Craig McClanahan wrote:
> While the code in question here might not help you, the concept of a
> Filter still can. You can use Filters to monitor (and potentially
> modify) the output stream by providing a wrapper around the
> HttpServletResponse that the container hands you, with custom
> implementations of getOutputStream() and getWriter() that send their
> output to a buffer instead of directly back to the client. Then, when
> the client returns, you can postprocess the buffer and weed out
> anything you think is dangerous.
> I think there's a sample filter to do GZIP compression in the Tomcat
> releases, which you could use as a model of the overall architecture.
Yeah, I grok servlet filters OK ;-) The issue is that filtering the entire
response is generally not too helpful for this: it'd disable all the
dynamic functionality in the application that's *meant* to be there...!
What I need is to allow users to enter HTML markup through a text field for
subsequent display as part of a page (think, for example, of a wiki or CMS
solution). Only the untrusted data should be filtered, and the submitted
HTML must render correctly after potential XSS insertion has been dealt with.
Cheers,
L.
--
Laurie, Open Source advocate, Java geek and novice blogger:
http://www.holoweb.net/laurie
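The field-level approach Laurie describes (sanitize only the untrusted submission, leave the rest of the response alone) can be shown in a small Java class. This is an added example, not code from this thread or from Tomcat. The class name HtmlAllowlist, the particular allowed tags, and the sample input are assumptions made for illustration; it targets plain Java 8 with no servlet dependency, so it can be called from the servlet, Filter, or wiki/CMS code that receives the form field. The strategy is to escape the whole field first, so everything is inert by default, and then re-enable only an exact set of attribute-free tag literals plus `<a href="...">` whose scheme is checked; anything not spelled out in the allowlist stays escaped and renders as text.

```java
import java.util.Locale;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Allowlist sanitizer for one untrusted HTML field (added example, not code
 * from the thread). Escape everything, then re-enable only exact tag
 * literals the application wants to render. Because the output is built
 * from escaped text plus a handful of fixed strings, no attribute, event
 * handler, or unknown tag from the input can reach the browser as markup.
 */
public final class HtmlAllowlist {

    // Assumed allowlist: re-enabled without attributes, lowercase only.
    private static final String[] SIMPLE_TAGS =
            {"b", "i", "em", "strong", "p", "br", "ul", "ol", "li"};

    // After escaping, an anchor looks like &lt;a href=&quot;URL&quot;&gt;.
    // Raw quotes and angle brackets cannot occur inside the group because
    // escape() has already turned them into entities.
    private static final Pattern ESCAPED_ANCHOR = Pattern.compile(
            "&lt;a href=&quot;([^\\s<>]+?)&quot;&gt;");

    private HtmlAllowlist() {}

    /** Escape the five characters that can change HTML parsing context. */
    static String escape(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Accept only absolute http/https URLs; javascript:, data:, vbscript: etc. are refused. */
    static boolean safeHref(String href) {
        String lower = href.toLowerCase(Locale.ROOT);
        return lower.startsWith("http://") || lower.startsWith("https://");
    }

    /** Sanitize one untrusted field; the result is safe to embed in HTML body context. */
    public static String sanitize(String untrusted) {
        String s = escape(untrusted);

        // Re-enable exact, attribute-free opening and closing tags.
        for (String tag : SIMPLE_TAGS) {
            s = s.replace("&lt;" + tag + "&gt;", "<" + tag + ">");
            s = s.replace("&lt;/" + tag + "&gt;", "</" + tag + ">");
        }

        // Re-enable links only when the href passes the scheme check.
        // Entities inside the URL (e.g. &amp;) stay as they are, which is
        // correct HTML for an attribute value.
        Matcher m = ESCAPED_ANCHOR.matcher(s);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            String href = m.group(1);
            String replacement = safeHref(href)
                    ? "<a href=\"" + href + "\" rel=\"nofollow\">"
                    : m.group(0); // unsafe scheme: leave the tag escaped
            m.appendReplacement(out, Matcher.quoteReplacement(replacement));
        }
        m.appendTail(out);

        // A stray </a> left over from a refused link is harmless in a browser.
        return out.toString().replace("&lt;/a&gt;", "</a>");
    }

    public static void main(String[] args) {
        // Constructed sample of wiki-style input containing injection attempts.
        String input = "<b>Hello</b> <script>alert(1)</script> "
                + "<a href=\"javascript:alert(2)\">x</a> "
                + "<a href=\"https://example.org/?a=1&b=2\">ok</a> "
                + "<img src=x onerror=alert(3)>";
        System.out.println(sanitize(input));
    }
}
```

Running the sample keeps `<b>Hello</b>` and the https link (with `&b=2` rendered as `&amp;b=2`), while the `<script>`, `<img onerror>`, and `javascript:` anchor all come out as escaped text. The design choice worth noting is that the allowlist matches exact escaped literals, so a tag with any attribute, extra whitespace, or uppercase letters is simply not re-enabled; that is the property that makes the output easy to reason about, and extending the tag set means adding to the array rather than to a blocklist of dangerous constructs.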