Index: util-util/util/src/java/org/sakaiproject/util/FormattedText.java
===================================================================
--- util-util/util/src/java/org/sakaiproject/util/FormattedText.java (revision 54755)
+++ util-util/util/src/java/org/sakaiproject/util/FormattedText.java (working copy)
@@ -229,6 +229,28 @@
public static String processFormattedText(final String strFromBrowser, StringBuilder errorMessages, boolean checkForEvilTags,
boolean replaceWhitespaceTags)
{
+ boolean createTargetAttributes = true;
+ return processFormattedText(strFromBrowser, errorMessages, checkForEvilTags, replaceWhitespaceTags, createTargetAttributes);
+ }
+ /**
+ * Processes and validates HTML formatted text received from the web browser (from the WYSIWYG editor). Validates that the user input follows the Sakai formatted text specification; can disallow dangerous stuff such as <SCRIPT> JavaScript tags.
+ * Encodes the text according to the formatted text specification, for the rest of the system to use.
+ *
+ * @param strFromBrowser
+ * The formatted text as sent from the web browser (from the WYSIWYG editor)
+ * @param errorMessages
+ * User-readable error messages will be returned here.
+ * @param checkForEvilTags
+ * If true, check for tags and attributes that shouldn't be in formatted text
+ * @param replaceWhitespaceTags
+ * If true, clean up line breaks to be like "<br />".
+ * @param processAnchors
+ * If true, create a target="_blank" attribute on all anchor tags and remove all other attributes of the tag except href.
+ * @return The validated processed HTML formatted text, ready for use by the system.
+ */
+ public static String processFormattedText(final String strFromBrowser, StringBuilder errorMessages, boolean checkForEvilTags,
+ boolean replaceWhitespaceTags, boolean processAnchors)
+ {
String val = strFromBrowser;
if (val == null || val.length() == 0) return val;
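Review bot: The delegating overload keeps its default in a local named `createTargetAttributes` (L9) while the parameter it feeds is `processAnchors` (L29), and the two Javadocs describe the same flag differently (L25: add target="_blank" and strip everything but href; L54: strip everything but href and target="_blank"); one name and one description, e.g. `boolean processAnchors = true;` as L44 already does, would read more clearly. The Javadoc for the new overload should also state what happens when `processAnchors` is false — whether anchor attributes then reach the generic tag check untouched — since that is the security-relevant consequence of the new parameter and a caller cannot tell it from the signature. The body of the new overload continues outside the hunk.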
@@ -245,7 +267,7 @@
if (checkForEvilTags)
{
- val = processHtml(strFromBrowser, errorMessages);
+ val = processHtml(strFromBrowser, errorMessages, processAnchors);
}
// deal with hardcoded empty space character from Firefox 1.5
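Review bot: The call at L37 still hands `strFromBrowser` to `processHtml` rather than `val`; if any of the lines between L32 and L34 (outside the hunk) rewrite `val`, for instance whatever `replaceWhitespaceTags` does to line breaks, that work is discarded whenever `checkForEvilTags` is set. Since the commit is already editing this line, `val = processHtml(val, errorMessages, processAnchors);` would keep the two steps composable, though this should be confirmed against the unseen lines first. The enclosing method starts and ends outside the hunk.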
@@ -569,6 +591,21 @@
*/
public static String processEscapedHtml(final String source)
{
+ boolean processAnchors = true;
+ return processEscapedHtml(source, processAnchors);
+ }
+
+ /**
+ * Processes and validates character data as HTML. Disallows dangerous stuff such as <SCRIPT> JavaScript tags. Encodes the text according to the formatted text specification, for the rest of the system to use.
+ *
+ * @param source
+ * The escaped HTML (e.g., from the News service)
+ * @param processAnchors
+ * If true, remove all attributes from anchor tags except href and target="_blank".
+ * @return The validated processed formatted text, ready for use by the system.
+ */
+ public static String processEscapedHtml(final String source, boolean processAnchors)
+ {
if (source == null) return "";
if (source.equals("")) return "";
@@ -592,10 +629,10 @@
M_log.warn("FormattedText.processEscapedHtml unEscapeHtml(Html):", e);
}
- return processHtml(Html, new StringBuilder());
+ return processHtml(Html, new StringBuilder(), processAnchors);
}
- private static String processHtml(final String source, StringBuilder errorMessages)
+ private static String processHtml(final String source, StringBuilder errorMessages, boolean processAnchors)
{
// normalize all variants of the "
" HTML tag to be "
\n"
// TODO call a method to do this in each process routine
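Review bot: `processHtml` at L68 gains a `processAnchors` parameter with no comment saying what the flag controls, and the same applies to `checkTag` at L85; as private helpers these are where the next maintainer will look to learn what passing `false` skips. A one-line comment above each signature such as `// processAnchors: when true, <a> tags are reduced to href plus target="_blank"; when false that rewrite is skipped` would do, matching the descriptions already given in the public Javadoc. Both method bodies continue outside the hunk.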
@@ -621,7 +658,7 @@
if (m.start() > start) buf.append(Html.substring(start, m.start()));
start = m.end();
- buf.append(checkTag(m.group(), errorMessages));
+ buf.append(checkTag(m.group(), errorMessages, processAnchors));
}
// tail
@@ -635,7 +672,7 @@
return new String(buf.toString());
}
- private static String checkTag (final String tag, StringBuilder errorMessages)
+ private static String checkTag (final String tag, StringBuilder errorMessages, boolean processAnchors)
{
StringBuilder buf = new StringBuilder();
boolean escape = true;
@@ -645,7 +682,7 @@
{
if (M_goodTagsPatterns[i].matcher(tag).matches())
{
- if (M_patternAnchorTag.matcher(tag).matches()
+ if (processAnchors && M_patternAnchorTag.matcher(tag).matches()
&& !M_patternCloseAnchorTag.matcher(tag).matches())
{
// if it's an anchor tag, sanitize it
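Review bot: When `processAnchors` is false, an opening `<a>` tag no longer enters the anchor-sanitising branch at L94 and is handled by whatever follows for other good tags, which lies outside the hunk. Before the flag is exposed to callers it is worth confirming that the generic path still rejects unsafe anchor attributes (event handlers, non-http(s) href schemes) on its own, since the anchor branch was presumably the only place that stripped them; otherwise `false` should skip only the target="_blank" rewrite while keeping the attribute reduction. A comment on the condition, `// processAnchors=false skips the anchor rewrite; the generic tag path below must still enforce attribute checks`, would record that expectation for whoever next touches it. checkTag starts outside the hunk.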