Posted to users@tapestry.apache.org by kheldar666 <ma...@liber-mundi.org> on 2012/08/17 09:16:26 UTC
[Sharing] How to setup a Global XSS Filter in Tapestry 5
Hi all,
I post this as I had some headaches finding the proper solution, and it seems
that nobody has posted a similar approach here.
First step in AppModule.java:
    import org.apache.tapestry5.ioc.OrderedConfiguration;
    import org.apache.tapestry5.ioc.ServiceBinder;
    import org.apache.tapestry5.ioc.annotations.Contribute;
    import org.apache.tapestry5.ioc.annotations.InjectService;
    import org.apache.tapestry5.services.RequestFilter;
    import org.apache.tapestry5.services.RequestHandler;

    // Bind the filter as a service with an explicit id so it can be injected by name.
    public static void bind(ServiceBinder binder) {
        binder.bind(RequestFilter.class, XSSRequestFilterImpl.class).withId("XSSRequestFilter");
    }

    /*
     * XSS Filtering: add the filter to the RequestHandler pipeline, after the
     * StaticFiles filter (so asset requests skip it) and before StoreIntoGlobals.
     */
    @Contribute(RequestHandler.class)
    public static void requestHandler(OrderedConfiguration<RequestFilter> configuration,
                                      @InjectService("XSSRequestFilter") RequestFilter xssFilter) {
        configuration.add("XSSRequestFilter", xssFilter, "after:StaticFiles", "before:StoreIntoGlobals");
    }
Second step, you can take a look at the XSSRequestFilterImpl class :
http://code.google.com/p/theorcs/source/browse/trunk/core/src/main/java/org/libermundi/theorcs/core/tapestry/services/xss/XSSRequestFilterImpl.java
And then XSSRequestWrapper class :
http://code.google.com/p/theorcs/source/browse/trunk/core/src/main/java/org/libermundi/theorcs/core/tapestry/services/xss/XSSRequestWrapper.java
The code of the Wrapper is inspired from this article :
http://ricardozuasti.com/2012/stronger-anti-cross-site-scripting-xss-filter-for-java-web-apps/
But I slightly changed it in order to allow people to use Rich Text that
includes images.
Hope this will be useful to someone :)
Also, if you have any feedback, feel free to share.
Martin
--
View this message in context: http://tapestry.1045711.n5.nabble.com/Sharing-How-to-setup-a-Global-XSS-Filter-in-Tapestry-5-tp5715533.html
Sent from the Tapestry - User mailing list archive at Nabble.com.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
For additional commands, e-mail: users-help@tapestry.apache.org
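For readers who want to see what the two classes linked above have to do, here is an added example (written for this page, not Martin's code and not the theorcs project's XSSRequestFilterImpl or XSSRequestWrapper) of a RequestFilter that can be bound and contributed exactly as in the AppModule snippet: it wraps the incoming Request so every parameter value is scrubbed before page code or Tapestry's own parameter decoding sees it. It assumes Tapestry 5.3, where org.apache.tapestry5.services.DelegatingRequest exists; the package com.example.xss, the class name XssRequestFilterExample and the regex list are hypothetical and illustrative, not the project's.

```java
package com.example.xss; // hypothetical package, not from the post

import java.io.IOException;
import java.util.regex.Pattern;

import org.apache.tapestry5.services.DelegatingRequest;
import org.apache.tapestry5.services.Request;
import org.apache.tapestry5.services.RequestFilter;
import org.apache.tapestry5.services.RequestHandler;
import org.apache.tapestry5.services.Response;

/** Added example of a global XSS RequestFilter; not the theorcs implementation. */
public class XssRequestFilterExample implements RequestFilter {

    public boolean service(Request request, Response response, RequestHandler handler)
            throws IOException {
        // Hand the rest of the pipeline a wrapped Request. Because this filter is
        // contributed before StoreIntoGlobals, the wrapped instance is what the
        // remaining filters and the pages receive.
        return handler.service(new SanitizingRequest(request), response);
    }

    /** Wraps a Request and scrubs parameter values as they are read. */
    static class SanitizingRequest extends DelegatingRequest {
        SanitizingRequest(Request delegate) {
            super(delegate);
        }

        @Override
        public String getParameter(String name) {
            return Sanitizer.strip(super.getParameter(name));
        }

        @Override
        public String[] getParameters(String name) {
            String[] values = super.getParameters(name);
            if (values == null) {
                return null;
            }
            String[] out = new String[values.length];
            for (int i = 0; i < values.length; i++) {
                out[i] = Sanitizer.strip(values[i]);
            }
            return out;
        }
    }

    /** Blacklist-style scrubbing in the spirit of the article the post cites. */
    static final class Sanitizer {
        private static final Pattern[] PATTERNS = {
            // <script ...>...</script>, any case, spanning newlines
            Pattern.compile("<script(.*?)</script>", Pattern.CASE_INSENSITIVE | Pattern.DOTALL),
            // a dangling <script ...> or </script>
            Pattern.compile("</?script[^>]*>", Pattern.CASE_INSENSITIVE),
            // javascript: / vbscript: pseudo-URLs, even with whitespace between letters
            Pattern.compile("(?:j\\s*a\\s*v\\s*a|v\\s*b)\\s*s\\s*c\\s*r\\s*i\\s*p\\s*t\\s*:",
                    Pattern.CASE_INSENSITIVE),
            // inline event handlers such as onload= or onerror=
            Pattern.compile("\\bon\\w+\\s*=", Pattern.CASE_INSENSITIVE),
            // eval(...) and CSS expression(...)
            Pattern.compile("(?:eval|expression)\\s*\\((.*?)\\)",
                    Pattern.CASE_INSENSITIVE | Pattern.DOTALL),
            // <iframe>, <object>, <embed>; <img> is deliberately left alone so that
            // rich text containing images survives, as the post describes
            Pattern.compile("</?(?:iframe|object|embed)[^>]*>", Pattern.CASE_INSENSITIVE),
        };

        static String strip(String value) {
            if (value == null) {
                return null;
            }
            String cleaned = value.replace("\0", ""); // drop null bytes before matching
            for (Pattern p : PATTERNS) {
                cleaned = p.matcher(cleaned).replaceAll("");
            }
            return cleaned;
        }
    }
}
```

Two caveats a practitioner should keep in mind with this approach. First, only getParameter and getParameters are wrapped here; headers, the path and cookies pass through unchanged, so anything that echoes those back needs its own handling. Second, a request-side blacklist like this is a defence in depth, not a substitute for output encoding: it can be bypassed by inputs the patterns do not anticipate (attribute-context breakouts, encoded variants), whereas Tapestry's template expansions already escape output, and rich text that must keep some HTML is better passed through a whitelist HTML sanitizer than through a blacklist of tags.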
Re: [Sharing] How to setup a Global XSS Filter in Tapestry 5
Posted by Alex Kotchnev <ak...@gmail.com>.
Martin,
Out of curiosity, why was it necessary to add all of the additional
regexes in addition to using ESAPI? Didn't ESAPI contain the needed APIs
to perform the filtering only with it?
Cheers,
Alex K
On Fri, Aug 17, 2012 at 3:16 AM, kheldar666 <ma...@liber-mundi.org> wrote:
> Hi all,
>
> I post this as I had some headaches finding the proper solution, and it seems
> that nobody has posted a similar approach here.
>
> First step in AppModule.java:
>
>     public static void bind(ServiceBinder binder) {
>         binder.bind(RequestFilter.class, XSSRequestFilterImpl.class).withId("XSSRequestFilter");
>     }
>
>     /*
>      * XSS Filtering
>      */
>     @Contribute(RequestHandler.class)
>     public static void requestHandler(OrderedConfiguration<RequestFilter> configuration,
>                                       @InjectService("XSSRequestFilter") RequestFilter xssFilter) {
>         configuration.add("XSSRequestFilter", xssFilter, "after:StaticFiles", "before:StoreIntoGlobals");
>     }
>
> Second step, you can take a look at the XSSRequestFilterImpl class :
>
>
> http://code.google.com/p/theorcs/source/browse/trunk/core/src/main/java/org/libermundi/theorcs/core/tapestry/services/xss/XSSRequestFilterImpl.java
>
> And then XSSRequestWrapper class :
>
>
> http://code.google.com/p/theorcs/source/browse/trunk/core/src/main/java/org/libermundi/theorcs/core/tapestry/services/xss/XSSRequestWrapper.java
>
> The code of the Wrapper is inspired from this article :
>
> http://ricardozuasti.com/2012/stronger-anti-cross-site-scripting-xss-filter-for-java-web-apps/
>
> But I slightly changed it in order to allow people to use Rich Text that
> includes images.
>
> Hope this will be useful to someone :)
>
> Also, if you have any feedback, feel free to share.
>
> Martin