Class XSSRequestProcessingService

java.lang.Object
  com.broadleafcommerce.resource.security.xss.service.XSSRequestProcessingService

public class XSSRequestProcessingService extends Object

Responsible for performing validation and sanitization on provided values.

Author:
  Jon Fleschler (jfleschler)
See Also:
  XSSRequestService
Constructor Summary

Constructor
  XSSRequestProcessingService(org.owasp.html.PolicyFactory policy, XSSConfigurationProperties properties)
Method Summary

All Methods | Instance Methods | Concrete Methods

Modifier and Type / Method / Description

protected String doSanitize(String value)
  Perform the XSS sanitization of a value.
protected String[] doSanitize(String[] values)
  Similar to doSanitize(String) but for an array of values.
protected boolean doValidate(String value)
  Perform the validation by comparing a sanitized version of the value to a baseline sanitized version.
protected boolean doValidate(String[] values)
  Similar to doValidate(String) but for an array of values.
protected org.owasp.html.PolicyFactory getPolicy()
protected XSSConfigurationProperties getProperties()
protected String normalize(String value)
  Normalizes the input value by removing spaces and semi-colons, as the baseline sanitize does not perform formatting.
XSSProcessingResponse processField(String fieldName, String fieldValue, javax.servlet.http.HttpServletRequest request)
  Process a given field and value against XSS sanitization.
XSSRequestParameterProcessingResponse processRequestParameter(String originalParameterName, String[] originalParameterValues, javax.servlet.http.HttpServletRequest request)
  Process a given request parameter and its values.
XSSProcessingResponse processValue(String value, javax.servlet.http.HttpServletRequest request)
  Process a given value against XSS sanitization.
protected boolean shouldSanitize(String fieldName, javax.servlet.http.HttpServletRequest request)
  Whether the value for the provided field should be sanitized.
protected boolean shouldSanitizeParameter(String parameterName, javax.servlet.http.HttpServletRequest request)
  Whether the name/value for the provided request parameter should be sanitized for XSS.
protected boolean shouldValidate(String fieldName, javax.servlet.http.HttpServletRequest request)
  Whether the value for the provided field should be validated against XSS.
protected boolean shouldValidateParameter(String parameterName, javax.servlet.http.HttpServletRequest request)
  Whether the name/value for the provided request parameter should be validated against XSS.

Constructor Detail

XSSRequestProcessingService
public XSSRequestProcessingService(org.owasp.html.PolicyFactory policy, XSSConfigurationProperties properties)

Method Detail

processValue
public XSSProcessingResponse processValue(String value, @Nullable javax.servlet.http.HttpServletRequest request)
Process a given value against XSS sanitization. This will respond with an XSSProcessingResponse containing the processed value and whether it detected any XSS violations. A field will either be validated _OR_ sanitized.
Parameters:
  value - the value to process
  request - the current request that this payload belongs to
Returns:
  an XSSProcessingResponse containing the processed value and if a violation has occurred

processField
public XSSProcessingResponse processField(@Nullable String fieldName, String fieldValue, @Nullable javax.servlet.http.HttpServletRequest request)
Process a given field and value against XSS sanitization. This will respond with an XSSProcessingResponse containing the processed value and whether it detected any XSS violations. A field will either be validated _OR_ sanitized.
Parameters:
  fieldName - the name of the field to sanitize
  fieldValue - the value of the field to process
  request - the current request that this payload belongs to
Returns:
  an XSSProcessingResponse containing the processed value and if a violation has occurred

shouldValidate
protected boolean shouldValidate(@Nullable String fieldName, @Nullable javax.servlet.http.HttpServletRequest request)
Whether the value for the provided field should be validated against XSS.
Parameters:
  fieldName - the name of the field to sanitize
  request - the current request that this payload belongs to
Returns:
  whether the value should be validated

shouldSanitize
protected boolean shouldSanitize(@Nullable String fieldName, @Nullable javax.servlet.http.HttpServletRequest request)
Whether the value for the provided field should be sanitized. A field can only be sanitized if validation is not required.
Parameters:
  fieldName - the name of the field to sanitize
  request - the current request that this payload belongs to
Returns:
  whether the value should be sanitized

doValidate
protected boolean doValidate(@Nullable String value)
Perform the validation by comparing a sanitized version of the value to a baseline sanitized version.
Parameters:
  value - the value to validate
Returns:
  whether the value is valid

doSanitize
protected String doSanitize(@Nullable String value)
Perform the XSS sanitization of a value.
Parameters:
  value - the value to sanitize
Returns:
  the sanitized value

normalize
protected String normalize(String value)
Normalizes the input value by removing spaces and semi-colons, as the baseline sanitize does not perform formatting.
Parameters:
  value - the value to normalize
Returns:
  a string with spaces and semi-colons removed

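The validate-or-sanitize flow that processValue, doValidate, doSanitize and normalize describe, as an added example built on the OWASP Java HTML Sanitizer's PolicyFactory (this is not Broadleaf's code; the policy, the Result type, the process helper and the sample inputs are assumptions, and the real service takes its policy and its validate/sanitize decisions from XSSConfigurationProperties):

```java
// Added example, not the project's code. Requires org.owasp.html (owasp-java-html-sanitizer) on the classpath.
import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;

public class XssProcessingDemo {

    /** Stand-in for XSSProcessingResponse (assumed shape): the processed value and whether a violation was seen. */
    public record Result(String value, boolean violation) {}

    // Example policy (assumed, not the project's): inline formatting only, no scripts or event handlers.
    private static final PolicyFactory POLICY = Sanitizers.FORMATTING;

    /** Comparison form: spaces and semicolons dropped, because the sanitizer reflows style/attribute spacing. */
    static String normalize(String value) {
        return value.replace(" ", "").replace(";", "");
    }

    static String doSanitize(String value) {
        return value == null ? null : POLICY.sanitize(value);
    }

    /** Valid only when sanitizing changes nothing once both sides are normalized.
     *  Caveat: the sanitizer entity-encodes bare '&', '<' and '>' in text, so a production baseline
     *  must apply the same encoding to the original; for brevity the raw value is the baseline here. */
    static boolean doValidate(String value) {
        return value == null || normalize(value).equals(normalize(doSanitize(value)));
    }

    /** A field is either validated (rejected, original kept) or sanitized (rewritten), never both. */
    static Result process(String value, boolean validate) {
        if (validate) {
            return new Result(value, !doValidate(value));
        }
        String clean = doSanitize(value);
        boolean changed = value != null && !normalize(value).equals(normalize(clean));
        return new Result(clean, changed);
    }

    public static void main(String[] args) {
        // Constructed sample inputs: allowed markup, an injected event handler, and a script element.
        String[] samples = {
            "<b>Hello</b> world",
            "<b onmouseover=\"alert(1)\">x</b>",
            "<script>alert(1)</script>hi"
        };
        for (String s : samples) {
            System.out.println("validate -> " + process(s, true));   // only the first sample has violation=false
            System.out.println("sanitize -> " + process(s, false));  // handler and script are stripped from the others
        }
    }
}
```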
processRequestParameter
public XSSRequestParameterProcessingResponse processRequestParameter(String originalParameterName, @Nullable String[] originalParameterValues, @Nullable javax.servlet.http.HttpServletRequest request)
Process a given request parameter and its values. This will respond with an XSSRequestParameterProcessingResponse containing the results of XSS validation or sanitization. The parameter name and values will either be validated _or_ sanitized.
Parameters:
  originalParameterName - the original request parameter name to sanitize/validate
  originalParameterValues - the original request parameter values to sanitize/validate
  request - the request that the parameter was given with
Returns:
  an XSSRequestParameterProcessingResponse containing the processed values and if a violation has occurred. XSSRequestParameterProcessingResponse.getSanitizedParameterName() is expected to be set both when sanitization is requested, or when validation fails (to safely report the invalid parameter name)

shouldValidateParameter
protected boolean shouldValidateParameter(@Nullable String parameterName, @Nullable javax.servlet.http.HttpServletRequest request)
Whether the name/value for the provided request parameter should be validated against XSS.
Parameters:
  parameterName - the name of the parameter to validate
  request - the request that the parameter was given with
Returns:
  whether the parameter should be validated

shouldSanitizeParameter
protected boolean shouldSanitizeParameter(@Nullable String parameterName, @Nullable javax.servlet.http.HttpServletRequest request)
Whether the name/value for the provided request parameter should be sanitized for XSS. A parameter can only be sanitized if validation is not required.
Parameters:
  parameterName - the name of the parameter to sanitize
  request - the request that the parameter was given with
Returns:
  whether the value should be sanitized

doValidate
protected boolean doValidate(@Nullable String[] values)
Similar to doValidate(String) but for an array of values.
Parameters:
  values - the array of values to validate against XSS
Returns:
  true if all values were valid (or the array was null/empty), false otherwise

doSanitize
@Nullable protected String[] doSanitize(@Nullable String[] values)
Similar to doSanitize(String) but for an array of values.
Parameters:
  values - the array of values to sanitize against XSS
Returns:
  an array of sanitized values

getPolicy
protected org.owasp.html.PolicyFactory getPolicy()

getProperties
protected XSSConfigurationProperties getProperties()