[OWASP-ESAPI] Encoder feedback
Gregory Rubin
grrubin at gmail.com
Wed Jul 9 19:09:19 EDT 2008
I knew that I had this rattling around somewhere. It still needs to be
reviewed and tested (I had to extract it from some more domain-specific
code).
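/**
 * Escapes {@code input} for inclusion inside a JavaScript string literal
 * (single- or double-quoted) in a {@code <script>} block. Unicode letters,
 * digits and a small allow-list of punctuation pass through unchanged; every
 * other character is emitted as a JavaScript escape sequence. In particular
 * {@code <}, {@code >}, {@code /} and the line separators U+2028/U+2029 are
 * never written verbatim, so the output cannot close the string literal or
 * the enclosing {@code <script>} element.
 * <p>
 * NOTE(review): {@code &} and {@code ;} are on the allow-list, so the output
 * is not safe to drop into an inline event-handler attribute on its own —
 * that context decodes HTML entities before the JavaScript parser runs and
 * needs HTML attribute encoding applied on top.
 *
 * @param input text to escape; may be {@code null}
 * @return the escaped text, or {@code null} when {@code input} is {@code null}
 */
public static String escapeForJavaScript(String input) {
    if (null == input) {
        return null;
    }
    int len = input.length();
    StringBuilder buf = new StringBuilder(len + 2);
    // Walk by code point, not by char: a supplementary character occupies
    // two UTF-16 units and must be consumed as one, otherwise its low
    // surrogate is visited again on the next iteration and emitted twice.
    for (int x = 0; x < len; ) {
        int value = input.codePointAt(x);
        x += Character.charCount(value);
        if (isJavaScriptStringSafe(value)) {
            buf.appendCodePoint(value);
            continue;
        }
        switch (value) {
            case 0x0A: // newline
                buf.append("\\n");
                break;
            case 0x09: // tab
                buf.append("\\t");
                break;
            case 0x22: // double-quote
                buf.append("\\\"");
                break;
            case 0x27: // single-quote
                buf.append("\\'");
                break;
            case 0x5C: // backslash
                buf.append("\\\\");
                break;
            default:
                appendUnicodeEscape(buf, value);
        }
    }
    return buf.toString();
}

/**
 * Appends {@code value} as one or two {@code \\u} escapes of exactly four
 * hex digits each. A supplementary code point is written as its UTF-16
 * surrogate pair: a five-digit form would be read by a JavaScript parser as a
 * four-digit escape followed by a literal digit.
 *
 * @param buf   destination buffer
 * @param value the code point (or unpaired surrogate) to escape
 */
private static void appendUnicodeEscape(StringBuilder buf, int value) {
    for (char unit : Character.toChars(value)) {
        // cast: %X rejects a char argument
        buf.append(String.format("\\u%04X", (int) unit));
    }
}

/** Non-alphanumeric characters that are emitted without escaping. */
private static final String javaScriptStringSafeOther = ".,;: ()?!_-+*&{}[]@#";

/**
 * Allow-list test for the escaper: true for any Unicode letter or digit and
 * for the punctuation in {@link #javaScriptStringSafeOther}. Quotes,
 * backslash, angle brackets, slash, control characters and unpaired
 * surrogates all fail the test and are escaped by the caller.
 *
 * @param codepoint the code point to classify
 * @return whether the code point may be copied to the output verbatim
 */
private static boolean isJavaScriptStringSafe(int codepoint) {
    return Character.isLetterOrDigit(codepoint)
        || javaScriptStringSafeOther.indexOf(codepoint) >= 0;
}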