[ROL-1727] XSS filtering for comments and blog posts - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 4.0
Fix Version/s: None
Component/s: Authentication, Roles and Access Controls, Comments, Installation & Configuration, User Interface - General, User Interface - Weblog Editor, User Management
Labels:
None

Description

This set of classes will filter potential XSS attacks from comments and blog posts. Without it, users could potentially use a XSS attack to take over an admin account (for example).

This uses AntiSammy (http://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project) to remove potential attack vectors. The attached antisammy jar has been modified to support config loading from the classpath, instead of from the file system.

To build, copy the classes to the appropriate locations in your source tree and the antisammy jar to the WEB-INF\lib directory.

To use, add
<filter>
<filter-name>JavaScriptStrippingFilter</filter-name>
<filter-class>org.apache.roller.myedna.filters.JavaScriptStrippingFilter</filter-class>
</filter>

and

<filter-mapping>
<filter-name>JavaScriptStrippingFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>

to your web.xml

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

antisamy-bin.1.1.1.jar
16/Jun/08 01:48
1.91 MB
Nick Lothian
antisamy-myspace-1.1.1.xml
16/Jun/08 01:48
76 kB
Nick Lothian
JavaScriptStrippingFilter.java
16/Jun/08 01:52
3 kB
Nick Lothian
Utils.java
16/Jun/08 01:52
0.7 kB
Nick Lothian

Activity

People

Assignee:: David M. Johnson

Reporter:: Nick Lothian

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 16/Jun/08 01:44

Updated:: 08/Jan/14 05:02

Resolved:: 16/Jan/13 13:45