Ah, this looks interesting. So I might construct a filter that passes all parameters through the AntiSamy object's scan method, and simply overwrite the value of each one with the resulting getCleanHTML() method?
Is it that simple or am I missing something?

-a

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kai Virkki
> Sent: Sunday, June 22, 2008 10:32 AM
> To: General Discussion for the Resin application server
> Subject: Re: [Resin-interest] Input Sanitization
>
> Hi!
>
> There isn't any easy way to protect against XSS attacks and I
> don't know of any Servlet containers that would offer you any
> solutions to this. But there's a nice library called OWASP
> AntiSamy that you could use to validate user input:
>
> http://code.google.com/p/owaspantisamy/
>
> If you don't want to use a ready-made library, do select
> white-listing instead of black-listing when deciding what
> HTML tags are allowed for users to input.
>
> Cheers,
>
> Kai
>
>
> 2008/6/19 Aaron Freeman <[EMAIL PROTECTED]>:
> > Is there an easy way to sanitize input such that a user cannot inject
> > javascript via user input fields, or does sanitization have to occur
> > within each individual JSP that accepts user input? This could be
> > done either on the input side or on the output side I suppose. Does
> > anyone have experience with this that can share?
> >
> > Thanks,
> >
> > Aaron
> >
> > _______________________________________________
> > resin-interest mailing list
> > resin-interest@caucho.com
> > http://maillist.caucho.com/mailman/listinfo/resin-interest
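A servlet filter along the lines Aaron proposes, written here as an added example that is not part of the thread, of AntiSamy or of Resin. The container's parameter map is read-only, so the values are not overwritten in place but rewritten through an HttpServletRequestWrapper; code that reads getParameterMap() directly would bypass this wrapper. The filter class name, the classpath policy path "/antisamy-policy.xml" and the fail-closed handling of scan errors are assumptions.

```java
import java.io.IOException;
import java.util.Arrays;
import javax.servlet.*;
import javax.servlet.http.*;
import org.owasp.validator.html.*;

// Hypothetical filter; the policy path "/antisamy-policy.xml" on the classpath is an assumption.
public class AntiSamyParameterFilter implements Filter {
    private Policy policy;

    public void init(FilterConfig config) throws ServletException {
        try {
            // AntiSamy policies are white-lists: anything not listed is stripped.
            policy = Policy.getInstance(getClass().getResourceAsStream("/antisamy-policy.xml"));
        } catch (PolicyException e) {
            throw new ServletException("cannot load AntiSamy policy", e);
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // The container's parameters cannot be overwritten, so wrap the request instead.
        chain.doFilter(new SanitizingRequest((HttpServletRequest) req, policy), res);
    }

    public void destroy() {}

    // Every parameter read through this wrapper has been run through AntiSamy's scan().
    static class SanitizingRequest extends HttpServletRequestWrapper {
        private final Policy policy;

        SanitizingRequest(HttpServletRequest req, Policy policy) {
            super(req);
            this.policy = policy;
        }
        @Override public String getParameter(String name) {
            return clean(super.getParameter(name));
        }
        @Override public String[] getParameterValues(String name) {
            String[] values = super.getParameterValues(name);
            return values == null ? null : Arrays.stream(values).map(this::clean).toArray(String[]::new);
        }
        private String clean(String raw) {
            if (raw == null) return null;
            try {
                CleanResults results = new AntiSamy().scan(raw, policy);
                return results.getCleanHTML(); // markup the policy does not allow has been removed
            } catch (ScanException | PolicyException e) {
                return ""; // fail closed: drop a value that cannot be scanned (assumed choice)
            }
        }
    }
}
```

Sanitizing on the way in only covers fields that are meant to hold HTML; values rendered in other contexts (attributes, JavaScript, URLs) still need context-appropriate output encoding in the JSP.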