4769l2

Listing 2. Filtering HTML Tags and Composing the SQL Query String Using
a Regular Expression Engine

package net.confidentialfiles.DBUtils;

import java.util.*;
import gnu.regexp.*;

// Only one method is shown here to save space.
public class HTMLUtil {

  // "Hashtable h" is a collection of field/value
  // pairs to enter the database table
  //
  // "String mode" is either "plain" for plain text
  //  values or "HTML" for html text
  //
  // "String[] allowed" is an array of allowed HTML
  // tags
  //
  // This method handles the blank values,
  // validates HTML text

  public static void processInput(Hashtable h,
                  String mode, String[] allowed)
                                throws Exception {
    Object o;
    NullValue nv = new NullValue();
    RE re1, re2;
    REMatch[] rematch;
    String tag;
    for (Enumeration e = h.keys();
               e.hasMoreElements(); ) {
      o = e.nextElement();
      String s = (String)h.get(o);
      if ( !isStr(s) ) {
        h.put(o, nv);
      } else {
        if ( mode.equals("plain") ) {
          // in plain mode all "<"s are "&lt;"
          re1 = new RE ("<");
          s = re1.substituteAll( s, "&lt;" );
        } else {
          // in html mode, only allowed tags are
          // permitted other tags are will be
          // converted to "&lt;tagname"
          re1 = new RE ( "<(\\w+)" );
          rematch = re1.getAllMatches( s );
          for (int i=0; i<rematch.length; i++) {
            // get rid of the "<" for tag
            // by using the grouped subexp $1
            tag = rematch[i].toString(1);
            boolean isallowed = false;
            for (int j=0; j<allowed.length; j++) {
              if ( tag.compareToIgnoreCase(
                              allowed[j]) == 0 ) {
                isallowed = true;
              }
            }
            if ( !isallowed ) {
              re2 = new RE ( "<" + tag );
              s = re2.substituteAll( s,
                                "&lt;" + tag );
              re2 = new RE ( "</" + tag );
              s = re2.substituteAll( s,
                                "&lt;/" + tag );
            }
          }
        }
        // escape quotes and special chars in SQL
        // query string
        h.put(o, DatabaseUtil.escapeString(s));
      }
    }
    return;
  }
}