edu.cornell.mannlib.vitro.webapp.web

Class AntiScript

java.lang.Object

edu.cornell.mannlib.vitro.webapp.web.AntiScript

public class AntiScript
extends Object

This is a class to provide methods to strip bad HTML from user input. The primary goal of this is to avoid XSS attacks.

Constructor Summary

Constructors

Constructor and Description
AntiScript()

Method Summary

Modifier and Type	Method and Description
static <T> void	cleanMapValues(Map<T,String> map) Method to clean all of the values in a map where the values are of type String.
static String	cleanText(String dirtyInput) This will attempt to return HTML that has been cleaned up according to the policy.
static String	cleanURI(String dirtyInput) Method to clean a URL or URI.
static org.owasp.validator.html.AntiSamy	getAntiSamyScanner() Try to get a static AntiSamy HTML scanner object that is shared the whole application.
protected static org.owasp.validator.html.Policy	getAntiScriptPolicy() Try to get the static policy, if none exists, create a new one.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

AntiScript

public AntiScript()

Method Detail

cleanText

public static String cleanText(String dirtyInput)

This will attempt to return HTML that has been cleaned up according to the policy. If there is any error during the scan, an error message will be returned instead of the HTML. This might not be ideal so consider changing it once we see how this works. Other options include returning an empty string or some other error message. Returning the un-scanned HTML is not a secure option as it may contain scripts. This will return null if dirtyInput is null.

cleanURI

public static String cleanURI(String dirtyInput)

Method to clean a URL or URI.

cleanMapValues

public static <T> void cleanMapValues(Map<T,String> map)

Method to clean all of the values in a map where the values are of type String.

getAntiScriptPolicy

protected static org.owasp.validator.html.Policy getAntiScriptPolicy()

Try to get the static policy, if none exists, create a new one. This is a anti-script policy for use with OWASP AntiSamy, not a vivo auth Policy. Returns null if no policy can be created.

getAntiSamyScanner

public static org.owasp.validator.html.AntiSamy getAntiSamyScanner()

Try to get a static AntiSamy HTML scanner object that is shared the whole application. This may return a scanner with a null policy if the policy is not setup correctly.