
Basically I have a web-app which is currently vulnerable to XSS. Based on my research, I found that one good, open library that can help would be AntiSamy. So I downloaded the library .jar file, antisamy-1.5.1.jar, and the policy file antisamy-slashdot-1.4.4.xml, and exported them to my project's WEB-INF directory.

I'm pretty new to AntiSamy and don't really know how to use it on a string to encode it and secure it from XSS.

Say I have a string: String XSSPossible = "<script>alert(\"It's vulnerable.\");</script>"; Now I want to encode this to normal text and secure it from XSS.

Much Regards.

jaksdfjl
  • Here, you can use this as your main question now. I closed the others as duplicates. – Kayaman Mar 31 '17 at 11:43
  • @Kayaman But nobody is responding, what do I do? – jaksdfjl Mar 31 '17 at 12:20
  • Well, I hope you're not just waiting around for someone to solve your problem. If I were you I'd be going through the logs for errors. Real errors, not "failed to start". As StackOverflow is a free service, there are no guarantees about getting help. However there are rules ([help/on-topic]), and reposting your question is against them. – Kayaman Mar 31 '17 at 12:25
  • You can update your question with more information you've found, and it'll have a chance to get someone's attention. Currently this question reads as "I tried this and there was an error", which makes this question pretty much unanswerable. We're not here to solve your problems, we're here to help you solve your problem. It still requires effort from you. – Kayaman Mar 31 '17 at 12:39
  • @Kayaman See my update, hope you have a solution. – jaksdfjl Mar 31 '17 at 13:22

1 Answer


You can use the code below:

import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

public class AntisamySample 
{
     public static AntiSamy antiSamy; 
     public static Policy policy; 
     public static CleanResults cleanResults; 
     // The policy file must be on the classpath (next to this class) for getResourceAsStream to find it
     static String policyFileName = "antisamy-slashdot-1.4.4.xml"; 

     private Policy getPolicyFile()
     {
         try
         {
             // Policy.getInstance is a static factory; it parses the XML rules once
             policy = Policy.getInstance(this.getClass().getResourceAsStream(policyFileName));
         }
         catch (PolicyException e) 
         {
            // Thrown when the policy file is missing or malformed
            e.printStackTrace();
         }
         return policy;
     }

     public static void main(String[] args) 
     {
         String XSSPossible = "<script>alert('It's vulnerable.');</script>";
         String cleanResult = "";
         try
         { 
             AntisamySample  antisamy = new AntisamySample();
             antiSamy = new AntiSamy();
             policy = antisamy.getPolicyFile();
             // scan() applies the policy: disallowed tags such as <script> are removed
             cleanResults = antiSamy.scan(XSSPossible, policy); 

             cleanResult = cleanResults.getCleanHTML(); 
             System.out.println(cleanResult);
         } 
         catch(PolicyException e) 
         { 
             e.printStackTrace();
         }
         catch (ScanException e)
         {
             // Thrown when the input cannot be parsed/cleaned
             e.printStackTrace();
         } 
     }
}

This will return you clean HTML.

All the rules for getting clean HTML are in the antisamy*.xml file. There are four different policy files.

Depending on your requirements you can use any policy file and add rules as needed.

Here are more details about AntiSamy.

Hitesh Ghuge
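Since the question keeps the policy file in WEB-INF, which is not on the classpath, here is an added wrapper (not from the answer above nor from the AntiSamy project) that loads the policy through the ServletContext instead and also reports what the policy rejected; HtmlSanitizer and its constructor argument are hypothetical names.

```java
import java.io.InputStream;
import javax.servlet.ServletContext;
import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

/**
 * Added example: a small sanitizer wrapper. Class.getResourceAsStream() returns
 * null for files under WEB-INF because that directory is not on the classpath;
 * ServletContext.getResourceAsStream() can read it.
 */
public class HtmlSanitizer {
    private final Policy policy; // parsed once; Policy is immutable and reusable

    public HtmlSanitizer(ServletContext ctx) throws PolicyException {
        // Assumed path: the file the question placed in WEB-INF
        InputStream in = ctx.getResourceAsStream("/WEB-INF/antisamy-slashdot-1.4.4.xml");
        if (in == null) {
            throw new IllegalStateException("AntiSamy policy file not found under /WEB-INF");
        }
        this.policy = Policy.getInstance(in);
    }

    /** Returns policy-conformant HTML and logs every tag or attribute the policy removed. */
    public String sanitize(String untrusted) throws ScanException, PolicyException {
        if (untrusted == null) {
            return "";
        }
        CleanResults results = new AntiSamy().scan(untrusted, policy);
        // One message per rejected element, e.g. the <script> tag from the question.
        // Worth logging: a burst of these on one form is a useful detection signal.
        for (String msg : results.getErrorMessages()) {
            System.err.println("AntiSamy removed: " + msg);
        }
        return results.getCleanHTML();
    }
}
```

Note that AntiSamy removes disallowed markup rather than HTML-encoding it, so the <script> block from the question simply disappears from getCleanHTML() and shows up only in getErrorMessages().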