Class XSSRequestWrapper
java.lang.Object
javax.servlet.ServletRequestWrapper
javax.servlet.http.HttpServletRequestWrapper
de.hybris.platform.servicelayer.web.XSSRequestWrapper
All Implemented Interfaces:
javax.servlet.http.HttpServletRequest, javax.servlet.ServletRequest
public class XSSRequestWrapper
extends javax.servlet.http.HttpServletRequestWrapper
HttpServletRequestWrapper that sanitizes request inputs to mitigate the risk of XSS scripts being passed through. This code is based on free and non-restricted code found at:
http://ricardozuasti.com/2012/stronger-anti-cross-site-scripting-xss-filter-for-java-web-apps/
Some notes on performance: to avoid re-scanning parameter and header values, sanitized results are cached as soon as a single call to getParameterMap() or getHeaders(String) has occurred. Also note that the wrapper avoids creating new string arrays or enumerations when no pattern matches.
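The following is an added illustration of the lazy-translating and caching behaviour described above; it is not the Hybris source, and it assumes a translator interface of the shape String translate(String) that returns its input unchanged when nothing matched.

```java
// Added illustration of the lazy-sanitizing wrapper described above (not the Hybris code).
// Assumption: the translator returns the value unchanged when no pattern matched.
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
public class LazySanitizingRequestWrapper extends HttpServletRequestWrapper {
    public interface ValueTranslator { String translate(String value); } // assumed shape
    private final ValueTranslator translator;
    private Map<String, String[]> cleanParameters; // null until getParameterMap() runs
    public LazySanitizingRequestWrapper(HttpServletRequest request, ValueTranslator translator) {
        super(request);
        this.translator = translator;
    }
    /** Sanitizes one value array; returns the original array when no value changed. */
    private String[] translateAll(String[] values) {
        if (values == null) return null;
        String[] result = null; // allocated only on the first real change
        for (int i = 0; i < values.length; i++) {
            String clean = translator.translate(values[i]);
            if (!clean.equals(values[i])) {
                if (result == null) result = values.clone();
                result[i] = clean;
            }
        }
        return result == null ? values : result;
    }
    @Override
    public String[] getParameterValues(String name) {
        if (cleanParameters != null) return cleanParameters.get(name); // cache hit
        return translateAll(super.getParameterValues(name)); // lazy: scan on first read
    }
    @Override
    public String getParameter(String name) {
        // Must be overridden: the wrapper's default delegates to the raw request, not to
        // this.getParameterValues(), so the unsanitized value would leak otherwise.
        String[] values = getParameterValues(name);
        return (values == null || values.length == 0) ? null : values[0];
    }
    @Override
    public Map<String, String[]> getParameterMap() {
        if (cleanParameters == null) { // one full scan, then serve every later read from cache
            Map<String, String[]> clean = new LinkedHashMap<>();
            for (Map.Entry<String, String[]> e : super.getParameterMap().entrySet())
                clean.put(e.getKey(), translateAll(e.getValue()));
            cleanParameters = Collections.unmodifiableMap(clean);
        }
        return cleanParameters;
    }
}
```

Headers would follow the same pattern with a second cache filled by getHeaders(String); the identity shortcut in translateAll is what keeps the no-match path allocation-free.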
Field Summary
Fields inherited from interface javax.servlet.http.HttpServletRequest
BASIC_AUTH, CLIENT_CERT_AUTH, DIGEST_AUTH, FORM_AUTH
Constructor Summary
Constructors:
XSSRequestWrapper(javax.servlet.http.HttpServletRequest servletRequest, XSSFilter.XSSValueTranslator translator)
    Constructor for creating a lazy-translating request wrapper.
XSSRequestWrapper(javax.servlet.http.HttpServletRequest servletRequest, Map<String, String[]> strippedHeadersMap, Map<String, String[]> strippedParametersMap)
    Constructor for creating a request wrapper using already processed parameter and header values.
Method Summary
Modifier and TypeMethodDescriptionprotected voidprotected voidgetHeaders(String name) getParameter(String parameter) String[]getParameterValues(String parameter) protected booleanprotected booleanprotected booleanMethods inherited from class javax.servlet.http.HttpServletRequestWrapper
authenticate, changeSessionId, getAuthType, getContextPath, getCookies, getDateHeader, getHeaderNames, getIntHeader, getMethod, getPart, getParts, getPathInfo, getPathTranslated, getQueryString, getRemoteUser, getRequestedSessionId, getRequestURI, getRequestURL, getServletPath, getSession, getSession, getUserPrincipal, isRequestedSessionIdFromCookie, isRequestedSessionIdFromUrl, isRequestedSessionIdFromURL, isRequestedSessionIdValid, isUserInRole, login, logout, upgradeMethods inherited from class javax.servlet.ServletRequestWrapper
getAsyncContext, getAttribute, getAttributeNames, getCharacterEncoding, getContentLength, getContentLengthLong, getContentType, getDispatcherType, getInputStream, getLocalAddr, getLocale, getLocales, getLocalName, getLocalPort, getParameterNames, getProtocol, getReader, getRealPath, getRemoteAddr, getRemoteHost, getRemotePort, getRequest, getRequestDispatcher, getScheme, getServerName, getServerPort, getServletContext, isAsyncStarted, isAsyncSupported, isSecure, isWrapperFor, isWrapperFor, removeAttribute, setAttribute, setCharacterEncoding, setRequest, startAsync, startAsyncMethods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, waitMethods inherited from interface javax.servlet.ServletRequest
getAsyncContext, getAttribute, getAttributeNames, getCharacterEncoding, getContentLength, getContentLengthLong, getContentType, getDispatcherType, getInputStream, getLocalAddr, getLocale, getLocales, getLocalName, getLocalPort, getParameterNames, getProtocol, getReader, getRealPath, getRemoteAddr, getRemoteHost, getRemotePort, getRequestDispatcher, getScheme, getServerName, getServerPort, getServletContext, isAsyncStarted, isAsyncSupported, isSecure, removeAttribute, setAttribute, setCharacterEncoding, startAsync, startAsync
Constructor Details

XSSRequestWrapper
public XSSRequestWrapper(javax.servlet.http.HttpServletRequest servletRequest, XSSFilter.XSSValueTranslator translator)
Constructor for creating a lazy-translating request wrapper. Note that parameter and header values are stripped on first read access.

XSSRequestWrapper
public XSSRequestWrapper(javax.servlet.http.HttpServletRequest servletRequest, Map<String, String[]> strippedHeadersMap, Map<String, String[]> strippedParametersMap)
Constructor for creating a request wrapper using already processed parameter and header values.
Method Details

getParameterValues
Specified by: getParameterValues in interface javax.servlet.ServletRequest
Overrides: getParameterValues in class javax.servlet.ServletRequestWrapper

getParameter
Specified by: getParameter in interface javax.servlet.ServletRequest
Overrides: getParameter in class javax.servlet.ServletRequestWrapper

getParameterMap
Specified by: getParameterMap in interface javax.servlet.ServletRequest
Overrides: getParameterMap in class javax.servlet.ServletRequestWrapper

parametersAreClean
protected boolean parametersAreClean()

ensureParametersTranslated
protected void ensureParametersTranslated()

getHeader
Specified by: getHeader in interface javax.servlet.http.HttpServletRequest
Overrides: getHeader in class javax.servlet.http.HttpServletRequestWrapper

getHeaders
Specified by: getHeaders in interface javax.servlet.http.HttpServletRequest
Overrides: getHeaders in class javax.servlet.http.HttpServletRequestWrapper

ensureHeadersTranslated
protected void ensureHeadersTranslated()

headersAlreadyTranslated
protected boolean headersAlreadyTranslated()

headersAreClean
protected boolean headersAreClean()