Listing 2. Filtering HTML Tags and Composing the SQL Query String Using
a Regular Expression Engine
package net.confidentialfiles.DBUtils;
import java.util.*;
import gnu.regexp.*;
// Only one method is shown here to save space.
public class HTMLUtil {
// "Hashtable h" is a collection of field/value
// pairs to be entered into the database table
//
// "String mode" is either "plain" for plain text
// values or "HTML" for html text
//
// "String[] allowed" is an array of allowed HTML
// tags
//
// This method handles blank values and
// validates HTML text
public static void processInput(Hashtable h,
String mode, String[] allowed)
throws Exception {
Object o;
NullValue nv = new NullValue();
RE re1, re2;
REMatch[] rematch;
String tag;
for (Enumeration e = h.keys();
e.hasMoreElements(); ) {
o = e.nextElement();
String s = (String)h.get(o);
if ( !isStr(s) ) {
h.put(o, nv);
} else {
if ( mode.equals("plain") ) {
// in plain mode all "<"s are "<"
re1 = new RE ("<");
s = re1.substituteAll( s, "<" );
} else {
// in html mode, only allowed tags are
// permitted other tags are will be
// converted to "<tagname"
re1 = new RE ( "<(\\w+)" );
rematch = re1.getAllMatches( s );
for (int i=0; i