Class XSSRequestWrapper

  • All Implemented Interfaces:
    javax.servlet.http.HttpServletRequest, javax.servlet.ServletRequest

    public class XSSRequestWrapper
    extends javax.servlet.http.HttpServletRequestWrapper
A wrapper class (extending HttpServletRequestWrapper) that applies XSS validation or sanitization to the request parameters (names and values) and XSS validation to the submitted request body before handing them to the application.
    Author:
    Jon Fleschler (jfleschler)
    • Nested Class Summary

      Nested Classes
      Modifier and Type    Class    Description
      static class    XSSRequestWrapper.ProcessedRequestParameterMapInitializer
        This mechanism allows for thread-safe, lazy, one-time processing of all request parameters and their values, rather than repeating that work inside each parameter-related method.
    • Field Summary

      • Fields inherited from interface javax.servlet.http.HttpServletRequest

        BASIC_AUTH, CLIENT_CERT_AUTH, DIGEST_AUTH, FORM_AUTH
    • Method Summary

      Modifier and Type    Method    Description
      javax.servlet.ServletInputStream    getInputStream()
        Responsible for processing the submitted data and performing any XSS validation before returning the stream in a new ServletInputStream.
      String    getParameter(String name)
        Adapted from org.apache.catalina.core.ApplicationHttpRequest#getParameter(java.lang.String).
      Map<String,String[]>    getParameterMap()
      Enumeration<String>    getParameterNames()
        Adapted from org.apache.catalina.core.ApplicationHttpRequest#getParameterNames().
      String[]    getParameterValues(String name)
        Adapted from org.apache.catalina.core.ApplicationHttpRequest#getParameterValues(java.lang.String).
      protected Map<String,String[]>    getProcessedRequestParameterMap()
      protected XSSConfigurationProperties    getProperties()
      protected XSSRequestService    getRequestService()
      • Methods inherited from class javax.servlet.http.HttpServletRequestWrapper

        authenticate, changeSessionId, getAuthType, getContextPath, getCookies, getDateHeader, getHeader, getHeaderNames, getHeaders, getHttpServletMapping, getIntHeader, getMethod, getPart, getParts, getPathInfo, getPathTranslated, getQueryString, getRemoteUser, getRequestedSessionId, getRequestURI, getRequestURL, getServletPath, getSession, getSession, getTrailerFields, getUserPrincipal, isRequestedSessionIdFromCookie, isRequestedSessionIdFromUrl, isRequestedSessionIdFromURL, isRequestedSessionIdValid, isTrailerFieldsReady, isUserInRole, login, logout, newPushBuilder, upgrade
      • Methods inherited from class javax.servlet.ServletRequestWrapper

        getAsyncContext, getAttribute, getAttributeNames, getCharacterEncoding, getContentLength, getContentLengthLong, getContentType, getDispatcherType, getLocalAddr, getLocale, getLocales, getLocalName, getLocalPort, getProtocol, getReader, getRealPath, getRemoteAddr, getRemoteHost, getRemotePort, getRequest, getRequestDispatcher, getScheme, getServerName, getServerPort, getServletContext, isAsyncStarted, isAsyncSupported, isSecure, isWrapperFor, isWrapperFor, removeAttribute, setAttribute, setCharacterEncoding, setRequest, startAsync, startAsync
      • Methods inherited from interface javax.servlet.ServletRequest

        getAsyncContext, getAttribute, getAttributeNames, getCharacterEncoding, getContentLength, getContentLengthLong, getContentType, getDispatcherType, getLocalAddr, getLocale, getLocales, getLocalName, getLocalPort, getProtocol, getReader, getRealPath, getRemoteAddr, getRemoteHost, getRemotePort, getRequestDispatcher, getScheme, getServerName, getServerPort, getServletContext, isAsyncStarted, isAsyncSupported, isSecure, removeAttribute, setAttribute, setCharacterEncoding, startAsync, startAsync
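    The method summary above describes two mechanisms: parameters are processed thread-safely, lazily and exactly once on the first parameter access, and getInputStream() validates the submitted body before returning a fresh stream. The following self-contained wrapper is an added illustration of both mechanisms and is not Broadleaf's XSSRequestWrapper or its XSSRequestService: the class name ExampleXssRequestWrapper, the XssViolationException type, the reject/sanitize flag and the deliberately small SUSPICIOUS pattern are all assumptions for the example (a real detector would use a full HTML sanitizer). It assumes only the javax.servlet API (3.1 or later) on the classpath.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.Collections;
import java.util.Enumeration;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;
import javax.servlet.ReadListener;
import javax.servlet.ServletInputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/** Illustrative wrapper (not the project's class): parameters are processed lazily, once, under a lock. */
public class ExampleXssRequestWrapper extends HttpServletRequestWrapper {

    /** Unchecked so it can escape getParameter(), whose interface signature declares no exceptions. */
    public static class XssViolationException extends RuntimeException {
        public XssViolationException(String msg) { super(msg); }
    }

    // Hypothetical, deliberately small detector for the example only.
    private static final Pattern SUSPICIOUS = Pattern.compile(
            "<\\s*/?\\s*script|javascript\\s*:|on[a-z]+\\s*=|<\\s*iframe", Pattern.CASE_INSENSITIVE);

    private final boolean rejectOnViolation;           // true = validate (throw), false = sanitize (escape)
    private volatile Map<String, String[]> processed;  // null until the first parameter access
    private byte[] body;                               // buffered so the body can be validated and re-read

    public ExampleXssRequestWrapper(HttpServletRequest request, boolean rejectOnViolation) {
        super(request);  // the superclass throws IllegalArgumentException if request is null
        this.rejectOnViolation = rejectOnViolation;
    }

    private static String process(String what, String value, boolean reject) {
        if (value == null || !SUSPICIOUS.matcher(value).find()) return value;
        if (reject) throw new XssViolationException("XSS violation in " + what);
        return value.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                    .replace("\"", "&quot;").replace("'", "&#x27;");
    }

    /** Thread-safe, lazy, one-time processing of every parameter name and value (double-checked locking). */
    protected Map<String, String[]> getProcessedRequestParameterMap() {
        Map<String, String[]> result = processed;
        if (result == null) {
            synchronized (this) {
                result = processed;
                if (result == null) {
                    Map<String, String[]> built = new LinkedHashMap<>();
                    for (Map.Entry<String, String[]> e : super.getParameterMap().entrySet()) {
                        String name = process("parameter name", e.getKey(), rejectOnViolation);
                        String[] values = e.getValue().clone();
                        for (int i = 0; i < values.length; i++) {
                            values[i] = process("value of parameter " + name, values[i], rejectOnViolation);
                        }
                        built.put(name, values);
                    }
                    result = Collections.unmodifiableMap(built);
                    processed = result;
                }
            }
        }
        return result;
    }

    @Override public Map<String, String[]> getParameterMap() { return getProcessedRequestParameterMap(); }
    @Override public Enumeration<String> getParameterNames() {
        return Collections.enumeration(getProcessedRequestParameterMap().keySet());
    }
    @Override public String[] getParameterValues(String name) {
        String[] v = getProcessedRequestParameterMap().get(name);
        return v == null ? null : v.clone();  // callers must not be able to mutate the cached copy
    }
    @Override public String getParameter(String name) {
        String[] v = getProcessedRequestParameterMap().get(name);
        return v == null || v.length == 0 ? null : v[0];
    }

    /** Buffers the body once, validates it (never rewrites it), and returns a fresh stream over the bytes. */
    @Override public ServletInputStream getInputStream() throws IOException {
        if (body == null) {
            body = readAll(super.getInputStream());
            process("request body", new String(body, StandardCharsets.UTF_8), true);
        }
        ByteArrayInputStream in = new ByteArrayInputStream(body);
        return new ServletInputStream() {
            @Override public int read() { return in.read(); }
            @Override public boolean isFinished() { return in.available() == 0; }
            @Override public boolean isReady() { return true; }
            @Override public void setReadListener(ReadListener l) { throw new UnsupportedOperationException(); }
        };
    }

    private static byte[] readAll(InputStream in) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buf = new byte[4096];
        for (int n; (n = in.read(buf)) != -1; ) out.write(buf, 0, n);
        return out.toByteArray();
    }
}
```

Two caveats apply to any wrapper of this shape. The underlying request parses form-encoded POST parameters from the same bytes that getInputStream() reads, so whichever of the two is called first wins; install the wrapper in a filter before anything downstream reads either. And because the processed map is built on first access and cached, a parameter that fails validation throws on every later access as well, which is the intended fail-closed behaviour.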
    • Constructor Detail

      • XSSRequestWrapper

        public XSSRequestWrapper(javax.servlet.http.HttpServletRequest request,
                                 XSSConfigurationProperties properties,
                                 XSSRequestService requestService)
        Constructs a request object wrapping the given request.
        Parameters:
        request - the HttpServletRequest to be wrapped.
        properties - the XSSConfigurationProperties exposed through getProperties().
        requestService - the XSSRequestService exposed through getRequestService().
        Throws:
        IllegalArgumentException - if the request is null
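        The wrapper is only effective if it is installed before any downstream code reads parameters or the body, and the exceptions listed under the parameter accessors and getInputStream() surface wherever that code runs, not at construction time. The filter below is an added example of that wiring and is not part of the project; it assumes that XSSConfigurationProperties and XSSRequestService are supplied by the application (constructor injection here) and that XSSRequestWrapper, XSSRequestParameterValidationException and the javax.servlet API are on the classpath (their packages are not shown on this page, so the corresponding imports are omitted). The filter name XssRequestWrapperFilter and the 400 response are choices for the example.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Example filter (not the project's): wraps every HTTP request and maps XSS rejections to HTTP 400. */
public class XssRequestWrapperFilter implements Filter {

    private final XSSConfigurationProperties properties;   // assumed to be injected by the application
    private final XSSRequestService requestService;        // assumed to be injected by the application

    public XssRequestWrapperFilter(XSSConfigurationProperties properties, XSSRequestService requestService) {
        this.properties = properties;
        this.requestService = requestService;
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (!(request instanceof HttpServletRequest)) {
            chain.doFilter(request, response);
            return;
        }
        // Wrap before anything downstream touches parameters or the body. Constructing the wrapper
        // parses nothing: parameters are processed on the first getParameter*/getParameterMap call.
        XSSRequestWrapper wrapped = new XSSRequestWrapper(
                (HttpServletRequest) request, properties, requestService);
        try {
            chain.doFilter(wrapped, response);
        } catch (XSSRequestParameterValidationException e) {
            // Raised by the parameter accessors when validation is enabled and a name or value has a violation.
            reject((HttpServletResponse) response, e);
        } catch (com.broadleafcommerce.common.error.validation.ValidationException e) {
            // Raised by getInputStream() when the submitted body fails XSS validation.
            reject((HttpServletResponse) response, e);
        }
    }

    private static void reject(HttpServletResponse response, Exception cause) throws IOException {
        if (!response.isCommitted()) {
            response.reset();
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Request rejected by XSS validation");
        }
        // Log cause.getMessage() together with the request path, not the offending value,
        // so that the payload itself does not land in log viewers.
    }
}
```

        If a framework servlet sits in the chain it may rethrow the rejection wrapped in a ServletException subclass (Spring MVC does this for unhandled runtime exceptions), in which case either unwrap with getCause() here or map the exception in the framework's own exception handler instead of the filter.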
    • Method Detail

      • getInputStream

        public javax.servlet.ServletInputStream getInputStream()
                                                        throws IOException
        Responsible for processing the submitted data and performing any XSS validation before returning the stream in a new ServletInputStream.
        Specified by:
        getInputStream in interface javax.servlet.ServletRequest
        Overrides:
        getInputStream in class javax.servlet.ServletRequestWrapper
        Returns:
        the ServletInputStream containing the processed data
        Throws:
        IOException - inherited from super class
        com.broadleafcommerce.common.error.validation.ValidationException - if any fields are determined to have XSS violations
      • getParameterNames

        public Enumeration<String> getParameterNames()
        Adapted from org.apache.catalina.core.ApplicationHttpRequest#getParameterNames().
        Specified by:
        getParameterNames in interface javax.servlet.ServletRequest
        Overrides:
        getParameterNames in class javax.servlet.ServletRequestWrapper
        Returns:
        all request parameter names after XSS validation or sanitization
        Throws:
        XSSRequestParameterValidationException - if validation is enabled and parameter names/values are determined to have XSS violations
      • getParameterMap

        public Map<String,String[]> getParameterMap()
        Specified by:
        getParameterMap in interface javax.servlet.ServletRequest
        Overrides:
        getParameterMap in class javax.servlet.ServletRequestWrapper
        Returns:
        all request parameters and values after XSS validation or sanitization
        Throws:
        XSSRequestParameterValidationException - if validation is enabled and parameter names/values are determined to have XSS violations
      • getParameter

        public String getParameter(String name)
        Adapted from org.apache.catalina.core.ApplicationHttpRequest#getParameter(java.lang.String).
        Specified by:
        getParameter in interface javax.servlet.ServletRequest
        Overrides:
        getParameter in class javax.servlet.ServletRequestWrapper
        Parameters:
        name - the name of the requested parameter
        Returns:
        the value of the request parameter as a String after XSS validation or sanitization
        Throws:
        XSSRequestParameterValidationException - if validation is enabled and parameter names/values are determined to have XSS violations
      • getParameterValues

        public String[] getParameterValues(String name)
        Adapted from org.apache.catalina.core.ApplicationHttpRequest#getParameterValues(java.lang.String).
        Specified by:
        getParameterValues in interface javax.servlet.ServletRequest
        Overrides:
        getParameterValues in class javax.servlet.ServletRequestWrapper
        Parameters:
        name - the name of the requested parameter
        Returns:
        an array of Strings containing all of the values the given request parameter has after XSS validation or sanitization. Will be null if the parameter does not exist.
        Throws:
        XSSRequestParameterValidationException - if validation is enabled and parameter names/values are determined to have XSS violations
      • getProcessedRequestParameterMap

        protected Map<String,String[]> getProcessedRequestParameterMap()