Comments on: XSS war: a Java HTML sanitizer

By: A html sanitizer for C# « Eltit Golb

A html sanitizer for C# « Eltit Golb — Thu, 04 Mar 2010 11:43:17 +0000

[...] JAVA, sanitizer, security, XSS by Roberto Bicchierai After 3 moths gestation and some bug fixes, HtmlSanitizer is reporting no hacking [...]

By: Rob Mueller

Rob Mueller — Mon, 11 Jan 2010 13:00:37 +0000

FYI we had to do something similar for a perl based project. We released the result here:

http://search.cpan.org/dist/HTML-Defang/lib/HTML/Defang.pm

HTML::Defang uses a custom html tag parser. The parser has been designed and tested to work with nasty real world html and to try and emulate as close as possible what browsers actually do with strange looking constructs. The test suite has been built based on examples from a range of sources such as http://ha.ckers.org/xss.html and http://imfo.ru/csstest/css_hacks/import.php to ensure that as many as possible XSS attack scenarios have been dealt with.

It’s worth checking those links to see how well your parser works. There’s some pretty nasty examples.

R0b

By: Roberto Bicchierai

Roberto Bicchierai — Mon, 11 Jan 2010 10:27:59 +0000

Sorry for the delay in responding, but I was on holiday.

About one month ago I discovered the problem in the source code and fixed it, but it was cached by the server.

The JSP class is an utility class used by our framework, so the real sanitizer is slightly different from the published one where all JSP.xxx methods are on the same class (HtmlSanitizer).

Now the source code should be fine, see: http://patapage.com/applications/pataPage/site/test/HtmlSanitizer.html

Thanks you all for feedback,

Roberto

By: dboyco

dboyco — Thu, 07 Jan 2010 22:52:53 +0000

where could we find the function for JSP.htmlEncodeApexesAndTags(token)

By: ayreon

ayreon — Thu, 07 Jan 2010 13:34:54 +0000

Hi Roberto,

Truth be told, your code is the only usable stuff around the net regarding this topic,
and it looks quite impressive,
however i couldn’t find the class “JSP” (e.g. JSP.htmlEncodeApexesAndTags) you’re referencing several times in the code you linked above,

Would you be so kind to post that class as well?

Many thanks,
Regards,
Janos

By: Stewart

Stewart — Wed, 06 Jan 2010 10:06:05 +0000

Looking at the code, I don’t think it’s complete?
What class is JSP?
I’ve never heard of JSP.htmlEncodeApexesAndTags.

Regards

Stewart

By: Java is just fine for your online service startup development « Keeping it brief – Pietro Polsinelli’s blog

Mon, 07 Dec 2009 16:39:26 +0000

[...] – Cross-site scripting See a definition here. Examining these kinds of problems, we put together a quite complete Java HTML sanitizer here, which everybody can freely use. The development process is described here. [...]

By: Solving the "halting problem"…. « Eltit Golb

Solving the "halting problem"…. « Eltit Golb — Wed, 18 Nov 2009 09:26:21 +0000

[...] (quite) easy problem of HTML sanitization (where you must remove some unaccepted tags. See XSS war: a Java HTML sanitizer [...]