javawebparts.filter
Class CrossSiteScriptingFilter

java.lang.Object
  |
  +--javawebparts.filter.CrossSiteScriptingFilter

All Implemented Interfaces:

javax.servlet.Filter

public class CrossSiteScriptingFilter

extends java.lang.Object

implements javax.servlet.Filter

This filter checks all incoming request parameters, as well as all attributes if desired, for any characters usually associated with cross-site scripting exploits. It allows for including or excluding paths from filter functionality. It also allows a custom regex expression in case the application might legitimately want to allow certain characters.

Init parameters are:

• pathSpec - Either "include" or "exclude". This determines whether the list of paths in the pathList parameter is a list of paths to include in filter functionality, or a list of paths to exclude. Required: No. Default: None.



• pathList - This is a comma-separated list of paths, which can use asterisk for wildcard support, that denotes either paths to include or exclude from the functioning of this filter (depending on what pathSpec is set to). The paths ARE case-senitive! There is no limit to how many items can be specified, although for performance reasons a developer will probably want to specify as few as possible to get the job done (each requested path is matched via regex). Note also that you are of course still required to specify a path for the filter itself as per the servlet spec. This parameter however, together with pathSpec, gives you more control and flexibility than that setting alone. Required: No. Default: None.
  
  General note on pathSpec and pathList: If pathSpec is not specified but pathList IS, then 'exclude' is assumed for pathSpec. If pathSpec is specified by pathList IS NOT, then the filter WILL NEVER EXECUTE (this is technically a misconfiguration). If NEITHER is defined then the generic filter mapping will be in effect only.



• cssRegex - This is the regular expression that will be used to check parameter and String attribute values. The default string is [<>%()] which will effectively disallow any parameter or String attribute value with the characters <, >, %, (, or ) in them. Required: No. Default: [<>%()]



• checkAttributes - Either 'true' or 'false'. When true, attributes are checked as well IF they are Strings. Attributes that do not pass an instanceof String test will NOT be checked. Required: No. Default: false.



• redirectTo - The URL to redirect to if an illegal character is found in any value. You can either redirect to this URL or forward to it, but not both. Required: Yes (either this or forwardTo). Default: None.



• forwardTo - The URL to forward to if an illegal character is found in any value. You can either redirect to this URL or forward to it, but not both. Required: Yes (either this or redirectTo). Default: None.

Example configuration in web.xml:

<filter>
<filter-name>CrossSiteScriptingFilter< /filter-name>
<filter-class>javawebparts.filter. CrossSiteScriptingFilter</filter-class>
<init-param>
<param-name>forwardTo</param-name>
<param-value>/CSSReject.jsp</param-value> </init-param>
</filter>

<filter-mapping>
<filter-name>CrossSiteScriptingFilter< /filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>

Author:

Frank W. Zammetti.

Field Summary

private boolean	checkAttributes Determines whether String attributes are checked or not.
private java.util.regex.Pattern	cssRegex The regular expression to use to check parameter and String attributes.
private java.lang.String	forwardTo A path to forward to when access is denied.
private static org.apache.commons.logging.Log	log Log instance.
private java.util.ArrayList	pathList List of paths for filter functionality determination.
private java.lang.String	pathSpec Whether pathList includes or excludes.
private java.lang.String	redirectTo A path to redirect to when access is denied.

Constructor Summary

CrossSiteScriptingFilter()

Method Summary

void	destroy() Destroy.
void	doFilter(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain filterChain) Do filter's work.
void	init(javax.servlet.FilterConfig filterConfig) Initialize this filter.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

log

private static org.apache.commons.logging.Log log

Log instance.

pathSpec

private java.lang.String pathSpec

Whether pathList includes or excludes.

pathList

private java.util.ArrayList pathList

List of paths for filter functionality determination.

cssRegex

private java.util.regex.Pattern cssRegex

The regular expression to use to check parameter and String attributes.

redirectTo

private java.lang.String redirectTo

A path to redirect to when access is denied.

forwardTo

private java.lang.String forwardTo

A path to forward to when access is denied.

checkAttributes

private boolean checkAttributes

Determines whether String attributes are checked or not.

Constructor Detail

CrossSiteScriptingFilter

public CrossSiteScriptingFilter()

Method Detail

destroy

public void destroy()

Destroy.

Specified by:

destroy in interface javax.servlet.Filter

init

public void init(javax.servlet.FilterConfig filterConfig)
          throws javax.servlet.ServletException

Initialize this filter.

Specified by:

init in interface javax.servlet.Filter

Parameters:

filterConfig - The configuration information for this filter.

Throws:

javax.servlet.ServletException - ServletException.

doFilter

public void doFilter(javax.servlet.ServletRequest request,
                     javax.servlet.ServletResponse response,
                     javax.servlet.FilterChain filterChain)
              throws javax.servlet.ServletException,
                     java.io.IOException

Do filter's work.

Specified by:

doFilter in interface javax.servlet.Filter

Parameters:

request - The current request object.

response - The current response object.

filterChain - The current filter chain.

Throws:

javax.servlet.ServletException - ServletException.

java.io.IOException - IOException.