Yeah, that's how you could use AntiSamy. I haven't yet used it,
because we have our own filter, but I sure plan to investigate it
further. I didn't find a schema file for the policy XML files, but
there are fairly comprehensive example policies on the download page.
2008/6/23 Aaron Freeman <[EMAIL PROTECTED]>:
> Ah, this looks interesting. So I might construct a filter that passes all
> parameters through the AntiSamy object's scan method, and simply overwrite
> the value of each one with the resulting getCleanHTML() method?
> Is it that simple or am I missing something?
>> -----Original Message-----
>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED] On Behalf Of Kai Virkki
>> Sent: Sunday, June 22, 2008 10:32 AM
>> To: General Discussion for the Resin application server
>> Subject: Re: [Resin-interest] Input Sanitization
>> There isn't any easy way to protect against XSS attacks and I
>> don't know of any Servlet containers that would offer you any
>> solutions to this. But there's a nice library called OWASP
>> AntiSamy that you could use to validate user input:
>> If you don't want to use a ready-made library, do select
>> white-listing instead of black-listing when deciding what
>> HTML tags are allowed for users to input.
>> 2008/6/19 Aaron Freeman <[EMAIL PROTECTED]>:
>> > Is there an easy way to sanitize input such that a user cannot inject
>> > within each individual JSP that accepts user input? This could be
>> > done either on the input side or on the output side I suppose. Does
>> > anyone have experience with this that can share?
>> > Thanks,
>> > Aaron
>> > _______________________________________________
>> > resin-interest mailing list
>> > firstname.lastname@example.org
>> > http://maillist.caucho.com/mailman/listinfo/resin-interest
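The filter Aaron sketches above (every request parameter through AntiSamy's scan(), the value replaced by getCleanHTML()), as an added example written for this page rather than code from the thread, from Resin or from AntiSamy. The class names and the policy file location under WEB-INF are assumptions.

```java
import java.io.IOException;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;
import org.owasp.validator.html.*;
// Hypothetical servlet filter (not from AntiSamy or Resin): each request
// parameter is run through AntiSamy.scan() and replaced by getCleanHTML().
public class AntiSamyFilter implements Filter {
    private Policy policy;
    public void init(FilterConfig cfg) throws ServletException {
        try {  // assumed policy path; copy one of AntiSamy's example policies here
            policy = Policy.getInstance(
                cfg.getServletContext().getResourceAsStream("/WEB-INF/antisamy-policy.xml"));
        } catch (PolicyException e) {
            throw new ServletException("cannot load AntiSamy policy", e);
        }
    }
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) req = new SanitizedRequest((HttpServletRequest) req, policy);
        chain.doFilter(req, res);
    }
    public void destroy() { }
    // Wrapper that sanitizes every parameter once, up front, so that
    // getParameter, getParameterValues and getParameterMap all agree.
    static class SanitizedRequest extends HttpServletRequestWrapper {
        private final Map<String, String[]> clean = new HashMap<String, String[]>();
        @SuppressWarnings("unchecked")
        SanitizedRequest(HttpServletRequest r, Policy policy) throws ServletException {
            super(r);
            AntiSamy antiSamy = new AntiSamy();
            Map<String, String[]> raw = r.getParameterMap();
            for (Map.Entry<String, String[]> e : raw.entrySet()) {
                String[] vals = new String[e.getValue().length];
                for (int i = 0; i < vals.length; i++) {
                    try {
                        CleanResults cr = antiSamy.scan(e.getValue()[i], policy);
                        vals[i] = cr.getCleanHTML();  // HTML filtered down to what the policy allows
                    } catch (ScanException | PolicyException ex) {
                        throw new ServletException("AntiSamy could not clean parameter " + e.getKey(), ex);
                    }
                }
                clean.put(e.getKey(), vals);
            }
        }
        public String getParameter(String name) {
            return clean.containsKey(name) ? clean.get(name)[0] : null;
        }
        public String[] getParameterValues(String name) { return clean.get(name); }
        public Map<String, String[]> getParameterMap() { return Collections.unmodifiableMap(clean); }
    }
}
```

One caveat: getCleanHTML() returns sanitized HTML, so it will also rewrite characters such as `<` and `&` in parameters that are never rendered as markup (passwords, identifiers), which is why this is usually applied only to the fields meant to carry user HTML. Output encoding in the JSP remains the primary defence for everything else, since the same value may be written into attribute, JavaScript or URL contexts that an HTML sanitizer does not cover.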