Class XSSRequestWrapper

java.lang.Object
jakarta.servlet.ServletRequestWrapper
jakarta.servlet.http.HttpServletRequestWrapper
com.broadleafcommerce.resource.security.xss.filter.XSSRequestWrapper
All Implemented Interfaces:
jakarta.servlet.http.HttpServletRequest, jakarta.servlet.ServletRequest

public class XSSRequestWrapper extends jakarta.servlet.http.HttpServletRequestWrapper
A wrapper around an HttpServletRequest (extending HttpServletRequestWrapper) that provides XSS validation and sanitization of request parameters and of the submitted request body.
Author:
Jon Fleschler (jfleschler)
  • Nested Class Summary

    Nested Classes
    Modifier and Type
    Class
    Description
    static class 
    This mechanism allows for thread-safe, lazy, one-time processing of all request parameters and their values rather than repeatedly within each parameter-related method.
  • Field Summary

    Fields inherited from interface jakarta.servlet.http.HttpServletRequest

    BASIC_AUTH, CLIENT_CERT_AUTH, DIGEST_AUTH, FORM_AUTH
  • Constructor Summary

    Constructors
    Constructor
    Description
    XSSRequestWrapper(jakarta.servlet.http.HttpServletRequest request, XSSConfigurationProperties properties, XSSRequestService requestService)
    Constructs a request object wrapping the given request.
  • Method Summary

    Modifier and Type
    Method
    Description
    jakarta.servlet.ServletInputStream
    getInputStream()
    Responsible for processing the submitted data and performing any XSS validation before returning the stream in a new ServletInputStream.
    String
    getParameter(String name)
    Adapted from org.apache.catalina.core.ApplicationHttpRequest#getParameter(java.lang.String).
    Map<String,String[]>
    getParameterMap()
    Enumeration<String>
    getParameterNames()
    Adapted from org.apache.catalina.core.ApplicationHttpRequest#getParameterNames().
    String[]
    getParameterValues(String name)
    Adapted from org.apache.catalina.core.ApplicationHttpRequest#getParameterValues(java.lang.String).
    protected Map<String,String[]>
    getProcessedRequestParameterMap()
    protected XSSConfigurationProperties
    getProperties()
    protected XSSRequestService
    getRequestService()

    Methods inherited from class jakarta.servlet.http.HttpServletRequestWrapper

    authenticate, changeSessionId, getAuthType, getContextPath, getCookies, getDateHeader, getHeader, getHeaderNames, getHeaders, getHttpServletMapping, getIntHeader, getMethod, getPart, getParts, getPathInfo, getPathTranslated, getQueryString, getRemoteUser, getRequestedSessionId, getRequestURI, getRequestURL, getServletPath, getSession, getSession, getTrailerFields, getUserPrincipal, isRequestedSessionIdFromCookie, isRequestedSessionIdFromURL, isRequestedSessionIdValid, isTrailerFieldsReady, isUserInRole, login, logout, newPushBuilder, upgrade

    Methods inherited from class jakarta.servlet.ServletRequestWrapper

    getAsyncContext, getAttribute, getAttributeNames, getCharacterEncoding, getContentLength, getContentLengthLong, getContentType, getDispatcherType, getLocalAddr, getLocale, getLocales, getLocalName, getLocalPort, getProtocol, getProtocolRequestId, getReader, getRemoteAddr, getRemoteHost, getRemotePort, getRequest, getRequestDispatcher, getRequestId, getScheme, getServerName, getServerPort, getServletConnection, getServletContext, isAsyncStarted, isAsyncSupported, isSecure, isWrapperFor, isWrapperFor, removeAttribute, setAttribute, setCharacterEncoding, setRequest, startAsync, startAsync

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

    Methods inherited from interface jakarta.servlet.ServletRequest

    getAsyncContext, getAttribute, getAttributeNames, getCharacterEncoding, getContentLength, getContentLengthLong, getContentType, getDispatcherType, getLocalAddr, getLocale, getLocales, getLocalName, getLocalPort, getProtocol, getProtocolRequestId, getReader, getRemoteAddr, getRemoteHost, getRemotePort, getRequestDispatcher, getRequestId, getScheme, getServerName, getServerPort, getServletConnection, getServletContext, isAsyncStarted, isAsyncSupported, isSecure, removeAttribute, setAttribute, setCharacterEncoding, startAsync, startAsync
  • Constructor Details

    • XSSRequestWrapper

      public XSSRequestWrapper(jakarta.servlet.http.HttpServletRequest request, XSSConfigurationProperties properties, XSSRequestService requestService)
      Constructs a request object wrapping the given request.
      Parameters:
      request - the HttpServletRequest to be wrapped.
      Throws:
      IllegalArgumentException - if the request is null
  • Method Details

    • getInputStream

      public jakarta.servlet.ServletInputStream getInputStream() throws IOException
      Responsible for processing the submitted data and performing any XSS validation before returning the stream in a new ServletInputStream.
      Specified by:
      getInputStream in interface jakarta.servlet.ServletRequest
      Overrides:
      getInputStream in class jakarta.servlet.ServletRequestWrapper
      Returns:
      the ServletInputStream containing the processed data
      Throws:
      IOException - inherited from the superclass
      com.broadleafcommerce.common.error.validation.ValidationException - if any fields are determined to have XSS violations
    • getParameterNames

      public Enumeration<String> getParameterNames()
      Adapted from org.apache.catalina.core.ApplicationHttpRequest#getParameterNames().
      Specified by:
      getParameterNames in interface jakarta.servlet.ServletRequest
      Overrides:
      getParameterNames in class jakarta.servlet.ServletRequestWrapper
      Returns:
      all request parameter names after XSS validation or sanitization
      Throws:
      XSSRequestParameterValidationException - if validation is enabled and parameter names/values are determined to have XSS violations
    • getParameterMap

      public Map<String,String[]> getParameterMap()
      Specified by:
      getParameterMap in interface jakarta.servlet.ServletRequest
      Overrides:
      getParameterMap in class jakarta.servlet.ServletRequestWrapper
      Returns:
      all request parameters and values after XSS validation or sanitization
      Throws:
      XSSRequestParameterValidationException - if validation is enabled and parameter names/values are determined to have XSS violations
    • getParameter

      public String getParameter(String name)
      Adapted from org.apache.catalina.core.ApplicationHttpRequest#getParameter(java.lang.String).
      Specified by:
      getParameter in interface jakarta.servlet.ServletRequest
      Overrides:
      getParameter in class jakarta.servlet.ServletRequestWrapper
      Parameters:
      name - the name of the requested parameter
      Returns:
      the value of the request parameter as a String after XSS validation or sanitization
      Throws:
      XSSRequestParameterValidationException - if validation is enabled and parameter names/values are determined to have XSS violations
    • getParameterValues

      public String[] getParameterValues(String name)
      Adapted from org.apache.catalina.core.ApplicationHttpRequest#getParameterValues(java.lang.String).
      Specified by:
      getParameterValues in interface jakarta.servlet.ServletRequest
      Overrides:
      getParameterValues in class jakarta.servlet.ServletRequestWrapper
      Parameters:
      name - the name of the requested parameter
      Returns:
      an array of Strings containing all of the values the given request parameter has after XSS validation or sanitization. Will be null if the parameter does not exist.
      Throws:
      XSSRequestParameterValidationException - if validation is enabled and parameter names/values are determined to have XSS violations
    • getProcessedRequestParameterMap

      protected Map<String,String[]> getProcessedRequestParameterMap()
    • getProperties

      protected XSSConfigurationProperties getProperties()
    • getRequestService

      protected XSSRequestService getRequestService()
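The thread-safe, lazy, one-time parameter processing described in the nested class summary, together with the four parameter accessors documented above, as an added example that is not Broadleaf's code: a minimal HttpServletRequestWrapper that builds one processed copy of the parameter map under double-checked locking and serves getParameter, getParameterValues, getParameterMap and getParameterNames from it. The sanitizer is an assumed placeholder (a UnaryOperator<String>) standing in for XSSRequestService, and the class and method names are hypothetical.

```java
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletRequestWrapper;
import java.util.Collections;
import java.util.Enumeration;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.function.UnaryOperator;

/** Illustrative wrapper: every parameter accessor reads one lazily built, processed copy of the map. */
public class LazySanitizingRequestWrapper extends HttpServletRequestWrapper {
    // Placeholder for the XSS check; the real project delegates to XSSRequestService instead.
    private final UnaryOperator<String> sanitizer;
    // volatile + double-checked locking: built at most once per request, even under concurrent access.
    private volatile Map<String, String[]> processed;

    public LazySanitizingRequestWrapper(HttpServletRequest request, UnaryOperator<String> sanitizer) {
        super(request); // HttpServletRequestWrapper throws IllegalArgumentException if request is null
        this.sanitizer = sanitizer;
    }

    protected Map<String, String[]> getProcessedParameterMap() {
        Map<String, String[]> result = processed;
        if (result == null) {
            synchronized (this) {
                result = processed;
                if (result == null) {
                    Map<String, String[]> built = new LinkedHashMap<>();
                    // Parameter names are client-controlled too, so names and values are both processed.
                    for (Map.Entry<String, String[]> e : super.getParameterMap().entrySet()) {
                        String[] values = e.getValue().clone();
                        for (int i = 0; i < values.length; i++) values[i] = sanitizer.apply(values[i]);
                        built.put(sanitizer.apply(e.getKey()), values);
                    }
                    processed = result = Collections.unmodifiableMap(built);
                }
            }
        }
        return result;
    }

    @Override public String getParameter(String name) {
        String[] values = getProcessedParameterMap().get(name);
        return values == null || values.length == 0 ? null : values[0];
    }
    @Override public String[] getParameterValues(String name) {
        String[] values = getProcessedParameterMap().get(name);
        return values == null ? null : values.clone(); // defensive copy, as Tomcat's ApplicationHttpRequest does
    }
    @Override public Map<String, String[]> getParameterMap() { return getProcessedParameterMap(); }
    @Override public Enumeration<String> getParameterNames() {
        return Collections.enumeration(getProcessedParameterMap().keySet());
    }
}
```

A validating variant would have the sanitizer throw (as XSSRequestParameterValidationException does here) instead of returning an escaped value; the lazy map is built the same way in both modes.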