roller-commits mailing list archives

From "Nick Lothian (JIRA)" <>
Subject [jira] Updated: (ROL-1727) XSS filtering for comments and blog posts
Date Mon, 16 Jun 2008 01:52:58 GMT


Nick Lothian updated ROL-1727:


Classes required. These may require some refactoring to include into Roller as part of the
product (the packages are probably incorrect for a start), but they will work as a fix.

> XSS filtering for comments and blog posts
> -----------------------------------------
>                 Key: ROL-1727
>                 URL:
>             Project: Roller
>          Issue Type: Bug
>          Components: Antispam, Authentication, Roles and Access Controls, Comments, Page
Rendering & Management, User Management, Weblog Editor
>    Affects Versions: 4.0
>            Reporter: Nick Lothian
>            Assignee: Roller Unassigned
>         Attachments: antisamy-bin.1.1.1.jar, antisamy-myspace-1.1.1.xml,,
> This set of classes will filter potential XSS attacks from comments and blog posts. Without
it, users could potentially use an XSS attack to take over an admin account (for example).
> This uses AntiSamy (
to remove potential attack vectors. The attached antisamy jar has been modified to support
config loading from the classpath, instead of from the file system.
> To build, copy the classes to the appropriate locations in your source tree and the antisamy
jar to the WEB-INF\lib directory.
> To use, add
>     <filter>
>         <filter-name>JavaScriptStrippingFilter</filter-name>
>         <filter-class>org.apache.roller.myedna.filters.JavaScriptStrippingFilter</filter-class>
>     </filter>
> and
>     <filter-mapping>
>         <filter-name>JavaScriptStrippingFilter</filter-name>
>         <url-pattern>/*</url-pattern>
>     </filter-mapping>
> to your web.xml

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.
