feat: add improvements from maintainers

Author: Ivan-Montes

core/src/main/java/com/linecorp/armeria/server/docs/DocService.java

@@ -164,8 +164,7 @@ private DocService(ExampleSupport exampleSupport,
     }
 
     private DocService(SpecificationLoader specificationLoader,
-                       List<BiFunction<ServiceRequestContext, HttpRequest, String>> injectedScriptSuppliers
-                       ) {
+                       List<BiFunction<ServiceRequestContext, HttpRequest, String>> injectedScriptSuppliers) {
         super(FileService.builder(new DocServiceVfs(specificationLoader))
                          .serveCompressedFiles(true)
                          .autoDecompress(true)
@@ -269,7 +268,7 @@ static final class SpecificationLoader {
             this.exampleSupport = exampleSupport;
             this.filter = filter;
             this.descriptiveTypeInfoProvider = composeDescriptiveTypeInfoProvider(descriptiveTypeInfoProvider);
-            this.docServiceExtraInfo = requireNonNull(docServiceExtraInfo,"docServiceExtraInfo");
+            this.docServiceExtraInfo = requireNonNull(docServiceExtraInfo, "docServiceExtraInfo");
         }
 
         boolean contains(String path) {

core/src/main/java/com/linecorp/armeria/server/docs/DocServiceBuilder.java

@@ -24,7 +24,6 @@
 import java.util.List;
 import java.util.Map;
 import java.util.function.BiFunction;
-import java.util.regex.Pattern;
 
 import com.google.common.collect.ArrayListMultimap;
 import com.google.common.collect.ImmutableList;
@@ -561,14 +560,11 @@ private static String[] guessAndSerializeExampleRequest(Object exampleRequest) {
     public DocServiceBuilder webAppTitle(String webAppTitle) {
         final String webAppTitleKey = "webAppTitle";
         final Integer webAppTitleMaxSize = 50;
-        final String webAppTitlePattern = "<[^>]*>";
         requireNonNull(webAppTitle, webAppTitleKey);
         checkArgument(!webAppTitle.trim().isEmpty(), "%s is empty.", webAppTitleKey);
         checkArgument(webAppTitle.length() <= webAppTitleMaxSize,
                       "%s length exceeds %s.", webAppTitleKey, webAppTitleMaxSize);
-        final String webAppTitlePatternSanitized = Pattern.compile(webAppTitlePattern).matcher(webAppTitle)
-                                                          .replaceAll("").trim();
-        docServiceExtraInfo.putIfAbsent(webAppTitleKey, webAppTitlePatternSanitized);
+        docServiceExtraInfo.putIfAbsent(webAppTitleKey, webAppTitle);
         return this;
     }
 

core/src/main/java/com/linecorp/armeria/server/docs/DocServiceInjectedScriptsUtil.java

@@ -1,7 +1,7 @@
 /*
- *  Copyright 2025 LINE Corporation
+ *  Copyright 2025 LY Corporation
  *
- *  LINE Corporation licenses this file to you under the Apache License,
+ *  LY Corporation licenses this file to you under the Apache License,
  *  version 2.0 (the "License"); you may not use this file except in compliance
  *  with the License. You may obtain a copy of the License at:
  *
@@ -18,6 +18,8 @@
 import static com.google.common.base.Preconditions.checkArgument;
 import static java.util.Objects.requireNonNull;
 
+import java.net.URI;
+import java.net.URISyntaxException;
 import java.util.regex.Pattern;
 
 import com.google.common.collect.ImmutableSet;
@@ -32,6 +34,7 @@ public final class DocServiceInjectedScriptsUtil {
     private static final String SAFE_DOM_HOOK = "data-js-target";
     private static final ImmutableSet<String> ALLOWED_FAVICON_EXTENSIONS =
             ImmutableSet.of(".ico", ".png", ".svg");
+    private static final ImmutableSet<String> ALLOWED_SCHEMES = ImmutableSet.of("http", "https");
 
     /**
      * Returns a js script to change the title background color.
@@ -40,11 +43,11 @@ public final class DocServiceInjectedScriptsUtil {
      * @return the js script
      */
     public static String withTitleBackground(String color) {
-      final String titleBackgroundKey = "titleBackground";
-      final String targetAttr = "main-app-bar";
-      validateHexColor(color, titleBackgroundKey);
+        final String titleBackgroundKey = "titleBackground";
+        final String targetAttr = "main-app-bar";
+        validateHexColor(color, titleBackgroundKey);
 
-      return buildStyleScript(color, targetAttr);
+        return buildStyleScript(color, targetAttr);
     }
 
     /**
@@ -64,111 +67,139 @@ public static String withGotoBackground(String color) {
     /**
      * Returns a js script to change the web favicon.
      *
-     * @param url the url string to set
+     * @param uri the uri string to set
      * @return the js script
      */
-    public static String withFavicon(String url) {
+    public static String withFavicon(String uri) {
         final String faviconKey = "favicon";
-        validateFaviconUrl(url, faviconKey);
+        validateFaviconUri(uri, faviconKey);
 
-        return buildFaviconScript(escapeForJavaScriptUrl(url));
+        return buildFaviconScript(escapeJavaScriptUri(uri));
     }
 
     private DocServiceInjectedScriptsUtil() {}
 
     /**
-     * Validates the favicon url.
+     * Validates that the given color is a non-null, non-empty, character hex color string.
      *
-     * @param url the url string to validate
+     * @param color the color string to validate
      * @param key the name used in error messages
      */
-    private static void validateFaviconUrl(String url, String key) {
-        requireNonNull(url, key);
-        checkArgument(!url.trim().isEmpty(), "%s is empty.", key);
-        checkArgument(hasValidFaviconExtension(url), "%s extension not allowed.",key);
+    private static void validateHexColor(String color, String key) {
+        requireNonNull(color, key);
+        checkArgument(!color.trim().isEmpty(), "%s is empty.", key);
+        checkArgument(color.length() <= MAX_COLOR_LENGTH,
+                      "%s length exceeds %s.", key, MAX_COLOR_LENGTH);
+        checkArgument(Pattern.matches(HEX_COLOR_PATTERN, color),
+                      "%s not in hex format: %s.", key, color);
+    }
+
+    /**
+     * Builds a JavaScript snippet that sets the background color of a DOM element.
+     *
+     * @param color the background color in hex format
+     * @param targetAttr the value of the target attribute to match
+     * @return a JavaScript string that applies the background color to the element
+     */
+    private static String buildStyleScript(String color, String targetAttr) {
+        return "{\n" +
+               "  const element = document.querySelector('[" + SAFE_DOM_HOOK + "=\"" + targetAttr + "\"]');\n" +
+               "  if (element) {\n" +
+               "    element.style.backgroundColor = '" + color + "';\n" +
+               "  }\n}\n";
+    }
+
+    /**
+     * Validates the favicon uri.
+     *
+     * @param uri the uri string to validate
+     * @param key the name used in error messages
+     */
+    private static void validateFaviconUri(String uri, String key) {
+        requireNonNull(uri, key);
+        checkArgument(!uri.trim().isEmpty(), "%s is empty.", key);
+        checkArgument(isValidUri(uri), "%s uri invalid.", key);
+        checkArgument(hasValidFaviconExtension(uri), "%s extension not allowed.",key);
+    }
+
+    /**
+     * Check if the input is a valid URI.
+     * @param input the uri string to validate
+     * @return true if is valid
+     */
+    public static boolean isValidUri(String input) {
+        try {
+            final URI uri = new URI(input);
+            final String scheme = uri.getScheme();
+            if (scheme == null) {
+              return true;
+            }
+            return ALLOWED_SCHEMES.contains(scheme.toLowerCase());
+        } catch (URISyntaxException e) {
+            return false;
+        }
     }
 
     /**
      * Validates the favicon extension.
      *
-     * @param url the url string
+     * @param uri the uri string
      * @return the result of validation
      */
-    private static boolean hasValidFaviconExtension(String url) {
-        final String lowerUrl = url.toLowerCase();
+    private static boolean hasValidFaviconExtension(String uri) {
+        final String lowerUrl = uri.toLowerCase();
         return ALLOWED_FAVICON_EXTENSIONS.stream()
                      .anyMatch(lowerUrl::endsWith);
     }
 
     /**
-     * Escapes special characters in a string to safely embed it in a JavaScript string literal.
+     * Escapes special characters not filtered by other methods.
      *
-     * @param url the input string to escape
+     * @param uri the input string to escape
      * @return the escaped string
      */
-    private static String escapeForJavaScriptUrl(String url) {
-        final StringBuilder escaped = new StringBuilder(url.length());
+    private static String escapeJavaScriptUri(String uri) {
+        final StringBuilder escaped = new StringBuilder();
+
+        for (int i = 0; i < uri.length(); i++) {
+            final char c = uri.charAt(i);
 
-        for (char c : url.toCharArray()) {
             switch (c) {
                 case '\\':
                     escaped.append("\\\\");
                     break;
                 case '\'':
                     escaped.append("\\'");
                     break;
-                case '"':
-                    escaped.append("\\\"");
+                case '&':
+                    escaped.append("\\u0026");
                     break;
-                case ';':
-                case '\n':
-                case '\r':
+                case '=':
+                    escaped.append("\\u003D");
+                    break;
+                case '/':
+                    escaped.append("\\/");
                     break;
                 default:
-                    escaped.append(c);
+                    if (c > 126) {
+                        escaped.append(String.format("\\u%04X", (int) c));
+                    } else {
+                        escaped.append(c);
+                    }
+                    break;
             }
         }
 
         return escaped.toString();
     }
 
-    /**
-     * Validates that the given color is a non-null, non-empty, character hex color string.
-     *
-     * @param color the color string to validate
-     * @param key the name used in error messages
-     */
-    private static void validateHexColor(String color, String key) {
-        requireNonNull(color, key);
-        checkArgument(!color.trim().isEmpty(), "%s is empty.", key);
-        checkArgument(color.length() <= MAX_COLOR_LENGTH,
-                      "%s length exceeds %s.", key, MAX_COLOR_LENGTH);
-        checkArgument(Pattern.matches(HEX_COLOR_PATTERN, color),
-                      "%s not in hex format: %s.", key, color);
-    }
-
-    /**
-     * Builds a JavaScript snippet that sets the background color of a DOM element.
-     *
-     * @param color the background color in hex format
-     * @param targetAttr the value of the target attribute to match
-     * @return a JavaScript string that applies the background color to the element
-     */
-    private static String buildStyleScript(String color, String targetAttr) {
-        return "{\n" +
-               "  const element = document.querySelector('[" + SAFE_DOM_HOOK + "=\"" + targetAttr + "\"]');\n" +
-               "  if (element) {\n" +
-               "    element.style.backgroundColor = '" + color + "';\n" +
-               "  }\n}\n";
-    }
-
     /**
      * Builds a JavaScript snippet that sets the new favicon.
      *
-     * @param url the url string to set
+     * @param uri the uri string to set
      * @return a JavaScript string that applies the favicon change
      */
-    private static String buildFaviconScript(String url) {
+    private static String buildFaviconScript(String uri) {
         return "{\n" +
                "  let link = document.querySelector('link[rel~=\"icon\"]');\n" +
                "  if (link) {\n" +
@@ -177,7 +208,7 @@ private static String buildFaviconScript(String url) {
                "  link = document.createElement('link');\n" +
                "  link.rel = 'icon';\n" +
                "  link.type = 'image/x-icon';\n" +
-               "  link.href = '" + url + "';\n" +
+               "  link.href = '" + uri + "';\n" +
                "  document.head.appendChild(link);\n" +
                "}\n";
     }