core/src/main/java/org/apache/hadoop/chukwa/util/XssFilter.java - chukwa - Git at Google

 /*
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
  * regarding copyright ownership.  The ASF licenses this file
  * to you under the Apache License, Version 2.0 (the
  * "License"); you may not use this file except in compliance
  * with the License.  You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */

 package org.apache.hadoop.chukwa.util;

 import javax.servlet.http.HttpServletRequest;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;

 import org.jsoup.Jsoup;
 import org.jsoup.safety.Whitelist;
 import org.owasp.esapi.ESAPI;

 public class XssFilter {
     private HttpServletRequest request = null;
     private static Log LOG = LogFactory.getLog(XssFilter.class);

     public XssFilter() {
     }

     public XssFilter(HttpServletRequest request) {
       // Return the cleansed request
       this.request = request;
     }

     public String getParameter(String key) {
       String value=null;
       try {
         value=filter(this.request.getParameter(key));
       } catch (Exception e) {
         LOG.info("XssFilter.getParameter: Cannot get parameter for: "+key);
       }
       return value;
     }

     public String[] getParameterValues(String key) {
       String[] values=null;
       try {
 	  values  = this.request.getParameterValues(key);
           int i = 0;
           for(String value : values) {
             values[i] = filter(value);
             i++;
           }
       } catch (Exception e) {
 	  LOG.info("XssFilter.getParameterValues: cannot get parameter for: "+key);
       }
       return values;
     }

     /**
      * Strips any potential XSS threats out of the value
      * @param value is a string
      * @return filtered string
      */
     public String filter( String value ) {
       if( value == null )
         return null;

       // Use the ESAPI library to avoid encoded attacks.
       value = ESAPI.encoder().canonicalize( value );

       // Avoid null characters
       value = value.replaceAll("\0", "");

       // Clean out HTML
       value = Jsoup.clean( value, Whitelist.none() );

       return value;
     }
 }
	/*
	* Licensed to the Apache Software Foundation (ASF) under one
	* or more contributor license agreements. See the NOTICE file
	* distributed with this work for additional information
	* regarding copyright ownership. The ASF licenses this file
	* to you under the Apache License, Version 2.0 (the
	* "License"); you may not use this file except in compliance
	* with the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/

	package org.apache.hadoop.chukwa.util;

	import javax.servlet.http.HttpServletRequest;
	import org.apache.commons.logging.Log;
	import org.apache.commons.logging.LogFactory;

	import org.jsoup.Jsoup;
	import org.jsoup.safety.Whitelist;
	import org.owasp.esapi.ESAPI;

	public class XssFilter {
	private HttpServletRequest request = null;
	private static Log LOG = LogFactory.getLog(XssFilter.class);

	public XssFilter() {
	}

	public XssFilter(HttpServletRequest request) {
	// Return the cleansed request
	this.request = request;
	}

	public String getParameter(String key) {
	String value=null;
	try {
	value=filter(this.request.getParameter(key));
	} catch (Exception e) {
	LOG.info("XssFilter.getParameter: Cannot get parameter for: "+key);
	}
	return value;
	}

	public String[] getParameterValues(String key) {
	String[] values=null;
	try {
	values = this.request.getParameterValues(key);
	int i = 0;
	for(String value : values) {
	values[i] = filter(value);
	i++;
	}
	} catch (Exception e) {
	LOG.info("XssFilter.getParameterValues: cannot get parameter for: "+key);
	}
	return values;
	}

	/**
	* Strips any potential XSS threats out of the value
	* @param value is a string
	* @return filtered string
	*/
	public String filter( String value ) {
	if( value == null )
	return null;

	// Use the ESAPI library to avoid encoded attacks.
	value = ESAPI.encoder().canonicalize( value );

	// Avoid null characters
	value = value.replaceAll("\0", "");

	// Clean out HTML
	value = Jsoup.clean( value, Whitelist.none() );

	return value;
	}
	}