package org.apache.sling.scripting.sightly.impl.engine.extension;

import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Pattern;
import org.apache.sling.scripting.sightly.SightlyException;
import org.apache.sling.scripting.sightly.compiler.expression.MarkupContext;
import org.apache.sling.scripting.sightly.extension.RuntimeExtension;
import org.apache.sling.scripting.sightly.render.RenderContext;
import org.apache.sling.xss.XSSAPI;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;
import org.osgi.service.component.annotations.ReferencePolicyOption;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

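/**
 * HTL (Sightly) runtime extension behind the {@code xss} call: applies the
 * protection appropriate for a markup context to an expression value before
 * the value is written into the rendered output.
 *
 * <p>Arguments accepted by {@code call}:
 * <ol>
 *   <li>the value to protect (turned into a string through the render
 *       context's object model);</li>
 *   <li>the context name, resolved with {@code MarkupContext.lookup};</li>
 *   <li>optionally, for the {@code attribute} context, the name of the
 *       attribute the value is written into. Only {@code src} and
 *       {@code href} promote the value to the {@code uri} context; every other
 *       attribute name keeps plain attribute encoding.</li>
 * </ol>
 *
 * <p>Security notes a template author should know:
 * <ul>
 *   <li>{@code unsafe} returns the value untouched; it is an explicit opt-out
 *       and nothing here second-guesses it.</li>
 *   <li>An unknown context never falls through to the raw value: the
 *       expression is replaced by the empty string and a warning is logged.</li>
 *   <li>Element names are limited to a fixed allow-list of HTML5 sectioning,
 *       grouping, phrasing and table elements. There is no script, style,
 *       iframe, object, form-control or media element in it; any other name
 *       becomes the empty string.</li>
 *   <li>Attribute names must match a conservative character class and must
 *       not be {@code style} or an event handler ({@code on*}). NOTE(review):
 *       URL-bearing names such as {@code href}, {@code src} or
 *       {@code formaction} pass this deny-list, so the value of such an
 *       attribute has to be protected in the {@code uri} context by the
 *       template itself.</li>
 *   <li>NOTE(review): for the {@code attribute} context only {@code src} and
 *       {@code href} are promoted to {@code uri}. Other attributes that carry
 *       URLs (for example {@code action} or {@code formaction}) receive
 *       attribute encoding only; judging by its name that encoder escapes
 *       characters rather than validating a URL scheme, so authors should
 *       request {@code context='uri'} explicitly for them. Confirm against the
 *       XSSAPI implementation in use.</li>
 * </ul>
 */
@Component(service = {RuntimeExtension.class}, property = {"org.apache.sling.scripting.sightly.extension.name=xss"})
public class XSSRuntimeExtension implements RuntimeExtension {

    private static final Logger LOG = LoggerFactory.getLogger(XSSRuntimeExtension.class);

    /** Name the extension is registered under; only used in error messages. */
    private static final String EXTENSION_NAME = "xss";

    /** Value and context name are mandatory; the attribute name is optional. */
    private static final int MIN_ARGUMENTS = 2;

    /**
     * Shape of an acceptable attribute name: a letter, underscore or colon,
     * followed by letters, digits, '-', '_', ':' or '.'. Whitespace, quotes,
     * '=', '/' and '>' are excluded, so a name can never break out of the
     * tag it is written into.
     */
    private static final Pattern VALID_ATTRIBUTE = Pattern.compile("^[a-zA-Z_:][\\-a-zA-Z0-9_:.]*$");

    /**
     * Attribute names that are never accepted from an expression, matched
     * case-insensitively: {@code style} and every event handler ({@code on*}).
     */
    private static final Pattern ATTRIBUTE_BLACKLIST = Pattern.compile("^(style|(on.*))$", Pattern.CASE_INSENSITIVE);

    /**
     * Lower-case element names that may be produced from an expression.
     * The list follows the HTML5 element catalogue (sectioning, grouping,
     * text-level and table elements); it is immutable on purpose.
     */
    private static final Set<String> ELEMENT_NAME_ALLOW_LIST = Collections.unmodifiableSet(new HashSet<>(Arrays.asList(
            // sections
            "section", "nav", "article", "aside", "h1", "h2", "h3", "h4", "h5", "h6", "header", "footer", "address",
            // grouping content
            "main", "p", "pre", "blockquote", "ul", "ol", "li", "dl", "dt", "dd", "figure", "figcaption", "div",
            // text-level semantics ("abbr" was previously misspelled "abbbr" and therefore never matched)
            "a", "em", "strong", "small", "s", "cite", "q", "dfn", "abbr", "data", "time", "code", "var", "samp",
            "kbd", "sub", "sup", "i", "b", "u", "mark", "ruby", "rt", "rp", "bdi", "bdo", "span", "br", "wbr",
            // edits
            "ins", "del",
            // tables
            "table", "caption", "colgroup", "col", "tbody", "thead", "tfoot", "tr", "td", "th")));

    /** Bound by the OSGi runtime; every encoding branch delegates to it. */
    @Reference(policyOption = ReferencePolicyOption.GREEDY)
    private XSSAPI xssApi;

    /**
     * Entry point invoked by the HTL runtime.
     *
     * @param renderContext the current render context, used to stringify the value
     * @param arguments     {@code [value, contextName, attributeName?]}, see the class comment
     * @return the protected value: the raw value for {@code unsafe}, the filtered
     *         string for a known context, the empty string for an unknown one
     * @throws SightlyException when fewer than two arguments are supplied
     */
    public Object call(RenderContext renderContext, Object... arguments) {
        if (arguments.length < MIN_ARGUMENTS) {
            throw new SightlyException(String.format("Extension %s requires at least %d arguments", EXTENSION_NAME, MIN_ARGUMENTS));
        }
        Object value = arguments[0];
        Object contextName = arguments[1];
        Object attributeName = arguments.length >= 3 ? arguments[2] : null;

        MarkupContext markupContext = null;
        if (contextName instanceof String) {
            markupContext = MarkupContext.lookup((String) contextName);
        }
        if (markupContext == MarkupContext.UNSAFE) {
            // explicit opt-out chosen by the template author
            return value;
        }
        if (markupContext == null) {
            // fail closed: an unrecognised context must not leak the raw value
            LOG.warn("Expression context {} is invalid, expression will be replaced by the empty string", contextName);
            return "";
        }
        String text = renderContext.getObjectModel().toString(value);
        return applyXSSFilter(text, attributeName, markupContext);
    }

    /**
     * Resolves the effective context of an {@code attribute} expression from
     * the attribute name hint (when one was given as a string) and delegates
     * to the per-context filter.
     */
    private String applyXSSFilter(String text, Object attributeName, MarkupContext markupContext) {
        MarkupContext effective = markupContext;
        if (markupContext == MarkupContext.ATTRIBUTE && attributeName instanceof String) {
            effective = getAttributeMarkupContext((String) attributeName);
        }
        return applyXSSFilter(text, effective);
    }

    /**
     * Applies the XSSAPI encoder or validator that belongs to a context.
     * Contexts without a dedicated filter ({@code unsafe} is handled before
     * this method is reached) return the text unchanged.
     */
    private String applyXSSFilter(String text, MarkupContext markupContext) {
        switch (markupContext) {
            case ATTRIBUTE:
                return xssApi.encodeForHTMLAttr(text);
            case COMMENT:
            case TEXT:
                return xssApi.encodeForHTML(text);
            case ATTRIBUTE_NAME:
                return escapeAttributeName(text);
            case NUMBER:
                return sanitizeNumber(text);
            case URI:
                return xssApi.getValidHref(text);
            case SCRIPT_TOKEN:
                return xssApi.getValidJSToken(text, "");
            case STYLE_TOKEN:
                return xssApi.getValidStyleToken(text, "");
            case SCRIPT_STRING:
                return xssApi.encodeForJSString(text);
            case STYLE_STRING:
                return xssApi.encodeForCSSString(text);
            case SCRIPT_COMMENT:
            case STYLE_COMMENT:
                return xssApi.getValidMultiLineComment(text, "");
            case ELEMENT_NAME:
                return escapeElementName(text);
            case HTML:
                return xssApi.filterHTML(text);
            default:
                return text;
        }
    }

    /**
     * Reduces {@code text} to the string form of a Java number so that only
     * digits, a sign, a decimal point or an exponent marker can reach the
     * output. Input containing '.', 'e' or 'E' is parsed as a double, anything
     * else as a long; {@code null} and unparseable input become {@code "0"}.
     */
    private static String sanitizeNumber(String text) {
        if (text == null) {
            return "0";
        }
        boolean looksFloating = text.contains(".") || text.contains("e") || text.contains("E");
        try {
            Number parsed = looksFloating ? Double.valueOf(text) : Long.valueOf(text);
            return parsed.toString();
        } catch (NumberFormatException e) {
            return "0";
        }
    }

    /**
     * Accepts an element name only when its trimmed, lower-cased form is on
     * {@link #ELEMENT_NAME_ALLOW_LIST}; returns the trimmed name in its
     * original case, or the empty string for {@code null} and any other name.
     * {@code Locale.ROOT} keeps the comparison independent of the JVM locale.
     */
    private static String escapeElementName(String text) {
        if (text == null) {
            return "";
        }
        String name = text.trim();
        return ELEMENT_NAME_ALLOW_LIST.contains(name.toLowerCase(Locale.ROOT)) ? name : "";
    }

    /**
     * Maps an attribute name hint to the context its value needs: {@code src}
     * and {@code href} carry URLs and get {@code uri}; everything else gets
     * plain {@code attribute} encoding.
     */
    private static MarkupContext getAttributeMarkupContext(String attributeName) {
        boolean isUrlAttribute = "src".equalsIgnoreCase(attributeName) || "href".equalsIgnoreCase(attributeName);
        return isUrlAttribute ? MarkupContext.URI : MarkupContext.ATTRIBUTE;
    }

    /**
     * Validates an attribute name: it must match {@link #VALID_ATTRIBUTE} and
     * must not be a sensitive name. Returns the trimmed name, or {@code null}
     * when the name is {@code null} or rejected. Note the asymmetry with
     * {@link #escapeElementName(String)}, which signals rejection with the
     * empty string; existing callers see {@code null} here and that is kept.
     */
    private static String escapeAttributeName(String text) {
        if (text == null) {
            return null;
        }
        String name = text.trim();
        boolean wellFormed = VALID_ATTRIBUTE.matcher(name).matches();
        if (!wellFormed || isSensitiveAttribute(name)) {
            return null;
        }
        return name;
    }

    /** True for {@code style} and any {@code on*} event-handler name, case-insensitively. */
    private static boolean isSensitiveAttribute(String attributeName) {
        return ATTRIBUTE_BLACKLIST.matcher(attributeName).matches();
    }
}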
