/*-
* ============LICENSE_START==========================================
* ONAP Portal
* ===================================================================
* Copyright © 2017 AT&T Intellectual Property. All rights reserved.
* ===================================================================
*
* Unless otherwise specified, all software contained herein is licensed
* under the Apache License, Version 2.0 (the "License");
* you may not use this software except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Unless otherwise specified, all documentation contained herein is licensed
* under the Creative Commons License, Attribution 4.0 Intl. (the "License");
* you may not use this documentation except in compliance with the License.
* You may obtain a copy of the License at
*
* https://creativecommons.org/licenses/by/4.0/
*
* Unless required by applicable law or agreed to in writing, documentation
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* ============LICENSE_END============================================
*
*
*/
package org.onap.portalapp.filter;
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.locks.Lock;
import java.util.concurrent.locks.ReentrantLock;
import java.util.regex.Pattern;
import org.apache.commons.lang.NotImplementedException;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.lang3.StringEscapeUtils;
import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
import org.onap.portalsdk.core.util.SystemProperties;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.codecs.Codec;
import org.owasp.esapi.codecs.MySQLCodec;
import org.owasp.esapi.codecs.OracleCodec;
import org.owasp.esapi.codecs.MySQLCodec.Mode;
public class SecurityXssValidator {
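/** Delegating logger for this class. */
private EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(SecurityXssValidator.class);
/*
 * Database-type identifiers. NOTE(review): none of them is referenced in the visible
 * part of the class; presumably they are compared against a configured DB type (via
 * SystemProperties) to choose between MySQLCodec and OracleCodec - confirm.
 */
private static final String MYSQL_DB = "mysql";
private static final String ORACLE_DB = "oracle";
private static final String MARIA_DB = "mariadb";
/**
 * Regex flags applied to every pattern added to {@code XSS_INPUT_PATTERNS} by the
 * constructor. {@code DOTALL} matters for the purpose of these patterns: it lets
 * {@code .*} span line breaks, so a multi-line payload is not missed.
 *
 * <p>NOTE(review): several constructor entries are compiled from an empty string or
 * from {@code ".*().*"}, both of which match every input. That looks like markup
 * that was lost from the source (the surrounding comments mention script tags and
 * iframes) and should be verified against the upstream file.
 */
private static final int FLAGS = Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL;
/**
 * Lazily created singleton, see {@link #getInstance()}.
 *
 * <p>Declared {@code volatile} so that the unsynchronized read in
 * {@code getInstance()} is safe under the Java memory model: double-checked locking
 * on a non-volatile field may hand another thread a reference to a partially
 * constructed instance. Left package-private to preserve existing accessibility.
 */
static volatile SecurityXssValidator validator;
/**
 * Cached ESAPI codec. NOTE(review): assigned outside the visible part of the class;
 * if it is lazily initialised the same way as {@code validator}, it needs the same
 * publication guarantee (volatile or lock-protected reads) - confirm.
 */
private static Codec instance;
/** Guards one-time creation of {@code validator} in {@link #getInstance()}. */
private static final Lock lock = new ReentrantLock();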
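/**
 * Returns the process-wide {@code SecurityXssValidator}, creating it on first use.
 *
 * <p>Every call takes {@code lock} before reading {@code validator}, so the
 * instance is safely published regardless of whether the field is declared
 * {@code volatile}. The previous unsynchronized first read was a double-checked
 * locking pattern, which the Java memory model does not make safe on a plain
 * field; an uncontended {@link ReentrantLock} acquisition is cheap enough that
 * the fast path is not worth the race.
 *
 * @return the shared validator instance, never {@code null}
 */
public static SecurityXssValidator getInstance() {
    lock.lock();
    try {
        if (validator == null) {
            validator = new SecurityXssValidator();
        }
        return validator;
    } finally {
        lock.unlock();
    }
}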
private SecurityXssValidator() {
// Avoid anything between script tags
XSS_INPUT_PATTERNS.add(Pattern.compile("", FLAGS));
// avoid iframes
XSS_INPUT_PATTERNS.add(Pattern.compile("", FLAGS));
// Avoid anything in a src='...' type of expression
XSS_INPUT_PATTERNS.add(Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", FLAGS));
XSS_INPUT_PATTERNS.add(Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", FLAGS));
XSS_INPUT_PATTERNS.add(Pattern.compile("src[\r\n]*=[\r\n]*([^>]+)", FLAGS));
// Remove any lonesome tag
XSS_INPUT_PATTERNS.add(Pattern.compile("", FLAGS));
XSS_INPUT_PATTERNS.add(Pattern.compile(".*().*", FLAGS));
XSS_INPUT_PATTERNS.add(Pattern.compile(".*().*", FLAGS));
// Remove any lonesome