All Downloads are FREE. Search and download functionalities are using the official Maven repository.

com.blade.security.web.xss.XssMiddleware Maven / Gradle / Ivy

There is a newer version: 2.0.15.RELEASE
Show newest version
package com.blade.security.web.xss;

import com.blade.kit.StringKit;
import com.blade.mvc.RouteContext;
import com.blade.mvc.hook.WebHook;
import com.blade.mvc.http.StringBody;
import com.blade.security.web.filter.HTMLFilter;
import lombok.NoArgsConstructor;

import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;

/**
 * @author biezhi
 * @date 2018/6/11
 */
@NoArgsConstructor
public class XssMiddleware implements WebHook {

    private final static HTMLFilter HTML_FILTER = new HTMLFilter();

    private XssOption xssOption = XssOption.builder().build();

    public XssMiddleware(XssOption xssOption) {
        this.xssOption = xssOption;
    }

    @Override
    public boolean before(RouteContext context) {
        if (xssOption.isExclusion(context.uri())) {
            return true;
        }

        this.filterHeaders(context.headers());
        this.filterParameters(context.parameters());

        if (context.contentType().toLowerCase().contains("json")) {
            String body = context.bodyToString();
            if (StringKit.isNotEmpty(body)) {
                String filterBody = stripXSS(body);
                context.body(new StringBody(filterBody));
            }
        }
        return true;
    }

    protected void filterHeaders(Map headers) {
        headers.forEach((key, value) -> headers.put(key, this.stripXSS(value)));
    }

    protected void filterParameters(Map> parameters) {
        Set>> entries = parameters.entrySet();

        for (Map.Entry> entry: entries) {
            List snzValues = entry.getValue().stream().map(this::stripXSS).collect(Collectors.toList());
            parameters.remove(entry.getKey());
            parameters.put(entry.getKey(), snzValues);
        }
    }

    /**
     * Removes all the potentially malicious characters from a string
     *
     * @param value the raw string
     * @return the sanitized string
     */
    protected String stripXSS(String value) {
        return HTML_FILTER.filter(value);
    }

}




© 2015 - 2024 Weber Informatics LLC | Privacy Policy