package org.apache.sling.xss.impl;

import java.io.StringReader;
import java.io.StringWriter;
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;
import javax.json.Json;
import javax.json.JsonReaderFactory;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import org.apache.commons.lang3.StringUtils;
import org.apache.johnzon.core.JsonParserFactoryImpl;
import org.apache.pdfbox.contentstream.operator.OperatorName;
import org.apache.sling.xss.ProtectionContext;
import org.apache.sling.xss.XSSAPI;
import org.apache.sling.xss.XSSFilter;
import org.apache.xpath.XPath;
import org.jetbrains.annotations.NotNull;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Deactivate;
import org.osgi.service.component.annotations.Reference;
import org.owasp.encoder.Encode;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Validator;
import org.owasp.validator.html.Policy;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xml.sax.InputSource;

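@Component(service = {XSSAPI.class}, property = {"service.vendor=The Apache Software Foundation"})
/* reconstructed from input_file:resources/install/0/org.apache.sling.xss-2.2.2.jar:org/apache/sling/xss/impl/XSSAPIImpl.class */
/**
 * Default {@link XSSAPI} implementation.
 *
 * <p>The {@code getValid*} methods are allow-list validators: they return the
 * (possibly normalized) input when it matches a narrow grammar and the supplied
 * default otherwise. The {@code encodeFor*} methods delegate to the OWASP Java
 * Encoder. {@link #getValidHref(String)} and {@link #filterHTML(String)} delegate
 * to the bound {@link XSSFilter}.
 *
 * <p>Changes relative to the shipped 2.2.2 bytecode: {@code getValidJSToken} no
 * longer throws on whitespace-only or single-quote-character input; the SAX
 * factory additionally enables {@code FEATURE_SECURE_PROCESSING} and sets each
 * hardening feature independently so one unsupported feature does not skip the
 * others; the big CSS regex is compiled once; and two decompiler artefacts
 * ({@code OperatorName.SHOW_TEXT_LINE} for {@code "'"} and
 * {@code XPath.MATCH_SCORE_QNAME} for {@code 0.0}) are replaced by the literals,
 * removing the accidental PDFBox/Xalan coupling.
 */
public class XSSAPIImpl implements XSSAPI {

    private static final Logger LOGGER = LoggerFactory.getLogger(XSSAPIImpl.class);

    @Reference
    private XSSFilter xssFilter;

    /** Matches {@code auto}, optionally wrapped in single or double quotes. */
    private static final Pattern PATTERN_AUTO_DIMENSION = Pattern.compile("['\"]?auto['\"]?");

    /** A single quote or double quote character, used to detect a quoted JS literal. */
    private static final Pattern PATTERN_JS_QUOTE = Pattern.compile("['\"]");

    /**
     * Bare JS identifier, dots allowed after the first character. Note this admits
     * member paths such as {@code a.b.c}; it is a lexical check only, not a
     * statement about what the referenced property does.
     */
    private static final Pattern PATTERN_JS_IDENTIFIER = Pattern.compile("[0-9a-zA-Z_$][0-9a-zA-Z_$.]*");

    /** Hex/functional colour notation: {@code #rrggbb}, {@code rgb(...)}, {@code hsla(...)} etc. */
    private static final Pattern PATTERN_CSS_COLOR_FUNCTIONAL =
            Pattern.compile("(?i)[#a-fghlrs(+0-9-.%,) \\t\\n\\x0B\\f\\r]+");

    /** Named colours: letters and whitespace only. */
    private static final Pattern PATTERN_CSS_COLOR_NAME =
            Pattern.compile("(?i)[a-zA-Z \\t\\n\\x0B\\f\\r]+");

    // --- CSS token grammar -------------------------------------------------------
    // Built from the same fragments the original source concatenates; the compiled
    // string is identical to the inlined constant in the 2.2.2 bytecode.

    /** Control characters that are never allowed inside an identifier or unquoted URL. */
    private static final String NON_ASCII = "\\x00\\x08\\x0B\\x0C\\x0E-\\x1F";
    private static final String NUMBER = "[+-]?[\\d]*[\\.]?[\\d]*(?:[e][+-]?\\d+)?";
    private static final String HEX_DIGITS = "#[0-9a-f]*";
    private static final String IDENTIFIER = "-?[a-z_" + NON_ASCII + "][\\w_\\-" + NON_ASCII + "]*";
    /**
     * Quoted string. Backslash is only permitted as an escaped quote, so CSS
     * escape sequences cannot be used to smuggle characters, and a
     * {@code javascript:} prefix is rejected at every position.
     */
    private static final String STRING =
            "\"(?:(?!javascript\\s?:)[^\"^\\\\^\\n]|(?:\\\\\"))*\"|'(?:(?!javascript\\s?:)[^'^\\\\^\\n]|(?:\\\\'))*'";
    private static final String DIMENSION = NUMBER + IDENTIFIER;
    private static final String PERCENT = NUMBER + "%";
    private static final String FUNCTION =
            IDENTIFIER + "\\((?:(?:" + NUMBER + ")|(?:" + IDENTIFIER + ")|(?:[\\s]*)|(?:,))*\\)";
    /**
     * Unquoted {@code url(...)} payload: anything but quotes, parentheses and the
     * control characters above. NOTE(review): unlike {@link #STRING} this branch
     * carries no {@code javascript:} guard; consumers that emit the token into a
     * context where script URLs are honoured must not rely on it.
     */
    private static final String URL_UNQUOTED = "[^\"^'^\\(^\\)^[" + NON_ASCII + "]]*";
    private static final String URL = "url\\((?:(?:" + URL_UNQUOTED + ")|(?:" + STRING + "))\\)";
    private static final String CSS_TOKEN = "(?i)(?:" + NUMBER + ")|(?:" + DIMENSION + ")|(?:" + PERCENT + ")|(?:"
            + HEX_DIGITS + ")|(?:" + IDENTIFIER + ")|(?:" + STRING + ")|(?:" + FUNCTION + ")|(?:" + URL + ")";
    /** Compiled once; the original recompiled this large pattern on every call via {@code String.matches}. */
    private static final Pattern PATTERN_CSS_TOKEN = Pattern.compile(CSS_TOKEN);

    private SAXParserFactory factory;
    private volatile JsonReaderFactory jsonReaderFactory;
    private final Validator validator = ESAPI.validator();

    /**
     * Builds the hardened SAX factory used by {@link #getValidXML(String, String)}
     * and the comment-tolerant JSON reader used by {@link #getValidJSON(String, String)}.
     * The thread context class loader is swapped to this bundle's loader for the
     * duration so JAXP/JSON-P provider lookup resolves inside OSGi, and restored
     * afterwards regardless of outcome.
     */
    @Activate
    protected void activate() {
        ClassLoader previous = Thread.currentThread().getContextClassLoader();
        Thread.currentThread().setContextClassLoader(getClass().getClassLoader());
        try {
            factory = SAXParserFactory.newInstance();
            factory.setValidating(false);
            factory.setNamespaceAware(true);
            // XXE hardening: no external DTD, no external parameter or general entities.
            // Each feature is applied on its own so an unsupported one does not prevent
            // the remaining ones from being set.
            applyParserFeature(Policy.LOAD_EXTERNAL_DTD, false);
            applyParserFeature(Policy.EXTERNAL_PARAM_ENTITIES, false);
            applyParserFeature(Policy.EXTERNAL_GENERAL_ENTITIES, false);
            // Enforces the JAXP entity-expansion and size limits (internal-entity
            // "billion laughs" style inputs are not covered by the three features above).
            applyParserFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);

            Map<String, Object> readerConfig = new HashMap<>();
            // Accept comments on input; re-serialization in getValidJSON drops them.
            readerConfig.put(JsonParserFactoryImpl.SUPPORTS_COMMENTS, true);
            jsonReaderFactory = Json.createReaderFactory(readerConfig);
        } finally {
            Thread.currentThread().setContextClassLoader(previous);
        }
    }

    /**
     * Sets one feature on {@link #factory}, logging (not propagating) failure.
     * NOTE(review): parsing continues with whatever features could be set; if the
     * XXE features cannot be applied the component still activates.
     */
    private void applyParserFeature(String feature, boolean enabled) {
        try {
            factory.setFeature(feature, enabled);
        } catch (Exception e) {
            LOGGER.error("SAX parser configuration error for feature " + feature + ": " + e.getMessage(), e);
        }
    }

    /** Drops the parser factories; calls racing with deactivation fall back to their defaults. */
    @Deactivate
    protected void deactivate() {
        factory = null;
        jsonReaderFactory = null;
    }

    /**
     * Validates an integer in the range [-2e9, 2e9] via ESAPI.
     *
     * @param str the untrusted input
     * @param i   the value returned when {@code str} is null, empty or invalid
     */
    @Override
    public Integer getValidInteger(String str, int i) {
        if (str != null && !str.isEmpty()) {
            try {
                return validator.getValidInteger("XSS", str, -2000000000, 2000000000, false);
            } catch (Exception e) {
                LOGGER.warn("Unable to get a valid integer from the input.", e);
                LOGGER.debug("Integer input: {}", str);
            }
        }
        return i;
    }

    /**
     * Validates a long in the range [-9e18, 9e18] using the project's
     * {@code LongValidationRule}.
     *
     * @param str the untrusted input
     * @param j   the value returned when {@code str} is null, empty or invalid
     */
    @Override
    public Long getValidLong(String str, long j) {
        if (str != null && !str.isEmpty()) {
            try {
                LongValidationRule rule = new LongValidationRule(
                        "number", ESAPI.encoder(), -9000000000000000000L, 9000000000000000000L);
                rule.setAllowNull(false);
                return rule.getValid("XSS", str);
            } catch (Exception e) {
                LOGGER.warn("Unable to get a valid long from the input.", e);
                LOGGER.debug("Long input: {}", str);
            }
        }
        return j;
    }

    /**
     * Validates a double via ESAPI. NOTE(review): the lower bound is {@code 0.0},
     * so negative input falls back to the default — confirm this is intended
     * before relying on it for signed values.
     *
     * @param str the untrusted input
     * @param d   the value returned when {@code str} is null, empty or invalid
     */
    @Override
    public Double getValidDouble(String str, double d) {
        if (str != null && !str.isEmpty()) {
            try {
                return validator.getValidDouble("XSS", str, 0.0, Double.MAX_VALUE, false);
            } catch (Exception e) {
                LOGGER.warn("Unable to get a valid double from the input.", e);
                LOGGER.debug("Double input: {}", str);
            }
        }
        return d;
    }

    /**
     * Validates a CSS/HTML dimension: either {@code auto} (returned as the quoted
     * string {@code "auto"}) or an integer in [-10000, 10000].
     *
     * @param str  the untrusted input
     * @param str2 the value returned when {@code str} is null, empty or invalid
     */
    @Override
    public String getValidDimension(String str, String str2) {
        if (str != null && !str.isEmpty()) {
            if (PATTERN_AUTO_DIMENSION.matcher(str).matches()) {
                return "\"auto\"";
            }
            try {
                return validator.getValidInteger("XSS", str, -10000, 10000, false).toString();
            } catch (Exception e) {
                LOGGER.warn("Unable to get a valid dimension from the input.", e);
                LOGGER.debug("Dimension input: {}", str);
            }
        }
        return str2;
    }

    /**
     * Returns a URL safe to place in an {@code href}/{@code src} attribute, or
     * {@code ""}. Characters that would terminate a quoted attribute or open
     * markup are percent-encoded first; the bound {@link XSSFilter} then decides
     * whether the result is an acceptable href. Any failure fails closed.
     *
     * @param str the untrusted URL
     * @return the encoded URL, or the empty string
     */
    @Override
    @NotNull
    public String getValidHref(String str) {
        if (StringUtils.isEmpty(str)) {
            return "";
        }
        // Literal replacements; none of the substitutions re-introduces another target.
        String encoded = str.replace("\"", "%22")
                .replace("'", "%27")
                .replace(">", "%3E")
                .replace("<", "%3C")
                .replace("`", "%60")
                .replace(" ", "%20");
        try {
            return xssFilter.isValidHref(encoded) ? encoded : "";
        } catch (Throwable th) {
            // Deliberately broad: a validator failure must never let the raw value through.
            LOGGER.warn("Unable to validate URL.", th);
            LOGGER.debug("Passed URL: {}", str);
            return "";
        }
    }

    /**
     * Validates a JavaScript token: either a quoted string literal (its body is
     * re-encoded with {@link #encodeForJSString(String)}) or a bare identifier /
     * dotted member path.
     *
     * <p>Fix: the original called {@code substring(0, 1)} on the trimmed value and
     * {@code substring(1, len - 1)} on a quoted value, which throws for
     * whitespace-only input and for a lone quote character; both now yield the default.
     *
     * @param str  the untrusted token
     * @param str2 the value returned when {@code str} is null, empty or invalid
     */
    @Override
    public String getValidJSToken(String str, String str2) {
        if (str == null || str.isEmpty()) {
            return str2;
        }
        String token = str.trim();
        if (token.isEmpty()) {
            return str2;
        }
        String quote = token.substring(0, 1);
        if (PATTERN_JS_QUOTE.matcher(quote).matches()) {
            // A quoted literal needs both delimiters; a single quote character is not one.
            if (token.length() > 1 && token.endsWith(quote)) {
                String body = token.substring(1, token.length() - 1);
                return quote + encodeForJSString(body) + quote;
            }
            // A token starting with a quote can never match the identifier grammar.
            return str2;
        }
        return PATTERN_JS_IDENTIFIER.matcher(token).matches() ? token : str2;
    }

    /**
     * Validates a single CSS token (number, dimension, percentage, hex colour,
     * identifier, quoted string, simple function call or {@code url(...)}).
     *
     * @param str  the untrusted token
     * @param str2 the value returned when {@code str} is null, empty or invalid
     */
    @Override
    public String getValidStyleToken(String str, String str2) {
        if (str == null || str.isEmpty()) {
            return str2;
        }
        return PATTERN_CSS_TOKEN.matcher(str).matches() ? str : str2;
    }

    /**
     * Validates a CSS colour: hex or functional notation, or a named colour.
     * The input is trimmed; the trimmed value is returned.
     *
     * @param str  the untrusted colour
     * @param str2 the value returned when {@code str} is null, empty or invalid
     */
    @Override
    public String getValidCSSColor(String str, String str2) {
        if (str == null || str.isEmpty()) {
            return str2;
        }
        String color = str.trim();
        boolean valid = PATTERN_CSS_COLOR_FUNCTIONAL.matcher(color).matches()
                || PATTERN_CSS_COLOR_NAME.matcher(color).matches();
        return valid ? color : str2;
    }

    /**
     * Validates text for use inside a {@code /* ... *}{@code /} comment by rejecting
     * the comment terminator. NOTE(review): this is the only check performed; when
     * the comment sits inside an inline HTML {@code <script>} element, a
     * {@code </script>} sequence in the text would still end the element, so
     * callers in that context need further filtering.
     *
     * @param str  the untrusted comment body
     * @param str2 the value returned when {@code str} is null or contains {@code *}{@code /}
     */
    @Override
    public String getValidMultiLineComment(String str, String str2) {
        if (str == null || str.contains("*/")) {
            return str2;
        }
        return str;
    }

    /**
     * Validates JSON by parsing it as an object or array and re-serializing the
     * parsed value, which normalizes whitespace and drops comments. On failure the
     * default is validated the same way; a null/invalid default yields {@code ""}.
     *
     * @param str  the untrusted JSON text
     * @param str2 the fallback JSON text
     */
    @Override
    public String getValidJSON(String str, String str2) {
        if (str == null) {
            return getValidJSON(str2, "");
        }
        String json = str.trim();
        if (json.isEmpty()) {
            return "";
        }
        try {
            return normalizeJson(json);
        } catch (Exception e) {
            // Includes the NPE seen when called after deactivate(); falls back to the default.
            LOGGER.warn("Unable to get valid JSON from the input.", e);
            LOGGER.debug("JSON input:\n{}", json);
        }
        return getValidJSON(str2, "");
    }

    /**
     * Parses {@code json} as an array when no {@code '{'} is present or the first
     * {@code '['} precedes the first {@code '{'}, otherwise as an object, and
     * returns the re-serialized value.
     */
    private String normalizeJson(String json) {
        int objectStart = json.indexOf('{');
        int arrayStart = json.indexOf('[');
        boolean asArray = objectStart < 0 || (arrayStart >= 0 && objectStart >= arrayStart);
        StringWriter out = new StringWriter();
        if (asArray) {
            Json.createGenerator(out).write(jsonReaderFactory.createReader(new StringReader(json)).readArray()).close();
        } else {
            Json.createGenerator(out).write(jsonReaderFactory.createReader(new StringReader(json)).readObject()).close();
        }
        return out.toString();
    }

    /**
     * Validates XML for well-formedness with the hardened SAX factory and returns
     * the trimmed input verbatim. This is a parse check, not a sanitizer: nothing
     * is removed or re-encoded. On failure the default is checked the same way; a
     * null/invalid default yields {@code ""}.
     *
     * @param str  the untrusted XML text
     * @param str2 the fallback XML text
     */
    @Override
    public String getValidXML(String str, String str2) {
        if (str == null) {
            return getValidXML(str2, "");
        }
        String xml = str.trim();
        if (xml.isEmpty()) {
            return "";
        }
        try {
            factory.newSAXParser().getXMLReader().parse(new InputSource(new StringReader(xml)));
            return xml;
        } catch (Exception e) {
            LOGGER.warn("Unable to get valid XML from the input.", e);
            LOGGER.debug("XML input:\n{}", xml);
            return getValidXML(str2, "");
        }
    }

    /** HTML text-content encoding via the OWASP encoder; null in, null out. */
    @Override
    public String encodeForHTML(String str) {
        return str == null ? null : Encode.forHtml(str);
    }

    /** HTML attribute-value encoding via the OWASP encoder; null in, null out. */
    @Override
    public String encodeForHTMLAttr(String str) {
        return str == null ? null : Encode.forHtmlAttribute(str);
    }

    /** XML text-content encoding via the OWASP encoder; null in, null out. */
    @Override
    public String encodeForXML(String str) {
        return str == null ? null : Encode.forXml(str);
    }

    /** XML attribute-value encoding via the OWASP encoder; null in, null out. */
    @Override
    public String encodeForXMLAttr(String str) {
        return str == null ? null : Encode.forXmlAttribute(str);
    }

    /**
     * JavaScript string-literal encoding via the OWASP encoder; null in, null out.
     * The encoder's {@code \-} escape is rewritten as {@code \u005Cu002D}
     * (presumably so the output never contains a literal hyphen — verify against
     * the consuming contexts before changing).
     */
    @Override
    public String encodeForJSString(String str) {
        if (str == null) {
            return null;
        }
        return Encode.forJavaScript(str).replace("\\-", "\\u002D");
    }

    /** CSS string encoding via the OWASP encoder; null in, null out. */
    @Override
    public String encodeForCSSString(String str) {
        return str == null ? null : Encode.forCssString(str);
    }

    /** Delegates HTML sanitization to the bound {@link XSSFilter} in the HTML content context. */
    @Override
    @NotNull
    public String filterHTML(String str) {
        return xssFilter.filter(ProtectionContext.HTML_HTML_CONTENT, str);
    }
}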
