
1   /*
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements.  See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership.  The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License.  You may obtain a copy of the License at
9    *
10   *     http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing, software
13   * distributed under the License is distributed on an "AS IS" BASIS,
14   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15   * See the License for the specific language governing permissions and
16   * limitations under the License.
17   */
18  
19  package org.apache.hadoop.chukwa.util;
20  
21  import java.util.Enumeration;
22  import java.util.regex.Pattern;
23  import java.util.regex.Matcher;
24  import javax.servlet.http.HttpServletRequest;
25  import javax.servlet.http.HttpSession;
26  import org.apache.commons.logging.Log;
27  import org.apache.commons.logging.LogFactory;
28  
29  import com.josephoconnell.html.HTMLInputFilter;
30  
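/**
 * Thin wrapper around an {@link HttpServletRequest} that hands out request
 * parameters with HTML markup neutralised by {@link #filter(String)}, so the
 * values can be echoed back into a page without opening a reflected-XSS hole.
 *
 * <p>One instance wraps one request; construct it per request.
 */
public class XssFilter {
    /** Parameter names of the form {@code _session.<attribute>}; see the request constructor. */
    private static final Pattern SESSION_PARAM = Pattern.compile("_session\\.(.*)");
    private static final Log log = LogFactory.getLog(XssFilter.class);

    private HttpServletRequest request = null;
    private HttpSession session = null;

    /** Creates a filter with no backing request; the getters then log and return {@code null}. */
    public XssFilter() {
    }

    /**
     * Wraps {@code request} and copies every parameter named
     * {@code _session.<name>} into the HTTP session as attribute {@code <name>},
     * with {@link #filter(String)} applied to the value.
     *
     * <p>The attribute name is taken from the client-supplied parameter name,
     * so any caller can create or overwrite a session attribute of any name
     * through such a parameter; code that reads session attributes must not
     * treat them as server-originated. The match uses {@code find()}, so the
     * {@code _session.} prefix may be preceded by other text, and the {@code .}
     * is a literal dot.
     *
     * @param request the request to wrap; if it is {@code null} the resulting
     *                NullPointerException is logged at debug level and no
     *                session attributes are set
     */
    public XssFilter(HttpServletRequest request) {
        this.request = request;
        try {
            this.session = request.getSession();
            // Enumeration<?> accepts both the raw (Servlet 2.x) and the
            // parameterised (Servlet 3.x) return type of getParameterNames().
            for (Enumeration<?> names = request.getParameterNames(); names.hasMoreElements();) {
                String name = (String) names.nextElement();
                Matcher matcher = SESSION_PARAM.matcher(name);
                if (matcher.find()) {
                    String realName = matcher.group(1);
                    if (session != null) {
                        session.setAttribute(realName, filter(request.getParameter(name)));
                    }
                }
            }
        } catch (NullPointerException ex) {
            // Best-effort: a missing request or session simply means nothing to copy.
            log.debug(ExceptionUtil.getStackTrace(ex));
        }
    }

    /**
     * Returns the named request parameter with {@link #filter(String)} applied.
     *
     * @param key parameter name
     * @return the filtered value, or {@code null} when the parameter is absent
     *         or the lookup fails (for example, no backing request)
     */
    public String getParameter(String key) {
        String value = null;
        try {
            value = this.request.getParameter(key);
        } catch (Exception e) {
            // Typically a null request from the no-arg constructor; value stays null.
            log.info("XssFilter.getParameter: Cannot get parameter for: " + key);
        }
        return filter(value);
    }

    /**
     * Returns all values of the named request parameter, each with
     * {@link #filter(String)} applied.
     *
     * @param key parameter name
     * @return a new array of filtered values, or {@code null} when the parameter
     *         is absent or the lookup fails (for example, no backing request)
     */
    public String[] getParameterValues(String key) {
        String[] values = null;
        try {
            String[] raw = this.request.getParameterValues(key);
            if (raw != null) {
                // Copy instead of filtering in place: the container may hand back
                // its own internal array, and altering it would change what other
                // readers of the same request see.
                values = new String[raw.length];
                for (int i = 0; i < raw.length; i++) {
                    values[i] = filter(raw[i]);
                }
            }
        } catch (Exception e) {
            log.info("XssFilter.getParameterValues: cannot get parameter for: " + key);
        }
        return values;
    }

    /**
     * Neutralises markup in {@code input} so it can be echoed into HTML.
     *
     * <p>Double and single quotes are rewritten to {@code %22} and {@code %27}
     * before the text is passed through {@link HTMLInputFilter}; any angle
     * brackets that survive are then rewritten to {@code %3C} and {@code %3E}.
     * Only those four characters are rewritten here (notably {@code &} and
     * {@code %} are not), so the result is a sanitised string rather than a
     * fully HTML- or URL-encoded one and is not meant to be decoded.
     *
     * @param input raw text, may be {@code null}
     * @return the filtered text, or {@code null} when {@code input} is {@code null}
     */
    public static String filter(String input) {
        if (input == null) {
            return null;
        }
        // Literal replacements; no regex semantics are needed for these characters.
        String quoted = input.replace("\"", "%22").replace("'", "%27");
        // A fresh HTMLInputFilter per call, as before; nothing here relies on it
        // being safe to share between threads.
        String clean = new HTMLInputFilter().filter(quoted);
        return clean.replace("<", "%3C").replace(">", "%3E");
    }
}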