1 /*
2 * This file is part of dependency-check-core.
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 *
16 * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
17 */
18 package org.owasp.dependencycheck.reporting;
19
20 import java.io.UnsupportedEncodingException;
21 import java.net.URLEncoder;
22 import java.util.Set;
23 import javax.annotation.concurrent.ThreadSafe;
24 import static java.nio.charset.StandardCharsets.UTF_8;
25 import org.apache.commons.text.StringEscapeUtils;
26 import org.owasp.dependencycheck.dependency.naming.Identifier;
27 import org.slf4j.Logger;
28 import org.slf4j.LoggerFactory;
29
30 /**
31 * An extremely simple wrapper around various escape utils to perform URL and
32 * HTML encoding within the reports. This class was created to simplify the
33 * velocity configuration and avoid using the "built-in" escape tool.
34 *
35 * @author Jeremy Long
36 */
37 @ThreadSafe
38 public class EscapeTool {
39
40 /**
41 * The logger.
42 */
43 private static final Logger LOGGER = LoggerFactory.getLogger(EscapeTool.class);
44
45 /**
46 * URL Encodes the provided text.
47 *
48 * @param text the text to encode
49 * @return the URL encoded text
50 */
51 public String url(String text) {
52 if (text == null || text.isEmpty()) {
53 return text;
54 }
55 try {
56 return URLEncoder.encode(text, UTF_8.name());
57 } catch (UnsupportedEncodingException ex) {
58 LOGGER.warn("UTF-8 is not supported?");
59 LOGGER.info("", ex);
60 }
61 return "";
62 }
63
64 /**
65 * HTML Encodes the provided text.
66 *
67 * @param text the text to encode
68 * @return the HTML encoded text
69 */
70 public String html(String text) {
71 if (text == null || text.isEmpty()) {
72 return text;
73 }
74 return StringEscapeUtils.escapeHtml4(text);
75 }
76
77 /**
78 * XML Encodes the provided text.
79 *
80 * @param text the text to encode
81 * @return the XML encoded text
82 */
83 public String xml(String text) {
84 if (text == null || text.isEmpty()) {
85 return text;
86 }
87 return StringEscapeUtils.escapeXml11(text);
88 }
89
90 /**
91 * JSON Encodes the provided text.
92 *
93 * @param text the text to encode
94 * @return the JSON encoded text
95 */
96 public String json(String text) {
97 if (text == null || text.isEmpty()) {
98 return text;
99 }
100 return StringEscapeUtils.escapeJson(text);
101 }
102
103 /**
104 * JavaScript encodes the provided text.
105 *
106 * @param text the text to encode
107 * @return the JavaScript encoded text
108 */
109 public String javascript(String text) {
110 if (text == null || text.isEmpty()) {
111 return text;
112 }
113 return StringEscapeUtils.escapeEcmaScript(text);
114 }
115
116 /**
117 * Formats text for CSV format. This includes trimming whitespace, replace
118 * line breaks with spaces, and if necessary quotes the text and/or escapes
119 * contained quotes.
120 *
121 * @param text the text to escape and quote
122 * @return the escaped and quoted text
123 */
124 public String csv(String text) {
125 if (text == null || text.isEmpty()) {
126 return "\"\"";
127 }
128 final String str = text.trim().replace("\n", " ");
129 if (str.trim().length() == 0) {
130 return "\"\"";
131 }
132 return StringEscapeUtils.escapeCsv(str);
133 }
134
135 /**
136 * Takes a set of Identifiers, filters them to none CPE, and formats them
137 * for display in a CSV.
138 *
139 * @param ids the set of identifiers
140 * @return the formatted list of none CPE identifiers
141 */
142 public String csvIdentifiers(Set<Identifier> ids) {
143 if (ids == null || ids.isEmpty()) {
144 return "\"\"";
145 }
146 boolean addComma = false;
147 final StringBuilder sb = new StringBuilder();
148 for (Identifier id : ids) {
149 if (addComma) {
150 sb.append(", ");
151 } else {
152 addComma = true;
153 }
154 sb.append(id.getValue());
155 }
156 if (sb.length() == 0) {
157 return "\"\"";
158 }
159 return StringEscapeUtils.escapeCsv(sb.toString());
160 }
161
162 /**
163 * Takes a set of Identifiers, filters them to just CPEs, and formats them
164 * for confidence display in a CSV.
165 *
166 * @param ids the set of identifiers
167 * @return the formatted list of confidence
168 */
169 public String csvCpeConfidence(Set<Identifier> ids) {
170 if (ids == null || ids.isEmpty()) {
171 return "\"\"";
172 }
173 boolean addComma = false;
174 final StringBuilder sb = new StringBuilder();
175 for (Identifier id : ids) {
176 if (addComma) {
177 sb.append(", ");
178 } else {
179 addComma = true;
180 }
181 sb.append(id.getConfidence());
182 }
183 if (sb.length() == 0) {
184 return "\"\"";
185 }
186 return StringEscapeUtils.escapeCsv(sb.toString());
187 }
188 }