XSSProtect
==========
XSSProtect is a library with a pluggable XSS filter for reducing exposure to cross-site
scripting (XSS) injection attacks. It is meant for applications that let end users write or
submit standard HTML-formatted text and then display that text on other pages, either
through DHTML or in server-generated pages.
How it works:
=============
The library builds a parse tree of the HTML snippet, cleans it up and makes it XHTML
compliant. A plugged-in filter then walks the result and removes constructs that are
potential XSS vectors. The output is clean HTML that should contain no XSS attack
vectors.
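To make the parse-then-filter idea concrete, here is an added example in Python. It is
illustration code written for this page, not XSSProtect's own implementation (which is Java):
it tokenizes the untrusted snippet with the standard library's html.parser, rebuilds
well-formed output, and delegates every keep/drop decision to a pluggable filter object.
The tag allowlist, the attribute allowlist, the set of elements whose content is discarded
and the URL scheme policy are assumptions chosen for the demo.

```python
"""Allowlist HTML sanitizer built on a real tokenizer.

Added illustration of the parse-then-filter approach; this is NOT XSSProtect's
own code (that library is Java). Tag allowlist, attribute allowlist,
content-dropping tags and URL scheme policy are assumptions for the demo.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed policy. Everything not listed here is stripped.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li", "br", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto", ""}   # "" means a relative URL
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "noscript", "template"}
VOID_TAGS = {"br", "img"}


def safe_url(value: str) -> bool:
    """True if the URL's scheme is in the allowlist.

    Browsers ignore tabs, newlines and control characters inside a scheme, so
    "java&#9;script:" is live; strip such characters before parsing instead of
    pattern-matching the raw string.
    """
    cleaned = "".join(ch for ch in value if ch.isprintable() and not ch.isspace())
    return urlsplit(cleaned).scheme.lower() in SAFE_SCHEMES


class AllowlistFilter:
    """The pluggable part: decides what happens to each element and attribute."""

    def classify(self, tag: str) -> str:
        if tag in ALLOWED_TAGS:
            return "keep"
        if tag in DROP_WITH_CONTENT:
            return "drop"      # element and everything inside it vanish
        return "unwrap"        # unknown element: tag removed, its text kept

    def keep_attr(self, tag: str, name: str, value: str) -> bool:
        if name not in ALLOWED_ATTRS.get(tag, set()):
            return False       # kills onerror=, onclick=, style=, srcdoc=, ...
        if name in URL_ATTRS and not safe_url(value):
            return False
        return True


class Sanitizer(HTMLParser):
    """Tokenize untrusted HTML and re-serialize only what the filter allows."""

    def __init__(self, flt):
        super().__init__(convert_charrefs=True)   # entities arrive decoded
        self.flt = flt
        self.out = []
        self.stack = []    # (tag, action) for each open non-void element

    def _dropping(self) -> bool:
        return any(action == "drop" for _, action in self.stack)

    def handle_starttag(self, tag, attrs):
        action = self.flt.classify(tag)
        if action == "keep" and not self._dropping():
            kept = "".join(
                f' {name}="{escape(value or "", quote=True)}"'
                for name, value in attrs
                if self.flt.keep_attr(tag, name, value or "")
            )
            self.out.append(f"<{tag}{kept}>")
        if tag not in VOID_TAGS:
            self.stack.append((tag, action))

    def handle_endtag(self, tag):
        if tag not in [t for t, _ in self.stack]:
            return             # stray close tag: ignore it
        while self.stack:      # close everything opened after this tag too
            t, action = self.stack.pop()
            if action == "keep" and not self._dropping():
                self.out.append(f"</{t}>")
            if t == tag:
                break

    def handle_data(self, data):
        if not self._dropping():
            self.out.append(escape(data, quote=False))   # text is always re-escaped

    # Comments, <!DOCTYPE> and <? ?> are silently discarded: HTMLParser's
    # default handle_comment/handle_decl/handle_pi do nothing.

    def result(self) -> str:
        if self.stack:                         # close elements left open
            self.handle_endtag(self.stack[0][0])
        return "".join(self.out)


def sanitize(html: str, flt=None) -> str:
    """Return well-formed HTML containing only what the filter allowed."""
    s = Sanitizer(flt or AllowlistFilter())
    s.feed(html)
    s.close()
    return s.result()


if __name__ == "__main__":
    # Constructed sample inputs, not data from the README.
    for sample in ('<p onclick="alert(1)">hi</p>',
                   '<a href="java&#9;script:alert(1)">x</a>',
                   '<b>unclosed <i>text'):
        print(repr(sample), "->", repr(sanitize(sample)))
```

Because decisions are made on parsed tokens rather than on the raw string, the same few
rules cover obfuscations that defeat a regex blacklist (an entity-encoded tab inside
"javascript:", a mixed-case onError attribute, a conditional comment) and also repair
structure (an unclosed <b> is closed on output). The caveat from the Guarantees section
still applies: a sanitizer whose tokenizer disagrees with the browser's is itself an attack
surface, so keep the allowlist small and re-test against new vectors.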
Guarantees?
===========
No guarantees. New holes are found regularly, and browser features or bugs may be introduced
that make your application vulnerable to attack vectors this library does not know about.
That is why the library cannot guarantee security. A lot of effort has, however, gone into
verifying its behaviour against known attack vectors; see the unit tests for those results.
LICENSE:
========
This work is released under the terms of the GNU General Public License, version 3 (GPL v3).
How to use the library:
=======================
Very simple. Wrap the parser in a Java method like one of the following:
-----------------------------------------------------------
import java.io.StringReader;
import java.io.StringWriter;

import com.blogspot.radialmind.html.HTMLParser;
import com.blogspot.radialmind.html.HandlingException;
import com.blogspot.radialmind.xss.XSSFilter;

public String filterHtmlForXSS( String html )
{
    StringReader reader = new StringReader( html );
    StringWriter writer = new StringWriter();
    try {
        // Parse the snippet, run the XSSFilter over the tree and write clean HTML
        HTMLParser.process( reader, writer, new XSSFilter(), true );
        return writer.toString();
    } catch (HandlingException e) {
        // Log and fail closed: never fall back to returning the unfiltered input
        throw new IllegalArgumentException( "Could not sanitize HTML", e );
    }
}
or:
import java.io.BufferedWriter;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileWriter;
import java.io.IOException;
import java.io.InputStreamReader;

import com.blogspot.radialmind.html.HTMLParser;
import com.blogspot.radialmind.html.HandlingException;
import com.blogspot.radialmind.xss.XSSFilter;

public File filterHtmlForXSSAndWriteToFile( String fileName )
    throws IOException, HandlingException
{
    // Standard JDK temp file; the original snippet used an unspecified FileUtils helper
    File result = File.createTempFile( "xssprotect", ".html" );
    // try-with-resources closes both streams even when filtering fails
    try ( InputStreamReader reader = new InputStreamReader( new FileInputStream( fileName ) );
          BufferedWriter writer = new BufferedWriter( new FileWriter( result ) ) ) {
        HTMLParser.process( reader, writer, new XSSFilter(), true );
        writer.flush();
    }
    return result;
}
-------------------------------------------------------