XSS Security using AntiSamy in Spring MVC

https://stackoverflow.com/questions/20070801

31-07-2022
|

题

I want to filter the contents of all input tags from my HTML. I am using the AntiSamy filter, as of now my filter is filtering out complete html content (instead of input value only).

I am using the implementation provided here:

Github

Inside the doFilter method i am using this piece of code to scan the content

HttpServletResponseInvocationHandler invocationHandler = httpResponseInvocationHandlerFactory.build((HttpServletResponse) response);

CleanResults cleanResults = antiSamy.scan(invocationHandler.getContents(), policy);

whereas what i want is about:

CleanResults cleanResults = antiSamy.scan(request.getParameter("input"), policy);

So that only the content of input field is filtered.

here is the whole doFilter Method:

public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
    if (response instanceof HttpServletResponse) {
        HttpServletResponseInvocationHandler invocationHandler = httpResponseInvocationHandlerFactory.build((HttpServletResponse) response);
        HttpServletResponse proxiedResponse = httpResponseProxyFactory.build(invocationHandler);
        chain.doFilter(request, proxiedResponse);

        if ("text/html;charset=UTF-8".equals(proxiedResponse.getContentType())) {
            try {
                Policy policy = policyFileLoader.load(policyFile);
                antiSamy.setInputEncoding(inputEncoding);
                antiSamy.setOutputEncoding(outputEncoding);
                
                CleanResults cleanResults = antiSamy.scan(invocationHandler.getContents(), policy);
                log.info("Number of Errors: " + cleanResults.getNumberOfErrors());
                if (log.isDebugEnabled()) {
                    log.debug("Errors found: ");
                    List errors = cleanResults.getErrorMessages();
                    for (int i = 0; i < errors.size(); i++) {
                        log.debug("\t" + (i + 1) + ". " + errors.get(i));
                    }
                }
                log.info("Scan time (in seconds): " + cleanResults.getScanTime());
                response.getOutputStream().write(cleanResults.getCleanHTML().getBytes());
            } catch (ScanException e) {
                log.error(GENERIC_ERROR, e);
            } catch (PolicyException e) {
                log.error(GENERIC_ERROR, e);
            }
        } else {
 
            response.getOutputStream().write(invocationHandler.getBytes());
        }
    } else {
        chain.doFilter(request, response);
    }
}

I have tried it on ALL policy files provided by AntiSamy as default.

It'd be great if can get some help on this.

解决方案

Found the solution, the error was with the incorrect regular expression. Works well now.

许可以下： CC-BY-SA 和归因

不隶属于 StackOverflow