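/*
 * (C) Copyright 2006-2010 Nuxeo SA (http://nuxeo.com/) and others.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * Contributors:
 *     Florent Guillaume
 */
package org.nuxeo.ecm.platform.htmlsanitizer;

import java.util.Objects;

import org.nuxeo.ecm.core.api.DocumentModel;
import org.nuxeo.ecm.core.api.event.DocumentEventTypes;
import org.nuxeo.ecm.core.event.Event;
import org.nuxeo.ecm.core.event.EventContext;
import org.nuxeo.ecm.core.event.EventListener;
import org.nuxeo.ecm.core.event.impl.DocumentEventContext;
import org.nuxeo.ecm.core.schema.FacetNames;
import org.nuxeo.runtime.api.Framework;

/**
 * Listener that sanitizes some HTML fields to remove potential cross-site scripting attacks in them.
 * <p>
 * The listener reacts only to the pre-creation ({@link DocumentEventTypes#ABOUT_TO_CREATE}) and pre-update
 * ({@link DocumentEventTypes#BEFORE_DOC_UPDATE}) document events, so the sanitization is applied to the content
 * before it is written. Documents carrying the {@link FacetNames#IMMUTABLE} facet are left untouched, and the
 * listener can be bypassed for a single event by setting {@link #DISABLE_HTMLSANITIZER_LISTENER} to
 * {@code Boolean.TRUE} in the event context.
 */
public class HtmlSanitizerListener implements EventListener {

    /**
     * Event-context property that, when set to {@code Boolean.TRUE}, makes this listener skip sanitization for that
     * event. Any code able to populate the event context can set it, so treat it as a trust boundary: only set it
     * from trusted code paths that already guarantee the content is safe.
     */
    public static final String DISABLE_HTMLSANITIZER_LISTENER = "disableHtmlSanitizerListener";

    /**
     * Sanitizes the HTML fields of the source document when the event is a creation or an update of a mutable
     * document and the listener has not been disabled for this event.
     *
     * @param event the core event; events that are not document creations or updates, or whose context is not a
     *            {@link DocumentEventContext}, are ignored
     * @throws NullPointerException if the {@link HtmlSanitizerService} cannot be obtained from the runtime, so that
     *             the write never silently proceeds with unsanitized content
     */
    @Override
    public void handleEvent(Event event) {
        String eventId = event.getName();
        // Constant-first comparison: null-safe should an event ever carry no name.
        if (!DocumentEventTypes.ABOUT_TO_CREATE.equals(eventId)
                && !DocumentEventTypes.BEFORE_DOC_UPDATE.equals(eventId)) {
            return;
        }
        EventContext context = event.getContext();
        if (!(context instanceof DocumentEventContext)) {
            return;
        }
        // Boolean.TRUE.equals(...) instead of a cast: a non-Boolean property value (e.g. the string "true")
        // neither throws ClassCastException nor disables sanitization.
        if (Boolean.TRUE.equals(context.getProperty(DISABLE_HTMLSANITIZER_LISTENER))) {
            return;
        }

        DocumentModel doc = ((DocumentEventContext) context).getSourceDocument();
        if (doc.hasFacet(FacetNames.IMMUTABLE)) {
            return;
        }
        // Fail closed with an explicit message: Framework.getService may return null in some runtimes, and a
        // missing sanitizer must abort the write rather than let unsanitized HTML through.
        HtmlSanitizerService sanitizer = Objects.requireNonNull(
                Framework.getService(HtmlSanitizerService.class),
                "HtmlSanitizerService is not available; refusing to save unsanitized HTML");
        sanitizer.sanitizeDocument(doc);
    }

}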