node-esapi
Version:
OSWASP ESAPI4JS encoders port to node module
1,150 lines (1,013 loc) • 109 kB
JavaScript
/*
* OWASP Enterprise Security API (ESAPI)
*
* This file is part of the Open Web Application Security Project (OWASP)
* Enterprise Security API (ESAPI) project. For details, please see
* <a href="http://www.owasp.org/index.php/ESAPI">http://www.owasp.org/index.php/ESAPI</a>.
*
* Copyright (c) 2008 - The OWASP Foundation
*
* The ESAPI is published by OWASP under the BSD license. You should read and accept the
* LICENSE before you use, modify, and/or redistribute this software.
*/
// Utility and Core API Methods
var $namespace = function(name, separator, container){
var ns = name.split(separator || '.'),
o = container || window,
i,
len;
for(i = 0, len = ns.length; i < len; i++){
o = o[ns[i]] = o[ns[i]] || {};
}
return o;
};
var $type = function( oVar, oType ) {
if ( !oVar instanceof oType ) {
throw new SyntaxError();
}
};
if (!$) {
var $ = function( sElementID ) {
return document.getElementById( sElementID );
};
}
if (!Array.prototype.each) {
Array.prototype.each = function(fIterator) {
if (typeof fIterator != 'function') {
throw 'Illegal Argument for Array.each';
}
for (var i = 0; i < this.length; i ++) {
fIterator(this[i]);
}
};
}
if (!Array.prototype.contains) {
Array.prototype.contains = function(srch) {
var found = false;
this.each(function(e) {
if ( ( srch.equals && srch.equals(e) ) || e == srch) {
found = true;
return;
}
});
return found;
};
}
if (!Array.prototype.containsKey) {
Array.prototype.containsKey = function(srch) {
for ( var key in this ) {
if ( key.toLowerCase() == srch.toLowerCase() ) {
return true;
}
}
return false;
};
}
if (!Array.prototype.getCaseInsensitive) {
Array.prototype.getCaseInsensitive = function(key) {
for (var k in this) {
if (k.toLowerCase() == key.toLowerCase()) {
return this[k];
}
}
return null;
};
}
if (!String.prototype.charCodeAt) {
String.prototype.charCodeAt = function( idx ) {
var c = this.charAt(idx);
for ( var i=0;i<65536;i++) {
var s = String.fromCharCode(i);
if ( s == c ) { return i; }
}
return 0;
};
}
if (!String.prototype.endsWith) {
String.prototype.endsWith = function( test ) {
return this.substr( ( this.length - test.length ), test.length ) == test;
};
}
// Declare Core Exceptions
if ( !Exception ) {
var Exception = function( sMsg, oException ) {
this.cause = oException;
this.errorMessage = sMsg;
};
Exception.prototype = Error.prototype;
Exception.prototype.getCause = function() { return this.cause; };
Exception.prototype.getMessage = function() { return this.message; };
/**
* This method creates the stacktrace for the Exception only when it is called the first time and
* caches it for access after that. Since building a stacktrace is a fairly expensive process, we
* only want to do it if it is called.
*/
Exception.prototype.getStackTrace = function() {
if ( this.callstack ) {
return this.callstack;
}
if ( this.stack ) { // Mozilla
var lines = stack.split("\n");
for ( var i=0, len=lines.length; i<len; i ++ ) {
if ( lines[i].match( /^\s*[A-Za-z0-9\=+\$]+\(/ ) ) {
this.callstack.push(lines[i]);
}
}
this.callstack.shift();
return this.callstack;
}
else if ( window.opera && this.message ) { // Opera
var lines = this.message.split('\n');
for ( var i=0, len=lines.length; i<len; i++ ) {
if ( lines[i].match( /^\s*[A-Za-z0-9\=+\$]+\(/ ) ) {
var entry = lines[i];
if ( lines[i+1] ) {
entry += " at " + lines[i+1];
i++;
}
this.callstack.push(entry);
}
}
this.callstack.shift();
return this.callstack;
}
else { // IE and Safari
var currentFunction = arguments.callee.caller;
while ( currentFunction ) {
var fn = currentFunction.toString();
var fname = fn.substring(fn.indexOf("function")+8,fn.indexOf("(")) || "anonymous";
this.callstack.push(fname);
currentFunction = currentFunction.caller;
}
return this.callstack;
}
};
Exception.prototype.printStackTrace = function( writer ) {
var out = this.getMessage() + "|||" + this.getStackTrace().join( "|||" );
if ( this.cause ) {
if ( this.cause.printStackTrace ) {
out += "||||||Caused by " + this.cause.printStackTrace().replace( "\n", "|||" );
}
}
if ( !writer ) {
return writer.replace( "|||", "\n" );
} else if ( writer.value ) {
writer.value = out.replace( "|||", "\n" );
} else if ( writer.writeln ) {
writer.writeln( out.replace( "|||", "\n" ) );
} else if ( writer.innerHTML ) {
writer.innerHTML = out.replace( "|||", "<br/>" );
} else if ( writer.innerText ) {
writer.innerText = out.replace( "|||", "<br/>" );
} else if ( writer.append ) {
writer.append( out.replace( "|||", "\n" ) );
} else if ( writer instanceof Function ) {
writer(out.replace( "|||", "\n" ) );
}
};
}
if ( !RuntimeException ) {
var RuntimeException = Exception;
}
if ( !IllegalArgumentException ) {
var IllegalArgumentException = Exception;
}
if ( !DateFormat ) {
// Based on http://jacwright.com/projects/javascript/date_format
var DateFormat = function( sFmt ) {
var fmt = sFmt;
var replaceChars = {
longMonths: [ "January", "February", "March", "April", "May", "June", "July", "August", "September", "October", "November", "December" ],
shortMonths: [ "Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec" ],
longDays: [ "Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday" ],
shortDays: [ "Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat" ],
// Day
d: function(date) { return (date.getDate() < 10 ? '0' : '') + date.getDate(); },
D: function(date) { return replaceChars.shortDays[date.getDay()]; },
j: function(date) { return date.getDate(); },
l: function(date) { return replaceChars.longDays[date.getDay()]; },
N: function(date) { return date.getDay() + 1; },
S: function(date) { return (date.getDate() % 10 == 1 && date.getDate() != 11 ? 'st' : (date.getDate() % 10 == 2 && date.getDate() != 12 ? 'nd' : (date.getDate() % 10 == 3 && date.getDate() != 13 ? 'rd' : 'th'))); },
w: function(date) { return date.getDay(); },
z: function(date) { return "Not Yet Supported"; },
// Week
W: function(date) { return "Not Yet Supported"; },
// Month
F: function(date) { return replaceChars.longMonths[date.getMonth()]; },
m: function(date) { return (date.getMonth() < 9 ? '0' : '') + (date.getMonth() + 1); },
M: function(date) { return replaceChars.shortMonths[date.getMonth()]; },
n: function(date) { return date.getMonth() + 1; },
t: function(date) { return "Not Yet Supported"; },
// Year
L: function(date) { return (((date.getFullYear()%4==0)&&(date.getFullYear()%100 != 0)) || (date.getFullYear()%400==0)) ? '1' : '0'; },
o: function(date) { return "Not Supported"; },
Y: function(date) { return date.getFullYear(); },
y: function(date) { return ('' + date.getFullYear()).substr(2); },
// Time
a: function(date) { return date.getHours() < 12 ? 'am' : 'pm'; },
A: function(date) { return date.getHours() < 12 ? 'AM' : 'PM'; },
B: function(date) { return "Not Yet Supported"; },
g: function(date) { return date.getHours() % 12 || 12; },
G: function(date) { return date.getHours(); },
h: function(date) { return ((date.getHours() % 12 || 12) < 10 ? '0' : '') + (date.getHours() % 12 || 12); },
H: function(date) { return (date.getHours() < 10 ? '0' : '') + date.getHours(); },
i: function(date) { return (date.getMinutes() < 10 ? '0' : '') + date.getMinutes(); },
s: function(date) { return (date.getSeconds() < 10 ? '0' : '') + date.getSeconds(); },
// Timezone
e: function(date) { return "Not Yet Supported"; },
I: function(date) { return "Not Supported"; },
O: function(date) { return (-date.getTimezoneOffset() < 0 ? '-' : '+') + (Math.abs(date.getTimezoneOffset() / 60) < 10 ? '0' : '') + (Math.abs(date.getTimezoneOffset() / 60)) + '00'; },
P: function(date) { return (-date.getTimezoneOffset() < 0 ? '-' : '+') + (Math.abs(date.getTimezoneOffset() / 60) < 10 ? '0' : '') + (Math.abs(date.getTimezoneOffset() / 60)) + ':' + (Math.abs(date.getTimezoneOffset() % 60) < 10 ? '0' : '') + (Math.abs(date.getTimezoneOffset() % 60)); },
T: function(date) { var m = date.getMonth(); date.setMonth(0); var result = date.toTimeString().replace(/^.+ \(?([^\)]+)\)?$/, '$1'); date.setMonth(m); return result;},
Z: function(date) { return -date.getTimezoneOffset() * 60; },
// Full Date/Time
c: function(date) { return date.format("Y-m-d") + "T" + date.format("H:i:sP"); },
r: function(date) { return date.toString(); },
U: function(date) { return date.getTime() / 1000; }
};
return {
format: function(oDate) {
var out = '';
for(var i=0;i<fmt.length;i++) {
var c = fmt.charAt(i);
if ( replaceChars[c] ) {
out += replaceChars[c].call(oDate);
} else {
out += c;
}
}
return out;
}
};
};
DateFormat.getDateInstance = function() {
return new DateFormat("M/d/y h:i a");
};
}
$namespace('org.owasp.esapi');
org.owasp.esapi.ESAPI = function( oProperties ) {
var _properties = oProperties;
if ( !_properties ) throw new RuntimeException("Configuration Error - Unable to load $ESAPI_Properties Object");
var _encoder = null;
var _validator = null;
var _logFactory = null;
var _resourceBundle = null;
var _httputilities = null;
return {
properties: _properties,
encoder: function() {
if (!_encoder) {
if (!_properties.encoder.Implementation) throw new RuntimeException('Configuration Error - $ESAPI.properties.encoder.Implementation object not found.');
_encoder = new _properties.encoder.Implementation();
}
return _encoder;
},
logFactory: function() {
if ( !_logFactory ) {
if (!_properties.logging.Implementation) throw new RuntimeException('Configuration Error - $ESAPI.properties.logging.Implementation object not found.');
_logFactory = new _properties.logging.Implementation();
}
return _logFactory;
},
logger: function(sModuleName) {
return this.logFactory().getLogger(sModuleName);
},
locale: function() {
return org.owasp.esapi.i18n.Locale.getLocale( _properties.localization.DefaultLocale );
},
resourceBundle: function() {
if (!_resourceBundle) {
if(!_properties.localization.StandardResourceBundle) throw new RuntimeException("Configuration Error - $ESAPI.properties.localization.StandardResourceBundle not found.");
_resourceBundle = new org.owasp.esapi.i18n.ObjectResourceBundle( _properties.localization.StandardResourceBundle );
}
return _resourceBundle;
},
validator: function() {
if (!_validator) {
if (!_properties.validation.Implementation) throw new RuntimeException('Configuration Error - $ESAPI.properties.validation.Implementation object not found.');
_validator = new _properties.validation.Implementation();
}
return _validator;
},
httpUtilities: function() {
if (!_httputilities) _httputilities = new org.owasp.esapi.HTTPUtilities();
return _httputilities;
}
};
};
var $ESAPI = null;
org.owasp.esapi.ESAPI.initialize = function() {
$ESAPI = new org.owasp.esapi.ESAPI( Base.esapi.properties );
};
$namespace('org.owasp.esapi');
org.owasp.esapi.Encoder = function() {
}
$namespace('org.owasp.esapi');
org.owasp.esapi.EncoderConstants = {
CHAR_LOWERS: [ 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z' ],
CHAR_UPPERS: [ 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z' ],
CHAR_DIGITS: [ '0', '1', '2', '3', '4', '5', '6', '7', '8', '9' ],
CHAR_SPECIALS: [ '!', '$', '*', '+', '-', '.', '=', '?', '@', '^', '_', '|', '~' ],
CHAR_LETTERS: [ 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z' ],
CHAR_ALNUM: [ 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', '0', '1', '2', '3', '4', '5', '6', '7', '8', '9' ]
};
$namespace('org.owasp.esapi');
org.owasp.esapi.EnterpriseSecurityException = function(sUserMessage, sLogMessage, oException) {
var _logMessage = sLogMessage;
var _super = new Exception(sUserMessage, oException);
return {
getMessage: _super.getMessage,
getUserMessage: _super.getMessage,
getLogMessage: function() {
return _logMessage;
},
getStackTrace: _super.getStackTrace,
printStackTrace: _super.printStackTrace
};
};
$namespace('org.owasp.esapi');
org.owasp.esapi.HTTPUtilities = function() {
var log = $ESAPI.logger("HTTPUtilities");
var resourceBundle = $ESAPI.resourceBundle();
var EventType = org.owasp.esapi.Logger.EventType;
return {
addCookie: function( oCookie ) {
$type(oCookie,org.owasp.esapi.net.Cookie);
if ( window.top.location.protocol != 'http:' || window.top.location.protocol != 'https:' )
throw new RuntimeException(resourceBundle.getString( "HTTPUtilities.Cookie.Protocol", {"protocol":window.top.location.protocol}));
var name = oCookie.getName(),
value = oCookie.getValue(),
maxAge = oCookie.getMaxAge(),
domain = oCookie.getDomain(),
path = oCookie.getPath(),
secure = oCookie.getSecure();
var validationErrors = new org.owasp.esapi.ValidationErrorList();
var cookieName = $ESAPI.validator().getValidInput("cookie name", name, "HttpCookieName", 50, false, validationErrors );
var cookieValue = $ESAPI.validator().getValidInput("cookie value", value, "HttpCookieValue", 5000, false, validationErrors );
if (validationErrors.size() == 0) {
var header = name+'='+escape(value);
header += maxAge?";expires=" + ( new Date( ( new Date() ).getTime() + ( 1000 * maxAge ) ).toGMTString() ) : "";
header += path?";path="+path:"";
header += domain?";domain="+domain:"";
header += secure||$ESAPI.properties.httputilities.cookies.ForceSecure?";secure":"";
document.cookie=header;
}
else
{
log.warning(EventType.SECURITY_FAILURE, resourceBundle.getString("HTTPUtilities.Cookie.UnsafeData", { 'name':name, 'value':value } ) );
}
},
/**
* Returns a {@link org.owasp.esapi.net.Cookie} containing the name and value of the requested cookie.
*
* IMPORTANT: The value of the cookie is not sanitized at this level. It is the responsibility of the calling
* code to sanitize the value for proper output encoding prior to using it.
*
* @param sName {String} The name of the cookie to retrieve
* @return {org.owasp.esapi.net.Cookie}
*/
getCookie: function(sName) {
var cookieJar = document.cookie.split("; ");
for(var i=0,len=cookieJar.length;i<len;i++) {
var cookie = cookieJar[i].split("=");
if (cookie[0] == escape(sName)) {
return new org.owasp.esapi.net.Cookie( sName, cookie[1]?unescape(cookie[1]):'' );
}
}
return null;
},
/**
* Will attempt to kill any cookies associated with the current request (domain,path,secure). If a cookie cannot
* be deleted, a RuntimeException will be thrown.
*
* @throws RuntimeException if one of the cookies cannot be deleted.
*/
killAllCookies: function() {
var cookieJar = document.cookie.split("; ");
for(var i=0,len=cookieJar.length;i<len;i++) {
var cookie = cookieJar[i].split("=");
var name = unescape(cookie[0]);
// RuntimeException will bubble through if the cookie cannot be deleted
if (!this.killCookie(name)) {
// Something is wrong - cookieJar contains a cookie that is inaccesible using getCookie
throw new RuntimeException(resourceBundle.getString("HTTPUtilities.Cookie.CantKill", {"name":name}));
}
}
},
/**
* Will kill a single cookie. If that cookie cannot be deleted a RuntimeException will be thrown
* @param sName {String} The name of the cookie
*/
killCookie: function(sName) {
var c = this.getCookie(sName);
if ( c ) {
c.setMaxAge( -10 );
this.addCookie(c);
if (this.getCookie(sName)) {
throw new RuntimeException(resourceBundle.getString("HTTPUtilities.Cookie.CantKill", {"name":sName}));
}
return true;
}
return false;
},
/**
* This only works for GET parameters and is meerly a convenience method for accessing that information if need be
* @param sName {String} The name of the parameter to retrieve
*/
getRequestParameter: function( sName ) {
var url = window.top.location.search.substring(1);
var pIndex = url.indexOf(sName);
if (pIndex<0) return null;
pIndex=pIndex+sName.length;
var lastIndex=url.indexOf("&",pIndex);
if (lastIndex<0) lastIndex=url.length;
return unescape(url.substring(pIndex,lastIndex));
}
};
};
$namespace('org.owasp.esapi');
org.owasp.esapi.IntrusionException = function(sUserMessage, sLogMessage, oCause) {
var _super = new org.owasp.esapi.EnterpriseSecurityException(sUserMessage, sLogMessage, oCause);
return {
getMessage: _super.getMessage,
getUserMessage: _super.getMessage,
getLogMessage: _super.getLogMessage,
getStackTrace: _super.getStackTrace,
printStackTrace: _super.printStackTrace
};
};
$namespace('org.owasp.esapi');
org.owasp.esapi.LogFactory = function() {
return {
getLogger: false
};
}
$namespace('org.owasp.esapi');
org.owasp.esapi.Logger = function() {
return {
setLevel: false,
fatal: false,
error: false,
isErrorEnabled: false,
warning: false,
isWarningEnabled: false,
info: false,
isInfoEnabled: false,
debug: false,
isDebugEnabled: false,
trace: false,
isTraceEnabled: false
};
};
org.owasp.esapi.Logger.EventType = function( sName, bNewSuccess ) {
var type = sName;
var success = bNewSuccess;
return {
isSuccess: function() {
return success;
},
toString: function() {
return type;
}
};
};
with(org.owasp.esapi.Logger) {
EventType.SECURITY_SUCCESS = new EventType( "SECURITY SUCCESS", true );
EventType.SECURITY_FAILURE = new EventType( "SECURITY FAILURE", false );
EventType.EVENT_SUCCESS = new EventType( "EVENT SUCCESS", true );
EventType.EVENT_FAILURE = new EventType( "EVENT FAILURE", false );
OFF = Number.MAX_VALUE;
FATAL = 1000;
ERROR = 800;
WARNING = 600;
INFO = 400;
DEBUG = 200;
TRACE = 100;
ALL = Number.MIN_VALUE;
}
$namespace('org.owasp.esapi');
org.owasp.esapi.PreparedString = function(sTemplate, oCodec, sParameterCharacter) {
// Private Scope
var parts = [];
var parameters = [];
function split(s) {
var idx = 0, pcount = 0;
for (var i = 0; i < s.length; i ++) {
if (s.charAt(i) == sParameterCharacter) {
pcount ++;
parts.push(s.substr(idx, i));
idx = i + 1;
}
}
parts.push(s.substr(idx));
parameters = new Array(pcount);
}
;
if (!sParameterCharacter) {
sParameterCharacter = '?';
}
split(sTemplate);
return {
set: function(iIndex, sValue, codec) {
if (iIndex < 1 || iIndex > parameters.length) {
throw new IllegalArgumentException("Attempt to set parameter: " + iIndex + " on a PreparedString with only " + parameters.length + " placeholders");
}
if (!codec) {
codec = oCodec;
}
parameters[iIndex - 1] = codec.encode([], sValue);
},
toString: function() {
for (var ix = 0; ix < parameters.length; ix ++) {
if (parameters[ix] == null) {
throw new RuntimeException("Attempt to render PreparedString without setting parameter " + (ix + 1));
}
}
var out = '', i = 0;
for (var p = 0; p < parts.length; p ++) {
out += parts[p];
if (i < parameters.length) {
out += parameters[i++];
}
}
return out;
}
};
};
$namespace('org.owasp.esapi');
org.owasp.esapi.ValidationErrorList = function() {
var errorList = Array();
return {
addError: function( sContext, oValidationException ) {
if ( sContext == null ) throw new RuntimeException( "Context cannot be null: " + oValidationException.getLogMessage(), oValidationException );
if ( oValidationException == null ) throw new RuntimeException( "Context (" + sContext + ") - Error cannot be null" );
if ( errorList[sContext] ) throw new RuntimeException( "Context (" + sContext + ") already exists. must be unique." );
errorList[sContext] = oValidationException;
},
errors: function() {
return errorList;
},
isEmpty: function() {
return errorList.length == 0;
},
size: function() {
return errorList.length;
}
};
};
$namespace('org.owasp.esapi');
org.owasp.esapi.ValidationRule = function() {
return {
getValid: false,
setAllowNull: false,
getTypeName: false,
setTypeName: false,
setEncoder: false,
assertValid: false,
getSafe: false,
isValid: false,
whitelist: false
};
};
$namespace('org.owasp.esapi');
org.owasp.esapi.Validator = function() {
return {
addRule: false,
getRule: false,
getValidInput: false,
isValidDate: false,
getValidDate: false,
isValidSafeHTML: false,
getValidSafeHTML: false,
isValidCreditCard: false,
getValidCreditCard: false,
isValidFilename: false,
getValidFilename: false,
isValidNumber: false,
getValidNumber: false,
isValidPrintable: false,
getValidPrintable: false
};
};
$namespace('org.owasp.esapi.codecs.Base64');
org.owasp.esapi.codecs.Base64 = {
_keyStr : "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=",
encode: function(sInput) {
if (!sInput) {
return null;
}
var out = '';
var ch1,ch2,ch3,enc1,enc2,enc3,enc4;
var i = 0;
var input = org.owasp.esapi.codecs.UTF8.encode(sInput);
while (i < input.length) {
ch1 = input.charCodeAt(i++);
ch2 = input.charCodeAt(i++);
ch3 = input.charCodeAt(i++);
enc1 = ch1 >> 2;
enc2 = ((ch1 & 3) << 4) | (ch2 >> 4);
enc3 = ((ch2 & 15) << 2) | (ch3 >> 6);
enc4 = ch3 & 63;
if (isNaN(ch2)) {
enc3 = enc4 = 64;
}
else if (isNaN(ch3)) {
enc4 = 64;
}
out += this._keyStr.charAt(enc1) + this._keyStr.charAt(enc2) + this._keyStr.charAt(enc3) + this._keyStr.charAt(enc4);
}
return out;
},
decode: function(sInput) {
if (!sInput) {
return null;
}
var out = '';
var ch1, ch2, ch3, enc1, enc2, enc3, enc4;
var i = 0;
var input = sInput.replace(/[^A-Za-z0-9\+\/\=]/g, "");
while (i < input.length) {
enc1 = this._keyStr.indexOf(input.charAt(i++));
enc2 = this._keyStr.indexOf(input.charAt(i++));
enc3 = this._keyStr.indexOf(input.charAt(i++));
enc4 = this._keyStr.indexOf(input.charAt(i++));
ch1 = (enc1 << 2) | (enc2 >> 4);
ch2 = ((enc2 & 15) << 4) | (enc3 >> 2);
ch3 = ((enc3 & 3) << 6) | enc4;
out += String.fromCharCode(ch1);
if (enc3 != 64) {
out += String.fromCharCode(ch2);
}
if (enc4 != 64) {
out += String.fromCharCode(ch3);
}
}
out = org.owasp.esapi.codecs.UTF8.decode(out);
return out;
}
};
$namespace('org.owasp.esapi.codecs');
org.owasp.esapi.codecs.CSSCodec = function() {
var _super = new org.owasp.esapi.codecs.Codec();
return {
encode: _super.encode,
decode: _super.decode,
encodeCharacter: function(aImmune, c) {
if (aImmune.contains(c)) {
return c;
}
var hex = org.owasp.esapi.codecs.Codec.getHexForNonAlphanumeric(c);
if (hex == null) {
return c;
}
return "\\" + hex + " ";
},
decodeCharacter: function(oPushbackString) {
oPushbackString.mark();
var first = oPushbackString.next();
if (first == null) {
oPushbackString.reset();
return null;
}
if (first != '\\') {
oPushbackString.reset();
return null;
}
var second = oPushbackString.next();
if (second == null) {
oPushbackString.reset();
return null;
}
if (oPushbackString.isHexDigit(second)) {
var out = second;
for (var i = 0; i < 6; i ++) {
var c = oPushbackString.next();
if (c == null || c.charCodeAt(0) == 0x20) {
break;
}
if (oPushbackString.isHexDigit(c)) {
out += c;
} else {
input.pushback(c);
break;
}
}
try {
var n = parseInt(out, 16);
return String.fromCharCode(n);
} catch (e) {
oPushbackString.reset();
return null;
}
}
return second;
}
};
};
$namespace('org.owasp.esapi.codecs');
org.owasp.esapi.codecs.Codec = function() {
return {
/**
* Encode a String so that it can be safely used in a specific context.
*
* @param aImmune
* array of immune characters
* @param sInput
* the String to encode
* @return the encoded String
*/
encode: function(aImmune, sInput) {
var out = '';
for (var i = 0; i < sInput.length; i ++) {
var c = sInput.charAt(i);
out += this.encodeCharacter(aImmune, c);
}
return out;
},
/**
* Default implementation that should be overridden in specific codecs.
*
* @param aImmune
* array of immune characters
* @param c
* the Character to encode
* @return
* the encoded Character
*/
encodeCharacter: function(aImmune, c) {
return c;
},
/**
* Decode a String that was encoded using the encode method in this Class
*
* @param sInput
* the String to decode
* @return
* the decoded String
*/
decode: function(sInput) {
var out = '';
var pbs = new org.owasp.esapi.codecs.PushbackString(sInput);
while (pbs.hasNext()) {
var c = this.decodeCharacter(pbs);
if (c != null) {
out += c;
} else {
out += pbs.next();
}
}
return out;
},
/**
* Returns the decoded version of the next character from the input string and advances the
* current character in the PushbackString. If the current character is not encoded, this
* method MUST reset the PushbackString.
*
* @param oPushbackString the Character to decode
* @return the decoded Character
*/
decodeCharacter: function(oPushbackString) {
return oPushbackString.next();
}
};
};
org.owasp.esapi.codecs.Codec.getHexForNonAlphanumeric = function(c) {
if (c.charCodeAt(0) < 256) {
return org.owasp.esapi.codecs.Codec.hex[c.charCodeAt(0)];
}
return c.charCodeAt(0).toString(16);
};
org.owasp.esapi.codecs.Codec.hex = [];
for ( var c = 0; c < 0xFF; c ++ ) {
if ( c >= 0x30 && c <= 0x39 || c>= 0x41 && c <= 0x5A || c >= 0x61 && c <= 0x7A ) {
org.owasp.esapi.codecs.Codec.hex[c] = null;
} else {
org.owasp.esapi.codecs.Codec.hex[c] = c.toString(16);
}
};
var entityToCharacterMap = [];
entityToCharacterMap["""] = "34"; /* 34 : quotation mark */
entityToCharacterMap["&"] = "38"; /* 38 : ampersand */
entityToCharacterMap["<"] = "60"; /* 60 : less-than sign */
entityToCharacterMap[">"] = "62"; /* 62 : greater-than sign */
entityToCharacterMap[" "] = "160"; /* 160 : no-break space */
entityToCharacterMap["¡"] = "161"; /* 161 : inverted exclamation mark */
entityToCharacterMap["¢"] = "162"; /* 162 : cent sign */
entityToCharacterMap["£"] = "163"; /* 163 : pound sign */
entityToCharacterMap["¤"] = "164"; /* 164 : currency sign */
entityToCharacterMap["¥"] = "165"; /* 165 : yen sign */
entityToCharacterMap["¦"] = "166"; /* 166 : broken bar */
entityToCharacterMap["§"] = "167"; /* 167 : section sign */
entityToCharacterMap["¨"] = "168"; /* 168 : diaeresis */
entityToCharacterMap["©"] = "169"; /* 169 : copyright sign */
entityToCharacterMap["ª"] = "170"; /* 170 : feminine ordinal indicator */
entityToCharacterMap["«"] = "171"; /* 171 : left-pointing double angle quotation mark */
entityToCharacterMap["¬"] = "172"; /* 172 : not sign */
entityToCharacterMap["­"] = "173"; /* 173 : soft hyphen */
entityToCharacterMap["®"] = "174"; /* 174 : registered sign */
entityToCharacterMap["¯"] = "175"; /* 175 : macron */
entityToCharacterMap["°"] = "176"; /* 176 : degree sign */
entityToCharacterMap["±"] = "177"; /* 177 : plus-minus sign */
entityToCharacterMap["²"] = "178"; /* 178 : superscript two */
entityToCharacterMap["³"] = "179"; /* 179 : superscript three */
entityToCharacterMap["´"] = "180"; /* 180 : acute accent */
entityToCharacterMap["µ"] = "181"; /* 181 : micro sign */
entityToCharacterMap["¶"] = "182"; /* 182 : pilcrow sign */
entityToCharacterMap["·"] = "183"; /* 183 : middle dot */
entityToCharacterMap["¸"] = "184"; /* 184 : cedilla */
entityToCharacterMap["¹"] = "185"; /* 185 : superscript one */
entityToCharacterMap["º"] = "186"; /* 186 : masculine ordinal indicator */
entityToCharacterMap["»"] = "187"; /* 187 : right-pointing double angle quotation mark */
entityToCharacterMap["¼"] = "188"; /* 188 : vulgar fraction one quarter */
entityToCharacterMap["½"] = "189"; /* 189 : vulgar fraction one half */
entityToCharacterMap["¾"] = "190"; /* 190 : vulgar fraction three quarters */
entityToCharacterMap["¿"] = "191"; /* 191 : inverted question mark */
entityToCharacterMap["À"] = "192"; /* 192 : Latin capital letter a with grave */
entityToCharacterMap["Á"] = "193"; /* 193 : Latin capital letter a with acute */
entityToCharacterMap["Â"] = "194"; /* 194 : Latin capital letter a with circumflex */
entityToCharacterMap["Ã"] = "195"; /* 195 : Latin capital letter a with tilde */
entityToCharacterMap["Ä"] = "196"; /* 196 : Latin capital letter a with diaeresis */
entityToCharacterMap["Å"] = "197"; /* 197 : Latin capital letter a with ring above */
entityToCharacterMap["Æ"] = "198"; /* 198 : Latin capital letter ae */
entityToCharacterMap["Ç"] = "199"; /* 199 : Latin capital letter c with cedilla */
entityToCharacterMap["È"] = "200"; /* 200 : Latin capital letter e with grave */
entityToCharacterMap["É"] = "201"; /* 201 : Latin capital letter e with acute */
entityToCharacterMap["Ê"] = "202"; /* 202 : Latin capital letter e with circumflex */
entityToCharacterMap["Ë"] = "203"; /* 203 : Latin capital letter e with diaeresis */
entityToCharacterMap["Ì"] = "204"; /* 204 : Latin capital letter i with grave */
entityToCharacterMap["Í"] = "205"; /* 205 : Latin capital letter i with acute */
entityToCharacterMap["Î"] = "206"; /* 206 : Latin capital letter i with circumflex */
entityToCharacterMap["Ï"] = "207"; /* 207 : Latin capital letter i with diaeresis */
entityToCharacterMap["Ð"] = "208"; /* 208 : Latin capital letter eth */
entityToCharacterMap["Ñ"] = "209"; /* 209 : Latin capital letter n with tilde */
entityToCharacterMap["Ò"] = "210"; /* 210 : Latin capital letter o with grave */
entityToCharacterMap["Ó"] = "211"; /* 211 : Latin capital letter o with acute */
entityToCharacterMap["Ô"] = "212"; /* 212 : Latin capital letter o with circumflex */
entityToCharacterMap["Õ"] = "213"; /* 213 : Latin capital letter o with tilde */
entityToCharacterMap["Ö"] = "214"; /* 214 : Latin capital letter o with diaeresis */
entityToCharacterMap["×"] = "215"; /* 215 : multiplication sign */
entityToCharacterMap["Ø"] = "216"; /* 216 : Latin capital letter o with stroke */
entityToCharacterMap["Ù"] = "217"; /* 217 : Latin capital letter u with grave */
entityToCharacterMap["Ú"] = "218"; /* 218 : Latin capital letter u with acute */
entityToCharacterMap["Û"] = "219"; /* 219 : Latin capital letter u with circumflex */
entityToCharacterMap["Ü"] = "220"; /* 220 : Latin capital letter u with diaeresis */
entityToCharacterMap["Ý"] = "221"; /* 221 : Latin capital letter y with acute */
entityToCharacterMap["Þ"] = "222"; /* 222 : Latin capital letter thorn */
entityToCharacterMap["ß"] = "223"; /* 223 : Latin small letter sharp s, German Eszett */
entityToCharacterMap["à"] = "224"; /* 224 : Latin small letter a with grave */
entityToCharacterMap["á"] = "225"; /* 225 : Latin small letter a with acute */
entityToCharacterMap["â"] = "226"; /* 226 : Latin small letter a with circumflex */
entityToCharacterMap["ã"] = "227"; /* 227 : Latin small letter a with tilde */
entityToCharacterMap["ä"] = "228"; /* 228 : Latin small letter a with diaeresis */
entityToCharacterMap["å"] = "229"; /* 229 : Latin small letter a with ring above */
entityToCharacterMap["æ"] = "230"; /* 230 : Latin lowercase ligature ae */
entityToCharacterMap["ç"] = "231"; /* 231 : Latin small letter c with cedilla */
entityToCharacterMap["è"] = "232"; /* 232 : Latin small letter e with grave */
entityToCharacterMap["é"] = "233"; /* 233 : Latin small letter e with acute */
entityToCharacterMap["ê"] = "234"; /* 234 : Latin small letter e with circumflex */
entityToCharacterMap["ë"] = "235"; /* 235 : Latin small letter e with diaeresis */
entityToCharacterMap["ì"] = "236"; /* 236 : Latin small letter i with grave */
entityToCharacterMap["í"] = "237"; /* 237 : Latin small letter i with acute */
entityToCharacterMap["î"] = "238"; /* 238 : Latin small letter i with circumflex */
entityToCharacterMap["ï"] = "239"; /* 239 : Latin small letter i with diaeresis */
entityToCharacterMap["ð"] = "240"; /* 240 : Latin small letter eth */
entityToCharacterMap["ñ"] = "241"; /* 241 : Latin small letter n with tilde */
entityToCharacterMap["ò"] = "242"; /* 242 : Latin small letter o with grave */
entityToCharacterMap["ó"] = "243"; /* 243 : Latin small letter o with acute */
entityToCharacterMap["ô"] = "244"; /* 244 : Latin small letter o with circumflex */
entityToCharacterMap["õ"] = "245"; /* 245 : Latin small letter o with tilde */
entityToCharacterMap["ö"] = "246"; /* 246 : Latin small letter o with diaeresis */
entityToCharacterMap["÷"] = "247"; /* 247 : division sign */
entityToCharacterMap["ø"] = "248"; /* 248 : Latin small letter o with stroke */
entityToCharacterMap["ù"] = "249"; /* 249 : Latin small letter u with grave */
entityToCharacterMap["ú"] = "250"; /* 250 : Latin small letter u with acute */
entityToCharacterMap["û"] = "251"; /* 251 : Latin small letter u with circumflex */
entityToCharacterMap["ü"] = "252"; /* 252 : Latin small letter u with diaeresis */
entityToCharacterMap["ý"] = "253"; /* 253 : Latin small letter y with acute */
entityToCharacterMap["þ"] = "254"; /* 254 : Latin small letter thorn */
entityToCharacterMap["ÿ"] = "255"; /* 255 : Latin small letter y with diaeresis */
entityToCharacterMap["&OElig"] = "338"; /* 338 : Latin capital ligature oe */
entityToCharacterMap["&oelig"] = "339"; /* 339 : Latin small ligature oe */
entityToCharacterMap["&Scaron"] = "352"; /* 352 : Latin capital letter s with caron */
entityToCharacterMap["&scaron"] = "353"; /* 353 : Latin small letter s with caron */
entityToCharacterMap["&Yuml"] = "376"; /* 376 : Latin capital letter y with diaeresis */
entityToCharacterMap["&fnof"] = "402"; /* 402 : Latin small letter f with hook */
entityToCharacterMap["&circ"] = "710"; /* 710 : modifier letter circumflex accent */
entityToCharacterMap["&tilde"] = "732"; /* 732 : small tilde */
entityToCharacterMap["&Alpha"] = "913"; /* 913 : Greek capital letter alpha */
entityToCharacterMap["&Beta"] = "914"; /* 914 : Greek capital letter beta */
entityToCharacterMap["&Gamma"] = "915"; /* 915 : Greek capital letter gamma */
entityToCharacterMap["&Delta"] = "916"; /* 916 : Greek capital letter delta */
entityToCharacterMap["&Epsilon"] = "917"; /* 917 : Greek capital letter epsilon */
entityToCharacterMap["&Zeta"] = "918"; /* 918 : Greek capital letter zeta */
entityToCharacterMap["&Eta"] = "919"; /* 919 : Greek capital letter eta */
entityToCharacterMap["&Theta"] = "920"; /* 920 : Greek capital letter theta */
entityToCharacterMap["&Iota"] = "921"; /* 921 : Greek capital letter iota */
entityToCharacterMap["&Kappa"] = "922"; /* 922 : Greek capital letter kappa */
entityToCharacterMap["&Lambda"] = "923"; /* 923 : Greek capital letter lambda */
entityToCharacterMap["&Mu"] = "924"; /* 924 : Greek capital letter mu */
entityToCharacterMap["&Nu"] = "925"; /* 925 : Greek capital letter nu */
entityToCharacterMap["&Xi"] = "926"; /* 926 : Greek capital letter xi */
entityToCharacterMap["&Omicron"] = "927"; /* 927 : Greek capital letter omicron */
entityToCharacterMap["&Pi"] = "928"; /* 928 : Greek capital letter pi */
entityToCharacterMap["&Rho"] = "929"; /* 929 : Greek capital letter rho */
entityToCharacterMap["&Sigma"] = "931"; /* 931 : Greek capital letter sigma */
entityToCharacterMap["&Tau"] = "932"; /* 932 : Greek capital letter tau */
entityToCharacterMap["&Upsilon"] = "933"; /* 933 : Greek capital letter upsilon */
entityToCharacterMap["&Phi"] = "934"; /* 934 : Greek capital letter phi */
entityToCharacterMap["&Chi"] = "935"; /* 935 : Greek capital letter chi */
entityToCharacterMap["&Psi"] = "936"; /* 936 : Greek capital letter psi */
entityToCharacterMap["&Omega"] = "937"; /* 937 : Greek capital letter omega */
entityToCharacterMap["&alpha"] = "945"; /* 945 : Greek small letter alpha */
entityToCharacterMap["&beta"] = "946"; /* 946 : Greek small letter beta */
entityToCharacterMap["&gamma"] = "947"; /* 947 : Greek small letter gamma */
entityToCharacterMap["&delta"] = "948"; /* 948 : Greek small letter delta */
entityToCharacterMap["&epsilon"] = "949"; /* 949 : Greek small letter epsilon */
entityToCharacterMap["&zeta"] = "950"; /* 950 : Greek small letter zeta */
entityToCharacterMap["&eta"] = "951"; /* 951 : Greek small letter eta */
entityToCharacterMap["&theta"] = "952"; /* 952 : Greek small letter theta */
entityToCharacterMap["&iota"] = "953"; /* 953 : Greek small letter iota */
entityToCharacterMap["&kappa"] = "954"; /* 954 : Greek small letter kappa */
entityToCharacterMap["&lambda"] = "955"; /* 955 : Greek small letter lambda */
entityToCharacterMap["&mu"] = "956"; /* 956 : Greek small letter mu */
entityToCharacterMap["&nu"] = "957"; /* 957 : Greek small letter nu */
entityToCharacterMap["&xi"] = "958"; /* 958 : Greek small letter xi */
entityToCharacterMap["&omicron"] = "959"; /* 959 : Greek small letter omicron */
entityToCharacterMap["&pi"] = "960"; /* 960 : Greek small letter pi */
entityToCharacterMap["&rho"] = "961"; /* 961 : Greek small letter rho */
entityToCharacterMap["&sigmaf"] = "962"; /* 962 : Greek small letter final sigma */
entityToCharacterMap["&sigma"] = "963"; /* 963 : Greek small letter sigma */
entityToCharacterMap["&tau"] = "964"; /* 964 : Greek small letter tau */
entityToCharacterMap["&upsilon"] = "965"; /* 965 : Greek small letter upsilon */
entityToCharacterMap["&phi"] = "966"; /* 966 : Greek small letter phi */
entityToCharacterMap["&chi"] = "967"; /* 967 : Greek small letter chi */
entityToCharacterMap["&psi"] = "968"; /* 968 : Greek small letter psi */
entityToCharacterMap["&omega"] = "969"; /* 969 : Greek small letter omega */
entityToCharacterMap["&thetasym"] = "977"; /* 977 : Greek theta symbol */
entityToCharacterMap["&upsih"] = "978"; /* 978 : Greek upsilon with hook symbol */
entityToCharacterMap["&piv"] = "982"; /* 982 : Greek pi symbol */
entityToCharacterMap["&ensp"] = "8194"; /* 8194 : en space */
entityToCharacterMap["&emsp"] = "8195"; /* 8195 : em space */
entityToCharacterMap["&thinsp"] = "8201"; /* 8201 : thin space */
entityToCharacterMap["&zwnj"] = "8204"; /* 8204 : zero width non-joiner */
entityToCharacterMap["&zwj"] = "8205"; /* 8205 : zero width joiner */
entityToCharacterMap["&lrm"] = "8206"; /* 8206 : left-to-right mark */
entityToCharacterMap["&rlm"] = "8207"; /* 8207 : right-to-left mark */
entityToCharacterMap["&ndash"] = "8211"; /* 8211 : en dash */
entityToCharacterMap["&mdash"] = "8212"; /* 8212 : em dash */
entityToCharacterMap["&lsquo"] = "8216"; /* 8216 : left single quotation mark */
entityToCharacterMap["&rsquo"] = "8217"; /* 8217 : right single quotation mark */
entityToCharacterMap["&sbquo"] = "8218"; /* 8218 : single low-9 quotation mark */
entityToCharacterMap["&ldquo"] = "8220"; /* 8220 : left double quotation mark */
entityToCharacterMap["&rdquo"] = "8221"; /* 8221 : right double quotation mark */
entityToCharacterMap["&bdquo"] = "8222"; /* 8222 : double low-9 quotation mark */
entityToCharacterMap["&dagger"] = "8224"; /* 8224 : dagger */
entityToCharacterMap["&Dagger"] = "8225"; /* 8225 : double dagger */
entityToCharacterMap["&bull"] = "8226"; /* 8226 : bullet */
entityToCharacterMap["&hellip"] = "8230"; /* 8230 : horizontal ellipsis */
entityToCharacterMap["&permil"] = "8240"; /* 8240 : per mille sign */
entityToCharacterMap["&prime"] = "8242"; /* 8242 : prime */
entityToCharacterMap["&Prime"] = "8243"; /* 8243 : double prime */
entityToCharacterMap["&lsaquo"] = "8249"; /* 8249 : single left-pointing angle quotation mark */
entityToCharacterMap["&rsaquo"] = "8250"; /* 8250 : single right-pointing angle quotation mark */
entityToCharacterMap["&oline"] = "8254"; /* 8254 : overline */
entityToCharacterMap["&frasl"] = "8260"; /* 8260 : fraction slash */
entityToCharacterMap["&euro"] = "8364"; /* 8364 : euro sign */
entityToCharacterMap["&image"] = "8365"; /* 8465 : black-letter capital i */
entityToCharacterMap["&weierp"] = "8472"; /* 8472 : script capital p, Weierstrass p */
entityToCharacterMap["&real"] = "8476"; /* 8476 : black-letter capital r */
entityToCharacterMap["&trade"] = "8482"; /* 8482 : trademark sign */
entityToCharacterMap["&alefsym"] = "8501"; /* 8501 : alef symbol */
entityToCharacterMap["&larr"] = "8592"; /* 8592 : leftwards arrow */
entityToCharacterMap["&uarr"] = "8593"; /* 8593 : upwards arrow */
entityToCharacterMap["&rarr"] = "8594"; /* 8594 : rightwards arrow */
entityToCharacterMap["&darr"] = "8595"; /* 8595 : downwards arrow */
entityToCharacterMap["&harr"] = "8596"; /* 8596 : left right arrow */
entityToCharacterMap["&crarr"] = "8629"; /* 8629 : downwards arrow with corner leftwards */
entityToCharacterMap["&lArr"] = "8656"; /* 8656 : leftwards double arrow */
entityToCharacterMap["&uArr"] = "8657"; /* 8657 : upwards double arrow */
entityToCharacterMap["&rArr"] = "8658"; /* 8658 : rightwards double arrow */
entityToCharacterMap["&dArr"] = "8659"; /* 8659 : downwards double arrow */
entityToCharacterMap["&hArr"] = "8660"; /* 8660 : left right double arrow */
entityToCharacterMap["&forall"] = "8704"; /* 8704 : for all */
entityToCharacterMap["&part"] = "8706"; /* 8706 : partial differential */
entityToCharacterMap["&exist"] = "8707"; /* 8707 : there exists */
entityToCharacterMap["&empty"] = "8709"; /* 8709 : empty set */
entityToCharacterMap["&nabla"] = "8711"; /* 8711 : nabla */
entityToCharacterMap["&isin"] = "8712"; /* 8712 : element of */
entityToCharacterMap["¬in"] = "8713"; /* 8713 : not an element of */
entityToCharacterMap["&ni"] = "8715"; /* 8715 : contains as member */
entityToCharacterMap["&prod"] = "8719"; /* 8719 : n-ary product */
entityToCharacterMap["&sum"] = "8721"; /* 8721 : n-ary summation */
entityToCharacterMap["&minus"] = "8722"; /* 8722 : minus sign */
entityToCharacterMap["&lowast"] = "8727"; /* 8727 : asterisk operator */
entityToCharacterMap["&radic"] = "8730"; /* 8730 : square root */
entityToCharacterMap["&prop"] = "8733"; /* 8733 : proportional to */
entityToCharacterMap["&infin"] = "8734"; /* 8734 : infinity */
entityToCharacterMap["&ang"] = "8736"; /* 8736 : angle */
entityToCharacterMap["&and"] = "8743"; /* 8743 : logical and */
entityToCharacterMap["&or"] = "8744"; /* 8744 : logical or */
entityToCharacterMap["&cap"] = "8745"; /* 8745 : intersection */
entityToCharacterMap["&cup"] = "8746"; /* 8746 : union */
entityToCharacterMap["&int"] = "8747"; /* 8747 : integral */
entityToC