1   package com.trendmicro.grid.acl.l0;
2   
import com.trendmicro.grid.acl.RestService;

import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
4   
5   /**
6    * Groups all Level0 REST services to automate their publishing under the spring bean "level0_JaxRsApplication".
7    *
8    * @author juergen_kellerer, 2010-05-31
9    * @version 1.0
10   */
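public interface Level0RestService extends RestService {
	/**
	 * Is a collection of utilities for rest related services.
	 */
	public final class RestUtil {
		/**
		 * Name of the system property that overrides the built-in tag list ('|' separated entries).
		 */
		private static final String TAG_LIST_PROPERTY = "gacl.crosssite.scripting.taglist";

		/**
		 * Defines a list of HTML tags that may indicate cross site scripting attacks.
		 * <p>
		 * Entries come from the system property {@code gacl.crosssite.scripting.taglist} (or the built-in
		 * default), are lower-cased with {@link Locale#ROOT} so that they compare the same way as the
		 * checked input, and empty entries are dropped: an empty pattern would otherwise match every value.
		 * <p>
		 * NOTE: this is a denylist heuristic and not a sanitizer. It only rejects values containing one of the
		 * listed tag prefixes; values that are rendered into HTML still need contextual output encoding.
		 */
		public static final String[] CROSS_SITE_SCRIPTING_TAGS = parseTagList(System.getProperty(
				TAG_LIST_PROPERTY,
				"<html|<object|<embed|<video|<source|<article|<svg|<script|<frame|<iframe"));

		private RestUtil() {
		}

		/**
		 * Splits the '|' separated tag list into its entries, lower-casing each one (locale independent)
		 * and dropping empty entries.
		 *
		 * @param tagList The raw, '|' separated list; must not be null.
		 * @return The normalised entries, possibly empty.
		 */
		private static String[] parseTagList(String tagList) {
			List<String> tags = new ArrayList<String>();
			for (String tag : tagList.split("\\|")) {
				if (!tag.isEmpty()) {
					tags.add(tag.toLowerCase(Locale.ROOT));
				}
			}
			return tags.toArray(new String[tags.size()]);
		}

		/**
		 * Validates whether the given input may be vulnerable to cross site scripting when
		 * it is interpreted by the browser's HTML engine.
		 * <p>
		 * The check is a case-insensitive substring match against {@link #CROSS_SITE_SCRIPTING_TAGS};
		 * a {@code null} input is accepted.
		 *
		 * @param input The (un-encoded) input value to check.
		 * @throws IllegalArgumentException if the input contains one of the listed tag prefixes; the message
		 *                                  names the offending tag (without the leading '&lt;').
		 */
		public static void assertIsNotCrossSiteScriptingVulnerable(String input) {
			if (input == null) {
				return;
			}
			// Locale.ROOT: under a default locale such as Turkish, "I" folds to a dotless i and
			// "<IFRAME" would no longer match the lower-case "<iframe" entry.
			String normalised = input.toLowerCase(Locale.ROOT);
			for (String tag : CROSS_SITE_SCRIPTING_TAGS) {
				if (normalised.contains(tag)) {
					// Report the tag name only; a configured entry without the '<' prefix is reported as is.
					String tagName = tag.startsWith("<") ? tag.substring(1) : tag;
					throw new IllegalArgumentException("The value '" + tagName +
							"' is not allowed in the given request.");
				}
			}
		}
	}
}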