Class XSSRequestWrapper

java.lang.Object
  jakarta.servlet.ServletRequestWrapper
    jakarta.servlet.http.HttpServletRequestWrapper
      com.broadleafcommerce.resource.security.xss.filter.XSSRequestWrapper

- All Implemented Interfaces:
  jakarta.servlet.http.HttpServletRequest, jakarta.servlet.ServletRequest

public class XSSRequestWrapper
extends jakarta.servlet.http.HttpServletRequestWrapper
A wrapper class for HttpServletRequestWrapper that provides XSS validation and sanitization.

- Author:
  Jon Fleschler (jfleschler)
Nested Class Summary

- static class: This mechanism allows for thread-safe, lazy, one-time processing of all request parameters and their values, rather than processing them repeatedly within each parameter-related method.
Field Summary

Fields inherited from interface jakarta.servlet.http.HttpServletRequest:
BASIC_AUTH, CLIENT_CERT_AUTH, DIGEST_AUTH, FORM_AUTH
Constructor Summary

XSSRequestWrapper(jakarta.servlet.http.HttpServletRequest request, XSSConfigurationProperties properties, XSSRequestService requestService)
  Constructs a request object wrapping the given request.
Method Summary

jakarta.servlet.ServletInputStream getInputStream()
  Responsible for processing the submitted data and performing any XSS validation before returning the stream in a new ServletInputStream.
String getParameter(String name)
  Adapted from org.apache.catalina.core.ApplicationHttpRequest#getParameter(java.lang.String).
getParameterNames()
  Adapted from org.apache.catalina.core.ApplicationHttpRequest#getParameterNames().
getParameterMap()
  Returns all request parameters and values after XSS validation or sanitization.
String[] getParameterValues(String name)
  Adapted from org.apache.catalina.core.ApplicationHttpRequest#getParameterValues(java.lang.String).
getProcessedRequestParameterMap()
protected XSSConfigurationProperties getProperties()
protected XSSRequestService getRequestService()
Methods inherited from class jakarta.servlet.http.HttpServletRequestWrapper
authenticate, changeSessionId, getAuthType, getContextPath, getCookies, getDateHeader, getHeader, getHeaderNames, getHeaders, getHttpServletMapping, getIntHeader, getMethod, getPart, getParts, getPathInfo, getPathTranslated, getQueryString, getRemoteUser, getRequestedSessionId, getRequestURI, getRequestURL, getServletPath, getSession, getSession, getTrailerFields, getUserPrincipal, isRequestedSessionIdFromCookie, isRequestedSessionIdFromURL, isRequestedSessionIdValid, isTrailerFieldsReady, isUserInRole, login, logout, newPushBuilder, upgrade
Methods inherited from class jakarta.servlet.ServletRequestWrapper
getAsyncContext, getAttribute, getAttributeNames, getCharacterEncoding, getContentLength, getContentLengthLong, getContentType, getDispatcherType, getLocalAddr, getLocale, getLocales, getLocalName, getLocalPort, getProtocol, getProtocolRequestId, getReader, getRemoteAddr, getRemoteHost, getRemotePort, getRequest, getRequestDispatcher, getRequestId, getScheme, getServerName, getServerPort, getServletConnection, getServletContext, isAsyncStarted, isAsyncSupported, isSecure, isWrapperFor, isWrapperFor, removeAttribute, setAttribute, setCharacterEncoding, setRequest, startAsync, startAsync
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
Methods inherited from interface jakarta.servlet.ServletRequest
getAsyncContext, getAttribute, getAttributeNames, getCharacterEncoding, getContentLength, getContentLengthLong, getContentType, getDispatcherType, getLocalAddr, getLocale, getLocales, getLocalName, getLocalPort, getProtocol, getProtocolRequestId, getReader, getRemoteAddr, getRemoteHost, getRemotePort, getRequestDispatcher, getRequestId, getScheme, getServerName, getServerPort, getServletConnection, getServletContext, isAsyncStarted, isAsyncSupported, isSecure, removeAttribute, setAttribute, setCharacterEncoding, startAsync, startAsync
Constructor Details

XSSRequestWrapper

public XSSRequestWrapper(jakarta.servlet.http.HttpServletRequest request, XSSConfigurationProperties properties, XSSRequestService requestService)

Constructs a request object wrapping the given request.

- Parameters:
  request - the HttpServletRequest to be wrapped.
- Throws:
  IllegalArgumentException - if the request is null
Method Details

getInputStream

Responsible for processing the submitted data and performing any XSS validation before returning the stream in a new ServletInputStream.

- Specified by:
  getInputStream in interface jakarta.servlet.ServletRequest
- Overrides:
  getInputStream in class jakarta.servlet.ServletRequestWrapper
- Returns:
  the ServletInputStream containing the processed data
- Throws:
  IOException - inherited from super class
  com.broadleafcommerce.common.error.validation.ValidationException - if any fields are determined to have XSS violations
getParameterNames

Adapted from org.apache.catalina.core.ApplicationHttpRequest#getParameterNames().

- Specified by:
  getParameterNames in interface jakarta.servlet.ServletRequest
- Overrides:
  getParameterNames in class jakarta.servlet.ServletRequestWrapper
- Returns:
  all request parameter names after XSS validation or sanitization
- Throws:
  XSSRequestParameterValidationException - if validation is enabled and parameter names/values are determined to have XSS violations
getParameterMap

- Specified by:
  getParameterMap in interface jakarta.servlet.ServletRequest
- Overrides:
  getParameterMap in class jakarta.servlet.ServletRequestWrapper
- Returns:
  all request parameters and values after XSS validation or sanitization
- Throws:
  XSSRequestParameterValidationException - if validation is enabled and parameter names/values are determined to have XSS violations
getParameter

Adapted from org.apache.catalina.core.ApplicationHttpRequest#getParameter(java.lang.String).

- Specified by:
  getParameter in interface jakarta.servlet.ServletRequest
- Overrides:
  getParameter in class jakarta.servlet.ServletRequestWrapper
- Parameters:
  name - the name of the requested parameter
- Returns:
  the value of the request parameter as a String after XSS validation or sanitization
- Throws:
  XSSRequestParameterValidationException - if validation is enabled and parameter names/values are determined to have XSS violations
getParameterValues

Adapted from org.apache.catalina.core.ApplicationHttpRequest#getParameterValues(java.lang.String).

- Specified by:
  getParameterValues in interface jakarta.servlet.ServletRequest
- Overrides:
  getParameterValues in class jakarta.servlet.ServletRequestWrapper
- Parameters:
  name - the name of the requested parameter
- Returns:
  an array of Strings containing all of the values the given request parameter has after XSS validation or sanitization. Will be null if the parameter does not exist.
- Throws:
  XSSRequestParameterValidationException - if validation is enabled and parameter names/values are determined to have XSS violations
getProcessedRequestParameterMap

getProperties

getRequestService
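As an added illustration (not Broadleaf's own code), a minimal HttpServletRequestWrapper subclass with the same shape as the class documented above: all parameter names and values are processed once, lazily and thread-safely, and the four parameter accessors read from that cached result, throwing in validation mode or returning encoded values in sanitization mode. The class name, the boolean mode switch, the angle-bracket check and the IllegalArgumentException are assumptions standing in for XSSConfigurationProperties, XSSRequestService and XSSRequestParameterValidationException; body processing via getInputStream is not shown.

```java
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletRequestWrapper;
import java.util.*;
// Hypothetical wrapper illustrating the pattern above; not Broadleaf's XSSRequestWrapper.
public class LazyXssRequestWrapper extends HttpServletRequestWrapper {
    private final boolean validate;                    // true: reject the request; false: sanitize values
    private volatile Map<String, String[]> processed;  // built once, on first parameter access
    public LazyXssRequestWrapper(HttpServletRequest request, boolean validate) {
        super(request);  // HttpServletRequestWrapper itself throws IllegalArgumentException on null
        this.validate = validate;
    }
    // Thread-safe, lazy, one-time processing of every parameter name and value (double-checked
    // locking), so later getParameter* calls reuse the result instead of re-checking each time.
    private Map<String, String[]> processed() {
        Map<String, String[]> local = processed;
        if (local == null) {
            synchronized (this) {
                local = processed;
                if (local == null) {
                    Map<String, String[]> out = new LinkedHashMap<>();
                    for (Map.Entry<String, String[]> e : super.getParameterMap().entrySet()) {
                        String[] values = new String[e.getValue().length];
                        for (int i = 0; i < values.length; i++) values[i] = check(e.getValue()[i]);
                        out.put(check(e.getKey()), values);
                    }
                    processed = local = Collections.unmodifiableMap(out);
                }
            }
        }
        return local;
    }
    // Constructed placeholder for the decision the page delegates to XSSRequestService: any angle
    // bracket counts as a violation; validate mode throws (stand-in for the page's
    // XSSRequestParameterValidationException), sanitize mode HTML-encodes it.
    private String check(String s) {
        if (s == null || (s.indexOf('<') < 0 && s.indexOf('>') < 0)) return s;
        if (validate) throw new IllegalArgumentException("XSS violation in request parameter");
        return s.replace("<", "&lt;").replace(">", "&gt;");
    }
    @Override public String getParameter(String name) {
        String[] v = processed().get(name);
        return v == null || v.length == 0 ? null : v[0];
    }
    @Override public String[] getParameterValues(String name) {
        String[] v = processed().get(name);
        return v == null ? null : v.clone();  // copy so callers cannot mutate the cached values
    }
    @Override public Map<String, String[]> getParameterMap() { return processed(); }
    @Override public Enumeration<String> getParameterNames() { return Collections.enumeration(processed().keySet()); }
}
```

Because the check runs over the whole map on first access, a rejection in validate mode surfaces from whichever accessor is called first, which matches the per-method Throws entries above.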