XSS Security using AntiSamy in Spring MVC

StackOverflow https://stackoverflow.com/questions/20070801

  •  31-07-2022
  •  | 
  •  

Question

I want to filter the contents of all input tags from my HTML. I am using the AntiSamy filter, as of now my filter is filtering out complete html content (instead of input value only).

I am using the implementation provided here:

Github

Inside the doFilter method i am using this piece of code to scan the content

HttpServletResponseInvocationHandler invocationHandler = httpResponseInvocationHandlerFactory.build((HttpServletResponse) response);

CleanResults cleanResults = antiSamy.scan(invocationHandler.getContents(), policy);

whereas what i want is about:

CleanResults cleanResults = antiSamy.scan(request.getParameter("input"), policy);

So that only the content of input field is filtered.

here is the whole doFilter Method:

public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
    if (response instanceof HttpServletResponse) {
        HttpServletResponseInvocationHandler invocationHandler = httpResponseInvocationHandlerFactory.build((HttpServletResponse) response);
        HttpServletResponse proxiedResponse = httpResponseProxyFactory.build(invocationHandler);
        chain.doFilter(request, proxiedResponse);

        if ("text/html;charset=UTF-8".equals(proxiedResponse.getContentType())) {
            try {
                Policy policy = policyFileLoader.load(policyFile);
                antiSamy.setInputEncoding(inputEncoding);
                antiSamy.setOutputEncoding(outputEncoding);
                
                CleanResults cleanResults = antiSamy.scan(invocationHandler.getContents(), policy);
                log.info("Number of Errors: " + cleanResults.getNumberOfErrors());
                if (log.isDebugEnabled()) {
                    log.debug("Errors found: ");
                    List errors = cleanResults.getErrorMessages();
                    for (int i = 0; i < errors.size(); i++) {
                        log.debug("\t" + (i + 1) + ". " + errors.get(i));
                    }
                }
                log.info("Scan time (in seconds): " + cleanResults.getScanTime());
                response.getOutputStream().write(cleanResults.getCleanHTML().getBytes());
            } catch (ScanException e) {
                log.error(GENERIC_ERROR, e);
            } catch (PolicyException e) {
                log.error(GENERIC_ERROR, e);
            }
        } else {
 
            response.getOutputStream().write(invocationHandler.getBytes());
        }
    } else {
        chain.doFilter(request, response);
    }
}

I have tried it on ALL policy files provided by AntiSamy as default.

It'd be great if can get some help on this.

Was it helpful?

Solution

Found the solution, the error was with the incorrect regular expression. Works well now.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top