XSSUrlParamSecurityAdapter (stumps 1.0-SNAPSHOT API)

java.lang.Object
- com.neurosys.cluzo.adapters.WhiteBlackExpressionSecurityAdapter
- - com.neurosys.cluzo.adapters.XSSUrlParamSecurityAdapter

All Implemented Interfaces:

SecurityAdapter<String>
```
public class XSSUrlParamSecurityAdapter
extends WhiteBlackExpressionSecurityAdapter
```
Simply sanitize URL params based on regexs and encoded & double-encoded versions of them, looking for any trouble!

Author:

Arjun Dhar

Field Summary

Fields
Modifier and Type Field and Description

static String BLACK_URL_REGEX_PROP

static String WHITE_URL_REGEX_PROP
- Fields inherited from class com.neurosys.cluzo.adapters.WhiteBlackExpressionSecurityAdapter
  blackRegExPattern, whiteRegExPattern
- Fields inherited from interface com.neurosys.cluzo.domain.SecurityAdapter
  REGEX_PROP_FILE

Fields
Modifier and Type	Field and Description
`static String`	`BLACK_URL_REGEX_PROP`
`static String`	`WHITE_URL_REGEX_PROP`

Constructor Summary

Constructors
Constructor and Description

XSSUrlParamSecurityAdapter()

Constructors
Constructor and Description
`XSSUrlParamSecurityAdapter()`

Method Summary

All Methods Instance Methods Concrete Methods
Modifier and Type	Method and Description
`Data<String>`	`preProcess(Data<String> input)` For Absolute URL's we can determine the genuine host name (or pick from config) and sanitize those out from the input.
`protected void`	`processInvalidQuery(Data<String> input)`
`Data`	`sanitize(Data<String> input)` Sanitize content, from malicious to harmless.
`void`	`validate(Data<String> input)` Check if the input is safe or not When used in a chained or a `SecurityContext` with other `SecurityAdapter`s then the Adapters throwing a `OperationNotSupportedException` will be ignored.

Methods inherited from class com.neurosys.cluzo.adapters.WhiteBlackExpressionSecurityAdapter
getBlackRegExPattern, getWhiteRegExPattern, processNameValue, processParams, setBlackRegExPattern, setWhiteRegExPattern, validateAgainstBlackRegEx, validateAgainstWhiteRegEx

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

- Field Detail
  - BLACK_URL_REGEX_PROP
```
public static final String BLACK_URL_REGEX_PROP
```
    See Also:
    
    Constant Field Values
  - WHITE_URL_REGEX_PROP
```
public static final String WHITE_URL_REGEX_PROP
```
    See Also:
    
    Constant Field Values
- Constructor Detail
  - XSSUrlParamSecurityAdapter
```
public XSSUrlParamSecurityAdapter()
                           throws IOException
```
    Throws:
    
    IOException
- Method Detail
  - sanitize
```
public Data sanitize(Data<String> input)
              throws org.owasp.validator.html.ScanException,
                     org.owasp.validator.html.PolicyException,
                     OperationNotSupportedException
```
    Description copied from interface: SecurityAdapter
    
    Sanitize content, from malicious to harmless. An adapter may or may not choose to support a Sanitization method. In the event it does not support it, it should throw a OperationNotSupportedException. When used in a chained or a SecurityContext with other SecurityAdapters then the Adapters throwing a OperationNotSupportedException will be ignored. Any other exception will be thrown if there is an issue in the executionof the sanitization process.
    
    Specified by:
    
    sanitize in interface SecurityAdapter<String>
    
    Overrides:
    
    sanitize in class WhiteBlackExpressionSecurityAdapter
    
    Returns:
    
    Throws:
    
    org.owasp.validator.html.ScanException
    
    org.owasp.validator.html.PolicyException
    
    OperationNotSupportedException
  - preProcess
```
public Data<String> preProcess(Data<String> input)
```
    For Absolute URL's we can determine the genuine host name (or pick from config) and sanitize those out from the input. We want to do that because the RegEx are strict against ref to Absolute URI's and we want to clean the legitimate ones before passing to the scanner.
    
    Parameters:
    
    input - @Nullable
    
    Returns:
    
    @Nullable
  - validate
```
public void validate(Data<String> input)
              throws SecurityException,
                     IOException
```
    Description copied from interface: SecurityAdapter
    
    Check if the input is safe or not
    When used in a chained or a SecurityContext with other SecurityAdapters then the Adapters throwing a OperationNotSupportedException will be ignored.
    
    Specified by:
    
    validate in interface SecurityAdapter<String>
    
    Overrides:
    
    validate in class WhiteBlackExpressionSecurityAdapter
    
    Parameters:
    
    input - as Data
    
    Throws:
    
    SecurityException - is its is not safe. This is to provide additional details about the failure that te return param cannot.
    
    IOException - for any type of setup, reading, infra related issue with files/configs
  - processInvalidQuery
```
protected void processInvalidQuery(Data<String> input)
                            throws SecurityException,
                                   IOException
```
    Overrides:
    
    processInvalidQuery in class WhiteBlackExpressionSecurityAdapter
    
    Throws:
    
    SecurityException
    
    IOException

Class XSSUrlParamSecurityAdapter

Field Summary

Fields inherited from class com.neurosys.cluzo.adapters.WhiteBlackExpressionSecurityAdapter

Fields inherited from interface com.neurosys.cluzo.domain.SecurityAdapter

Constructor Summary

Method Summary

Methods inherited from class com.neurosys.cluzo.adapters.WhiteBlackExpressionSecurityAdapter

Methods inherited from class java.lang.Object

Field Detail

BLACK_URL_REGEX_PROP

WHITE_URL_REGEX_PROP

Constructor Detail

XSSUrlParamSecurityAdapter

Method Detail

sanitize

preProcess

validate

processInvalidQuery