public final class UriUtils extends Object
Modifier and Type | Method and Description |
---|---|
static String |
encode(String uri)
Encodes the URL.
|
static String |
encodeAllowEscapes(String uri)
Encodes the URL, preserving existing %-escapes.
|
static String |
extractScheme(String uri)
Extracts the scheme of a URI.
|
static SafeUri |
fromSafeConstant(String s)
Returns a
SafeUri constructed from a value that is fully under
the control of the program, e.g., a constant. |
static SafeUri |
fromString(String s)
Returns a
SafeUri obtained by sanitizing the provided string. |
static SafeUri |
fromTrustedString(String s)
Returns a
SafeUri constructed from a trusted string, i.e., without
sanitizing the string. |
static boolean |
isSafeUri(String uri)
Determines if a
String is safe to use as the value of a URI-valued
HTML attribute such as src or href . |
static String |
sanitizeUri(String uri)
Sanitizes a URI.
|
static SafeUri |
unsafeCastFromUntrustedString(String s)
Deprecated.
This method is intended only for use in APIs that use
SafeUri to represent URIs, but for backwards
compatibility have methods that accept URI parameters as plain
strings. |
public static String encode(String uri)
In client code, this method delegates to URL.encode(String)
and
then unescapes brackets, as they might be used for IPv6 addresses.
uri
- the URL to encodepublic static String encodeAllowEscapes(String uri)
uri
- the URL to encodepublic static String extractScheme(String uri)
uri
- the URI to extract the scheme fromnull
if the URI does not have onepublic static SafeUri fromSafeConstant(String s)
SafeUri
constructed from a value that is fully under
the control of the program, e.g., a constant.
The string is not sanitized and no checks are performed. The assumption
that the resulting value adheres to the SafeUri
type contract
is entirely based on the argument being fully under program control and
not being derived from a program input.
Convention of use: This method must only be invoked on values that are fully under the program's control, such as string literals.
s
- the input Stringpublic static SafeUri fromString(String s)
SafeUri
obtained by sanitizing the provided string.
The input string is sanitized using sanitizeUri(String)
.
s
- the input Stringpublic static SafeUri fromTrustedString(String s)
SafeUri
constructed from a trusted string, i.e., without
sanitizing the string. No checks are performed. The calling code should be
carefully reviewed to ensure the argument meets the SafeUri contract.s
- the input Stringpublic static boolean isSafeUri(String uri)
String
is safe to use as the value of a URI-valued
HTML attribute such as src
or href
.
In this context, a URI is safe if it can be established that using it as
the value of a URI-valued HTML attribute such as src
or href
cannot result in script execution. Specifically, this method deems a
URI safe if it either does not have a scheme, or its scheme is one of
http, https, ftp, mailto
.
uri
- the URI to validatetrue
if uri
is safe in the above sense; false
otherwisepublic static String sanitizeUri(String uri)
This method returns the URI provided if it is safe to use as the value
of a URI-valued HTML attribute according to isSafeUri(java.lang.String)
, or the URI
"#
" otherwise.
uri
- the URI to sanitize@Deprecated public static SafeUri unsafeCastFromUntrustedString(String s)
SafeUri
to represent URIs, but for backwards
compatibility have methods that accept URI parameters as plain
strings.SafeUri
constructed from an untrusted string but without
sanitizing it.
Despite this method creating a SafeUri instance, no checks are
performed, so the returned SafeUri is absolutely NOT guaranteed to be
safe!s
- the input StringCopyright © 2016. All rights reserved.