import org.owasp.esapi.ESAPI;
import org.owasp.esapi.codecs.Codec;
import org.owasp.esapi.codecs.MySQLCodec;
-import org.owasp.esapi.codecs.MySQLCodec.Mode;
import org.owasp.esapi.codecs.OracleCodec;
+import org.owasp.esapi.codecs.MySQLCodec.Mode;
public class SecurityXssValidator {
Boolean flag = Boolean.FALSE;
try {
if (StringUtils.isNotBlank(value)) {
+ if (value.contains("×eclgn"))
+ {
+ logger.info(EELFLoggerDelegate.applicationLogger, "denyXSS() replacing ×eclgn with empty string for request value : " + value);
+ value=value.replaceAll("×eclgn", "");
+ }
+ while(value.contains("%25")) {
+ value = value.replaceAll("%25", "%");
+ }
value = ESAPI.encoder().canonicalize(value);
for (Pattern xssInputPattern : XSS_INPUT_PATTERNS) {
if (xssInputPattern.matcher(value).matches()) {
flag = Boolean.TRUE;
break;
}
-
}
}
} catch (Exception e) {
- logger.error(EELFLoggerDelegate.errorLogger, "denyXSS() failed", e);
+ logger.error(EELFLoggerDelegate.errorLogger, "denyXSS() failed for request with value : " + e.getMessage());
+ logger.debug(EELFLoggerDelegate.debugLogger, "denyXSS() failed for request with value : " + value, e);
}
return flag;
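Review bot: The catch block at the end of the hunk still fails open: any exception thrown before the pattern loop completes — including the IntrusionException that ESAPI's canonicalize() can raise by default on multiple or mixed encoding — leaves `flag` at FALSE, so the value is reported as clean, and this commit only reworks the logging there. The new `%25` collapsing loop removes one trigger for that exception but presumably not the others (mixed encodings, nested entity forms), so the safer default is to treat a failed validation as a hit, e.g. make `flag = Boolean.TRUE; // fail closed: canonicalize() may throw IntrusionException on multiple/mixed encoding` the first statement of the catch block. The added info and debug lines also write the raw request value into the log; since that value is untrusted, strip CR/LF from it (or log it only after canonicalization) to avoid log forging. The enclosing method's signature and closing brace are outside the hunk.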