package cn.enilu.flash.web.filter;

import cn.enilu.flash.core.lang.Strings;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpSession;

/* loaded from: input_file:cn/enilu/flash/web/filter/XssHttpServletRequestWrapper.class */
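/**
 * Request wrapper that runs a regex blocklist over parameter and header values
 * before the application sees them.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>This is blocklist <em>input</em> filtering, not output encoding. It must
 *       not be the only XSS defence: values still have to be encoded for the
 *       context they are rendered into (HTML body, attribute, JavaScript, URL).</li>
 *   <li>The filtering level is chosen by the <em>client</em>. A request carrying
 *       {@code xss-filtering-level=low} as a parameter or a header gets the weaker
 *       {@link #stripXSS} treatment, which leaves {@code <} and {@code >} untouched.
 *       Treat "low" as a usability knob for rich-text fields, never as a security
 *       boundary.</li>
 *   <li>Parameters whose name ends in {@code _escaped} are returned raw from
 *       {@link #getParameter} and {@link #getParameterMap}; the caller owns escaping
 *       for those. {@link #getParameterValues} ignores the suffix and always cleans.</li>
 *   <li>Not covered: {@code getHeaders(String)}, {@code getHeaderNames()},
 *       {@code getQueryString()}, cookies and request bodies read via
 *       {@code getInputStream()} / {@code getReader()} (e.g. JSON) reach the
 *       application unfiltered.</li>
 *   <li>The rules are lossy on ordinary text (see the comments in {@link #cleanXSS}),
 *       and {@link #getHeader} rewrites every header, including ones that are never
 *       rendered.</li>
 * </ul>
 */
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
    /** Parameter/header name through which the client may request the weaker filter. */
    private static final String LEVEL_KEY = "xss-filtering-level";
    /** Name suffix marking parameters the caller escapes itself. */
    private static final String ESCAPED_SUFFIX = "_escaped";
    /** Flag set used by most rules (the decompiled source spelled it as the literal 42). */
    private static final int CI_MULTILINE_DOTALL =
            Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL;

    private static final Pattern SCRIPT_PATTERN =
            Pattern.compile("[\\\"\\'][\\s]*javascript:(.*)[\\\"\\']", CI_MULTILINE_DOTALL);
    private static final Pattern ON_PATTERN =
            Pattern.compile("on\\w{2,20}=[^>]+", CI_MULTILINE_DOTALL);
    private static final Pattern EVIL_ENTITY_PATTERN =
            Pattern.compile("&(colon|newline|tab);", Pattern.CASE_INSENSITIVE);

    /**
     * Rules applied by {@link #stripXSS}, in application order, compiled once
     * instead of on every call.
     */
    private static final Pattern[] STRIP_RULES = {
        Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE),
        Pattern.compile("on\\w+=[^>]+", CI_MULTILINE_DOTALL),
        Pattern.compile("src[\\r\\n]*=[\\r\\n]*[\\'\\\"]?https?://([^'\">]+)[\\'\\\"]?", CI_MULTILINE_DOTALL),
        Pattern.compile("</script>", Pattern.CASE_INSENSITIVE),
        Pattern.compile("<script(.*?)>", CI_MULTILINE_DOTALL),
        Pattern.compile("eval\\((.*?)\\)", CI_MULTILINE_DOTALL),
        // The original pattern was "e\u00adxpression(...)" with a soft hyphen inside
        // the word, so it never matched a real "expression(" -- fixed here.
        Pattern.compile("expression\\((.*?)\\)", CI_MULTILINE_DOTALL),
        Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE),
        Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE),
        Pattern.compile("onload(.*?)=", CI_MULTILINE_DOTALL),
    };

    public XssHttpServletRequestWrapper(HttpServletRequest httpServletRequest) {
        super(httpServletRequest);
    }

    /**
     * Never creates a session: always delegates to {@code getSession(false)}.
     * Code that needs a new session must call {@code getSession(true)} explicitly.
     */
    public HttpSession getSession() {
        return getSession(false);
    }

    /**
     * Returns every value of the parameter passed through {@link #cleanXSS}.
     * Neither the {@code _escaped} suffix nor the client's filtering level is
     * honoured here; this accessor is deliberately stricter than
     * {@link #getParameter}.
     *
     * @param name parameter name
     * @return cleaned copies of the values, or {@code null} if the parameter is absent
     */
    public String[] getParameterValues(String name) {
        String[] values = super.getParameterValues(name);
        if (values == null) {
            return null;
        }
        String[] cleaned = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            cleaned[i] = values[i] == null ? null : cleanXSS(values[i]);
        }
        return cleaned;
    }

    /**
     * Returns the first value of the parameter, filtered unless the name ends in
     * {@code _escaped}. The weaker {@link #stripXSS} is used when the client sent
     * {@code xss-filtering-level=low} (parameter or header); otherwise
     * {@link #cleanXSS}.
     *
     * @param name parameter name
     * @return the (possibly filtered) value, or {@code null} if absent
     */
    public String getParameter(String name) {
        String value = super.getParameter(name);
        if (name.endsWith(ESCAPED_SUFFIX)) {
            return value; // caller-escaped: handed back raw, may be null
        }
        if (value == null) {
            return null;
        }
        return isLowFilteringLevel() ? stripXSS(value) : cleanXSS(value);
    }

    /**
     * Applies the same per-name decision as {@link #getParameter} to every value
     * in the map. Without this override {@code HttpServletRequestWrapper} hands
     * the wrapped request's map straight through, so any code that binds form
     * objects from {@code getParameterMap()} (which frameworks typically do) would
     * receive unfiltered values.
     *
     * @return an unmodifiable map with filtered values, or {@code null} if the
     *     wrapped request returns {@code null}
     */
    public Map<String, String[]> getParameterMap() {
        Map<String, String[]> raw = super.getParameterMap();
        if (raw == null) {
            return null;
        }
        boolean low = isLowFilteringLevel();
        Map<String, String[]> filtered = new LinkedHashMap<String, String[]>(raw.size() * 2);
        for (Map.Entry<String, String[]> entry : raw.entrySet()) {
            String name = entry.getKey();
            String[] values = entry.getValue();
            if (values == null || (name != null && name.endsWith(ESCAPED_SUFFIX))) {
                filtered.put(name, values);
                continue;
            }
            String[] cleaned = new String[values.length];
            for (int i = 0; i < values.length; i++) {
                String v = values[i];
                cleaned[i] = v == null ? null : (low ? stripXSS(v) : cleanXSS(v));
            }
            filtered.put(name, cleaned);
        }
        return Collections.unmodifiableMap(filtered);
    }

    /**
     * Returns the header value passed through {@link #cleanXSS}. Note this rewrites
     * <em>every</em> header read this way, e.g. parentheses in {@code User-Agent}
     * come back as {@code &#40;}/{@code &#41;}; {@code getHeaders(String)} is not
     * wrapped and returns raw values.
     *
     * @param name header name
     * @return cleaned value, or {@code null} if the header is absent
     */
    public String getHeader(String name) {
        String value = super.getHeader(name);
        return value == null ? null : cleanXSS(value);
    }

    /**
     * True when the client asked for the weaker filter. Reads through
     * {@code super} so the probe itself is not filtered (and does not recurse).
     */
    private boolean isLowFilteringLevel() {
        return "low".equals(super.getParameter(LEVEL_KEY))
                || "low".equals(super.getHeader(LEVEL_KEY));
    }

    /**
     * Default ("high") filter: drops a few HTML5 entities, encodes the characters
     * {@code < > ( ) '}, then removes {@code "javascript:..."} and {@code on*=...}
     * fragments.
     *
     * <p>Known side effects, kept for compatibility:
     * <ul>
     *   <li>{@code SCRIPT_PATTERN} is greedy and DOTALL; once a {@code "javascript:}
     *       is seen, everything up to the <em>last</em> double quote is removed.</li>
     *   <li>Because {@code >} is already encoded, {@code ON_PATTERN}'s {@code [^>]+}
     *       runs to the end of the string: a value containing {@code fontsize=12}
     *       loses everything from {@code ontsize=} onward.</li>
     * </ul>
     *
     * @param value non-null raw value
     * @return the filtered value
     */
    private String cleanXSS(String value) {
        String out = EVIL_ENTITY_PATTERN.matcher(value).replaceAll("");
        out = out.replace("<", "&lt;")
                .replace(">", "&gt;")
                .replace("(", "&#40;")
                .replace(")", "&#41;")
                .replace("'", "&#39;");
        // The original also ran an eval\((.*)\) removal at this point; every "(" has
        // already been encoded by then, so it could never match and was dropped.
        out = SCRIPT_PATTERN.matcher(out).replaceAll("");
        return ON_PATTERN.matcher(out).replaceAll("");
    }

    /**
     * Weaker ("low") filter selected by the client: removes a list of script-ish
     * fragments but does <em>not</em> encode {@code <} or {@code >}, so the result
     * is still markup. Blank input is returned unchanged.
     *
     * @param value raw value, may be null/blank
     * @return the filtered value
     */
    private String stripXSS(String value) {
        if (Strings.isBlank(value)) {
            return value;
        }
        // The original called replaceAll("", ""), which is a no-op; removing NUL
        // bytes is what that line was evidently meant to do.
        String out = value.replace("\u0000", "");
        out = EVIL_ENTITY_PATTERN.matcher(out).replaceAll("");
        for (Pattern rule : STRIP_RULES) {
            out = rule.matcher(out).replaceAll("");
        }
        return out;
    }
}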
