Class JavaScriptCodec


  • public class JavaScriptCodec
    extends Codec
    Implementation of the Codec interface for backslash encoding in JavaScript.
    Since:
    June 1, 2007
    Author:
    Jeff Williams (jeff.williams .at. aspectsecurity.com) Aspect Security
    See Also:
    Encoder
    • Constructor Detail

      • JavaScriptCodec

        public JavaScriptCodec()
    • Method Detail

      • encodeCharacter

        public java.lang.String encodeCharacter​(char[] immune,
                                                java.lang.Character c)
        Default implementation that should be overridden in specific codecs. Returns backslash encoded numeric format. Does not use backslash character escapes such as, \" or \' as these may cause parsing problems. For example, if a javascript attribute, such as onmouseover, contains a \" that will close the entire attribute and allow an attacker to inject another script attribute.
        Overrides:
        encodeCharacter in class Codec
        Parameters:
        immune -
        c - the Character to encode
        Returns:
        the encoded Character
      • decodeCharacter

        public java.lang.Character decodeCharacter​(PushbackString input)
        Returns the decoded version of the next character from the input string and advances the current character in the PushbackString. If the current character is not encoded, this method MUST reset the PushbackString. Returns the decoded version of the character starting at index, or null if no decoding is possible. See http://www.planetpdf.com/codecuts/pdfs/tutorial/jsspec.pdf Formats all are legal both upper/lower case: \\a - special characters \\xHH \\uHHHH \\OOO (1, 2, or 3 digits)
        Overrides:
        decodeCharacter in class Codec
        Parameters:
        input - the Character to decode
        Returns:
        the decoded Character