XSS Security using AntiSamy in Spring MVC

StackOverflow https://stackoverflow.com/questions/20070801

  •  31-07-2022
  •  | 
  •  

문제

I want to filter the contents of all input tags from my HTML. I am using the AntiSamy filter, as of now my filter is filtering out complete html content (instead of input value only).

I am using the implementation provided here:

Github

Inside the doFilter method i am using this piece of code to scan the content

HttpServletResponseInvocationHandler invocationHandler = httpResponseInvocationHandlerFactory.build((HttpServletResponse) response);

CleanResults cleanResults = antiSamy.scan(invocationHandler.getContents(), policy);

whereas what i want is about:

CleanResults cleanResults = antiSamy.scan(request.getParameter("input"), policy);

So that only the content of input field is filtered.

here is the whole doFilter Method:

public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
    if (response instanceof HttpServletResponse) {
        HttpServletResponseInvocationHandler invocationHandler = httpResponseInvocationHandlerFactory.build((HttpServletResponse) response);
        HttpServletResponse proxiedResponse = httpResponseProxyFactory.build(invocationHandler);
        chain.doFilter(request, proxiedResponse);

        if ("text/html;charset=UTF-8".equals(proxiedResponse.getContentType())) {
            try {
                Policy policy = policyFileLoader.load(policyFile);
                antiSamy.setInputEncoding(inputEncoding);
                antiSamy.setOutputEncoding(outputEncoding);
                
                CleanResults cleanResults = antiSamy.scan(invocationHandler.getContents(), policy);
                log.info("Number of Errors: " + cleanResults.getNumberOfErrors());
                if (log.isDebugEnabled()) {
                    log.debug("Errors found: ");
                    List errors = cleanResults.getErrorMessages();
                    for (int i = 0; i < errors.size(); i++) {
                        log.debug("\t" + (i + 1) + ". " + errors.get(i));
                    }
                }
                log.info("Scan time (in seconds): " + cleanResults.getScanTime());
                response.getOutputStream().write(cleanResults.getCleanHTML().getBytes());
            } catch (ScanException e) {
                log.error(GENERIC_ERROR, e);
            } catch (PolicyException e) {
                log.error(GENERIC_ERROR, e);
            }
        } else {
 
            response.getOutputStream().write(invocationHandler.getBytes());
        }
    } else {
        chain.doFilter(request, response);
    }
}

I have tried it on ALL policy files provided by AntiSamy as default.

It'd be great if can get some help on this.

도움이 되었습니까?

해결책

Found the solution, the error was with the incorrect regular expression. Works well now.

라이센스 : CC-BY-SA ~와 함께 속성
제휴하지 않습니다 StackOverflow
scroll top