XSS filter for forms enctype = "multipart / form-data"

Question

XSS filter for forms enctype = "multipart / form-data"

I found the following code that prevents xss attacks. But this is a problem. It works great with forms enctype="application/x-www-form-urlencoded", but not with forms enctype="multipart/form-data". I noticed that getParameterValues()other methods are not being called.

// --- XSS Filter --- //

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

/**
 * Servlet Filter implementation class XSSFilter
 */
public class XSSFilter implements Filter {

@SuppressWarnings("unused")
private FilterConfig filterConfig;

/**
 * Default constructor. 
 */
public XSSFilter() {

}

public void init(FilterConfig filterConfig) throws ServletException {
    this.filterConfig = filterConfig;        
}

public void destroy() {
    this.filterConfig = null;
}

public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
    throws IOException, ServletException {      
    chain.doFilter(new RequestWrapperXSS((HttpServletRequest) request), response);
}

}

// --- RequestWrapperXSS --- //

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

public final class RequestWrapperXSS extends HttpServletRequestWrapper {
public RequestWrapperXSS(HttpServletRequest servletRequest) {       
    super(servletRequest);
}

public String[] getParameterValues(String parameter) {
    System.out.println("entra parameterValues");
    String[] values = super.getParameterValues(parameter);
    if (values == null) {
        return null;
    }
    int count = values.length;
    String[] encodedValues = new String[count];
    for (int i = 0; i < count; i++) {
        encodedValues[i] = cleanXSS(values[i]);
    }
    return encodedValues;
}

public String getParameter(String parameter) {
    System.out.println("entra getParameter");
    String value = super.getParameter(parameter);
    if (value == null) {
        return null;
    }
    return cleanXSS(value);
}

public String getHeader(String name) {
    System.out.println("entra header");
    String value = super.getHeader(name);
    if (value == null)
        return null;
    return cleanXSS(value);
}

private String cleanXSS(String cadena) {
    System.out.println("entra claean XSS");
     StringBuffer sb = new StringBuffer(cadena.length());
        // true if last char was blank
        boolean lastWasBlankChar = false;
        int len = cadena.length();
        char c;

        for (int i = 0; i < len; i++)
            {
            c = cadena.charAt(i);
            if (c == ' ') {
                // blank gets extra work,
                // this solves the problem you get if you replace all
                // blanks with &nbsp;, if you do that you loss 
                // word breaking
                if (lastWasBlankChar) {
                    lastWasBlankChar = false;
                    sb.append("&nbsp;");
                    }
                else {
                    lastWasBlankChar = true;
                    sb.append(' ');
                    }
                }
            else {
                lastWasBlankChar = false;
                //
                // HTML Special Chars
                if (c == '"')
                    sb.append("&quot;");
                else if (c == '&')
                    sb.append("&amp;");
                else if (c == '<')
                    sb.append("&lt;");
                else if (c == '>')
                    sb.append("&gt;");
                else if (c == '\n')
                    // Handle Newline
                    sb.append("&lt;br/&gt;");
                else {
                    int ci = 0xffff & c;
                    if (ci < 160 )
                        // nothing special only 7 Bit
                        sb.append(c);
                    else {
                        // Not 7 Bit use the unicode system
                        sb.append("&#");
                        sb.append(new Integer(ci).toString());
                        sb.append(';');
                        }
                    }
                }
            }
        return sb.toString();


}
}

+3

multipartform-data xss servlet-filters

jesusmmago Jan 31 '12 at 13:30

source share

2 answers

, , getParts c: out

0

user3513693 15 '19 11:32

BalusC · Accepted Answer · 2012-01-31T13:39:12+0000

In the case of requests, the multipart/form-datadata is available to getPart()both getParts(), and not getParameter(), getParameterValues()and the spouse.

, Servlet 3.0 API multipart/form-data. defacto API - Apache Commons FileUpload.

, IMO - XSS. XSS , , . , "" XSS. , , , , JSTL <c:out> fn:escapeXml() , MVC (, JSF, , ).

.

XSS - JSP/Servlet

XSS filter for forms enctype = "multipart / form-data"

.

More articles: