Hi!

Yeah, that's how you could use AntiSamy. I haven't yet used it,
because we have our own filter, but I sure plan to investigate it
further. I didn't find a schema file for the policy XML files, but
there are fairly comprehensive example policies on the download page.

Cheers,

Kai

2008/6/23 Aaron Freeman <[EMAIL PROTECTED]>:
> Ah, this looks interesting.  So I might construct a filter that passes all
> parameters through the AntiSamy object's scan method, and simply overwrite
> the value of each one with the resulting getCleanHTML() method?
>
> Is it that simple or am I missing something?
>
> -a
>
>> -----Original Message-----
>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED] On Behalf Of Kai Virkki
>> Sent: Sunday, June 22, 2008 10:32 AM
>> To: General Discussion for the Resin application server
>> Subject: Re: [Resin-interest] Input Sanitization
>>
>> Hi!
>>
>> There isn't any easy way to protect against XSS attacks and I
>> don't know of any Servlet containers that would offer you any
>> solutions to this. But there's a nice library called OWASP
>> AntiSamy that you could use to validate user input:
>>
>> http://code.google.com/p/owaspantisamy/
>>
>> If you don't want to use a ready-made library, do select
>> white-listing instead of black-listing when deciding what
>> HTML tags are allowed for users to input.
>>
>> Cheers,
>>
>> Kai
>>
>>
>> 2008/6/19 Aaron Freeman <[EMAIL PROTECTED]>:
>> > Is there an easy way to sanitize input such that a user cannot inject
>> > javascript via user input fields, or does sanitation have to occur
>> > within each individual JSP that accepts user input?  This could be
>> > done either on the input side or on the output side I suppose.  Does
>> > anyone have experience with this that can share?
>> >
>> > Thanks,
>> >
>> > Aaron
>> >
>> >
>> >
>> > _______________________________________________
>> > resin-interest mailing list
>> > resin-interest@caucho.com
>> > http://maillist.caucho.com/mailman/listinfo/resin-interest
>> >
>>
>>
>>
>
>
>
>
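The filter Aaron sketches above (every parameter through AntiSamy's scan(), each value replaced by getCleanHTML()) written out as a servlet Filter plus request wrapper. This is an added example for this thread, not code from Kai, Aaron, AntiSamy or Resin; it assumes the javax.servlet 2.x API and the AntiSamy classes org.owasp.validator.html.AntiSamy, Policy, CleanResults, ScanException and PolicyException, and a policy file whose location is supplied as a filter init-param named policyFile (that init-param name is this example's own choice).

```java
import java.io.IOException;
import java.io.InputStream;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

/**
 * Servlet filter that runs every request parameter through AntiSamy and
 * hands the servlets/JSPs behind it a request whose parameters are the
 * cleaned HTML. The policy is loaded once, at filter init.
 */
public class AntiSamyParameterFilter implements Filter {

    private Policy policy;

    public void init(FilterConfig config) throws ServletException {
        // web.xml (assumed layout for this example):
        //   <init-param><param-name>policyFile</param-name>
        //               <param-value>/WEB-INF/antisamy-policy.xml</param-value></init-param>
        String policyPath = config.getInitParameter("policyFile");
        if (policyPath == null) {
            throw new ServletException("policyFile init-param is required");
        }
        InputStream in = config.getServletContext().getResourceAsStream(policyPath);
        if (in == null) {
            throw new ServletException("AntiSamy policy not found: " + policyPath);
        }
        try {
            policy = Policy.getInstance(in);
        } catch (PolicyException e) {
            throw new ServletException("invalid AntiSamy policy", e);
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            req = new SanitizedRequest((HttpServletRequest) req, policy);
        }
        chain.doFilter(req, res);
    }

    public void destroy() {
    }

    /** Request wrapper whose parameter accessors return AntiSamy-cleaned values. */
    static class SanitizedRequest extends HttpServletRequestWrapper {
        private final Map<String, String[]> clean = new LinkedHashMap<String, String[]>();

        SanitizedRequest(HttpServletRequest request, Policy policy) throws ServletException {
            super(request);
            AntiSamy antiSamy = new AntiSamy();
            Map<?, ?> raw = request.getParameterMap();
            for (Map.Entry<?, ?> e : raw.entrySet()) {
                String[] values = (String[]) e.getValue();
                String[] cleaned = new String[values.length];
                for (int i = 0; i < values.length; i++) {
                    cleaned[i] = scan(antiSamy, policy, values[i]);
                }
                clean.put((String) e.getKey(), cleaned);
            }
        }

        private static String scan(AntiSamy antiSamy, Policy policy, String value)
                throws ServletException {
            try {
                CleanResults r = antiSamy.scan(value, policy);
                return r.getCleanHTML();
            } catch (ScanException e) {
                // Fail closed: a value AntiSamy cannot parse is rejected, not passed through.
                throw new ServletException("AntiSamy rejected a parameter", e);
            } catch (PolicyException e) {
                throw new ServletException("AntiSamy policy error", e);
            }
        }

        public String getParameter(String name) {
            String[] v = clean.get(name);
            return (v == null || v.length == 0) ? null : v[0];
        }

        public String[] getParameterValues(String name) {
            String[] v = clean.get(name);
            return v == null ? null : v.clone();
        }

        public Map<String, String[]> getParameterMap() {
            return Collections.unmodifiableMap(clean);
        }
    }
}
```

Map the filter in web.xml to the URL patterns that accept user-supplied HTML. Two points the thread's "is it that simple" question deserves: the wrapper must override all three parameter accessors, otherwise a JSP calling getParameterMap() still sees the raw values; and AntiSamy's white-list policy cleans HTML body content only, so values that are later placed into attributes, URLs or inline script in a JSP still need output-side encoding for that context, which is the output-side half of Aaron's original question.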

