{"id":16332266,"url":"https://github.com/mikesamuel/html-contextual-autoescaper-java","last_synced_at":"2025-03-22T23:31:53.919Z","repository":{"id":1752074,"uuid":"2578689","full_name":"mikesamuel/html-contextual-autoescaper-java","owner":"mikesamuel","description":"Prevents XSS by figuring out how to escape untrusted values in templates","archived":false,"fork":false,"pushed_at":"2020-10-13T10:15:13.000Z","size":10697,"stargazers_count":15,"open_issues_count":3,"forks_count":3,"subscribers_count":3,"default_branch":"master","last_synced_at":"2025-03-18T15:43:18.944Z","etag":null,"topics":["java","security-hardening","template-engine","xss"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mikesamuel.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2011-10-14T20:36:28.000Z","updated_at":"2023-03-25T11:23:55.000Z","dependencies_parsed_at":"2022-07-20T06:47:08.176Z","dependency_job_id":null,"html_url":"https://github.com/mikesamuel/html-contextual-autoescaper-java","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mikesamuel%2Fhtml-contextual-autoescaper-java","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mikesamuel%2Fhtml-contextual-autoescaper-java/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mikesamuel%2Fhtml-contextual-autoescaper-java/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mikesamuel%2Fhtml-contextual-autoescaper-java/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mikesamuel","download_url":"https://codeload.github.com/mikesamuel/html-contextual-autoescaper-java/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":245036111,"owners_count":20550661,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["java","security-hardening","template-engine","xss"],"created_at":"2024-10-10T23:29:51.960Z","updated_at":"2025-03-22T23:31:53.620Z","avatar_url":"https://github.com/mikesamuel.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"A runtime contextual autoescaper written in Java.\n\nThis provides a writer-like object that provides two methods:\n\n```java\n  writeSafe(String)\n  write(Object)\n```\n\nso that the sequence of calls\n\n```java\n w.writeSafe(\"\u003cb\u003e\");\n w.write(\"I \u003c3 Ponies!\");\n w.writeSafe(\"\u003c/b\u003e\\n\u003cbutton onclick=foo(\");\n w.writeObject(ImmutableMap.\u003cString, Object\u003eof(\n     \"foo\", \"bar\", \"\\\"baz\\\"\", 42));\n w.writeSafe(\")\u003e\");\n```\n\nresults in the output\n\n```html\n  \u003cb\u003eI \u0026lt;3 Ponies!\u003c/b\u003e\n  \u003cbutton onclick=\"foo({\u0026#34;foo\u0026#34;:\u0026#34;\\x22bar\\x22\u0026#34;:42})\"\u003e\n```\n\nThe safe parts are treated as literal chunks of HTML/CSS/JS, and the unsafe\nparts are escaped to preserve security and least-surprise.\n\nFor a more comprehensive example, a template like\n\n```html\n\u003cdiv style=\"color: \u003c%=$self.color%\u003e\"\u003e\n  \u003ca href=\"/\u003c%=$self.color%\u003e?q=\u003c%=$self.world%\u003e\"\n   onclick=\"alert('\u003c% helper($self) %\u003e');return false\"\u003e\n    \u003c% helper($self) %\u003e\n  \u003c/a\u003e\n  \u003cscript\u003e(function () {  // Sleepy developers put sensitive info in comments.\n    var o = \u003c%=$self\u003e,\n        w = \"\u003c%=$self.world%\u003e\";\n  })();\u003c/script\u003e\n\u003c/div\u003e\n\n\u003c% def helper($self) {\n  %\u003eHello, \u003c%=$self.world%\u003e\n\u003c%}%\u003e\n```\n\nmight correspond to the sequence of calls\n\n```java\n // Dummy input values.\n Map $self = ImmutableMap.\u003cString, Object\u003eof(\n     \"world\", \"\u003cCincinatti\u003e\", \"color\", \"blue\");\n Object color = self.get(\"color\"), world = self.get(\"world\");\n // Alternating safe and unsafe writes that implement the template.\n w.writeSafe(\"\u003cdiv style=\\\"color: \");\n w.write    (color);\n w.writeSafe(\"\\\"\u003e\\n\u003ca href=\\\"/\");\n w.write    (color);\n w.writeSafe(\"?q=\");\n w.write    (world);\n w.writeSafe(\"\\\"\\n  onclick=\\\"alert('\");\n helper     (w, $self);\n w.writeSafe(\"');return false\\\"\u003e\\n    \");\n helper     (w, $self);\n w.writeSafe(\"\\n  \u003c/a\u003e\\n  \u003cscript\u003e(function () {\\n    var o = \");\n w.write    ($self);\n w.writeSafe(\",\\n        w = \\\"\");\n w.write    (world);\n w.writeSafe(\"\\\";\\n  })();\u003c/script\u003e\\n\u003c/div\u003e\");\n```\n\nwhich result in the output\n\n```html\n\u003cdiv style=\"color: blue\"\u003e\n  \u003ca href=\"/blue?q=%3cCincinatti%3e\"\n   onclick=\"alert('Hello, \\x3cCincinatti\\x3e!');return false\"\u003e\n    Hello, \u003cCincinatti\u003e!\n  \u003c/a\u003e\n  \u003cscript\u003e(function () {\n    var o = {\"Color\":\"blue\",\"World\":\"\\u003cCincinatti\\u003e\"},\n        w = \"\\x26lt;Cincinatti\\x26gt;\";\n  })();\u003c/script\u003e\n\u003c/div\u003e\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmikesamuel%2Fhtml-contextual-autoescaper-java","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmikesamuel%2Fhtml-contextual-autoescaper-java","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmikesamuel%2Fhtml-contextual-autoescaper-java/lists"}