34 package fr.paris.lutece.portal.web.xss;
36 import fr.paris.lutece.util.http.SecurityUtil;
38 import java.io.IOException;
39
40 import javax.servlet.Filter;
41 import javax.servlet.FilterChain;
42 import javax.servlet.FilterConfig;
43 import javax.servlet.ServletException;
44 import javax.servlet.ServletRequest;
45 import javax.servlet.ServletResponse;
46 import javax.servlet.http.HttpServletRequest;
47 import javax.servlet.http.HttpServletResponse;
/**
 * Servlet filter that rejects requests whose parameters contain characters
 * configured as dangerous (typically the characters used to inject script into a
 * page) and redirects them to an explanatory message page instead of letting
 * them reach the application.
 * <p>
 * Configuration comes from two filter init-params:
 * <ul>
 * <li>{@code activateXssFilter} - {@code "true"} enables the check; any other
 * value, or no value at all, leaves the filter inert.</li>
 * <li>{@code xssCharacters} - the characters to look for. If this is missing or
 * blank the filter is also inert, even when activated.</li>
 * </ul>
 * <p>
 * Security notes for maintainers and subclass authors:
 * <ul>
 * <li>The filter is fail-open: when it is disabled or misconfigured every request
 * passes through untouched and nothing is logged here, so a typo in an init-param
 * silently removes the protection. Check the effective configuration at deploy
 * time.</li>
 * <li>Only what {@link SecurityUtil#containsCleanParameters} inspects is checked
 * (request parameters). Whether headers, cookies, the request path or multipart
 * bodies are covered depends on that helper and is not visible in this class.</li>
 * <li>This is a character blacklist, not an XSS fix: output encoding in the
 * templates remains the primary defence against cross-site scripting.</li>
 * <li>The redirect target is whatever {@link #getMessageUrl} returns; an
 * implementation must not build it from unvalidated request data, or the filter
 * itself becomes an open redirect.</li>
 * <li>The request is cast to {@link HttpServletRequest} unconditionally, so the
 * filter must only be mapped to HTTP traffic.</li>
 * </ul>
 */
public abstract class SafeRequestFilter implements Filter
{
    /** Message key of the title shown on the rejection page. */
    private static final String PROPERTY_TITLE_REQUEST_PARAMETERS_CONTAINS_XSS_CHARACTERS = "portal.util.message.titleDefault";
    /** Message key of the text shown on the rejection page. */
    private static final String PROPERTY_REQUEST_PARAMETERS_CONTAINS_XSS_CHARACTERS = "portal.util.message.requestParametersContainsXssCharacters";
    /** Init-param holding the characters to reject. */
    private static final String PARAM_FILTER_XSS_CHARATERS = "xssCharacters";
    /** Init-param switching the check on ({@code "true"}) or off. */
    private static final String ACTIVATE_XSS_FILTER = "activateXssFilter";

    /** Characters to reject, exactly as configured (may be null or blank). */
    private String _strXssCharacters;
    /** Whether the check is switched on; stays false unless configured to "true". */
    private boolean _bActivateXssFilter;

    /**
     * Reads the two init-params described on the class.
     *
     * @param config the filter configuration supplied by the container
     * @throws ServletException never thrown here; declared by {@link Filter#init}
     */
    @Override
    public void init( FilterConfig config ) throws ServletException
    {
        _strXssCharacters = config.getInitParameter( PARAM_FILTER_XSS_CHARATERS );

        String strActivate = config.getInitParameter( ACTIVATE_XSS_FILTER );

        // An absent param leaves the default (false); any value other than "true" also means false.
        if ( strActivate != null )
        {
            _bActivateXssFilter = Boolean.parseBoolean( strActivate );
        }
    }

    /** Nothing to release: the filter holds only configuration strings. */
    @Override
    public void destroy( )
    {
        // no-op
    }

    /**
     * Blocks the request when the check is active and configured and
     * {@link SecurityUtil#containsCleanParameters} reports a configured character in
     * a request parameter; otherwise hands the request to the next filter. A blocked
     * request is answered with a redirect to the page described by
     * {@link #getMessageUrl} and never reaches the chain.
     *
     * @param request the incoming request; cast to {@link HttpServletRequest} before any check
     * @param response the response, used only for the redirect when the request is blocked
     * @param chain the remaining filter chain
     * @throws IOException propagated from the redirect or from the chain
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter( ServletRequest request, ServletResponse response, FilterChain chain ) throws IOException, ServletException
    {
        HttpServletRequest httpRequest = (HttpServletRequest) request;

        if ( mustReject( httpRequest ) )
        {
            HttpServletResponse httpResponse = (HttpServletResponse) response;
            String strMessageUrl = getMessageUrl( httpRequest, PROPERTY_REQUEST_PARAMETERS_CONTAINS_XSS_CHARACTERS, null,
                    PROPERTY_TITLE_REQUEST_PARAMETERS_CONTAINS_XSS_CHARACTERS );
            httpResponse.sendRedirect( strMessageUrl );
            return;
        }

        chain.doFilter( request, response );
    }

    /**
     * Decides whether the request is rejected.
     * <p>
     * The check is skipped entirely (request accepted) unless the filter is activated
     * AND a non-blank character list is configured; only then is
     * {@link SecurityUtil#containsCleanParameters} consulted. A missing or blank
     * {@code xssCharacters} init-param therefore silently disables the protection.
     *
     * @param httpRequest the request to inspect
     * @return true when the request must be blocked
     */
    private boolean mustReject( HttpServletRequest httpRequest )
    {
        if ( !isCheckConfigured( ) )
        {
            return false;
        }

        return !SecurityUtil.containsCleanParameters( httpRequest, _strXssCharacters );
    }

    /**
     * @return true when the filter is both activated and given a non-blank character list
     */
    private boolean isCheckConfigured( )
    {
        return _bActivateXssFilter && ( _strXssCharacters != null ) && !_strXssCharacters.trim( ).isEmpty( );
    }

    /**
     * Builds the URL of the message page a rejected request is redirected to.
     * <p>
     * The result is passed straight to {@link HttpServletResponse#sendRedirect}, so
     * implementations must not derive it from request-controlled values (headers,
     * parameters) without validation.
     *
     * @param request the rejected request
     * @param strMessageKey key of the message text to display
     * @param messageArgs arguments for the message; this class always passes null
     * @param strTitleKey key of the message title to display
     * @return the URL to redirect the client to
     */
    protected abstract String getMessageUrl( HttpServletRequest request, String strMessageKey, Object [ ] messageArgs, String strTitleKey );
}