XSS filtering for comments and blog posts
-----------------------------------------
Key: ROL-1727
URL: https://issues.apache.org/roller/browse/ROL-1727
Project: Roller
Issue Type: Bug
Components: Antispam, Authentication, Roles and Access Controls,
Comments, Page Rendering & Management, User Management, Weblog Editor
Affects Versions: 4.0
Reporter: Nick Lothian
Assignee: Roller Unassigned
This set of classes will filter potential XSS attacks from comments and blog
posts. Without it, users could potentially use an XSS attack to take over an
admin account (for example).
This uses AntiSamy
(http://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project) to remove
potential attack vectors. The attached AntiSamy jar has been modified to
support config loading from the classpath, instead of from the file system.
To build, copy the classes to the appropriate locations in your source tree and
the antisammy jar to the WEB-INF\lib directory.
To use, add

    <filter>
        <filter-name>JavaScriptStrippingFilter</filter-name>
        <filter-class>org.apache.roller.myedna.filters.JavaScriptStrippingFilter</filter-class>
    </filter>

and

    <filter-mapping>
        <filter-name>JavaScriptStrippingFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

to your web.xml.
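As an added example (not the attached classes, whose source is not on the page), here is a servlet filter of the kind described above, written against the current AntiSamy API (`Policy.getInstance(InputStream)` and `AntiSamy.scan(String, Policy)`); the class name and the classpath policy file name `antisamy-roller.xml` are placeholders.

```java
import java.io.IOException;
import java.io.InputStream;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import org.owasp.validator.html.*;

/** Sanitizes every request parameter through AntiSamy before Roller sees it. */
public class AntiSamySanitizingFilter implements Filter {
    private final AntiSamy antiSamy = new AntiSamy();
    private Policy policy;

    public void init(FilterConfig config) throws ServletException {
        // Policy file is read from the classpath (placeholder name), not the file system
        InputStream in = getClass().getClassLoader().getResourceAsStream("antisamy-roller.xml");
        if (in == null) throw new ServletException("AntiSamy policy not found on classpath");
        try { policy = Policy.getInstance(in); }
        catch (PolicyException e) { throw new ServletException("Bad AntiSamy policy", e); }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        chain.doFilter(new SanitizedRequest((HttpServletRequest) req), res);
    }

    public void destroy() {}

    /** Wrapper returning AntiSamy-cleaned values from getParameter/getParameterValues. */
    private class SanitizedRequest extends HttpServletRequestWrapper {
        SanitizedRequest(HttpServletRequest r) { super(r); }

        @Override public String getParameter(String name) {
            return clean(super.getParameter(name));
        }

        @Override public String[] getParameterValues(String name) {
            String[] raw = super.getParameterValues(name);
            if (raw == null) return null;
            String[] out = new String[raw.length];
            for (int i = 0; i < raw.length; i++) out[i] = clean(raw[i]);
            return out;
        }

        private String clean(String value) {
            if (value == null) return null;
            try {
                // Strips script tags, event handlers and anything else the policy forbids
                return antiSamy.scan(value, policy).getCleanHTML();
            } catch (Exception e) {  // ScanException or PolicyException
                return "";  // fail closed: discard input the sanitizer could not parse
            }
        }
    }
}
```

Mapping the filter to `/*` as in the web.xml above rewrites every parameter on every request; narrowing the `url-pattern` to the comment and entry-saving URLs keeps unrelated form fields from being altered.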
--
This message is automatically generated by JIRA.