Ah, this looks interesting. So I might construct a filter that passes all
parameters through the AntiSamy object's scan method, and simply overwrite
the value of each one with the resulting getCleanHTML() method?
Is it that simple or am I missing something?
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Kai Virkki
> Sent: Sunday, June 22, 2008 10:32 AM
> To: General Discussion for the Resin application server
> Subject: Re: [Resin-interest] Input Sanitization
> There isn't any easy way to protect against XSS attacks and I
> don't know of any Servlet containers that would offer you any
> solutions to this. But there's a nice library called OWASP
> AntiSamy that you could use to validate user input:
> If you don't want to use a ready-made library, do select
> white-listing instead of black-listing when deciding what
> HTML tags are allowed for users to input.
> 2008/6/19 Aaron Freeman <[EMAIL PROTECTED]>:
> > Is there an easy way to sanitize input such that a user cannot inject
> > within each individual JSP that accepts user input? This could be
> > done either on the input side or on the output side I suppose. Does
> > anyone have experience with this that can share?
> > Thanks,
> > Aaron
> > _______________________________________________
> > resin-interest mailing list
> > firstname.lastname@example.org
> > http://maillist.caucho.com/mailman/listinfo/resin-interest
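The filter sketched in the top message, written out as an added example (this is not code from the thread, from Resin, or from the AntiSamy project). It wraps the request so that every parameter value a downstream JSP reads has already been through AntiSamy's scan() and replaced with getCleanHTML(). The init-param name "policyFile" and the class names AntiSamyParameterFilter and CleanedRequest are assumptions; the AntiSamy calls themselves (Policy.getInstance, AntiSamy.scan, CleanResults.getCleanHTML) are the library's real API.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

/**
 * Servlet filter that runs every request parameter through AntiSamy.
 * Assumed (not from the thread): the whitelist policy XML is given by the
 * filter init-param "policyFile", and the AntiSamy jar is on the classpath.
 */
public class AntiSamyParameterFilter implements Filter {

    private Policy policy;
    private AntiSamy antiSamy;

    public void init(FilterConfig config) throws ServletException {
        String policyFile = config.getInitParameter("policyFile"); // hypothetical init-param
        try {
            policy = Policy.getInstance(policyFile); // whitelist of allowed tags/attributes
        } catch (PolicyException e) {
            throw new ServletException("Cannot load AntiSamy policy: " + policyFile, e);
        }
        antiSamy = new AntiSamy();
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            // Cleaning happens eagerly here so scan failures surface as a
            // ServletException instead of an unclean value leaking through.
            req = new CleanedRequest((HttpServletRequest) req);
        }
        chain.doFilter(req, res);
    }

    public void destroy() {
    }

    /** Scans one value against the policy and returns the cleaned HTML. */
    private String clean(String value) throws ServletException {
        if (value == null) {
            return null;
        }
        try {
            CleanResults cr = antiSamy.scan(value, policy);
            return cr.getCleanHTML();
        } catch (ScanException e) {
            throw new ServletException("AntiSamy could not scan a parameter", e);
        } catch (PolicyException e) {
            throw new ServletException("AntiSamy policy error", e);
        }
    }

    /** Request wrapper whose parameter accessors return the cleaned values. */
    private class CleanedRequest extends HttpServletRequestWrapper {
        private final Map<String, String[]> cleaned = new HashMap<String, String[]>();

        @SuppressWarnings("unchecked")
        CleanedRequest(HttpServletRequest request) throws ServletException {
            super(request);
            Map<String, String[]> raw = request.getParameterMap();
            for (Map.Entry<String, String[]> e : raw.entrySet()) {
                String[] values = e.getValue();
                String[] out = new String[values.length];
                for (int i = 0; i < values.length; i++) {
                    out[i] = clean(values[i]);
                }
                cleaned.put(e.getKey(), out);
            }
        }

        public String getParameter(String name) {
            String[] v = cleaned.get(name);
            return (v == null || v.length == 0) ? null : v[0];
        }

        public String[] getParameterValues(String name) {
            String[] v = cleaned.get(name);
            return v == null ? null : v.clone();
        }

        public Map<String, String[]> getParameterMap() {
            return Collections.unmodifiableMap(cleaned);
        }

        public Enumeration<String> getParameterNames() {
            return Collections.enumeration(cleaned.keySet());
        }
    }
}
```

Two practical caveats before mapping this to `/*`. First, AntiSamy serialises its output as HTML, so parameters that were never meant to hold markup (numeric ids, e-mail addresses, passwords) may come back entity-encoded or otherwise altered; a realistic deployment scopes the filter to the URLs or parameter names that accept rich text. Second, this is input cleaning against a whitelist policy, as Kai suggested; it does not replace output encoding in the JSPs for values that reach the page through other paths (database, session, headers).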