CODEWITHSUNDEEP
java
2787184
2787184

Reputation: 3881

Why replaceAll method not available in StringBuilder

I am doing code scanning using sonarQube. I found issue Introduce a new variable instead of reusing the parameter "value". should I use StringBuilder instead of String or introducing a new variable? Below is my code.

private String stripXSS(String value) {

        if (StringUtils.isNotBlank(value)) {

            value = value.replaceAll("", "");

            Pattern scriptPattern = Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE);
            value = scriptPattern.matcher(value).replaceAll("");

            scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
            value = scriptPattern.matcher(value).replaceAll("");

            scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
            value = scriptPattern.matcher(value).replaceAll("");

            scriptPattern = Pattern.compile("</script>", Pattern.CASE_INSENSITIVE);
            value = scriptPattern.matcher(value).replaceAll("");

            scriptPattern = Pattern.compile("<script(.*?)>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
            value = scriptPattern.matcher(value).replaceAll("");

            scriptPattern = Pattern.compile("eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
            value = scriptPattern.matcher(value).replaceAll("");

            scriptPattern = Pattern.compile("expression\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
            value = scriptPattern.matcher(value).replaceAll("");

            scriptPattern = Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE);
            value = scriptPattern.matcher(value).replaceAll("");

            scriptPattern = Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE);
            value = scriptPattern.matcher(value).replaceAll("");

            scriptPattern = Pattern.compile("onload(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
            value = scriptPattern.matcher(value).replaceAll("");

            value = value.replace("&", "&amp;");
            value = value.replace(">", "&gt;");
            value = value.replace("<", "&lt;");
        }
        return value;
    }

Upvotes: 0

Views: 507

Answers (2)

easyDaMan
easyDaMan

Reputation: 307

Would following slightly changed code of yours not solve your problem? Just don't overly operate on the passed value and instead create a new local String variable that is used throughout your method! Performance optimizations need not considered (String vs. StringBuilder) as of now unless your supervisor wants faster code. Or implement (Thread.sleep(1000)) for future optimization endeavours ;-)

private String stripXSS(String passedValue) {

    if (StringUtils.isNotBlank(passedValue)) {

        String value = passedValue.replaceAll("", "");

        Pattern scriptPattern = Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE);
        value = scriptPattern.matcher(value).replaceAll("");

        scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
        value = scriptPattern.matcher(value).replaceAll("");

        scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
        value = scriptPattern.matcher(value).replaceAll("");

        scriptPattern = Pattern.compile("</script>", Pattern.CASE_INSENSITIVE);
        value = scriptPattern.matcher(value).replaceAll("");

        scriptPattern = Pattern.compile("<script(.*?)>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
        value = scriptPattern.matcher(value).replaceAll("");

        scriptPattern = Pattern.compile("eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
        value = scriptPattern.matcher(value).replaceAll("");

        scriptPattern = Pattern.compile("expression\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
        value = scriptPattern.matcher(value).replaceAll("");

        scriptPattern = Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE);
        value = scriptPattern.matcher(value).replaceAll("");

        scriptPattern = Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE);
        value = scriptPattern.matcher(value).replaceAll("");

        scriptPattern = Pattern.compile("onload(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
        value = scriptPattern.matcher(value).replaceAll("");

        value = value.replace("&", "&amp;");
        value = value.replace(">", "&gt;");
        value = value.replace("<", "&lt;");
    }
    return value;
}

Upvotes: 0

CoderNeji
CoderNeji

Reputation: 2074

For your part of the question that should I use StringBuilder instead of String or introducing a new variable ?

The following is the comparison between the String, StringBuffer and StringBuilder... You should use according to your need... i.e. Memory, performance, etc.

                  String                    StringBuffer         StringBuilder

Storage Area | Constant String Pool    |       Heap         |           Heap
Modifiable   |  No (immutable)         |   Yes( mutable )   |      Yes( mutable )
Thread Safe  |     Yes                 |       Yes          |             No
 Performance |   Fast                  |    Very slow       |            Fast

Upvotes: 1

Related Questions