Class XSSRequestProcessingService

java.lang.Object
com.broadleafcommerce.resource.security.xss.service.XSSRequestProcessingService

public class XSSRequestProcessingService extends Object
Responsible for performing validation and sanitization on provided values.
Author:
Jon Fleschler (jfleschler)
  • Constructor Details

    • XSSRequestProcessingService

      public XSSRequestProcessingService(org.owasp.html.PolicyFactory policy, XSSConfigurationProperties properties)
  • Method Details

    • processValue

      public XSSProcessingResponse processValue(String value, @Nullable jakarta.servlet.http.HttpServletRequest request)
      Process a given value against XSS sanitization. This will respond with an XSSProcessingResponse containing the processed value and whether it detected any XSS violations. A field will either be validated _OR_ sanitized.
      Parameters:
      value - the value to process
      request - the current request that this payload belongs to
      Returns:
      an XSSProcessingResponse containing the processed value and whether a violation has occurred
    • processField

      public XSSProcessingResponse processField(@Nullable String fieldName, String fieldValue, @Nullable jakarta.servlet.http.HttpServletRequest request)
      Process a given field and value against XSS sanitization. This will respond with an XSSProcessingResponse containing the processed value and whether it detected any XSS violations. A field will either be validated _OR_ sanitized.
      Parameters:
      fieldName - the name of the field to sanitize
      fieldValue - the value of the field to process
      request - the current request that this payload belongs to
      Returns:
      an XSSProcessingResponse containing the processed value and whether a violation has occurred
    • shouldValidate

      protected boolean shouldValidate(@Nullable String fieldName, @Nullable jakarta.servlet.http.HttpServletRequest request)
      Whether the value for the provided field should be validated against XSS.
      Parameters:
      fieldName - the name of the field to sanitize
      request - the current request that this payload belongs to
      Returns:
      whether the value should be validated
    • shouldSanitize

      protected boolean shouldSanitize(@Nullable String fieldName, @Nullable jakarta.servlet.http.HttpServletRequest request)
      Whether the value for the provided field should be sanitized. A field can only be sanitized if validation is not required.
      Parameters:
      fieldName - the name of the field to sanitize
      request - the current request that this payload belongs to
      Returns:
      whether the value should be sanitized
    • doValidate

      protected boolean doValidate(@Nullable String value)
      Perform the validation by comparing a sanitized version of the value to a baseline sanitized version.
      Parameters:
      value - the value to validate
      Returns:
      whether the value is valid
    • doSanitize

      protected String doSanitize(@Nullable String value)
      Perform the XSS sanitization of a value.
      Parameters:
      value - the value to sanitize
      Returns:
      the sanitized value
    • normalize

      protected String normalize(String value)
      Normalizes the input value by removing spaces and semi-colons, as the baseline sanitizer does not perform formatting.
      Parameters:
      value - the value to normalize
      Returns:
      a string with spaces and semi-colons removed
    • processRequestParameter

      public XSSRequestParameterProcessingResponse processRequestParameter(String originalParameterName, @Nullable String[] originalParameterValues, @Nullable jakarta.servlet.http.HttpServletRequest request)
      Process a given request parameter and its values. This will respond with an XSSRequestParameterProcessingResponse containing the results of XSS validation or sanitization. The parameter name and values will either be validated _or_ sanitized.
      Parameters:
      originalParameterName - the original request parameter name to sanitize/validate
      originalParameterValues - the original request parameter values to sanitize/validate
      request - the request that the parameter was given with
      Returns:
      an XSSRequestParameterProcessingResponse containing the processed values and whether a violation has occurred. XSSRequestParameterProcessingResponse.getSanitizedParameterName() is expected to be set both when sanitization is requested and when validation fails (so that the invalid parameter name can be reported safely)
    • shouldValidateParameter

      protected boolean shouldValidateParameter(@Nullable String parameterName, @Nullable jakarta.servlet.http.HttpServletRequest request)
      Whether the name/value for the provided request parameter should be validated against XSS.
      Parameters:
      parameterName - the name of the parameter to validate
      request - the request that the parameter was given with
      Returns:
      whether the parameter should be validated
    • shouldSanitizeParameter

      protected boolean shouldSanitizeParameter(@Nullable String parameterName, @Nullable jakarta.servlet.http.HttpServletRequest request)
      Whether the name/value for the provided request parameter should be sanitized for XSS. A parameter can only be sanitized if validation is not required.
      Parameters:
      parameterName - the name of the parameter to sanitize
      request - the request that the parameter was given with
      Returns:
      whether the value should be sanitized
    • doValidate

      protected boolean doValidate(@Nullable String[] values)
      Similar to doValidate(String) but for an array of values.
      Parameters:
      values - the array of values to validate against XSS
      Returns:
      true if all values were valid (or the array was null/empty), false otherwise
    • doSanitize

      @Nullable protected String[] doSanitize(@Nullable String[] values)
      Similar to doSanitize(String) but for an array of values.
      Parameters:
      values - the array of values to sanitize against XSS
      Returns:
      an array of sanitized values
    • getPolicy

      protected org.owasp.html.PolicyFactory getPolicy()
    • getProperties

      protected XSSConfigurationProperties getProperties()
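As an added illustration (not Broadleaf's code), the validate-or-sanitize split described for processValue, doValidate and normalize above, built on the org.owasp.html.PolicyFactory the constructor takes; the allow-list and the choice of the normalized original value as the validation baseline are assumptions.

```java
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

// Added example, not part of XSSRequestProcessingService.
public class XssCheckDemo {

    // Assumed policy: a short allow-list of formatting tags; everything else,
    // including script tags and event-handler attributes, is dropped.
    static final PolicyFactory POLICY = new HtmlPolicyBuilder()
            .allowElements("b", "i", "p", "br")
            .toFactory();

    // Mirrors normalize(): strip spaces and semi-colons so that whitespace or
    // entity-spelling differences introduced by the sanitizer are not counted
    // as violations.
    static String normalize(String value) {
        return value.replace(" ", "").replace(";", "");
    }

    // Mirrors doValidate(): valid when the policy-sanitized value equals the
    // baseline after normalization. Assumption: the baseline is the normalized
    // original input, so anything the policy stripped is a violation.
    // Caveat: characters the sanitizer entity-encodes (such as '&') would need
    // the same treatment on the baseline side; this demo keeps them out.
    static boolean isValid(String value) {
        if (value == null) {
            return true;
        }
        return normalize(POLICY.sanitize(value)).equals(normalize(value));
    }

    // Mirrors doSanitize(): the alternative path when validation is not required.
    static String sanitize(String value) {
        return value == null ? null : POLICY.sanitize(value);
    }

    public static void main(String[] args) {
        // Constructed sample inputs: two benign, two that the policy will alter.
        String[] samples = {
            "plain text",
            "<b>bold</b> and <i>italic</i>",
            "<img src=x onerror=alert(1)>",
            "<p>hi</p><script>alert(1)</script>"
        };
        for (String s : samples) {
            System.out.printf("valid=%-5s sanitized=%s%n", isValid(s), sanitize(s));
        }
    }
}
```

The first two samples pass validation unchanged, while the last two fail validation and, on the sanitize path, come back with the offending markup removed.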