
76    <tag>
        <description>
            Encodes for a JavaScript string.  It is safe for use in HTML
            script attributes (such as onclick), script
            blocks, JSON files, and JavaScript source.  The caller MUST
            provide the surrounding quotation characters for the string.
            Since this performs additional encoding so it can work in all
            of the JavaScript contexts listed, it may be slightly less
            efficient than using one of the methods targeted to a specific
            JavaScript context: forJavaScriptAttribute,
            forJavaScriptBlock, or forJavaScriptSource.

            Unless you are interested in saving a few bytes of output or
            are writing a framework on top of this library, it is recommended
            that you use this tag over the others.
        </description>
92        <display-name>forJavaScript</display-name>
93        <name>forJavaScript</name>
94        <tag-class>org.owasp.encoder.tag.ForJavaScriptTag</tag-class>
95        <body-content>empty</body-content>
96        <attribute>
97            <description>value to be written out</description>
98            <name>value</name>
99            <required>true</required>
100            <rtexprvalue>true</rtexprvalue>
101            <type>java.lang.String</type>
102        </attribute>
103    </tag>
104    <tag>
        <description>
            Encodes for unquoted HTML attribute values.  forHtml or
            forHtmlAttribute should usually be preferred over this
            tag, as quoted attributes are XHTML-compliant.
        </description>
110        <display-name>forHtmlUnquotedAttribute</display-name>
111        <name>forHtmlUnquotedAttribute</name>
112        <tag-class>org.owasp.encoder.tag.ForHtmlUnquotedAttributeTag</tag-class>
113        <body-content>empty</body-content>
114        <attribute>
115            <description>value to be written out</description>
116            <name>value</name>
117            <required>true</required>
118            <rtexprvalue>true</rtexprvalue>
119            <type>java.lang.String</type>
120        </attribute>
121    </tag>
122    <tag>
        <description>
            Performs percent-encoding of a URL according to RFC 3986.  The provided
            URL is assumed to be a valid URL.  This tag does not do any checking on
            the quality or safety of the URL itself.  In many applications it may
            be better to use java.net.URI instead.  Note: this is a
            particularly dangerous context to put untrusted content in, as for
            example a "javascript:" URL provided by a malicious user would be
            "properly" escaped, and still execute.
        </description>
132        <display-name>forUri</display-name>
133        <name>forUri</name>
134        <tag-class>org.owasp.encoder.tag.ForUriTag</tag-class>
135        <body-content>empty</body-content>
136        <attribute>
137            <description>value to be written out</description>
138            <name>value</name>
139            <required>true</required>
140            <rtexprvalue>true</rtexprvalue>
141            <type>java.lang.String</type>
142        </attribute>
143    </tag>
144    <tag>
        <description>
            Encodes for CSS URL contexts.  The context must be surrounded by "url()".  It
            is safe for use in both style blocks and attributes in HTML.  Note: this does
            not do any checking on the quality or safety of the URL itself.  The caller
            should ensure that the URL is safe for embedding (e.g. by input validation)
            through other means.
        </description>
152        <display-name>forCssUrl</display-name>
153        <name>forCssUrl</name>
154        <tag-class>org.owasp.encoder.tag.ForCssUrlTag</tag-class>
155        <body-content>empty</body-content>
156        <attribute>
157            <description>value to be written out</description>
158            <name>value</name>
159            <required>true</required>
160            <rtexprvalue>true</rtexprvalue>
161            <type>java.lang.String</type>
162        </attribute>
163    </tag>
164    <tag>
165        <description>Encodes for HTML text attributes.</description>
166        <display-name>forHtmlAttribute</display-name>
167        <name>forHtmlAttribute</name>
168        <tag-class>org.owasp.encoder.tag.ForHtmlAttributeTag</tag-class>
169        <body-content>empty</body-content>
170        <attribute>
171            <description>value to be written out</description>
172            <name>value</name>
173            <required>true</required>
174            <rtexprvalue>true</rtexprvalue>
175            <type>java.lang.String</type>
176        </attribute>
177    </tag>
178    <tag>
179        <description>
180			Encodes for (X)HTML text content and text attributes.
181        </description>
182        <display-name>forHtml</display-name>
183        <name>forHtml</name>
184        <tag-class>org.owasp.encoder.tag.ForHtmlTag</tag-class>
185        <body-content>empty</body-content>
186        <attribute>
187            <description>value to be written out</description>
188            <name>value</name>
189            <required>true</required>
190            <rtexprvalue>true</rtexprvalue>
191            <type>java.lang.String</type>
192        </attribute>
193    </tag>
194    <tag>
195        <description>
196			Encodes for HTML text content.  It does not escape
197			quotation characters and is thus unsafe for use with
198			HTML attributes.  Use either forHtml or forHtmlAttribute for those
199			methods.
200        </description>
201        <display-name>forXmlContent</display-name>
202        <name>forXmlContent</name>
203        <tag-class>org.owasp.encoder.tag.ForXmlContentTag</tag-class>
204        <body-content>empty</body-content>
205        <attribute>
206            <description>value to be written out</description>
207            <name>value</name>
208            <required>true</required>
209            <rtexprvalue>true</rtexprvalue>
210            <type>java.lang.String</type>
211        </attribute>
212    </tag>
213    <tag>
        <description>
            Performs percent-encoding for a component of a URI, such as a query
            parameter name or value, path, or query string.  In particular this
            tag ensures that special characters in the component do not get
            interpreted as part of another component.
        </description>
220        <display-name>forUriComponent</display-name>
221        <name>forUriComponent</name>
222        <tag-class>org.owasp.encoder.tag.ForUriComponentTag</tag-class>
223        <body-content>empty</body-content>
224        <attribute>
225            <description>value to be written out</description>
226            <name>value</name>
227            <required>true</required>
228            <rtexprvalue>true</rtexprvalue>
229            <type>java.lang.String</type>
230        </attribute>
231    </tag>
232    <tag>
233        <description>
234			Encodes for CSS strings. The context must be surrounded by quotation characters.
235			It is safe for use in both style blocks and attributes in HTML.
236        </description>
237        <display-name>forCssString</display-name>
238        <name>forCssString</name>
239        <tag-class>org.owasp.encoder.tag.ForCssStringTag</tag-class>
240        <body-content>empty</body-content>
241        <attribute>
242            <description>value to be written out</description>
243            <name>value</name>
244            <required>true</required>
245            <rtexprvalue>true</rtexprvalue>
246            <type>java.lang.String</type>
247        </attribute>
248    </tag>
249    <function>
250        <description>
251			Encodes for (X)HTML text content and text attributes.
252        </description>
253        <display-name>forHtml</display-name>
254        <name>forHtml</name>
255        <function-class>org.owasp.encoder.Encode</function-class>
256        <function-signature>java.lang.String forHtml(java.lang.String)</function-signature>
257        <example>forHtml(unsafeData)</example>
258    </function>
259    <function>
        <description>
            Encodes for HTML text content.  It does not escape
            quotation characters and is thus unsafe for use with
            HTML attributes.  Use either forHtml or forHtmlAttribute for those
            contexts.
        </description>
266        <display-name>forHtmlContent</display-name>
267        <name>forHtmlContent</name>
268        <function-class>org.owasp.encoder.Encode</function-class>
269        <function-signature>java.lang.String forHtmlContent(java.lang.String)</function-signature>
270        <example>forHtmlContent(unsafeData)</example>
271    </function>
272    <function>
273        <description>Encodes for HTML text attributes.</description>
274        <name>forHtmlAttribute</name>
275        <function-class>org.owasp.encoder.Encode</function-class>
276        <function-signature>java.lang.String forHtmlAttribute(java.lang.String)</function-signature>
277        <example>forHtmlAttribute(unsafeData)</example>
278    </function>
279    <function>
280        <description>
281			Encodes for unquoted HTML attribute values. forHtml(String) or
282			forHtmlAttribute(String) should usually be preferred over this
283			method as quoted attributes are XHTML compliant.
284        </description>
285        <display-name>forHtmlUnquotedAttribute</display-name>
286        <name>forHtmlUnquotedAttribute</name>
287        <function-class>org.owasp.encoder.Encode</function-class>
288        <function-signature>java.lang.String forHtmlUnquotedAttribute(java.lang.String)</function-signature>
289        <example>forHtmlUnquotedAttribute(unsafeData)</example>
290    </function>
291    <function>
292        <description>
293			Encodes for CSS strings. The context must be surrounded by quotation characters.
294			It is safe for use in both style blocks and attributes in HTML.
295        </description>
296        <display-name>forCssString</display-name>
297        <name>forCssString</name>
298        <function-class>org.owasp.encoder.Encode</function-class>
299        <function-signature>java.lang.String forCssString(java.lang.String)</function-signature>
300        <example>forCssString(unsafeData)</example>
301    </function>
302    <function>
        <description>
            Encodes for CSS URL contexts.  The context must be surrounded by "url()".  It
            is safe for use in both style blocks and attributes in HTML.  Note: this does
            not do any checking on the quality or safety of the URL itself.  The caller
            should ensure that the URL is safe for embedding (e.g. by input validation)
            through other means.
        </description>
310        <display-name>forCssUrl</display-name>
311        <name>forCssUrl</name>
312        <function-class>org.owasp.encoder.Encode</function-class>
313        <function-signature>java.lang.String forCssUrl(java.lang.String)</function-signature>
314        <example>forCssUrl(unsafeData)</example>
315    </function>
316    <function>
        <description>
            Performs percent-encoding of a URL according to RFC 3986.  The provided
            URL is assumed to be a valid URL.  This method does not do any checking on
            the quality or safety of the URL itself.  In many applications it may
            be better to use java.net.URI instead.  Note: this is a
            particularly dangerous context to put untrusted content in, as for
            example a "javascript:" URL provided by a malicious user would be
            "properly" escaped, and still execute.
        </description>
326        <display-name>forUri</display-name>
327        <name>forUri</name>
328        <function-class>org.owasp.encoder.Encode</function-class>
329        <function-signature>java.lang.String forUri(java.lang.String)</function-signature>
330        <example>forUri(unsafeData)</example>
331    </function>
332    <function>
        <description>
            Performs percent-encoding for a component of a URI, such as a query
            parameter name or value, path, or query string.  In particular this
            method ensures that special characters in the component do not get
            interpreted as part of another component.
        </description>
339        <display-name>forUriComponent</display-name>
340        <name>forUriComponent</name>
341        <function-class>org.owasp.encoder.Encode</function-class>
342        <function-signature>java.lang.String forUriComponent(java.lang.String)</function-signature>
343        <example>forUriComponent(unsafeData)</example>
344    </function>
345    <function>
346        <description>Encodes for XML and XHTML.</description>
347        <display-name>forXml</display-name>
348        <name>forXml</name>
349        <function-class>org.owasp.encoder.Encode</function-class>
350        <function-signature>java.lang.String forXml(java.lang.String)</function-signature>
351        <example>forXml(unsafeData)</example>
352    </function>
353    <function>
354        <description>
355			Encodes for HTML text content.  It does not escape
356			quotation characters and is thus unsafe for use with
357			HTML attributes.  Use either forHtml or forHtmlAttribute for those
358			methods.
359        </description>
360        <display-name>forXmlContent</display-name>
361        <name>forXmlContent</name>
362        <function-class>org.owasp.encoder.Encode</function-class>
363        <function-signature>java.lang.String forXmlContent(java.lang.String)</function-signature>
364        <example>forXmlContent(unsafeData)</example>
365    </function>
366    <function>
367        <description>Encodes for XML and XHTML attribute content.</description>
368        <display-name>forXmlAttribute</display-name>
369        <name>forXmlAttribute</name>
370        <function-class>org.owasp.encoder.Encode</function-class>
371        <function-signature>java.lang.String forXmlAttribute(java.lang.String)</function-signature>
372        <example>forXmlAttribute(unsafeData)</example>
373    </function>
374    <function>
        <description>
            Encodes data for an XML CDATA section.  On the chance that the input
            contains a terminating &quot;]]&gt;&quot;, it will be replaced by
            &quot;]]&gt;]]&lt;![CDATA[&gt;&quot;.
            As with all XML contexts, characters that are invalid according to the
            XML specification will be replaced by a space character.  The caller must
            provide the CDATA section boundaries.
        </description>
384        <display-name>forCDATA</display-name>
385        <name>forCDATA</name>
386        <function-class>org.owasp.encoder.Encode</function-class>
387        <function-signature>java.lang.String forCDATA(java.lang.String)</function-signature>
388        <example>forCDATA(unsafeData)</example>
389    </function>
390    <function>
391        <description>
392			Encodes for a JavaScript string.  It is safe for use in HTML
393			script attributes (such as onclick), script
394			blocks, JSON files, and JavaScript source.  The caller MUST
395			provide the surrounding quotation characters for the string.
396        </description>
397        <display-name>forJavaScript</display-name>
398        <name>forJavaScript</name>
399        <function-class>org.owasp.encoder.Encode</function-class>
400        <function-signature>java.lang.String forJavaScript(java.lang.String)</function-signature>
401        <example>forJavaScript(unsafeData)</example>
402    </function>
403</taglib>