package org.apache.geronimo.console.filter;

import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.util.Enumeration;
import java.util.Locale;
import javax.servlet.http.HttpServletRequest;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/console-filter-2.2.jar:org/apache/geronimo/console/filter/XSSHandler.class */
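/**
 * Heuristic request screen for reflected-XSS markers in the request URI, query string and
 * parameters.
 *
 * <p>Every inspected value is URL-decoded exactly once and lower-cased before matching, so
 * content that the application decodes a second time downstream is not covered by this check.
 * Two levels of strictness are applied:
 * <ul>
 *   <li>the strict check ({@link #isInvalidString(String)}) rejects any {@code <} or {@code "};</li>
 *   <li>the relaxed check ({@link #isInvalidParam(String)}) rejects only a small set of known
 *       tag names following a {@code <} and the {@code style=} attribute.</li>
 * </ul>
 *
 * <p>The class holds no mutable state, so a single instance may be shared between threads.
 */
public class XSSHandler {
    private static final Logger log = LoggerFactory.getLogger(XSSHandler.class);

    /** Charset name passed to {@link URLDecoder}; the checked exception it forces is handled by callers. */
    private static final String CHARSET = "UTF-8";

    /**
     * Tag names (without the leading {@code <}) that the relaxed check refuses. The order only
     * determines which debug message is logged when a value matches.
     */
    private static final String[] KNOWN_TAGS = {"script", "img", "iframe", "div"};

    /**
     * Applies the strict check to the request URI and the raw query string.
     *
     * @param httpServletRequest the request to inspect
     * @return {@code true} if either the URI or the query string contains {@code <} or {@code "}
     *         after URL decoding, or cannot be URL-decoded at all
     */
    public boolean isInvalidURI(HttpServletRequest httpServletRequest) {
        return isInvalidString(httpServletRequest.getRequestURI())
                || isInvalidString(httpServletRequest.getQueryString());
    }

    /**
     * Inspects every request parameter value and reports whether any of them should block the
     * request.
     *
     * <p>The parameter name selects the check applied to its values:
     * <ul>
     *   <li>names starting with {@code noxss} are skipped entirely;</li>
     *   <li>names starting with {@code minxss}, or containing {@code password}, {@code xml} or
     *       {@code sql}, get the relaxed known-tag check (presumably because such values may
     *       legitimately contain angle brackets or quotes);</li>
     *   <li>all other names get the strict check.</li>
     * </ul>
     * Name matching is case-insensitive and ignores surrounding whitespace.
     *
     * @param httpServletRequest the request to inspect
     * @return {@code true} on the first offending value, {@code false} if all values pass
     */
    public boolean isInvalidParameters(HttpServletRequest httpServletRequest) {
        Enumeration<?> parameterNames = httpServletRequest.getParameterNames();
        while (parameterNames.hasMoreElements()) {
            String name = (String) parameterNames.nextElement();
            // Locale.ROOT keeps the comparison stable under locales with unusual case rules (e.g. tr).
            String lowerName = name.trim().toLowerCase(Locale.ROOT);
            if (lowerName.startsWith("noxss")) {
                log.debug("Skipping specially marked paramter=" + name);
                continue;
            }
            String[] values = httpServletRequest.getParameterValues(name);
            if (values == null) {
                continue;
            }
            boolean relaxed = lowerName.startsWith("minxss")
                    || lowerName.indexOf("password") != -1
                    || lowerName.indexOf("xml") != -1
                    || lowerName.indexOf("sql") != -1;
            for (String value : values) {
                if (relaxed) {
                    if (isInvalidParam(value)) {
                        log.warn("Blocking request due to known XSS content in parameter=" + name + " for uri=" + httpServletRequest.getRequestURI());
                        return true;
                    }
                } else if (isInvalidString(value)) {
                    log.warn("Blocking request due to potential XSS content in parameter=" + name + " for uri=" + httpServletRequest.getRequestURI());
                    return true;
                }
            }
        }
        return false;
    }

    /**
     * Strict check: rejects any value containing {@code <} or {@code "} after URL decoding.
     *
     * @param str the raw (still URL-encoded) value, may be {@code null}
     * @return {@code false} for {@code null}; {@code true} if the decoded value contains an angle
     *         bracket or double quote, or if the value is not valid URL encoding and therefore
     *         cannot be inspected
     */
    private boolean isInvalidString(String str) {
        if (str == null) {
            return false;
        }
        String lower;
        try {
            lower = decodeToLowerCase(str);
        } catch (UnsupportedEncodingException e) {
            log.error("URLDecoder.decode(UTF8) failed.", e);
            return false;
        } catch (IllegalArgumentException e) {
            // Malformed %-escapes cannot be decoded, so the value cannot be inspected; fail closed
            // instead of letting the exception propagate out of the filter.
            log.warn("Blocking request component that is not valid URL encoding: " + e.getMessage());
            return true;
        }
        return lower.indexOf('<') != -1 || lower.indexOf('"') != -1;
    }

    /**
     * Relaxed check: rejects a value only if, after URL decoding, a {@code <} is immediately
     * followed by one of {@link #KNOWN_TAGS}, or the value contains {@code style=} anywhere.
     *
     * @param str the raw (still URL-encoded) value, may be {@code null}
     * @return {@code false} for {@code null}; {@code true} if a known tag or {@code style=} is
     *         found, or if the value is not valid URL encoding and therefore cannot be inspected
     */
    private boolean isInvalidParam(String str) {
        if (str == null) {
            return false;
        }
        String lower;
        try {
            lower = decodeToLowerCase(str);
        } catch (UnsupportedEncodingException e) {
            log.error("URLDecoder.decode(UTF8) failed.", e);
            return false;
        } catch (IllegalArgumentException e) {
            // See isInvalidString: undecodable input is treated as invalid rather than thrown.
            log.warn("Blocking request component that is not valid URL encoding: " + e.getMessage());
            return true;
        }
        int lt = lower.indexOf('<');
        while (lt != -1) {
            int tagStart = lt + 1;
            if (containsKnownTag(lower, tagStart)) {
                return true;
            }
            // indexOf tolerates tagStart == length and simply returns -1.
            lt = lower.indexOf('<', tagStart);
        }
        return containsStyle(lower);
    }

    /**
     * URL-decodes {@code str} as UTF-8 and lower-cases it with a locale-independent mapping.
     *
     * @throws UnsupportedEncodingException if the UTF-8 charset is unavailable (never on a
     *         conforming JVM, but the {@link URLDecoder} API declares it)
     * @throws IllegalArgumentException if {@code str} contains a malformed {@code %} escape
     */
    private String decodeToLowerCase(String str) throws UnsupportedEncodingException {
        return URLDecoder.decode(str, CHARSET).toLowerCase(Locale.ROOT);
    }

    /**
     * Tests whether one of {@link #KNOWN_TAGS} starts at index {@code i} of {@code str}.
     *
     * <p>{@link String#startsWith(String, int)} is used so that an offset at or beyond the end of
     * the string (a trailing {@code <}) yields {@code false} instead of an index exception.
     *
     * @param str lower-cased, decoded value
     * @param i index of the character right after a {@code <}
     * @return {@code true} and logs the matched tag if a known tag name starts at {@code i}
     */
    private boolean containsKnownTag(String str, int i) {
        for (String tag : KNOWN_TAGS) {
            if (str.startsWith(tag, i)) {
                log.debug("Found a '<" + tag + "' tag in a HttpServletRequest parameter.");
                return true;
            }
        }
        return false;
    }

    /**
     * Tests whether {@code str} contains the literal {@code style=} anywhere.
     *
     * @param str lower-cased, decoded value
     * @return {@code true} and logs a debug line if found
     */
    private boolean containsStyle(String str) {
        if (str.indexOf("style=") == -1) {
            return false;
        }
        log.debug("Found a 'style=' tag in a HttpServletRequest parameter.");
        return true;
    }
}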
