HttpServletRequestDecoratorFilter.java

## HttpServletRequestDecoratorFilter.java
public class HttpServletRequestDecoratorFilter implements Filter {
  @Override
  public void init(FilterConfig filterConfig) throws ServletException {
    //do nothing
  }

  @Override
  public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {

    request = decorate(request);
    chain.doFilter(request, response);
  }

  private ServletRequest decorate(ServletRequest request) {
    try {
      HttpServletRequest req = (HttpServletRequest) request;
      return new XFFAwareReq(req);
    }
    catch (ClassCastException e) {
      // As we are not able to cast the request to an Http one, we just return the same object
      return request;
    }
  }

  @Override
  public void destroy() {
    // Do nothing
  }
}

## XFFAwareRequest.java
public class XFFAwareReq extends HttpServletRequestWrapper {

  public XFFAwareReq(HttpServletRequest request) {
    super(request);
  }

  @Override
  public String getRemoteAddr() {
    String xff = getXForwardedFor();
    return xff != null ? xff : super.getRemoteAddr();
  }

  public String getXForwardedFor() {
    String xff = getHeader("X-Forwarded-For");
    if (xff == null || "".equals(xff)) return null;
    return getIpFromXFF(xff);
  }

  protected static final String getIpFromXFF(String xff) {
   //extract and return the ip from the X-Forwarded-For header
  }
}

## XSSAwareReq.java
public class XSSAwareReq extends HttpServletRequestWrapper {

  protected XSSAwareReq(HttpServletRequest req) {
    super(req);
  }

  @Override
  public String getParameter(String name) {
    return super.getParameter(name)
      .replaceAll("<", "&lt;")
      .replaceAll(">", "&gt;")
      .replaceAll("\\(", "&#40;")
      .replaceAll("\\)", "&#41;")
      .replaceAll("'", "&#39;")
      .replaceAll("eval\\((.*)\\)", "")
      .replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\"")
      .replaceAll("script", "");
  }
}