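/*
 * (C) Copyright 2006-2010 Nuxeo SA (http://nuxeo.com/) and others.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * Contributors:
 *     Florent Guillaume
 */
package org.nuxeo.ecm.platform.htmlsanitizer;

import org.nuxeo.ecm.core.api.DocumentModel;
import org.nuxeo.ecm.core.api.event.DocumentEventTypes;
import org.nuxeo.ecm.core.event.Event;
import org.nuxeo.ecm.core.event.EventContext;
import org.nuxeo.ecm.core.event.EventListener;
import org.nuxeo.ecm.core.event.impl.DocumentEventContext;
import org.nuxeo.ecm.core.schema.FacetNames;
import org.nuxeo.runtime.api.Framework;

/**
 * Listener that sanitizes some HTML fields to remove potential cross-site scripting attacks in them.
 * <p>
 * This listener is a security control. It reacts to {@link DocumentEventTypes#ABOUT_TO_CREATE} and
 * {@link DocumentEventTypes#BEFORE_DOC_UPDATE} (the events fired before a document is created or modified) and
 * delegates the actual cleaning to {@link HtmlSanitizerService#sanitizeDocument(DocumentModel)}. Documents carrying
 * the {@link FacetNames#IMMUTABLE} facet are left untouched.
 * <p>
 * Setting the event context property {@link #DISABLE_HTMLSANITIZER_LISTENER} to {@link Boolean#TRUE} bypasses
 * sanitization for that single event. Because this is a bypass of an XSS protection, it must only be set by trusted
 * code that has already sanitized (or otherwise trusts) the HTML it is writing; never derive it from request input.
 */
public class HtmlSanitizerListener implements EventListener {

    /**
     * Event context property which, when set to exactly {@link Boolean#TRUE}, disables sanitization for that event.
     * Any other value (absent, {@code false}, or a non-Boolean such as the string {@code "true"}) leaves sanitization
     * enabled, so a malformed flag fails closed.
     */
    public static final String DISABLE_HTMLSANITIZER_LISTENER = "disableHtmlSanitizerListener";

    /**
     * Sanitizes the HTML fields of the document carried by a creation or pre-update event.
     * <p>
     * Events that are not document creations/updates, that do not carry a {@link DocumentEventContext}, that are
     * explicitly disabled through {@link #DISABLE_HTMLSANITIZER_LISTENER}, or that target an immutable document are
     * ignored.
     *
     * @param event the event to handle
     * @throws IllegalStateException if {@link Framework#getService(Class)} returns no {@link HtmlSanitizerService},
     *             so that a misconfigured deployment cannot silently persist unsanitized HTML
     */
    @Override
    public void handleEvent(Event event) {
        if (!isSanitizedEventType(event.getName())) {
            return;
        }
        EventContext context = event.getContext();
        if (!(context instanceof DocumentEventContext)) {
            return;
        }
        // No cast here: a non-Boolean property value must neither throw ClassCastException nor disable the sanitizer.
        if (Boolean.TRUE.equals(context.getProperty(DISABLE_HTMLSANITIZER_LISTENER))) {
            return;
        }
        DocumentModel doc = ((DocumentEventContext) context).getSourceDocument();
        if (doc.hasFacet(FacetNames.IMMUTABLE)) {
            return;
        }
        HtmlSanitizerService sanitizer = Framework.getService(HtmlSanitizerService.class);
        if (sanitizer == null) {
            // Fail closed: aborting the write is safer than storing HTML that was never sanitized.
            throw new IllegalStateException(
                    "HtmlSanitizerService is not available; refusing to persist unsanitized HTML");
        }
        sanitizer.sanitizeDocument(doc);
    }

    /**
     * Returns whether the event type is one on which HTML must be sanitized, i.e. a document creation or an update
     * about to be performed.
     *
     * @param eventId the event name, may be {@code null}
     * @return {@code true} for {@link DocumentEventTypes#ABOUT_TO_CREATE} and
     *         {@link DocumentEventTypes#BEFORE_DOC_UPDATE}, {@code false} otherwise (including {@code null})
     */
    private static boolean isSanitizedEventType(String eventId) {
        // Constants on the left so that a null event name is simply ignored rather than throwing.
        return DocumentEventTypes.ABOUT_TO_CREATE.equals(eventId)
                || DocumentEventTypes.BEFORE_DOC_UPDATE.equals(eventId);
    }

}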