I want to filter the contents of all input tags from my HTML. I am using the AntiSamy filter; as of now my filter is filtering the complete HTML content (instead of the input value only).
I am using the implementation provided here:
Inside the doFilter method I am using this piece of code to scan the content:

    HttpServletResponseInvocationHandler invocationHandler = httpResponseInvocationHandlerFactory.build((HttpServletResponse) response);
    CleanResults cleanResults = antiSamy.scan(invocationHandler.getContents(), policy);

whereas what I want is something like:

    CleanResults cleanResults = antiSamy.scan(request.getParameter("input"), policy);

so that only the content of the input field is filtered.
Here is the whole doFilter method:
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        if (response instanceof HttpServletResponse) {
            // Wrap the response so the downstream output is buffered instead of written to the client
            HttpServletResponseInvocationHandler invocationHandler = httpResponseInvocationHandlerFactory.build((HttpServletResponse) response);
            HttpServletResponse proxiedResponse = httpResponseProxyFactory.build(invocationHandler);
            chain.doFilter(request, proxiedResponse);
            // Note: this only matches the exact header string; "text/html" alone or a different charset is passed through unscanned
            if ("text/html;charset=UTF-8".equals(proxiedResponse.getContentType())) {
                try {
                    Policy policy = policyFileLoader.load(policyFile);
                    antiSamy.setInputEncoding(inputEncoding);
                    antiSamy.setOutputEncoding(outputEncoding);
                    // Scans the whole buffered response body, not just the input field
                    CleanResults cleanResults = antiSamy.scan(invocationHandler.getContents(), policy);
                    log.info("Number of Errors: " + cleanResults.getNumberOfErrors());
                    if (log.isDebugEnabled()) {
                        log.debug("Errors found: ");
                        List<String> errors = cleanResults.getErrorMessages();
                        for (int i = 0; i < errors.size(); i++) {
                            log.debug("\t" + (i + 1) + ". " + errors.get(i));
                        }
                    }
                    log.info("Scan time (in seconds): " + cleanResults.getScanTime());
                    // Encode with the configured output encoding rather than the platform default
                    response.getOutputStream().write(cleanResults.getCleanHTML().getBytes(outputEncoding));
                } catch (ScanException e) {
                    log.error(GENERIC_ERROR, e);
                } catch (PolicyException e) {
                    log.error(GENERIC_ERROR, e);
                }
            } else {
                // Non-HTML responses are written back untouched
                response.getOutputStream().write(invocationHandler.getBytes());
            }
        } else {
            chain.doFilter(request, response);
        }
    }
I have tried it with ALL policy files provided by AntiSamy by default.
It'd be great if I can get some help on this.
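One way to scan only the submitted parameter values instead of the rendered page is to wrap the incoming HttpServletRequest and run each value through AntiSamy before the servlet sees it. The following filter is an added example written for this thread, not code from the question or from the AntiSamy project; it assumes the javax.servlet API, that an AntiSamy policy file is available on the classpath under the assumed name antisamy-slashdot.xml, and that the filter is mapped in web.xml to the URLs whose parameters should be sanitised.

```java
import java.io.IOException;
import java.util.List;
import java.util.logging.Logger;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

/** Sanitises request parameters (not the rendered response) with AntiSamy. */
public class AntiSamyParameterFilter implements Filter {

    private static final Logger LOG = Logger.getLogger(AntiSamyParameterFilter.class.getName());

    // Assumed resource name: replace with the AntiSamy policy file you actually ship.
    private static final String POLICY_RESOURCE = "/antisamy-slashdot.xml";

    private final AntiSamy antiSamy = new AntiSamy();
    private Policy policy;

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        try {
            // Load the policy once at startup; Policy is immutable and safe to share across requests.
            policy = Policy.getInstance(getClass().getResourceAsStream(POLICY_RESOURCE));
        } catch (PolicyException e) {
            throw new ServletException("Cannot load AntiSamy policy " + POLICY_RESOURCE, e);
        }
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (request instanceof HttpServletRequest) {
            // The servlet downstream only ever sees the sanitised parameter values.
            chain.doFilter(new SanitizingRequest((HttpServletRequest) request), response);
        } else {
            chain.doFilter(request, response);
        }
    }

    @Override
    public void destroy() {
    }

    /** Request wrapper that runs every parameter value through antiSamy.scan(). */
    private class SanitizingRequest extends HttpServletRequestWrapper {

        SanitizingRequest(HttpServletRequest request) {
            super(request);
        }

        @Override
        public String getParameter(String name) {
            return clean(name, super.getParameter(name));
        }

        @Override
        public String[] getParameterValues(String name) {
            String[] values = super.getParameterValues(name);
            if (values == null) {
                return null;
            }
            String[] cleaned = new String[values.length];
            for (int i = 0; i < values.length; i++) {
                cleaned[i] = clean(name, values[i]);
            }
            return cleaned;
        }

        private String clean(String name, String raw) {
            if (raw == null) {
                return null;
            }
            try {
                CleanResults results = antiSamy.scan(raw, policy);
                // Each message describes something the policy removed or rewrote; log it so
                // rejected markup shows up in monitoring instead of disappearing silently.
                List<String> errors = results.getErrorMessages();
                if (!errors.isEmpty()) {
                    LOG.info("AntiSamy modified parameter '" + name + "': " + errors);
                }
                return results.getCleanHTML();
            } catch (ScanException | PolicyException e) {
                // Fail closed: drop the value rather than pass unsanitised input through.
                LOG.warning("AntiSamy scan failed for parameter '" + name + "': " + e.getMessage());
                return "";
            }
        }
    }
}
```

Two caveats when using this in place of the response-scanning filter above: getParameterMap() should be overridden the same way if any code reads parameters through it, and getCleanHTML() may normalise perfectly benign values (entity encoding, whitespace), so map the filter only to the URLs whose fields are meant to carry HTML rather than to every request.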
Found the solution: the error was with the incorrect regular expression. Works well now.