[
https://issues.apache.org/jira/browse/ROL-1727?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13545598#comment-13545598
]
Glen Mazza commented on ROL-1727:
---------------------------------
Dave: Was this fixed already in 5.0.1 (the anti-XSS patch?)
> XSS filtering for comments and blog posts
> -----------------------------------------
>
> Key: ROL-1727
> URL: https://issues.apache.org/jira/browse/ROL-1727
> Project: Roller
> Issue Type: Bug
> Components: Antispam, Authentication, Roles and Access Controls,
> Comments, Page Rendering & Management, User Management, Weblog Editor
> Affects Versions: 4.0
> Reporter: Nick Lothian
> Assignee: Roller Unassigned
> Attachments: antisamy-bin.1.1.1.jar, antisamy-myspace-1.1.1.xml,
> JavaScriptStrippingFilter.java, Utils.java
>
>
> This set of classes will filter potential XSS attacks from comments and blog
> posts. Without it, users could potentially use an XSS attack to take over an
> admin account (for example).
> This uses AntiSamy
> (http://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project) to remove
> potential attack vectors. The attached AntiSamy jar has been modified to
> support config loading from the classpath, instead of from the file system.
> To build, copy the classes to the appropriate locations in your source tree
> and the AntiSamy jar to the WEB-INF\lib directory.
> To use, add
>
>     <filter>
>         <filter-name>JavaScriptStrippingFilter</filter-name>
>         <filter-class>org.apache.roller.myedna.filters.JavaScriptStrippingFilter</filter-class>
>     </filter>
>
> and
>
>     <filter-mapping>
>         <filter-name>JavaScriptStrippingFilter</filter-name>
>         <url-pattern>/*</url-pattern>
>     </filter-mapping>
>
> to your web.xml.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
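The issue description above sketches a servlet filter that runs every request parameter through AntiSamy before Roller sees it. The class below is an added illustration of that pattern and is not the JavaScriptStrippingFilter.java attached to ROL-1727 nor any Roller code; it assumes the standard AntiSamy API (org.owasp.validator.html.AntiSamy, Policy, CleanResults), a policy file named /antisamy-policy.xml on the classpath (hypothetical name; the issue attaches antisamy-myspace-1.1.1.xml), and the javax.servlet 3.x API. Loading the policy via Policy.getInstance(InputStream) gives the classpath loading the reporter patched into the jar without modifying AntiSamy.

```java
package example.filters; // hypothetical package, not the issue's org.apache.roller.myedna.filters

import java.io.IOException;
import java.io.InputStream;
import java.util.Arrays;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

/**
 * Sanitises every request parameter through an AntiSamy policy before the
 * application reads it. Illustrative code, not the filter attached to ROL-1727.
 */
public class HtmlSanitizingFilter implements Filter {

    /** Policy file looked up on the classpath (hypothetical resource name). */
    private static final String POLICY_RESOURCE = "/antisamy-policy.xml";

    private Policy policy;

    @Override
    public void init(FilterConfig config) throws ServletException {
        try (InputStream in = getClass().getResourceAsStream(POLICY_RESOURCE)) {
            if (in == null) {
                throw new ServletException("Missing AntiSamy policy " + POLICY_RESOURCE);
            }
            policy = Policy.getInstance(in);
        } catch (IOException | PolicyException e) {
            // Fail closed: a filter that cannot load its policy must not start
            // and silently pass raw input through.
            throw new ServletException("Cannot load AntiSamy policy", e);
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            chain.doFilter(new SanitizingRequest((HttpServletRequest) req, policy), res);
        } else {
            chain.doFilter(req, res);
        }
    }

    @Override
    public void destroy() {
        // nothing to release
    }

    /** Runs AntiSamy over one value and returns the cleaned HTML; null stays null. */
    static String sanitize(AntiSamy antiSamy, Policy policy, String value) {
        if (value == null) {
            return null;
        }
        try {
            CleanResults results = antiSamy.scan(value, policy);
            return results.getCleanHTML();
        } catch (ScanException | PolicyException e) {
            // Fail closed: input the scanner cannot process is rejected outright
            // rather than forwarded unchanged.
            throw new IllegalStateException("AntiSamy could not scan parameter", e);
        }
    }

    /** Request wrapper that cleans parameters on every read. */
    static final class SanitizingRequest extends HttpServletRequestWrapper {
        private final AntiSamy antiSamy = new AntiSamy();
        private final Policy policy;

        SanitizingRequest(HttpServletRequest request, Policy policy) {
            super(request);
            this.policy = policy;
        }

        @Override
        public String getParameter(String name) {
            return sanitize(antiSamy, policy, super.getParameter(name));
        }

        @Override
        public String[] getParameterValues(String name) {
            String[] raw = super.getParameterValues(name);
            if (raw == null) {
                return null;
            }
            // Clean each value; Arrays.stream keeps the original ordering.
            return Arrays.stream(raw)
                    .map(v -> sanitize(antiSamy, policy, v))
                    .toArray(String[]::new);
        }
    }
}
```

Two practical points when wiring this into web.xml as the issue suggests: a url-pattern of /* sanitises every parameter on every request, including fields that are never rendered as HTML (passwords, search terms, configuration values), so a narrower pattern covering the comment and weblog-editor URLs, or sanitising at the point where the post or comment is stored, limits collateral damage; and AntiSamy only addresses HTML that is meant to be rendered, so plain-text fields still need context-appropriate output encoding in the templates.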