1   /*
2    * This file is part of dependency-check-core.
3    *
4    * Licensed under the Apache License, Version 2.0 (the "License");
5    * you may not use this file except in compliance with the License.
6    * You may obtain a copy of the License at
7    *
8    *     http://www.apache.org/licenses/LICENSE-2.0
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS,
12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13   * See the License for the specific language governing permissions and
14   * limitations under the License.
15   *
16   * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
17   */
18  package org.owasp.dependencycheck.reporting;
19  
import java.net.URLEncoder;
import java.util.Set;
import java.util.function.Function;
import javax.annotation.concurrent.ThreadSafe;
import static java.nio.charset.StandardCharsets.UTF_8;
import org.apache.commons.text.StringEscapeUtils;
import org.owasp.dependencycheck.dependency.naming.Identifier;
26  
27  /**
28   * An extremely simple wrapper around various escape utils to perform URL and
29   * HTML encoding within the reports. This class was created to simplify the
30   * velocity configuration and avoid using the "built-in" escape tool.
31   *
32   * @author Jeremy Long
33   */
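@ThreadSafe
public class EscapeTool {

    /**
     * URL encodes the provided text as UTF-8 using
     * {@code application/x-www-form-urlencoded} rules (a space becomes
     * {@code +}). Intended for individual query-string values, not for
     * encoding a complete URL.
     *
     * @param text the text to encode
     * @return the URL encoded text; {@code null} and the empty string are
     * returned unchanged
     */
    public String url(String text) {
        if (text == null || text.isEmpty()) {
            return text;
        }
        return URLEncoder.encode(text, UTF_8);
    }

    /**
     * HTML encodes the provided text using HTML 4 entities. Note that
     * {@code escapeHtml4} does not escape the single quote, so the result is
     * suitable for element content and double-quoted attribute values only.
     *
     * @param text the text to encode
     * @return the HTML encoded text; {@code null} and the empty string are
     * returned unchanged
     */
    public String html(String text) {
        if (text == null || text.isEmpty()) {
            return text;
        }
        return StringEscapeUtils.escapeHtml4(text);
    }

    /**
     * HTML encodes the string form of the provided object.
     *
     * @param o the object whose {@code toString()} is encoded; may be
     * {@code null}
     * @return the HTML encoded text, or {@code null} when {@code o} is
     * {@code null}
     */
    public String html(Object o) {
        // Must use the HTML escaper: the output is placed in an HTML context,
        // so delegating to xml() would apply the wrong encoding rules.
        return html(o == null ? null : o.toString());
    }

    /**
     * XML encodes the provided text using XML 1.1 rules.
     *
     * @param text the text to encode
     * @return the XML encoded text; {@code null} and the empty string are
     * returned unchanged
     */
    public String xml(String text) {
        if (text == null || text.isEmpty()) {
            return text;
        }
        return StringEscapeUtils.escapeXml11(text);
    }

    /**
     * XML encodes the string form of the provided object.
     *
     * @param o the object whose {@code toString()} is encoded; may be
     * {@code null}
     * @return the XML encoded text, or {@code null} when {@code o} is
     * {@code null}
     */
    public String xml(Object o) {
        return xml(o == null ? null : o.toString());
    }

    /**
     * JSON encodes the provided text (escapes quotes, backslashes and control
     * characters as JSON string escapes).
     *
     * @param text the text to encode
     * @return the JSON encoded text; {@code null} and the empty string are
     * returned unchanged
     */
    public String json(String text) {
        if (text == null || text.isEmpty()) {
            return text;
        }
        return StringEscapeUtils.escapeJson(text);
    }

    /**
     * JSON encodes the string form of the provided object.
     *
     * @param o the object whose {@code toString()} is encoded; may be
     * {@code null}
     * @return the JSON encoded text, or {@code null} when {@code o} is
     * {@code null}
     */
    public String json(Object o) {
        // Must use the JSON escaper: XML entity encoding does not produce a
        // valid JSON string (backslashes would be left unescaped).
        return json(o == null ? null : o.toString());
    }

    /**
     * JavaScript encodes the provided text as an ECMAScript string literal body.
     *
     * @param text the text to encode
     * @return the JavaScript encoded text; {@code null} and the empty string
     * are returned unchanged
     */
    public String javascript(String text) {
        if (text == null || text.isEmpty()) {
            return text;
        }
        return StringEscapeUtils.escapeEcmaScript(text);
    }

    /**
     * Formats text for CSV format. This includes trimming whitespace, replacing
     * line breaks (CR, LF or CRLF) with spaces, and if necessary quoting the
     * text and/or escaping contained quotes.
     *
     * @param text the text to escape and quote
     * @return the escaped and quoted text; {@code null}, empty or blank input
     * yields an empty quoted cell ({@code ""})
     */
    public String csv(String text) {
        if (text == null || text.isEmpty()) {
            return "\"\"";
        }
        // CRLF first so a Windows line break collapses to a single space.
        final String str = text.trim()
                .replace("\r\n", " ")
                .replace('\n', ' ')
                .replace('\r', ' ');
        if (str.isBlank()) {
            return "\"\"";
        }
        // escapeCsv only quotes/escapes CSV metacharacters; it does not
        // neutralise values a spreadsheet would evaluate as a formula
        // (e.g. a leading '=', '+', '-' or '@').
        return StringEscapeUtils.escapeCsv(str);
    }

    /**
     * Formats the values of the provided identifiers for display in a CSV
     * cell. No filtering by identifier type is performed here; every
     * identifier in {@code ids} contributes its value, so the caller is
     * expected to supply the (non-CPE) subset it wants displayed.
     *
     * @param ids the set of identifiers
     * @return the comma separated, CSV escaped identifier values; an empty
     * quoted cell ({@code ""}) when there is nothing to show
     */
    public String csvIdentifiers(Set<Identifier> ids) {
        return csvJoin(ids, Identifier::getValue);
    }

    /**
     * Formats the confidence of the provided identifiers for display in a CSV
     * cell. No filtering by identifier type is performed here; every
     * identifier in {@code ids} contributes its confidence, so the caller is
     * expected to supply the (CPE) subset it wants displayed.
     *
     * @param ids the set of identifiers
     * @return the comma separated, CSV escaped confidence values; an empty
     * quoted cell ({@code ""}) when there is nothing to show
     */
    public String csvCpeConfidence(Set<Identifier> ids) {
        return csvJoin(ids, Identifier::getConfidence);
    }

    /**
     * Joins one attribute of every identifier with {@code ", "} and CSV
     * escapes the result.
     *
     * @param ids the identifiers; may be {@code null} or empty
     * @param accessor the attribute to read from each identifier (appended via
     * {@code String.valueOf}, so a {@code null} attribute renders as "null")
     * @return the escaped, comma separated values; an empty quoted cell
     * ({@code ""}) when {@code ids} is null/empty or the joined text is empty
     */
    private static String csvJoin(Set<Identifier> ids, Function<Identifier, ?> accessor) {
        if (ids == null || ids.isEmpty()) {
            return "\"\"";
        }
        final StringBuilder sb = new StringBuilder();
        boolean first = true;
        for (Identifier id : ids) {
            // Flag rather than sb.length(): a leading empty value must still
            // be followed by a separator.
            if (!first) {
                sb.append(", ");
            }
            first = false;
            sb.append(accessor.apply(id));
        }
        if (sb.length() == 0) {
            return "\"\"";
        }
        return StringEscapeUtils.escapeCsv(sb.toString());
    }
}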
185 }