lan13217
- 浏览: 481480 次
- 性别:
-
文章分类
- 全部博客 (369)
- Java (48)
- Struts (1)
- Spring (4)
- Hibernate (7)
- WebServices (2)
- XML (3)
- web服务器 (12)
- PHP (16)
- FLEX (13)
- Flash (7)
- JavaScript (35)
- Ajax (4)
- Jquery (18)
- EXTJS (7)
- CSS (7)
- HTML (7)
- JSON (5)
- 好玩的 (1)
- 其他 (21)
- Oracle (35)
- mysql (12)
- Linux (12)
- JDBC (2)
- EJB3 (1)
- AOP (1)
- 正则表达式 (6)
- JSF (1)
- 设计模式 (1)
- RBAC (1)
- PowerDesigner (1)
- windows (1)
- 电脑工具软件 (3)
- SEO (3)
- maven (13)
- cms (9)
- JSP (5)
- jpbm (1)
- eclipse (8)
- sql (4)
- android (3)
- 浏览器 (5)
- 国外IT网站 (1)
- 文摘 (1)
- 文档 (31)
- doc命令 (1)
- webgl (1)
- html5 (1)
- ant (1)
- mongodb (0)
- 操作系统 (1)
- Dreamweaver (1)
- hadoop (2)
- xpath (1)
- nutch (1)
- window (1)
- xm (2)
- excel (1)
- httpclient (0)
- YII (2)
- CXF (1)
- Quartz (1)
- jsoup (2)
- wifi (2)
- logback (1)
- 硬件 (1)
- 工具 (3)
- freemark (1)
- ide (2)
- mail (1)
- log (1)
- ueditor (1)
- 链接 (1)
- reaver (2)
- js (1)
- .net (1)
- chrome (1)
- git (1)
- Docker (1)
- unicode (1)
- 多线程 (1)
- 并发 (1)
- Nashorn (3)
- Angular (1)
- curl (1)
- Cygwin (1)
- nashron (1)
- Babel (1)
- React Native (1)
- sip (1)
- openmeetings (1)
- IDEA (0)
- CAS (1)
最新评论
-
沉醉音乐的咖啡:
使用 preventDefault() 函数来阻止对表单的提交。 -
PhoenixHorse:
原表的索引啥的不就失效了吗
oracle修改表精度 -
yupengcc:
资料带走 3Q
RBAC模型 -
Java路:
...
JSON-LIB快速入门(转) -
damoqiongqiu:
utf-8下,E文字符占1个字节,中文字符占3个字节。如果一个 ...
AS3:截取定长度的字符串
for Json in notepad++ replace
http://www.javapractices.com/topic/TopicAction.do?Id=96
<tr><td> " </td><td> \" </td></tr> <tr><td> \ </td><td> \\ </td></tr> <tr><td> / </td><td> \/ </td></tr> <tr><td> back space </td><td> \b </td></tr> <tr><td> form feed </td><td> \f </td></tr> <tr><td> line feed </td><td> \n </td></tr> <tr><td> carriage return </td><td> \r </td></tr> <tr><td> tab </td><td> \t </td></tr>
find: ([\b\t\n\f\r\"\'\\]{1})
replace: \\\1
http://www.javapractices.com/topic/TopicAction.do?Id=96
import java.net.URLEncoder;
import java.io.UnsupportedEncodingException;
import java.text.CharacterIterator;
import java.text.StringCharacterIterator;
import java.util.regex.Pattern;
import java.util.regex.Matcher;
import hirondelle.web4j.security.SafeText;
import hirondelle.web4j.ui.translate.Text;
import hirondelle.web4j.ui.translate.Tooltips;
import hirondelle.web4j.ui.translate.TextFlow;
import hirondelle.web4j.ui.tag.Populate;
import hirondelle.web4j.database.Report;
/**
Convenience methods for escaping special characters related to HTML, XML,
and regular expressions.
<P>To keep you safe by default, WEB4J goes to some effort to escape
characters in your data when appropriate, such that you <em>usually</em>
don't need to think too much about escaping special characters. Thus, you
shouldn't need to <em>directly</em> use the services of this class very often.
<P><span class='highlight'>For Model Objects containing free form user input,
it is highly recommended that you use {@link SafeText}, not <tt>String</tt></span>.
Free form user input is open to malicious use, such as
<a href='http://www.owasp.org/index.php/Cross_Site_Scripting'>Cross Site Scripting</a>
attacks.
Using <tt>SafeText</tt> will protect you from such attacks, by always escaping
special characters automatically in its <tt>toString()</tt> method.
<P>The following WEB4J classes will automatically escape special characters
for you, when needed :
<ul>
<li>the {@link SafeText} class, used as a building block class for your
application's Model Objects, for modeling all free form user input
<li>the {@link Populate} tag used with forms
<li>the {@link Report} class used for creating quick reports
<li>the {@link Text}, {@link TextFlow}, and {@link Tooltips} custom tags used
for translation
</ul>
*/
public final class EscapeChars {
/**
Escape characters for text appearing in HTML markup.
<P>This method exists as a defence against Cross Site Scripting (XSS) hacks.
The idea is to neutralize control characters commonly used by scripts, such that
they will not be executed by the browser. This is done by replacing the control
characters with their escaped equivalents.
See {@link hirondelle.web4j.security.SafeText} as well.
<P>The following characters are replaced with corresponding
HTML character entities :
<table border='1' cellpadding='3' cellspacing='0'>
<tr><th> Character </th><th>Replacement</th></tr>
<tr><td> < </td><td> < </td></tr>
<tr><td> > </td><td> > </td></tr>
<tr><td> & </td><td> & </td></tr>
<tr><td> " </td><td> "</td></tr>
<tr><td> \t </td><td> 	</td></tr>
<tr><td> ! </td><td> !</td></tr>
<tr><td> # </td><td> #</td></tr>
<tr><td> $ </td><td> $</td></tr>
<tr><td> % </td><td> %</td></tr>
<tr><td> ' </td><td> '</td></tr>
<tr><td> ( </td><td> (</td></tr>
<tr><td> ) </td><td> )</td></tr>
<tr><td> * </td><td> *</td></tr>
<tr><td> + </td><td> + </td></tr>
<tr><td> , </td><td> , </td></tr>
<tr><td> - </td><td> - </td></tr>
<tr><td> . </td><td> . </td></tr>
<tr><td> / </td><td> / </td></tr>
<tr><td> : </td><td> :</td></tr>
<tr><td> ; </td><td> ;</td></tr>
<tr><td> = </td><td> =</td></tr>
<tr><td> ? </td><td> ?</td></tr>
<tr><td> @ </td><td> @</td></tr>
<tr><td> [ </td><td> [</td></tr>
<tr><td> \ </td><td> \</td></tr>
<tr><td> ] </td><td> ]</td></tr>
<tr><td> ^ </td><td> ^</td></tr>
<tr><td> _ </td><td> _</td></tr>
<tr><td> ` </td><td> `</td></tr>
<tr><td> { </td><td> {</td></tr>
<tr><td> | </td><td> |</td></tr>
<tr><td> } </td><td> }</td></tr>
<tr><td> ~ </td><td> ~</td></tr>
</table>
<P>Note that JSTL's {@code <c:out>} escapes <em>only the first
five</em> of the above characters.
*/
public static String forHTML(String aText){
final StringBuilder result = new StringBuilder();
final StringCharacterIterator iterator = new StringCharacterIterator(aText);
char character = iterator.current();
while (character != CharacterIterator.DONE ){
if (character == '<') {
result.append("<");
}
else if (character == '>') {
result.append(">");
}
else if (character == '&') {
result.append("&");
}
else if (character == '\"') {
result.append(""");
}
else if (character == '\t') {
addCharEntity(9, result);
}
else if (character == '!') {
addCharEntity(33, result);
}
else if (character == '#') {
addCharEntity(35, result);
}
else if (character == '$') {
addCharEntity(36, result);
}
else if (character == '%') {
addCharEntity(37, result);
}
else if (character == '\'') {
addCharEntity(39, result);
}
else if (character == '(') {
addCharEntity(40, result);
}
else if (character == ')') {
addCharEntity(41, result);
}
else if (character == '*') {
addCharEntity(42, result);
}
else if (character == '+') {
addCharEntity(43, result);
}
else if (character == ',') {
addCharEntity(44, result);
}
else if (character == '-') {
addCharEntity(45, result);
}
else if (character == '.') {
addCharEntity(46, result);
}
else if (character == '/') {
addCharEntity(47, result);
}
else if (character == ':') {
addCharEntity(58, result);
}
else if (character == ';') {
addCharEntity(59, result);
}
else if (character == '=') {
addCharEntity(61, result);
}
else if (character == '?') {
addCharEntity(63, result);
}
else if (character == '@') {
addCharEntity(64, result);
}
else if (character == '[') {
addCharEntity(91, result);
}
else if (character == '\\') {
addCharEntity(92, result);
}
else if (character == ']') {
addCharEntity(93, result);
}
else if (character == '^') {
addCharEntity(94, result);
}
else if (character == '_') {
addCharEntity(95, result);
}
else if (character == '`') {
addCharEntity(96, result);
}
else if (character == '{') {
addCharEntity(123, result);
}
else if (character == '|') {
addCharEntity(124, result);
}
else if (character == '}') {
addCharEntity(125, result);
}
else if (character == '~') {
addCharEntity(126, result);
}
else {
//the char is not a special one
//add it to the result as is
result.append(character);
}
character = iterator.next();
}
return result.toString();
}
/**
Escape all ampersand characters in a URL.
<P>Replaces all <tt>'&'</tt> characters with <tt>'&'</tt>.
<P>An ampersand character may appear in the query string of a URL.
The ampersand character is indeed valid in a URL.
<em>However, URLs usually appear as an <tt>HREF</tt> attribute, and
such attributes have the additional constraint that ampersands
must be escaped.</em>
<P>The JSTL <c:url> tag does indeed perform proper URL encoding of
query parameters. But it does not, in general, produce text which
is valid as an <tt>HREF</tt> attribute, simply because it does
not escape the ampersand character. This is a nuisance when
multiple query parameters appear in the URL, since it requires a little
extra work.
*/
public static String forHrefAmpersand(String aURL){
return aURL.replace("&", "&");
}
/**
Synonym for <tt>URLEncoder.encode(String, "UTF-8")</tt>.
<P>Used to ensure that HTTP query strings are in proper form, by escaping
special characters such as spaces.
<P>It is important to note that if a query string appears in an <tt>HREF</tt>
attribute, then there are two issues - ensuring the query string is valid HTTP
(it is URL-encoded), and ensuring it is valid HTML (ensuring the
ampersand is escaped).
*/
public static String forURL(String aURLFragment){
String result = null;
try {
result = URLEncoder.encode(aURLFragment, "UTF-8");
}
catch (UnsupportedEncodingException ex){
throw new RuntimeException("UTF-8 not supported", ex);
}
return result;
}
/**
Escape characters for text appearing as XML data, between tags.
<P>The following characters are replaced with corresponding character entities :
<table border='1' cellpadding='3' cellspacing='0'>
<tr><th> Character </th><th> Encoding </th></tr>
<tr><td> < </td><td> < </td></tr>
<tr><td> > </td><td> > </td></tr>
<tr><td> & </td><td> & </td></tr>
<tr><td> " </td><td> "</td></tr>
<tr><td> ' </td><td> '</td></tr>
</table>
<P>Note that JSTL's {@code <c:out>} escapes the exact same set of
characters as this method. <span class='highlight'>That is, {@code <c:out>}
is good for escaping to produce valid XML, but not for producing safe
HTML.</span>
*/
public static String forXML(String aText){
final StringBuilder result = new StringBuilder();
final StringCharacterIterator iterator = new StringCharacterIterator(aText);
char character = iterator.current();
while (character != CharacterIterator.DONE ){
if (character == '<') {
result.append("<");
}
else if (character == '>') {
result.append(">");
}
else if (character == '\"') {
result.append(""");
}
else if (character == '\'') {
result.append("'");
}
else if (character == '&') {
result.append("&");
}
else {
//the char is not a special one
//add it to the result as is
result.append(character);
}
character = iterator.next();
}
return result.toString();
}
/**
Escapes characters for text appearing as data in the
<a href='http://www.json.org/'>Javascript Object Notation</a>
(JSON) data interchange format.
<P>The following commonly used control characters are escaped :
<table border='1' cellpadding='3' cellspacing='0'>
<tr><th> Character </th><th> Escaped As </th></tr>
<tr><td> " </td><td> \" </td></tr>
<tr><td> \ </td><td> \\ </td></tr>
<tr><td> / </td><td> \/ </td></tr>
<tr><td> back space </td><td> \b </td></tr>
<tr><td> form feed </td><td> \f </td></tr>
<tr><td> line feed </td><td> \n </td></tr>
<tr><td> carriage return </td><td> \r </td></tr>
<tr><td> tab </td><td> \t </td></tr>
</table>
<P>See <a href='http://www.ietf.org/rfc/rfc4627.txt'>RFC 4627</a> for more information.
*/
public static String forJSON(String aText){
final StringBuilder result = new StringBuilder();
StringCharacterIterator iterator = new StringCharacterIterator(aText);
char character = iterator.current();
while (character != StringCharacterIterator.DONE){
if( character == '\"' ){
result.append("\\\"");
}
else if(character == '\\'){
result.append("\\\\");
}
else if(character == '/'){
result.append("\\/");
}
else if(character == '\b'){
result.append("\\b");
}
else if(character == '\f'){
result.append("\\f");
}
else if(character == '\n'){
result.append("\\n");
}
else if(character == '\r'){
result.append("\\r");
}
else if(character == '\t'){
result.append("\\t");
}
else {
//the char is not a special one
//add it to the result as is
result.append(character);
}
character = iterator.next();
}
return result.toString();
}
/**
Return <tt>aText</tt> with all <tt>'<'</tt> and <tt>'>'</tt> characters
replaced by their escaped equivalents.
*/
public static String toDisableTags(String aText){
final StringBuilder result = new StringBuilder();
final StringCharacterIterator iterator = new StringCharacterIterator(aText);
char character = iterator.current();
while (character != CharacterIterator.DONE ){
if (character == '<') {
result.append("<");
}
else if (character == '>') {
result.append(">");
}
else {
//the char is not a special one
//add it to the result as is
result.append(character);
}
character = iterator.next();
}
return result.toString();
}
/**
Replace characters having special meaning in regular expressions
with their escaped equivalents, preceded by a '\' character.
<P>The escaped characters include :
<ul>
<li>.
<li>\
<li>?, * , and +
<li>&
<li>:
<li>{ and }
<li>[ and ]
<li>( and )
<li>^ and $
</ul>
*/
public static String forRegex(String aRegexFragment){
final StringBuilder result = new StringBuilder();
final StringCharacterIterator iterator =
new StringCharacterIterator(aRegexFragment)
;
char character = iterator.current();
while (character != CharacterIterator.DONE ){
/*
All literals need to have backslashes doubled.
*/
if (character == '.') {
result.append("\\.");
}
else if (character == '\\') {
result.append("\\\\");
}
else if (character == '?') {
result.append("\\?");
}
else if (character == '*') {
result.append("\\*");
}
else if (character == '+') {
result.append("\\+");
}
else if (character == '&') {
result.append("\\&");
}
else if (character == ':') {
result.append("\\:");
}
else if (character == '{') {
result.append("\\{");
}
else if (character == '}') {
result.append("\\}");
}
else if (character == '[') {
result.append("\\[");
}
else if (character == ']') {
result.append("\\]");
}
else if (character == '(') {
result.append("\\(");
}
else if (character == ')') {
result.append("\\)");
}
else if (character == '^') {
result.append("\\^");
}
else if (character == '$') {
result.append("\\$");
}
else {
//the char is not a special one
//add it to the result as is
result.append(character);
}
character = iterator.next();
}
return result.toString();
}
/**
Escape <tt>'$'</tt> and <tt>'\'</tt> characters in replacement strings.
<P>Synonym for <tt>Matcher.quoteReplacement(String)</tt>.
<P>The following methods use replacement strings which treat
<tt>'$'</tt> and <tt>'\'</tt> as special characters:
<ul>
<li><tt>String.replaceAll(String, String)</tt>
<li><tt>String.replaceFirst(String, String)</tt>
<li><tt>Matcher.appendReplacement(StringBuffer, String)</tt>
</ul>
<P>If replacement text can contain arbitrary characters, then you
will usually need to escape that text, to ensure special characters
are interpreted literally.
*/
public static String forReplacementString(String aInput){
return Matcher.quoteReplacement(aInput);
}
/**
Disable all <tt><SCRIPT></tt> tags in <tt>aText</tt>.
<P>Insensitive to case.
*/
public static String forScriptTagsOnly(String aText){
String result = null;
Matcher matcher = SCRIPT.matcher(aText);
result = matcher.replaceAll("<SCRIPT>");
matcher = SCRIPT_END.matcher(result);
result = matcher.replaceAll("</SCRIPT>");
return result;
}
// PRIVATE //
private EscapeChars(){
//empty - prevent construction
}
private static final Pattern SCRIPT = Pattern.compile(
"<SCRIPT>", Pattern.CASE_INSENSITIVE
);
private static final Pattern SCRIPT_END = Pattern.compile(
"</SCRIPT>", Pattern.CASE_INSENSITIVE
);
private static void addCharEntity(Integer aIdx, StringBuilder aBuilder){
String padding = "";
if( aIdx <= 9 ){
padding = "00";
}
else if( aIdx <= 99 ){
padding = "0";
}
else {
//no prefix
}
String number = padding + aIdx.toString();
aBuilder.append("&#" + number + ";");
}
}
分享到:
发表评论
-
javaweb 读取 classes 下的文件
2016-05-20 11:26 802http://www.cnblogs.com/hxling/a ... -
itext pdf
2015-08-19 23:17 566itext pdf 简单版 <script src= ... -
正则解析分红
2015-05-23 15:51 636// 表达式对象 Pattern p = Patte ... -
maven中指定main方法并且导入关联jar包,拷贝依赖包
2015-03-05 10:21 659<build> <plugins& ... -
nashorn shell
2015-02-05 18:21 641java8 doc http://docs.oracle.co ... -
java jvm 多线程 并发相关
2015-01-28 09:36 538Doug Lea并发编程文章全部译文 http://ifeve ... -
char <-->unicode
2015-01-06 15:20 607http://daoshud1.iteye.com/blog/ ... -
java gc
2014-12-10 14:10 0Java垃圾回收精粹 — Part1Java垃圾回收精粹 ... -
分页test
2014-12-01 09:20 549/** * * @author lan * ... -
java 正则模板
2014-10-08 10:44 484import java.util.HashMap; im ... -
java mail 带图片附件
2014-09-24 11:54 434package t; import java.uti ... -
“||”.split(“\\|”).length return 0 and 3
2014-08-26 10:00 577“||”.split(“\\|”) [] “| ... -
JRebel config
2014-08-03 17:43 2266http://zeroturnaround.com/sof ... -
java反编译
2014-07-25 18:01 593http://jd.benow.ca/ -
mvn tomcat7:run config
2014-07-24 16:37 766<project xmlns="http: ... -
Eclipse 编写应用程序设置代理
2014-07-17 10:18 829java -Dhttp.proxyHost=proxyho ... -
happens-before
2014-06-03 12:16 699内存一致性属性 Java Language Speci ... -
java.util.concurrent 的结构
2014-06-03 00:14 566... -
深入理解Java:注解(Annotation)自定义注解入门
2014-04-21 14:27 694要深入学习注解,我们就必须能定义自己的注解,并使用注解,在 ... -
test
2014-03-16 13:35 0http://hi.baidu.com/tag/data/fe ...
相关推荐
Fix an extra space in the check for exctags.... Escape special characters like backslash in the tag name when saving a session file. Add an internal function to get and detect file types.
Functionality to escape special LaTeX characters Bold, italic and verbatim functions Every class has a dump method, which writes the output to a filepointer this way you can use snippets in in ...
// Escapes HTML special characters in attribute values as HTML entitiesvar yourParser = sanitizer.makeSaxParser(yourHandler); // Given a SAX-like event handler, produce a function that feeds those ...
DataView RowFilter Syntax [C#] This example describes syntax of DataView.RowFil ter expression.... Column names If a column name contains any of these special characters ~ ( ) # / / = > < + – * %
About_special_characters.help.txt About_switch.help.txt About_system_state.help.txt About_types.help.txt About_commonparameters.help.txt About_where.help.txt About_while.help.txt About_wildcard.help....
A.1 Special Characters in Regular Expressions A.2 Searching for Special Characters A.3 Using the Period A.4 Using Brackets A.4.1 Using the Dash within Brackets A.4.2 Using the Caret within Brackets A....
集合了 所有的 Unix命令大全 ...telnet 192.168.0.23 自己帐号 sd08077-you0 ftp工具 192.168.0.202 tools-toolss ... 各个 shell 可互相切换 ksh:$ sh:$ csh:guangzhou% bash:bash-3.00$ ... 命令和参数之间必需用空格隔...
=== Simple Tags === Contributors: momo360modena ...Tags: tag, posts, tags, admin, administration, tagging, navigation, terms, taxonomy Requires at least: 3.0 Tested up to: 3.3 Stable tag: 2.2 ...
* \e The escape character ('\u001B') \e esc符号 ('\u001B') * \cx The control character corresponding to x \cx x 对应的控制符 * * Character classes 字符类 * ...
Contents Contents iii List of Tables xi List of Figures xv 1 General 1 1.1 Scope . . . . ....1.2 Normative references ....1.3 Terms and definitions ....1.4 Implementation compliance ....1.5 Structure of this ...
Contents Contents ii List of Tables x List of Figures xiv 1 Scope 1 2 Normative references 2 3 Terms and definitions 3 4 General principles 7 4.1 Implementation compliance . ....4.2 Structure of this ...
1.1 What's Special About UNIX?............................................................................................................2 ...............................................................
CHAPTER 1 About Python ............................................................................................1 What Is Python? ......................................................................