Class XSSRequestWrapper

java.lang.Object
javax.servlet.ServletRequestWrapper
javax.servlet.http.HttpServletRequestWrapper
de.hybris.platform.servicelayer.web.XSSRequestWrapper
All Implemented Interfaces:
javax.servlet.http.HttpServletRequest, javax.servlet.ServletRequest

public class XSSRequestWrapper extends javax.servlet.http.HttpServletRequestWrapper
HttpServletRequestWrapper that sanitizes request inputs to mitigate the risk of XSS scripts being passed through. This code is based on free and non-restricted code found at: http://ricardozuasti.com/2012/stronger-anti-cross-site-scripting-xss-filter-for-java-web-apps/

Some notes on performance: to avoid re-scanning parameter and header values, sanitized results are cached as soon as a single call to getParameterMap() or getHeaders(String) has occurred. Also note that the wrapper avoids creating new string arrays or enumerations when no pattern matches.
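As an added illustration of the lazy, caching design described above (example code written here, not the Hybris class; XSSFilter.XSSValueTranslator is not used because its signature is not shown on this page), the hypothetical wrapper below translates parameter values on first read, caches the result, and hands back the original String[] untouched when no pattern matched:

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

// Hypothetical wrapper following the lazy, caching design described above; not the Hybris class.
public class LazySanitizingRequestWrapper extends HttpServletRequestWrapper {
    // Constructed demo patterns: script tags and inline event-handler attributes.
    private static final Pattern[] PATTERNS = {
        Pattern.compile("<script(.*?)>", Pattern.CASE_INSENSITIVE | Pattern.DOTALL),
        Pattern.compile("</script>", Pattern.CASE_INSENSITIVE),
        Pattern.compile("\\bon\\w+\\s*=", Pattern.CASE_INSENSITIVE),
    };
    private Map<String, String[]> sanitizedParams; // null until the first read access

    public LazySanitizingRequestWrapper(HttpServletRequest request) { super(request); }

    static String sanitize(String value) {
        if (value == null) return null;
        String out = value;
        for (Pattern p : PATTERNS) out = p.matcher(out).replaceAll("");
        return out;
    }

    // Translates all parameters once and caches them; reuses the original array when nothing matched.
    private synchronized void ensureParametersTranslated() {
        if (sanitizedParams != null) return;
        Map<String, String[]> result = new HashMap<>();
        for (Map.Entry<String, String[]> e : super.getParameterMap().entrySet()) {
            String[] original = e.getValue();
            String[] cleaned = null; // allocated only when a value actually changes
            for (int i = 0; i < original.length; i++) {
                String s = sanitize(original[i]);
                if (!Objects.equals(s, original[i])) {
                    if (cleaned == null) cleaned = original.clone();
                    cleaned[i] = s;
                }
            }
            result.put(e.getKey(), cleaned == null ? original : cleaned);
        }
        sanitizedParams = Collections.unmodifiableMap(result);
    }

    @Override public Map<String, String[]> getParameterMap() { ensureParametersTranslated(); return sanitizedParams; }
    @Override public String[] getParameterValues(String name) { return getParameterMap().get(name); }
    @Override public String getParameter(String name) {
        String[] v = getParameterValues(name);
        return (v == null || v.length == 0) ? null : v[0];
    }
}
```

Install it from a javax.servlet.Filter with chain.doFilter(new LazySanitizingRequestWrapper(request), response); regex stripping at the request boundary is a defense-in-depth layer, and contextual output encoding remains the primary XSS control.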
  • Field Summary

    Fields inherited from interface javax.servlet.http.HttpServletRequest

    BASIC_AUTH, CLIENT_CERT_AUTH, DIGEST_AUTH, FORM_AUTH
  • Constructor Summary

    Constructors
    Constructor
    Description
    XSSRequestWrapper(javax.servlet.http.HttpServletRequest servletRequest, XSSFilter.XSSValueTranslator translator)
    Constructor for creating a lazy-translating request wrapper.
    XSSRequestWrapper(javax.servlet.http.HttpServletRequest servletRequest, Map<String,String[]> strippedHeadersMap, Map<String,String[]> strippedParametersMap)
    Constructor for creating a request wrapper using already processed parameter and header values.
  • Method Summary

    Modifier and Type    Method
    protected void       ensureHeadersTranslated()
    protected void       ensureParametersTranslated()
    String               getHeader(String name)
    Enumeration          getHeaders(String name)
    String               getParameter(String parameter)
    Map                  getParameterMap()
    String[]             getParameterValues(String parameter)
    protected boolean    headersAlreadyTranslated()
    protected boolean    headersAreClean()
    protected boolean    parametersAreClean()

    Methods inherited from class javax.servlet.http.HttpServletRequestWrapper

    authenticate, changeSessionId, getAuthType, getContextPath, getCookies, getDateHeader, getHeaderNames, getIntHeader, getMethod, getPart, getParts, getPathInfo, getPathTranslated, getQueryString, getRemoteUser, getRequestedSessionId, getRequestURI, getRequestURL, getServletPath, getSession, getSession, getUserPrincipal, isRequestedSessionIdFromCookie, isRequestedSessionIdFromUrl, isRequestedSessionIdFromURL, isRequestedSessionIdValid, isUserInRole, login, logout, upgrade

    Methods inherited from class javax.servlet.ServletRequestWrapper

    getAsyncContext, getAttribute, getAttributeNames, getCharacterEncoding, getContentLength, getContentLengthLong, getContentType, getDispatcherType, getInputStream, getLocalAddr, getLocale, getLocales, getLocalName, getLocalPort, getParameterNames, getProtocol, getReader, getRealPath, getRemoteAddr, getRemoteHost, getRemotePort, getRequest, getRequestDispatcher, getScheme, getServerName, getServerPort, getServletContext, isAsyncStarted, isAsyncSupported, isSecure, isWrapperFor, isWrapperFor, removeAttribute, setAttribute, setCharacterEncoding, setRequest, startAsync, startAsync

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

    Methods inherited from interface javax.servlet.ServletRequest

    getAsyncContext, getAttribute, getAttributeNames, getCharacterEncoding, getContentLength, getContentLengthLong, getContentType, getDispatcherType, getInputStream, getLocalAddr, getLocale, getLocales, getLocalName, getLocalPort, getParameterNames, getProtocol, getReader, getRealPath, getRemoteAddr, getRemoteHost, getRemotePort, getRequestDispatcher, getScheme, getServerName, getServerPort, getServletContext, isAsyncStarted, isAsyncSupported, isSecure, removeAttribute, setAttribute, setCharacterEncoding, startAsync, startAsync
  • Constructor Details

    • XSSRequestWrapper

      public XSSRequestWrapper(javax.servlet.http.HttpServletRequest servletRequest, XSSFilter.XSSValueTranslator translator)
      Constructor for creating a lazy-translating request wrapper. Note that parameter or header values are stripped on first read access.
    • XSSRequestWrapper

      public XSSRequestWrapper(javax.servlet.http.HttpServletRequest servletRequest, Map<String,String[]> strippedHeadersMap, Map<String,String[]> strippedParametersMap)
      Constructor for creating a request wrapper using already processed parameter and header values.
  • Method Details

    • getParameterValues

      public String[] getParameterValues(String parameter)
      Specified by:
      getParameterValues in interface javax.servlet.ServletRequest
      Overrides:
      getParameterValues in class javax.servlet.ServletRequestWrapper
    • getParameter

      public String getParameter(String parameter)
      Specified by:
      getParameter in interface javax.servlet.ServletRequest
      Overrides:
      getParameter in class javax.servlet.ServletRequestWrapper
    • getParameterMap

      public Map getParameterMap()
      Specified by:
      getParameterMap in interface javax.servlet.ServletRequest
      Overrides:
      getParameterMap in class javax.servlet.ServletRequestWrapper
    • parametersAreClean

      protected boolean parametersAreClean()
    • ensureParametersTranslated

      protected void ensureParametersTranslated()
    • getHeader

      public String getHeader(String name)
      Specified by:
      getHeader in interface javax.servlet.http.HttpServletRequest
      Overrides:
      getHeader in class javax.servlet.http.HttpServletRequestWrapper
    • getHeaders

      public Enumeration getHeaders(String name)
      Specified by:
      getHeaders in interface javax.servlet.http.HttpServletRequest
      Overrides:
      getHeaders in class javax.servlet.http.HttpServletRequestWrapper
    • ensureHeadersTranslated

      protected void ensureHeadersTranslated()
    • headersAlreadyTranslated

      protected boolean headersAlreadyTranslated()
    • headersAreClean

      protected boolean headersAreClean()