Filtering JavaScript From HTML Content in Java (Sanitizing user input)

By Jason Harwig on December 1, 2007 3:56 PM | Permalink | Comments (0) | TrackBacks (0)

I gave a JavaScript security talk last month, and one of the topics was HTML filtering. I gave examples of how MySpace tried to filter executable code, while still allowing HTML tags for formatting. MySpace, of course, failed to foresee every attack vector, and the Samy worm was born.

HTML filtering was never recommended because it was so difficult to get right, and with no proven libraries, trying to build a solution would almost certainly contain security holes. Thanks to Arshan Dabirsiaghi we finally have something to use. He has created the OWASP AntiSamy project to easily sanitize HTML input. AntiSamy is currently implemented as a Java 1.5 compatible library, but there are plans to support other platforms.

Here's a sample usage


AntiSamy sanitizer = new AntiSamy();
CleanResults results = sanitizer.scan(request.getParameter("html"));
String html = results.getCleanHTML();
if (!results.getErrorMessages().isEmpty()) {
    log.warn("Input contains errors");
}

0 TrackBacks

Listed below are links to blogs that reference this entry: Filtering JavaScript From HTML Content in Java (Sanitizing user input).

TrackBack URL for this entry: http://www.nearinfinity.com/mt/mt-tb.cgi/428

We're Hiring!

Quick Links

Filtering JavaScript From HTML Content in Java (Sanitizing user input)

Categories:

Leave a comment

0 TrackBacks

Search

Categories

Author Archives

Tag Cloud