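package cpcns.common.filter;

import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/**
 * Request wrapper that strips a fixed denylist of script-like tokens from
 * parameter and header values before the application sees them.
 *
 * <p><b>Security note (review):</b> denylist sanitisation of <em>input</em> is a
 * defence-in-depth measure at best and must not be relied on to prevent XSS.
 * The list below is trivially bypassed (HTML-entity or URL encoding, an unquoted
 * {@code src=x}, any {@code on*} handler other than {@code onload}, attribute
 * breakouts, ...) and it silently mangles legitimate values that happen to
 * contain one of these substrings. The reliable control is context-aware
 * <em>output</em> encoding at the point where data is written into HTML, JS or
 * URL context (e.g. {@code <c:out>} / the OWASP Java Encoder), backed by a
 * Content-Security-Policy.
 *
 * <p>Coverage: {@code getParameter}, {@code getParameterValues},
 * {@code getParameterMap}, {@code getHeader} and {@code getHeaders}. Not
 * covered: {@code getQueryString()}, cookies, and the request body read via
 * {@code getInputStream()} / {@code getReader()} - JSON or XML payloads bypass
 * this wrapper entirely.
 *
 * <p>Changes from the original listing: the leading {@code replaceAll(" ", "")}
 * that deleted every space from every parameter and header value is removed
 * (it corrupted data such as "John Doe" and made the {@code [ ]*} in the src
 * rules dead); the {@code expression(} rule contained a soft hyphen (U+00AD)
 * and never matched; patterns are compiled once; the denylist is re-applied
 * until a fixed point so a token split by another token cannot survive a single
 * pass; {@code getParameterMap()} and {@code getHeaders()} - previously
 * unfiltered paths to the same data - are wrapped too.
 */
public class XSSHttpServletRequestWrapper extends HttpServletRequestWrapper {

    private static final int CI = Pattern.CASE_INSENSITIVE;
    private static final int CI_ML_DOTALL =
            Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL;

    /**
     * Denylist, applied in order on every pass.
     *
     * <p>NOTE(review): in the listing this was rebuilt from, three rules were
     * {@code Pattern.compile("", ...)} - an empty pattern only ever matches the
     * empty string, so those rules removed nothing. Their positions and flags
     * line up exactly with the {@code <script>} rules of the widely copied
     * snippet this class follows, and the tag text was most likely lost in
     * extraction; they are restored here and should be confirmed against the
     * original source.
     */
    private static final Pattern[] DENYLIST = {
        // anything between <script> ... </script>
        Pattern.compile("<script>(.*?)</script>", CI),
        // src="..." and src='...'; the listing carried the double-quoted form
        // twice, the second is made to cover single-quoted attribute values
        Pattern.compile("src\\s*=\\s*\"(.*?)\"", CI_ML_DOTALL),
        Pattern.compile("src\\s*=\\s*'(.*?)'", CI_ML_DOTALL),
        // lone closing / opening script tags
        Pattern.compile("</script>", CI),
        Pattern.compile("<script(.*?)>", CI_ML_DOTALL),
        // eval(...) and CSS expression(...)
        Pattern.compile("eval\\((.*?)\\)", CI_ML_DOTALL),
        Pattern.compile("expression\\((.*?)\\)", CI_ML_DOTALL),
        // javascript: / vbscript: URL schemes
        Pattern.compile("javascript:", CI),
        Pattern.compile("vbscript:", CI),
        // onload=... handler attribute (no other on* handler is covered)
        Pattern.compile("onload(.*?)=", CI_ML_DOTALL),
    };

    /**
     * Safety net for the fixed-point loop in {@link #cleanXSS}. Every pass that
     * changes the value strictly shortens it, so the loop terminates on its own;
     * the cap only bounds work on pathological input.
     */
    private static final int MAX_PASSES = 16;

    public XSSHttpServletRequestWrapper(HttpServletRequest request) {
        super(request);
    }

    /**
     * Returns a fresh array of the named parameter's values with the denylist
     * applied to each, or {@code null} when the parameter is absent.
     */
    @Override
    public String[] getParameterValues(String name) {
        String[] raw = super.getParameterValues(name);
        return raw == null ? null : cleanAll(raw);
    }

    /** Returns the filtered value of the named parameter, or {@code null} when absent. */
    @Override
    public String getParameter(String name) {
        String raw = super.getParameter(name);
        return raw == null ? null : cleanXSS(raw);
    }

    /**
     * Filtered view of the whole parameter map. Not overridden in the original,
     * which meant callers using {@code getParameterMap()} received the unfiltered
     * values that {@code getParameter()} was filtering.
     */
    @Override
    public Map<String, String[]> getParameterMap() {
        Map<String, String[]> raw = super.getParameterMap();
        if (raw == null) {
            return null;
        }
        Map<String, String[]> cleaned = new LinkedHashMap<String, String[]>();
        for (Map.Entry<String, String[]> entry : raw.entrySet()) {
            String[] values = entry.getValue();
            cleaned.put(entry.getKey(), values == null ? null : cleanAll(values));
        }
        return Collections.unmodifiableMap(cleaned);
    }

    /**
     * Request attributes are populated server-side (container, filters,
     * application code), not by the client, so they are passed through as-is.
     * The original override called the cleaner and discarded its result, i.e.
     * it already changed nothing; this keeps that observable behaviour without
     * the dead call.
     */
    @Override
    public Object getAttribute(String name) {
        return super.getAttribute(name);
    }

    /** Returns the filtered value of the named header, or {@code null} when absent. */
    @Override
    public String getHeader(String name) {
        String raw = super.getHeader(name);
        return raw == null ? null : cleanXSS(raw);
    }

    /**
     * Multi-valued companion of {@link #getHeader}; the original left this path
     * unfiltered. Some containers return {@code null} rather than an empty
     * enumeration for an absent header, so that case is passed through.
     */
    @Override
    public Enumeration<String> getHeaders(String name) {
        Enumeration<String> raw = super.getHeaders(name);
        if (raw == null) {
            return null;
        }
        List<String> cleaned = new ArrayList<String>();
        while (raw.hasMoreElements()) {
            cleaned.add(cleanXSS(raw.nextElement()));
        }
        return Collections.enumeration(cleaned);
    }

    /** Applies {@link #cleanXSS} element-wise into a new array; {@code null} elements stay {@code null}. */
    private static String[] cleanAll(String[] values) {
        String[] out = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            out[i] = values[i] == null ? null : cleanXSS(values[i]);
        }
        return out;
    }

    /**
     * Removes every denylisted token from {@code value}, re-scanning until a
     * pass changes nothing. A single pass is bypassable by nesting one token
     * inside another (removing {@code javascript:} from
     * {@code javajavascript:script:} leaves {@code javascript:}); the fixed-point
     * loop closes that gap for this list. Returns {@code null} for {@code null}.
     */
    private static String cleanXSS(String value) {
        if (value == null) {
            return null;
        }
        String before;
        int passes = 0;
        do {
            before = value;
            for (Pattern rule : DENYLIST) {
                value = rule.matcher(value).replaceAll("");
            }
        } while (!value.equals(before) && ++passes < MAX_PASSES);
        return value;
    }
}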