1/*2 * Licensed to the Apache Software Foundation (ASF) under one3 * or more contributor license agreements. See the NOTICE file4 * distributed with this work for additional information5 * regarding copyright ownership. The ASF licenses this file6 * to you under the Apache License, Version 2.0 (the7 * "License"); you may not use this file except in compliance8 * with the License. You may obtain a copy of the License at9 *10 * http://www.apache.org/licenses/LICENSE-2.011 *12 * Unless required by applicable law or agreed to in writing, software13 * distributed under the License is distributed on an "AS IS" BASIS,14 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.15 * See the License for the specific language governing permissions and16 * limitations under the License.17 */1819package org.apache.hadoop.chukwa.util;
2021import javax.servlet.http.HttpServletRequest;
22import org.apache.commons.logging.Log;
23import org.apache.commons.logging.LogFactory;
2425import org.jsoup.Jsoup;
26import org.jsoup.safety.Whitelist;
27import org.owasp.esapi.ESAPI;
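/**
 * Wraps an {@link HttpServletRequest} and hands out its parameters with HTML
 * markup removed, intended for values that are echoed back into a page.
 * <p>
 * Every value goes through {@link #filter(String)}: it is first canonicalized
 * with ESAPI (so markup hidden behind entity or percent encoding is decoded
 * before it is stripped), NUL characters are dropped, and jsoup then removes
 * every tag. The result is HTML-escaped text for an HTML body context only;
 * it is not an encoding for attribute, JavaScript, URL or SQL contexts.
 * <p>
 * Lookups never throw: a failure while reading or cleansing a parameter is
 * logged and reported as {@code null}, the same as a missing parameter.
 */
public class XssFilter {
  private HttpServletRequest request = null;
  private static final Log LOG = LogFactory.getLog(XssFilter.class);

  /** Creates a filter with no request; every lookup then yields {@code null}. */
  public XssFilter() {
  }

  /**
   * Creates a filter over the given request.
   * @param request the request whose parameters are cleansed on access
   */
  public XssFilter(HttpServletRequest request) {
    this.request = request;
  }

  /**
   * Returns the cleansed value of a single-valued request parameter.
   * @param key parameter name
   * @return the filtered value, or {@code null} if the parameter is absent,
   *         no request was supplied, or the value could not be cleansed
   */
  public String getParameter(String key) {
    try {
      return filter(this.request.getParameter(key));
    } catch (Exception e) {
      // A null request surfaces here as an NPE; ESAPI canonicalization may
      // also reject suspicious encodings with an unchecked exception. Neither
      // should break the caller, but the cause belongs in the log.
      LOG.warn("XssFilter.getParameter: Cannot get parameter for: " + key, e);
      return null;
    }
  }

  /**
   * Returns the cleansed values of a multi-valued request parameter.
   * @param key parameter name
   * @return a new array holding the filtered values in request order, or
   *         {@code null} if the parameter is absent, no request was supplied,
   *         or the values could not be cleansed
   */
  public String[] getParameterValues(String key) {
    try {
      String[] raw = this.request.getParameterValues(key);
      if (raw == null) {
        return null; // absent parameter, not an error
      }
      // Copy instead of overwriting in place: the array may be shared with the
      // container's request state, and a partially filtered array must never
      // escape if filtering fails part-way through.
      String[] filtered = new String[raw.length];
      for (int i = 0; i < raw.length; i++) {
        filtered[i] = filter(raw[i]);
      }
      return filtered;
    } catch (Exception e) {
      LOG.warn("XssFilter.getParameterValues: cannot get parameter for: " + key, e);
      return null;
    }
  }

  /**
   * Strips any potential XSS threats out of the value.
   * <p>
   * The steps are order-sensitive: canonicalization must run before tag
   * stripping, otherwise an encoded {@code <} would survive the cleaner and
   * be decoded later.
   * @param value raw parameter value, may be {@code null}
   * @return the value with all HTML removed and remaining special characters
   *         entity-escaped, or {@code null} if {@code value} is {@code null}
   * @throws RuntimeException if ESAPI rejects the input's encoding (for
   *         example on multiple or mixed encoding, depending on the ESAPI
   *         configuration); the parameter accessors catch this and log it
   */
  public String filter(String value) {
    if (value == null) {
      return null;
    }
    // Decode entity/percent (including double) encoding first so hidden
    // markup is visible to the cleaner below.
    String canonical = ESAPI.encoder().canonicalize(value);
    // Drop NUL characters, which some downstream consumers may treat as a
    // string terminator.
    String withoutNul = canonical.replace("\0", "");
    // Remove every tag; jsoup returns the cleaned fragment serialised as
    // HTML, so the remaining special characters come back entity-escaped.
    return Jsoup.clean(withoutNul, Whitelist.none());
  }
}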