package org.xwiki.xml.internal.html;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;

import javax.inject.Inject;
import javax.inject.Named;
import javax.inject.Singleton;

import org.apache.commons.lang3.StringUtils;
import org.xwiki.component.annotation.Component;
import org.xwiki.component.phase.Initializable;
import org.xwiki.component.phase.InitializationException;
import org.xwiki.stability.Unstable;
import org.xwiki.xml.Sax2Dom;
import org.xwiki.xml.html.HTMLConstants;
import org.xwiki.xml.html.HTMLElementSanitizer;

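/**
 * Allow-list based {@link HTMLElementSanitizer}: an element or attribute is rejected unless one of the definition
 * sets ({@link HTMLDefinitions}, {@link SVGDefinitions}, {@link MathMLDefinitions}) or the configured extras accepts
 * it, and the configured forbid lists always win over any allow list. Attribute values are inspected for a URI
 * scheme unless the attribute is known to be URI-safe; {@code data-*} and {@code aria-*} attributes are accepted on
 * their name alone. All allow/forbid sets are filled from {@link HTMLElementSanitizerConfiguration} in
 * {@link #initialize()}.
 */
@Named(SecureHTMLElementSanitizer.HINT)
@Singleton
@Component
@Unstable
public class SecureHTMLElementSanitizer implements HTMLElementSanitizer, Initializable {
    /** Component hint under which this sanitizer is registered. */
    public static final String HINT = "secure";

    /** Values starting with any {@code *script:} scheme (e.g. {@code javascript:}) or {@code data:}. */
    static final Pattern IS_SCRIPT_OR_DATA = Pattern.compile("^(?:\\w+script|data):", Pattern.CASE_INSENSITIVE);

    /** Whitespace and control characters that are removed from a value before its scheme is examined. */
    static final Pattern ATTR_WHITESPACE =
        Pattern.compile("[\\u0000-\\u0020\\u00A0\\u1680\\u180E\\u2000-\\u2029\\u205F\\u3000]");

    /** {@code data-*} attribute names: at least one XML-compatible character after the dash. */
    static final Pattern DATA_ATTR = Pattern.compile("^data-[\\-\\w.\\u00B7-\\uFFFF]");

    /** {@code aria-*} attribute names. */
    static final Pattern ARIA_ATTR = Pattern.compile("^aria-[\\-\\w]+$");

    /** Default set of URI schemes accepted in URI-carrying attributes (overridable by configuration). */
    static final Pattern IS_ALLOWED_URI =
        Pattern.compile("^(?:(?:f|ht)tps?|mailto|tel|callto|cid|xmpp):", Pattern.CASE_INSENSITIVE);

    /** Values that do not start with a {@code scheme:} prefix and therefore carry no scheme to check. */
    static final Pattern IS_NO_URI =
        Pattern.compile("^(?:[^a-z]|[a-z+.\\-]+(?:[^a-z+.\\-:]|$))", Pattern.CASE_INSENSITIVE);

    @Inject
    private HTMLElementSanitizerConfiguration htmlElementSanitizerConfiguration;

    @Inject
    private HTMLDefinitions htmlDefinitions;

    @Inject
    private SVGDefinitions svgDefinitions;

    @Inject
    private MathMLDefinitions mathMLDefinitions;

    /** When true, schemes not matched by {@link #allowedUriPattern} are accepted unless they are script/data. */
    private boolean allowUnknownProtocols;

    /** Elements whose src/href/xlink:href may hold a {@code data:} URI. Extended by configuration. */
    private final Set<String> dataUriTags =
        new HashSet<>(Arrays.asList("audio", "video", HTMLConstants.TAG_IMG, "source", "image", "track"));

    /** Attributes whose value is never interpreted as a URI and is therefore not inspected. Extended by configuration. */
    private final Set<String> uriSafeAttributes = new HashSet<>(Arrays.asList(HTMLConstants.ATTRIBUTE_ALT,
        HTMLConstants.ATTRIBUTE_CLASS, "for", HTMLConstants.ATTRIBUTE_ID, "label", HTMLConstants.ATTRIBUTE_NAME,
        "pattern", "placeholder", "role", "summary", "title", "value", "style", Sax2Dom.XMLNS_PREFIX));

    /** Namespaced XML attributes that are always allowed by name (their value is still inspected). */
    private final Set<String> xmlAttributes =
        new HashSet<>(Arrays.asList("xlink:href", "xml:id", "xlink:title", "xml:space", "xmlns:xlink"));

    private final Set<String> extraAllowedTags = new HashSet<>();

    private final Set<String> extraAllowedAttributes = new HashSet<>();

    private final Set<String> forbidTags = new HashSet<>();

    private final Set<String> forbidAttributes = new HashSet<>();

    /** Scheme allow list in use; {@link #IS_ALLOWED_URI} unless the configuration provides its own regexp. */
    private Pattern allowedUriPattern = IS_ALLOWED_URI;

    /**
     * Loads the extra/forbidden tags and attributes, the URI-safe attributes, the data-URI tags and the optional
     * custom URI scheme regexp from the configuration.
     *
     * @throws InitializationException when the configured allowed-URI regexp is not a valid regular expression
     */
    @Override
    public void initialize() throws InitializationException {
        this.extraAllowedTags.addAll(this.htmlElementSanitizerConfiguration.getExtraAllowedTags());
        this.extraAllowedAttributes.addAll(this.htmlElementSanitizerConfiguration.getExtraAllowedAttributes());
        this.uriSafeAttributes.addAll(this.htmlElementSanitizerConfiguration.getExtraUriSafeAttributes());
        this.dataUriTags.addAll(this.htmlElementSanitizerConfiguration.getExtraDataUriTags());
        this.allowUnknownProtocols = this.htmlElementSanitizerConfiguration.isAllowUnknownProtocols();
        this.forbidTags.addAll(this.htmlElementSanitizerConfiguration.getForbidTags());
        this.forbidAttributes.addAll(this.htmlElementSanitizerConfiguration.getForbidAttributes());

        String allowedUriRegexp = this.htmlElementSanitizerConfiguration.getAllowedUriRegexp();
        if (StringUtils.isNotBlank(allowedUriRegexp)) {
            try {
                this.allowedUriPattern = Pattern.compile(allowedUriRegexp, Pattern.CASE_INSENSITIVE);
            } catch (PatternSyntaxException e) {
                // Surface a broken configuration as an initialization failure instead of an unchecked exception.
                throw new InitializationException(
                    "Invalid allowed URI regular expression [" + allowedUriRegexp + "]", e);
            }
        }
    }

    /**
     * {@inheritDoc}
     * <p>
     * The element name is compared as given (it is not lower-cased here, unlike attribute names): a forbidden
     * element is always rejected, otherwise the element must be in the extra allowed tags or in one of the
     * HTML/SVG/MathML safe-tag definitions.
     */
    @Override // org.xwiki.xml.html.HTMLElementSanitizer
    public boolean isElementAllowed(String elementName) {
        if (this.forbidTags.contains(elementName)) {
            return false;
        }
        return this.extraAllowedTags.contains(elementName) || isElementSafe(elementName);
    }

    /**
     * @param elementName the element name
     * @return true when any of the HTML, SVG or MathML definitions lists the element as safe
     */
    private boolean isElementSafe(String elementName) {
        return this.htmlDefinitions.isSafeTag(elementName)
            || this.svgDefinitions.isSafeTag(elementName)
            || this.mathMLDefinitions.isSafeTag(elementName);
    }

    /**
     * {@inheritDoc}
     * <p>
     * Element and attribute names are lower-cased with {@link Locale#ROOT} so that the comparison against the
     * (lower-case) allow and forbid lists does not depend on the JVM default locale. A forbidden attribute is always
     * rejected. {@code data-*} and {@code aria-*} attributes are accepted on their name alone; any other attribute
     * must be allowed by name and its value must pass {@link #isAllowedValue(String, String, String)}.
     */
    @Override // org.xwiki.xml.html.HTMLElementSanitizer
    public boolean isAttributeAllowed(String elementName, String attributeName, String value) {
        String lcElement = elementName.toLowerCase(Locale.ROOT);
        String lcAttribute = attributeName.toLowerCase(Locale.ROOT);

        if (this.forbidAttributes.contains(lcAttribute)) {
            return false;
        }
        // data-* / aria-* attributes: only the name is checked, the value is not inspected.
        if (DATA_ATTR.matcher(lcAttribute).find() || ARIA_ATTR.matcher(lcAttribute).find()) {
            return true;
        }
        return isAttributeAllowed(lcAttribute) && isAllowedValue(lcElement, lcAttribute, value);
    }

    /**
     * Checks whether an attribute value is acceptable, i.e. does not smuggle in an unwanted URI scheme.
     *
     * @param lcElement the lower-cased element name
     * @param lcAttribute the lower-cased attribute name
     * @param value the raw attribute value, may be null
     * @return true for blank values, URI-safe attributes, values without a scheme, values whose scheme is in the
     *         allowed pattern, allowed {@code data:} values, or (when unknown protocols are allowed) any scheme
     *         that is not a script or data scheme
     */
    private boolean isAllowedValue(String lcElement, String lcAttribute, String value) {
        if (StringUtils.isBlank(value)) {
            return true;
        }
        // Whitespace/control characters are removed first so that they cannot split a scheme and hide it from
        // the scheme patterns below.
        String stripped = ATTR_WHITESPACE.matcher(value).replaceAll("");
        return this.uriSafeAttributes.contains(lcAttribute)
            || IS_NO_URI.matcher(stripped).find()
            || this.allowedUriPattern.matcher(stripped).find()
            || isAllowedDataValue(lcElement, lcAttribute, value)
            || (this.allowUnknownProtocols && !isScriptOrData(value));
    }

    /**
     * @param lcAttribute the lower-cased attribute name
     * @return true when the attribute is allowed by name through the configured extras, the HTML/SVG/MathML
     *         definitions or the namespaced XML attribute list
     */
    private boolean isAttributeAllowed(String lcAttribute) {
        return this.extraAllowedAttributes.contains(lcAttribute)
            || this.htmlDefinitions.isAllowedAttribute(lcAttribute)
            || this.svgDefinitions.isAllowedAttribute(lcAttribute)
            || this.mathMLDefinitions.isAllowedAttribute(lcAttribute)
            || this.xmlAttributes.contains(lcAttribute);
    }

    /**
     * @param value the raw attribute value
     * @return true when the value, with whitespace/control characters removed, starts with a script or data scheme
     */
    private boolean isScriptOrData(String value) {
        return IS_SCRIPT_OR_DATA.matcher(ATTR_WHITESPACE.matcher(value).replaceAll("")).find();
    }

    /**
     * Decides whether a {@code data:} URI may be used as the value of a src/href/xlink:href attribute.
     *
     * @param lcElement the lower-cased element name
     * @param lcAttribute the lower-cased attribute name
     * @param value the raw attribute value; it must literally start with {@code data:} (leading whitespace is not
     *            stripped here)
     * @return true only for src/href/xlink:href on a non-script element listed in the data-URI tags
     */
    private boolean isAllowedDataValue(String lcElement, String lcAttribute, String value) {
        boolean uriAttribute = HTMLConstants.ATTRIBUTE_SRC.equals(lcAttribute)
            || "xlink:href".equals(lcAttribute)
            || HTMLConstants.ATTRIBUTE_HREF.equals(lcAttribute);
        return uriAttribute
            && !HTMLConstants.TAG_SCRIPT.equals(lcElement)
            && value.startsWith("data:")
            && this.dataUriTags.contains(lcElement);
    }
}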
