package org.apache.sling.scripting.sightly.impl.engine.extension;

import io.netty.handler.ssl.ApplicationProtocolNames;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Pattern;
import org.apache.batik.css.parser.CSSLexicalUnit;
import org.apache.batik.util.CSSConstants;
import org.apache.felix.bundlerepository.impl.RepositoryParser;
import org.apache.jackrabbit.oak.commons.jmx.ManagementOperation;
import org.apache.jackrabbit.oak.plugins.document.mongo.MongoBlob;
import org.apache.lucene.analysis.wikipedia.WikipediaTokenizer;
import org.apache.sling.scripting.sightly.SightlyException;
import org.apache.sling.scripting.sightly.compiler.RuntimeFunction;
import org.apache.sling.scripting.sightly.compiler.expression.MarkupContext;
import org.apache.sling.scripting.sightly.extension.RuntimeExtension;
import org.apache.sling.scripting.sightly.render.RenderContext;
import org.apache.sling.xss.XSSAPI;
import org.apache.xerces.impl.xs.SchemaSymbols;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;
import org.osgi.service.component.annotations.ReferencePolicyOption;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

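/* loaded from: input_file:WEB-INF/resources/install/0/org.apache.sling.scripting.sightly-1.0.56-1.4.0.jar:org/apache/sling/scripting/sightly/impl/engine/extension/XSSRuntimeExtension.class */
/**
 * Runtime extension backing the HTL {@code xss} runtime function: escapes or filters an
 * expression value according to the requested {@link MarkupContext}.
 *
 * <p>{@link #call(RenderContext, Object...)} takes the value to protect, the context name
 * (a {@link String} resolved through {@link MarkupContext#lookup(String)}) and, optionally,
 * the attribute name, which only matters for the {@code attribute} context. The
 * {@code unsafe} context returns the value untouched; an unknown context name is logged and
 * replaced by the empty string. Escaping is delegated to the {@link XSSAPI} service except
 * for element names, attribute names and numbers, which are validated locally.
 *
 * <p>The decompiled listing this was recovered from had several string literals replaced
 * by equal-valued constants from unrelated libraries (netty, batik, felix, oak, lucene,
 * xerces); they are restored as plain literals here so the class no longer depends on
 * those libraries.
 */
@Component(service = {RuntimeExtension.class}, property = {"org.apache.sling.scripting.sightly.extension.name=xss"})
public class XSSRuntimeExtension implements RuntimeExtension {

    private static final Logger LOG = LoggerFactory.getLogger(XSSRuntimeExtension.class);

    /** The {@code xss} function needs at least the value and the context name. */
    private static final int MIN_ARGUMENTS = 2;

    /** Well-formed attribute name: starts with a letter, underscore or colon, then name characters only. */
    private static final Pattern VALID_ATTRIBUTE = Pattern.compile("^[a-zA-Z_:][\\-a-zA-Z0-9_:.]*$");

    /** Attribute names that can carry script or style and are therefore rejected: {@code style} and any {@code on*} handler. */
    private static final Pattern ATTRIBUTE_BLACKLIST = Pattern.compile("^(style|(on.*))$", Pattern.CASE_INSENSITIVE);

    /**
     * Lower-case HTML element names accepted by the {@code elementName} context. The set is
     * unmodifiable so nothing can widen it at runtime; any other name renders as "".
     */
    private static final Set<String> elementNameWhiteList = Collections.unmodifiableSet(new HashSet<>(Arrays.asList(
            "section", "nav", "article", "aside",
            "h1", "h2", "h3", "h4", "h5", "h6",
            "header", "footer", "address", "main",
            "p", "pre", "blockquote",
            "ul", "ol", "li", "dl", "dt", "dd",
            "figure", "figcaption", "div",
            "a", "em", "strong", "small", "s", "cite", "q", "dfn",
            "abbbr", // sic: kept from the original list; looks like a typo for "abbr" - verify before changing
            "data", "time", "code", "var", "samp", "kbd",
            "sub", "sup", "i", "b", "u", "mark",
            "ruby", "rt", "rp", "bdi", "bdo", "span", "br", "wbr",
            "ins", "del",
            "table", "caption", "colgroup", "col", "tbody", "thead", "tfoot", "tr", "td", "th")));

    @Reference(policyOption = ReferencePolicyOption.GREEDY)
    private XSSAPI xssApi;

    /**
     * Entry point of the {@code xss} runtime function.
     *
     * @param renderContext the current render context; its object model stringifies the value
     * @param objArr        {@code [value, contextName, attributeName?]}
     * @return the escaped value, the original value for the {@code unsafe} context, "" for an
     *         unknown context, or {@code null} when an attribute name is rejected
     * @throws SightlyException if fewer than two arguments are supplied
     */
    @Override // org.apache.sling.scripting.sightly.extension.RuntimeExtension
    public Object call(RenderContext renderContext, Object... objArr) {
        if (objArr.length < MIN_ARGUMENTS) {
            throw new SightlyException(String.format("Extension %s requires at least %d arguments", RuntimeFunction.XSS, MIN_ARGUMENTS));
        }
        Object value = objArr[0];
        Object contextName = objArr[1];
        // Optional third argument: the attribute name, consulted only in the attribute context.
        Object attributeName = objArr.length >= 3 ? objArr[2] : null;
        MarkupContext markupContext = contextName instanceof String ? MarkupContext.lookup((String) contextName) : null;
        if (markupContext == MarkupContext.UNSAFE) {
            // Caller explicitly opted out of escaping; the value passes through untouched.
            return value;
        }
        if (markupContext == null) {
            // Unknown or non-string context: fail closed rather than guess an escaping mode.
            LOG.warn("Expression context {} is invalid, expression will be replaced by the empty string", contextName);
            return "";
        }
        return applyXSSFilter(renderContext.getObjectModel().toString(value), attributeName, markupContext);
    }

    /**
     * Picks the effective context and escapes {@code str} for it. In the attribute context a
     * string attribute name decides between URI and plain attribute-value escaping.
     */
    private String applyXSSFilter(String str, Object attributeName, MarkupContext markupContext) {
        if (markupContext == MarkupContext.ATTRIBUTE && attributeName instanceof String) {
            return applyXSSFilter(str, getAttributeMarkupContext((String) attributeName));
        }
        return applyXSSFilter(str, markupContext);
    }

    /**
     * Escapes {@code str} for a single context, mostly by delegating to {@link XSSAPI}.
     * Contexts not listed in the switch are returned unescaped (NOTE(review): confirm that
     * is intended for any context later added to {@link MarkupContext}).
     */
    private String applyXSSFilter(String str, MarkupContext markupContext) {
        switch (markupContext) {
            case ATTRIBUTE:
                return this.xssApi.encodeForHTMLAttr(str);
            case COMMENT:
            case TEXT:
                return this.xssApi.encodeForHTML(str);
            case ATTRIBUTE_NAME:
                return escapeAttributeName(str);
            case NUMBER:
                return sanitizeNumber(str);
            case URI:
                return this.xssApi.getValidHref(str);
            case SCRIPT_TOKEN:
                return this.xssApi.getValidJSToken(str, "");
            case STYLE_TOKEN:
                return this.xssApi.getValidStyleToken(str, "");
            case SCRIPT_STRING:
                return this.xssApi.encodeForJSString(str);
            case STYLE_STRING:
                return this.xssApi.encodeForCSSString(str);
            case SCRIPT_COMMENT:
            case STYLE_COMMENT:
                return this.xssApi.getValidMultiLineComment(str, "");
            case ELEMENT_NAME:
                return escapeElementName(str);
            case HTML:
                return this.xssApi.filterHTML(str);
            default:
                return str;
        }
    }

    /**
     * Renders {@code str} as a numeric literal. Input containing '.', 'e' or 'E' is parsed as
     * a double, anything else as a long; {@code null} or unparsable input becomes "0".
     * The result is always the re-serialised number, never the input text, so no markup
     * can pass through this context.
     */
    private static String sanitizeNumber(String str) {
        if (str == null) {
            return "0";
        }
        try {
            if (str.contains(".") || str.contains("e") || str.contains("E")) {
                return Double.toString(Double.parseDouble(str));
            }
            return Long.toString(Long.parseLong(str));
        } catch (NumberFormatException e) {
            // Not a number: emit a harmless literal instead of the raw input.
            return "0";
        }
    }

    /**
     * Returns the trimmed element name if it is on the whitelist, otherwise "".
     * {@link Locale#ROOT} keeps the lookup independent of the JVM's default locale
     * (e.g. a Turkish default would lower-case "LI" to a string not in the set).
     */
    private String escapeElementName(String str) {
        String name = str.trim();
        return elementNameWhiteList.contains(name.toLowerCase(Locale.ROOT)) ? name : "";
    }

    /** {@code src} and {@code href} values are URIs; every other attribute gets plain attribute escaping. */
    private MarkupContext getAttributeMarkupContext(String str) {
        boolean isUriAttribute = "src".equalsIgnoreCase(str) || "href".equalsIgnoreCase(str);
        return isUriAttribute ? MarkupContext.URI : MarkupContext.ATTRIBUTE;
    }

    /**
     * Returns the trimmed attribute name if it is well-formed and not sensitive, otherwise
     * {@code null}; the {@code null} propagates unchanged to the caller of {@link #call}.
     */
    private String escapeAttributeName(String str) {
        if (str == null) {
            return null;
        }
        String name = str.trim();
        if (!VALID_ATTRIBUTE.matcher(name).matches() || isSensitiveAttribute(name)) {
            return null;
        }
        return name;
    }

    /** True for attribute names that could introduce script or style ({@code style}, {@code on*}), case-insensitively. */
    private boolean isSensitiveAttribute(String str) {
        return ATTRIBUTE_BLACKLIST.matcher(str).matches();
    }
}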
