Class AntiScript


  • public class AntiScript
    extends Object
    This class provides methods to strip unsafe HTML from user input. Its primary goal is to prevent XSS attacks.
    • Constructor Detail

      • AntiScript

        public AntiScript()
    • Method Detail

      • cleanText

        public static String cleanText​(String dirtyInput)
        This will attempt to return HTML that has been cleaned up according to the policy. If any error occurs during the scan, an error message is returned instead of the HTML. This may not be ideal, so consider changing it once the behaviour has been exercised in practice; alternatives include returning an empty string or a different error message. Returning the unscanned HTML is not a secure option, as it may still contain scripts. Returns null if dirtyInput is null.
      • cleanURI

        public static String cleanURI​(String dirtyInput)
        Method to clean a URL or URI.
      • cleanMapValues

        public static <T> void cleanMapValues​(Map<T,​String> map)
        Method to clean all of the values in a map where the values are of type String.
      • getAntiScriptPolicy

        protected static org.owasp.validator.html.Policy getAntiScriptPolicy()
        Try to get the static policy; if none exists, create a new one. This is an anti-script policy for use with OWASP AntiSamy, not a vivo auth Policy. Returns null if no policy can be created.
      • getAntiSamyScanner

        public static org.owasp.validator.html.AntiSamy getAntiSamyScanner()
        Try to get a static AntiSamy HTML scanner object that is shared by the whole application. This may return a scanner with a null policy if the policy is not set up correctly, so callers must not assume the scanner is usable.
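As an added illustration (not the project's own AntiScript source), the following sketch shows how the contract documented above can be implemented with the OWASP AntiSamy API: a lazily created shared Policy that is null when it cannot be loaded, a cleanText that returns null for null input and an error message rather than the unscanned HTML on any failure, and a cleanMapValues that walks a map and reuses it. The class name AntiScriptExample, the policy resource path /antisamy-policy.xml and the SCAN_ERROR message are assumptions; the AntiSamy calls (Policy.getInstance, AntiSamy.scan, CleanResults.getCleanHTML) are the library's real API.

```java
import java.io.IOException;
import java.io.InputStream;
import java.util.Map;

import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

/**
 * Illustrative sanitizer modelled on the AntiScript contract described above.
 * Added example, not the project's class; resource path and error text are assumptions.
 */
public class AntiScriptExample {

    /** Assumed location of the AntiSamy policy file on the classpath. */
    private static final String POLICY_RESOURCE = "/antisamy-policy.xml";

    /** Returned instead of HTML when a scan fails; never the unscanned input. */
    private static final String SCAN_ERROR = "[input could not be sanitized]";

    private static Policy policy;

    /** Lazily build the shared AntiSamy policy; returns null if it cannot be loaded. */
    protected static synchronized Policy getAntiScriptPolicy() {
        if (policy == null) {
            try (InputStream in = AntiScriptExample.class.getResourceAsStream(POLICY_RESOURCE)) {
                if (in != null) {
                    policy = Policy.getInstance(in);
                }
            } catch (PolicyException | IOException e) {
                // Leave policy null; callers must treat that as "cannot sanitize".
            }
        }
        return policy;
    }

    /** Clean HTML according to the policy; null in, null out; error message on any failure. */
    public static String cleanText(String dirtyInput) {
        if (dirtyInput == null) {
            return null;
        }
        Policy p = getAntiScriptPolicy();
        if (p == null) {
            // A missing policy is a failure, not a licence to return raw HTML.
            return SCAN_ERROR;
        }
        try {
            CleanResults results = new AntiSamy(p).scan(dirtyInput);
            return results.getCleanHTML();
        } catch (ScanException | PolicyException e) {
            return SCAN_ERROR;
        }
    }

    /** Clean every String value in the map in place (the map must be mutable). */
    public static <T> void cleanMapValues(Map<T, String> map) {
        if (map == null) {
            return;
        }
        for (Map.Entry<T, String> entry : map.entrySet()) {
            entry.setValue(cleanText(entry.getValue()));
        }
    }

    public static void main(String[] args) {
        // Constructed sample input containing an injected script element.
        String dirty = "<p>Hello <b>world</b><script>alert(1)</script></p>";
        System.out.println(cleanText(dirty));
        System.out.println(cleanText(null));
    }
}
```

With a typical AntiSamy policy the script element is dropped and the paragraph and bold markup survive; if the policy file is absent or malformed the caller sees SCAN_ERROR rather than the original input, which is the property the documentation above insists on.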