tags:

views:

320

answers:

2
+1  Q: 

How to sanitize HTML code in Java to prevent XSS attacks?

I'm looking for class/util etc. to sanitize HTML code i.e. remove dangerous tags, attributes and values to avoid XSS and similar attacks.

I get html code from rich text editor (e.g. TinyMCE) but it can be send malicious way around, ommiting TinyMCE validation ("Data submitted form off-site").

Is there anything as simple to use as InputFilter in PHP? Perfect solution I can imagine works like that (assume sanitizer is encapsulated in HtmlSanitizer class):

String unsanitized = "...<...>...";           // some potentially 
                                              // dangerous html here on input

HtmlSanitizer sat = new HtmlSanitizer();      // sanitizer util class created

String sanitized = sat.sanitize(unsanitized); // voila - sanitized is safe...

Update - the simpler solution, the better! Small util class with as little external dependencies on other libraries/frameworks as possible - would be best for me.

How about that?

A: 

One of the most basic things to do to prevent XSS attacks is to HTML encode special characters like <, >, &, " and ' to &lt; &gt; &amp; &quot; and &apos;. You can do this very easily using plain old string replace. This is a good start.

For more information you can check out - http://htmlencode.net/

Rahul  2010-08-05 09:30:22
encoding html tags and special chars is not good solution here. it would convert html to plaintext-alike format. html comes in, html (sanitized = safe) must come out.
WildWezyr  2010-08-05 10:15:05
+3  A: 
Vineet Reynolds  2010-08-05 09:56:42
this would require to rebuild architecture of my whole project. i'm not willing to do it. i need something simple without many dependencies and no need to change the way my code is organized (i like it the way it is now). so - i need just a util class to do the work. my question is now updated to clarify that requirement.
WildWezyr  2010-08-05 10:43:03
I'm not sure what you mean by rebuilding the architecture of the project. AntiSamy fits in perfectly into your requirement by allowing text editor inputs to be fed into a filtering library driven by a site policy.
Vineet Reynolds  2010-08-05 10:58:59
Hmmm. Seems you are right! I just thought it is big and heavy framework like struts, spring etc. and works as some kind of servlet filter ;-). Probably big letters in name ("OWASP") misled me here. BTW: what are exact dependencies of OWASP AntiSamy - what else will I need to use it?
WildWezyr  2010-08-05 12:10:48
The AntiSamy POM might give you a hint (the link provided later is from SVN, and should not be used directly). It does need a couple of other libraries, but I'm not sure how they're internally used by AntiSamy. Ref: http://code.google.com/p/owaspantisamy/source/browse/trunk/Java/current/antisamy-project/antisamy/pom.xml?r=149
Vineet Reynolds  2010-08-05 12:17:01

related questions

Autosizing Textarea
Regular expression for parsing links from a webpage?
What are good tools for creating compiled HTML help files (.chm)?
Looking for WYSIWYG HTML editor
Any reason not to start using the HTML 5 doctype?
HTML comments break down
HTML Comments Markup
Setting a div's height in HTML with CSS
Wrapping lists into columns
Is a "Confirm Email" input good practice when user changes email address?
<XMP> Tag
HTML version choice
Options for HTML scraping?
How do you disable browser Autocomplete on web form field / input tag?
How do I make a checkbox toggle from clicking on the text label as well?
Html CSS Editor
Wordpress theme development offline tools
How do I give my web sites an icon for iPhone?
In HTML, how to word-break on a dash?
Detecting font in JavaScript
How do you test layout design across multiple browsers/OSs?
How do I print an HTML document from a web service?
Multiple submit buttons on a HTML form
How can I determine a web user's time zone?
Why doesn't the percentage width child in absolutely positioned parent work in IE7?