roller-commits mailing list archives

From "Nick Lothian (JIRA)" <j...@apache.org>
Subject [jira] Created: (ROL-1727) XSS filtering for comments and blog posts
Date Mon, 16 Jun 2008 01:45:58 GMT
XSS filtering for comments and blog posts
-----------------------------------------

                 Key: ROL-1727
                 URL: https://issues.apache.org/roller/browse/ROL-1727
             Project: Roller
          Issue Type: Bug
          Components: Antispam, Authentication, Roles and Access Controls, Comments, Page Rendering & Management, User Management, Weblog Editor
    Affects Versions: 4.0
            Reporter: Nick Lothian
            Assignee: Roller Unassigned


This set of classes will filter potential XSS attacks from comments and blog posts. Without
it, users could potentially use an XSS attack to take over an admin account (for example).

This uses AntiSamy (http://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project) to remove
potential attack vectors. The attached AntiSamy jar has been modified to support config loading
from the classpath, instead of from the file system.

To build, copy the classes to the appropriate locations in your source tree and the AntiSamy
jar to the WEB-INF\lib directory.

To use, add

    <filter>
        <filter-name>JavaScriptStrippingFilter</filter-name>
        <filter-class>org.apache.roller.myedna.filters.JavaScriptStrippingFilter</filter-class>
    </filter>

and

    <filter-mapping>
        <filter-name>JavaScriptStrippingFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

to your web.xml.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

