Comments on: XSS war: a Java HTML sanitizer

By: miroslavos

miroslavos — Mon, 14 Jun 2010 06:48:07 +0000

Hi, really good job.
Nice, this work´s

Sanitizer+String.replaceAll(String RegularExpression, Strin newString) Rocks!!

By: Roberto Bicchierai

Roberto Bicchierai — Thu, 10 Jun 2010 06:58:01 +0000

I didn’t get the question. The sanitizer published is a java piece of code, what is the “wmd.js” file you are talking? My sanitizer is not a javascript one (even if a porting should not a big deal).

How can I help you?

The only hint I can give you regarding a comment box on you site, is to use a simple text area or a markup editor (see this article http://www.codinghorror.com/blog/2008/05/is-html-a-humane-markup-language.html) and encoding all user inputs.

Cheers,

Roberto

By: rick

rick — Tue, 08 Jun 2010 02:31:48 +0000

I pasted the html sanitizing script into my wmd.js file, saved it, and loaded the modified wmd.js file to the server, and refreshed, but all of the typing function on the wmd.js comment/markdown window were stripped, leaving the comment area without functionality. What did I do wrong?
Thanks in advance for any help you can provide to make my website more secure.
Can you also help me put a comment box like this one on my website for visitor feedback, since I like the validation of required entry of e-mail account info to prevent spammers? That would be greatly appreciated, along with some very basic instructions for implementing the comment box.
Rick

By: HTML Sanitizer added to visural-common… « Pragmatic Coder

HTML Sanitizer added to visural-common… « Pragmatic Coder — Mon, 22 Mar 2010 05:45:30 +0000

[...] I wanted something more light-weight though, and stumbled across this. [...]

By: A html sanitizer for C# « Eltit Golb

A html sanitizer for C# « Eltit Golb — Thu, 04 Mar 2010 11:43:17 +0000

[...] JAVA, sanitizer, security, XSS by Roberto Bicchierai After 3 moths gestation and some bug fixes, HtmlSanitizer is reporting no hacking [...]

By: Rob Mueller

Rob Mueller — Mon, 11 Jan 2010 13:00:37 +0000

FYI we had to do something similar for a perl based project. We released the result here:

http://search.cpan.org/dist/HTML-Defang/lib/HTML/Defang.pm

HTML::Defang uses a custom html tag parser. The parser has been designed and tested to work with nasty real world html and to try and emulate as close as possible what browsers actually do with strange looking constructs. The test suite has been built based on examples from a range of sources such as http://ha.ckers.org/xss.html and http://imfo.ru/csstest/css_hacks/import.php to ensure that as many as possible XSS attack scenarios have been dealt with.

It’s worth checking those links to see how well your parser works. There’s some pretty nasty examples.

R0b

By: Roberto Bicchierai

Roberto Bicchierai — Mon, 11 Jan 2010 10:27:59 +0000

Sorry for the delay in responding, but I was on holiday.

About one month ago I discovered the problem in the source code and fixed it, but it was cached by the server.

The JSP class is an utility class used by our framework, so the real sanitizer is slightly different from the published one where all JSP.xxx methods are on the same class (HtmlSanitizer).

Now the source code should be fine, see: http://patapage.com/applications/pataPage/site/test/HtmlSanitizer.html

Thanks you all for feedback,

Roberto

By: dboyco

dboyco — Thu, 07 Jan 2010 22:52:53 +0000

where could we find the function for JSP.htmlEncodeApexesAndTags(token)

By: ayreon

ayreon — Thu, 07 Jan 2010 13:34:54 +0000

Hi Roberto,

Truth be told, your code is the only usable stuff around the net regarding this topic,
and it looks quite impressive,
however i couldn’t find the class “JSP” (e.g. JSP.htmlEncodeApexesAndTags) you’re referencing several times in the code you linked above,

Would you be so kind to post that class as well?

Many thanks,
Regards,
Janos

By: Stewart

Stewart — Wed, 06 Jan 2010 10:06:05 +0000

Looking at the code, I don’t think it’s complete?
What class is JSP?
I’ve never heard of JSP.htmlEncodeApexesAndTags.

Regards

Stewart