package org.owasp.validator.html.scan;

import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
import java.util.ArrayList;
import java.util.List;
import java.util.ResourceBundle;
import java.util.Stack;
import java.util.regex.Pattern;
import javax.ws.rs.core.Link;
import org.apache.batik.constants.XMLConstants;
import org.apache.xerces.util.AugmentationsImpl;
import org.apache.xerces.util.XMLAttributesImpl;
import org.apache.xerces.util.XMLStringBuffer;
import org.apache.xerces.xni.Augmentations;
import org.apache.xerces.xni.QName;
import org.apache.xerces.xni.XMLAttributes;
import org.apache.xerces.xni.XMLString;
import org.apache.xerces.xni.XNIException;
import org.apache.xerces.xni.parser.XMLDocumentFilter;
import org.cyberneko.html.filters.DefaultFilter;
import org.owasp.validator.css.CssScanner;
import org.owasp.validator.css.ExternalCssScanner;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.InternalPolicy;
import org.owasp.validator.html.ScanException;
import org.owasp.validator.html.model.Attribute;
import org.owasp.validator.html.model.Tag;
import org.owasp.validator.html.util.ErrorMessageUtil;
import org.owasp.validator.html.util.HTMLEntityEncoder;

@SuppressFBWarnings(value = {"REDOS"}, justification = "Tested the Regex against saferegex and safe-regex and not vulnerable")
/* loaded from: input_file:WEB-INF/lib/antisamy-1.6.3.jar:org/owasp/validator/html/scan/MagicSAXFilter.class */
public class MagicSAXFilter extends DefaultFilter implements XMLDocumentFilter {
    private InternalPolicy policy;
    private ResourceBundle messages;
    private boolean isNofollowAnchors;
    private boolean isValidateParamAsEmbed;
    private boolean preserveComments;
    private int maxInputSize;
    private boolean externalCssScanner;
    private static final Pattern conditionalDirectives = Pattern.compile("<?!?\\[\\s*(?:end)?if[^]]*\\]>?");
    private final Stack<Ops> operations = new Stack<>();
    private final List<String> errorMessages = new ArrayList();
    private StringBuffer cssContent = null;
    private XMLAttributes cssAttributes = null;
    private CssScanner cssScanner = null;
    private boolean inCdata = false;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:WEB-INF/lib/antisamy-1.6.3.jar:org/owasp/validator/html/scan/MagicSAXFilter$Ops.class */
    public enum Ops {
        CSS,
        FILTER,
        REMOVE,
        TRUNCATE,
        KEEP,
        ENCODE
    }

    public MagicSAXFilter(ResourceBundle resourceBundle) {
        this.messages = resourceBundle;
    }

    public void reset(InternalPolicy internalPolicy) {
        this.policy = internalPolicy;
        this.isNofollowAnchors = this.policy.isNofollowAnchors();
        this.isValidateParamAsEmbed = this.policy.isValidateParamAsEmbed();
        this.preserveComments = this.policy.isPreserveComments();
        this.maxInputSize = this.policy.getMaxInputSize();
        this.externalCssScanner = this.policy.isEmbedStyleSheets();
        this.operations.clear();
        this.errorMessages.clear();
        this.cssContent = null;
        this.cssAttributes = null;
        this.cssScanner = null;
        this.inCdata = false;
    }

    @Override // org.cyberneko.html.filters.DefaultFilter
    public void characters(XMLString xMLString, Augmentations augmentations) throws XNIException {
        Ops peekTop = peekTop();
        if (peekTop == Ops.REMOVE) {
            return;
        }
        if (peekTop == Ops.CSS) {
            this.cssContent.append(xMLString.ch, xMLString.offset, xMLString.length);
            return;
        }
        if (this.inCdata) {
            addError(ErrorMessageUtil.ERROR_CDATA_FOUND, new Object[]{HTMLEntityEncoder.htmlEntityEncode(xMLString.toString())});
        }
        super.characters(xMLString, augmentations);
    }

    @Override // org.cyberneko.html.filters.DefaultFilter
    public void comment(XMLString xMLString, Augmentations augmentations) throws XNIException {
        String xMLString2;
        if (!this.preserveComments || (xMLString2 = xMLString.toString()) == null) {
            return;
        }
        String replaceAll = conditionalDirectives.matcher(xMLString2).replaceAll("");
        super.comment(new XMLString(replaceAll.toCharArray(), 0, replaceAll.length()), augmentations);
    }

    @Override // org.cyberneko.html.filters.DefaultFilter
    public void doctypeDecl(String str, String str2, String str3, Augmentations augmentations) throws XNIException {
    }

    @Override // org.cyberneko.html.filters.DefaultFilter
    public void emptyElement(QName qName, XMLAttributes xMLAttributes, Augmentations augmentations) throws XNIException {
        startElement(qName, xMLAttributes, augmentations);
        endElement(qName, augmentations);
    }

    private Ops peekTop() {
        if (this.operations.empty()) {
            return null;
        }
        return this.operations.peek();
    }

    private XMLStringBuffer makeEndTag(String str) {
        return new XMLStringBuffer(XMLConstants.XML_CLOSE_TAG_START + str + XMLConstants.XML_CLOSE_TAG_END);
    }

    @Override // org.cyberneko.html.filters.DefaultFilter
    public void endElement(QName qName, Augmentations augmentations) throws XNIException {
        Ops peekTop = peekTop();
        if (Ops.REMOVE == peekTop) {
            this.operations.pop();
            return;
        }
        if (Ops.FILTER == peekTop) {
            this.operations.pop();
            return;
        }
        if (Ops.ENCODE == peekTop) {
            this.operations.pop();
            super.characters(makeEndTag(qName.rawname), augmentations);
            return;
        }
        if (Ops.CSS != peekTop) {
            this.operations.pop();
            super.endElement(qName, augmentations);
            return;
        }
        this.operations.pop();
        try {
            try {
                CleanResults scanStyleSheet = makeCssScanner().scanStyleSheet(this.cssContent.toString(), this.maxInputSize);
                this.errorMessages.addAll(scanStyleSheet.getErrorMessages());
                if (scanStyleSheet.getCleanHTML() != null && !scanStyleSheet.getCleanHTML().equals("")) {
                    super.startElement(qName, this.cssAttributes, new AugmentationsImpl());
                    super.characters(new XMLStringBuffer(scanStyleSheet.getCleanHTML()), new AugmentationsImpl());
                    super.endElement(qName, augmentations);
                }
                this.cssContent = null;
                this.cssAttributes = null;
            } catch (ScanException e) {
                addError(ErrorMessageUtil.ERROR_CSS_TAG_MALFORMED, new Object[]{HTMLEntityEncoder.htmlEntityEncode(this.cssContent.toString())});
                this.cssContent = null;
                this.cssAttributes = null;
            }
        } catch (Throwable th) {
            this.cssContent = null;
            this.cssAttributes = null;
            throw th;
        }
    }

    private CssScanner makeCssScanner() {
        if (this.cssScanner == null) {
            this.cssScanner = this.externalCssScanner ? new ExternalCssScanner(this.policy, this.messages) : new CssScanner(this.policy, this.messages);
        }
        return this.cssScanner;
    }

    @Override // org.cyberneko.html.filters.DefaultFilter
    public void processingInstruction(String str, XMLString xMLString, Augmentations augmentations) throws XNIException {
    }

    @Override // org.cyberneko.html.filters.DefaultFilter
    public void startCDATA(Augmentations augmentations) throws XNIException {
        this.inCdata = true;
        super.startCDATA(augmentations);
    }

    @Override // org.cyberneko.html.filters.DefaultFilter
    public void endCDATA(Augmentations augmentations) throws XNIException {
        this.inCdata = false;
        super.endCDATA(augmentations);
    }

    @Override // org.cyberneko.html.filters.DefaultFilter
    public void startElement(QName qName, XMLAttributes xMLAttributes, Augmentations augmentations) throws XNIException {
        Tag embedTag;
        String lowerCase = qName.localpart.toLowerCase();
        Tag tagByLowercaseName = this.policy.getTagByLowercaseName(lowerCase);
        boolean z = false;
        String str = null;
        String str2 = null;
        if (tagByLowercaseName == null && this.isValidateParamAsEmbed && "param".equals(lowerCase) && (embedTag = this.policy.getEmbedTag()) != null && embedTag.isAction("validate")) {
            tagByLowercaseName = embedTag;
            z = true;
            str = xMLAttributes.getValue("name");
            str2 = xMLAttributes.getValue("value");
            XMLAttributes xMLAttributesImpl = new XMLAttributesImpl();
            xMLAttributesImpl.addAttribute(makeSimpleQname(str), "CDATA", str2);
            xMLAttributes = xMLAttributesImpl;
        }
        XMLAttributes xMLAttributesImpl2 = new XMLAttributesImpl();
        Ops peekTop = peekTop();
        if (Ops.REMOVE == peekTop || Ops.CSS == peekTop) {
            this.operations.push(Ops.REMOVE);
        } else if ((tagByLowercaseName == null && this.policy.isEncodeUnknownTag()) || (tagByLowercaseName != null && tagByLowercaseName.isAction("encode"))) {
            String str3 = XMLConstants.XML_OPEN_TAG_START + qName.localpart + XMLConstants.XML_CLOSE_TAG_END;
            super.characters(new XMLString(str3.toCharArray(), 0, str3.length()), augmentations);
            this.operations.push(Ops.ENCODE);
        } else if (tagByLowercaseName == null) {
            addError(ErrorMessageUtil.ERROR_TAG_NOT_IN_POLICY, new Object[]{HTMLEntityEncoder.htmlEntityEncode(qName.localpart)});
            this.operations.push(Ops.FILTER);
        } else if (tagByLowercaseName.isAction("filter")) {
            addError(ErrorMessageUtil.ERROR_TAG_FILTERED, new Object[]{HTMLEntityEncoder.htmlEntityEncode(qName.localpart)});
            this.operations.push(Ops.FILTER);
        } else if (tagByLowercaseName.isAction("validate")) {
            boolean endsWith = "style".endsWith(qName.localpart);
            boolean z2 = false;
            boolean z3 = false;
            for (int i = 0; i < xMLAttributes.getLength(); i++) {
                String qName2 = xMLAttributes.getQName(i);
                String value = xMLAttributes.getValue(i);
                String lowerCase2 = qName2.toLowerCase();
                Attribute attributeByName = tagByLowercaseName.getAttributeByName(lowerCase2);
                if (attributeByName == null) {
                    attributeByName = this.policy.getGlobalAttributeByName(lowerCase2);
                    if (attributeByName == null && this.policy.isAllowDynamicAttributes()) {
                        attributeByName = this.policy.getDynamicAttributeByName(lowerCase2);
                    }
                }
                if ("style".equalsIgnoreCase(qName2)) {
                    try {
                        CleanResults scanInlineStyle = makeCssScanner().scanInlineStyle(value, qName.localpart, this.maxInputSize);
                        xMLAttributes.setValue(i, scanInlineStyle.getCleanHTML());
                        xMLAttributesImpl2.addAttribute(makeSimpleQname(qName2), "CDATA", scanInlineStyle.getCleanHTML());
                        this.errorMessages.addAll(scanInlineStyle.getErrorMessages());
                    } catch (ScanException e) {
                        addError(ErrorMessageUtil.ERROR_CSS_ATTRIBUTE_MALFORMED, new Object[]{qName.localpart, HTMLEntityEncoder.htmlEntityEncode(value)});
                    }
                } else if (attributeByName != null) {
                    boolean z4 = false;
                    if (attributeByName.containsAllowedValue(value.toLowerCase())) {
                        xMLAttributesImpl2.addAttribute(makeSimpleQname(qName2), "CDATA", value);
                        z4 = true;
                    }
                    if (!z4) {
                        z4 = attributeByName.matchesAllowedExpression(value);
                        if (z4) {
                            xMLAttributesImpl2.addAttribute(makeSimpleQname(qName2), "CDATA", value);
                        }
                    }
                    if (!z4 && "removeTag".equals(attributeByName.getOnInvalid())) {
                        addError(ErrorMessageUtil.ERROR_ATTRIBUTE_INVALID_REMOVED, new Object[]{tagByLowercaseName.getName(), HTMLEntityEncoder.htmlEntityEncode(qName2), HTMLEntityEncoder.htmlEntityEncode(value)});
                        z2 = true;
                    } else if (!z4 && ("filterTag".equals(attributeByName.getOnInvalid()) || z)) {
                        addError("error.attribute.invalid.filtered", new Object[]{tagByLowercaseName.getName(), HTMLEntityEncoder.htmlEntityEncode(qName2), HTMLEntityEncoder.htmlEntityEncode(value)});
                        z3 = true;
                    } else if (!z4) {
                        addError(ErrorMessageUtil.ERROR_ATTRIBUTE_INVALID, new Object[]{tagByLowercaseName.getName(), HTMLEntityEncoder.htmlEntityEncode(qName2), HTMLEntityEncoder.htmlEntityEncode(value)});
                    }
                } else {
                    addError(ErrorMessageUtil.ERROR_ATTRIBUTE_NOT_IN_POLICY, new Object[]{qName.localpart, HTMLEntityEncoder.htmlEntityEncode(qName2), HTMLEntityEncoder.htmlEntityEncode(value)});
                    if (z) {
                        z3 = true;
                    }
                }
            }
            if (z2) {
                this.operations.push(Ops.REMOVE);
            } else if (endsWith) {
                this.operations.push(Ops.CSS);
                this.cssContent = new StringBuffer();
                this.cssAttributes = xMLAttributesImpl2;
            } else if (z3) {
                this.operations.push(Ops.FILTER);
            } else {
                if (this.isNofollowAnchors && "a".equals(qName.localpart)) {
                    xMLAttributesImpl2.addAttribute(makeSimpleQname(Link.REL), "CDATA", "nofollow");
                }
                if (z) {
                    xMLAttributesImpl2 = new XMLAttributesImpl();
                    xMLAttributesImpl2.addAttribute(makeSimpleQname("name"), "CDATA", str);
                    xMLAttributesImpl2.addAttribute(makeSimpleQname("value"), "CDATA", str2);
                }
                this.operations.push(Ops.KEEP);
            }
        } else if (tagByLowercaseName.isAction("truncate")) {
            this.operations.push(Ops.TRUNCATE);
        } else {
            addError(ErrorMessageUtil.ERROR_TAG_DISALLOWED, new Object[]{HTMLEntityEncoder.htmlEntityEncode(qName.localpart)});
            this.operations.push(Ops.REMOVE);
        }
        if (Ops.TRUNCATE.equals(this.operations.peek())) {
            super.startElement(qName, new XMLAttributesImpl(), augmentations);
        } else if (Ops.KEEP.equals(this.operations.peek())) {
            super.startElement(qName, xMLAttributesImpl2, augmentations);
        }
    }

    private QName makeSimpleQname(String str) {
        return new QName("", str, str, "");
    }

    private void addError(String str, Object[] objArr) {
        this.errorMessages.add(ErrorMessageUtil.getMessage(this.messages, str, objArr));
    }

    public List<String> getErrorMessages() {
        return this.errorMessages;
    }
}
