I am doing a Java-based web application. It allows users to enter content, which is displayed to other users.
Naturally for security reasons, I have to filter user content to prevent XSS and other attacks.
I understand that filtering user content is a much-discussed topic. I found many posts on SO, but they are related to theory discussion, PHP, ideas, etc. I need a Java library to use to avoid re-writing/inventing everything. I feel there must be one out there.
Is there such a library I can use?
Thanks for any info!
If you want to sanitise user input to prevent XSS, then OWASP provides the standard implementation for doing that in their AntiSamy project.
There is a better implementation of this on Google Code called owasp-java-html-sanitizer. It allows you to define policies programmatically and then run the suspect HTML through the policy, which will strip out all nonsense.
Here is an example from their website:
import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;

// Allow only text formatting and links; everything else is removed
PolicyFactory policy = Sanitizers.FORMATTING.and(Sanitizers.LINKS);
String safeHTML = policy.sanitize(untrustedHTML);
This creates a policy that only allows formatting and links in the suspect HTML, everything else is removed.
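As an added example (not code from the answer above or from the project's own site), here is a small class that shows both ways of using the library: the prebuilt `Sanitizers` combination from the answer, and a policy defined programmatically with `HtmlPolicyBuilder` that whitelists a handful of elements, keeps only `href` on links, restricts it to standard URL protocols, and forces `rel="nofollow"`. The class name `CommentSanitizer` and the sample input are constructed for this illustration; the library itself is the `owasp-java-html-sanitizer` artifact.

```java
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;

// Added example: two sanitizing policies for user-submitted comments.
public class CommentSanitizer {

    // Policy 1: the prebuilt sanitizers from the answer, combined.
    // Only inline formatting and links survive.
    private static final PolicyFactory BASIC =
            Sanitizers.FORMATTING.and(Sanitizers.LINKS);

    // Policy 2: a whitelist built programmatically with HtmlPolicyBuilder.
    // Only <p>, <b>, <i>, <a> are allowed. On <a>, only the href attribute is
    // kept, and only with http/https/mailto URLs, so "javascript:" links are
    // dropped; every surviving link gets rel="nofollow".
    private static final PolicyFactory COMMENTS = new HtmlPolicyBuilder()
            .allowElements("p", "b", "i", "a")
            .allowAttributes("href").onElements("a")
            .allowStandardUrlProtocols()
            .requireRelNofollowOnLinks()
            .toFactory();

    // Returns HTML that is safe to render for other users under the basic policy.
    public static String sanitizeBasic(String untrustedHtml) {
        return BASIC.sanitize(untrustedHtml);
    }

    // Returns HTML that is safe to render under the stricter comment policy.
    public static String sanitizeComment(String untrustedHtml) {
        return COMMENTS.sanitize(untrustedHtml);
    }

    public static void main(String[] args) {
        // Constructed sample: benign formatting mixed with a script tag, an
        // inline event handler and a javascript: URL that must not reach
        // other users' browsers.
        String untrusted = "<p>Hello <b>world</b> "
                + "<script>alert(1)</script> "
                + "<a href=\"javascript:alert(1)\" onclick=\"x()\">bad</a> "
                + "<a href=\"https://example.com\">ok</a></p>";

        // Both policies remove the <script> element, the onclick handler and
        // the javascript: href; the https link is kept with rel="nofollow".
        System.out.println(sanitizeBasic(untrusted));
        System.out.println(sanitizeComment(untrusted));
    }
}
```

The sanitizer is whitelist based: anything not explicitly allowed by the policy is removed rather than escaped, so start with the narrowest policy your feature needs and widen it element by element. Build the `PolicyFactory` once (as a static field here) and reuse it, since policies are immutable and thread-safe, and apply it at the point where the content is rendered to other users rather than trusting that it was cleaned on input.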