How to configure antisamy in cq 5.5?

空扰寡人 submitted on 2019-11-30 16:07:03

Question


I have a CQ 5.5 project.

I want to prevent XSS attacks.

According to this link, CQ provides integration with the AntiSamy project.

Please provide concrete steps for integration with AntiSamy because I really cannot find it.

update

Should I write code like this somewhere?

import org.owasp.validator.html.*;

// Parse the policy file once; Policy.getInstance throws PolicyException on a malformed policy.
Policy policy = Policy.getInstance(POLICY_FILE_LOCATION);

// scan() throws ScanException / PolicyException; the result carries the cleaned HTML,
// and cr.getErrorMessages() lists what was removed.
AntiSamy as = new AntiSamy();
CleanResults cr = as.scan(dirtyInput, policy);

MyUserDAO.storeUserProfile(cr.getCleanHTML()); // some custom function

Answer 1:


The XSS protection mechanism offered by CQ is already based on the AntiSamy Project. You only need to provide your custom antisamy configuration, in case the default configuration doesn't suit your needs.

The default antisamy configuration is present at /libs/cq/xssprotection/config.xml, which can be overlaid with your custom config within /apps.

You can make use of the XSS Protection API available in CQ to protect your website from security attacks. The XSSAPI and the XSSFilter classes provide various methods to validate the given values.

The xssAPI is available as an implicit object on inclusion of /libs/foundation/global.jsp, whereas the XSSFilter can be obtained and used as shown below.

import com.day.cq.xss.ProtectionContext;
import com.day.cq.xss.XSSFilter;

// "sling" is the SlingScriptHelper implicit object defined by global.jsp
XSSFilter xssFilter = sling.getService(XSSFilter.class);
// The third argument is the repository path of the AntiSamy policy file to apply
String filteredString = xssFilter.filter(ProtectionContext.HTML_HTML_CONTENT,
        dirtyInput, POLICY_FILE_LOCATION);

You can find some predefined policy files and steps to create a new configuration here.

UPDATE:

In case you do not want to use the XSS API, then you need to have the OWASP ESAPI bundle installed in your instance, and then you can use the code mentioned in the question.
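To make the "custom configuration overlaid under /apps" concrete, here is a minimal AntiSamy policy of the kind the answer describes, added as an illustration and not taken from the answer or from CQ's default config.xml; the tag whitelist, the URL patterns and the idea of storing it under /apps and passing its path as the third argument to filter() are this example's own assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed minimal AntiSamy policy for this example; not CQ's default config.xml. -->
<anti-samy-rules xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                 xsi:noNamespaceSchemaLocation="antisamy.xsd">
  <directives>
    <directive name="omitXmlDeclaration" value="true"/>
    <directive name="omitDoctypeDeclaration" value="true"/>
    <directive name="maxInputSize" value="20000"/>
    <directive name="useXHTML" value="true"/>
    <directive name="embedStyleSheets" value="false"/>
    <directive name="preserveComments" value="false"/>
    <directive name="nofollowAnchors" value="true"/>
  </directives>
  <common-regexps>
    <!-- Root-relative paths only; a scheme-relative "//host" is rejected. -->
    <regexp name="relativeURL" value="/(?!/)[\p{L}\p{N}._~%/?#=&amp;-]*"/>
    <!-- http(s) only, so javascript:, data: and vbscript: URLs never pass. -->
    <regexp name="httpURL" value="https?://[\p{L}\p{N}.\-]+(:[0-9]+)?(/[\p{L}\p{N}._~%/?#=&amp;-]*)?"/>
    <regexp name="plainText" value="[\p{L}\p{N}\s.,:;'!?()_\-]*"/>
  </common-regexps>
  <common-attributes>
    <!-- An href matching neither pattern filters the whole <a>: its text is kept, the tag dropped. -->
    <attribute name="href" onInvalid="filterTag">
      <regexp-list>
        <regexp name="relativeURL"/>
        <regexp name="httpURL"/>
      </regexp-list>
    </attribute>
    <attribute name="title" onInvalid="removeAttribute">
      <regexp-list><regexp name="plainText"/></regexp-list>
    </attribute>
  </common-attributes>
  <global-tag-attributes>
    <attribute name="title"/>
  </global-tag-attributes>
  <tag-rules>
    <!-- remove: the tag and everything inside it are dropped. -->
    <tag name="script" action="remove"/>
    <tag name="style" action="remove"/>
    <!-- validate: tag kept, only listed or global attributes survive, so onclick etc. are stripped. -->
    <tag name="p" action="validate"/>
    <tag name="br" action="validate"/>
    <tag name="b" action="validate"/>
    <tag name="a" action="validate">
      <attribute name="href"/>
    </tag>
  </tag-rules>
  <css-rules/>
</anti-samy-rules>
```

Tags with no rule here are filtered by AntiSamy (tag removed, text content kept), so the whitelist stays small and anything unexpected degrades to plain text.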



Source: https://stackoverflow.com/questions/24800295/how-to-configure-antisamy-in-cq-5-5
