Allowing Javascript and CSS but not XSS [ANSWERED]


Allowing Javascript and CSS but not XSS

Asked By: cix.yong
Originally Asked On: 2014-01-02 08:25:08
Asked Via: stackoverflow

We allow users to create rich content using TinyMCE and this includes Javascript and CSS.
However, when the content reaches the server (Java), we want to filter out all XSS code or potentially malicious code, things like document.cookie, eval, etc., whether they are in CSS, inline JS, XSS Javascript crafted using string text (e.g. document.write), etc. Everything else, e.g. changing color on mouse over, setting a gradient in CSS, etc., is fine.

We want to allow flexibility to our users but at the same time we want to ensure users are secure. We researched libs like HTML Purifier and jSoup, but they do not seem smart enough to distinguish potentially malicious JS from safe JS.
We are wondering if there is any way to do it?

Thank you.

He received 2 answers, eventually accepting:

NoUsername’s answer to

Allowing Javascript and CSS but not XSS

Have you looked at google caja? It is a compiler for third party javascript so it can be safely embedded in another site:

https://developers.google.com/caja/

It sounds like what you are looking for.


All Answers For: Allowing Javascript and CSS but not XSS

arsingh1212’s answer to

Allowing Javascript and CSS but not XSS

You can use JSoup for this job. JSoup has an XSS Cleaner Parser which can work on a whitelist Object (list of permitted tags). The jsoup whitelist sanitizer works by parsing the input HTML, and then iterating through the parse tree and only allowing known-safe tags and attributes (and values) through into the cleaned output. It does not use regular expressions, which are inappropriate for this task.
jsoup provides a range of Whitelist configurations to suit most requirements; they can be modified if necessary. Read this link for more details: http://jsoup.org/cookbook/cleaning-html/whitelist-sanitizer
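The following is an added example (not part of this answer or of the jsoup project) showing how the whitelist sanitizer described above behaves on the kind of input the asker is worried about. It uses the jsoup API as it existed at the time of the question (org.jsoup.safety.Whitelist; newer releases call the same class Safelist). The point worth seeing is that jsoup does not try to tell "safe" JavaScript from "malicious" JavaScript at all: script elements, event-handler attributes and javascript: URLs are not on the whitelist, so they are simply dropped, while whitelisted tags and a style attribute you explicitly allow pass through. The sample inputs and the class name RichTextSanitizer are constructed for this example.

```java
import org.jsoup.Jsoup;
import org.jsoup.safety.Whitelist;

/**
 * Example sanitizer for TinyMCE output. Everything not on the whitelist is
 * removed from the parse tree; the cleaner never evaluates or inspects
 * JavaScript, it only keeps known-good markup.
 */
public class RichTextSanitizer {

    // Whitelist.basic() permits simple text formatting tags (b, i, em, p, ul,
    // li, a, ...) and enforces rel="nofollow" on links. Event-handler
    // attributes (onmouseover, onclick, ...) and <script> are not included,
    // so they never reach the output.
    private static final Whitelist ALLOWED = Whitelist.basic()
            // Allow inline styles on span and p so users can change colours.
            // Note: jsoup only validates URL protocols; an allowed style
            // attribute is passed through verbatim, so CSS content is NOT
            // inspected by this cleaner (see the usage note below).
            .addAttributes("span", "style")
            .addAttributes("p", "style");

    /** Returns a cleaned HTML fragment safe to store and render. */
    public static String clean(String untrustedHtml) {
        return Jsoup.clean(untrustedHtml, ALLOWED);
    }

    /** True if the fragment already contains only whitelisted markup. */
    public static boolean isAlreadyClean(String html) {
        return Jsoup.isValid(html, ALLOWED);
    }

    public static void main(String[] args) {
        // Constructed sample inputs mirroring the cases in the question.
        String[] samples = {
            "<p onmouseover=\"this.style.color='red'\">hover me</p>",
            "<script>document.write(document.cookie)</script><b>hi</b>",
            "<a href=\"javascript:alert(1)\">link</a>",
            "<span style=\"color:red\">ok</span>"
        };
        for (String s : samples) {
            System.out.println("valid=" + isAlreadyClean(s) + "  in:  " + s);
            System.out.println("          out: " + clean(s));
        }
    }
}
```

Running this, the onmouseover attribute and the whole script element are stripped (only the text formatting survives), the javascript: href is removed from the link because it is not one of the protocols basic() allows, and the coloured span passes unchanged. Two caveats for the asker's use case: first, this answers the question by removing all script rather than by classifying it, so the "change colour on mouse over" effect has to be expressed as CSS (:hover) rather than as inline JavaScript; second, jsoup does not parse CSS, so whitelisting a style attribute delegates the safety of its contents to something else (a dedicated CSS sanitizer, or a Content-Security-Policy on the page that renders the content).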


The post Allowing Javascript and CSS but not XSS [ANSWERED] appeared first on Tech ABC to XYZ.