HV-1302 Moving protocols to attribute level

hibernate · May 22, 2017 · c4f3716 · c4f3716
1 parent 0a55ad2
commit c4f3716
Show file tree

Hide file tree

Showing 4 changed files with 51 additions and 19 deletions.
diff --git a/engine/src/main/java/org/hibernate/validator/constraints/SafeHtml.java b/engine/src/main/java/org/hibernate/validator/constraints/SafeHtml.java
@@ -91,10 +91,29 @@
 		String[] attributes() default { };
 
 		/**
-		 * @return list of valid protocols.
+		 * @return list of tag attributes with corresponding allowed protocols which are whitelisted.
 		 * @since 6.0
 		 */
-		String[] protocols() default { };
+		Attribute[] additionalAttributesWithProtocols() default { };
+
+		/**
+		 * Allows to specify attribute with whitelisted protocols.
+		 * @since 6.0
+		 */
+		@Target({ METHOD, FIELD, ANNOTATION_TYPE, CONSTRUCTOR, PARAMETER })
+		@Retention(RUNTIME)
+		@Documented @interface Attribute {
+			/**
+			 * @return the attribute name to whitelist.
+			 */
+			String name();
+
+			/**
+			 * @return list of attribute protocols which are whitelisted.
+			 */
+			String[] protocols() default { };
+
+		}
 	}
 
 	/**

diff --git a/...main/java/org/hibernate/validator/internal/constraintvalidators/hv/SafeHtmlValidator.java b/...main/java/org/hibernate/validator/internal/constraintvalidators/hv/SafeHtmlValidator.java
@@ -56,10 +56,14 @@ public void initialize(SafeHtml safeHtmlAnnotation) {
 		whitelist.addTags( safeHtmlAnnotation.additionalTags() );
 
 		for ( SafeHtml.Tag tag : safeHtmlAnnotation.additionalTagsWithAttributes() ) {
-			whitelist.addAttributes( tag.name(), tag.attributes() );
-			if ( tag.protocols().length > 0 ) {
-				for ( String attribute : tag.attributes() ) {
-					whitelist.addProtocols( tag.name(), attribute, tag.protocols() );
+			whitelist.addTags( tag.name() );
+			if ( tag.attributes().length > 0 ) {
+				whitelist.addAttributes( tag.name(), tag.attributes() );
+			}
+			if ( tag.additionalAttributesWithProtocols().length > 0 ) {
+				for ( SafeHtml.Tag.Attribute attribute : tag.additionalAttributesWithProtocols() ) {
+					whitelist.addAttributes( tag.name(), attribute.name() );
+					whitelist.addProtocols( tag.name(), attribute.name(), attribute.protocols() );
 				}
 			}
 		}

diff --git a/...src/test/java/org/hibernate/validator/test/cfg/ProgrammaticConstraintDefinitionsTest.java b/...src/test/java/org/hibernate/validator/test/cfg/ProgrammaticConstraintDefinitionsTest.java
@@ -75,12 +75,16 @@ public void safeHtmlProgrammaticDefinition() {
 		doProgrammaticTest( new SafeHtmlDef().whitelistType( SafeHtml.WhiteListType.NONE )
 				.additionalTagsWithAttributes( AnnotationFactory.create( tagDescriptor ) ), "<td class='class' id='tableId'>1234qwer</td>", 0 );
 
-		AnnotationDescriptor<SafeHtml.Tag> protocolDescriptor = new AnnotationDescriptor( SafeHtml.Tag.class );
-		protocolDescriptor.setValue( "name", "img" );
-		protocolDescriptor.setValue( "attributes", new String[]{ "src" } );
-		protocolDescriptor.setValue( "protocols", new String[]{ "data" } );
+		AnnotationDescriptor<SafeHtml.Tag.Attribute> attributeDescriptor = new AnnotationDescriptor( SafeHtml.Tag.Attribute.class );
+		attributeDescriptor.setValue( "name",  "src"  );
+		attributeDescriptor.setValue( "protocols", new String[]{ "data" } );
+
+		tagDescriptor = new AnnotationDescriptor( SafeHtml.Tag.class );
+		tagDescriptor.setValue( "name", "img" );
+		tagDescriptor.setValue( "additionalAttributesWithProtocols", new SafeHtml.Tag.Attribute[]{ AnnotationFactory.create( attributeDescriptor ) } );
+
 		doProgrammaticTest( new SafeHtmlDef().whitelistType( SafeHtml.WhiteListType.NONE )
-				.additionalTagsWithAttributes( AnnotationFactory.create( protocolDescriptor ) ), "<img src='data:image/png;base64,100101' />", 0 );
+				.additionalTagsWithAttributes( AnnotationFactory.create( tagDescriptor ) ), "<img src='data:image/png;base64,100101' />", 0 );
 	}
 
 	@Test

diff --git a/.../org/hibernate/validator/test/internal/constraintvalidators/hv/SafeHtmlValidatorTest.java b/.../org/hibernate/validator/test/internal/constraintvalidators/hv/SafeHtmlValidatorTest.java
@@ -166,12 +166,13 @@ public void testAdditionalProtocols() {
 		assertNumberOfViolations( validator.validate( new Bar( "<div src='data:image/png;base64,100101' />" ) ), 1 );
 		assertNumberOfViolations( validator.validate( new Bar(
 				"<custom>" +
-						"  <img src='data:image/png;base64,100101' />" +
-						"  <custom attr1='strange_protocol:some_text' />" +
-						"  <custom><img /></custom>" +
-						"  <section id='sec1' attr='val'></section>" +
-						"  <custom attr1='dataprotocol:some_text' attr2='strange_protocol:some_text' />" +
-						"</custom>" ) ), 0 );
+				"  <img src='data:image/png;base64,100101' />" +
+				"  <custom attr1='strange_protocol:some_text' />" +
+				"  <custom attr3='some_protocol:some_text' />" +
+				"  <custom><img /></custom>" +
+				"  <section id='sec1' attr='val'></section>" +
+				"  <custom attr1='dataprotocol:some_text' attr2='strange_protocol:some_text' />" +
+				"</custom>" ) ), 0 );
 	}
 
 	@Test
@@ -211,8 +212,12 @@ public static class Bar {
 		@SafeHtml(
 				whitelistType = WhiteListType.BASIC,
 				additionalTagsWithAttributes = {
-						@SafeHtml.Tag(name = "img", attributes = "src", protocols = { "data" }),
-						@SafeHtml.Tag(name = "custom", attributes = { "attr1", "attr2" }, protocols = { "dataprotocol", "strange_protocol" }),
+						@SafeHtml.Tag(name = "img", additionalAttributesWithProtocols = @SafeHtml.Tag.Attribute(name = "src", protocols = { "data" })),
+						@SafeHtml.Tag(name = "custom", additionalAttributesWithProtocols = {
+								@SafeHtml.Tag.Attribute(name = "attr1", protocols = { "dataprotocol", "strange_protocol" }),
+								@SafeHtml.Tag.Attribute(name = "attr2", protocols = { "dataprotocol", "strange_protocol" }),
+								@SafeHtml.Tag.Attribute(name = "attr3", protocols = "some_protocol")
+						}),
 						@SafeHtml.Tag(name = "section", attributes = { "attr", "id" })
 				}
 		)