Xss

build.gradle

@@ -133,6 +133,7 @@ subprojects {
          compile group: 'commons-collections', name: 'commons-collections', version: '3.2.2'
          compile group: 'org.apache.commons', name: 'commons-collections4', version: '4.4'
          //compile group: 'org.apache.commons', name: 'commons-csv', version: '1.7'
+         compile group: 'org.apache.commons', name: 'commons-text', version: '1.9'
          compile group: 'org.apache.commons', name: 'commons-dbcp2', version: '2.6.0'
          compile group: 'commons-dbutils', name: 'commons-dbutils', version: '1.7'
          compile group: 'org.apache.commons', name: 'commons-digester3', version: '3.2'

config/build_docker.gradle

@@ -133,6 +133,7 @@ subprojects {
          compile group: 'commons-collections', name: 'commons-collections', version: '3.2.2'
          compile group: 'org.apache.commons', name: 'commons-collections4', version: '4.4'
          //compile group: 'org.apache.commons', name: 'commons-csv', version: '1.7'
+         compile group: 'org.apache.commons', name: 'commons-text', version: '1.9'
          compile group: 'org.apache.commons', name: 'commons-dbcp2', version: '2.6.0'
          compile group: 'commons-dbutils', name: 'commons-dbutils', version: '1.7'
          compile group: 'org.apache.commons', name: 'commons-digester3', version: '3.2'

config/build_jar.gradle

@@ -133,6 +133,7 @@ subprojects {
          compile group: 'commons-collections', name: 'commons-collections', version: '3.2.2'
          compile group: 'org.apache.commons', name: 'commons-collections4', version: '4.4'
          //compile group: 'org.apache.commons', name: 'commons-csv', version: '1.7'
+         compile group: 'org.apache.commons', name: 'commons-text', version: '1.9'
          compile group: 'org.apache.commons', name: 'commons-dbcp2', version: '2.6.0'
          compile group: 'commons-dbutils', name: 'commons-dbutils', version: '1.7'
          compile group: 'org.apache.commons', name: 'commons-digester3', version: '3.2'

config/build_standard.gradle

@@ -133,6 +133,7 @@ subprojects {
          compile group: 'commons-collections', name: 'commons-collections', version: '3.2.2'
          compile group: 'org.apache.commons', name: 'commons-collections4', version: '4.4'
          //compile group: 'org.apache.commons', name: 'commons-csv', version: '1.7'
+         compile group: 'org.apache.commons', name: 'commons-text', version: '1.9'
          compile group: 'org.apache.commons', name: 'commons-dbcp2', version: '2.6.0'
          compile group: 'commons-dbutils', name: 'commons-dbutils', version: '1.7'
          compile group: 'org.apache.commons', name: 'commons-digester3', version: '3.2'

maxkey-core/src/main/java/org/maxkey/autoconfigure/MvcAutoConfiguration.java

@@ -25,6 +25,7 @@ import javax.servlet.Filter;
 
 import org.maxkey.constants.ConstantsProperties;
 import org.maxkey.constants.ConstantsTimeInterval;
+import org.maxkey.web.WebXssRequestFilter;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.InitializingBean;
@@ -260,6 +261,17 @@ public class MvcAutoConfiguration implements InitializingBean {
         return new SecurityContextHolderAwareRequestFilter();
     }
     
+    
+    @Bean
+    public FilterRegistrationBean<Filter> webXssRequestFilter() {
+        _logger.debug("delegatingFilterProxy init for /* ");
+        FilterRegistrationBean<Filter> registrationBean = new FilterRegistrationBean<Filter>(new WebXssRequestFilter());
+        registrationBean.addUrlPatterns("/*");
+        registrationBean.setName("webXssRequestFilter");
+        registrationBean.setOrder(2);
+        return registrationBean;
+    }
+    
     @Bean
     public FilterRegistrationBean<Filter> delegatingFilterProxy() {
         _logger.debug("delegatingFilterProxy init for /* ");

maxkey-core/src/main/java/org/maxkey/web/WebXssRequestFilter.java

@@ -0,0 +1,43 @@
+package org.maxkey.web;
+
+import java.io.IOException;
+import java.util.Enumeration;
+
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+
+import org.apache.commons.text.StringEscapeUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.web.filter.GenericFilterBean;
+
+public class WebXssRequestFilter  extends GenericFilterBean {
+
+	final static Logger _logger = LoggerFactory.getLogger(GenericFilterBean.class);	
+	
+	@Override
+	public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
+			throws IOException, ServletException {
+		_logger.trace("WebXssRequestFilter");
+		boolean isWebXss = false;
+        Enumeration<String> parameterNames = request.getParameterNames();
+        while (parameterNames.hasMoreElements()) {
+          String key = (String) parameterNames.nextElement();
+          String value = request.getParameter(key);
+          _logger.trace("parameter name "+key +" , value " + value);
+          if(!StringEscapeUtils.escapeHtml4(value).equals(value)
+        		  ||value.toLowerCase().indexOf("script")>-1) {
+        	  isWebXss = true;
+        	  _logger.error("parameter name "+key +" , value " + value 
+        			  		+ ", contains dangerous content ! ");
+        	  break;
+          }
+        }
+        if(!isWebXss) {
+        	chain.doFilter(request, response);
+        }  
+	}
+
+}

maxkey-core/src/test/java/org/maxkey/EscapeHtml4Test.java

@@ -0,0 +1,13 @@
+package org.maxkey;
+
+import java.sql.SQLException;
+
+import org.apache.commons.text.StringEscapeUtils;
+
+public class EscapeHtml4Test {
+	public static void main(String[] args) throws SQLException {
+		String value="<IMG SRC=javascript:alert('XSS')<javascript>>";
+		System.out.println(StringEscapeUtils.escapeHtml4(value));
+		System.out.println(StringEscapeUtils.escapeEcmaScript(value));
+	}
+}