package org.gbif.ipt.struts2;

import com.google.common.collect.Maps;
import com.google.inject.Singleton;
import com.lowagie.text.html.HtmlTags;
import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import org.apache.log4j.Logger;
import org.gbif.api.model.common.messaging.Response;
import org.gbif.ws.util.XSSUtil;
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.HtmlSanitizer;
import org.owasp.html.HtmlStreamEventReceiver;

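/**
 * Servlet filter that sanitizes every request parameter before the request reaches the
 * action layer.
 *
 * <p>Each parameter value is first checked with {@link XSSUtil#containsXSS(String)}; a hit
 * aborts the whole request with an HTTP 400 (see {@link #doFilter}). Values that pass are run
 * through the OWASP HTML sanitizer with a receiver that keeps only text content, turning
 * {@code <br>} and {@code <p>} into blank lines, so no markup survives into the sanitized
 * parameter map exposed by {@link XssRequestWrapper}.
 *
 * <p>Sanitization happens eagerly when the wrapper is constructed, not lazily on access.
 */
@Singleton
public class SanitizeHtmlFilter implements Filter {
    private static final Logger LOG = Logger.getLogger(SanitizeHtmlFilter.class);
    /**
     * Policy builder with no elements or attributes allowed. Only the text events delivered to
     * the receiver in {@code XssRequestWrapper#sanitize} contribute to the sanitized value.
     */
    private static final HtmlPolicyBuilder POLICY_BUILDER = new HtmlPolicyBuilder();

    /**
     * Raised while building an {@link XssRequestWrapper} when a parameter value trips
     * {@link XSSUtil#containsXSS(String)}. Unchecked, so it propagates out of the wrapper
     * constructor to {@link #doFilter}, which answers with a 400. Carries only the parameter
     * name, never the offending value.
     */
    public static class XssException extends IllegalArgumentException {
        private static final long serialVersionUID = 1L;
        private final String parameter;

        /**
         * @param parameter name of the request parameter whose value was rejected
         */
        public XssException(String parameter) {
            super("Malicious XSS content found in request parameter " + parameter);
            this.parameter = parameter;
        }

        /**
         * @return name of the request parameter whose value was rejected
         */
        public String getParameter() {
            return parameter;
        }
    }

    /**
     * Request wrapper that replaces the parameter map with a sanitized copy.
     *
     * <p>The copy is taken once in the constructor; {@link #getParameter},
     * {@link #getParameterValues} and {@link #getParameterMap} all read from it and never
     * consult the wrapped request again.
     *
     * @throws XssException from the constructor if any parameter value contains XSS content
     */
    public static class XssRequestWrapper extends HttpServletRequestWrapper {
        /** Sanitized copy of the wrapped request's parameters; unmodifiable, as the servlet spec requires. */
        private final Map<String, String[]> sanitized;

        /**
         * @param request the request to wrap; its parameter map is sanitized immediately
         * @throws XssException if a parameter value contains XSS content
         */
        public XssRequestWrapper(HttpServletRequest request) {
            super(request);
            this.sanitized = Collections.unmodifiableMap(sanitizeParamMap(request.getParameterMap()));
        }

        /**
         * @return the first sanitized value of the parameter, or {@code null} if absent or empty
         */
        @Override
        public String getParameter(String name) {
            String[] values = getParameterValues(name);
            if (values == null || values.length == 0) {
                return null;
            }
            return values[0];
        }

        /**
         * @return the unmodifiable sanitized parameter map
         */
        @Override
        public Map<String, String[]> getParameterMap() {
            return sanitized;
        }

        /**
         * @return the sanitized values of the parameter, or {@code null} if absent
         */
        @Override
        public String[] getParameterValues(String name) {
            return sanitized.get(name);
        }

        /**
         * Builds a sanitized copy of a parameter map.
         *
         * @param params raw parameter map, may be {@code null}
         * @return a new map with every value sanitized; empty if {@code params} is {@code null}
         * @throws XssException if any value contains XSS content
         */
        private Map<String, String[]> sanitizeParamMap(Map<String, String[]> params) {
            Map<String, String[]> clean = new HashMap<String, String[]>();
            if (params == null) {
                return clean;
            }
            for (Map.Entry<String, String[]> entry : params.entrySet()) {
                String name = entry.getKey();
                String[] raw = entry.getValue();
                String[] cleaned = new String[raw.length];
                for (int i = 0; i < raw.length; i++) {
                    cleaned[i] = sanitize(name, raw[i]);
                }
                clean.put(name, cleaned);
            }
            return clean;
        }

        /**
         * Sanitizes a single parameter value.
         *
         * <p>Rejects the value outright if {@link XSSUtil#containsXSS(String)} flags it;
         * otherwise feeds it through the OWASP sanitizer, collecting only text events and a
         * blank line for each {@code <br>} / {@code <p>} open tag the sanitizer forwards.
         *
         * @param name  parameter name, used for the exception and the log line
         * @param value raw parameter value
         * @return the text-only form of {@code value}; {@code null} if {@code value} is {@code null}
         * @throws XssException if the value contains XSS content
         */
        private String sanitize(String name, String value) throws XssException {
            if (value == null) {
                return null;
            }
            if (XSSUtil.containsXSS(value)) {
                throw new XssException(name);
            }
            final StringBuilder text = new StringBuilder();
            HtmlSanitizer.sanitize(value, POLICY_BUILDER.build(new HtmlStreamEventReceiver() {
                @Override
                public void openDocument() {
                }

                @Override
                public void closeDocument() {
                }

                @Override
                public void openTag(String tag, List<String> attrs) {
                    // NOTE(review): POLICY_BUILDER allows no elements, so whether the sanitizer
                    // ever forwards <br>/<p> open tags to this receiver depends on the OWASP
                    // policy semantics — confirm; if it never does, this branch is dead.
                    if ("br".equals(tag) || HtmlTags.PARAGRAPH.equals(tag)) {
                        text.append('\n').append('\n');
                    }
                }

                @Override
                public void closeTag(String tag) {
                }

                @Override
                public void text(String chunk) {
                    text.append(chunk);
                }
            }));
            String result = text.toString();
            if (!result.equals(value)) {
                // Log only the parameter name and sizes, not the values: they are untrusted
                // (embedded newlines would forge log records) and may be secrets such as
                // passwords, which must not land in the log file.
                LOG.warn("Parameter sanitization. " + name + " modified (" + value.length()
                    + " -> " + result.length() + " chars)");
            }
            return result;
        }
    }

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // nothing to configure
    }

    @Override
    public void destroy() {
        // nothing to release
    }

    /**
     * Wraps HTTP requests in an {@link XssRequestWrapper} and continues the chain.
     *
     * <p>If sanitization rejects a parameter, the request is answered with
     * {@code Response.StatusCode.BAD_REQUEST} unless the response is already committed.
     * Non-HTTP requests are not passed down the chain: they cannot be sanitized, and the
     * filter fails closed for them (this is now logged so the dropped request is visible).
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
        throws IOException, ServletException {
        if (!(request instanceof HttpServletRequest)) {
            LOG.warn("Dropping non-HTTP request of type " + request.getClass().getName()
                + ": parameters cannot be sanitized");
            return;
        }
        try {
            // The wrapper sanitizes in its constructor, so XssException surfaces here before
            // any downstream filter or action sees the request.
            chain.doFilter(new XssRequestWrapper((HttpServletRequest) request), response);
        } catch (XssException e) {
            // The message names the parameter only; the value is never logged.
            LOG.warn("Request rejected: " + e.getMessage());
            HttpServletResponse httpResponse = (HttpServletResponse) response;
            if (!httpResponse.isCommitted()) {
                httpResponse.sendError(Response.StatusCode.BAD_REQUEST.getCode().intValue());
            }
        }
    }
}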
