Issue ESAPI#300 -- Fixed most unit tests. chars are NOT autoboxed to Characters, make sure we update documentation!

Author: xeno6696

src/main/java/org/owasp/esapi/PreparedString.java

@@ -16,6 +16,7 @@
 package org.owasp.esapi;
 
 import java.util.ArrayList;
+
 import org.owasp.esapi.codecs.Codec;
 import org.owasp.esapi.codecs.HTMLEntityCodec;
 

src/main/java/org/owasp/esapi/codecs/AbstractCodec.java

@@ -0,0 +1,173 @@
+/**
+ * OWASP Enterprise Security API (ESAPI)
+ * 
+ * This file is part of the Open Web Application Security Project (OWASP)
+ * Enterprise Security API (ESAPI) project. For details, please see
+ * <a href="http://www.owasp.org/index.php/ESAPI">http://www.owasp.org/index.php/ESAPI</a>.
+ *
+ * Copyright (c) 2007 - The OWASP Foundation
+ * 
+ * The ESAPI is published by OWASP under the BSD license. You should read and accept the
+ * LICENSE before you use, modify, and/or redistribute this software.
+ * 
+ * @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
+ * @created 2007
+ */
+package org.owasp.esapi.codecs;
+
+
+/**
+ * The Codec interface defines a set of methods for encoding and decoding application level encoding schemes,
+ * such as HTML entity encoding and percent encoding (aka URL encoding). Codecs are used in output encoding
+ * and canonicalization.  The design of these codecs allows for character-by-character decoding, which is
+ * necessary to detect double-encoding and the use of multiple encoding schemes, both of which are techniques
+ * used by attackers to bypass validation and bury encoded attacks in data.
+ * 
+ * @author Jeff Williams (jeff.williams .at. aspectsecurity.com) <a
+ *         href="http://www.aspectsecurity.com">Aspect Security</a>
+ * @since June 1, 2007
+ * @see org.owasp.esapi.Encoder
+ */
+public abstract class AbstractCodec implements Codec {
+
+	/**
+	 * Initialize an array to mark which characters are to be encoded. Store the hex
+	 * string for that character to save time later. If the character shouldn't be
+	 * encoded, then store null.
+	 */
+	private final String[] hex = new String[256];
+
+	/**
+	 * Default constructor
+	 */
+	public AbstractCodec() {
+		for ( char c = 0; c < 0xFF; c++ ) {
+			if ( c >= 0x30 && c <= 0x39 || c >= 0x41 && c <= 0x5A || c >= 0x61 && c <= 0x7A ) {
+				hex[c] = null;
+			} else {
+				hex[c] = toHex(c).intern();
+			}
+		}
+	}
+
+	/* (non-Javadoc)
+	 * @see org.owasp.esapi.codecs.Codec#encode(char[], java.lang.String)
+	 */
+	@Override
+	public String encode(char[] immune, String input) {
+		StringBuilder sb = new StringBuilder();
+		for(int offset  = 0; offset < input.length(); ){
+			final int point = input.codePointAt(offset);
+			if(Character.isBmpCodePoint(point)){
+				//We can then safely cast this to char and maintain legacy behavior.
+				sb.append(encodeCharacter(immune, new Character((char) point)));
+			}else{
+				sb.append(encodeCharacter(immune, point));	
+			}
+			offset += Character.charCount(point);
+		}
+		return sb.toString();
+	}
+
+	/**
+	 * WARNING!!!!  Passing a standard char to this method will resolve to the 
+	 * @{code public String encodeCharacter( char[] immune, int codePoint )} method
+	 * instead of this one!!!  YOU HAVE BEEN WARNED!!!!
+	 * 
+	 * @{Inherit}
+	 */
+	@Override
+	public String encodeCharacter( char[] immune, Character c ) {
+		return ""+c;
+	}
+	
+	/* (non-Javadoc)
+	 * @see org.owasp.esapi.codecs.Codec#encodeCharacter(char[], int)
+	 */
+	@Override
+	public String encodeCharacter( char[] immune, int codePoint ) {
+		return new StringBuilder().appendCodePoint(codePoint).toString();
+	}
+
+	/* (non-Javadoc)
+	 * @see org.owasp.esapi.codecs.Codec#decode(java.lang.String)
+	 */
+	@Override
+	public String decode(String input) {
+		StringBuilder sb = new StringBuilder();
+		PushbackString pbs = new PushbackString(input);
+		while (pbs.hasNext()) {
+			Character c = decodeCharacter(pbs);
+			if (c != null) {
+				sb.append(c);
+			} else {
+				sb.append(pbs.next());
+			}
+		}
+		return sb.toString();
+	}
+
+	/* (non-Javadoc)
+	 * @see org.owasp.esapi.codecs.Codec#decodeCharacter(org.owasp.esapi.codecs.PushbackString)
+	 */
+	@Override
+	public Character decodeCharacter( PushbackString input ) {
+		return input.next();
+	}
+
+	/**
+	 * Lookup the hex value of any character that is not alphanumeric.
+	 * @param c The character to lookup.
+	 * @return, return null if alphanumeric or the character code
+	 * 	in hex.
+	 */
+	public String getHexForNonAlphanumeric(char c)
+	{
+		if(c<0xFF)
+			return hex[c];
+		return toHex(c);
+	}
+	
+	/**
+	 * Lookup the hex value of any character that is not alphanumeric.
+	 * @param c The character to lookup.
+	 * @return, return null if alphanumeric or the character code
+	 * 	in hex.
+	 */
+	public String getHexForNonAlphanumeric(int c)
+	{
+		if(c<0xFF)
+			return hex[c];
+		return toHex(c);
+	}
+
+	public String toOctal(char c)
+	{
+		return Integer.toOctalString(c);
+	}
+
+	public String toHex(char c)
+	{
+		return Integer.toHexString(c);
+	}
+	
+	public String toHex(int c)
+	{
+		return Integer.toHexString(c);
+	}
+
+	/**
+	 * Utility to search a char[] for a specific char.
+	 * 
+	 * @param c
+	 * @param array
+	 * @return
+	 */
+	public boolean containsCharacter( char c, char[] array ) {
+		for (char ch : array) {
+			if (c == ch) return true;
+		}
+		return false;
+	}
+
+}

src/main/java/org/owasp/esapi/codecs/CSSCodec.java

@@ -23,7 +23,7 @@
  * @since June 1, 2007
  * @see org.owasp.esapi.Encoder
  */
-public class CSSCodec extends Codec
+public class CSSCodec extends AbstractCodec
 {
 	private static final Character REPLACEMENT = '\ufffd';
 
@@ -42,7 +42,7 @@ public String encodeCharacter(char[] immune, Character c) {
 		}
 
 		// check for alphanumeric characters
-		String hex = Codec.getHexForNonAlphanumeric(c);
+		String hex = super.getHexForNonAlphanumeric(c);
 		if ( hex == null ) {
 			return ""+c;
 		}

src/main/java/org/owasp/esapi/codecs/Codec.java

@@ -28,32 +28,7 @@
  * @since June 1, 2007
  * @see org.owasp.esapi.Encoder
  */
-public abstract class Codec {
-
-	/**
-	 * Initialize an array to mark which characters are to be encoded. Store the hex
-	 * string for that character to save time later. If the character shouldn't be
-	 * encoded, then store null.
-	 */
-	private static final String[] hex = new String[256];
-
-	static {
-		for ( char c = 0; c < 0xFF; c++ ) {
-			if ( c >= 0x30 && c <= 0x39 || c >= 0x41 && c <= 0x5A || c >= 0x61 && c <= 0x7A ) {
-				hex[c] = null;
-			} else {
-				hex[c] = toHex(c).intern();
-			}
-		}
-	}
-
-
-	/**
-	 * Default constructor
-	 */
-	public Codec() {
-	}
-
+public interface Codec {
 	/**
 	 * Encode a String so that it can be safely used in a specific context.
 	 * 
@@ -62,20 +37,7 @@ public Codec() {
 	 * 		the String to encode
 	 * @return the encoded String
 	 */
-	public String encode(char[] immune, String input) {
-		StringBuilder sb = new StringBuilder();
-		for(int offset  = 0; offset < input.length(); ){
-			final int point = input.codePointAt(offset);
-			if(Character.isBmpCodePoint(point)){
-				//We can then safely cast this to char and maintain legacy behavior.
-				sb.append(encodeCharacter(immune, (char) point));
-			}else{
-				sb.append(encodeCharacter(immune, point));	
-			}
-			offset += Character.charCount(point);
-		}
-		return sb.toString();
-	}
+	public String encode(char[] immune, String input);
 
 	/**
 	 * Default implementation that should be overridden in specific codecs.
@@ -86,9 +48,7 @@ public String encode(char[] immune, String input) {
 	 * @return
 	 * 		the encoded Character
 	 */
-	public String encodeCharacter( char[] immune, Character c ) {
-		return ""+c;
-	}
+	public String encodeCharacter( char[] immune, Character c );
 
 	/**
 	 * Default codepoint implementation that should be overridden in specific codecs.
@@ -99,9 +59,7 @@ public String encodeCharacter( char[] immune, Character c ) {
 	 * @return
 	 * 		the encoded Character
 	 */
-	public String encodeCharacter( char[] immune, int codePoint ) {
-		return new StringBuilder().appendCodePoint(codePoint).toString();
-	}
+	public String encodeCharacter( char[] immune, int codePoint );
 
 	/**
 	 * Decode a String that was encoded using the encode method in this Class
@@ -111,19 +69,7 @@ public String encodeCharacter( char[] immune, int codePoint ) {
 	 * @return
 	 *		the decoded String
 	 */
-	public String decode(String input) {
-		StringBuilder sb = new StringBuilder();
-		PushbackString pbs = new PushbackString(input);
-		while (pbs.hasNext()) {
-			Character c = decodeCharacter(pbs);
-			if (c != null) {
-				sb.append(c);
-			} else {
-				sb.append(pbs.next());
-			}
-		}
-		return sb.toString();
-	}
+	public String decode(String input);
 
 	/**
 	 * Returns the decoded version of the next character from the input string and advances the
@@ -134,50 +80,29 @@ public String decode(String input) {
 	 * 
 	 * @return the decoded Character
 	 */
-	public Character decodeCharacter( PushbackString input ) {
-		return input.next();
-	}
+	public Character decodeCharacter( PushbackString input );
 
 	/**
 	 * Lookup the hex value of any character that is not alphanumeric.
 	 * @param c The character to lookup.
 	 * @return, return null if alphanumeric or the character code
 	 * 	in hex.
 	 */
-	public static String getHexForNonAlphanumeric(char c)
-	{
-		if(c<0xFF)
-			return hex[c];
-		return toHex(c);
-	}
+	public String getHexForNonAlphanumeric(char c);
 
 	/**
 	 * Lookup the hex value of any character that is not alphanumeric.
 	 * @param c The character to lookup.
 	 * @return, return null if alphanumeric or the character code
 	 * 	in hex.
 	 */
-	public static String getHexForNonAlphanumeric(int c)
-	{
-		if(c<0xFF)
-			return hex[c];
-		return toHex(c);
-	}
+	public String getHexForNonAlphanumeric(int c);
 
-	public static String toOctal(char c)
-	{
-		return Integer.toOctalString(c);
-	}
+	public String toOctal(char c);
 
-	public static String toHex(char c)
-	{
-		return Integer.toHexString(c);
-	}
+	public String toHex(char c);
 
-	public static String toHex(int c)
-	{
-		return Integer.toHexString(c);
-	}
+	public String toHex(int c);
 
 	/**
 	 * Utility to search a char[] for a specific char.
@@ -186,11 +111,6 @@ public static String toHex(int c)
 	 * @param array
 	 * @return
 	 */
-	public static boolean containsCharacter( char c, char[] array ) {
-		for (char ch : array) {
-			if (c == ch) return true;
-		}
-		return false;
-	}
+	public boolean containsCharacter( char c, char[] array );
 
 }

src/main/java/org/owasp/esapi/codecs/DB2Codec.java

@@ -20,7 +20,7 @@
  * @since October 26, 2010
  * @see org.owasp.esapi.Encoder
  */
-public class DB2Codec extends Codec {
+public class DB2Codec extends AbstractCodec {
 
 	public String encodeCharacter(char[] immune, Character c) {