Class XSSRequestWrapper
- java.lang.Object
  - javax.servlet.ServletRequestWrapper
    - javax.servlet.http.HttpServletRequestWrapper
      - de.hybris.platform.servicelayer.web.XSSRequestWrapper
- All Implemented Interfaces:
  javax.servlet.http.HttpServletRequest, javax.servlet.ServletRequest
public class XSSRequestWrapper extends javax.servlet.http.HttpServletRequestWrapper

HttpServletRequestWrapper that sanitizes request inputs to mitigate the risk of XSS scripts being passed through. This code is based on free and non-restricted code found at: http://ricardozuasti.com/2012/stronger-anti-cross-site-scripting-xss-filter-for-java-web-apps/

Some notes on performance: in order to avoid re-scanning parameter and header values, we cache the sanitized results as soon as a single call to getParameterMap() or getHeaders(String) has occurred. Also note that we avoid creating new string arrays or enumerations when no pattern matches.
-
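The lazy-translating and caching behaviour described above, written out as an added example. This is not Hybris code and does not use XSSFilter.XSSValueTranslator, whose signature is not shown on this page; it assumes a hypothetical translator of type java.util.function.UnaryOperator<String> that returns the same String instance when nothing needed stripping, which is what lets the wrapper skip copying arrays on the clean path. The stripScriptTags translator at the bottom is a constructed placeholder, not the project's pattern set.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.function.UnaryOperator;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

// Added example (not Hybris code): a lazily-sanitizing request wrapper.
// Values are translated on first read access and the result is cached,
// so each parameter/header value is scanned at most once per request.
public class LazySanitizingRequestWrapper extends HttpServletRequestWrapper {
    // Hypothetical translator contract: returns the sanitized value, or the
    // *same instance* when the value was already clean.
    private final UnaryOperator<String> translator;
    private Map<String, String[]> parameterCache; // null until first access
    private Map<String, String[]> headerCache;    // keyed by lower-cased name

    public LazySanitizingRequestWrapper(HttpServletRequest request, UnaryOperator<String> translator) {
        super(request);
        this.translator = translator;
    }

    // Translate an array; return the original array when no value changed,
    // so the common clean path allocates nothing.
    private String[] translateAll(String[] values) {
        if (values == null) return null;
        String[] out = null;
        for (int i = 0; i < values.length; i++) {
            String v = values[i];
            String t = (v == null) ? null : translator.apply(v);
            if (t != v) {                       // identity check on purpose (see contract above)
                if (out == null) out = values.clone();
                out[i] = t;
            }
        }
        return (out == null) ? values : out;
    }

    protected void ensureParametersTranslated() {
        if (parameterCache != null) return;
        Map<String, String[]> translated = new LinkedHashMap<>();
        for (Map.Entry<String, String[]> e : super.getParameterMap().entrySet()) {
            translated.put(e.getKey(), translateAll(e.getValue()));
        }
        parameterCache = Collections.unmodifiableMap(translated);
    }

    @Override public Map<String, String[]> getParameterMap() { ensureParametersTranslated(); return parameterCache; }
    @Override public String[] getParameterValues(String name) { ensureParametersTranslated(); return parameterCache.get(name); }
    @Override public String getParameter(String name) {
        String[] v = getParameterValues(name);
        return (v == null || v.length == 0) ? null : v[0];
    }

    protected void ensureHeadersTranslated() {
        if (headerCache != null) return;
        Map<String, String[]> translated = new HashMap<>();
        Enumeration<String> names = super.getHeaderNames(); // may be null in some containers
        while (names != null && names.hasMoreElements()) {
            String name = names.nextElement();
            String[] values = Collections.list(super.getHeaders(name)).toArray(new String[0]);
            translated.put(name.toLowerCase(Locale.ROOT), translateAll(values));
        }
        headerCache = translated;
    }

    @Override public Enumeration<String> getHeaders(String name) {
        ensureHeadersTranslated();
        String[] v = headerCache.get(name.toLowerCase(Locale.ROOT));
        return (v == null) ? Collections.emptyEnumeration() : Collections.enumeration(Arrays.asList(v));
    }
    @Override public String getHeader(String name) {
        ensureHeadersTranslated();
        String[] v = headerCache.get(name.toLowerCase(Locale.ROOT));
        return (v == null || v.length == 0) ? null : v[0];
    }

    // Constructed placeholder translator: removes <script>...</script> blocks and
    // honours the "same instance when clean" contract so the wrapper can skip copying.
    private static final Pattern SCRIPT = Pattern.compile("(?is)<script[^>]*>.*?</script>");
    public static String stripScriptTags(String value) {
        Matcher m = SCRIPT.matcher(value);
        return m.find() ? m.replaceAll("") : value;
    }
    // Usage: chain.doFilter(new LazySanitizingRequestWrapper(req, LazySanitizingRequestWrapper::stripScriptTags), resp);
}
```

Two design points worth checking in any wrapper of this kind: header names are case-insensitive, so the cache must be keyed consistently (lower-cased here), and the cache must be per request instance, never shared, or one request's sanitized values can leak into another. A stripping filter like this is a defence-in-depth layer; contextual output encoding in the view remains the primary XSS control.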
Constructor Summary
- XSSRequestWrapper(javax.servlet.http.HttpServletRequest servletRequest, XSSFilter.XSSValueTranslator translator)
  Constructor for creating a lazy-translating request wrapper.
- XSSRequestWrapper(javax.servlet.http.HttpServletRequest servletRequest, java.util.Map<java.lang.String,java.lang.String[]> strippedHeadersMap, java.util.Map<java.lang.String,java.lang.String[]> strippedParametersMap)
  Constructor for creating a request wrapper using already processed parameter and header values.
-
Method Summary
- protected void ensureHeadersTranslated()
- protected void ensureParametersTranslated()
- java.lang.String getHeader(java.lang.String name)
- java.util.Enumeration getHeaders(java.lang.String name)
- java.lang.String getParameter(java.lang.String parameter)
- java.util.Map getParameterMap()
- java.lang.String[] getParameterValues(java.lang.String parameter)
- protected boolean headersAlreadyTranslated()
- protected boolean headersAreClean()
- protected boolean parametersAreClean()
-
Methods inherited from class javax.servlet.http.HttpServletRequestWrapper
authenticate, changeSessionId, getAuthType, getContextPath, getCookies, getDateHeader, getHeaderNames, getIntHeader, getMethod, getPart, getParts, getPathInfo, getPathTranslated, getQueryString, getRemoteUser, getRequestedSessionId, getRequestURI, getRequestURL, getServletPath, getSession, getSession, getUserPrincipal, isRequestedSessionIdFromCookie, isRequestedSessionIdFromUrl, isRequestedSessionIdFromURL, isRequestedSessionIdValid, isUserInRole, login, logout, upgrade
-
Methods inherited from class javax.servlet.ServletRequestWrapper
getAsyncContext, getAttribute, getAttributeNames, getCharacterEncoding, getContentLength, getContentLengthLong, getContentType, getDispatcherType, getInputStream, getLocalAddr, getLocale, getLocales, getLocalName, getLocalPort, getParameterNames, getProtocol, getReader, getRealPath, getRemoteAddr, getRemoteHost, getRemotePort, getRequest, getRequestDispatcher, getScheme, getServerName, getServerPort, getServletContext, isAsyncStarted, isAsyncSupported, isSecure, isWrapperFor, isWrapperFor, removeAttribute, setAttribute, setCharacterEncoding, setRequest, startAsync, startAsync
-
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
-
Methods inherited from interface javax.servlet.ServletRequest
getAsyncContext, getAttribute, getAttributeNames, getCharacterEncoding, getContentLength, getContentLengthLong, getContentType, getDispatcherType, getInputStream, getLocalAddr, getLocale, getLocales, getLocalName, getLocalPort, getParameterNames, getProtocol, getReader, getRealPath, getRemoteAddr, getRemoteHost, getRemotePort, getRequestDispatcher, getScheme, getServerName, getServerPort, getServletContext, isAsyncStarted, isAsyncSupported, isSecure, removeAttribute, setAttribute, setCharacterEncoding, startAsync, startAsync
-
Constructor Detail
-
XSSRequestWrapper
public XSSRequestWrapper(javax.servlet.http.HttpServletRequest servletRequest, XSSFilter.XSSValueTranslator translator)
Constructor for creating a lazy-translating request wrapper. Note that parameter or header values are stripped on first read access.
-
XSSRequestWrapper
public XSSRequestWrapper(javax.servlet.http.HttpServletRequest servletRequest, java.util.Map<java.lang.String,java.lang.String[]> strippedHeadersMap, java.util.Map<java.lang.String,java.lang.String[]> strippedParametersMap)
Constructor for creating a request wrapper using already processed parameter and header values.
-
-
Method Detail
-
getParameterValues
public java.lang.String[] getParameterValues(java.lang.String parameter)
- Specified by: getParameterValues in interface javax.servlet.ServletRequest
- Overrides: getParameterValues in class javax.servlet.ServletRequestWrapper
-
getParameter
public java.lang.String getParameter(java.lang.String parameter)
- Specified by: getParameter in interface javax.servlet.ServletRequest
- Overrides: getParameter in class javax.servlet.ServletRequestWrapper
-
getParameterMap
public java.util.Map getParameterMap()
- Specified by: getParameterMap in interface javax.servlet.ServletRequest
- Overrides: getParameterMap in class javax.servlet.ServletRequestWrapper
-
parametersAreClean
protected boolean parametersAreClean()
-
ensureParametersTranslated
protected void ensureParametersTranslated()
-
getHeader
public java.lang.String getHeader(java.lang.String name)
- Specified by: getHeader in interface javax.servlet.http.HttpServletRequest
- Overrides: getHeader in class javax.servlet.http.HttpServletRequestWrapper
-
getHeaders
public java.util.Enumeration getHeaders(java.lang.String name)
- Specified by: getHeaders in interface javax.servlet.http.HttpServletRequest
- Overrides: getHeaders in class javax.servlet.http.HttpServletRequestWrapper
-
ensureHeadersTranslated
protected void ensureHeadersTranslated()
-
headersAlreadyTranslated
protected boolean headersAlreadyTranslated()
-
headersAreClean
protected boolean headersAreClean()
-