roller-commits mailing list archives

From "Nick Lothian (JIRA)" <j...@apache.org>
Subject [jira] Updated: (ROL-1727) XSS filtering for comments and blog posts
Date Mon, 16 Jun 2008 01:49:58 GMT

     [ https://issues.apache.org/roller/browse/ROL-1727?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Nick Lothian updated ROL-1727:
------------------------------

    Attachment: antisamy-myspace-1.1.1.xml
                antisamy-bin.1.1.1.jar

Patched AntiSamy jar (supports config loading from classpath) and config

> XSS filtering for comments and blog posts
> -----------------------------------------
>
>                 Key: ROL-1727
>                 URL: https://issues.apache.org/roller/browse/ROL-1727
>             Project: Roller
>          Issue Type: Bug
>          Components: Antispam, Authentication, Roles and Access Controls, Comments, Page Rendering & Management, User Management, Weblog Editor
>    Affects Versions: 4.0
>            Reporter: Nick Lothian
>            Assignee: Roller Unassigned
>         Attachments: antisamy-bin.1.1.1.jar, antisamy-myspace-1.1.1.xml
>
>
> This set of classes will filter potential XSS attacks from comments and blog posts. Without
> it, users could potentially use an XSS attack to take over an admin account (for example).
> This uses AntiSamy (http://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project)
> to remove potential attack vectors. The attached AntiSamy jar has been modified to support
> config loading from the classpath, instead of from the file system.
> To build, copy the classes to the appropriate locations in your source tree and the AntiSamy
> jar to the WEB-INF\lib directory.
> To use, add
>     <filter>
>     	<filter-name>JavaScriptStrippingFilter</filter-name>
>     	<filter-class>org.apache.roller.myedna.filters.JavaScriptStrippingFilter</filter-class>
>     </filter>
> and 
>     <filter-mapping>
>     	<filter-name>JavaScriptStrippingFilter</filter-name>
>     	<url-pattern>/*</url-pattern>
>     </filter-mapping>
> to your web.xml

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
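For readers who want to see what a filter of the kind described in the issue looks like, here is an added example of an AntiSamy-backed servlet filter. It is not the code attached to ROL-1727 and not part of Roller: the class name `HtmlSanitizingFilter`, the init-params `policyResource` and `htmlFields`, and the default field names are assumptions, and it assumes a recent AntiSamy release (1.5 or later) in which `Policy.getInstance(InputStream)` exists, which is the classpath loading the patched 1.1.1 jar in the issue had to add. The one design change from the issue's `/*` mapping is that it only rewrites the parameters configured as HTML fields, so passwords, URLs and other non-HTML input pass through untouched.

```java
// Added example, not the ROL-1727 attachment. Assumes javax.servlet and
// AntiSamy 1.5+ (org.owasp.validator.html.*); names marked below are assumed.
package org.example.xss;

import java.io.IOException;
import java.io.InputStream;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

public class HtmlSanitizingFilter implements Filter {

    // Policy loaded from the classpath; the file name matches the attachment
    // on the issue, the init-param names are assumptions of this example.
    private static final String DEFAULT_POLICY = "antisamy-myspace-1.1.1.xml";

    private Policy policy;
    private String[] htmlFields;

    @Override
    public void init(FilterConfig config) throws ServletException {
        String resource = config.getInitParameter("policyResource");   // assumed param
        if (resource == null) resource = DEFAULT_POLICY;
        try (InputStream in = getClass().getClassLoader().getResourceAsStream(resource)) {
            if (in == null) throw new ServletException("policy not on classpath: " + resource);
            policy = Policy.getInstance(in);
        } catch (IOException | PolicyException e) {
            throw new ServletException("cannot load AntiSamy policy", e);
        }
        // Only fields that are later rendered as HTML get rewritten; sanitizing
        // every parameter under /* would also mangle non-HTML input.
        String list = config.getInitParameter("htmlFields");           // assumed param
        htmlFields = list == null ? new String[] {"content", "text"} : list.split("\\s*,\\s*");
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            req = new SanitizingRequest((HttpServletRequest) req);
        }
        chain.doFilter(req, resp);
    }

    @Override
    public void destroy() { }

    /** Runs AntiSamy over one value and returns the cleaned markup. */
    String sanitize(String html) throws ServletException {
        try {
            CleanResults r = new AntiSamy().scan(html, policy);
            // r.getErrorMessages() describes what was removed; log it in a real
            // deployment so rejected markup can be reviewed.
            return r.getCleanHTML();
        } catch (ScanException | PolicyException e) {
            throw new ServletException("AntiSamy scan failed", e);
        }
    }

    private boolean isHtmlField(String name) {
        return Arrays.asList(htmlFields).contains(name);
    }

    /** Wraps the request so downstream code only sees sanitized HTML fields. */
    private class SanitizingRequest extends HttpServletRequestWrapper {
        SanitizingRequest(HttpServletRequest r) { super(r); }

        @Override
        public String getParameter(String name) {
            String v = super.getParameter(name);
            return (v != null && isHtmlField(name)) ? clean(v) : v;
        }

        @Override
        public String[] getParameterValues(String name) {
            String[] vs = super.getParameterValues(name);
            if (vs == null || !isHtmlField(name)) return vs;
            String[] out = new String[vs.length];
            for (int i = 0; i < vs.length; i++) out[i] = clean(vs[i]);
            return out;
        }

        @Override
        public Map<String, String[]> getParameterMap() {
            Map<String, String[]> out = new LinkedHashMap<>();
            for (String name : super.getParameterMap().keySet()) out.put(name, getParameterValues(name));
            return out;
        }

        private String clean(String v) {
            try { return sanitize(v); }
            catch (ServletException e) { throw new IllegalStateException(e); }
        }
    }
}
```

Register it in web.xml the same way the issue shows for `JavaScriptStrippingFilter`, adding `<init-param>` entries for `policyResource` and `htmlFields` if the defaults do not match the form field names. Sanitizing on the way in is a useful layer, but it is not a substitute for escaping on the way out: content that reaches the database by any other path (imports, older entries, an API) is never seen by the filter, so templates still need to encode anything they do not intend to render as trusted HTML.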

