Posted to users@tapestry.apache.org by kheldar666 <ma...@liber-mundi.org> on 2012/08/17 09:16:26 UTC

[Sharing] How to setup a Global XSS Filter in Tapestry 5

Hi all,

I post this as I had some headaches finding the proper solution and it seems
that nobody posted a similar approach here....

First step in AppModule.java:

    import org.apache.tapestry5.ioc.OrderedConfiguration;
    import org.apache.tapestry5.ioc.ServiceBinder;
    import org.apache.tapestry5.ioc.annotations.Contribute;
    import org.apache.tapestry5.ioc.annotations.InjectService;
    import org.apache.tapestry5.services.RequestFilter;
    import org.apache.tapestry5.services.RequestHandler;
    import org.libermundi.theorcs.core.tapestry.services.xss.XSSRequestFilterImpl;

    public class AppModule {

        // Bind the filter as a service so it can be injected by id below.
        public static void bind(ServiceBinder binder) {
            binder.bind(RequestFilter.class, XSSRequestFilterImpl.class).withId("XSSRequestFilter");
        }

        /*
         * XSS Filtering: add the filter to the request pipeline, after static
         * files are served and before the request is stored into RequestGlobals.
         */
        @Contribute(RequestHandler.class)
        public static void requestHandler(OrderedConfiguration<RequestFilter> configuration,
                                          @InjectService("XSSRequestFilter") RequestFilter xssFilter) {
            configuration.add("XSSRequestFilter", xssFilter, "after:StaticFiles", "before:StoreIntoGlobals");
        }
    }

Second step, you can take a look at the XSSRequestFilterImpl class:

http://code.google.com/p/theorcs/source/browse/trunk/core/src/main/java/org/libermundi/theorcs/core/tapestry/services/xss/XSSRequestFilterImpl.java

And then the XSSRequestWrapper class:

http://code.google.com/p/theorcs/source/browse/trunk/core/src/main/java/org/libermundi/theorcs/core/tapestry/services/xss/XSSRequestWrapper.java

The code of the Wrapper is inspired by this article:
http://ricardozuasti.com/2012/stronger-anti-cross-site-scripting-xss-filter-for-java-web-apps/

But I slightly changed it in order to allow people to use Rich Text that
includes images.

Hope this will be useful to someone :)

Also if you have any feedback, feel free to share.

Martin




--
View this message in context: http://tapestry.1045711.n5.nabble.com/Sharing-How-to-setup-a-Global-XSS-Filter-in-Tapestry-5-tp5715533.html
Sent from the Tapestry - User mailing list archive at Nabble.com.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
For additional commands, e-mail: users-help@tapestry.apache.org
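An added example (not Martin's linked classes, nor code from the Tapestry project) of the two pieces the AppModule above wires up: a RequestFilter that wraps the request, and a wrapper that sanitizes every parameter value before pages or components read it. It assumes Tapestry 5's org.apache.tapestry5.services.DelegatingRequest base class and uses its own small, illustrative regex list; the linked wrapper's actual patterns and its ESAPI use are not reproduced here.

```java
import java.io.IOException;
import java.util.regex.Pattern;
import org.apache.tapestry5.services.DelegatingRequest;
import org.apache.tapestry5.services.Request;
import org.apache.tapestry5.services.RequestFilter;
import org.apache.tapestry5.services.RequestHandler;
import org.apache.tapestry5.services.Response;

// Filter: wraps the incoming Request so that every parameter read downstream
// (query string, form fields, activation context) passes through the sanitizer.
// Contributed "before:StoreIntoGlobals", it is the wrapped request that is stored
// in RequestGlobals, so injected Request instances see sanitized values as well.
public class XSSRequestFilterImpl implements RequestFilter {
    public boolean service(Request request, Response response, RequestHandler handler) throws IOException {
        return handler.service(new XSSRequestWrapper(request), response);
    }
}

// Wrapper: DelegatingRequest (assumed base class) forwards every Request method to
// the wrapped instance, so only the parameter accessors need overriding.
class XSSRequestWrapper extends DelegatingRequest {
    // Illustrative deny-list, not the linked class's own. It matches raw values only
    // (no canonicalisation, so encoded variants pass), so it is defence in depth;
    // output encoding in templates remains the primary XSS control.
    private static final Pattern[] PATTERNS = {
        Pattern.compile("</?script[^>]*>", Pattern.CASE_INSENSITIVE),
        Pattern.compile("javascript\\s*:", Pattern.CASE_INSENSITIVE),
        Pattern.compile("\\son\\w+\\s*=", Pattern.CASE_INSENSITIVE) // onload=, onerror=, ...
    };
    XSSRequestWrapper(Request request) {
        super(request);
    }
    @Override
    public String getParameter(String name) {
        return sanitize(super.getParameter(name));
    }
    @Override
    public String[] getParameters(String name) {
        String[] values = super.getParameters(name);
        if (values == null) return null;
        String[] clean = new String[values.length];
        for (int i = 0; i < values.length; i++) clean[i] = sanitize(values[i]);
        return clean;
    }
    static String sanitize(String value) {
        if (value == null) return null;
        String s = value.replace("\0", ""); // NUL bytes can split a token past a regex
        for (Pattern p : PATTERNS) s = p.matcher(s).replaceAll("");
        return s;
    }
}
```

Parameter names are left untouched on purpose; a filter that also rewrote names would silently break Tapestry's own form field mapping.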


Re: [Sharing] How to setup a Global XSS Filter in Tapestry 5

Posted by Alex Kotchnev <ak...@gmail.com>.
Martin,
   out of curiosity - why was it necessary to add all of the additional
regexes in addition to using ESAPI ? Didn't ESAPI contain the needed APIs
to perform the filtering only with it ?

Cheers,

Alex K

On Fri, Aug 17, 2012 at 3:16 AM, kheldar666 <ma...@liber-mundi.org> wrote:

> Hi all,
>
> I post this as I had some headaches finding the proper solution and it
> seems
> that nobody posted a similar approach here....
>
> First step in AppModule.java:
>
>     public static void bind(ServiceBinder binder) {
>         binder.bind(RequestFilter.class, XSSRequestFilterImpl.class).withId("XSSRequestFilter");
>     }
>
>     /*
>      * XSS Filtering
>      */
>     @Contribute(RequestHandler.class)
>     public static void requestHandler(OrderedConfiguration<RequestFilter> configuration,
>                                       @InjectService("XSSRequestFilter") RequestFilter xssFilter) {
>         configuration.add("XSSRequestFilter", xssFilter, "after:StaticFiles", "before:StoreIntoGlobals");
>     }
>
> Second step, you can take a look at the XSSRequestFilterImpl class:
>
>
> http://code.google.com/p/theorcs/source/browse/trunk/core/src/main/java/org/libermundi/theorcs/core/tapestry/services/xss/XSSRequestFilterImpl.java
>
> And then the XSSRequestWrapper class:
>
>
> http://code.google.com/p/theorcs/source/browse/trunk/core/src/main/java/org/libermundi/theorcs/core/tapestry/services/xss/XSSRequestWrapper.java
>
> The code of the Wrapper is inspired by this article:
>
> http://ricardozuasti.com/2012/stronger-anti-cross-site-scripting-xss-filter-for-java-web-apps/
>
> But I slightly changed it in order to allow people to use Rich Text that
> includes images.
>
> Hope this will be useful to someone :)
>
> Also if you have any feedback, feel free to share.
>
> Martin