javawebparts.filter
Class CrossSiteScriptingFilter

java.lang.Object
  |
  +--javawebparts.filter.CrossSiteScriptingFilter
All Implemented Interfaces:
javax.servlet.Filter

public class CrossSiteScriptingFilter
extends java.lang.Object
implements javax.servlet.Filter

This filter checks all incoming request parameters, as well as all attributes if desired, for any characters usually associated with cross-site scripting exploits. It allows for including or excluding paths from filter functionality. It also allows a custom regex expression in case the application might legitimately want to allow certain characters.

Init parameters are:


Example configuration in web.xml:

<filter>
  <filter-name>CrossSiteScriptingFilter< /filter-name>
  <filter-class>javawebparts.filter. CrossSiteScriptingFilter</filter-class>
  <init-param>
    <param-name>forwardTo</param-name>
    <param-value>/CSSReject.jsp</param-value>   </init-param>
</filter>

<filter-mapping>
  <filter-name>CrossSiteScriptingFilter< /filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

Author:
Frank W. Zammetti.

Field Summary
private  boolean checkAttributes
          Determines whether String attributes are checked or not.
private  java.util.regex.Pattern cssRegex
          The regular expression to use to check parameter and String attributes.
private  java.lang.String forwardTo
          A path to forward to when access is denied.
private static org.apache.commons.logging.Log log
          Log instance.
private  java.util.ArrayList pathList
          List of paths for filter functionality determination.
private  java.lang.String pathSpec
          Whether pathList includes or excludes.
private  java.lang.String redirectTo
          A path to redirect to when access is denied.
 
Constructor Summary
CrossSiteScriptingFilter()
           
 
Method Summary
 void destroy()
          Destroy.
 void doFilter(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain filterChain)
          Do filter's work.
 void init(javax.servlet.FilterConfig filterConfig)
          Initialize this filter.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

log

private static org.apache.commons.logging.Log log
Log instance.


pathSpec

private java.lang.String pathSpec
Whether pathList includes or excludes.


pathList

private java.util.ArrayList pathList
List of paths for filter functionality determination.


cssRegex

private java.util.regex.Pattern cssRegex
The regular expression to use to check parameter and String attributes.


redirectTo

private java.lang.String redirectTo
A path to redirect to when access is denied.


forwardTo

private java.lang.String forwardTo
A path to forward to when access is denied.


checkAttributes

private boolean checkAttributes
Determines whether String attributes are checked or not.

Constructor Detail

CrossSiteScriptingFilter

public CrossSiteScriptingFilter()
Method Detail

destroy

public void destroy()
Destroy.

Specified by:
destroy in interface javax.servlet.Filter

init

public void init(javax.servlet.FilterConfig filterConfig)
          throws javax.servlet.ServletException
Initialize this filter.

Specified by:
init in interface javax.servlet.Filter
Parameters:
filterConfig - The configuration information for this filter.
Throws:
javax.servlet.ServletException - ServletException.

doFilter

public void doFilter(javax.servlet.ServletRequest request,
                     javax.servlet.ServletResponse response,
                     javax.servlet.FilterChain filterChain)
              throws javax.servlet.ServletException,
                     java.io.IOException
Do filter's work.

Specified by:
doFilter in interface javax.servlet.Filter
Parameters:
request - The current request object.
response - The current response object.
filterChain - The current filter chain.
Throws:
javax.servlet.ServletException - ServletException.
java.io.IOException - IOException.


Copyright 2005 Frank W. Zammetti