public class InjectionDefense extends Object
This class verifies that the parameter substitutions do not inject additional
expressions, and that the parameters are strings, valid numbers, or valid expressions
producing the expected number of sub-expressions. The idea is not to provide full type
safety but rather to heuristically prevent the injection of malicious expressions. The
template expression and the parameters supplied must not contain comments, since an
injected comment could be used to hide one or more of the expected expressions from the
check. Use stripComments(String) to remove comments from both the template and each
parameter before they are supplied.
Valid patterns for parameters are:
| Constructor and Description |
|---|
| InjectionDefense(String exprString) |

| Modifier and Type | Method and Description |
|---|---|
| void | addParameter(String param) |
| StreamExpression | safeExpression() Provides an expression that is guaranteed to have the expected number of sub-expressions. |
| String | safeExpressionString() Provides a string that is guaranteed to parse to a legal expression and to have the expected number of sub-expressions. |
| static String | stripComments(String exprString) |
public InjectionDefense(String exprString)
public void addParameter(String param)
public StreamExpression safeExpression()
public String safeExpressionString()
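The following is an added usage example written for this page; it is not code from the Solr project or from this Javadoc. It shows the naive string concatenation that makes streaming-expression injection possible beside the same query built through InjectionDefense. It assumes the placeholder syntax used in the Solr source (`?$?` for a string parameter, `?#?` for a number, `?(n)?` for an expression that must add exactly n sub-expressions), which the parameter list on this page does not reproduce; that parameters are bound to placeholders in the order addParameter is called; and that a failed check surfaces as an unchecked exception. The `secrets` collection and the hostile inputs are constructed for illustration.

```java
// Added example (not Solr project code): building a streaming expression from untrusted
// input with InjectionDefense, beside the naive concatenation it replaces.
import org.apache.solr.client.solrj.io.stream.expr.InjectionDefense;
import org.apache.solr.client.solrj.io.stream.expr.StreamExpression;

public class SafeStreamingExpressionExample {

    // Placeholder syntax assumed from the Solr source (this page's list is missing):
    //   ?$?    string parameter, quoted on substitution
    //   ?#?    numeric parameter, must be a valid number
    //   ?(n)?  expression parameter that must add exactly n sub-expressions
    static final String SEARCH_TEMPLATE =
        "search(collection1, q=?$?, fl=\"id,score\", rows=?#?, sort=\"score desc\")";
    static final String TOP_TEMPLATE =
        "top(n=?#?, ?(1)?, sort=\"score desc\")";

    /** Vulnerable: untrusted values are concatenated straight into the expression text. */
    static String unsafeSearch(String q, String rows) {
        return "search(collection1, q=\"" + q + "\", fl=\"id,score\", rows=" + rows
                + ", sort=\"score desc\")";
    }

    /** Hardened: strip comments, bind parameters to placeholders, verify the result. */
    static String safeSearch(String q, String rows) {
        // Comments must be removed from the template and from every parameter, otherwise
        // a comment could hide part of the expression from the sub-expression count.
        InjectionDefense defense =
            new InjectionDefense(InjectionDefense.stripComments(SEARCH_TEMPLATE));
        defense.addParameter(InjectionDefense.stripComments(q));     // bound to ?$? (assumed in order)
        defense.addParameter(InjectionDefense.stripComments(rows));  // bound to ?#?
        // Throws (assumed unchecked) if the filled-in string does not parse or does not
        // contain exactly the expected number of sub-expressions.
        return defense.safeExpressionString();
    }

    /** Hardened with an expression-typed parameter: the inner stream must add exactly one sub-expression. */
    static StreamExpression safeTop(String n, String innerStream) {
        InjectionDefense defense =
            new InjectionDefense(InjectionDefense.stripComments(TOP_TEMPLATE));
        defense.addParameter(InjectionDefense.stripComments(n));            // ?#?
        defense.addParameter(InjectionDefense.stripComments(innerStream));  // ?(1)?
        return defense.safeExpression();
    }

    static void attempt(String label, Runnable r) {
        try {
            r.run();
            System.out.println(label + ": accepted");
        } catch (RuntimeException e) {
            System.out.println(label + ": rejected -> " + e.getMessage());
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: one benign, one that closes the search early and appends a
        // second search over another collection ("secrets" is a made-up collection name).
        String benignRows = "10";
        String hostileRows = "10), search(secrets, q=\"*:*\", fl=\"id\", sort=\"id asc\"";

        // Concatenation happily produces text containing two search expressions.
        System.out.println(unsafeSearch("title:solr", hostileRows));

        attempt("benign rows", () -> safeSearch("title:solr", benignRows));
        // Not a valid number, and the result would carry an extra sub-expression.
        attempt("hostile rows", () -> safeSearch("title:solr", hostileRows));

        String oneStream =
            "search(collection1, q=\"title:solr\", fl=\"id,score\", sort=\"score desc\")";
        String twoStreams =
            oneStream + ", search(secrets, q=\"*:*\", fl=\"id\", sort=\"id asc\")";
        attempt("one inner stream", () -> safeTop("5", oneStream));
        // ?(1)? promised one sub-expression; two were supplied, so the count check fails.
        attempt("two inner streams", () -> safeTop("5", twoStreams));
    }
}
```

The check is a count, not a type system: it catches a parameter that smuggles in an expression the template did not promise, but it does not validate what the promised expressions do. Run stripComments over every parameter, not just the template, so that an attacker cannot use a comment to hide part of an expression from that count.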
Copyright © 2000-2021 Apache Software Foundation. All Rights Reserved.