34 package fr.paris.lutece.portal.web.xss;
36 import fr.paris.lutece.util.http.SecurityUtil;
38 import java.io.IOException;
40 import javax.servlet.Filter;
41 import javax.servlet.FilterChain;
42 import javax.servlet.FilterConfig;
43 import javax.servlet.ServletException;
44 import javax.servlet.ServletRequest;
45 import javax.servlet.ServletResponse;
46 import javax.servlet.http.HttpServletRequest;
47 import javax.servlet.http.HttpServletResponse;
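/**
 * Servlet filter that rejects requests whose parameters contain characters
 * listed as forbidden in the {@code xssCharacters} init parameter, and
 * redirects the client to a message page instead of letting the request
 * reach the application.
 *
 * <p>Configuration comes from two filter init parameters:
 * <ul>
 *   <li>{@code activateXssFilter} - {@code "true"} (case-insensitive) enables
 *       the check; any other value, or its absence, leaves the filter inactive.</li>
 *   <li>{@code xssCharacters} - the characters that must not appear in request
 *       parameters. The string's format and the actual scan are delegated to
 *       {@link SecurityUtil#containsCleanParameters}; this class inspects
 *       nothing beyond what that helper inspects.</li>
 * </ul>
 *
 * <p>The filter is fail-open: when it is not activated, or when
 * {@code xssCharacters} is missing or blank, every request passes through
 * unchecked. Deployments that rely on it should verify both parameters are
 * present in the filter configuration.
 *
 * <p>Subclasses supply {@link #getMessageUrl} to build the URL of the page
 * the user is sent to when a request is rejected.
 */
public abstract class SafeRequestFilter implements Filter
{
    /** Message-resource key used as the title of the rejection page. */
    private static final String PROPERTY_TITLE_REQUEST_PARAMETERS_CONTAINS_XSS_CHARACTERS = "portal.util.message.titleDefault";
    /** Message-resource key for the "request parameters contain forbidden characters" text. */
    private static final String PROPERTY_REQUEST_PARAMETERS_CONTAINS_XSS_CHARACTERS = "portal.util.message.requestParametersContainsXssCharacters";
    /** Init parameter holding the characters that must not appear in request parameters. */
    private static final String PARAM_FILTER_XSS_CHARATERS = "xssCharacters";
    /** Init parameter: "true" activates the check. */
    private static final String ACTIVATE_XSS_FILTER = "activateXssFilter";

    /** Configuration supplied by the container; cleared in {@link #destroy}. */
    private FilterConfig _filterConfig;
    /** Forbidden-character list exactly as configured, or {@code null} when not set. */
    private String _strXssCharacters;
    /**
     * True only when the filter is activated AND a non-blank character list is
     * configured. Computed once in {@link #init} so that {@link #doFilter} makes
     * a single decision per request instead of re-validating the configuration.
     */
    private boolean _bActivateXssFilter;

    /**
     * Reads the filter configuration and decides once whether the check is effective.
     *
     * @param config the filter configuration supplied by the container
     * @throws ServletException never thrown here; declared by {@link Filter#init}
     */
    @Override
    public void init( FilterConfig config ) throws ServletException
    {
        _filterConfig = config;
        _strXssCharacters = config.getInitParameter( PARAM_FILTER_XSS_CHARATERS );

        // Boolean.valueOf( null ) is false, so an absent parameter leaves the filter inactive,
        // exactly as a value other than "true" does.
        boolean bActivated = Boolean.valueOf( config.getInitParameter( ACTIVATE_XSS_FILTER ) );
        boolean bHasCharacters = ( _strXssCharacters != null ) && !_strXssCharacters.trim( ).isEmpty( );

        // An activated filter with no character list would check nothing; folding that
        // case into the flag keeps the per-request condition to one test.
        _bActivateXssFilter = bActivated && bHasCharacters;
    }

    /** Drops the configuration reference; there is nothing else to release. */
    @Override
    public void destroy( )
    {
        _filterConfig = null;
    }

    /**
     * Scans the request parameters and either redirects to the rejection page
     * or lets the request continue down the chain.
     *
     * @param request  the incoming request; must be an {@link HttpServletRequest}
     * @param response the response; must be an {@link HttpServletResponse}
     * @param chain    the remainder of the filter chain
     * @throws IOException      if the redirect or a downstream filter fails
     * @throws ServletException if a downstream filter fails
     */
    @Override
    public void doFilter( ServletRequest request, ServletResponse response, FilterChain chain )
        throws IOException, ServletException
    {
        // The cast is deliberately unguarded, as in the original: a non-HTTP request reaching
        // this filter is a deployment error and should fail loudly rather than be passed through.
        HttpServletRequest httpRequest = (HttpServletRequest) request;

        if ( _bActivateXssFilter && !SecurityUtil.containsCleanParameters( httpRequest, _strXssCharacters ) )
        {
            // Stop here: the offending parameters never reach the application. The redirect
            // target is built by the subclass, not taken from the request.
            HttpServletResponse httpResponse = (HttpServletResponse) response;
            httpResponse.sendRedirect( getMessageUrl( httpRequest, PROPERTY_REQUEST_PARAMETERS_CONTAINS_XSS_CHARACTERS, null,
                    PROPERTY_TITLE_REQUEST_PARAMETERS_CONTAINS_XSS_CHARACTERS ) );
            return;
        }

        chain.doFilter( request, response );
    }

    /**
     * Builds the URL the user is redirected to when a request is rejected.
     *
     * @param request       the rejected request
     * @param strMessageKey resource key of the message text
     * @param messageArgs   arguments for the message, or {@code null}
     * @param strTitleKey   resource key of the page title
     * @return the URL handed to {@link HttpServletResponse#sendRedirect}
     */
    protected abstract String getMessageUrl( HttpServletRequest request, String strMessageKey, Object[] messageArgs,
            String strTitleKey );
}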