public class XssRequestWrapper
extends javax.servlet.http.HttpServletRequestWrapper
| Modifier and Type | Field and Description |
|---|---|
| protected boolean | customStripXssEnabled |
| protected org.springframework.core.env.Environment | environment |
| Constructor and Description |
|---|
| XssRequestWrapper(javax.servlet.http.HttpServletRequest servletRequest, org.springframework.core.env.Environment environment, String[] whiteListParamNames) |
| Modifier and Type | Method and Description |
|---|---|
| protected boolean | checkWhitelist(String parameter) |
| protected String | customStripXss(String value) |
| String | getParameter(String parameter) |
| String[] | getParameterValues(String parameter) |
| protected String | stripXss(String value) |
| protected String | stripXss(String value, String esapiInputType) When customStripXssEnabled is false, it will run ESAPI's logic based on the esapiInputType. |
| protected String | stripXssAsHTML(String value) |
| protected String | stripXssWithESAPI(String value, String esapiInputType) |
Methods inherited from class javax.servlet.http.HttpServletRequestWrapper:
authenticate, changeSessionId, getAuthType, getContextPath, getCookies, getDateHeader, getHeader, getHeaderNames, getHeaders, getHttpServletMapping, getIntHeader, getMethod, getPart, getParts, getPathInfo, getPathTranslated, getQueryString, getRemoteUser, getRequestedSessionId, getRequestURI, getRequestURL, getServletPath, getSession, getSession, getTrailerFields, getUserPrincipal, isRequestedSessionIdFromCookie, isRequestedSessionIdFromUrl, isRequestedSessionIdFromURL, isRequestedSessionIdValid, isTrailerFieldsReady, isUserInRole, login, logout, newPushBuilder, upgrade

Methods inherited from class javax.servlet.ServletRequestWrapper:
getAsyncContext, getAttribute, getAttributeNames, getCharacterEncoding, getContentLength, getContentLengthLong, getContentType, getDispatcherType, getInputStream, getLocalAddr, getLocale, getLocales, getLocalName, getLocalPort, getParameterMap, getParameterNames, getProtocol, getReader, getRealPath, getRemoteAddr, getRemoteHost, getRemotePort, getRequest, getRequestDispatcher, getScheme, getServerName, getServerPort, getServletContext, isAsyncStarted, isAsyncSupported, isSecure, isWrapperFor, isWrapperFor, removeAttribute, setAttribute, setCharacterEncoding, setRequest, startAsync, startAsync

Methods inherited from class java.lang.Object:
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface javax.servlet.ServletRequest:
getAsyncContext, getAttribute, getAttributeNames, getCharacterEncoding, getContentLength, getContentLengthLong, getContentType, getDispatcherType, getInputStream, getLocalAddr, getLocale, getLocales, getLocalName, getLocalPort, getParameterMap, getParameterNames, getProtocol, getReader, getRealPath, getRemoteAddr, getRemoteHost, getRemotePort, getRequestDispatcher, getScheme, getServerName, getServerPort, getServletContext, isAsyncStarted, isAsyncSupported, isSecure, removeAttribute, setAttribute, setCharacterEncoding, startAsync, startAsync

protected final org.springframework.core.env.Environment environment
@Value(value="${custom.strip.xss:false}")
protected boolean customStripXssEnabled
public XssRequestWrapper(javax.servlet.http.HttpServletRequest servletRequest,
org.springframework.core.env.Environment environment,
String[] whiteListParamNames)
public String[] getParameterValues(String parameter)
Specified by: getParameterValues in interface javax.servlet.ServletRequest
Overrides: getParameterValues in class javax.servlet.ServletRequestWrapper

protected boolean checkWhitelist(String parameter)

public String getParameter(String parameter)
Specified by: getParameter in interface javax.servlet.ServletRequest
Overrides: getParameter in class javax.servlet.ServletRequestWrapper

protected String stripXss(String value, String esapiInputType)
When customStripXssEnabled is false, it will run ESAPI's logic based on the esapiInputType. If esapiInputType is null or empty, it will run stripXssAsHTML(String).
Parameters:
value - value to be stripped
esapiInputType - The name of the ESAPI validation rule defined in ESAPI validation configuration file.

Copyright © 2022. All rights reserved.