<?xml version="1.0" encoding="UTF-8" ?>
<taglib version="2.1" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-jsptaglibrary_2_1.xsd" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <display-name>OWASP Java Encoder Project</display-name>
  <tlib-version>1.0</tlib-version>
  <short-name>java-encoder</short-name>
  <uri>https://www.owasp.org/index.php/OWASP_Java_Encoder_Project</uri>
  <tag>
    <description>
      Encodes data for an XML CDATA section. On the chance that the input
      contains a terminating "]]&gt;", it will be replaced by
      &quot;]]&gt;]]&lt;![CDATA[&gt;&quot;.
      As with all XML contexts, characters that are invalid according to the
      XML specification will be replaced by a space character. The caller must
      provide the CDATA section boundaries.
    </description>
    <display-name>forCDATA</display-name>
    <name>forCDATA</name>
    <tag-class>org.owasp.encoder.tag.ForCDATATag</tag-class>
    <body-content>empty</body-content>
    <attribute>
      <description>The value to be written out</description>
      <name>value</name>
      <required>true</required>
      <rtexprvalue>true</rtexprvalue>
      <type>java.lang.String</type>
    </attribute>
  </tag>
  <tag>
    <description>
      This method encodes for HTML text content. It does not escape
      quotation characters and is thus unsafe for use with
      HTML attributes. Use either forHtml or forHtmlAttribute for those
      contexts.
    </description>
    <display-name>forHtmlContent</display-name>
    <name>forHtmlContent</name>
    <tag-class>org.owasp.encoder.tag.ForHtmlContentTag</tag-class>
    <body-content>empty</body-content>
    <attribute>
      <description>The value to be written out</description>
      <name>value</name>
      <required>true</required>
      <rtexprvalue>true</rtexprvalue>
      <type>java.lang.String</type>
    </attribute>
  </tag>
  <tag>
    <description>Encodes for XML and XHTML attribute content.</description>
    <display-name>forXmlAttribute</display-name>
    <name>forXmlAttribute</name>
    <tag-class>org.owasp.encoder.tag.ForXmlAttributeTag</tag-class>
    <body-content>empty</body-content>
    <attribute>
      <description>The value to be written out</description>
      <name>value</name>
      <required>true</required>
      <rtexprvalue>true</rtexprvalue>
      <type>java.lang.String</type>
    </attribute>
  </tag>
  <tag>
    <description>Encodes for XML and XHTML.</description>
    <display-name>forXml</display-name>
    <name>forXml</name>
    <tag-class>org.owasp.encoder.tag.ForXmlTag</tag-class>
    <body-content>empty</body-content>
    <attribute>
      <description>The value to be written out</description>
      <name>value</name>
      <required>true</required>
      <rtexprvalue>true</rtexprvalue>
      <type>java.lang.String</type>
    </attribute>
  </tag>
  <tag>
    <description>
      Encodes for a JavaScript string. It is safe for use in HTML
      script attributes (such as onclick), script
      blocks, JSON files, and JavaScript source. The caller MUST
      provide the surrounding quotation characters for the string.
      Since this performs additional encoding so it can work in all
      of the JavaScript contexts listed, it may be slightly less
      efficient than using one of the methods targeted to a specific
      JavaScript context: forJavaScriptAttribute,
      forJavaScriptBlock, or forJavaScriptSource.

      Unless you are interested in saving a few bytes of output or
      are writing a framework on top of this library, it is recommended
      that you use this method over the others.
    </description>
    <display-name>forJavaScript</display-name>
    <name>forJavaScript</name>
    <tag-class>org.owasp.encoder.tag.ForJavaScriptTag</tag-class>
    <body-content>empty</body-content>
    <attribute>
      <description>The value to be written out</description>
      <name>value</name>
      <required>true</required>
      <rtexprvalue>true</rtexprvalue>
      <type>java.lang.String</type>
    </attribute>
  </tag>
  <tag>
    <description>
      Encodes for unquoted HTML attribute values. forHtml(String) or
      forHtmlAttribute(String) should usually be preferred over this
      method, as quoted attributes are XHTML compliant.
    </description>
    <display-name>forHtmlUnquotedAttribute</display-name>
    <name>forHtmlUnquotedAttribute</name>
    <tag-class>org.owasp.encoder.tag.ForHtmlUnquotedAttributeTag</tag-class>
    <body-content>empty</body-content>
    <attribute>
      <description>The value to be written out</description>
      <name>value</name>
      <required>true</required>
      <rtexprvalue>true</rtexprvalue>
      <type>java.lang.String</type>
    </attribute>
  </tag>
  <tag>
    <description>
      Performs percent-encoding of a URL according to RFC 3986. The provided
      URL is assumed to be a valid URL. This method does not do any checking on
      the quality or safety of the URL itself. In many applications it may
      be better to use java.net.URI instead. Note: this is a
      particularly dangerous context to put untrusted content in, as for
      example a "javascript:" URL provided by a malicious user would be
      "properly" escaped, and still execute.
    </description>
    <display-name>forUri</display-name>
    <name>forUri</name>
    <tag-class>org.owasp.encoder.tag.ForUriTag</tag-class>
    <body-content>empty</body-content>
    <attribute>
      <description>The value to be written out</description>
      <name>value</name>
      <required>true</required>
      <rtexprvalue>true</rtexprvalue>
      <type>java.lang.String</type>
    </attribute>
  </tag>
  <tag>
    <description>
      Encodes for CSS URL contexts. The context must be surrounded by "url()". It
      is safe for use in both style blocks and attributes in HTML. Note: this does
      not do any checking on the quality or safety of the URL itself. The caller
      should ensure that the URL is safe for embedding (e.g. input validation) by
      other means.
    </description>
    <display-name>forCssUrl</display-name>
    <name>forCssUrl</name>
    <tag-class>org.owasp.encoder.tag.ForCssUrlTag</tag-class>
    <body-content>empty</body-content>
    <attribute>
      <description>The value to be written out</description>
      <name>value</name>
      <required>true</required>
      <rtexprvalue>true</rtexprvalue>
      <type>java.lang.String</type>
    </attribute>
  </tag>
  <tag>
    <description>Encodes for HTML text attributes.</description>
    <display-name>forHtmlAttribute</display-name>
    <name>forHtmlAttribute</name>
    <tag-class>org.owasp.encoder.tag.ForHtmlAttributeTag</tag-class>
    <body-content>empty</body-content>
    <attribute>
      <description>The value to be written out</description>
      <name>value</name>
      <required>true</required>
      <rtexprvalue>true</rtexprvalue>
      <type>java.lang.String</type>
    </attribute>
  </tag>
  <tag>
    <description>
      Encodes for (X)HTML text content and text attributes.
    </description>
    <display-name>forHtml</display-name>
    <name>forHtml</name>
    <tag-class>org.owasp.encoder.tag.ForHtmlTag</tag-class>
    <body-content>empty</body-content>
    <attribute>
      <description>The value to be written out</description>
      <name>value</name>
      <required>true</required>
      <rtexprvalue>true</rtexprvalue>
      <type>java.lang.String</type>
    </attribute>
  </tag>
  <tag>
    <description>
      Encodes for HTML text content. It does not escape
      quotation characters and is thus unsafe for use with
      HTML attributes. Use either forHtml or forHtmlAttribute for those
      contexts.
    </description>
    <display-name>forXmlContent</display-name>
    <name>forXmlContent</name>
    <tag-class>org.owasp.encoder.tag.ForXmlContentTag</tag-class>
    <body-content>empty</body-content>
    <attribute>
      <description>The value to be written out</description>
      <name>value</name>
      <required>true</required>
      <rtexprvalue>true</rtexprvalue>
      <type>java.lang.String</type>
    </attribute>
  </tag>
  <tag>
    <description>
      Performs percent-encoding for a component of a URI, such as a query
      parameter name or value, path or query-string. In particular this
      method ensures that special characters in the component do not get
      interpreted as part of another component.
    </description>
    <display-name>forUriComponent</display-name>
    <name>forUriComponent</name>
    <tag-class>org.owasp.encoder.tag.ForUriComponentTag</tag-class>
    <body-content>empty</body-content>
    <attribute>
      <description>The value to be written out</description>
      <name>value</name>
      <required>true</required>
      <rtexprvalue>true</rtexprvalue>
      <type>java.lang.String</type>
    </attribute>
  </tag>
  <tag>
    <description>
      Encodes for CSS strings. The context must be surrounded by quotation characters.
      It is safe for use in both style blocks and attributes in HTML.
    </description>
    <display-name>forCssString</display-name>
    <name>forCssString</name>
    <tag-class>org.owasp.encoder.tag.ForCssStringTag</tag-class>
    <body-content>empty</body-content>
    <attribute>
      <description>The value to be written out</description>
      <name>value</name>
      <required>true</required>
      <rtexprvalue>true</rtexprvalue>
      <type>java.lang.String</type>
    </attribute>
  </tag>
  <function>
    <description>
      Encodes for (X)HTML text content and text attributes.
    </description>
    <display-name>forHtml</display-name>
    <name>forHtml</name>
    <function-class>org.owasp.encoder.Encode</function-class>
    <function-signature>java.lang.String forHtml(java.lang.String)</function-signature>
    <example>forHtml(unsafeData)</example>
  </function>
  <function>
    <description>
      This method encodes for HTML text content. It does not escape
      quotation characters and is thus unsafe for use with
      HTML attributes. Use either forHtml or forHtmlAttribute for those
      contexts.
    </description>
    <display-name>forHtmlContent</display-name>
    <name>forHtmlContent</name>
    <function-class>org.owasp.encoder.Encode</function-class>
    <function-signature>java.lang.String forHtmlContent(java.lang.String)</function-signature>
    <example>forHtmlContent(unsafeData)</example>
  </function>
  <function>
    <description>Encodes for HTML text attributes.</description>
    <name>forHtmlAttribute</name>
    <function-class>org.owasp.encoder.Encode</function-class>
    <function-signature>java.lang.String forHtmlAttribute(java.lang.String)</function-signature>
    <example>forHtmlAttribute(unsafeData)</example>
  </function>
  <function>
    <description>
      Encodes for unquoted HTML attribute values. forHtml(String) or
      forHtmlAttribute(String) should usually be preferred over this
      method, as quoted attributes are XHTML compliant.
    </description>
    <display-name>forHtmlUnquotedAttribute</display-name>
    <name>forHtmlUnquotedAttribute</name>
    <function-class>org.owasp.encoder.Encode</function-class>
    <function-signature>java.lang.String forHtmlUnquotedAttribute(java.lang.String)</function-signature>
    <example>forHtmlUnquotedAttribute(unsafeData)</example>
  </function>
  <function>
    <description>
      Encodes for CSS strings. The context must be surrounded by quotation characters.
      It is safe for use in both style blocks and attributes in HTML.
    </description>
    <display-name>forCssString</display-name>
    <name>forCssString</name>
    <function-class>org.owasp.encoder.Encode</function-class>
    <function-signature>java.lang.String forCssString(java.lang.String)</function-signature>
    <example>forCssString(unsafeData)</example>
  </function>
  <function>
    <description>
      Encodes for CSS URL contexts. The context must be surrounded by "url()". It
      is safe for use in both style blocks and attributes in HTML. Note: this does
      not do any checking on the quality or safety of the URL itself. The caller
      should ensure that the URL is safe for embedding (e.g. input validation) by
      other means.
    </description>
    <display-name>forCssUrl</display-name>
    <name>forCssUrl</name>
    <function-class>org.owasp.encoder.Encode</function-class>
    <function-signature>java.lang.String forCssUrl(java.lang.String)</function-signature>
    <example>forCssUrl(unsafeData)</example>
  </function>
  <function>
    <description>
      Performs percent-encoding of a URL according to RFC 3986. The provided
      URL is assumed to be a valid URL. This method does not do any checking on
      the quality or safety of the URL itself. In many applications it may
      be better to use java.net.URI instead. Note: this is a
      particularly dangerous context to put untrusted content in, as for
      example a "javascript:" URL provided by a malicious user would be
      "properly" escaped, and still execute.
    </description>
    <display-name>forUri</display-name>
    <name>forUri</name>
    <function-class>org.owasp.encoder.Encode</function-class>
    <function-signature>java.lang.String forUri(java.lang.String)</function-signature>
    <example>forUri(unsafeData)</example>
  </function>
  <function>
    <description>
      Performs percent-encoding for a component of a URI, such as a query
      parameter name or value, path or query-string. In particular this
      method ensures that special characters in the component do not get
      interpreted as part of another component.
    </description>
    <display-name>forUriComponent</display-name>
    <name>forUriComponent</name>
    <function-class>org.owasp.encoder.Encode</function-class>
    <function-signature>java.lang.String forUriComponent(java.lang.String)</function-signature>
    <example>forUriComponent(unsafeData)</example>
  </function>
  <function>
    <description>Encodes for XML and XHTML.</description>
    <display-name>forXml</display-name>
    <name>forXml</name>
    <function-class>org.owasp.encoder.Encode</function-class>
    <function-signature>java.lang.String forXml(java.lang.String)</function-signature>
    <example>forXml(unsafeData)</example>
  </function>
  <function>
    <description>
      Encodes for HTML text content. It does not escape
      quotation characters and is thus unsafe for use with
      HTML attributes. Use either forHtml or forHtmlAttribute for those
      contexts.
    </description>
    <display-name>forXmlContent</display-name>
    <name>forXmlContent</name>
    <function-class>org.owasp.encoder.Encode</function-class>
    <function-signature>java.lang.String forXmlContent(java.lang.String)</function-signature>
    <example>forXmlContent(unsafeData)</example>
  </function>
  <function>
    <description>Encodes for XML and XHTML attribute content.</description>
    <display-name>forXmlAttribute</display-name>
    <name>forXmlAttribute</name>
    <function-class>org.owasp.encoder.Encode</function-class>
    <function-signature>java.lang.String forXmlAttribute(java.lang.String)</function-signature>
    <example>forXmlAttribute(unsafeData)</example>
  </function>
  <function>
    <description>
      Encodes data for an XML CDATA section. On the chance that the input
      contains a terminating "]]&gt;", it will be replaced by
      &quot;]]&gt;]]&lt;![CDATA[&gt;&quot;.
      As with all XML contexts, characters that are invalid according to the
      XML specification will be replaced by a space character. The caller must
      provide the CDATA section boundaries.
    </description>
    <display-name>forCDATA</display-name>
    <name>forCDATA</name>
    <function-class>org.owasp.encoder.Encode</function-class>
    <function-signature>java.lang.String forCDATA(java.lang.String)</function-signature>
    <example>forCDATA(unsafeData)</example>
  </function>
  <function>
    <description>
      Encodes for a JavaScript string. It is safe for use in HTML
      script attributes (such as onclick), script
      blocks, JSON files, and JavaScript source. The caller MUST
      provide the surrounding quotation characters for the string.
    </description>
    <display-name>forJavaScript</display-name>
    <name>forJavaScript</name>
    <function-class>org.owasp.encoder.Encode</function-class>
    <function-signature>java.lang.String forJavaScript(java.lang.String)</function-signature>
    <example>forJavaScript(unsafeData)</example>
  </function>
</taglib>