Posted to commits@roller.apache.org by "Nick Lothian (JIRA)" <ji...@apache.org> on 2008/06/16 03:49:58 UTC

[jira] Updated: (ROL-1727) XSS filtering for comments and blog posts

     [ https://issues.apache.org/roller/browse/ROL-1727?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Nick Lothian updated ROL-1727:
------------------------------

    Attachment: antisamy-myspace-1.1.1.xml
                antisamy-bin.1.1.1.jar

Patched AntiSamy jar (supports config loading from classpath) and config

> XSS filtering for comments and blog posts
> -----------------------------------------
>
>                 Key: ROL-1727
>                 URL: https://issues.apache.org/roller/browse/ROL-1727
>             Project: Roller
>          Issue Type: Bug
>          Components: Antispam, Authentication, Roles and Access Controls, Comments, Page Rendering & Management, User Management, Weblog Editor
>    Affects Versions: 4.0
>            Reporter: Nick Lothian
>            Assignee: Roller Unassigned
>         Attachments: antisamy-bin.1.1.1.jar, antisamy-myspace-1.1.1.xml
>
>
> This set of classes will filter potential XSS attacks from comments and blog posts. Without it, users could potentially use an XSS attack to take over an admin account (for example).
> This uses AntiSamy (http://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project) to remove potential attack vectors. The attached AntiSamy jar has been modified to support config loading from the classpath, instead of from the file system.
> To build, copy the classes to the appropriate locations in your source tree and the AntiSamy jar to the WEB-INF\lib directory.
> To use, add
>     <filter>
>         <filter-name>JavaScriptStrippingFilter</filter-name>
>         <filter-class>org.apache.roller.myedna.filters.JavaScriptStrippingFilter</filter-class>
>     </filter>
> and
>     <filter-mapping>
>         <filter-name>JavaScriptStrippingFilter</filter-name>
>         <url-pattern>/*</url-pattern>
>     </filter-mapping>
> to your web.xml

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
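An illustrative filter of the kind the issue describes, written for this page and not the classes attached to ROL-1727: it loads the attached policy file from the classpath and wraps the request so every parameter passes through AntiSamy before Roller stores it. It assumes the servlet 2.x API, AntiSamy's org.owasp.validator.html package, and a Policy.getInstance(InputStream) overload (the classpath loading the patched jar adds; standard in later AntiSamy releases).

```java
package org.apache.roller.myedna.filters;

import java.io.IOException;
import java.io.InputStream;
import javax.servlet.*;
import javax.servlet.http.*;
import org.owasp.validator.html.*;

/** Illustrative stand-in for the attached filter: cleans every request parameter with AntiSamy. */
public class JavaScriptStrippingFilter implements Filter {
    private Policy policy;
    public void init(FilterConfig config) throws ServletException {
        // Policy file name taken from the issue attachment; loading it from the classpath
        // needs the patched jar or an AntiSamy release with Policy.getInstance(InputStream).
        InputStream in = getClass().getClassLoader().getResourceAsStream("antisamy-myspace-1.1.1.xml");
        if (in == null) throw new ServletException("AntiSamy policy not on classpath");
        try {
            policy = Policy.getInstance(in);
        } catch (PolicyException e) {
            throw new ServletException("Bad AntiSamy policy", e);
        }
    }
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            req = new SanitizingRequest((HttpServletRequest) req, policy); // clean before the app reads it
        }
        chain.doFilter(req, res);
    }
    public void destroy() {}

    /** Request wrapper: parameters are sanitised on the way in, so stored XSS never reaches the database. */
    static class SanitizingRequest extends HttpServletRequestWrapper {
        private final Policy policy;
        SanitizingRequest(HttpServletRequest r, Policy p) { super(r); policy = p; }
        public String getParameter(String name) { return clean(super.getParameter(name)); }
        public String[] getParameterValues(String name) {
            String[] raw = super.getParameterValues(name);
            if (raw == null) return null;
            String[] out = new String[raw.length];
            for (int i = 0; i < raw.length; i++) out[i] = clean(raw[i]);
            return out;
        }
        private String clean(String v) {
            if (v == null) return null;
            try { return new AntiSamy().scan(v, policy).getCleanHTML(); }
            catch (ScanException e) { return ""; }      // fail closed: drop what the scanner cannot parse
            catch (PolicyException e) { return ""; }
        }
    }
}
```

Mapped on /* as in the web.xml above, this runs on every parameter, including passwords and other non-HTML fields, and it leaves getParameterMap() unwrapped, which Struts-style frameworks read directly. Narrowing the url-pattern to the comment and editor paths and overriding getParameterMap() as well are the first adjustments a real deployment needs.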