Martin,
out of curiosity - why was it necessary to add all of the additional regexes in addition to using ESAPI? Didn't ESAPI contain the needed APIs to perform the filtering with it alone?
Cheers,
Alex K
On Fri, Aug 17, 2012 at 3:16 AM, kheldar666 mar...@liber-mundi.org wrote:
Hi all,
I am posting this because I had some headaches finding the proper solution, and it seems that nobody has posted a similar approach here.
First step, in AppModule.java:

import org.apache.tapestry5.ioc.OrderedConfiguration;
import org.apache.tapestry5.ioc.ServiceBinder;
import org.apache.tapestry5.ioc.annotations.Contribute;
import org.apache.tapestry5.ioc.annotations.InjectService;
import org.apache.tapestry5.services.RequestFilter;
import org.apache.tapestry5.services.RequestHandler;
import org.libermundi.theorcs.core.tapestry.services.xss.XSSRequestFilterImpl;

public class AppModule {

    public static void bind(ServiceBinder binder) {
        // Register the filter as a service so it can be injected by id below
        binder.bind(RequestFilter.class, XSSRequestFilterImpl.class).withId("XSSRequestFilter");
    }

    /*
     * XSS Filtering
     */
    @Contribute(RequestHandler.class)
    public static void requestHandler(OrderedConfiguration<RequestFilter> configuration,
                                      @InjectService("XSSRequestFilter") RequestFilter xssFilter) {
        // Run after the static-files filter and before request state is stored into globals
        configuration.add("XSSRequestFilter", xssFilter, "after:StaticFiles", "before:StoreIntoGlobals");
    }
}
Second step, you can take a look at the XSSRequestFilterImpl class:
http://code.google.com/p/theorcs/source/browse/trunk/core/src/main/java/org/libermundi/theorcs/core/tapestry/services/xss/XSSRequestFilterImpl.java
And then the XSSRequestWrapper class:
http://code.google.com/p/theorcs/source/browse/trunk/core/src/main/java/org/libermundi/theorcs/core/tapestry/services/xss/XSSRequestWrapper.java
The code of the Wrapper is inspired by this article:
http://ricardozuasti.com/2012/stronger-anti-cross-site-scripting-xss-filter-for-java-web-apps/
But I slightly changed it in order to allow people to use Rich Text that includes images.
Hope this will be useful to someone :)
Also, if you have any feedback, feel free to share.
Martin
--
View this message in context:
http://tapestry.1045711.n5.nabble.com/Sharing-How-to-setup-a-Global-XSS-Filter-in-Tapestry-5-tp5715533.html
Sent from the Tapestry - User mailing list archive at Nabble.com.
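Added example of the wrapper pattern the post describes (illustrative code, not the XSSRequestFilterImpl/XSSRequestWrapper linked above): a RequestFilter that hands the rest of the pipeline a wrapped Request whose parameter values have been run through a sanitizer, bound exactly as the AppModule above does. It assumes Tapestry's org.apache.tapestry5.services.DelegatingRequest (5.1 or later) and uses a small denylist in place of ESAPI; a denylist like this is easily bypassed, so treat it as defence in depth and keep encoding output in templates.

```java
import java.io.IOException;
import java.util.regex.Pattern;
import org.apache.tapestry5.services.DelegatingRequest;
import org.apache.tapestry5.services.Request;
import org.apache.tapestry5.services.RequestFilter;
import org.apache.tapestry5.services.RequestHandler;
import org.apache.tapestry5.services.Response;

// Illustrative stand-in for the linked XSSRequestFilterImpl + XSSRequestWrapper pair.
// Bind it like the post's AppModule does: binder.bind(RequestFilter.class, ...).withId("XSSRequestFilter").
public class ParameterSanitizingRequestFilter implements RequestFilter {

    // Denylist of script-bearing constructs removed from parameter values.
    // <img> tags survive (the post wants rich text with images); only their
    // event-handler attributes and javascript: URLs are stripped.
    private static final Pattern[] DENY = {
        Pattern.compile("<script\\b.*?</script\\s*>", Pattern.CASE_INSENSITIVE | Pattern.DOTALL),
        Pattern.compile("javascript\\s*:", Pattern.CASE_INSENSITIVE),
        Pattern.compile("\\son\\w+\\s*=\\s*(\"[^\"]*\"|'[^']*'|[^\\s>]+)", Pattern.CASE_INSENSITIVE),
    };

    static String sanitize(String value) {
        if (value == null) return null;
        String out = value;
        for (Pattern p : DENY) out = p.matcher(out).replaceAll("");
        return out;
    }

    public boolean service(Request request, Response response, RequestHandler handler)
            throws IOException {
        // DelegatingRequest(Request) is assumed to exist; every filter after this one
        // (including StoreIntoGlobals) sees the wrapped request, not the raw one.
        Request sanitized = new DelegatingRequest(request) {
            @Override
            public String getParameter(String name) {
                return sanitize(super.getParameter(name));
            }

            @Override
            public String[] getParameters(String name) {
                String[] raw = super.getParameters(name);
                if (raw == null) return null;
                String[] clean = new String[raw.length];
                for (int i = 0; i < raw.length; i++) clean[i] = sanitize(raw[i]);
                return clean;
            }
        };
        return handler.service(sanitized, response);
    }
}
```

Because this runs before StoreIntoGlobals, page code that reads parameters through the injected Request only ever sees sanitized values; anything that reaches the raw HttpServletRequest directly bypasses it.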