Created
October 27, 2015 00:24
-
-
Save jlcrow/49abccbe74687b35ed72 to your computer and use it in GitHub Desktop.
Java XSS Filter
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package com.greatwebguy.filter; | |
| import java.io.IOException; | |
| import javax.servlet.Filter; | |
| import javax.servlet.FilterChain; | |
| import javax.servlet.FilterConfig; | |
| import javax.servlet.ServletException; | |
| import javax.servlet.ServletRequest; | |
| import javax.servlet.ServletResponse; | |
| import javax.servlet.http.HttpServletRequest; | |
| public class CrossScriptingFilter implements Filter { | |
| public void init(FilterConfig filterConfig) throws ServletException { | |
| this.filterConfig = filterConfig; | |
| } | |
| public void destroy() { | |
| this.filterConfig = null; | |
| } | |
| public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) | |
| throws IOException, ServletException { | |
| chain.doFilter(new RequestWrapper((HttpServletRequest) request), response); | |
| } | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package com.greatwebguy.filter; | |
| import javax.servlet.http.HttpServletRequest; | |
| import javax.servlet.http.HttpServletRequestWrapper; | |
| public final class RequestWrapper extends HttpServletRequestWrapper { | |
| public RequestWrapper(HttpServletRequest servletRequest) { | |
| super(servletRequest); | |
| } | |
| public String[] getParameterValues(String parameter) { | |
| String[] values = super.getParameterValues(parameter); | |
| if (values==null) { | |
| return null; | |
| } | |
| int count = values.length; | |
| String[] encodedValues = new String[count]; | |
| for (int i = 0; i < count; i++) { | |
| encodedValues[i] = cleanXSS(values[i]); | |
| } | |
| return encodedValues; | |
| } | |
| public String getParameter(String parameter) { | |
| String value = super.getParameter(parameter); | |
| if (value == null) { | |
| return null; | |
| } | |
| return cleanXSS(value); | |
| } | |
| public String getHeader(String name) { | |
| String value = super.getHeader(name); | |
| if (value == null) | |
| return null; | |
| return cleanXSS(value); | |
| } | |
| private String cleanXSS(String value) { | |
| //You'll need to remove the spaces from the html entities below | |
| value = value.replaceAll("<", "& lt;").replaceAll(">", "& gt;"); | |
| value = value.replaceAll("\\(", "& #40;").replaceAll("\\)", "& #41;"); | |
| value = value.replaceAll("'", "& #39;"); | |
| value = value.replaceAll("eval\\((.*)\\)", ""); | |
| value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\""); | |
| value = value.replaceAll("script", ""); | |
| return value; | |
| } | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <filter> | |
| <filter-name>XSS</filter-name> | |
| <display-name>XSS</display-name> | |
| <description></description> | |
| <filter-class>com.greatwebguy.filter.CrossScriptingFilter</filter-class> | |
| </filter> | |
| <filter-mapping> | |
| <filter-name>XSS</filter-name> | |
| <url-pattern>/*</url-pattern> | |
| </filter-mapping> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
FYI you don't need those spaces from RequestWrapper.java:44 to RequestWrapper.java:46, they'll still display as code (example).