package net.sourceforge.pmd.lang.visualforce.rule.security;

import java.util.EnumSet;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Pattern;
import net.sourceforge.pmd.lang.ast.Node;
import net.sourceforge.pmd.lang.visualforce.ast.ASTAttribute;
import net.sourceforge.pmd.lang.visualforce.ast.ASTContent;
import net.sourceforge.pmd.lang.visualforce.ast.ASTElExpression;
import net.sourceforge.pmd.lang.visualforce.ast.ASTElement;
import net.sourceforge.pmd.lang.visualforce.ast.ASTExpression;
import net.sourceforge.pmd.lang.visualforce.ast.ASTHtmlScript;
import net.sourceforge.pmd.lang.visualforce.ast.ASTLiteral;
import net.sourceforge.pmd.lang.visualforce.ast.ASTText;
import net.sourceforge.pmd.lang.visualforce.ast.VfTokenKinds;
import net.sourceforge.pmd.lang.visualforce.rule.AbstractVfRule;
import net.sourceforge.pmd.lang.visualforce.rule.security.internal.ElEscapeDetector;

/* loaded from: input_file:net/sourceforge/pmd/lang/visualforce/rule/security/VfUnescapeElRule.class */
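/**
 * Visualforce rule that reports EL expressions ({@code {!...}}) whose identifiers are not
 * escaped for the context they are written into.
 *
 * <p>The checks visible in this class cover:
 * <ul>
 *   <li>EL expressions that are direct children of an HTML script node, which must pass the
 *       {@code JSENCODE} / {@code JSINHTMLENCODE} check;</li>
 *   <li>{@code href} / {@code src} attributes of {@code a}, {@code iframe} and
 *       {@code apex:iframe}, checked against {@code URLENCODE};</li>
 *   <li>{@code on*} event attributes of every other element, checked against {@code ANY}.</li>
 * </ul>
 *
 * <p>NOTE(review): this listing is decompiler output. The body of
 * {@link #checkApexTagsThatSupportEscaping} was not recovered and still throws, so elements for
 * which {@link #doesTagSupportEscaping} returns {@code true} are not analysed by this copy of
 * the rule. Restore that method from the original source before relying on the rule.
 */
public class VfUnescapeElRule extends AbstractVfRule {
    private static final String A_CONST = "a";
    private static final String APEXIFRAME_CONST = "apex:iframe";
    private static final String IFRAME_CONST = "iframe";
    private static final String HREF = "href";
    private static final String SRC = "src";
    private static final String APEX_PARAM = "apex:param";

    // The next six constants are not referenced by any code visible in this listing;
    // presumably they belong to checkApexTagsThatSupportEscaping, whose body was not
    // recovered. They are kept so the restored method finds them in place.
    private static final String VALUE = "value";
    private static final String ITEM_VALUE = "itemvalue";
    private static final String ESCAPE = "escape";
    private static final String ITEM_ESCAPED = "itemescaped";
    private static final String FALSE = "false";
    private static final Pattern PLACEHOLDERS = Pattern.compile("\\{(\\w|,|\\.|'|:|\\s)*\\}");

    private static final String APEX_OUTPUT_TEXT = "apex:outputtext";
    private static final String APEX_PAGE_MESSAGE = "apex:pagemessage";
    private static final String APEX_PAGE_MESSAGES = "apex:pagemessages";
    private static final String APEX_SELECT_OPTION = "apex:selectoption";

    /** Matches attribute names of the form {@code on<word chars>}, e.g. {@code onclick}. */
    private static final Pattern ON_EVENT = Pattern.compile("^on(\\w)+$");

    /** Escapings accepted for EL expressions inside a script node. */
    private static final Set<ElEscapeDetector.Escaping> JSENCODE_JSINHTMLENCODE =
            EnumSet.of(ElEscapeDetector.Escaping.JSENCODE, ElEscapeDetector.Escaping.JSINHTMLENCODE);

    /** Escaping set passed to the detector for {@code on*} event attributes. */
    private static final Set<ElEscapeDetector.Escaping> ANY_ENCODE = EnumSet.of(ElEscapeDetector.Escaping.ANY);

    /**
     * Checks the EL expressions that are direct children of a script node, then continues the
     * traversal.
     *
     * @param node the script node being visited
     * @param data the visitor data, handed to {@code asCtx} when a violation is reported
     * @return whatever the superclass visit returns
     */
    @Override
    public Object visit(ASTHtmlScript node, Object data) {
        checkIfCorrectlyEscaped(node, data);
        // The decompiled listing cast `data` to ASTHtmlScript here; the visitor data is not an
        // AST node, so that cast would fail at runtime. Pass it through unchanged.
        return super.visit(node, data);
    }

    /** Runs the script-context check on every direct {@link ASTElExpression} child of {@code script}. */
    private void checkIfCorrectlyEscaped(ASTHtmlScript script, Object data) {
        for (int i = 0; i < script.getNumChildren(); i++) {
            Node child = script.getChild(i);
            if (child instanceof ASTElExpression) {
                processElInScriptContext((ASTElExpression) child, data);
            }
        }
    }

    /** Reports {@code elExpression} unless {@link #properlyEscaped} accepts it. */
    private void processElInScriptContext(ASTElExpression elExpression, Object data) {
        if (!properlyEscaped(elExpression)) {
            asCtx(data).addViolation(elExpression);
        }
    }

    /**
     * Tells whether an EL expression found in a script node is acceptable.
     *
     * @return {@code true} when the EL node has no {@link ASTExpression} child (nothing to
     *     check), or when the detector accepts the expression for JSENCODE / JSINHTMLENCODE
     */
    private boolean properlyEscaped(ASTElExpression elExpression) {
        ASTExpression expression = elExpression.firstChild(ASTExpression.class);
        return expression == null
                || ElEscapeDetector.expressionRecursivelyValid(expression, JSENCODE_JSINHTMLENCODE);
    }

    /**
     * Dispatches an element to the check that applies to it, then continues the traversal.
     *
     * <p>Elements that support an escape flag go to {@link #checkApexTagsThatSupportEscaping};
     * every other element gets the {@code href}/{@code src} check and the {@code on*} check.
     *
     * @param node the element being visited
     * @param data the visitor data, handed to {@code asCtx} when a violation is reported
     * @return whatever the superclass visit returns
     */
    @Override
    public Object visit(ASTElement node, Object data) {
        if (doesTagSupportEscaping(node)) {
            checkApexTagsThatSupportEscaping(node, data);
        } else {
            checkLimitedFlags(node, data);
            checkAllOnEventTags(node, data);
        }
        // As in the script visit, the decompiler's cast of `data` to ASTElement is dropped:
        // it would throw ClassCastException for any data object that is not an ASTElement.
        return super.visit(node, data);
    }

    /**
     * Reports unescaped EL expressions in the {@code href} / {@code src} attributes of
     * {@code a}, {@code iframe} and {@code apex:iframe} elements.
     *
     * <p>An attribute is skipped entirely when its first text node is the attribute's first
     * child and starts with {@code /}, {@code http} or {@code mailto}. Individual EL
     * expressions are skipped when they start with a slash/http literal or with what the
     * detector calls a safe resource. Everything else is reported if it contains identifiers
     * that are not URLENCODE-escaped.
     */
    private void checkLimitedFlags(ASTElement node, Object data) {
        String elementName = node.getName();
        if (elementName == null) {
            // doesTagSupportEscaping already allows for a null name; without this guard a
            // nameless element would fail here with a NullPointerException.
            return;
        }

        // The decompiler emitted a hashCode()-based switch with a boolean selector that does
        // not compile; this is the plain switch-on-string it was generated from.
        switch (elementName.toLowerCase(Locale.ROOT)) {
            case IFRAME_CONST:
            case APEXIFRAME_CONST:
            case A_CONST:
                break;
            default:
                return;
        }

        List<ASTAttribute> attributes = node.children(ASTAttribute.class).toList();
        Set<ASTElExpression> toReport = new HashSet<>();

        for (ASTAttribute attribute : attributes) {
            String attributeName = attribute.getName().toLowerCase(Locale.ROOT);
            if (!HREF.equalsIgnoreCase(attributeName) && !SRC.equalsIgnoreCase(attributeName)) {
                continue;
            }

            // A leading literal fixes how the URL begins, so the EL that follows cannot supply
            // the scheme. NOTE(review): these are plain prefix tests, so any text that merely
            // begins with the letters "http" or "mailto" also counts as a safe start.
            boolean startsWithSafeLiteral = false;
            ASTText firstText = attribute.descendants(ASTText.class).first();
            if (firstText != null && firstText.getIndexInParent() == 0) {
                String text = firstText.getImage().toLowerCase(Locale.ROOT);
                startsWithSafeLiteral =
                        text.startsWith("/") || text.startsWith("http") || text.startsWith("mailto");
            }
            if (startsWithSafeLiteral) {
                continue;
            }

            for (ASTElExpression elExpression : attribute.descendants(ASTElExpression.class)) {
                if (startsWithSlashLiteral(elExpression) || ElEscapeDetector.startsWithSafeResource(elExpression)) {
                    continue;
                }
                if (ElEscapeDetector.doesElContainAnyUnescapedIdentifiers(
                        elExpression, ElEscapeDetector.Escaping.URLENCODE)) {
                    toReport.add(elExpression);
                }
            }
        }

        for (ASTElExpression elExpression : toReport) {
            asCtx(data).addViolation(elExpression);
        }
    }

    /**
     * Reports unescaped EL expressions inside {@code on*} event attributes of {@code node}.
     *
     * <p>EL expressions that start with a safe resource are skipped; the rest are reported
     * when the detector finds identifiers not covered by the {@code ANY} escaping set.
     */
    private void checkAllOnEventTags(ASTElement node, Object data) {
        Set<ASTElExpression> toReport = new HashSet<>();

        for (ASTAttribute attribute : node.children(ASTAttribute.class)) {
            String attributeName = attribute.getName().toLowerCase(Locale.ROOT);
            if (!ON_EVENT.matcher(attributeName).matches()) {
                continue;
            }
            for (ASTElExpression elExpression : attribute.descendants(ASTElExpression.class)) {
                if (!ElEscapeDetector.startsWithSafeResource(elExpression)
                        && ElEscapeDetector.doesElContainAnyUnescapedIdentifiers(elExpression, ANY_ENCODE)) {
                    toReport.add(elExpression);
                }
            }
        }

        for (ASTElExpression elExpression : toReport) {
            asCtx(data).addViolation(elExpression);
        }
    }

    /**
     * Tells whether an EL expression begins with a string literal that looks like a path or
     * an http(s) URL.
     *
     * @return {@code true} when the first literal of the expression is its first child and its
     *     image, lower-cased, starts with a quote followed by {@code /} or {@code http}
     */
    private boolean startsWithSlashLiteral(ASTElExpression elExpression) {
        ASTExpression expression = elExpression.firstChild(ASTExpression.class);
        if (expression == null) {
            return false;
        }
        ASTLiteral literal = expression.firstChild(ASTLiteral.class);
        if (literal == null || literal.getIndexInParent() != 0) {
            return false;
        }
        // The image still carries its opening quote, hence the two quote variants.
        String image = literal.getImage().toLowerCase(Locale.ROOT);
        return image.startsWith("'/")
                || image.startsWith("\"/")
                || image.startsWith("'http")
                || image.startsWith("\"http");
    }

    /**
     * Check for elements that support an escape flag (see {@link #doesTagSupportEscaping}).
     *
     * <p>NOTE(review): the decompiler reported "Code decompiled incorrectly" for this method
     * (485 instructions, several duplicated regions removed) and emitted only this throwing
     * stub. The real logic is not visible here and has not been reconstructed. While the stub
     * is in place, {@link #visit(ASTElement, Object)} throws for every element that supports
     * escaping, so this copy performs no check on those tags.
     *
     * @throws UnsupportedOperationException always, until the body is restored
     */
    private void checkApexTagsThatSupportEscaping(ASTElement node, Object data) {
        throw new UnsupportedOperationException("Method not decompiled: net.sourceforge.pmd.lang.visualforce.rule.security.VfUnescapeElRule.checkApexTagsThatSupportEscaping(net.sourceforge.pmd.lang.visualforce.ast.ASTElement, java.lang.Object):void");
    }

    /**
     * Tells whether {@code node} is one of the tags this rule treats as supporting an escape
     * flag: {@code apex:outputText}, {@code apex:pageMessage}, {@code apex:pageMessages} or
     * {@code apex:selectOption} (compared case-insensitively).
     *
     * @return {@code false} for a nameless element or any other tag
     */
    private boolean doesTagSupportEscaping(ASTElement node) {
        String elementName = node.getName();
        if (elementName == null) {
            return false;
        }
        // Plain switch-on-string in place of the decompiler's non-compiling hashCode() form.
        switch (elementName.toLowerCase(Locale.ROOT)) {
            case APEX_OUTPUT_TEXT:
            case APEX_PAGE_MESSAGE:
            case APEX_PAGE_MESSAGES:
            case APEX_SELECT_OPTION:
                return true;
            default:
                return false;
        }
    }

    /**
     * Collects the unescaped EL expressions found in the attributes of {@code apex:param}
     * elements that are direct children of the element's first content node.
     *
     * <p>EL expressions that start with a safe resource are skipped; the rest are collected
     * when they contain identifiers that are not HTMLENCODE-escaped. No caller is visible in
     * this listing; presumably the method is used by {@link #checkApexTagsThatSupportEscaping}.
     *
     * @return the offending EL expressions, empty when the element has no content node
     */
    private Set<ASTElExpression> hasELInInnerElements(ASTElement node) {
        Set<ASTElExpression> unescaped = new HashSet<>();
        ASTContent content = node.firstChild(ASTContent.class);
        if (content == null) {
            return unescaped;
        }

        for (ASTElement child : content.children(ASTElement.class)) {
            if (!APEX_PARAM.equalsIgnoreCase(child.getName())) {
                continue;
            }
            for (ASTAttribute attribute : child.children(ASTAttribute.class)) {
                for (ASTElExpression elExpression : attribute.descendants(ASTElExpression.class)) {
                    if (!ElEscapeDetector.startsWithSafeResource(elExpression)
                            && ElEscapeDetector.doesElContainAnyUnescapedIdentifiers(
                                    elExpression, ElEscapeDetector.Escaping.HTMLENCODE)) {
                        unescaped.add(elExpression);
                    }
                }
            }
        }
        return unescaped;
    }
}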
