1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
|
/*
* ============LICENSE_START==========================================
* ONAP Portal SDK
* ===================================================================
* Copyright © 2017 AT&T Intellectual Property. All rights reserved.
* ===================================================================
*
* Unless otherwise specified, all software contained herein is licensed
* under the Apache License, Version 2.0 (the "License");
* you may not use this software except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Unless otherwise specified, all documentation contained herein is licensed
* under the Creative Commons License, Attribution 4.0 Intl. (the "License");
* you may not use this documentation except in compliance with the License.
* You may obtain a copy of the License at
*
* https://creativecommons.org/licenses/by/4.0/
*
* Unless required by applicable law or agreed to in writing, documentation
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* ============LICENSE_END============================================
*
* ECOMP is a trademark and service mark of AT&T Intellectual Property.
*/
package org.onap.portalsdk.analytics.util;
/**
*
* @author Sundar
* This class is used to filter javascript tags to avoid XSS attacks.
*/
public class XSSFilter {
// private static String[] filterChars = { "<", ">", "<", ">", "\"", "\\", "0x" };
// private static String[] replacementChars = { " ", " ", " ", " ", "'", "/", "0 x" };
/* public static synchronized String filterRequest(String param) {
String value = param;
if (param != null) {
for (int i = 0; i < filterChars.length; i++) {
value = filterCharacters(filterChars[i], replacementChars[i],
value);
}
}
return value;
}
*/
public static synchronized String filterRequestOnlyScript(String param) {
String value = "";
value = nvl(param);
value = value.replaceAll("<[\\s]*[sS][\\s]*[cC][\\s]*[rR][\\s]*[iI][\\s]*[pP][\\s]*[tT][\\s]*>", "");
value = value.replaceAll("</[\\s]*[sS][\\s]*[cC][\\s]*[rR][\\s]*[iI][\\s]*[pP][\\s]*[tT][\\s]*>", "");
value = value.replaceAll("[\\s]*[jJ][\\s]*[aA][\\s]*[vV][\\s]*[aA][\\s]*[sS][\\s]*[cC][\\s]*[rR][\\s]*[iI][\\s]*[pP][\\s]*[tT][\\s]*", "");
return value;
}
public static synchronized String filterRequest (String param) {
String value = "";
value = nvl(param);
value = value.replaceAll("<[\\s]*[sS][\\s]*[cC][\\s]*[rR][\\s]*[iI][\\s]*[pP][\\s]*[tT][\\s]*>", "");
value = value.replaceAll("</[\\s]*[sS][\\s]*[cC][\\s]*[rR][\\s]*[iI][\\s]*[pP][\\s]*[tT][\\s]*>", "");
value = value.replaceAll("[\\s]*[jJ][\\s]*[aA][\\s]*[vV][\\s]*[aA][\\s]*[sS][\\s]*[cC][\\s]*[rR][\\s]*[iI][\\s]*[pP][\\s]*[tT][\\s]*", "");
value = value.replaceAll("[\\s]*<", "");
value = value.replaceAll("[\\s]*>", "");
return value;
}
// private static synchronized String filterCharacters(String originalChar, String newChar,
// String param) {
// StringBuffer sb = new StringBuffer(param);
//
// for (int position = param.toLowerCase().indexOf(originalChar); position >= 0;) {
// sb.replace(position, position + originalChar.length(), newChar);
// param = sb.toString();
// position = param.toLowerCase().indexOf(originalChar);
// }
//
// return sb.toString();
// }
public static void main (String args[]) {
String value = XSSFilter.filterRequest("<s\nC\nr\nI\np\nT\n>\na\nl\ne\nr\nt\n('sundar');</SCRIPT>javascript:alert('Sundar');");
int i = Integer.parseInt("8989");
System.out.println(value);
}
private static String nvl(String s) {
return (s == null) ? "" : s;
}
}
|