Class XSSFilter
java.lang.Object
  de.hybris.platform.servicelayer.web.XSSFilter
- All Implemented Interfaces:
  javax.servlet.Filter
Filter that wraps each request in an XSSRequestWrapper to sanitize its inputs against XSS.
It uses an HttpServletRequestWrapper that sanitizes request inputs (parameter and header values) to reduce the risk of XSS scripts being passed through to the application. This code is based on free and unrestricted code found at:
http://ricardozuasti.com/2012/stronger-anti-cross-site-scripting-xss-filter-for-java-web-apps/
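The wrapping approach the description refers to, as an added illustration that is not hybris code: a hypothetical minimal filter that compiles a constructed rule map once at init and hands the chain an HttpServletRequestWrapper whose parameter and header accessors strip any matching fragment. The class and method names (MinimalXssFilter, SanitizingWrapper, sanitize) and the three sample rules are assumptions, not the XSSRequestWrapper implementation.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

// Hypothetical stand-in for the hybris filter: constructed rules instead of platform properties; matches are stripped, not rejected.
public class MinimalXssFilter implements Filter {
    // Constructed sample rules; each value is a regular expression applied to every input value.
    private static final Map<String, String> RULES = Map.of(
        "script-tag", "(?i)<script[^>]*>.*?</script>",
        "event-handler", "(?i)\\son\\w+\\s*=",
        "javascript-uri", "(?i)javascript\\s*:");
    private List<Pattern> patterns;
    @Override public void init(FilterConfig cfg) { patterns = compilePatterns(RULES); }
    @Override public void destroy() { }

    // Compile each rule once at startup; DOTALL lets a rule span newlines inside a value.
    static List<Pattern> compilePatterns(Map<String, String> rules) {
        List<Pattern> out = new ArrayList<>();
        for (String regex : rules.values()) out.add(Pattern.compile(regex, Pattern.DOTALL));
        return out;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Only HTTP requests are wrapped; everything downstream then reads the sanitised view.
        ServletRequest wrapped = (req instanceof HttpServletRequest)
            ? new SanitizingWrapper((HttpServletRequest) req, patterns) : req;
        chain.doFilter(wrapped, res);
    }
    // Apply every pattern in turn; null stays null so absent parameters behave as before.
    static String sanitize(String value, List<Pattern> patterns) {
        if (value == null) return null;
        String out = value;
        for (Pattern p : patterns) out = p.matcher(out).replaceAll("");
        return out;
    }
    // Overrides only the accessors that hand values to application code (a full version would also cover getParameterValues/getParameterMap).
    static final class SanitizingWrapper extends HttpServletRequestWrapper {
        private final List<Pattern> patterns;
        SanitizingWrapper(HttpServletRequest r, List<Pattern> p) { super(r); this.patterns = p; }
        @Override public String getParameter(String n) { return sanitize(super.getParameter(n), patterns); }
        @Override public String getHeader(String n) { return sanitize(super.getHeader(n), patterns); }
    }
}
```

Stripping is a defense-in-depth layer only: contextual output encoding in the view remains the primary XSS control, and a rejecting action (the route the filter's setRejectResponseCodes method exists for) is easier to log and monitor than silent modification of input.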
Nested Class Summary
- static interface: Interface to inject configuration parameters into XSSFilter without exposing the actual implementation of how these parameters are obtained.
- static interface: Interface to encapsulate the actual processing of parameter and header values.
Field Summary
(see Field Details below)
Constructor Summary
(see Constructor Details below)
Method Summary
- compilePatterns(Map<String, String> rules)
- void destroy()
- void doFilter(javax.servlet.ServletRequest servletRequest, javax.servlet.ServletResponse servletResponse, javax.servlet.FilterChain filterChain)
- protected String getSetupInfo
- void init(javax.servlet.FilterConfig filterConfig)
- protected void initFromConfig
- protected void initPatternsAndHeaders(boolean enabled, Map<String, String> patternDefinitions, Map<String, String> headers)
- protected void processPatternsAndDoFilter(javax.servlet.ServletRequest servletRequest, javax.servlet.ServletResponse servletResponse, javax.servlet.FilterChain filterChain)
- void reloadOnConfigChange()
- protected void setRejectResponseCodes(javax.servlet.http.HttpServletResponse httpResponse)
Field Details
- LOG
  protected static org.apache.log4j.Logger LOG
- CONFIG_PARAM_PREFIX
- CONFIG_RULE_PREFIX_REGEXP
- CONFIG_HEADER_PREFIX_REGEXP
- CONFIG_HEADER_PREFIX
- CONFIG_ENABLED
- CONFIG_SORT
- CONFIG_ACTION
- HOST_HEADER_WHITE_LIST_PREFIX
- REJECTED_REQUEST_RESP_CONTENT
Constructor Details
- XSSFilter
  public XSSFilter()
Method Details
- init
  public void init(javax.servlet.FilterConfig filterConfig) throws javax.servlet.ServletException
  Specified by: init in interface javax.servlet.Filter
  Throws: javax.servlet.ServletException
- initFromConfig
- initPatternsAndHeaders
  protected void initPatternsAndHeaders(boolean enabled, Map<String, String> patternDefinitions, Map<String, String> headers)
- reloadOnConfigChange
  public void reloadOnConfigChange()
- compilePatterns
  compilePatterns(Map<String, String> rules)
- getSetupInfo
- doFilter
  public void doFilter(javax.servlet.ServletRequest servletRequest, javax.servlet.ServletResponse servletResponse, javax.servlet.FilterChain filterChain) throws IOException, javax.servlet.ServletException
  Specified by: doFilter in interface javax.servlet.Filter
  Throws: IOException, javax.servlet.ServletException
- processPatternsAndDoFilter
  protected void processPatternsAndDoFilter(javax.servlet.ServletRequest servletRequest, javax.servlet.ServletResponse servletResponse, javax.servlet.FilterChain filterChain) throws IOException, javax.servlet.ServletException
  Throws: IOException, javax.servlet.ServletException
- setRejectResponseCodes
  protected void setRejectResponseCodes(javax.servlet.http.HttpServletResponse httpResponse) throws IOException
  Throws: IOException
- destroy
  public void destroy()
  Specified by: destroy in interface javax.servlet.Filter