Found the solution, the error was with the incorrect regular expression. Works well now.
XSS Security using AntiSamy in Spring MVC
-
31-07-2022 - |
문제
I want to filter the contents of all input tags from my HTML. I am using the AntiSamy filter, as of now my filter is filtering out complete html content (instead of input value only).
I am using the implementation provided here:
Inside the doFilter method i am using this piece of code to scan the content
HttpServletResponseInvocationHandler invocationHandler = httpResponseInvocationHandlerFactory.build((HttpServletResponse) response);
CleanResults cleanResults = antiSamy.scan(invocationHandler.getContents(), policy);
whereas what i want is about:
CleanResults cleanResults = antiSamy.scan(request.getParameter("input"), policy);
So that only the content of input field is filtered.
here is the whole doFilter Method:
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
if (response instanceof HttpServletResponse) {
HttpServletResponseInvocationHandler invocationHandler = httpResponseInvocationHandlerFactory.build((HttpServletResponse) response);
HttpServletResponse proxiedResponse = httpResponseProxyFactory.build(invocationHandler);
chain.doFilter(request, proxiedResponse);
if ("text/html;charset=UTF-8".equals(proxiedResponse.getContentType())) {
try {
Policy policy = policyFileLoader.load(policyFile);
antiSamy.setInputEncoding(inputEncoding);
antiSamy.setOutputEncoding(outputEncoding);
CleanResults cleanResults = antiSamy.scan(invocationHandler.getContents(), policy);
log.info("Number of Errors: " + cleanResults.getNumberOfErrors());
if (log.isDebugEnabled()) {
log.debug("Errors found: ");
List errors = cleanResults.getErrorMessages();
for (int i = 0; i < errors.size(); i++) {
log.debug("\t" + (i + 1) + ". " + errors.get(i));
}
}
log.info("Scan time (in seconds): " + cleanResults.getScanTime());
response.getOutputStream().write(cleanResults.getCleanHTML().getBytes());
} catch (ScanException e) {
log.error(GENERIC_ERROR, e);
} catch (PolicyException e) {
log.error(GENERIC_ERROR, e);
}
} else {
response.getOutputStream().write(invocationHandler.getBytes());
}
} else {
chain.doFilter(request, response);
}
}
I have tried it on ALL policy files provided by AntiSamy as default.
It'd be great if can get some help on this.
해결책
제휴하지 않습니다 StackOverflow