package blackboard.util;

import blackboard.data.course.CourseMembership;
import blackboard.data.user.User;
import blackboard.db.CIConstants;
import blackboard.platform.BbServiceManager;
import blackboard.platform.context.Context;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/* loaded from: input_file:blackboard/util/XSSUtil.class */
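/**
 * Static helpers that encode or neutralise markup in strings before they are written into HTML.
 *
 * <p>Two strategies are offered:
 * <ul>
 *   <li>{@link #render(String)} entity-encodes a fixed set of characters. It escapes only the
 *       characters listed in that method (not backslash, backtick or line terminators), so its
 *       output is meant for HTML text and quoted attribute values.</li>
 *   <li>{@link #filter(String)} / {@link #filterHtml} keep the markup but rename constructs that
 *       match a regular-expression blocklist by prefixing them with {@code disabled-}.
 *       {@link #checkHtml} reports what would be matched instead of rewriting.</li>
 * </ul>
 *
 * <p><b>Trust model.</b> Unless the caller forces filtering, every public method returns its input
 * unchanged when {@link #isTrustedContext()} is true. That decision is derived from the role of the
 * user in the <em>current request context</em>, not from who authored the string.
 * NOTE(review): confirm that callers either run these methods at input time or pass
 * {@code forceFilter = true} when displaying content written by a different user.
 *
 * <p>NOTE(review): the filter is a blocklist built from regular expressions rather than an HTML
 * parser with an allowlist; anything the patterns do not anticipate passes through untouched.
 */
public class XSSUtil {
    /** Context attribute under which the per-context trust decision is cached. */
    private static final String CONTEXT_ATTRIBUTE_KEY = XSSUtil.class.getPackage().getName() + ".XSSUtil.is_trusted";

    private static final Pattern NULL_CHAR = Pattern.compile("\\x00");
    /** Group 1: optional {@code x} (hex marker); group 2: digits after any leading zeros. */
    private static final Pattern NUMERIC_CHARACTER_REFERENCE =
            Pattern.compile("&#(x?)0*([0-9a-f]*);?", Pattern.CASE_INSENSITIVE);
    /** Strips the leading {@code =}, surrounding whitespace and optional quotes; group 2 is the bare value. */
    private static final Pattern TRIM = Pattern.compile("^\\s*=\\s*(['\"]?)\\s*(.*?)\\s*\\1\\s*$");
    /** Characters that make an {@code href} value invalid (lenient check). */
    private static final Pattern INVALID_HREF = Pattern.compile("\\(|\\)|<|>");
    /** Characters that make a URL value invalid (strict check). */
    private static final Pattern INVALID_URL = Pattern.compile("&(?!amp;)|#(?![0-9][0-9];)|\\(|\\)|<|>|\"|'|%|=|\\?");

    private static final Pattern DISABLED_TAGS = getTags(new String[]{"script", "iframe", "frame", "frameset"});
    private static final Pattern FORM_TAGS = getTags(new String[]{"form", "input", "textarea"});
    private static final Pattern URL_ATTRIBUTES = getAttributeValues(new String[]{"src", "lowsrc", "dynsrc"});
    private static final Pattern HREF_ATTRIBUTES = getAttributeValues(new String[]{"href"});

    // applet/object/embed are disabled unless they carry one of the attribute values listed here.
    private static final Pattern APPLET_START = getTagWithoutAttributeValues("applet", new AttributeValues[]{
            new AttributeValues("archive", new String[]{"/ui/client-lib/webeqapplet\\.jar"})});
    private static final Pattern APPLET_END = getDisabledClosingTag("applet");
    private static final Pattern OBJECT_START = getTagWithoutAttributeValues("object", new AttributeValues[]{
            new AttributeValues("classid", new String[]{
                    "clsid:D27CDB6E-AE6D-11cf-96B8-444553540000",
                    "clsid:6BF52A52-394A-11d3-B153-00C04F79FAA6"})});
    private static final Pattern OBJECT_END = getDisabledClosingTag("object");
    private static final Pattern EMBED_START = getTagWithoutAttributeValues("embed", new AttributeValues[]{
            new AttributeValues("type", new String[]{"audio/x-wav"}),
            new AttributeValues("name", new String[]{"AOIQTEmbed", "AOIRealEmbed", "AOIAudioEmbed"})});
    private static final Pattern EMBED_END = getDisabledClosingTag("embed");

    // The three fields below are assigned in the static initializer at the end of the class.
    // RESERVED_CHARS must be assigned before PROHIBITED_STRINGS is built, because
    // buildProhibitedStringPattern() reads it.
    private static final Map<Character, String> RESERVED_CHARS;
    private static final Pattern PROHIBITED_STRINGS;
    private static final Pattern DISABLED_ATTRIBUTES;

    /** An attribute name together with the values that exempt a tag from being disabled. */
    public static class AttributeValues {
        private final String attribute;
        private final String[] values;

        private AttributeValues(String attribute, String[] values) {
            this.attribute = attribute;
            this.values = values;
        }
    }

    /** One match reported by {@link XSSUtil#checkHtml}: the matched text and the rule family it hit. */
    public static final class UnsafeInstance {
        private Type _type;
        private String _instance;

        /** Rule family that produced the match. */
        public enum Type {
            UNSAFE_STRING,
            UNSAFE_ELEMENT,
            UNSAFE_ATTRIBUTE,
            UNSAFE_URL
        }

        public UnsafeInstance() {
        }

        public UnsafeInstance(String instance, Type type) {
            this._instance = instance;
            this._type = type;
        }

        public Type getType() {
            return this._type;
        }

        public String getInstance() {
            return this._instance;
        }

        public void setType(Type type) {
            this._type = type;
        }

        public void setInstance(String instance) {
            this._instance = instance;
        }
    }

    /**
     * Entity-encodes {@code str} unless the current context is trusted.
     *
     * @see #render(String, boolean)
     */
    public static final String render(String str) {
        return render(str, false);
    }

    /**
     * Replaces {@code " # % & ' ( ) < = > ?} with HTML entities and copies every other character.
     *
     * @param str         text to encode; {@code null} and empty strings are returned as-is
     * @param forceFilter when {@code false}, a trusted context causes {@code str} to be returned
     *                    completely unencoded
     * @return the encoded text, or the original reference when nothing was done
     */
    public static final String render(String str, boolean forceFilter) {
        if (str == null || str.length() == 0 || (!forceFilter && isTrustedContext())) {
            return str;
        }
        StringBuilder sb = new StringBuilder();
        for (char c : str.toCharArray()) {
            switch (c) {
                case '"':
                    sb.append("&quot;");
                    break;
                case '#':
                    sb.append("&#35;");
                    break;
                case '%':
                    sb.append("&#37;");
                    break;
                case '&':
                    sb.append("&amp;");
                    break;
                case '\'':
                    sb.append("&#39;");
                    break;
                case '(':
                    sb.append("&#40;");
                    break;
                case ')':
                    sb.append("&#41;");
                    break;
                case '<':
                    sb.append("&lt;");
                    break;
                case '=':
                    sb.append("&#61;");
                    break;
                case '>':
                    sb.append("&gt;");
                    break;
                case '?':
                    sb.append("&#63;");
                    break;
                default:
                    sb.append(c);
                    break;
            }
        }
        return sb.toString();
    }

    /**
     * Filters {@code str} with the default options unless the current context is trusted.
     *
     * @see #filter(String, boolean)
     */
    public static final String filter(String str) {
        return filter(str, false);
    }

    /**
     * Filters {@code str} while leaving applet/object/embed tags alone and disabling form tags.
     *
     * @param forceFilter filter even when the current context is trusted
     */
    public static final String filter(String str, boolean forceFilter) {
        return filterHtml(str, forceFilter, true, false);
    }

    /**
     * Rewrites {@code str} so that every construct matched by the blocklist is prefixed with
     * {@code disabled-} and invalid {@code src}/{@code href} values become {@code disabled-url: ...}.
     *
     * @param str          HTML fragment; {@code null} and empty strings are returned as-is
     * @param forceFilter  when {@code false}, a trusted context causes {@code str} to be returned
     *                     unmodified
     * @param allowEmbedded when {@code false}, applet/object/embed tags that lack an allowed
     *                     attribute value are disabled as well
     * @param allowForms   when {@code false}, form/input/textarea tags are disabled as well
     * @return the filtered fragment
     */
    public static final String filterHtml(String str, boolean forceFilter, boolean allowEmbedded, boolean allowForms) {
        if (str == null || str.length() == 0 || (!forceFilter && isTrustedContext())) {
            return str;
        }
        String html = cleanup(str);
        html = PROHIBITED_STRINGS.matcher(html).replaceAll("disabled-$0");
        html = DISABLED_TAGS.matcher(html).replaceAll("disabled-$0");
        html = DISABLED_ATTRIBUTES.matcher(html).replaceAll("disabled-$0");
        // NOTE(review): checkHtml() validates URL_ATTRIBUTES with the strict character set
        // (strict = true) while this method uses the lenient one, so checkHtml() can report a
        // src value that filterHtml() leaves in place. Confirm which of the two is intended.
        html = filterUrl(html, URL_ATTRIBUTES, false);
        html = filterUrl(html, HREF_ATTRIBUTES, false);
        if (!allowEmbedded) {
            // Opening tag first, then the closing tag that follows an already-disabled opener.
            html = APPLET_START.matcher(html).replaceAll("disabled-$0");
            html = APPLET_END.matcher(html).replaceAll("$1disabled-$2");
            html = OBJECT_START.matcher(html).replaceAll("disabled-$0");
            html = OBJECT_END.matcher(html).replaceAll("$1disabled-$2");
            html = EMBED_START.matcher(html).replaceAll("disabled-$0");
            html = EMBED_END.matcher(html).replaceAll("$1disabled-$2");
        }
        if (!allowForms) {
            html = FORM_TAGS.matcher(html).replaceAll("disabled-$0");
        }
        return html;
    }

    /**
     * Reports every blocklist match in {@code str} without modifying it.
     *
     * @param str          HTML fragment to inspect
     * @param forceFilter  when {@code false}, a trusted context yields an empty result
     * @param allowEmbedded when {@code false}, applet/object/embed openers without an allowed
     *                     attribute value are reported too
     * @param allowForms   when {@code false}, form/input/textarea tags are reported too
     * @return a new mutable list of matches; empty when nothing matched or nothing was checked
     */
    public static final List<UnsafeInstance> checkHtml(String str, boolean forceFilter, boolean allowEmbedded, boolean allowForms) {
        List<UnsafeInstance> found = new ArrayList<UnsafeInstance>();
        if (str == null || str.length() == 0 || (!forceFilter && isTrustedContext())) {
            return found;
        }
        String cleaned = cleanup(str);
        getMatches(found, cleaned, PROHIBITED_STRINGS, UnsafeInstance.Type.UNSAFE_STRING);
        getMatches(found, cleaned, DISABLED_TAGS, UnsafeInstance.Type.UNSAFE_ELEMENT);
        getMatches(found, cleaned, DISABLED_ATTRIBUTES, UnsafeInstance.Type.UNSAFE_ATTRIBUTE);
        getUrlMatches(found, cleaned, URL_ATTRIBUTES, UnsafeInstance.Type.UNSAFE_URL, true);
        getUrlMatches(found, cleaned, HREF_ATTRIBUTES, UnsafeInstance.Type.UNSAFE_URL, false);
        if (!allowEmbedded) {
            getMatches(found, cleaned, APPLET_START, UnsafeInstance.Type.UNSAFE_ELEMENT);
            getMatches(found, cleaned, OBJECT_START, UnsafeInstance.Type.UNSAFE_ELEMENT);
            getMatches(found, cleaned, EMBED_START, UnsafeInstance.Type.UNSAFE_ELEMENT);
        }
        if (!allowForms) {
            getMatches(found, cleaned, FORM_TAGS, UnsafeInstance.Type.UNSAFE_ELEMENT);
        }
        return found;
    }

    /**
     * Normalises the input before the blocklist patterns run: removes NUL characters, removes
     * numeric character references to control characters (below 32, or 127) and decodes
     * references to ASCII letters. All other references are left as written.
     *
     * <p>References whose digits cannot be parsed (no digits at all, or hex letters after a
     * decimal prefix) are left untouched instead of raising {@link NumberFormatException}, so
     * arbitrary user text containing {@code &#} can no longer abort filtering.
     */
    private static final String cleanup(String str) {
        Matcher matcher = NUMERIC_CHARACTER_REFERENCE.matcher(NULL_CHAR.matcher(str).replaceAll(""));
        StringBuffer out = new StringBuffer();
        while (matcher.find()) {
            String digits = matcher.group(2);
            if (digits == null) {
                matcher.appendReplacement(out, "");
                continue;
            }
            if (digits.length() >= 4) {
                // Too long to be one of the values handled below; keep the reference as written.
                continue;
            }
            int value;
            if (digits.length() == 0) {
                // The pattern's 0* consumed every digit. If there was at least one zero the
                // reference denotes 0 (a control character); otherwise it is a bare "&#".
                if (matcher.group().indexOf('0') < 0) {
                    continue;
                }
                value = 0;
            } else {
                int radix = "x".equalsIgnoreCase(matcher.group(1)) ? 16 : 10;
                try {
                    value = Integer.parseInt(digits, radix);
                } catch (NumberFormatException ignored) {
                    // Hex letters were captured for a decimal reference; leave the text as is.
                    continue;
                }
            }
            if (value < 32 || value == 127) {
                matcher.appendReplacement(out, "");
            } else if ((value > 64 && value < 91) || (value > 96 && value < 123)) {
                // Only A-Z / a-z are decoded, so the replacement never contains '$' or '\'.
                matcher.appendReplacement(out, String.valueOf((char) value));
            }
        }
        matcher.appendTail(out);
        return out.toString();
    }

    /** Adds one {@link UnsafeInstance} of {@code type} to {@code list} per match of {@code pattern}. */
    private static final void getMatches(List<UnsafeInstance> list, String str, Pattern pattern, UnsafeInstance.Type type) {
        Matcher matcher = pattern.matcher(str);
        while (matcher.find()) {
            list.add(new UnsafeInstance(matcher.group(), type));
        }
    }

    /**
     * Adds one {@link UnsafeInstance} per attribute value matched by {@code pattern} that fails
     * {@link #isValidUrl}; the reported text is the value with {@code =} and quotes trimmed.
     */
    private static final void getUrlMatches(List<UnsafeInstance> list, String str, Pattern pattern, UnsafeInstance.Type type, boolean strict) {
        Matcher matcher = pattern.matcher(str);
        while (matcher.find()) {
            String assignment = matcher.group();
            if (!isValidUrl(assignment, strict)) {
                list.add(new UnsafeInstance(TRIM.matcher(assignment).replaceAll("$2"), type));
            }
        }
    }

    /**
     * Builds a case-insensitive pattern matching any of {@code tagNames} directly after {@code <}
     * or {@code </}. Lookarounds keep the brackets out of the match, so {@code $0} is the tag name.
     */
    private static final Pattern getTags(String[] tagNames) {
        StringBuilder sb = new StringBuilder();
        for (String tag : tagNames) {
            sb.append("(?<=<)\\s*").append(tag).append("(?=[\\s|>])|(?<=</)\\s*").append(tag).append("(?=\\s*>)|");
        }
        sb.deleteCharAt(sb.length() - 1); // drop the trailing '|'
        return Pattern.compile(sb.toString(), Pattern.CASE_INSENSITIVE);
    }

    /**
     * Builds a case-insensitive pattern matching the {@code = value} part that follows any of
     * {@code attributeNames}, for double-quoted, single-quoted and unquoted values.
     */
    private static final Pattern getAttributeValues(String[] attributeNames) {
        StringBuilder sb = new StringBuilder();
        for (String name : attributeNames) {
            sb.append("(?<=\\s").append(name).append(")\\s*=\\s*\".*?[^\\\\]\"(?=[\\s|>])|(?<=\\s").append(name).append(")\\s*=\\s*'.*?[^\\\\]'(?=[\\s|>])|(?<=\\s").append(name).append(")\\s*=[^\\s].*?(?=[\\s|>])|");
        }
        sb.deleteCharAt(sb.length() - 1); // drop the trailing '|'
        return Pattern.compile(sb.toString(), Pattern.CASE_INSENSITIVE);
    }

    /**
     * Builds a case-insensitive pattern matching {@code tag} after {@code <} unless the same tag
     * carries one of the quoted attribute values in {@code allowed} (negative lookahead).
     * The allowed values are inserted into the expression verbatim, so they must already be
     * regex-escaped by the caller.
     */
    private static final Pattern getTagWithoutAttributeValues(String tag, AttributeValues[] allowed) {
        StringBuilder sb = new StringBuilder();
        sb.append("(?<=<)\\s*").append(tag).append("(?!\\s[^>]*(");
        for (AttributeValues entry : allowed) {
            sb.append("(").append(entry.attribute).append("\\s*=\\s*['\"](");
            for (String value : entry.values) {
                sb.append(value).append("|");
            }
            sb.deleteCharAt(sb.length() - 1); // drop the trailing '|' of the value list
            sb.append(")[\"'])|");
        }
        sb.deleteCharAt(sb.length() - 1); // drop the trailing '|' of the attribute list
        sb.append("))");
        return Pattern.compile(sb.toString(), Pattern.CASE_INSENSITIVE);
    }

    /**
     * Builds a pattern that finds the closing tag following an already-disabled opening
     * {@code tag}: group 1 is everything from {@code <disabled-tag} up to {@code </}, group 2 is
     * the closing tag name. The pattern is not compiled with DOTALL, so the {@code .*?} between
     * opener and closer does not span line breaks.
     */
    private static final Pattern getDisabledClosingTag(String tag) {
        StringBuilder sb = new StringBuilder();
        sb.append("(<\\s*disabled-").append(tag).append("\\b.*?<\\s*/\\s*)(").append(tag).append(")(?=\\s*>)");
        return Pattern.compile(sb.toString(), Pattern.CASE_INSENSITIVE);
    }

    /**
     * Turns {@code literal} into a regex fragment that matches it character by character while
     * tolerating whitespace and backslashes between characters. Characters present in
     * {@link #RESERVED_CHARS} are replaced by their pre-built alternative (literal or numeric
     * character reference); all others are quoted with {@code \Q..\E}.
     */
    private static final String buildProhibitedStringPattern(String literal) {
        StringBuilder sb = new StringBuilder();
        for (char c : literal.toCharArray()) {
            String reserved = RESERVED_CHARS.get(Character.valueOf(c));
            if (reserved != null) {
                sb.append(reserved);
            } else {
                sb.append("\\Q").append(c).append("\\E");
            }
            sb.append("[\\s\\\\]*");
        }
        return sb.toString();
    }

    /**
     * Checks an attribute assignment ({@code ="value"}) against the invalid-character set.
     *
     * @param str    the matched assignment; {@code null} and empty values count as valid
     * @param strict {@code true} to test against {@link #INVALID_URL}, {@code false} for the
     *               smaller {@link #INVALID_HREF} set
     */
    private static boolean isValidUrl(String str, boolean strict) {
        if (str == null) {
            return true;
        }
        String value = TRIM.matcher(str).replaceAll("$2");
        if (value.length() == 0) {
            return true;
        }
        Pattern invalid = strict ? INVALID_URL : INVALID_HREF;
        return !invalid.matcher(value).find();
    }

    /**
     * Replaces every attribute value matched by {@code pattern} that fails {@link #isValidUrl}
     * with {@code ="disabled-url: <value without the invalid characters>"}.
     */
    private static String filterUrl(String str, Pattern pattern, boolean strict) {
        Matcher matcher = pattern.matcher(str);
        StringBuffer out = new StringBuffer();
        Pattern invalid = strict ? INVALID_URL : INVALID_HREF;
        while (matcher.find()) {
            String assignment = matcher.group();
            if (!isValidUrl(assignment, strict)) {
                String stripped = invalid.matcher(TRIM.matcher(assignment).replaceAll("$2")).replaceAll("");
                // The value comes from user markup and may still contain '$' or '\', which
                // appendReplacement() would interpret as group references / escapes and reject
                // with an exception. Quote it so it is inserted literally.
                matcher.appendReplacement(out, Matcher.quoteReplacement("=\"disabled-url: " + stripped + "\""));
            }
        }
        matcher.appendTail(out);
        return out.toString();
    }

    /**
     * Decides whether the current request context may bypass encoding and filtering.
     *
     * <p>The answer is cached on the context under {@link #CONTEXT_ATTRIBUTE_KEY}. When no cached
     * value exists, a course role other than NONE, GUEST or STUDENT is trusted; if no course role
     * is available, a system role other than NONE, GUEST or OBSERVER is trusted; otherwise the
     * context is untrusted. Any failure while obtaining the context yields {@code false}.
     */
    private static final boolean isTrustedContext() {
        Context context;
        Boolean cached;
        try {
            context = BbServiceManager.getContextManager().getContext();
            cached = (Boolean) context.getAttribute(CONTEXT_ATTRIBUTE_KEY);
        } catch (Throwable th) {
            // Fail closed: without a usable context nothing is trusted. Throwable is caught
            // deliberately so that a missing context (NullPointerException) or a wrongly typed
            // attribute also ends up here.
            return false;
        }
        if (cached != null) {
            return cached.booleanValue();
        }

        Boolean trusted = null;
        if (context.hasCourseContext()) {
            CourseMembership membership = context.getCourseMembership();
            CourseMembership.Role role = membership == null ? null : membership.getRole();
            if (role != null) {
                trusted = Boolean.valueOf(role != CourseMembership.Role.NONE
                        && role != CourseMembership.Role.GUEST
                        && role != CourseMembership.Role.STUDENT);
            }
        }
        if (trusted == null) {
            User user = context.getUser();
            User.SystemRole systemRole = user == null ? null : user.getSystemRole();
            if (systemRole != null) {
                trusted = Boolean.valueOf(systemRole != User.SystemRole.NONE
                        && systemRole != User.SystemRole.GUEST
                        && systemRole != User.SystemRole.OBSERVER);
            }
        }
        if (trusted == null) {
            trusted = Boolean.FALSE;
        }
        context.setAttribute(CONTEXT_ATTRIBUTE_KEY, trusted);
        return trusted.booleanValue();
    }

    static {
        // For each reserved character: the literal, or its hex / decimal numeric character
        // reference with optional leading zeros and an optional terminating ';'.
        Map<Character, String> reserved = new HashMap<Character, String>();
        StringBuilder sb = new StringBuilder();
        for (char c : new char[]{'(', '=', ':', '/', '-'}) {
            sb.append("(?:\\Q");
            sb.append(c);
            sb.append("\\E|");
            sb.append("&#x0*");
            sb.append(Integer.toHexString(c));
            sb.append("(?:;|[^0-9a-f]|$)|");
            sb.append("&#0*");
            sb.append((int) c);
            sb.append("(?:;|[^0-9a-f]|$))");
            reserved.put(Character.valueOf(c), sb.toString());
            sb.setLength(0);
        }
        RESERVED_CHARS = Collections.unmodifiableMap(reserved);

        // The (?<!-) lookbehind skips occurrences that already carry the "disabled-" prefix.
        StringBuilder prohibited = new StringBuilder();
        for (String literal : new String[]{"javascript:", "vbscript:", "url(", "expression(", "text/javascript", "text/x-scriptlet"}) {
            prohibited.append("(?<!-)");
            prohibited.append(buildProhibitedStringPattern(literal));
            prohibited.append("|");
        }
        prohibited.append("(?<!-)");
        prohibited.append("http-equiv\\s*=\\s*(?:&#x?[0-9]*;?|\"|'|&quot;)*\\s*" + buildProhibitedStringPattern("refresh"));
        PROHIBITED_STRINGS = Pattern.compile(prohibited.toString(), Pattern.CASE_INSENSITIVE);

        // Event-handler attributes: any "on..." name preceded by whitespace and followed by '='.
        StringBuilder attributes = new StringBuilder();
        for (String name : new String[]{"on[a-z]+"}) {
            attributes.append("(?<=\\s)").append(name).append("(?=\\s*=)|");
        }
        attributes.deleteCharAt(attributes.length() - 1); // drop the trailing '|'
        DISABLED_ATTRIBUTES = Pattern.compile(attributes.toString(), Pattern.CASE_INSENSITIVE);
    }
}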
