optimuse
diff --git a/‎coverage-report/pom.xml‎
Lines changed: 10 additions & 1 deletion b/‎coverage-report/pom.xml‎
Lines changed: 10 additions & 1 deletion
diff --git a/‎coverage-report/src/test/java/org/jooby/issues/Issue475.java‎
Lines changed: 35 additions & 0 deletions b/‎coverage-report/src/test/java/org/jooby/issues/Issue475.java‎
Lines changed: 35 additions & 0 deletions
diff --git a/‎jooby-csl/pom.xml‎
Lines changed: 102 additions & 0 deletions b/‎jooby-csl/pom.xml‎
Lines changed: 102 additions & 0 deletions
diff --git a/‎jooby-csl/src/main/java/org/jooby/xss/XSS.java‎
Lines changed: 80 additions & 0 deletions b/‎jooby-csl/src/main/java/org/jooby/xss/XSS.java‎
Lines changed: 80 additions & 0 deletions
diff --git a/‎jooby-csl/src/test/java/csl/XssApp.java‎
Lines changed: 22 additions & 0 deletions b/‎jooby-csl/src/test/java/csl/XssApp.java‎
Lines changed: 22 additions & 0 deletions
diff --git a/‎jooby-scanner/pom.xml‎
Lines changed: 0 additions & 1 deletion b/‎jooby-scanner/pom.xml‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎md/cors.md‎
Lines changed: 0 additions & 2 deletions b/‎md/cors.md‎
Lines changed: 0 additions & 2 deletions
diff --git a/‎md/doc/csl/csl.md‎
Lines changed: 54 additions & 0 deletions b/‎md/doc/csl/csl.md‎
Lines changed: 54 additions & 0 deletions
diff --git a/‎md/doc/index.md‎
Lines changed: 2 additions & 2 deletions b/‎md/doc/index.md‎
Lines changed: 2 additions & 2 deletions
@@ -82,6 +82,7 @@
                     <source>${project.parent.basedir}/jooby-couchbase/src/main/java</source>
                     <source>${project.parent.basedir}/jooby-cassandra/src/main/java</source>
                     <source>${project.parent.basedir}/jooby-scanner/src/main/java</source>
+                    <source>${project.parent.basedir}/jooby-csl/src/main/java</source>
                   </sources>
                 </configuration>
               </execution>
@@ -139,6 +140,7 @@
                     <source>${project.parent.basedir}/jooby-couchbase/src/test/java</source>
                     <source>${project.parent.basedir}/jooby-cassandra/src/test/java</source>
                     <source>${project.parent.basedir}/jooby-scanner/src/test/java</source>
+                    <source>${project.parent.basedir}/jooby-csl/src/test/java</source>
                   </sources>
                 </configuration>
               </execution>
@@ -216,7 +218,8 @@
                 <include>**/*Feature.java</include>
                 <include>**/*Issue*.java</include>
               </includes>
-              <argLine>-Xmx1024m -XX:MaxPermSize=256m -Xbootclasspath/p:${settings.localRepository}/org/mortbay/jetty/alpn/alpn-boot/${alpn-boot.version}/alpn-boot-${alpn-boot.version}.jar</argLine>
+              <argLine>-Xmx1024m -XX:MaxPermSize=256m
+                -Xbootclasspath/p:${settings.localRepository}/org/mortbay/jetty/alpn/alpn-boot/${alpn-boot.version}/alpn-boot-${alpn-boot.version}.jar</argLine>
               <systemPropertyVariables>
                 <!-- JaCoCo runtime must know where to dump coverage: -->
                 <jacoco-agent.destfile>target${file.separator}jacoco.exec</jacoco-agent.destfile>
@@ -410,6 +413,12 @@
       <version>${project.version}</version>
     </dependency>
 
+    <dependency>
+      <groupId>org.jooby</groupId>
+      <artifactId>jooby-csl</artifactId>
+      <version>${project.version}</version>
+    </dependency>
+
     <!-- H2 database -->
     <dependency>
       <groupId>com.h2database</groupId>
 
@@ -0,0 +1,35 @@
+package org.jooby.issues;
+
+import org.jooby.test.ServerFeature;
+import org.jooby.xss.XSS;
+import org.junit.Test;
+
+public class Issue475 extends ServerFeature {
+
+  {
+    use(new XSS());
+
+    get("/475/text", req -> {
+      return req.param("text", "html").value();
+    });
+
+    get("/475/js", req -> {
+      return req.param("text", "js").value();
+    });
+  }
+
+  @Test
+  public void escapeHtml() throws Exception {
+    request()
+        .get("/475/text?text=%3Ch1%3EX%3C/h1%3E")
+        .expect("&lt;h1&gt;X&lt;&#x2F;h1&gt;");
+  }
+
+  @Test
+  public void escapeJs() throws Exception {
+    request()
+        .get("/475/js?text=%3Cscript%3Ealert(%27xss%27)%3C/script%3E")
+        .expect("\\u003Cscript\\u003Ealert(\\u0027xss\\u0027)\\u003C\\u002Fscript\\u003E");
+  }
+
+}
@@ -0,0 +1,102 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+
+  <parent>
+    <groupId>org.jooby</groupId>
+    <artifactId>jooby-project</artifactId>
+    <version>1.0.0.Final</version>
+  </parent>
+
+  <modelVersion>4.0.0</modelVersion>
+  <artifactId>jooby-csl</artifactId>
+
+  <name>xss-csl module</name>
+
+  <build>
+    <plugins>
+      <!-- sure-fire -->
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-surefire-plugin</artifactId>
+        <configuration>
+          <includes>
+            <include>**/*Test.java</include>
+            <include>**/*Feature.java</include>
+            <include>**/Issue*.java</include>
+          </includes>
+        </configuration>
+      </plugin>
+
+    </plugins>
+  </build>
+
+  <dependencies>
+    <!-- Jooby -->
+    <dependency>
+      <groupId>org.jooby</groupId>
+      <artifactId>jooby</artifactId>
+    </dependency>
+
+    <dependency>
+      <groupId>com.coverity.security</groupId>
+      <artifactId>coverity-escapers</artifactId>
+    </dependency>
+
+    <!-- Test dependencies -->
+    <dependency>
+      <groupId>org.jooby</groupId>
+      <artifactId>jooby</artifactId>
+      <version>${project.version}</version>
+      <scope>test</scope>
+      <classifier>tests</classifier>
+    </dependency>
+
+    <dependency>
+      <groupId>org.jooby</groupId>
+      <artifactId>jooby-netty</artifactId>
+      <version>${project.version}</version>
+      <scope>test</scope>
+    </dependency>
+
+    <dependency>
+      <groupId>org.jooby</groupId>
+      <artifactId>jooby-jackson</artifactId>
+      <version>${project.version}</version>
+      <scope>test</scope>
+    </dependency>
+
+    <dependency>
+      <groupId>junit</groupId>
+      <artifactId>junit</artifactId>
+      <scope>test</scope>
+    </dependency>
+
+    <dependency>
+      <groupId>org.easymock</groupId>
+      <artifactId>easymock</artifactId>
+      <scope>test</scope>
+    </dependency>
+
+    <dependency>
+      <groupId>org.powermock</groupId>
+      <artifactId>powermock-api-easymock</artifactId>
+      <scope>test</scope>
+    </dependency>
+
+    <dependency>
+      <groupId>org.powermock</groupId>
+      <artifactId>powermock-module-junit4</artifactId>
+      <scope>test</scope>
+    </dependency>
+
+    <dependency>
+      <groupId>org.jacoco</groupId>
+      <artifactId>org.jacoco.agent</artifactId>
+      <classifier>runtime</classifier>
+      <scope>test</scope>
+    </dependency>
+
+  </dependencies>
+
+</project>
@@ -0,0 +1,80 @@
+package org.jooby.xss;
+
+import org.jooby.Env;
+import org.jooby.Jooby.Module;
+
+import com.coverity.security.Escape;
+import com.google.inject.Binder;
+import com.typesafe.config.Config;
+
+/**
+ * <h1>xss</h1>
+ * <p>
+ * Lightweight set of escaping routines for fixing cross-site scripting (XSS) via
+ * <a href="https://github.com/coverity/coverity-security-library">coverity-security-library</a>
+ * </p>
+ *
+ * <h2>exports</h2>
+ * <ul>
+ * <li><strong>html</strong> escaper: HTML entity escaping for text content and attributes.</li>
+ * <li><strong>htmlText</strong> escaper: Faster HTML entity escaping for tag content or quoted
+ * attributes values only.</li>
+ * <li><strong>js</strong> escaper: JavaScript String Unicode escaper.</li>
+ * <li><strong>jsRegex</strong> escaper: JavaScript regex content escaper.</li>
+ * <li><strong>css</strong> escaper: CSS String escaper.</li>
+ * <li><strong>uri</strong> escaper: URI encoder.</li>
+ * </ul>
+ *
+ * <h2>usage</h2>
+ * <pre>{@code
+ * {
+ *   use(new XSS());
+ *
+ *   post("/", req -> {
+ *     String safeHtml = req.param("text", "html").value();
+ *   });
+ * }
+ * }</pre>
+ *
+ * <p>
+ * Nested context are supported by providing multiple encoders:
+ * </p>
+ *
+ * <pre>{@code
+ * {
+ *   use(new XSS());
+ *
+ *   post("/", req -> {
+ *     String safeHtml = req.param("text", "js", "html", "uri").value();
+ *   });
+ * }
+ * }</pre>
+ *
+ * <p>
+ * Encoders run in the order they are provided.
+ * </p>
+ * <p>
+ * If you want to learn more about nested context and why they are important have a look at this
+ * <a href=
+ * "http://security.coverity.com/document/2013/Mar/fixing-xss-a-practical-guide-for-developers.html">nice
+ * guide</code> from
+ * <a href="https://github.com/coverity/coverity-security-library">coverity-security-library</a>.
+ * </p>
+ *
+ * @author edgar
+ * @since 1.0.0
+ */
+public class XSS implements Module {
+
+  @Override
+  public void configure(final Env env, final Config conf, final Binder binder) {
+    // contribute CSL escape functions
+    env.xss("html", Escape::html)
+        .xss("htmlText", Escape::htmlText)
+        .xss("js", Escape::jsString)
+        .xss("jsRegex", Escape::jsRegex)
+        .xss("css", Escape::cssString)
+        .xss("uri", Escape::uri);
+  }
+
+}
@@ -0,0 +1,22 @@
+package csl;
+
+import org.jooby.Jooby;
+import org.jooby.xss.XSS;
+
+public class XssApp extends Jooby {
+
+  {
+    use(new XSS());
+
+    get("/param", req -> "<html><body><a href=>" + req.param("p", "html").value() + "</html></body>");
+
+    get("/h", req -> "<html><body>" + req.header("h", "html").value("<h1>X</h1>") + "</html></body>");
+
+    get("*", req -> req.path(true));
+
+  }
+
+  public static void main(final String[] args) {
+    run(XssApp::new, args);
+  }
+}
@@ -41,7 +41,6 @@
     <dependency>
       <groupId>io.github.lukehutch</groupId>
       <artifactId>fast-classpath-scanner</artifactId>
-      <version>1.99.0</version>
     </dependency>
 
     <!-- Test dependencies -->
 
@@ -7,9 +7,7 @@ Cross-origin resource sharing (CORS) is a mechanism that allows restricted resou
 
 ```java
 {
-
   use("*", new CorsHandler());
-
 }
 ```
 
 
@@ -0,0 +1,54 @@
+# xss
+
+Lightweight set of escaping routines for fixing cross-site scripting (XSS) via <a href="https://github.com/coverity/coverity-security-library">coverity-security-library</a>
+
+## dependency
+
+```xml
+<dependency>
+ <groupId>org.jooby</groupId>
+ <artifactId>jooby-xss</artifactId>
+ <version>{{version}}</version>
+</dependency>
+```
+
+## exports
+
+* **html** escaper: HTML entity escaping for text content and attributes. 
+* **htmlText** escaper: Faster HTML entity escaping for tag content or quoted attributes values only. 
+* **js** escaper: JavaScript String Unicode escaper. 
+* **jsRegex** escaper: JavaScript regex content escaper. 
+* **css** escaper: CSS String escaper. 
+* **uri** escaper: URI encoder. 
+
+## usage
+
+```java
+{
+  use(new XSS());
+
+  post("/", req -> {
+
+    String safeHtml = req.param("text", "html").value();
+  });
+
+}
+```
+
+Nested context are supported by providing multiple encoders:
+
+```java
+{
+  use(new XSS());
+
+  post("/", req -> {
+
+    String safeHtml = req.param("text", "js", "html", "uri").value();
+  });
+
+}
+```
+
+Encoders run in the order they are provided.
+
+If you want to learn more about nested context and why they are important have a look at this <a href="http://security.coverity.com/document/2013/Mar/fixing-xss-a-practical-guide-for-developers.html">nice guide from </a><a href="https://github.com/coverity/coverity-security-library">coverity-security-library</a>.
@@ -48,8 +48,8 @@ documentation
 
 {{cors.md}}
 
-{{javascript.md}}
-
 {{https.md}}
 
+{{javascript.md}}
+
 {{appendix}}
Original file line number	Diff line number	Diff line change
`@@ -7,9 +7,7 @@ Cross-origin resource sharing (CORS) is a mechanism that allows restricted resou`
`7`	`7`
`8`	`8`	```java
`9`	`9`	`{`
`10`		`-`
`11`	`10`	`use("*", new CorsHandler());`
`12`		`-`
`13`	`11`	`}`
`14`	`12`	```
`15`	`13`