Hi, If you want to escape HTML, you can use the Jakarta Commons-Lang StringEscapeUtils class: http://jakarta.apache.org/commons/lang/apidocs/org/apache/commons/lang/StringEscapeUtils.html#escapeHtml(java.lang.String) Escaping the text at render time turns the markup characters into entities, so the browser never interprets the user's input as HTML and you do not have to enumerate every dangerous tag or attribute yourself.
Personally, I am using the Radeox Wiki engine (http://www.radeox.org/space/start) to render all of my free-form text areas. Regards, Sami Le jeudi 15 mars 2007 à 01:15 -0400, Joseph McGranaghan a écrit : > Are you allowing the user to redisplay any entered HTML ala myspace? > > I'm working on a solution for this right now. For this situation, I'm > filtering it in action before it is saved to DB. > > Here are some REs and a simple function: > > > private final static String XSS_BIG_OBJECTS_FILTER = > "(((<\\s*[Aa][Pp][Pp][Ll][Ee][Tt].*>.*<\\s*/.*[Aa][Pp][Pp][Ll][Ee][Tt]\\s*>)|(<\\s*[Aa][Pp][Pp][Ll][Ee][Tt].*/\\s*>))|"+ > > > "((<\\s*[Oo][Bb][Jj][Ee][Cc][Tt].*>.*<\\s*/.*[Oo][Bb][Jj][Ee][Cc][Tt]\\s*>)|(<\\s*[Oo][Bb][Jj][Ee][Cc][Tt].*/\\s*>))|"+ > > > "((<\\s*[Ss][Cc][Rr][Ii][Pp][Tt].*>.*<\\s*/.*[Ss][Cc][Rr][Ii][Pp][Tt]\\s*>)|(<\\s*[Ss][Cc][Rr][Ii][Pp][Tt].*/\\s*>))|"+ > > > "((<\\s*[Ee][Mm][Bb][Ee][Dd].*>.*<\\s*/.*[Ee][Mm][Bb][Ee][Dd]\\s*>)|(<\\s*[Ee][Mm][Bb][Ee][Dd].*/\\s*>))|"+ > > > "(=\\s*[\"\']*\\s*[Jj][Aa][Vv][Aa][Ss][Cc][Rr][Ii][Pp][Tt]\\s*:.*[\"\']))"; > > > private final static String XSS_BIG_TAGS_FILTER = > "(((<\\s*[Ss][Ee][Rr][Vv][Ee][Rr].*>.*<\\s*/.*[Ss][Ee][Rr][Vv][Ee][Rr]\\s*>)|(<\\s*[Ss][Ee][Rr][Vv][Ee][Rr].*/\\s*>))|"+ > > > "((<\\s*[Ff][Rr][Aa][Mm][Ee].*>.*<\\s*/.*[Ff][Rr][Aa][Mm][Ee]\\s*>)|(<\\s*[Ff][Rr][Aa][Mm][Ee].*/\\s*>))|"+ > > > "((<\\s*[Ii][Ff][Rr][Aa][Mm][Ee].*>.*<\\s*/.*[Ii][Ff][Rr][Aa][Mm][Ee]\\s*>)|(<\\s*[Ii][Ff][Rr][Aa][Mm][Ee].*/\\s*>))|"+ > > > "((<\\s*[Ff][Rr][Aa][Mm][Ee][Ss][Ee][Tt].*>.*<\\s*/.*[Ff][Rr][Aa][Mm][Ee][Ss][Ee][Tt]\\s*>)|(<\\s*[Ff][Rr][Aa][Mm][Ee][Ss][Ee][Tt].*/\\s*>)))"; > > > > /* > * No relative URLs > * No cross-domain URLs > * > * Tags ( a,img,form,ilayer ) > */ > private final static String XSS_NOT_HTTP_RE = > "([^Hh]|[Hh][^Tt]|[Hh][Tt][^Tt]|[Hh][Tt][Tt][^Pp])*"; > > private final static String > XSS_NOT_RELATIVE_NOR_XDOMAIN_LINKS_FILTER = > "((<\\s*[Aa].*[Hh][Rr][Ee][Ff]\\s*=.*"+XSS_NOT_HTTP_RE+".*>.*>)|"+ > > 
"(<\\s*[Aa].*[Hh][Rr][Ee][Ff]\\s*=.*[Ee]-[Cc][Oo][Aa][Ll][Ee][Ss][Cc][Ee].*>.*>))"; > > > > /* > * handle img|ilayer src attributes > */ > private final static String XSS_NOT_RELATIVE_NOR_XDOMAIN_SRC_FILTER > = > "((<\\s*[Ii]([Mm][Gg]|[Ll][Aa][Yy][Ee][Rr]).*[Ss][Rr][Cc]\\s*=.*"+XSS_NOT_HTTP_RE+".*>.*>)|"+ > > "(<\\s*[Ii]([Mm][Gg]|[Ll][Aa][Yy][Ee][Rr]).*[Ss][Rr][Cc]\\s*=.*[Ee]-[Cc][Oo][Aa][Ll][Ee][Ss][Cc][Ee].*>.*>))"; > > > > > /* > * form tags allowed, but action cannot be relative or xdomain > */ > private final static String XSS_FORMS_FILTER = > "((<\\s*[Ff][Oo][Rr][Mm].*[Aa][Cc][Tt][Ii][Oo][Nn]\\s*=.*"+XSS_NOT_HTTP_RE+".*>.*<\\s*/\\s*[Ff][Oo][Rr][Mm]\\s*>)|"+ > > "(<\\s*[Ff][Oo][Rr][Mm].*[Aa][Cc][Tt][Ii][Oo][Nn]\\s*=.*[Ee]-[Cc][Oo][Aa][Ll][Ee][Ss][Cc][Ee].*>.*<\\s*/\\s*[Ff][Oo][Rr][Mm]\\s*>))"; > > > > > /* > * target attributes need to be replaced with target='_blank' > */ > private final static String XSS_TARGET_ATTRIBUTES_FILTER = > "\\s*[Tt][Aa][Rr][Gg][Ee][Tt]\\s*=\\s*((\'.*\')|(\".*\")|(_.*\\s*))"; > > private final static String BLANK_TARGET = " target=_blank "; > > > private String filterForHTMLRedisplay(String html){ > > String filtered = null; > > try{ > > RE reObjects = new RE(FormUtils.XSS_BIG_OBJECTS_FILTER); > filtered = reObjects.subst(html," "); > > RE reTags = new RE(FormUtils.XSS_BIG_TAGS_FILTER); > filtered = reTags.subst(filtered," "); > > RE reLinks = new > RE(FormUtils.XSS_NOT_RELATIVE_NOR_XDOMAIN_LINKS_FILTER); > filtered = reLinks.subst(filtered," "); > > RE reSrc = new > RE(FormUtils.XSS_NOT_RELATIVE_NOR_XDOMAIN_SRC_FILTER); > filtered = reSrc.subst(filtered," "); > > RE reForms = new RE(FormUtils.XSS_FORMS_FILTER); > filtered = reForms.subst(filtered," "); > > RE reTarget = new RE(FormUtils.XSS_TARGET_ATTRIBUTES_FILTER); > filtered = reTarget.subst(filtered,FormUtils.BLANK_TARGET); > > }catch(Exception e){ > > if(DEBUG){ > System.out.println("\nFormUtils.filterForHTMLRedisplay: > "+e.getMessage()+"\n"); > } > } > > if(filtered==null){ 
> return (""); > }else{ > return ("\n<!--NO_EVAL-->\n\n"+filtered); > } > } > > > Again, I did most of this tonight so I haven't even run it yet. > But I'd love some feedback if I'm fundamentally wrong. > > Oh, the <!--NO_EVAL--> thing is so my AJAX execScript function knows not to > eval() any of this, just in case my REs don't catch everything. > > > -Joe > > > > > rapsy wrote: > > Hi All, > > > > I am trying to find the best solution to prevent cross-site scripting attacks. > > I wrote a method to filter out all the bad characters. But my question is > > where should I call this method? > > At the form level, in the setter methods, at the Action level, or in a filter? > > > > I think a filter is a good option but I am not sure how to implement that. > > > > Any help is appreciated! > > Thanks > > > > > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]