package blackboard.util;

import blackboard.platform.config.BbConfig;
import blackboard.platform.config.ConfigurationService;
import blackboard.platform.config.ConfigurationServiceFactory;
import blackboard.platform.filesystem.MultipartRequest;
import blackboard.platform.log.LogServiceFactory;
import blackboard.platform.nautilus.BaseSourceId;
import blackboard.platform.security.SecurityUtil;
import blackboard.platform.security.XssFilter;
import blackboard.platform.security.XssFilterFactory;
import blackboard.platform.security.XssHtmlFilter;
import blackboard.platform.security.XssRequestFilterFactory;
import blackboard.platform.security.authentication.BbSecurityException;
import blackboard.platform.servlet.JspResourceIncludeUtil;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Iterator;
import java.util.Locale;
import java.util.StringTokenizer;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;

/* loaded from: input_file:blackboard/util/XSSUtil.class */
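/**
 * Cross-site-scripting (XSS) helpers: request-parameter access that bypasses the
 * request-level XSS filter, string and HTML sanitisation through the configured
 * {@link XssFilter} chain, URL filtering driven by {@link BbConfig} properties, and
 * primary-key-id ("PkId") request-parameter validation.
 *
 * <p>Sanitisation is skipped for callers holding {@link #XSS_ENTITLEMENT} unless the
 * method's force flag is set; see {@link #isTrusted()}. All methods are static and hold
 * no state; thread-safety is that of the factories and services they delegate to.
 */
public class XSSUtil {
    /** Entitlement whose holders may submit content that is not XSS-filtered. */
    public static final String XSS_ENTITLEMENT = "content.trustedcontent.MODIFY";
    /** Accepted PkId shape: underscore, digits, underscore, digits, underscore. */
    protected static final String VALID_PKID_REGEX = "^_\\d+_\\d+$";
    protected static final Pattern VALID_PKID_PATTERN = Pattern.compile(VALID_PKID_REGEX);
    /** HTML element id: a letter, then letters, digits, '_', ':', '.' or '-' (case-insensitive). */
    private static final Pattern ELEMENT_ID_PATTERN =
        Pattern.compile("^[a-z][0-9A-Z_:\\.-]*$", Pattern.CASE_INSENSITIVE);
    /** Runs of parentheses rewritten by {@link #replaceFileNameInvalidChars(String)}; compiled once. */
    private static final Pattern FILE_NAME_INVALID_CHARS_PATTERN = Pattern.compile("[\\(\\)]+");

    /**
     * Returns the first value of request parameter {@code str} as received, bypassing the
     * request-level XSS filter.
     *
     * @return the first raw value, or {@code null} when the parameter has no values
     */
    public static final String getUnfilteredParameter(HttpServletRequest httpServletRequest, String str) {
        String[] values = getUnfilteredParameterValues(httpServletRequest, str);
        return (values == null || values.length == 0) ? null : values[0];
    }

    /**
     * Returns all values of request parameter {@code str} as received, bypassing the
     * request-level XSS filter. Callers are responsible for sanitising the result.
     */
    public static final String[] getUnfilteredParameterValues(HttpServletRequest httpServletRequest, String str) {
        return XssRequestFilterFactory.getFilter().getUnfilteredParameterValues(httpServletRequest, str);
    }

    /** Multipart variant of {@link #getUnfilteredParameter(HttpServletRequest, String)}. */
    public static final String getUnfilteredParameter(MultipartRequest multipartRequest, String str) {
        return getUnfilteredParameter(multipartRequest.getHttpRequest(), str);
    }

    /** Multipart variant of {@link #getUnfilteredParameterValues(HttpServletRequest, String)}. */
    public static final String[] getUnfilteredParameterValues(MultipartRequest multipartRequest, String str) {
        return getUnfilteredParameterValues(multipartRequest.getHttpRequest(), str);
    }

    /**
     * Returns {@code str} unchanged when it is empty or parses as a syntactically valid
     * {@link URI}; returns the fallback {@code str2} otherwise.
     *
     * <p>This is a syntax check only: a well-formed URI is returned as-is, whatever its
     * scheme. It is distinct from {@link #filterURL(String)}, which applies the configured
     * URL-filter mode.
     *
     * @param str  candidate URL
     * @param str2 value returned when {@code str} is not a valid URI
     */
    public static final String filterUrl(String str, String str2) {
        if (StringUtil.isEmpty(str)) {
            return str;
        }
        try {
            return new URI(str).toString();
        } catch (URISyntaxException e) {
            return str2;
        }
    }

    /** {@link #filter(String, boolean)} without forcing: trusted callers are not filtered. */
    public static final String filter(String str) {
        return filter(str, false);
    }

    /** {@link #filterHtml(String, boolean)} without forcing: trusted callers are not filtered. */
    public static final String filterHtml(String str) {
        return filterHtml(str, false);
    }

    /**
     * Rewrites runs of parentheses in {@code str} to a single underscore and returns the
     * result if the XSS filter accepts it embedded in an anchor tag; otherwise falls back to
     * {@code FileUtil.escapeFileName} on the original string.
     */
    public static String replaceFileNameInvalidChars(String str) {
        Matcher matcher = FILE_NAME_INVALID_CHARS_PATTERN.matcher(str);
        StringBuilder rewritten = new StringBuilder(str);
        while (matcher.find()) {
            // StringUtil.replace edits the builder in place; the matcher keeps walking str.
            StringUtil.replace(rewritten, matcher.group(0), "_");
        }
        // Probe: the rewritten name is only accepted if the filter chain leaves it untouched.
        String probe = "<A href=\"" + rewritten.toString() + "\">";
        return probe.equals(filter(probe)) ? rewritten.toString() : FileUtil.escapeFileName(str);
    }

    /**
     * Passes {@code str} through every configured {@link XssFilter}, in factory order.
     *
     * @param z when {@code true} the filter chain runs even for trusted callers; when
     *          {@code false} a caller holding {@link #XSS_ENTITLEMENT} gets {@code str} back unchanged
     */
    public static final String filter(String str, boolean z) {
        if (!z && isTrusted()) {
            return str;
        }
        String sanitized = str;
        for (XssFilter xssFilter : XssFilterFactory.getFilters()) {
            sanitized = xssFilter.sanitize(sanitized);
        }
        return sanitized;
    }

    /**
     * HTML-aware counterpart of {@link #filter(String, boolean)}: sanitises unless the caller
     * is trusted and {@code z} is {@code false}.
     */
    public static final String filterHtml(String str, boolean z) {
        if (!z && isTrusted()) {
            return str;
        }
        return filterHtmlUntrusted(str);
    }

    /**
     * Sanitises {@code str} through the configured {@link XssHtmlFilter}s regardless of the
     * caller's entitlements. When no HTML filters are configured the generic
     * {@link XssFilter} chain is used instead.
     */
    public static final String filterHtmlUntrusted(String str) {
        String sanitized = str;
        if (XssFilterFactory.getHtmlFilters().isEmpty()) {
            // No HTML-specific filters: fall back to the generic chain so nothing passes unfiltered.
            for (XssFilter xssFilter : XssFilterFactory.getFilters()) {
                sanitized = xssFilter.sanitize(sanitized);
            }
        } else {
            for (XssHtmlFilter htmlFilter : XssFilterFactory.getHtmlFilters()) {
                sanitized = htmlFilter.sanitize(sanitized);
            }
        }
        return sanitized;
    }

    /** Unconditionally HTML-escapes {@code str} via {@code TextFormat.escape}; empty input is returned as-is. */
    public static final String escape(String str) {
        return StringUtil.isEmpty(str) ? str : TextFormat.escape(str);
    }

    /** {@link #escape(String, boolean)} without forcing: trusted callers are not escaped. */
    public static final String escapeUntrusted(String str) {
        return escape(str, false);
    }

    /**
     * HTML-escapes {@code str} when it appears to contain markup.
     *
     * <p>Returns {@code str} unchanged when the caller is trusted and {@code z} is
     * {@code false}, when the string is empty, or when it contains neither {@code "<"} nor the
     * second marker character tested below.
     *
     * @param z force escaping even for trusted callers
     */
    public static final String escape(String str, boolean z) {
        if (!z && isTrusted()) {
            return str;
        }
        if (StringUtil.isEmpty(str)) {
            return str;
        }
        // NOTE(review): the first marker is a decompiler-recovered constant, presumably ">" — confirm.
        boolean looksLikeMarkup = str.contains(JspResourceIncludeUtil.AjaxUtil.LIST_AJAX_MODE_SUFFIX_MARQUEE_TEXT_PART2)
            || str.contains("<");
        return looksLikeMarkup ? TextFormat.escape(str) : str;
    }

    /** {@link #escapeThenFilter(String, boolean)} without forcing. */
    public static final String escapeThenFilterUntrusted(String str) {
        return escapeThenFilter(str, false);
    }

    /** Escapes {@code str} and then runs the result through the XSS filter chain; {@code z} forces both steps. */
    public static final String escapeThenFilter(String str, boolean z) {
        return filter(escape(str, z), z);
    }

    /** {@link #escapeThenFilter(HttpServletRequest, String, boolean)} without forcing. */
    public static final String escapeThenFilterUntrusted(HttpServletRequest httpServletRequest, String str) {
        return escapeThenFilter(httpServletRequest, str, false);
    }

    /**
     * Reads the raw value of request parameter {@code str}, escapes it and then filters it;
     * {@code z} forces both steps even for trusted callers.
     */
    public static final String escapeThenFilter(HttpServletRequest httpServletRequest, String str, boolean z) {
        return filter(escape(getUnfilteredParameter(httpServletRequest, str), z), z);
    }

    /**
     * Filters a URL according to the configured {@code BbConfig.URL_FILTER_MODE}:
     * <ul>
     *   <li>{@code "all"}: the full XSS filter chain, forced;</li>
     *   <li>{@code "relative"} (default): only root-relative paths survive, see
     *       {@link #filterRelativeURLs(String)};</li>
     *   <li>{@code "list"}: a URL equal (case-insensitively) to an entry of
     *       {@code BbConfig.URL_FILTER_ALLOW} passes unchanged, anything else is treated as
     *       {@code "relative"}; an empty allow list behaves like {@code "relative"}.</li>
     * </ul>
     * Any other mode value returns {@code str} unfiltered (fail-open); a misconfigured mode is
     * not reported.
     */
    public static String filterURL(String str) {
        ConfigurationService config = ConfigurationServiceFactory.getInstance();
        String mode = config.getBbProperty(BbConfig.URL_FILTER_MODE, "relative");
        if ("all".equals(mode)) {
            return filter(str, true);
        }
        if ("relative".equals(mode)) {
            return filterRelativeURLs(str);
        }
        if (!"list".equals(mode)) {
            return str;
        }
        String allowList = config.getBbProperty(BbConfig.URL_FILTER_ALLOW, "");
        if (StringUtil.isEmpty(allowList)) {
            return filterRelativeURLs(str);
        }
        // Whole-URL match against the allow list; prefix matches are deliberately not accepted.
        StringTokenizer entries = new StringTokenizer(allowList, BaseSourceId.SEPARATOR);
        while (entries.hasMoreTokens()) {
            if (entries.nextToken().equalsIgnoreCase(str)) {
                return str;
            }
        }
        return filterRelativeURLs(str);
    }

    /**
     * Rejects a PkId parameter value that does not match {@link #VALID_PKID_REGEX}.
     * Nothing is checked when either the name or the value is empty.
     *
     * @param str  parameter name (used only in the log message)
     * @param str2 parameter value to validate
     * @throws BbSecurityException with a generic client-facing message; the offending
     *         name and value are written to the error log, not to the exception
     */
    public static void validatePkIdParameter(String str, String str2) throws BbSecurityException {
        if (StringUtil.notEmpty(str) && StringUtil.notEmpty(str2)
                && !VALID_PKID_PATTERN.matcher(str2).matches()) {
            BbSecurityException failure = new BbSecurityException("Unable to process the request due to an error.");
            // NOTE(review): str2 is request-controlled and logged verbatim — confirm the log
            // service neutralises line breaks, otherwise strip them here before logging.
            LogServiceFactory.getInstance().logError("[SECURITY] PkId Validation Failed: Parameter name: " + str
                + ", parameter value: " + str2 + ". PkIds *must* match regex: " + VALID_PKID_REGEX, failure);
            throw failure;
        }
    }

    /**
     * Extracts parameter {@code str2} from URL {@code str} via {@code UrlUtil.getRequestParameter}
     * and validates it as a PkId. Nothing is checked when either argument is empty.
     *
     * @param str  the URL to read the parameter from
     * @param str2 the parameter name
     */
    public static void validatePkIdParameterFromUrl(String str, String str2) throws BbSecurityException {
        if (StringUtil.notEmpty(str) && StringUtil.notEmpty(str2)) {
            validatePkIdParameter(str2, UrlUtil.getRequestParameter(str, str2));
        }
    }

    /** Returns whether {@code str} is non-empty and matches {@link #ELEMENT_ID_PATTERN}. */
    public static final boolean isValidHtmlElementId(String str) {
        return StringUtil.notEmpty(str) && ELEMENT_ID_PATTERN.matcher(str).matches();
    }

    /**
     * Validates the raw value of request parameter {@code str} as a PkId. Nothing is checked
     * when the request is {@code null} or the name is empty.
     */
    public static void validatePkIdParameterFromRequest(HttpServletRequest httpServletRequest, String str) throws BbSecurityException {
        if (httpServletRequest == null || !StringUtil.notEmpty(str)) {
            return;
        }
        validatePkIdParameter(str, getUnfilteredParameter(httpServletRequest, str));
    }

    /** Returns whether the current user holds {@link #XSS_ENTITLEMENT}. */
    public static final boolean isTrusted() {
        return SecurityUtil.userHasEntitlement(XSS_ENTITLEMENT);
    }

    /**
     * Keeps only root-relative URLs: a leading protocol-relative prefix ({@code "//"} or its
     * percent-encoded form) is reduced one character at a time, the result is forced through
     * the XSS filter chain, and anything that still does not start with {@code "/"} or
     * {@code "%2f"} is replaced by the empty string.
     */
    private static final String filterRelativeURLs(String str) {
        // One character per iteration, so "//host" collapses to "/host".
        while (str.startsWith("//") || str.toLowerCase(Locale.ROOT).startsWith("%2f%2f")) {
            str = str.substring(1);
        }
        // NOTE(review): for the encoded prefix the single-character strip turns "%2f%2f…" into
        // "2f%2f…", which the check below then blanks. Fail-safe, so the behaviour is kept as-is.
        String filtered = filter(str, true);
        if (!str.startsWith("/") && !str.toLowerCase(Locale.ROOT).startsWith("%2f")) {
            filtered = "";
        }
        return filtered;
    }
}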
