├── .gitignore ├── LICENSE ├── README.md ├── lib ├── esapi.js ├── public │ ├── esapi-compressed.js │ ├── esapi.js │ └── resources │ │ ├── Base.esapi.properties.js │ │ └── i18n │ │ └── ESAPI_Standard_en_US.properties.js └── utils.js ├── package.json └── test └── test.js /.gitignore: -------------------------------------------------------------------------------- 1 | lib-cov 2 | *.seed 3 | *.log 4 | *.csv 5 | *.dat 6 | *.out 7 | *.pid 8 | *.gz 9 | 10 | pids 11 | logs 12 | results 13 | 14 | npm-debug.log 15 | node_modules 16 | .idea 17 | lib/esapi4js.js -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | The MIT License (MIT) 2 | 3 | Copyright (c) 2014 Karl Düüna 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy of 6 | this software and associated documentation files (the "Software"), to deal in 7 | the Software without restriction, including without limitation the rights to 8 | use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of 9 | the Software, and to permit persons to whom the Software is furnished to do so, 10 | subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS 17 | FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR 18 | COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER 19 | IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 20 | CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
21 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | [node-esapi](https://github.com/DeadAlready/node-esapi) is a minimal port of the ESAPI4JS (Enterprise Security API for JavaScript) 2 | encoder. 3 | 4 | # Installation 5 | 6 | $ npm install node-esapi 7 | 8 | # Usage 9 | 10 | var ESAPI = require('node-esapi'); 11 | ESAPI.encoder().encodeForHTML('
This is a test
'); 12 | 13 | # Encoder Functions 14 | 15 | The encoder() returns an object with the following main functions: 16 | 17 | + encodeForHTML 18 | + encodeForCSS 19 | + encodeForJS = encodeForJavaScript = encodeForJavascript 20 | + encodeForURL 21 | + encodeForHTMLAttribute 22 | + encodeForBase64 23 | 24 | # Middleware 25 | 26 | The ESAPI has a function for creating express middleware to serve client side scripts of ESAPI. 27 | 28 | app.use(ESAPI.middleware()); 29 | 30 | // Now in your HTML you can do 31 | 32 | 33 | 34 | 39 | 40 | # Licence 41 | 42 | ## ESAPI Licence 43 | 44 | The BSD License 45 | 46 | Copyright (c) 2007, The OWASP Foundation 47 | All rights reserved. 48 | 49 | Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 50 | 51 | Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 52 | Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 53 | Neither the name of the OWASP Foundation nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. 54 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 55 | 56 | ## node-esapi Licence 57 | 58 | The MIT License (MIT) 59 | 60 | Copyright (c) 2014 Karl Düüna 61 | 62 | Permission is hereby granted, free of charge, to any person obtaining a copy of 63 | this software and associated documentation files (the "Software"), to deal in 64 | the Software without restriction, including without limitation the rights to 65 | use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of 66 | the Software, and to permit persons to whom the Software is furnished to do so, 67 | subject to the following conditions: 68 | 69 | The above copyright notice and this permission notice shall be included in all 70 | copies or substantial portions of the Software. 71 | 72 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 73 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS 74 | FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR 75 | COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER 76 | IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 77 | CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
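// lib/esapi.js
'use strict';

var utils = require('./utils');

var esapi = {
    codecs: {}
};


/**
 * Base codec. encode()/decode() walk the input one character at a time and
 * delegate to encodeCharacter()/decodeCharacter(), which the concrete codecs
 * below replace; the defaults here are identity transforms.
 *
 * @return {Object} a new codec instance
 */
esapi.codecs.Codec = function() {
    return {
        /**
         * Encode a String so that it can be safely used in a specific context.
         *
         * @param aImmune array of immune characters (copied through unencoded)
         * @param sInput  the String to encode
         * @return the encoded String
         */
        encode: function(aImmune, sInput) {
            var out = '';
            for (var i = 0; i < sInput.length; i++) {
                out += this.encodeCharacter(aImmune, sInput.charAt(i));
            }
            return out;
        },

        /**
         * Default implementation that should be overridden in specific codecs.
         *
         * @param aImmune array of immune characters
         * @param c       the Character to encode
         * @return the encoded Character (unchanged in the base codec)
         */
        encodeCharacter: function(aImmune, c) {
            return c;
        },

        /**
         * Decode a String that was encoded using the encode method in this Class.
         *
         * @param sInput the String to decode
         * @return the decoded String
         */
        decode: function(sInput) {
            var out = '';
            var pbs = new esapi.codecs.PushbackString(sInput);
            while (pbs.hasNext()) {
                var decoded = this.decodeCharacter(pbs);
                // null means "no encoded sequence starts here": copy the raw character through
                out += (decoded != null) ? decoded : pbs.next();
            }
            return out;
        },

        /**
         * Returns the decoded version of the next character from the input string and advances the
         * current character in the PushbackString. If the current character is not encoded, this
         * method MUST reset the PushbackString.
         *
         * @param oPushbackString the PushbackString positioned at the character to decode
         * @return the decoded Character
         */
        decodeCharacter: function(oPushbackString) {
            return oPushbackString.next();
        }
    };
};

/**
 * Hex form of a character's UTF-16 code unit, for building escape sequences.
 *
 * @param c a one-character string
 * @return lower-case hex string, or null for ASCII alphanumerics (which never
 *         need encoding); callers treat null as "emit the character as is"
 */
esapi.codecs.Codec.getHexForNonAlphanumeric = function(c) {
    var code = c.charCodeAt(0);
    if (code < 256) {
        return esapi.codecs.Codec.hex[code];
    }
    return code.toString(16);
};

/*
 * Precomputed table for the Latin-1 range used by getHexForNonAlphanumeric:
 * hex[code] is the hex string, or null for ASCII alphanumerics. The loop runs
 * through 0xFF inclusive; the original stopped one short, so U+00FF had no
 * entry (undefined, read as "alphanumeric") and every codec passed it through
 * unencoded.
 */
esapi.codecs.Codec.hex = [];
for (var c = 0; c <= 0xFF; c++) {
    var isAlphanumeric = (c >= 0x30 && c <= 0x39) || (c >= 0x41 && c <= 0x5A) || (c >= 0x61 && c <= 0x7A);
    esapi.codecs.Codec.hex[c] = isAlphanumeric ? null : c.toString(16);
}

/**
 * Base64 codec over the UTF-8 byte string produced by esapi.codecs.UTF8
 * (defined elsewhere in this file). Kept as the original alphabet walk rather
 * than Buffer so the output stays byte-identical to the previous version.
 */
esapi.codecs.Base64 = {
    _keyStr: "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=",

    /**
     * @param sInput the String to encode
     * @return the Base64 text, or null for an empty or missing input (existing contract)
     */
    encode: function(sInput) {
        if (!sInput) {
            return null;
        }

        var input = esapi.codecs.UTF8.encode(sInput);
        var out = '';

        // three input bytes -> four output symbols; charCodeAt past the end is NaN
        for (var i = 0; i < input.length; i += 3) {
            var ch1 = input.charCodeAt(i);
            var ch2 = input.charCodeAt(i + 1);
            var ch3 = input.charCodeAt(i + 2);

            var enc1 = ch1 >> 2;
            var enc2 = ((ch1 & 3) << 4) | (ch2 >> 4);
            var enc3 = ((ch2 & 15) << 2) | (ch3 >> 6);
            var enc4 = ch3 & 63;

            if (isNaN(ch2)) {
                enc3 = enc4 = 64; // index 64 is the '=' padding symbol
            } else if (isNaN(ch3)) {
                enc4 = 64;
            }

            out += this._keyStr.charAt(enc1) + this._keyStr.charAt(enc2) +
                this._keyStr.charAt(enc3) + this._keyStr.charAt(enc4);
        }

        return out;
    },

    /**
     * @param sInput Base64 text; characters outside the alphabet are ignored
     * @return the decoded String, or null for an empty or missing input
     */
    decode: function(sInput) {
        if (!sInput) {
            return null;
        }

        var input = sInput.replace(/[^A-Za-z0-9\+\/\=]/g, "");
        var out = '';

        // four symbols -> three bytes; '=' (index 64) suppresses the trailing bytes
        for (var i = 0; i < input.length; i += 4) {
            var enc1 = this._keyStr.indexOf(input.charAt(i));
            var enc2 = this._keyStr.indexOf(input.charAt(i + 1));
            var enc3 = this._keyStr.indexOf(input.charAt(i + 2));
            var enc4 = this._keyStr.indexOf(input.charAt(i + 3));

            var ch1 = (enc1 << 2) | (enc2 >> 4);
            var ch2 = ((enc2 & 15) << 4) | (enc3 >> 2);
            var ch3 = ((enc3 & 3) << 6) | enc4;

            out += String.fromCharCode(ch1);
            if (enc3 != 64) {
                out += String.fromCharCode(ch2);
            }
            if (enc4 != 64) {
                out += String.fromCharCode(ch3);
            }
        }

        return esapi.codecs.UTF8.decode(out);
    }
};


/**
 * CSS codec: every non-immune, non-alphanumeric character becomes a CSS hex
 * escape ("\" + hex + " "); decodeCharacter reverses that.
 */
esapi.codecs.CSSCodec = function() {
    var _super = new esapi.codecs.Codec();

    return {
        encode: _super.encode,

        decode: _super.decode,

        /**
         * @param aImmune array of characters to leave unencoded
         * @param c       one-character string
         * @return c itself, or its CSS escape (the trailing space terminates the hex run)
         */
        encodeCharacter: function(aImmune, c) {
            if (utils.contains(aImmune, c)) {
                return c;
            }

            var hex = esapi.codecs.Codec.getHexForNonAlphanumeric(c);
            if (hex == null) {
                return c;
            }

            return "\\" + hex + " ";
        },

        /**
         * Decode one CSS escape at the current position.
         *
         * @param oPushbackString input positioned at the candidate backslash
         * @return the decoded character, or null (with the input reset) when no
         *         escape starts here; a backslash before a non-hex character
         *         yields that character
         */
        decodeCharacter: function(oPushbackString) {
            oPushbackString.mark();

            var first = oPushbackString.next();
            if (first == null || first != '\\') {
                oPushbackString.reset();
                return null;
            }

            var second = oPushbackString.next();
            if (second == null) {
                oPushbackString.reset();
                return null;
            }

            if (!oPushbackString.isHexDigit(second)) {
                return second;
            }

            // up to six further hex digits; a single space ends the escape and is consumed
            var digits = second;
            for (var i = 0; i < 6; i++) {
                var next = oPushbackString.next();
                if (next == null || next.charCodeAt(0) == 0x20) {
                    break;
                }
                if (oPushbackString.isHexDigit(next)) {
                    digits += next;
                } else {
                    // the original called pushback on an undeclared `input`, which threw
                    // a ReferenceError whenever an escape was followed by a non-hex character
                    oPushbackString.pushback(next);
                    break;
                }
            }

            // digits always holds at least one hex digit, so parseInt cannot yield NaN
            // (and parseInt never throws, so the original try/catch was dead code)
            return String.fromCharCode(parseInt(digits, 16));
        }
    };
};


/*
 * HTML entity name (without the trailing ';') -> decimal code point as a string.
 * Kept as an Array rather than a plain object because the HTML codec calls
 * entityToCharacterMap.getCaseInsensitive(), which is presumably provided by
 * ./utils on the Array prototype — TODO confirm before changing the container.
 * The keys are the HTML 4 entity names; an earlier copy of this file had the
 * Latin-1 names replaced by their decoded characters, which broke both the
 * named-entity lookup and the reverse map used for encoding.
 */
var entityToCharacterMap = [];
entityToCharacterMap["&quot"] = "34"; /* 34 : quotation mark */
entityToCharacterMap["&amp"] = "38"; /* 38 : ampersand */
entityToCharacterMap["&lt"] = "60"; /* 60 : less-than sign */
entityToCharacterMap["&gt"] = "62"; /* 62 : greater-than sign */
entityToCharacterMap["&nbsp"] = "160"; /* 160 : no-break space */
entityToCharacterMap["&iexcl"] = "161"; /* 161 : inverted exclamation mark */
entityToCharacterMap["&cent"] = "162"; /* 162 : cent sign */
entityToCharacterMap["&pound"] = "163"; /* 163 : pound sign */
entityToCharacterMap["&curren"] = "164"; /* 164 : currency sign */
entityToCharacterMap["&yen"] = "165"; /* 165 : yen sign */
entityToCharacterMap["&brvbar"] = "166"; /* 166 : broken bar */
entityToCharacterMap["&sect"] = "167"; /* 167 : section sign */
entityToCharacterMap["&uml"] = "168"; /* 168 : diaeresis */
entityToCharacterMap["&copy"] = "169"; /* 169 : copyright sign */
entityToCharacterMap["&ordf"] = "170"; /* 170 : feminine ordinal indicator */
entityToCharacterMap["&laquo"] = "171"; /* 171 : left-pointing double angle quotation mark */
entityToCharacterMap["&not"] = "172"; /* 172 : not sign */
entityToCharacterMap["&shy"] = "173"; /* 173 : soft hyphen */
entityToCharacterMap["&reg"] = "174"; /* 174 : registered sign */
entityToCharacterMap["&macr"] = "175"; /* 175 : macron */
entityToCharacterMap["&deg"] = "176"; /* 176 : degree sign */
entityToCharacterMap["&plusmn"] = "177"; /* 177 : plus-minus sign */
entityToCharacterMap["&sup2"] = "178"; /* 178 : superscript two */
entityToCharacterMap["&sup3"] = "179"; /* 179 : superscript three */
entityToCharacterMap["&acute"] = "180"; /* 180 : acute accent */
entityToCharacterMap["&micro"] = "181"; /* 181 : micro sign */
entityToCharacterMap["&para"] = "182"; /* 182 : pilcrow sign */
entityToCharacterMap["&middot"] = "183"; /* 183 : middle dot */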
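/* Latin-1 block continued: keys restored to the HTML 4 entity names; this copy
 * had them replaced by the decoded characters, so neither the named-entity
 * decoder nor the reverse (encoding) map could match them. */
entityToCharacterMap["&cedil"] = "184"; /* 184 : cedilla */
entityToCharacterMap["&sup1"] = "185"; /* 185 : superscript one */
entityToCharacterMap["&ordm"] = "186"; /* 186 : masculine ordinal indicator */
entityToCharacterMap["&raquo"] = "187"; /* 187 : right-pointing double angle quotation mark */
entityToCharacterMap["&frac14"] = "188"; /* 188 : vulgar fraction one quarter */
entityToCharacterMap["&frac12"] = "189"; /* 189 : vulgar fraction one half */
entityToCharacterMap["&frac34"] = "190"; /* 190 : vulgar fraction three quarters */
entityToCharacterMap["&iquest"] = "191"; /* 191 : inverted question mark */
entityToCharacterMap["&Agrave"] = "192"; /* 192 : Latin capital letter a with grave */
entityToCharacterMap["&Aacute"] = "193"; /* 193 : Latin capital letter a with acute */
entityToCharacterMap["&Acirc"] = "194"; /* 194 : Latin capital letter a with circumflex */
entityToCharacterMap["&Atilde"] = "195"; /* 195 : Latin capital letter a with tilde */
entityToCharacterMap["&Auml"] = "196"; /* 196 : Latin capital letter a with diaeresis */
entityToCharacterMap["&Aring"] = "197"; /* 197 : Latin capital letter a with ring above */
entityToCharacterMap["&AElig"] = "198"; /* 198 : Latin capital letter ae */
entityToCharacterMap["&Ccedil"] = "199"; /* 199 : Latin capital letter c with cedilla */
entityToCharacterMap["&Egrave"] = "200"; /* 200 : Latin capital letter e with grave */
entityToCharacterMap["&Eacute"] = "201"; /* 201 : Latin capital letter e with acute */
entityToCharacterMap["&Ecirc"] = "202"; /* 202 : Latin capital letter e with circumflex */
entityToCharacterMap["&Euml"] = "203"; /* 203 : Latin capital letter e with diaeresis */
entityToCharacterMap["&Igrave"] = "204"; /* 204 : Latin capital letter i with grave */
entityToCharacterMap["&Iacute"] = "205"; /* 205 : Latin capital letter i with acute */
entityToCharacterMap["&Icirc"] = "206"; /* 206 : Latin capital letter i with circumflex */
entityToCharacterMap["&Iuml"] = "207"; /* 207 : Latin capital letter i with diaeresis */
entityToCharacterMap["&ETH"] = "208"; /* 208 : Latin capital letter eth */
entityToCharacterMap["&Ntilde"] = "209"; /* 209 : Latin capital letter n with tilde */
entityToCharacterMap["&Ograve"] = "210"; /* 210 : Latin capital letter o with grave */
entityToCharacterMap["&Oacute"] = "211"; /* 211 : Latin capital letter o with acute */
entityToCharacterMap["&Ocirc"] = "212"; /* 212 : Latin capital letter o with circumflex */
entityToCharacterMap["&Otilde"] = "213"; /* 213 : Latin capital letter o with tilde */
entityToCharacterMap["&Ouml"] = "214"; /* 214 : Latin capital letter o with diaeresis */
entityToCharacterMap["&times"] = "215"; /* 215 : multiplication sign */
entityToCharacterMap["&Oslash"] = "216"; /* 216 : Latin capital letter o with stroke */
entityToCharacterMap["&Ugrave"] = "217"; /* 217 : Latin capital letter u with grave */
entityToCharacterMap["&Uacute"] = "218"; /* 218 : Latin capital letter u with acute */
entityToCharacterMap["&Ucirc"] = "219"; /* 219 : Latin capital letter u with circumflex */
entityToCharacterMap["&Uuml"] = "220"; /* 220 : Latin capital letter u with diaeresis */
entityToCharacterMap["&Yacute"] = "221"; /* 221 : Latin capital letter y with acute */
entityToCharacterMap["&THORN"] = "222"; /* 222 : Latin capital letter thorn */
entityToCharacterMap["&szlig"] = "223"; /* 223 : Latin small letter sharp s, German Eszett */
entityToCharacterMap["&agrave"] = "224"; /* 224 : Latin small letter a with grave */
entityToCharacterMap["&aacute"] = "225"; /* 225 : Latin small letter a with acute */
entityToCharacterMap["&acirc"] = "226"; /* 226 : Latin small letter a with circumflex */
entityToCharacterMap["&atilde"] = "227"; /* 227 : Latin small letter a with tilde */
entityToCharacterMap["&auml"] = "228"; /* 228 : Latin small letter a with diaeresis */
entityToCharacterMap["&aring"] = "229"; /* 229 : Latin small letter a with ring above */
entityToCharacterMap["&aelig"] = "230"; /* 230 : Latin lowercase ligature ae */
entityToCharacterMap["&ccedil"] = "231"; /* 231 : Latin small letter c with cedilla */
entityToCharacterMap["&egrave"] = "232"; /* 232 : Latin small letter e with grave */
entityToCharacterMap["&eacute"] = "233"; /* 233 : Latin small letter e with acute */
entityToCharacterMap["&ecirc"] = "234"; /* 234 : Latin small letter e with circumflex */
entityToCharacterMap["&euml"] = "235"; /* 235 : Latin small letter e with diaeresis */
entityToCharacterMap["&igrave"] = "236"; /* 236 : Latin small letter i with grave */
entityToCharacterMap["&iacute"] = "237"; /* 237 : Latin small letter i with acute */
entityToCharacterMap["&icirc"] = "238"; /* 238 : Latin small letter i with circumflex */
entityToCharacterMap["&iuml"] = "239"; /* 239 : Latin small letter i with diaeresis */
entityToCharacterMap["&eth"] = "240"; /* 240 : Latin small letter eth */
entityToCharacterMap["&ntilde"] = "241"; /* 241 : Latin small letter n with tilde */
entityToCharacterMap["&ograve"] = "242"; /* 242 : Latin small letter o with grave */
entityToCharacterMap["&oacute"] = "243"; /* 243 : Latin small letter o with acute */
entityToCharacterMap["&ocirc"] = "244"; /* 244 : Latin small letter o with circumflex */
entityToCharacterMap["&otilde"] = "245"; /* 245 : Latin small letter o with tilde */
entityToCharacterMap["&ouml"] = "246"; /* 246 : Latin small letter o with diaeresis */
entityToCharacterMap["&divide"] = "247"; /* 247 : division sign */
entityToCharacterMap["&oslash"] = "248"; /* 248 : Latin small letter o with stroke */
entityToCharacterMap["&ugrave"] = "249"; /* 249 : Latin small letter u with grave */
entityToCharacterMap["&uacute"] = "250"; /* 250 : Latin small letter u with acute */
entityToCharacterMap["&ucirc"] = "251"; /* 251 : Latin small letter u with circumflex */
entityToCharacterMap["&uuml"] = "252"; /* 252 : Latin small letter u with diaeresis */
entityToCharacterMap["&yacute"] = "253"; /* 253 : Latin small letter y with acute */
entityToCharacterMap["&thorn"] = "254"; /* 254 : Latin small letter thorn */
entityToCharacterMap["&yuml"] = "255"; /* 255 : Latin small letter y with diaeresis */
entityToCharacterMap["&OElig"] = "338"; /* 338 : Latin capital ligature oe */
entityToCharacterMap["&oelig"] = "339"; /* 339 : Latin small ligature oe */
entityToCharacterMap["&Scaron"] = "352"; /* 352 : Latin capital letter s with caron */
entityToCharacterMap["&scaron"] = "353"; /* 353 : Latin small letter s with caron */
entityToCharacterMap["&Yuml"] = "376"; /* 376 : Latin capital letter y with diaeresis */
entityToCharacterMap["&fnof"] = "402"; /* 402 : Latin small letter f with hook */
entityToCharacterMap["&circ"] = "710"; /* 710 : modifier letter circumflex accent */
entityToCharacterMap["&tilde"] = "732"; /* 732 : small tilde */
entityToCharacterMap["&Alpha"] = "913"; /* 913 : Greek capital letter alpha */
entityToCharacterMap["&Beta"] = "914"; /* 914 : Greek capital letter beta */
entityToCharacterMap["&Gamma"] = "915"; /* 915 : Greek capital letter gamma */
entityToCharacterMap["&Delta"] = "916"; /* 916 : Greek capital letter delta */
entityToCharacterMap["&Epsilon"] = "917"; /* 917 : Greek capital letter epsilon */
entityToCharacterMap["&Zeta"] = "918"; /* 918 : Greek capital letter zeta */
entityToCharacterMap["&Eta"] = "919"; /* 919 : Greek capital letter eta */
entityToCharacterMap["&Theta"] = "920"; /* 920 : Greek capital letter theta */
entityToCharacterMap["&Iota"] = "921"; /* 921 : Greek capital letter iota */
entityToCharacterMap["&Kappa"] = "922"; /* 922 : Greek capital letter kappa */
entityToCharacterMap["&Lambda"] = "923"; /* 923 : Greek capital letter lambda */
entityToCharacterMap["&Mu"] = "924"; /* 924 : Greek capital letter mu */
entityToCharacterMap["&Nu"] = "925"; /* 925 : Greek capital letter nu */
entityToCharacterMap["&Xi"] = "926"; /* 926 : Greek capital letter xi */
entityToCharacterMap["&Omicron"] = "927"; /* 927 : Greek capital letter omicron */
entityToCharacterMap["&Pi"] = "928"; /* 928 : Greek capital letter pi */
entityToCharacterMap["&Rho"] = "929"; /* 929 : Greek capital letter rho */
entityToCharacterMap["&Sigma"] = "931"; /* 931 : Greek capital letter sigma */
entityToCharacterMap["&Tau"] = "932"; /* 932 : Greek capital letter tau */
entityToCharacterMap["&Upsilon"] = "933"; /* 933 : Greek capital letter upsilon */
entityToCharacterMap["&Phi"] = "934"; /* 934 : Greek capital letter phi */
entityToCharacterMap["&Chi"] = "935"; /* 935 : Greek capital letter chi */
entityToCharacterMap["&Psi"] = "936"; /* 936 : Greek capital letter psi */
entityToCharacterMap["&Omega"] = "937"; /* 937 : Greek capital letter omega */
entityToCharacterMap["&alpha"] = "945"; /* 945 : Greek small letter alpha */
entityToCharacterMap["&beta"] = "946"; /* 946 : Greek small letter beta */
entityToCharacterMap["&gamma"] = "947"; /* 947 : Greek small letter gamma */
entityToCharacterMap["&delta"] = "948"; /* 948 : Greek small letter delta */
entityToCharacterMap["&epsilon"] = "949"; /* 949 : Greek small letter epsilon */
entityToCharacterMap["&zeta"] = "950"; /* 950 : Greek small letter zeta */
entityToCharacterMap["&eta"] = "951"; /* 951 : Greek small letter eta */
entityToCharacterMap["&theta"] = "952"; /* 952 : Greek small letter theta */
entityToCharacterMap["&iota"] = "953"; /* 953 : Greek small letter iota */
entityToCharacterMap["&kappa"] = "954"; /* 954 : Greek small letter kappa */
entityToCharacterMap["&lambda"] = "955"; /* 955 : Greek small letter lambda */
entityToCharacterMap["&mu"] = "956"; /* 956 : Greek small letter mu */
entityToCharacterMap["&nu"] = "957"; /* 957 : Greek small letter nu */
entityToCharacterMap["&xi"] = "958"; /* 958 : Greek small letter xi */
entityToCharacterMap["&omicron"] = "959"; /* 959 : Greek small letter omicron */
entityToCharacterMap["&pi"] = "960"; /* 960 : Greek small letter pi */
entityToCharacterMap["&rho"] = "961"; /* 961 : Greek small letter rho */
entityToCharacterMap["&sigmaf"] = "962"; /* 962 : Greek small letter final sigma */
entityToCharacterMap["&sigma"] = "963"; /* 963 : Greek small letter sigma */
entityToCharacterMap["&tau"] = "964"; /* 964 : Greek small letter tau */
entityToCharacterMap["&upsilon"] = "965"; /* 965 : Greek small letter upsilon */
entityToCharacterMap["&phi"] = "966"; /* 966 : Greek small letter phi */
entityToCharacterMap["&chi"] = "967"; /* 967 : Greek small letter chi */
entityToCharacterMap["&psi"] = "968"; /* 968 : Greek small letter psi */
entityToCharacterMap["&omega"] = "969"; /* 969 : Greek small letter omega */
entityToCharacterMap["&thetasym"] = "977"; /* 977 : Greek theta symbol */
entityToCharacterMap["&upsih"] = "978"; /* 978 : Greek upsilon with hook symbol */
entityToCharacterMap["&piv"] = "982"; /* 982 : Greek pi symbol */
entityToCharacterMap["&ensp"] = "8194"; /* 8194 : en space */
entityToCharacterMap["&emsp"] = "8195"; /* 8195 : em space */
entityToCharacterMap["&thinsp"] = "8201"; /* 8201 : thin space */
entityToCharacterMap["&zwnj"] = "8204"; /* 8204 : zero width non-joiner */
entityToCharacterMap["&zwj"] = "8205"; /* 8205 : zero width joiner */
entityToCharacterMap["&lrm"] = "8206"; /* 8206 : left-to-right mark */
entityToCharacterMap["&rlm"] = "8207"; /* 8207 : right-to-left mark */
entityToCharacterMap["&ndash"] = "8211"; /* 8211 : en dash */
entityToCharacterMap["&mdash"] = "8212"; /* 8212 : em dash */
entityToCharacterMap["&lsquo"] = "8216"; /* 8216 : left single quotation mark */
entityToCharacterMap["&rsquo"] = "8217"; /* 8217 : right single quotation mark */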
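entityToCharacterMap["&sbquo"] = "8218"; /* 8218 : single low-9 quotation mark */
entityToCharacterMap["&ldquo"] = "8220"; /* 8220 : left double quotation mark */
entityToCharacterMap["&rdquo"] = "8221"; /* 8221 : right double quotation mark */
entityToCharacterMap["&bdquo"] = "8222"; /* 8222 : double low-9 quotation mark */
entityToCharacterMap["&dagger"] = "8224"; /* 8224 : dagger */
entityToCharacterMap["&Dagger"] = "8225"; /* 8225 : double dagger */
entityToCharacterMap["&bull"] = "8226"; /* 8226 : bullet */
entityToCharacterMap["&hellip"] = "8230"; /* 8230 : horizontal ellipsis */
entityToCharacterMap["&permil"] = "8240"; /* 8240 : per mille sign */
entityToCharacterMap["&prime"] = "8242"; /* 8242 : prime */
entityToCharacterMap["&Prime"] = "8243"; /* 8243 : double prime */
entityToCharacterMap["&lsaquo"] = "8249"; /* 8249 : single left-pointing angle quotation mark */
entityToCharacterMap["&rsaquo"] = "8250"; /* 8250 : single right-pointing angle quotation mark */
entityToCharacterMap["&oline"] = "8254"; /* 8254 : overline */
entityToCharacterMap["&frasl"] = "8260"; /* 8260 : fraction slash */
entityToCharacterMap["&euro"] = "8364"; /* 8364 : euro sign */
/* 8465 (U+2111) is the code point of &image; the value was previously "8365",
 * which disagreed with the comment and mapped the entity to the wrong character. */
entityToCharacterMap["&image"] = "8465"; /* 8465 : black-letter capital i */
entityToCharacterMap["&weierp"] = "8472"; /* 8472 : script capital p, Weierstrass p */
entityToCharacterMap["&real"] = "8476"; /* 8476 : black-letter capital r */
entityToCharacterMap["&trade"] = "8482"; /* 8482 : trademark sign */
entityToCharacterMap["&alefsym"] = "8501"; /* 8501 : alef symbol */
entityToCharacterMap["&larr"] = "8592"; /* 8592 : leftwards arrow */
entityToCharacterMap["&uarr"] = "8593"; /* 8593 : upwards arrow */
entityToCharacterMap["&rarr"] = "8594"; /* 8594 : rightwards arrow */
entityToCharacterMap["&darr"] = "8595"; /* 8595 : downwards arrow */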
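entityToCharacterMap["&harr"] = "8596"; /* 8596 : left right arrow */
entityToCharacterMap["&crarr"] = "8629"; /* 8629 : downwards arrow with corner leftwards */
entityToCharacterMap["&lArr"] = "8656"; /* 8656 : leftwards double arrow */
entityToCharacterMap["&uArr"] = "8657"; /* 8657 : upwards double arrow */
entityToCharacterMap["&rArr"] = "8658"; /* 8658 : rightwards double arrow */
entityToCharacterMap["&dArr"] = "8659"; /* 8659 : downwards double arrow */
entityToCharacterMap["&hArr"] = "8660"; /* 8660 : left right double arrow */
entityToCharacterMap["&forall"] = "8704"; /* 8704 : for all */
entityToCharacterMap["&part"] = "8706"; /* 8706 : partial differential */
entityToCharacterMap["&exist"] = "8707"; /* 8707 : there exists */
entityToCharacterMap["&empty"] = "8709"; /* 8709 : empty set */
entityToCharacterMap["&nabla"] = "8711"; /* 8711 : nabla */
entityToCharacterMap["&isin"] = "8712"; /* 8712 : element of */
/* key restored to the HTML 4 name; this copy had the "&not" prefix decoded to "¬" */
entityToCharacterMap["&notin"] = "8713"; /* 8713 : not an element of */
entityToCharacterMap["&ni"] = "8715"; /* 8715 : contains as member */
entityToCharacterMap["&prod"] = "8719"; /* 8719 : n-ary product */
entityToCharacterMap["&sum"] = "8721"; /* 8721 : n-ary summation */
entityToCharacterMap["&minus"] = "8722"; /* 8722 : minus sign */
entityToCharacterMap["&lowast"] = "8727"; /* 8727 : asterisk operator */
entityToCharacterMap["&radic"] = "8730"; /* 8730 : square root */
entityToCharacterMap["&prop"] = "8733"; /* 8733 : proportional to */
entityToCharacterMap["&infin"] = "8734"; /* 8734 : infinity */
entityToCharacterMap["&ang"] = "8736"; /* 8736 : angle */
entityToCharacterMap["&and"] = "8743"; /* 8743 : logical and */
entityToCharacterMap["&or"] = "8744"; /* 8744 : logical or */
entityToCharacterMap["&cap"] = "8745"; /* 8745 : intersection */
entityToCharacterMap["&cup"] = "8746"; /* 8746 : union */
entityToCharacterMap["&int"] = "8747"; /* 8747 : integral */
entityToCharacterMap["&there4"] = "8756"; /* 8756 : therefore */
entityToCharacterMap["&sim"] = "8764"; /* 8764 : tilde operator */
entityToCharacterMap["&cong"] = "8773"; /* 8773 : congruent to */
entityToCharacterMap["&asymp"] = "8776"; /* 8776 : almost equal to */
entityToCharacterMap["&ne"] = "8800"; /* 8800 : not equal to */
entityToCharacterMap["&equiv"] = "8801"; /* 8801 : identical to, equivalent to */
entityToCharacterMap["&le"] = "8804"; /* 8804 : less-than or equal to */
entityToCharacterMap["&ge"] = "8805"; /* 8805 : greater-than or equal to */
entityToCharacterMap["&sub"] = "8834"; /* 8834 : subset of */
entityToCharacterMap["&sup"] = "8835"; /* 8835 : superset of */
entityToCharacterMap["&nsub"] = "8836"; /* 8836 : not a subset of */
entityToCharacterMap["&sube"] = "8838"; /* 8838 : subset of or equal to */
entityToCharacterMap["&supe"] = "8839"; /* 8839 : superset of or equal to */
entityToCharacterMap["&oplus"] = "8853"; /* 8853 : circled plus */
entityToCharacterMap["&otimes"] = "8855"; /* 8855 : circled times */
entityToCharacterMap["&perp"] = "8869"; /* 8869 : up tack */
entityToCharacterMap["&sdot"] = "8901"; /* 8901 : dot operator */
entityToCharacterMap["&lceil"] = "8968"; /* 8968 : left ceiling */
entityToCharacterMap["&rceil"] = "8969"; /* 8969 : right ceiling */
entityToCharacterMap["&lfloor"] = "8970"; /* 8970 : left floor */
entityToCharacterMap["&rfloor"] = "8971"; /* 8971 : right floor */
entityToCharacterMap["&lang"] = "9001"; /* 9001 : left-pointing angle bracket */
entityToCharacterMap["&rang"] = "9002"; /* 9002 : right-pointing angle bracket */
entityToCharacterMap["&loz"] = "9674"; /* 9674 : lozenge */
entityToCharacterMap["&spades"] = "9824"; /* 9824 : black spade suit */
entityToCharacterMap["&clubs"] = "9827"; /* 9827 : black club suit */
entityToCharacterMap["&hearts"] = "9829"; /* 9829 : black heart suit */
entityToCharacterMap["&diams"] = "9830"; /* 9830 : black diamond suit */

/*
 * Reverse map used when encoding: decimal code point -> entity name without
 * the trailing ';' (characterToEntityMap[60] === "&lt"). Only own keys are
 * copied so that any helper ./utils attaches to the Array prototype does not
 * end up as a bogus entry.
 */
var characterToEntityMap = [];

for (var entity in entityToCharacterMap) {
    if (Object.prototype.hasOwnProperty.call(entityToCharacterMap, entity)) {
        characterToEntityMap[entityToCharacterMap[entity]] = entity;
    }
}

/**
 * HTML entity codec (backs the encodeForHTML family).
 *
 * Encoding: immune and alphanumeric characters pass through, control
 * characters are replaced, characters with a named entity become "&name;"
 * and everything else becomes "&#x" + hex + ";".
 * Decoding: recognises "&#NNN;", "&#xHHH;" and "&name;" (the semicolon is
 * optional, names are matched case-insensitively) and returns null for
 * anything else so the base Codec.decode copies the raw text through. Every
 * helper here returns a one-character string or null — the previous version
 * returned a Number from the numeric path, so "&#60;" decoded to "60" instead
 * of "<" and "&#;" decoded to "NaN".
 */
esapi.codecs.HTMLEntityCodec = function() {
    var _super = new esapi.codecs.Codec();

    /**
     * Turn the digit run collected by parseNumber/parseHex into a character.
     *
     * @param digits the digits read after "&#" (may be empty)
     * @param radix  10 or 16
     * @return the character, or null when there were no digits or the value is
     *         outside the BMP (String.fromCharCode would silently truncate it)
     */
    var toCharacter = function(digits, radix) {
        if (digits === '') {
            return null;
        }
        var code = parseInt(digits, radix);
        if (code > 0xFFFF) {
            return null;
        }
        return String.fromCharCode(code);
    };

    /** Reads a decimal entity body ("&#" already consumed), eating the optional ';'. */
    var parseNumber = function(input) {
        var out = '';
        while (input.hasNext()) {
            var c = input.peek();
            if (c.match(/[0-9]/)) {
                out += c;
                input.next();
            } else {
                if (c == ';') {
                    input.next();
                }
                break;
            }
        }
        return toCharacter(out, 10);
    };

    /** Reads a hex entity body ("&#x" already consumed), eating the optional ';'. */
    var parseHex = function(input) {
        var out = '';
        while (input.hasNext()) {
            var c = input.peek();
            if (c.match(/[0-9A-Fa-f]/)) {
                out += c;
                input.next();
            } else {
                if (c == ';') {
                    input.next();
                }
                break;
            }
        }
        return toCharacter(out, 16);
    };

    /** Dispatches on the character after "&#": 'x'/'X' means hex, anything else decimal. */
    var getNumericEntity = function(input) {
        var first = input.peek();
        if (first == null) {
            return null;
        }

        if (first == 'x' || first == 'X') {
            input.next();
            return parseHex(input);
        }
        return parseNumber(input);
    };

    /**
     * Reads letters after "&" until they form a known entity name, then looks
     * the name up case-insensitively.
     *
     * @return the character, or null when the letters do not name an entity
     *         (the previous version returned "\u0000" in that case)
     */
    var getNamedEntity = function(input) {
        var entity = '';
        while (input.hasNext()) {
            var c = input.peek();
            if (c.match(/[A-Za-z]/)) {
                entity += c;
                input.next();
                if (utils.containsKey(entityToCharacterMap, '&' + entity)) {
                    // NOTE(review): peek(';') is assumed to test the upcoming character
                    // against ';' without consuming it — confirm against PushbackString
                    if (input.peek(';')) input.next();
                    break;
                }
            } else if (c == ';') {
                input.next();
            } else {
                break;
            }
        }

        // getCaseInsensitive is presumably supplied by ./utils; treat a missing
        // entry (null/undefined) as "not an entity" rather than a NUL character
        var code = entityToCharacterMap.getCaseInsensitive('&' + entity);
        if (code == null) {
            return null;
        }
        return String.fromCharCode(parseInt(code, 10));
    };

    return {
        encode: _super.encode,

        decode: _super.decode,

        /**
         * @param aImmune array of characters to leave unencoded
         * @param c       one-character string
         * @return c, a replacement for control characters, "&name;" when a
         *         named entity exists, otherwise "&#x" + hex + ";"
         */
        encodeCharacter: function(aImmune, c) {
            if (utils.contains(aImmune, c)) {
                return c;
            }

            var hex = esapi.codecs.Codec.getHexForNonAlphanumeric(c);
            if (hex == null) {
                return c;
            }

            var cc = c.charCodeAt(0);
            // C0/C1 control characters (except tab, LF, CR) and the space itself are
            // replaced rather than entity-encoded.
            // NOTE(review): the replacement literal renders as a blank in this copy;
            // confirm against the repository whether it is U+0020 or "&nbsp;".
            if ((cc <= 0x1f && c != '\t' && c != '\n' && c != '\r') || (cc >= 0x7f && cc <= 0x9f) || c == ' ') {
                return " ";
            }

            var entityName = characterToEntityMap[cc];
            if (entityName != null) {
                return entityName + ";";
            }

            // numeric hex entity; this copy showed the prefix as "" which would
            // have emitted bare hex digits into the HTML
            return "&#x" + hex + ";";
        },

        /**
         * Decode one entity starting at the current position.
         *
         * @param oPushbackString input positioned at the candidate '&'
         * @return the decoded character, or null (with the input reset to the
         *         mark) when no complete entity starts here
         */
        decodeCharacter: function(oPushbackString) {
            var input = oPushbackString;
            input.mark();

            var first = input.next();
            if (first == null || first != '&') {
                input.reset();
                return null;
            }

            var second = input.next();
            if (second == null) {
                input.reset();
                return null;
            }

            var decoded = null;
            if (second == '#') {
                decoded = getNumericEntity(input);
            } else if (second.match(/[A-Za-z]/)) {
                input.pushback(second);
                decoded = getNamedEntity(input);
            }

            if (decoded != null) {
                return decoded;
            }
            input.reset();
            return null;
        }
    };
};


esapi.codecs.JavascriptCodec = function() {
    var _super = new esapi.codecs.Codec();

    return {
        encode: function(aImmune, sInput) {
            var out = '';
            for (var idx = 0; idx < sInput.length; idx ++) {
                var ch = sInput.charAt(idx);
                if (utils.contains(aImmune, ch)) {
                    out += ch;
                }
                else {
                    var hex = esapi.codecs.Codec.getHexForNonAlphanumeric(ch);
                    if (hex == null) {
                        out += ch;
                    }
                    else {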
| var tmp = ch.charCodeAt(0).toString(16); 660 | if (ch.charCodeAt(0) < 256) { 661 | var pad = "00".substr(tmp.length); 662 | out += "\\x" + pad + tmp.toUpperCase(); 663 | } 664 | else { 665 | pad = "0000".substr(tmp.length); 666 | out += "\\u" + pad + tmp.toUpperCase(); 667 | } 668 | } 669 | } 670 | } 671 | return out; 672 | }, 673 | 674 | decode: _super.decode, 675 | 676 | decodeCharacter: function(oPushbackString) { 677 | oPushbackString.mark(); 678 | var first = oPushbackString.next(); 679 | if (first == null) { 680 | oPushbackString.reset(); 681 | return null; 682 | } 683 | 684 | if (first != '\\') { 685 | oPushbackString.reset(); 686 | return null; 687 | } 688 | 689 | var second = oPushbackString.next(); 690 | if (second == null) { 691 | oPushbackString.reset(); 692 | return null; 693 | } 694 | 695 | // \0 collides with the octal decoder and is non-standard 696 | // if ( second.charValue() == '0' ) { 697 | // return Character.valueOf( (char)0x00 ); 698 | if (second == 'b') { 699 | return 0x08; 700 | } else if (second == 't') { 701 | return 0x09; 702 | } else if (second == 'n') { 703 | return 0x0a; 704 | } else if (second == 'v') { 705 | return 0x0b; 706 | } else if (second == 'f') { 707 | return 0x0c; 708 | } else if (second == 'r') { 709 | return 0x0d; 710 | } else if (second == '\"') { 711 | return 0x22; 712 | } else if (second == '\'') { 713 | return 0x27; 714 | } else if (second == '\\') { 715 | return 0x5c; 716 | } else if (second.toLowerCase() == 'x') { 717 | out = ''; 718 | for (var i = 0; i < 2; i++) { 719 | var c = oPushbackString.nextHex(); 720 | if (c != null) { 721 | out += c; 722 | } else { 723 | input.reset(); 724 | return null; 725 | } 726 | } 727 | try { 728 | n = parseInt(out, 16); 729 | return String.fromCharCode(n); 730 | } catch (e) { 731 | oPushbackString.reset(); 732 | return null; 733 | } 734 | } else if (second.toLowerCase() == 'u') { 735 | out = ''; 736 | for (i = 0; i < 4; i++) { 737 | c = oPushbackString.nextHex(); 738 | if (c != 
null) { 739 | out += c; 740 | } else { 741 | input.reset(); 742 | return null; 743 | } 744 | } 745 | try { 746 | var n = parseInt(out, 16); 747 | return String.fromCharCode(n); 748 | } catch (e) { 749 | oPushbackString.reset(); 750 | return null; 751 | } 752 | } else if (oPushbackString.isOctalDigit(second)) { 753 | var out = second; 754 | var c2 = oPushbackString.next(); 755 | if (!oPushbackString.isOctalDigit(c2)) { 756 | oPushbackString.pushback(c2); 757 | } else { 758 | out += c2; 759 | var c3 = oPushbackString.next(); 760 | if (!oPushbackString.isOctalDigit(c3)) { 761 | oPushbackString.pushback(c3); 762 | } else { 763 | out += c3; 764 | } 765 | } 766 | 767 | try { 768 | n = parseInt(out, 8); 769 | return String.fromCharCode(n); 770 | } catch (e) { 771 | oPushbackString.reset(); 772 | return null; 773 | } 774 | } 775 | return second; 776 | } 777 | }; 778 | }; 779 | 780 | 781 | esapi.codecs.PercentCodec = function() { 782 | var _super = new esapi.codecs.Codec(); 783 | 784 | var ALPHA_NUMERIC_STR = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"; 785 | var RFC_NON_ALPHANUMERIC_UNRESERVED_STR = "-._~"; 786 | var ENCODED_NON_ALPHA_NUMERIC_UNRESERVED = true; 787 | var UNENCODED_STR = ALPHA_NUMERIC_STR + (ENCODED_NON_ALPHA_NUMERIC_UNRESERVED ? 
"" : RFC_NON_ALPHANUMERIC_UNRESERVED_STR); 788 | 789 | var getTwoUpperBytes = function(b) { 790 | var out = ''; 791 | if (b < -128 || b > 127) { 792 | throw new IllegalArgumentException("b is not a byte (was " + b + ")"); 793 | } 794 | b &= 0xFF; 795 | if (b < 0x10) { 796 | out += '0'; 797 | } 798 | return out + b.toString(16).toUpperCase(); 799 | }; 800 | 801 | return { 802 | encode: _super.encode, 803 | 804 | decode: _super.decode, 805 | 806 | encodeCharacter: function(aImmune, c) { 807 | if (UNENCODED_STR.indexOf(c) > -1) { 808 | return c; 809 | } 810 | 811 | var bytes = esapi.codecs.UTF8.encode(c); 812 | var out = ''; 813 | for (var b = 0; b < bytes.length; b++) { 814 | out += '%' + getTwoUpperBytes(bytes.charCodeAt(b)); 815 | } 816 | return out; 817 | }, 818 | 819 | decodeCharacter: function(oPushbackString) { 820 | oPushbackString.mark(); 821 | var first = oPushbackString.next(); 822 | if (first == null || first != '%') { 823 | oPushbackString.reset(); 824 | return null; 825 | } 826 | 827 | var out = ''; 828 | for (var i = 0; i < 2; i++) { 829 | var c = oPushbackString.nextHex(); 830 | if (c != null) { 831 | out += c; 832 | } 833 | } 834 | if (out.length == 2) { 835 | try { 836 | var n = parseInt(out, 16); 837 | return String.fromCharCode(n); 838 | } catch (e) { 839 | } 840 | } 841 | oPushbackString.reset(); 842 | return null; 843 | } 844 | }; 845 | }; 846 | 847 | esapi.codecs.PushbackString = function(sInput) { 848 | var _input = sInput, 849 | _pushback = '', 850 | _temp = '', 851 | _index = 0, 852 | _mark = 0; 853 | 854 | return { 855 | pushback: function(c) { 856 | _pushback = c; 857 | }, 858 | 859 | index: function() { 860 | return _index; 861 | }, 862 | 863 | hasNext: function() { 864 | if (_pushback != null) return true; 865 | return !(_input == null || _input.length == 0 || _index >= _input.length); 866 | 867 | }, 868 | 869 | next: function() { 870 | if (_pushback != null) { 871 | var save = _pushback; 872 | _pushback = null; 873 | return save; 874 | } 
875 | if (_input == null || _input.length == 0 || _index >= _input.length) { 876 | return null; 877 | } 878 | return _input.charAt(_index++); 879 | }, 880 | 881 | nextHex: function() { 882 | var c = this.next(); 883 | if (this.isHexDigit(c)) return c; 884 | return null; 885 | }, 886 | 887 | nextOctal: function() { 888 | var c = this.next(); 889 | if (this.isOctalDigit(c)) return c; 890 | return null; 891 | }, 892 | 893 | isHexDigit: function(c) { 894 | return c != null && ( ( c >= '0' && c <= '9' ) || ( c >= 'a' && c <= 'f' ) || ( c >= 'A' && c <= 'F' ) ); 895 | }, 896 | 897 | isOctalDigit: function(c) { 898 | return c != null && ( c >= '0' && c <= '7' ); 899 | }, 900 | 901 | peek: function(c) { 902 | if (!c) { 903 | if (_pushback != null) return _pushback; 904 | if (_input == null || _input.length == 0 || _index >= _input.length) return null; 905 | return _input.charAt(_index); 906 | } else { 907 | if (_pushback != null && _pushback == c) return true; 908 | if (_input == null || _input.length == 0 || _index >= _input.length) return false; 909 | return _input.charAt(_index) == c; 910 | } 911 | }, 912 | 913 | mark: function() { 914 | _temp = _pushback; 915 | _mark = _index; 916 | }, 917 | 918 | reset: function() { 919 | _pushback = _temp; 920 | _index = _mark; 921 | }, 922 | 923 | remainder: function() { 924 | var out = _input.substr(_index); 925 | if (_pushback != null) { 926 | out = _pushback + out; 927 | } 928 | return out; 929 | } 930 | }; 931 | }; 932 | 933 | esapi.codecs.UTF8 = { 934 | encode: function(sInput) { 935 | var input = sInput.replace(/\r\n/g, "\n"); 936 | var utftext = ''; 937 | 938 | for (var n = 0; n < input.length; n ++) { 939 | var c = input.charCodeAt(n); 940 | 941 | if (c < 128) { 942 | utftext += String.fromCharCode(c); 943 | } 944 | else if (( c > 127) && (c < 2048)) { 945 | utftext += String.fromCharCode((c >> 6) | 192); 946 | utftext += String.fromCharCode((c & 63) | 128); 947 | } 948 | else { 949 | utftext += String.fromCharCode((c >> 12) 
| 224); 950 | utftext += String.fromCharCode(((c >> 6) & 63) | 128); 951 | utftext += String.fromCharCode((c & 63) | 128); 952 | } 953 | } 954 | 955 | return utftext; 956 | } 957 | , 958 | 959 | decode: function(sInput) { 960 | var out = ''; 961 | var i, c, c1, c2, c3, string; 962 | i = c = c1 = c2 = 0; 963 | 964 | while (i < sInput.length) { 965 | c = sInput.charCodeAt(i); 966 | 967 | if (c < 128) { 968 | out += String.fromCharCode(c); 969 | i ++; 970 | } 971 | else if ((c > 191) && (c < 224)) { 972 | c2 = sInput.charCodeAt(i + 1); 973 | out += String.fromCharCode(((c & 31) << 6) | (c2 & 63)); 974 | i += 2; 975 | } 976 | else { 977 | c2 = utftext.charCodeAt(i + 1); 978 | c3 = utftext.charCodeAt(i + 2); 979 | string += String.fromCharCode(((c & 15) << 12) | ((c2 & 63) << 6) | (c3 & 63)); 980 | i += 3; 981 | } 982 | } 983 | 984 | return out; 985 | } 986 | }; 987 | 988 | 989 | 990 | esapi.DefaultEncoder = function(aCodecs) { 991 | var _codecs = [], 992 | _htmlCodec = new esapi.codecs.HTMLEntityCodec(), 993 | _javascriptCodec = new esapi.codecs.JavascriptCodec(), 994 | _cssCodec = new esapi.codecs.CSSCodec(), 995 | _percentCodec = new esapi.codecs.PercentCodec(); 996 | 997 | if (!aCodecs) { 998 | _codecs.push(_htmlCodec); 999 | _codecs.push(_javascriptCodec); 1000 | _codecs.push(_cssCodec); 1001 | _codecs.push(_percentCodec); 1002 | } else { 1003 | _codecs = aCodecs; 1004 | } 1005 | 1006 | var IMMUNE_HTML = new Array(',', '.', '-', '_', ' '); 1007 | var IMMUNE_HTMLATTR = new Array(',', '.', '-', '_'); 1008 | var IMMUNE_CSS = new Array(); 1009 | var IMMUNE_JAVASCRIPT = new Array(',', '.', '_'); 1010 | 1011 | return { 1012 | cananicalize: function(sInput, bStrict) { 1013 | if (!sInput) { 1014 | return null; 1015 | } 1016 | var working = sInput, codecFound = null, mixedCount = 1, foundCount = 0, clean = false; 1017 | while (!clean) { 1018 | clean = true; 1019 | 1020 | _codecs.each(function(codec) { 1021 | var old = working; 1022 | working = codec.decode(working); 1023 | 
1024 | if (old != working) { 1025 | if (codecFound != null && codecFound != codec) { 1026 | mixedCount ++; 1027 | } 1028 | codecFound = codec; 1029 | if (clean) { 1030 | foundCount ++; 1031 | } 1032 | clean = false; 1033 | } 1034 | }); 1035 | } 1036 | 1037 | if (foundCount >= 2 && mixedCount > 1) { 1038 | if (bStrict) { 1039 | throw new esapi.IntrusionException("Input validation failure", "Multiple (" + foundCount + "x) and mixed encoding (" + mixedCount + "x) detected in " + sInput); 1040 | } 1041 | } 1042 | else if (foundCount >= 2) { 1043 | if (bStrict) { 1044 | throw new esapi.IntrusionException("Input validation failure", "Multiple (" + foundCount + "x) encoding detected in " + sInput); 1045 | } 1046 | } 1047 | else if (mixedCount > 1) { 1048 | if (bStrict) { 1049 | throw new esapi.IntrusionException("Input validation failure", "Mixed (" + mixedCount + "x) encoding detected in " + sInput); 1050 | } 1051 | } 1052 | return working; 1053 | }, 1054 | 1055 | normalize: function(sInput) { 1056 | return sInput.replace(/[^\x00-\x7F]/g, ''); 1057 | }, 1058 | 1059 | encodeForHTML: function(sInput) { 1060 | return !sInput ? null : _htmlCodec.encode(IMMUNE_HTML, sInput); 1061 | }, 1062 | 1063 | decodeForHTML: function(sInput) { 1064 | return !sInput ? null : _htmlCodec.decode(sInput); 1065 | }, 1066 | 1067 | encodeForHTMLAttribute: function(sInput) { 1068 | return !sInput ? null : _htmlCodec.encode(IMMUNE_HTMLATTR, sInput); 1069 | }, 1070 | 1071 | encodeForCSS: function(sInput) { 1072 | return !sInput ? null : _cssCodec.encode(IMMUNE_CSS, sInput); 1073 | }, 1074 | 1075 | encodeForJavaScript: function(sInput) { 1076 | return !sInput ? null : _javascriptCodec.encode(IMMUNE_JAVASCRIPT, sInput); 1077 | }, 1078 | 1079 | encodeForJavascript: this.encodeForJavaScript, 1080 | 1081 | encodeForJS: this.encodeForJavascript, 1082 | 1083 | encodeForURL: function(sInput) { 1084 | return !sInput ? 
null : escape(sInput); 1085 | }, 1086 | 1087 | decodeFromURL: function(sInput) { 1088 | return !sInput ? null : unescape(sInput); 1089 | }, 1090 | 1091 | encodeForBase64: function(sInput) { 1092 | return !sInput ? null : esapi.codecs.Base64.encode(sInput); 1093 | }, 1094 | 1095 | decodeFromBase64: function(sInput) { 1096 | return !sInput ? null : esapi.codecs.Base64.decode(sInput); 1097 | } 1098 | }; 1099 | }; 1100 | 1101 | module.exports = { 1102 | encoder: function () { 1103 | return esapi.DefaultEncoder(); 1104 | }, 1105 | middleware: function () { 1106 | return utils.middleware; 1107 | } 1108 | }; -------------------------------------------------------------------------------- /lib/public/esapi-compressed.js: -------------------------------------------------------------------------------- 1 | var $namespace=function(b,d,a){b=b.split(d||".");a=a||window;var e;d=0;for(e=b.length;d