
1   /*
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements.  See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership.  The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License.  You may obtain a copy of the License at
9    *
10   *     http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing, software
13   * distributed under the License is distributed on an "AS IS" BASIS,
14   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15   * See the License for the specific language governing permissions and
16   * limitations under the License.
17   */
18  
19  package org.apache.hadoop.chukwa.util;
20  
21  import javax.servlet.http.HttpServletRequest;
22  import org.apache.commons.logging.Log;
23  import org.apache.commons.logging.LogFactory;
24  
25  import org.jsoup.Jsoup;
26  import org.jsoup.safety.Whitelist;
27  import org.owasp.esapi.ESAPI;
28  
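public class XssFilter {
    private HttpServletRequest request = null;
    private static final Log LOG = LogFactory.getLog(XssFilter.class);

    /**
     * Creates a filter with no request; the getParameter* methods will then
     * log and return null.
     */
    public XssFilter() {
    }

    /**
     * Wraps a request so that its parameter values are read through
     * {@link #filter(String)}.
     * @param request the servlet request whose parameters are to be sanitized
     */
    public XssFilter(HttpServletRequest request) {
      this.request = request;
    }

    /**
     * Returns the sanitized value of a single request parameter.
     * @param key parameter name
     * @return the filtered value, or null when the parameter is absent, no
     *         request was supplied, or filtering failed (the failure is logged)
     */
    public String getParameter(String key) {
      String value = null;
      try {
        value = filter(this.request.getParameter(key));
      } catch (Exception e) {
        // Keep the original best-effort contract (null on failure) but record the
        // cause: a value rejected during canonicalization would otherwise vanish
        // without any trace of why.
        LOG.info("XssFilter.getParameter: Cannot get parameter for: " + key, e);
      }
      return value;
    }

    /**
     * Returns the sanitized values of a multi-valued request parameter.
     * The array handed out by the container is left untouched; a new array
     * holding the filtered values is returned.
     * @param key parameter name
     * @return the filtered values, or null when the parameter is absent, no
     *         request was supplied, or filtering failed (the failure is logged)
     */
    public String[] getParameterValues(String key) {
      String[] filtered = null;
      try {
        String[] raw = this.request.getParameterValues(key);
        if (raw != null) {
          // Copy rather than writing back into the container's array: the servlet
          // API does not promise that array is private to this caller, so in-place
          // mutation could leak sanitized/unsanitized mixes to other readers.
          filtered = new String[raw.length];
          for (int i = 0; i < raw.length; i++) {
            filtered[i] = filter(raw[i]);
          }
        }
      } catch (Exception e) {
        LOG.info("XssFilter.getParameterValues: cannot get parameter for: " + key, e);
      }
      return filtered;
    }

    /**
     * Strips HTML/script content out of a parameter value.
     * <p>
     * The value is first canonicalized by ESAPI so that encoded forms of markup
     * are decoded before inspection, NUL characters are removed, and the result
     * is passed through jsoup with an empty whitelist, which drops every element
     * and returns only text. The output is HTML text (jsoup emits it escaped),
     * suitable for an HTML body context; it is NOT a general-purpose encoder.
     * Values that end up in a JavaScript, attribute, URL, SQL or filesystem sink
     * still need that sink's own encoding or parameterization.
     * <p>
     * Canonicalization decodes entity- and percent-encoded sequences even when
     * the user typed them literally (a value such as {@code %3C} is altered), and
     * depending on the deployed ESAPI configuration, mixed or multiple encodings
     * may be rejected with a runtime exception rather than decoded — confirm this
     * against the ESAPI.properties in use, since the callers above turn such an
     * exception into a null value.
     * @param value raw parameter value, may be null
     * @return sanitized, HTML-escaped text, or null if value is null
     */
    public String filter(String value) {
      if (value == null) {
        return null;
      }

      // Undo double/mixed encodings before looking at the value (ESAPI).
      value = ESAPI.encoder().canonicalize(value);

      // Strip NUL characters; plain replace() avoids the regex path of replaceAll().
      value = value.replace("\0", "");

      // Empty whitelist: remove every element, keep escaped text only.
      value = Jsoup.clean(value, Whitelist.none());

      return value;
    }
}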