```java
@DefaultKey(value="esc")
@ValidScope(value="application")
public class EscapeTool
extends SafeConfig
implements Serializable
```
Example uses:
```
$velocity                    -> Please escape $ and #!
$esc.velocity($velocity)     -> Please escape ${esc.d} and ${esc.h}!

$java                        -> He didn't say, "Stop!"
$esc.java($java)             -> He didn't say, \"Stop!\"

$javascript                  -> He didn't say, "Stop!"
$esc.javascript($javascript) -> He didn\'t say, \"Stop!\"

$html                        -> "bread" & "butter"
$esc.html($html)             -> &quot;bread&quot; &amp; &quot;butter&quot;

$xml                         -> "bread" & "butter"
$esc.xml($xml)               -> &quot;bread&quot; &amp; &quot;butter&quot;

$sql                         -> McHale's Navy
$esc.sql($sql)               -> McHale''s Navy

$url                         -> hello here & there
$esc.url($url)               -> hello+here+%26+there
$esc.unurl($esc.url($url))   -> hello here & there

$esc.dollar                  -> $
$esc.d                       -> $

$esc.hash                    -> #
$esc.h                       -> #

$esc.backslash               -> \
$esc.b                       -> \

$esc.quote                   -> "
$esc.q                       -> "

$esc.singleQuote             -> '
$esc.s                       -> '

$esc.newline                 ->
$esc.n                       ->

$esc.exclamation             -> !
$esc.e                       -> !
```
Example tools.xml config (if you want to use this with VelocityView):
```xml
<tools>
  <toolbox scope="application">
    <tool class="org.apache.velocity.tools.generic.EscapeTool"/>
  </toolbox>
</tools>
```
This tool is entirely threadsafe, and has no instance members. It may be used in any scope (request, session, or application).
See Also: StringEscapeUtils, Serialized Form

Modifier and Type | Field and Description |
---|---|
static String | DEFAULT_KEY |

Fields inherited from class SafeConfig: LOCK_CONFIG_KEY, log, LOGGER_NAME_KEY, SAFE_MODE_KEY, USE_CLASS_LOGGER_KEY

Constructor and Description |
---|
EscapeTool() |

Modifier and Type | Method and Description |
---|---|
protected void | configure(ValueParser values) - Does the actual configuration. |
protected String | dumpString(String string, boolean key) - This code was pulled from the Apache Harmony project. |
String | getB() - Renders a backslash (\). |
String | getBackslash() - Renders a backslash (\). |
String | getD() - Renders a dollar sign ($). |
String | getDollar() - Renders a dollar sign ($). |
String | getE() - Renders an exclamation mark (!). |
String | getExclamation() - Renders an exclamation mark (!). |
String | getH() - Renders a hash (#). |
String | getHash() - Renders a hash (#). |
String | getKey() - Should return the key under which this tool has been configured. |
String | getN() - Renders a new line character appropriate for the operating system ("\n" in java). |
String | getNewline() - Renders a new line character appropriate for the operating system ("\n" in java). |
String | getQ() - Renders a double quotation mark ("). |
String | getQuote() - Renders a double quotation mark ("). |
String | getS() - Renders a single quotation mark ('). |
String | getSingleQuote() - Renders a single quotation mark ('). |
String | html(Object string) - Escapes the characters in a String using HTML entities. |
String | java(Object string) - Escapes the characters in a String using Java String rules. |
String | javascript(Object string) - Escapes the characters in a String using JavaScript String rules. |
String | propertyKey(Object string) - Escapes the characters in a String using java.util.Properties rules for escaping property keys. |
String | propertyValue(Object string) - Escapes the characters in a String using java.util.Properties rules for escaping property values. |
protected void | setKey(String key) - Sets the key under which this tool has been configured. |
String | sql(Object string) - Escapes the characters in a String to be suitable to pass to an SQL query. |
String | unicode(Object code) - Converts the specified Unicode code point and/or escape sequence into the associated Unicode character. |
String | unurl(Object string) - Unescape the characters in a String encoded as an HTTP parameter value. |
String | url(Object string) - Escape the characters in a String to be suitable to use as an HTTP parameter value. |
String | velocity(Object obj) - Escapes the characters in a String using "poor man's escaping" for Velocity templates by replacing all '$' characters with '${esc.d}' and all '#' characters with '${esc.h}'. |
String | xml(Object string) - Escapes the characters in a String using XML entities. |

Methods inherited from class SafeConfig: configure, getLog, initLogger, isConfigLocked, isSafeMode, setLockConfig, setSafeMode

public static final String DEFAULT_KEY

protected void configure(ValueParser values)

Overrides: configure in class SafeConfig
Parameters: values - configuration values

protected void setKey(String key)

Parameters: key - tool key
See Also: velocity(java.lang.Object)

public String getKey()

See Also: velocity(java.lang.Object)

public String velocity(Object obj)

Escapes the characters in a String using "poor man's escaping" for Velocity templates by replacing all '$' characters with '${esc.d}' and all '#' characters with '${esc.h}'. This form of escaping is far more reliable and consistent than using '\' to escape valid references, directives and macros, though it does require that you have the EscapeTool available in the context when you later go to process the result returned by this method.

NOTE: This will only work so long as the EscapeTool is placed in the context using its default key 'esc' or you are using VelocityTools 2.0+ and have put this tool in one of your toolboxes under an alternate key (in which case the EscapeTool will automatically be told what its new key is). If for some strange reason you wish to use an alternate key and are not using the tool management facilities of VelocityTools 2.0+, you must subclass this tool and manually call setKey(String) before using this method.

Parameters: obj - the string value that needs escaping
Returns: null if null string input

public String java(Object string)

Escapes the characters in a String using Java String rules. Delegates the process to StringEscapeUtils.escapeJava(String).

Parameters: string - the string to escape values, may be null
Returns: null if null string input
See Also: StringEscapeUtils.escapeJava(String)

public String propertyKey(Object string)

Escapes the characters in a String using java.util.Properties rules for escaping property keys.

Parameters: string - the string to escape values, may be null
Returns: null if null string input
See Also: dumpString(String, boolean)

public String propertyValue(Object string)

Escapes the characters in a String using java.util.Properties rules for escaping property values.

Parameters: string - the string to escape values, may be null
Returns: null if null string input
See Also: dumpString(String, boolean)

protected String dumpString(String string, boolean key)

Parameters: string - property key or property value
Parameters: key - true for a property key

public String javascript(Object string)

Escapes the characters in a String using JavaScript String rules. Delegates the process to StringEscapeUtils.escapeEcmaScript(String).

Parameters: string - the string to escape values, may be null
Returns: null if null string input
See Also: StringEscapeUtils.escapeEcmaScript(String)

public String html(Object string)

Escapes the characters in a String using HTML entities. Delegates the process to StringEscapeUtils.escapeHtml4(String).

Parameters: string - the string to escape, may be null
Returns: String, null if null string input
See Also: StringEscapeUtils.escapeHtml4(String)

public String url(Object string)

Escape the characters in a String to be suitable to use as an HTTP parameter value. Uses UTF-8 as default character encoding.

Parameters: string - the string to escape, may be null
Returns: String, null if null string input

See java.net.URLEncoder#encode(String,String)

public String unurl(Object string)

Unescape the characters in a String encoded as an HTTP parameter value. Uses UTF-8 as default character encoding.

Parameters: string - the string to unescape, may be null
Returns: String, null if null string input
See Also: URLDecoder.decode(String,String)

public String xml(Object string)

Escapes the characters in a String using XML entities. Delegates the process to StringEscapeUtils.escapeXml(java.lang.String).

Parameters: string - the string to escape, may be null
Returns: String, null if null string input
See Also: StringEscapeUtils.escapeXml(String)

public String sql(Object string)

Escapes the characters in a String to be suitable to pass to an SQL query. It boils down to doubling single quotes.

Parameters: string - the string to escape, may be null
Returns: null if null string input

public String unicode(Object code)

Converts the specified Unicode code point and/or escape sequence into the associated Unicode character. This allows numeric code points or String versions of the numeric code point to be correctly translated within a template. This is especially useful for those creating unicode from a reference value, or injecting a unicode character into a template with a version of Velocity prior to 1.6.

Parameters: code - the code to be translated/escaped, may be null
Returns: null if input was null
See Also: Character.toChars(int codePoint)

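The sql(Object) description above says the escaping boils down to doubling single quotes. The following added example (not part of Velocity Tools) uses Python's sqlite3 as a stand-in engine to show where that holds and where it does not; `double_quotes`, the `shows` table and all sample values are constructed assumptions.

```python
import sqlite3

def double_quotes(value):
    # Stand-in for the documented sql() behaviour: double each single quote.
    return None if value is None else str(value).replace("'", "''")

def make_db():
    # Constructed sample table; not data from the page.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE shows (id INTEGER, title TEXT)")
    db.executemany("INSERT INTO shows VALUES (?, ?)",
                   [(1, "McHale's Navy"), (2, "Hogan's Heroes"), (3, "F Troop")])
    return db

def ids(cursor):
    return sorted(row[0] for row in cursor)

def by_title_escaped(db, title):
    # Quoted context: doubling keeps the whole value inside the string literal.
    return ids(db.execute(
        "SELECT id FROM shows WHERE title = '%s'" % double_quotes(title)))

def by_id_escaped(db, raw_id):
    # Unquoted numeric context: the value contains no quote to double, so it
    # is spliced into the statement text unchanged and parsed as SQL.
    return ids(db.execute(
        "SELECT id FROM shows WHERE id = %s" % double_quotes(raw_id)))

def by_id_bound(db, raw_id):
    # Bound parameter: the value is passed as data and never parsed as SQL.
    return ids(db.execute("SELECT id FROM shows WHERE id = ?", (raw_id,)))

if __name__ == "__main__":
    db = make_db()
    print(by_title_escaped(db, "McHale's Navy"))  # quote is doubled, row found
    print(by_title_escaped(db, "x' OR '1'='1"))   # stays one literal, no rows
    print(by_id_escaped(db, "0 OR 1=1"))          # filter bypassed, every row
    print(by_id_bound(db, "0 OR 1=1"))            # treated as data, no rows
```

Quote doubling only protects values placed inside a single-quoted literal; values used anywhere else in a statement need bound parameters or strict type validation.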
public String getDollar()
See Also: getD()

public String getD()
See Also: getDollar()

public String getBackslash()
See Also: getB()

public String getB()
See Also: getBackslash()

public String getQuote()
See Also: getQ()

public String getQ()
See Also: getQuote()

public String getSingleQuote()
See Also: getS()

public String getS()
See Also: getSingleQuote()

public String getNewline()
See Also: getN()

public String getN()
See Also: getNewline()

public String getExclamation()
See Also: getE()

public String getE()
See Also: getExclamation()

Copyright © 2002–2021 The Apache Software Foundation. All rights reserved.