Class XssRequestWrapper

java.lang.Object
jakarta.servlet.ServletRequestWrapper
jakarta.servlet.http.HttpServletRequestWrapper
org.broadleafcommerce.core.web.security.XssRequestWrapper
All Implemented Interfaces:
jakarta.servlet.http.HttpServletRequest, jakarta.servlet.ServletRequest

public class XssRequestWrapper extends jakarta.servlet.http.HttpServletRequestWrapper
  • Field Summary

    Fields
    Modifier and Type                                           Field                    Description
    protected boolean                                           customStripXssEnabled
    protected final org.springframework.core.env.Environment    environment
    protected Pattern                                           parameterPatter

    Fields inherited from interface jakarta.servlet.http.HttpServletRequest

    BASIC_AUTH, CLIENT_CERT_AUTH, DIGEST_AUTH, FORM_AUTH
  • Constructor Summary

    Constructors
    Constructor
    Description
    XssRequestWrapper(jakarta.servlet.http.HttpServletRequest servletRequest, org.springframework.core.env.Environment environment, String[] whiteListParamNames)
     
  • Method Summary

    Modifier and Type    Method                                                    Description
    protected boolean    checkWhitelist(String parameter)
    protected String     customStripXss(String value)
    String               getParameter(String parameter)
    String[]             getParameterValues(String parameter)
    protected String     stripXss(String value)
    protected String     stripXss(String value, String esapiInputType)            When customStripXssEnabled is false, it will run ESAPI's logic based on the esapiInputType.
    protected String     stripXssAsHTML(String value)
    protected String     stripXssWithESAPI(String value, String esapiInputType)

    Methods inherited from class jakarta.servlet.http.HttpServletRequestWrapper

    authenticate, changeSessionId, getAuthType, getContextPath, getCookies, getDateHeader, getHeader, getHeaderNames, getHeaders, getHttpServletMapping, getIntHeader, getMethod, getPart, getParts, getPathInfo, getPathTranslated, getQueryString, getRemoteUser, getRequestedSessionId, getRequestURI, getRequestURL, getServletPath, getSession, getSession, getTrailerFields, getUserPrincipal, isRequestedSessionIdFromCookie, isRequestedSessionIdFromURL, isRequestedSessionIdValid, isTrailerFieldsReady, isUserInRole, login, logout, newPushBuilder, upgrade

    Methods inherited from class jakarta.servlet.ServletRequestWrapper

    getAsyncContext, getAttribute, getAttributeNames, getCharacterEncoding, getContentLength, getContentLengthLong, getContentType, getDispatcherType, getInputStream, getLocalAddr, getLocale, getLocales, getLocalName, getLocalPort, getParameterMap, getParameterNames, getProtocol, getProtocolRequestId, getReader, getRemoteAddr, getRemoteHost, getRemotePort, getRequest, getRequestDispatcher, getRequestId, getScheme, getServerName, getServerPort, getServletConnection, getServletContext, isAsyncStarted, isAsyncSupported, isSecure, isWrapperFor, isWrapperFor, removeAttribute, setAttribute, setCharacterEncoding, setRequest, startAsync, startAsync

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

    Methods inherited from interface jakarta.servlet.ServletRequest

    getAsyncContext, getAttribute, getAttributeNames, getCharacterEncoding, getContentLength, getContentLengthLong, getContentType, getDispatcherType, getInputStream, getLocalAddr, getLocale, getLocales, getLocalName, getLocalPort, getParameterMap, getParameterNames, getProtocol, getProtocolRequestId, getReader, getRemoteAddr, getRemoteHost, getRemotePort, getRequestDispatcher, getRequestId, getScheme, getServerName, getServerPort, getServletConnection, getServletContext, isAsyncStarted, isAsyncSupported, isSecure, removeAttribute, setAttribute, setCharacterEncoding, startAsync, startAsync
  • Field Details

    • environment

      protected final org.springframework.core.env.Environment environment
    • parameterPatter

      protected Pattern parameterPatter
    • customStripXssEnabled

      @Value("${custom.strip.xss:false}") protected boolean customStripXssEnabled
  • Constructor Details

    • XssRequestWrapper

      public XssRequestWrapper(jakarta.servlet.http.HttpServletRequest servletRequest, org.springframework.core.env.Environment environment, String[] whiteListParamNames)
  • Method Details

    • getParameterValues

      public String[] getParameterValues(String parameter)
      Specified by:
      getParameterValues in interface jakarta.servlet.ServletRequest
      Overrides:
      getParameterValues in class jakarta.servlet.ServletRequestWrapper
    • checkWhitelist

      protected boolean checkWhitelist(String parameter)
    • getParameter

      public String getParameter(String parameter)
      Specified by:
      getParameter in interface jakarta.servlet.ServletRequest
      Overrides:
      getParameter in class jakarta.servlet.ServletRequestWrapper
    • stripXss

      protected String stripXss(String value)
    • stripXss

      protected String stripXss(String value, String esapiInputType)
      When customStripXssEnabled is false, it will run ESAPI's logic based on the esapiInputType. If esapiInputType is null or empty, it will run stripXssAsHTML(String).
      Parameters:
      value - the value to be stripped
      esapiInputType - the name of the ESAPI validation rule defined in the ESAPI validation configuration file.
    • customStripXss

      protected String customStripXss(String value)
    • stripXssWithESAPI

      protected String stripXssWithESAPI(String value, String esapiInputType)
    • stripXssAsHTML

      protected String stripXssAsHTML(String value)
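The class above only documents signatures, so the following is an added example (not Broadleaf Commerce's own code) of how the wrapper is applied in practice: a jakarta.servlet Filter that wraps every incoming HttpServletRequest in XssRequestWrapper, so that any downstream call to getParameter or getParameterValues receives stripped values. The filter class name, the package, the whitelisted parameter name and the reliance on Spring Boot registering Filter beans automatically are assumptions; the constructor signature, the whitelist semantics and the custom.strip.xss property come from the page.

```java
package com.example.security; // hypothetical package, not part of Broadleaf

import java.io.IOException;

import org.broadleafcommerce.core.web.security.XssRequestWrapper;
import org.springframework.core.env.Environment;
import org.springframework.stereotype.Component;

import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.HttpServletRequest;

/**
 * Wraps each HTTP request in XssRequestWrapper. Everything behind this filter
 * that reads request parameters gets the sanitized view; parameters named in
 * WHITELIST are passed through untouched (checkWhitelist short-circuits stripXss).
 */
@Component
public class XssFilter implements Filter {

    // Parameters that must reach the application unmodified. Keep this list as
    // short as possible: anything listed here bypasses stripXss entirely, so the
    // code that renders it must do its own output encoding. The name is constructed.
    private static final String[] WHITELIST = { "richTextBody" };

    // Environment is required by the wrapper's constructor; Spring injects it here.
    private final Environment environment;

    public XssFilter(Environment environment) {
        this.environment = environment;
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (request instanceof HttpServletRequest) {
            HttpServletRequest httpRequest = (HttpServletRequest) request;
            // With custom.strip.xss=false (the default per @Value on customStripXssEnabled)
            // values go through ESAPI validation; with custom.strip.xss=true they go
            // through customStripXss instead.
            chain.doFilter(new XssRequestWrapper(httpRequest, environment, WHITELIST), response);
        } else {
            // Non-HTTP requests carry no servlet parameters to strip; pass them on unchanged.
            chain.doFilter(request, response);
        }
    }
}
```

Note the scope of what the wrapper covers: only getParameter and getParameterValues are overridden. Headers, cookies, the request body read through getReader or getInputStream, and getParameterMap are inherited from the jakarta wrappers unchanged, so a filter like this does not sanitize input that arrives through those paths; those still need their own validation or output encoding.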