package org.apache.ofbiz.base.util;

import java.io.UnsupportedEncodingException;
import java.lang.reflect.InvocationTargetException;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.text.StringEscapeUtils;
import org.apache.ofbiz.base.html.SanitizerCustomPolicy;
import org.apache.ofbiz.htmlreport.util.ReportEncoder;
import org.apache.ofbiz.webtools.artifactinfo.ArtifactInfoFactory;
import org.apache.ofbiz.widget.model.ModelScreenWidget;
import org.owasp.esapi.codecs.Codec;
import org.owasp.esapi.codecs.HTMLEntityCodec;
import org.owasp.esapi.codecs.PercentCodec;
import org.owasp.esapi.codecs.XMLEntityCodec;
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;

/* loaded from: input_file:org/apache/ofbiz/base/util/UtilCodec.class */
public class UtilCodec {
    // Decoders that canonicalize() applies repeatedly; assigned once in the static initializer
    // at the bottom of this class (HTML entity decoding first, then percent decoding).
    private static final List<Codec> codecs;
    // Class name passed as the "module" argument to the Debug logging calls in this file.
    private static final String module = UtilCodec.class.getName();
    // Shared encoder/decoder instances handed out by getEncoder() and getDecoder().
    private static final HtmlEncoder htmlEncoder = new HtmlEncoder();
    private static final XmlEncoder xmlEncoder = new XmlEncoder();
    private static final StringEncoder stringEncoder = new StringEncoder();
    private static final UrlCodec urlCodec = new UrlCodec();
    // Event-handler attribute names consulted by checkStringForHtmlStrictNone(). This is a
    // fixed denylist: a handler name that is not listed here is not recognised by that check,
    // so the list must not be treated as the only control against script injection.
    private static final List<String> jsEventList = Arrays.asList("onAbort", "onActivate", "onAfterPrint", "onAfterUpdate", "onBeforeActivate", "onBeforeCopy", "onBeforeCut", "onBeforeDeactivate", "onBeforeEditFocus", "onBeforePaste", "onBeforePrint", "onBeforeUnload", "onBeforeUpdate", "onBegin", "onBlur", "onBounce", "onCellChange", "onChange", "onClick", "onContextMenu", "onControlSelect", "onCopy", "onCut", "onDataAvailable", "onDataSetChanged", "onDataSetComplete", "onDblClick", "onDeactivate", "onDrag", "onDragEnd", "onDragLeave", "onDragEnter", "onDragOver", "onDragDrop", "onDragStart", "onDrop", "onEnd", "onError", "onErrorUpdate", "onFilterChange", "onFinish", "onFocus", "onFocusIn", "onFocusOut", "onHashChange", "onHelp", "onInput", "onKeyDown", "onKeyPress", "onKeyUp", "onLayoutComplete", "onLoad", "onLoseCapture", "onMediaComplete", "onMediaError", "onMessage", "onMouseDown", "onMouseEnter", "onMouseLeave", "onMouseMove", "onMouseOut", "onMouseOver", "onMouseUp", "onMouseWheel", "onMove", "onMoveEnd", "onMoveStart", "onOffline", "onOnline", "onOutOfSync", "onPaste", "onPause", "onPopState", "onProgress", "onPropertyChange", "onReadyStateChange", "onRedo", "onRepeat", "onReset", "onResize", "onResizeEnd", "onResizeStart", "onResume", "onReverse", "onRowsEnter", "onRowExit", "onRowDelete", "onRowInserted", "onScroll", "onSeek", "onSelect", "onSelectionChange", "onSelectStart", "onStart", "onStop", "onStorage", "onSyncRestored", "onSubmit", "onTimeError", "onTrackChange", "onUndo", "onUnload", "onURLFlip", "seekSegmentTime");

    /* loaded from: input_file:org/apache/ofbiz/base/util/UtilCodec$HtmlEncoder.class */
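    /**
     * HTML encoder and sanitizer.
     *
     * <p>{@link #encode(String)} entity-encodes a value for output, while the {@code sanitize}
     * methods run the value through an OWASP HTML sanitizer policy and return the HTML that the
     * policy lets through. The two are not interchangeable: sanitized output is still markup.
     */
    public static class HtmlEncoder implements SimpleEncoder {
        private HTMLEntityCodec htmlCodec = new HTMLEntityCodec();
        // Characters handed to the codec as its "immune" set, i.e. never entity-encoded.
        private static final char[] IMMUNE_HTML = {',', '.', '-', '_', ' ', ':'};

        /** Default policy added on top of the base sanitizers when no custom policy applies. */
        public static final PolicyFactory PERMISSIVE_POLICY = new HtmlPolicyBuilder()
                .allowWithoutAttributes(new String[]{"html", "body"})
                .allowAttributes(new String[]{"id", "class"}).globally()
                .allowElements(new String[]{"div", "center", "span", "table", "td"})
                .allowWithoutAttributes(new String[]{"html", "body", "div", "span", "table", "td"})
                .allowAttributes(new String[]{"width"}).onElements(new String[]{"table"})
                .toFactory();

        /**
         * Policy added when the content type is {@code "FLEXIBLE_REPORT"}.
         *
         * <p>Security note: this policy allows the {@code onclick} attribute globally and allows
         * form elements with {@code action}/{@code target}. Content sanitized with it can still
         * carry inline script handlers, so it should only ever be applied to report templates
         * from a trusted author, never to end-user input.
         */
        // NOTE(review): ArtifactInfoFactory.FormWidgetInfoTypeId and ModelScreenWidget.Label.TAG_NAME
        // look like decompiler substitutions for plain string literals (presumably "form" and
        // "label") - confirm against the original source before relying on them.
        public static final PolicyFactory BIRT_FLEXIBLE_REPORT_POLICY = new HtmlPolicyBuilder()
                .allowWithoutAttributes(new String[]{"html", "body"})
                .allowElements(new String[]{ArtifactInfoFactory.FormWidgetInfoTypeId, "div", "span", "table", "tr", "td", "input", "textarea", ModelScreenWidget.Label.TAG_NAME, "select", "option"})
                .allowAttributes(new String[]{"id", "class", "name", "value", "onclick"}).globally()
                .allowAttributes(new String[]{"width", "cellspacing"}).onElements(new String[]{"table"})
                .allowAttributes(new String[]{"type", "size", "maxlength"}).onElements(new String[]{"input"})
                .allowAttributes(new String[]{"cols", "rows"}).onElements(new String[]{"textarea"})
                .allowAttributes(new String[]{"class"}).onElements(new String[]{"td"})
                .allowAttributes(new String[]{"method"}).onElements(new String[]{ArtifactInfoFactory.FormWidgetInfoTypeId})
                .allowAttributes(new String[]{"accept", "action", "accept-charset", "autocomplete", "enctype", "method", "name", "novalidate", "target"}).onElements(new String[]{ArtifactInfoFactory.FormWidgetInfoTypeId})
                .toFactory();

        /**
         * Entity-encodes {@code str} with the ESAPI HTML entity codec.
         *
         * @param str the value to encode, may be {@code null}
         * @return the encoded value, or {@code null} when {@code str} is {@code null}
         */
        @Override
        public String encode(String str) {
            if (str == null) {
                return null;
            }
            return this.htmlCodec.encode(IMMUNE_HTML, str);
        }

        /**
         * Sanitizes {@code str} with the default content type.
         *
         * @param str the HTML to sanitize, may be {@code null}
         * @return the sanitized HTML, or {@code null} when {@code str} is {@code null}
         */
        @Override
        public String sanitize(String str) {
            return sanitize(str, null);
        }

        /**
         * Sanitizes {@code str} with the base OWASP sanitizers plus one permissive policy.
         *
         * <p>Security notes:
         * <ul>
         *   <li>When the {@code sanitizer.enable} property of the {@code owasp} resource is
         *       {@code false}, the input is returned <em>unchanged</em>; callers get no
         *       protection at all in that configuration.</li>
         *   <li>When {@code sanitizer.permissive.policy} is {@code CUSTOM}, the class named by
         *       {@code sanitizer.custom.permissive.policy.class} is loaded reflectively, so that
         *       property must only be writable by administrators.</li>
         * </ul>
         *
         * @param str the HTML to sanitize, may be {@code null}
         * @param str2 the content type; {@code "FLEXIBLE_REPORT"} additionally applies
         *        {@link #BIRT_FLEXIBLE_REPORT_POLICY}
         * @return the sanitized HTML, or {@code null} when {@code str} is {@code null}
         */
        @Override
        public String sanitize(String str, String str2) {
            if (str == null) {
                return null;
            }
            if (!UtilProperties.getPropertyAsBoolean("owasp", "sanitizer.enable", true).booleanValue()) {
                return str;
            }
            PolicyFactory and = Sanitizers.FORMATTING.and(Sanitizers.BLOCKS).and(Sanitizers.IMAGES).and(Sanitizers.LINKS).and(Sanitizers.STYLES);
            if ("FLEXIBLE_REPORT".equals(str2)) {
                and = and.and(BIRT_FLEXIBLE_REPORT_POLICY);
            }
            if ("CUSTOM".equals(UtilProperties.getPropertyValue("owasp", "sanitizer.permissive.policy"))) {
                PolicyFactory policyFactory = null;
                try {
                    String className = UtilProperties.getPropertyValue("owasp", "sanitizer.custom.permissive.policy.class");
                    Class<?> cls = Class.forName(className);
                    // Check the type before instantiating, so the constructor of a class that is
                    // not a SanitizerCustomPolicy is never executed.
                    if (SanitizerCustomPolicy.class.isAssignableFrom(cls)) {
                        Object instance = cls.getDeclaredConstructor().newInstance();
                        policyFactory = (PolicyFactory) cls.getMethod("getSanitizerPolicy", new Class[0]).invoke(instance, new Object[0]);
                    } else {
                        Debug.logError("Custom permissive sanitizer policy class [" + className + "] does not implement SanitizerCustomPolicy. Using default instead", UtilCodec.module);
                    }
                } catch (ClassNotFoundException | IllegalAccessException | IllegalArgumentException | InstantiationException | NoSuchMethodException | SecurityException | InvocationTargetException e) {
                    Debug.logError(e, "Could not find custom permissive sanitizer policy. Using default instead", UtilCodec.module);
                }
                if (policyFactory != null) {
                    return and.and(policyFactory).sanitize(str);
                }
            }
            // Fallback for the non-CUSTOM setting and for a custom policy that could not be loaded.
            return and.and(PERMISSIVE_POLICY).sanitize(str);
        }
    }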

    /* loaded from: input_file:org/apache/ofbiz/base/util/UtilCodec$HtmlEncodingMapWrapper.class */
    /**
     * Map view that encodes String values when they are read through {@link #get(Object)}.
     *
     * <p>Security note: only {@code get} encodes. {@link #values()}, {@link #entrySet()} and
     * {@link #toString()} delegate straight to the backing map and therefore expose the raw,
     * unencoded values. Code that renders values obtained through those methods must encode
     * them itself.
     *
     * <p>Every method dereferences the backing map, so the wrapper must not be used before
     * {@link #setup(Map, SimpleEncoder)} or after {@link #reset()}.
     *
     * @param <K> the key type of the wrapped map
     */
    public static class HtmlEncodingMapWrapper<K> implements Map<K, Object> {
        protected Map<K, Object> internalMap = null;
        protected SimpleEncoder encoder = null;

        /**
         * Wraps {@code map} so that String values read with {@code get} are encoded.
         *
         * @param map the map to wrap, may be {@code null}
         * @param simpleEncoder the encoder to apply; when {@code null}, {@code get} uses the
         *        encoder returned by {@code UtilCodec.getEncoder("html")}
         * @return the wrapper, or {@code null} when {@code map} is {@code null}
         */
        public static <K> HtmlEncodingMapWrapper<K> getHtmlEncodingMapWrapper(Map<K, Object> map, SimpleEncoder simpleEncoder) {
            if (map != null) {
                HtmlEncodingMapWrapper<K> wrapper = new HtmlEncodingMapWrapper<>();
                wrapper.setup(map, simpleEncoder);
                return wrapper;
            }
            return null;
        }

        /** Instances are created through {@link #getHtmlEncodingMapWrapper(Map, SimpleEncoder)}. */
        protected HtmlEncodingMapWrapper() {
        }

        /** Binds this wrapper to a backing map and an encoder. */
        public void setup(Map<K, Object> map, SimpleEncoder simpleEncoder) {
            internalMap = map;
            encoder = simpleEncoder;
        }

        /** Drops the references to the backing map and the encoder. */
        public void reset() {
            internalMap = null;
            encoder = null;
        }

        @Override
        public int size() {
            return internalMap.size();
        }

        @Override
        public boolean isEmpty() {
            return internalMap.isEmpty();
        }

        @Override
        public boolean containsKey(Object obj) {
            return internalMap.containsKey(obj);
        }

        @Override
        public boolean containsValue(Object obj) {
            return internalMap.containsValue(obj);
        }

        /**
         * Returns the value for {@code obj}: Strings are encoded, nested Maps are wrapped with
         * the same encoder, and every other value is returned as stored.
         */
        @Override
        public Object get(Object obj) {
            Object raw = internalMap.get(obj);
            if (raw instanceof String) {
                // Fall back to the HTML encoder when this wrapper was set up without one.
                SimpleEncoder active = (encoder != null) ? encoder : UtilCodec.getEncoder("html");
                return active.encode((String) raw);
            }
            if (raw instanceof Map) {
                return getHtmlEncodingMapWrapper(UtilGenerics.checkMap(raw), encoder);
            }
            return raw;
        }

        @Override
        public Object put(K k, Object obj) {
            return internalMap.put(k, obj);
        }

        @Override
        public Object remove(Object obj) {
            return internalMap.remove(obj);
        }

        @Override
        public void putAll(Map<? extends K, ? extends Object> map) {
            internalMap.putAll(map);
        }

        @Override
        public void clear() {
            internalMap.clear();
        }

        @Override
        public Set<K> keySet() {
            return internalMap.keySet();
        }

        /** Returns the backing map's values without encoding them. */
        @Override
        public Collection<Object> values() {
            return internalMap.values();
        }

        /** Returns the backing map's entries without encoding their values. */
        @Override
        public Set<Map.Entry<K, Object>> entrySet() {
            return internalMap.entrySet();
        }

        /** Returns the backing map's string form; values in it are not encoded. */
        @Override
        public String toString() {
            return internalMap.toString();
        }
    }

    /* loaded from: input_file:org/apache/ofbiz/base/util/UtilCodec$IntrusionException.class */
    /**
     * Unchecked exception thrown by the strict modes of {@code canonicalize} when the input
     * shows multiple or mixed encoding.
     */
    public static class IntrusionException extends GeneralRuntimeException {
        /**
         * @param str the detail message
         */
        public IntrusionException(String str) {
            super(str);
        }
    }

    /* loaded from: input_file:org/apache/ofbiz/base/util/UtilCodec$SimpleDecoder.class */
    /** Decodes a String from one specific encoding. */
    public interface SimpleDecoder {
        /**
         * Decodes {@code str}.
         *
         * @param str the encoded value
         * @return the decoded value
         */
        String decode(String str);
    }

    /* loaded from: input_file:org/apache/ofbiz/base/util/UtilCodec$SimpleEncoder.class */
    /**
     * Encodes or sanitizes a String for one specific output context.
     *
     * <p>Among the implementations in this file, only the HTML one sanitizes separately from
     * encoding; the others implement both {@code sanitize} variants by calling {@code encode}.
     */
    public interface SimpleEncoder {
        /**
         * Encodes {@code str} for the implementation's output context.
         *
         * @param str the value to encode
         * @return the encoded value
         */
        String encode(String str);

        /**
         * Sanitizes {@code str} with the implementation's default content type.
         *
         * @param str the value to sanitize
         * @return the sanitized value
         */
        String sanitize(String str);

        /**
         * Sanitizes {@code str} for the given content type.
         *
         * @param str the value to sanitize
         * @param str2 the content type; implementations may ignore it
         * @return the sanitized value
         */
        String sanitize(String str, String str2);
    }

    /* loaded from: input_file:org/apache/ofbiz/base/util/UtilCodec$StringEncoder.class */
    /**
     * Encoder for values placed inside a double-quoted string.
     *
     * <p>Security note: the only transformation is {@code "} to {@code \"}. Backslashes, single
     * quotes, line terminators and markup characters pass through unchanged, so this is not a
     * complete escaper for JavaScript, JSON or HTML contexts; use a context-specific encoder
     * for untrusted data.
     */
    public static class StringEncoder implements SimpleEncoder {
        /**
         * Prefixes every double quote in {@code str} with a backslash.
         *
         * @param str the value to encode, may be {@code null}
         * @return the encoded value, or {@code null} when {@code str} is {@code null}
         */
        @Override
        public String encode(String str) {
            return str == null ? null : str.replace("\"", "\\\"");
        }

        /** Same as {@link #encode(String)}; no separate sanitizing is done. */
        @Override
        public String sanitize(String str) {
            return sanitize(str, null);
        }

        /** Same as {@link #encode(String)}; the content type is ignored. */
        @Override
        public String sanitize(String str, String str2) {
            return encode(str);
        }
    }

    /* loaded from: input_file:org/apache/ofbiz/base/util/UtilCodec$UrlCodec.class */
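    /**
     * URL (percent) encoder and decoder.
     *
     * <p>Both directions return {@code null} for {@code null} input, matching the HTML and XML
     * encoders in this file, and also return {@code null} when the charset is reported as
     * unsupported. Callers have to handle a {@code null} result.
     */
    // NOTE(review): ReportEncoder.ENCODING_UTF_8 looks like a decompiler substitution for a
    // plain charset literal (presumably "UTF-8") - confirm against the original source.
    public static class UrlCodec implements SimpleEncoder, SimpleDecoder {
        /**
         * Percent-encodes {@code str}.
         *
         * @param str the value to encode, may be {@code null}
         * @return the encoded value, or {@code null} when {@code str} is {@code null} or the
         *         charset is unsupported
         */
        @Override
        public String encode(String str) {
            // URLEncoder.encode throws NullPointerException on null input.
            if (str == null) {
                return null;
            }
            try {
                return URLEncoder.encode(str, ReportEncoder.ENCODING_UTF_8);
            } catch (UnsupportedEncodingException e) {
                Debug.logError(e, UtilCodec.module);
                return null;
            }
        }

        /** Same as {@link #encode(String)}; no separate sanitizing is done. */
        @Override
        public String sanitize(String str) {
            return sanitize(str, null);
        }

        /** Same as {@link #encode(String)}; the content type is ignored. */
        @Override
        public String sanitize(String str, String str2) {
            return encode(str);
        }

        /**
         * Percent-decodes {@code str} once.
         *
         * <p>The non-strict {@code canonicalize} call is used for detection only: it logs a
         * warning on multiple or mixed encoding, and its return value is deliberately not used.
         * The value returned here is therefore a single decoding pass over the original input
         * and may still contain encoded sequences; callers must not treat it as canonical.
         * {@link URLDecoder#decode(String, String)} throws {@link IllegalArgumentException} on
         * malformed percent sequences, and that exception is not caught here.
         *
         * @param str the value to decode, may be {@code null}
         * @return the decoded value, or {@code null} when {@code str} is {@code null} or the
         *         charset is unsupported
         */
        @Override
        public String decode(String str) {
            // URLDecoder.decode throws NullPointerException on null input.
            if (str == null) {
                return null;
            }
            try {
                UtilCodec.canonicalize(str);
                return URLDecoder.decode(str, ReportEncoder.ENCODING_UTF_8);
            } catch (UnsupportedEncodingException e) {
                Debug.logError(e, UtilCodec.module);
                return null;
            }
        }
    }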

    /* loaded from: input_file:org/apache/ofbiz/base/util/UtilCodec$XmlEncoder.class */
    /** XML entity encoder backed by the ESAPI {@code XMLEntityCodec}. */
    public static class XmlEncoder implements SimpleEncoder {
        // Characters handed to the codec as its "immune" set, i.e. never entity-encoded.
        private static final char[] IMMUNE_XML = {',', '.', '-', '_', ' '};
        private XMLEntityCodec xmlCodec = new XMLEntityCodec();

        /**
         * Entity-encodes {@code str} for XML output.
         *
         * @param str the value to encode, may be {@code null}
         * @return the encoded value, or {@code null} when {@code str} is {@code null}
         */
        @Override
        public String encode(String str) {
            return str == null ? null : xmlCodec.encode(IMMUNE_XML, str);
        }

        /** Same as {@link #encode(String)}; no separate sanitizing is done. */
        @Override
        public String sanitize(String str) {
            return sanitize(str, null);
        }

        /** Same as {@link #encode(String)}; the content type is ignored. */
        @Override
        public String sanitize(String str, String str2) {
            return encode(str);
        }
    }

    /**
     * Looks up the shared encoder for an output context.
     *
     * <p>Returns {@code null} for an unknown or {@code null} type. Callers must check the
     * result: skipping encoding because no encoder was found leaves the value unencoded.
     *
     * @param str one of {@code "url"}, {@code "xml"}, {@code "html"} or {@code "string"}
     * @return the matching encoder, or {@code null} when the type is not recognised
     */
    public static SimpleEncoder getEncoder(String str) {
        // A switch on a null String would throw, whereas the lookup is defined to return null.
        if (str == null) {
            return null;
        }
        switch (str) {
            case "url":
                return urlCodec;
            case "xml":
                return xmlEncoder;
            case "html":
                return htmlEncoder;
            case "string":
                return stringEncoder;
            default:
                return null;
        }
    }

    /**
     * Looks up the shared decoder for an encoding.
     *
     * @param str the decoder type; only {@code "url"} is supported
     * @return the URL decoder, or {@code null} for any other type including {@code null}
     */
    public static SimpleDecoder getDecoder(String str) {
        return "url".equals(str) ? urlCodec : null;
    }

    /**
     * Canonicalizes {@code str} in non-strict mode: multiple or mixed encoding is logged as a
     * warning and never rejected.
     *
     * @param str the value to canonicalize, may be {@code null}
     * @return the fully decoded value, or {@code null} when {@code str} is {@code null}
     */
    public static String canonicalize(String str) throws IntrusionException {
        final boolean strict = false;
        return canonicalize(str, strict, strict);
    }

    /**
     * Canonicalizes {@code str}, using the same strictness for multiple and for mixed encoding.
     *
     * @param str the value to canonicalize, may be {@code null}
     * @param z {@code true} to throw on multiple or mixed encoding, {@code false} to only log
     * @return the fully decoded value, or {@code null} when {@code str} is {@code null}
     * @throws IntrusionException when {@code z} is {@code true} and multiple or mixed encoding
     *         is detected
     */
    public static String canonicalize(String str, boolean z) throws IntrusionException {
        final boolean restrictMultiple = z;
        final boolean restrictMixed = z;
        return canonicalize(str, restrictMultiple, restrictMixed);
    }

    /**
     * Decodes {@code str} with every configured codec until a full pass changes nothing, and
     * reports multiple (repeated) and mixed (more than one codec) encoding.
     *
     * @param str the value to canonicalize, may be {@code null}
     * @param z {@code true} to throw when multiple encoding is detected
     * @param z2 {@code true} to throw when mixed encoding is detected
     * @return the fully decoded value, or {@code null} when {@code str} is {@code null}
     * @throws IntrusionException when a detected condition is restricted by {@code z} or
     *         {@code z2}
     */
    // NOTE(review): the warning messages embed the raw input. That value may be
    // attacker-controlled, so the log sink should neutralise line breaks and these entries
    // should be handled as potentially sensitive.
    public static String canonicalize(String str, boolean z, boolean z2) {
        if (str == null) {
            return null;
        }
        String working = str;
        Codec lastChanged = null;
        int mixedCount = 1;
        int foundCount = 0;
        boolean clean;
        do {
            clean = true;
            for (Codec candidate : codecs) {
                String before = working;
                working = candidate.decode(working);
                if (before.equals(working)) {
                    continue;
                }
                // A change made by a different codec than the previous one means mixed encoding.
                if (lastChanged != null && lastChanged != candidate) {
                    mixedCount++;
                }
                lastChanged = candidate;
                // Count at most one "found" per pass over the codec list.
                if (clean) {
                    foundCount++;
                }
                clean = false;
            }
        } while (!clean);

        boolean multiple = foundCount >= 2;
        boolean mixed = mixedCount > 1;
        if (multiple && mixed) {
            if (z || z2) {
                throw new IntrusionException("Input validation failure");
            }
            Debug.logWarning("Multiple (" + foundCount + "x) and mixed encoding (" + mixedCount + "x) detected in " + str, module);
        } else if (multiple) {
            if (z) {
                throw new IntrusionException("Input validation failure");
            }
            Debug.logWarning("Multiple (" + foundCount + "x) encoding detected in " + str, module);
        } else if (mixed) {
            if (z2) {
                throw new IntrusionException("Input validation failure");
            }
            Debug.logWarning("Mixed encoding (" + mixedCount + "x) detected in " + str, module);
        }
        return working;
    }

    /**
     * Validates a value that must not contain any HTML, appending one message to {@code list}
     * for each rule that fails.
     *
     * <p>The rules are: strict canonicalization (no double or mixed encoding), no {@code <} or
     * {@code >}, and no recognised JavaScript event-handler name. When canonicalization fails,
     * the remaining rules run against the original, non-canonicalized value.
     *
     * <p>Security note: the event-handler rule is a heuristic. It looks at the text between the
     * first {@code " on"} and the next {@code "="} and compares it with a fixed list of names,
     * so it should be treated as defense in depth and combined with output encoding rather
     * than relied on alone. The error log entry contains the raw value.
     *
     * @param str the field name used in messages
     * @param str2 the value to check
     * @param list receives the validation messages
     * @param locale the locale for messages; the {@code "test"} locale selects fixed English text
     * @return the canonicalized value, or the original value when it is empty or when
     *         canonicalization failed
     */
    public static String checkStringForHtmlStrictNone(String str, String str2, List<String> list, Locale locale) {
        if (UtilValidate.isEmpty(str2)) {
            return str2;
        }
        try {
            str2 = canonicalize(str2, true);
        } catch (IntrusionException e) {
            Debug.logError("Canonicalization (format consistency, character escaping that is mixed or double, etc) error for attribute named [" + str + "], String [" + str2 + "]: " + e.toString(), module);
            String prefix;
            if (locale.equals(new Locale("test"))) {
                prefix = "In field [" + str + "] found character escaping (mixed or double) that is not allowed or other format consistency error: ";
            } else {
                prefix = UtilProperties.getMessage("SecurityUiLabels", "PolicyNoneMixedOrDouble", (Map<String, ? extends Object>) UtilMisc.toMap("valueName", str), locale);
            }
            list.add(prefix + e.toString());
        }

        if (str2.contains("<") || str2.contains(">")) {
            String message;
            if (locale.equals(new Locale("test"))) {
                message = "In field [" + str + "] less-than (<) and greater-than (>) symbols are not allowed.";
            } else {
                message = UtilProperties.getMessage("SecurityUiLabels", "PolicyNoneLess-thanGreater-than", (Map<String, ? extends Object>) UtilMisc.toMap("valueName", str), locale);
            }
            list.add(message);
        }

        // substringBetween returns null when no " on...=" span exists; the concatenation then
        // yields "onnull", which is not contained in any listed event name.
        String handlerCandidate = "on" + StringUtils.substringBetween(str2, " on", "=");
        boolean eventFound = false;
        for (String eventName : jsEventList) {
            if (StringUtils.containsIgnoreCase(eventName, handlerCandidate)) {
                eventFound = true;
                break;
            }
        }
        if (eventFound || str2.contains("seekSegmentTime")) {
            String message;
            if (locale.equals(new Locale("test"))) {
                message = "In field [" + str + "] Javascript events are not allowed.";
            } else {
                message = UtilProperties.getMessage("SecurityUiLabels", "PolicyNoneJsEvents", (Map<String, ? extends Object>) UtilMisc.toMap("valueName", str), locale);
            }
            list.add(message);
        }
        return str2;
    }

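    /**
     * Validates a value against the configured "safe" HTML policy and appends a message to
     * {@code list} when the value is not accepted.
     *
     * <p>The value is accepted only when sanitizing it with the custom policy and unescaping
     * the result gives back exactly the input. The policy class is named by the
     * {@code sanitizer.custom.safe.policy.class} property of the {@code owasp} resource and is
     * loaded reflectively, so that property must only be writable by administrators.
     *
     * <p>The check fails closed: when the policy cannot be loaded, does not implement
     * {@code SanitizerCustomPolicy}, or yields no policy, the value is reported as not
     * accepted. Previously a missing policy ended in a {@link NullPointerException}.
     *
     * @param str the field name used in messages
     * @param str2 the value to check, may be {@code null}
     * @param list receives the validation message
     * @param locale the locale for messages; the {@code "test"} locale selects the test policy
     *        class and fixed English text
     * @param z {@code false} disables the check, and the value is returned without inspection
     * @return {@code str2}, unchanged in every case
     */
    public static String checkStringForHtmlSafe(String str, String str2, List<String> list, Locale locale, boolean z) {
        // Nothing to validate when the check is switched off or there is no value.
        if (!z || str2 == null) {
            return str2;
        }
        PolicyFactory policyFactory = null;
        try {
            Class<?> cls = locale.equals(new Locale("test")) ? Class.forName("org.apache.ofbiz.base.html.CustomSafePolicy") : Class.forName(UtilProperties.getPropertyValue("owasp", "sanitizer.custom.safe.policy.class"));
            // Check the type before instantiating, so the constructor of a class that is not a
            // SanitizerCustomPolicy is never executed.
            if (SanitizerCustomPolicy.class.isAssignableFrom(cls)) {
                Object instance = cls.getDeclaredConstructor().newInstance();
                policyFactory = (PolicyFactory) cls.getMethod("getSanitizerPolicy", new Class[0]).invoke(instance, new Object[0]);
            } else {
                Debug.logError("Custom safe sanitizer policy class [" + cls.getName() + "] does not implement SanitizerCustomPolicy; the input will be rejected", module);
            }
        } catch (ClassNotFoundException | IllegalAccessException | IllegalArgumentException | InstantiationException | NoSuchMethodException | SecurityException | InvocationTargetException e) {
            Debug.logError(e, "Could not load custom safe sanitizer policy; the input cannot be checked and will be rejected", module);
        }
        // Without a policy the input cannot be verified, so it is treated as not accepted.
        boolean accepted = policyFactory != null && str2.equals(StringEscapeUtils.unescapeHtml4(policyFactory.sanitize(str2)));
        if (!accepted) {
            list.add(locale.equals(new Locale("test")) ? "In field [" + str + "] by our input policy, your input has not been accepted for security reason. Please check and modify accordingly, thanks." : UtilProperties.getMessage("SecurityUiLabels", "PolicySafe", (Map<String, ? extends Object>) UtilMisc.toMap("valueName", str), locale));
        }
        return str2;
    }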

    // Builds the read-only decoder list used by canonicalize(). The order is significant:
    // HTML entity decoding is attempted before percent decoding on every pass.
    static {
        List<Codec> decoders = new ArrayList<>(2);
        decoders.add(new HTMLEntityCodec());
        decoders.add(new PercentCodec());
        codecs = Collections.unmodifiableList(decoders);
    }
}
