Class XSSRequestWrapper

java.lang.Object
  javax.servlet.ServletRequestWrapper
    javax.servlet.http.HttpServletRequestWrapper
      com.broadleafcommerce.resource.security.xss.filter.XSSRequestWrapper

All Implemented Interfaces:
  javax.servlet.http.HttpServletRequest, javax.servlet.ServletRequest

public class XSSRequestWrapper extends javax.servlet.http.HttpServletRequestWrapper
A wrapper class for HttpServletRequestWrapper that provides XSS validation and sanitization.

Author:
  Jon Fleschler (jfleschler)
Nested Class Summary

static class XSSRequestWrapper.ProcessedRequestParameterMapInitializer
  This mechanism allows for thread-safe, lazy, one-time processing of all request parameters and their values, rather than repeating that processing inside each parameter-related method.
Constructor Summary

XSSRequestWrapper(javax.servlet.http.HttpServletRequest request, XSSConfigurationProperties properties, XSSRequestService requestService)
  Constructs a request object wrapping the given request.
Method Summary (all methods are concrete instance methods)

javax.servlet.ServletInputStream getInputStream()
  Responsible for processing the submitted data and performing any XSS validation before returning the stream in a new ServletInputStream.

String getParameter(String name)
  Adapted from org.apache.catalina.core.ApplicationHttpRequest#getParameter(java.lang.String).

Map<String,String[]> getParameterMap()

Enumeration<String> getParameterNames()
  Adapted from org.apache.catalina.core.ApplicationHttpRequest#getParameterNames().

String[] getParameterValues(String name)
  Adapted from org.apache.catalina.core.ApplicationHttpRequest#getParameterValues(java.lang.String).

protected Map<String,String[]> getProcessedRequestParameterMap()

protected XSSConfigurationProperties getProperties()

protected XSSRequestService getRequestService()
Methods inherited from class javax.servlet.http.HttpServletRequestWrapper
  authenticate, changeSessionId, getAuthType, getContextPath, getCookies, getDateHeader, getHeader, getHeaderNames, getHeaders, getHttpServletMapping, getIntHeader, getMethod, getPart, getParts, getPathInfo, getPathTranslated, getQueryString, getRemoteUser, getRequestedSessionId, getRequestURI, getRequestURL, getServletPath, getSession, getSession, getTrailerFields, getUserPrincipal, isRequestedSessionIdFromCookie, isRequestedSessionIdFromUrl, isRequestedSessionIdFromURL, isRequestedSessionIdValid, isTrailerFieldsReady, isUserInRole, login, logout, newPushBuilder, upgrade

Methods inherited from class javax.servlet.ServletRequestWrapper
  getAsyncContext, getAttribute, getAttributeNames, getCharacterEncoding, getContentLength, getContentLengthLong, getContentType, getDispatcherType, getLocalAddr, getLocale, getLocales, getLocalName, getLocalPort, getProtocol, getReader, getRealPath, getRemoteAddr, getRemoteHost, getRemotePort, getRequest, getRequestDispatcher, getScheme, getServerName, getServerPort, getServletContext, isAsyncStarted, isAsyncSupported, isSecure, isWrapperFor, isWrapperFor, removeAttribute, setAttribute, setCharacterEncoding, setRequest, startAsync, startAsync

Methods inherited from class java.lang.Object
  clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface javax.servlet.ServletRequest
  getAsyncContext, getAttribute, getAttributeNames, getCharacterEncoding, getContentLength, getContentLengthLong, getContentType, getDispatcherType, getLocalAddr, getLocale, getLocales, getLocalName, getLocalPort, getProtocol, getReader, getRealPath, getRemoteAddr, getRemoteHost, getRemotePort, getRequestDispatcher, getScheme, getServerName, getServerPort, getServletContext, isAsyncStarted, isAsyncSupported, isSecure, removeAttribute, setAttribute, setCharacterEncoding, startAsync, startAsync
Constructor Detail

XSSRequestWrapper

public XSSRequestWrapper(javax.servlet.http.HttpServletRequest request, XSSConfigurationProperties properties, XSSRequestService requestService)

Constructs a request object wrapping the given request.

Parameters:
  request - the HttpServletRequest to be wrapped.
Throws:
  IllegalArgumentException - if the request is null
Method Detail

getInputStream

public javax.servlet.ServletInputStream getInputStream() throws IOException

Responsible for processing the submitted data and performing any XSS validation before returning the stream in a new ServletInputStream.

Specified by:
  getInputStream in interface javax.servlet.ServletRequest
Overrides:
  getInputStream in class javax.servlet.ServletRequestWrapper
Returns:
  the ServletInputStream containing the processed data
Throws:
  IOException - inherited from the superclass
  com.broadleafcommerce.common.error.validation.ValidationException - if any fields are determined to have XSS violations
getParameterNames

public Enumeration<String> getParameterNames()

Adapted from org.apache.catalina.core.ApplicationHttpRequest#getParameterNames().

Specified by:
  getParameterNames in interface javax.servlet.ServletRequest
Overrides:
  getParameterNames in class javax.servlet.ServletRequestWrapper
Returns:
  all request parameter names after XSS validation or sanitization
Throws:
  XSSRequestParameterValidationException - if validation is enabled and parameter names/values are determined to have XSS violations
getParameterMap

public Map<String,String[]> getParameterMap()

Specified by:
  getParameterMap in interface javax.servlet.ServletRequest
Overrides:
  getParameterMap in class javax.servlet.ServletRequestWrapper
Returns:
  all request parameters and values after XSS validation or sanitization
Throws:
  XSSRequestParameterValidationException - if validation is enabled and parameter names/values are determined to have XSS violations
getParameter

public String getParameter(String name)

Adapted from org.apache.catalina.core.ApplicationHttpRequest#getParameter(java.lang.String).

Specified by:
  getParameter in interface javax.servlet.ServletRequest
Overrides:
  getParameter in class javax.servlet.ServletRequestWrapper
Parameters:
  name - the name of the requested parameter
Returns:
  the value of the request parameter as a String after XSS validation or sanitization
Throws:
  XSSRequestParameterValidationException - if validation is enabled and parameter names/values are determined to have XSS violations
getParameterValues

public String[] getParameterValues(String name)

Adapted from org.apache.catalina.core.ApplicationHttpRequest#getParameterValues(java.lang.String).

Specified by:
  getParameterValues in interface javax.servlet.ServletRequest
Overrides:
  getParameterValues in class javax.servlet.ServletRequestWrapper
Parameters:
  name - the name of the requested parameter
Returns:
  an array of Strings containing all of the values the given request parameter has after XSS validation or sanitization. Will be null if the parameter does not exist.
Throws:
  XSSRequestParameterValidationException - if validation is enabled and parameter names/values are determined to have XSS violations
getProperties

protected XSSConfigurationProperties getProperties()

getRequestService

protected XSSRequestService getRequestService()
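The lazy, one-time parameter processing and the validate-or-sanitize behaviour documented for the getParameter* methods above, shown as an added example that is not Broadleaf's XSSRequestWrapper: LazyXssRequestWrapper, the looksLikeXss detector and the sanitizer operator are assumed collaborators standing in for XSSConfigurationProperties and XSSRequestService, and the IllegalArgumentException stands in for XSSRequestParameterValidationException.

```java
import java.util.*;
import java.util.function.Predicate;
import java.util.function.UnaryOperator;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

// Added example, not Broadleaf's code: process the parameter map once, lazily, under a lock.
public class LazyXssRequestWrapper extends HttpServletRequestWrapper {
    private final boolean validationEnabled;        // true: reject, false: sanitize
    private final Predicate<String> looksLikeXss;  // assumed detector, injected
    private final UnaryOperator<String> sanitizer; // assumed sanitizer, injected
    private Map<String, String[]> processed;       // guarded by "this"
    public LazyXssRequestWrapper(HttpServletRequest request, boolean validationEnabled,
            Predicate<String> looksLikeXss, UnaryOperator<String> sanitizer) {
        super(request); // throws IllegalArgumentException when request is null
        this.validationEnabled = validationEnabled;
        this.looksLikeXss = looksLikeXss;
        this.sanitizer = sanitizer;
    }

    // Lazy and one-time: the raw map is read and checked on the first call only.
    private synchronized Map<String, String[]> processedParameters() {
        if (processed == null) {
            Map<String, String[]> out = new LinkedHashMap<>();
            for (Map.Entry<String, String[]> e : super.getParameterMap().entrySet()) {
                String[] values = e.getValue().clone();
                for (int i = 0; i < values.length; i++) values[i] = check(values[i]);
                out.put(check(e.getKey()), values); // parameter names are checked too
            }
            processed = Collections.unmodifiableMap(out);
        }
        return processed;
    }

    // Validation mode fails the whole request; sanitization mode rewrites the value.
    private String check(String s) {
        if (s != null && validationEnabled && looksLikeXss.test(s))
            throw new IllegalArgumentException("XSS violation in parameter"); // stand-in type
        return s == null ? null : sanitizer.apply(s);
    }
    @Override public Map<String, String[]> getParameterMap() { return processedParameters(); }
    @Override public Enumeration<String> getParameterNames() {
        return Collections.enumeration(processedParameters().keySet());
    }
    @Override public String[] getParameterValues(String name) { return processedParameters().get(name); }
    @Override public String getParameter(String name) {
        String[] v = getParameterValues(name);
        return v == null || v.length == 0 ? null : v[0];
    }
}
```

Because every override goes through processedParameters(), a request is validated exactly once no matter how many parameter lookups the application performs, and a rejection in validation mode surfaces on the first lookup rather than being skipped by a code path that reads the raw request.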