问题
I have cq 5.5 project.
I want to Prevent XSS attacks.
According this link cq provides integration with AntiSamy project.
Please provide concrete steps for integration with AntiSamy because I really cannot find it.
update
Should I write code like this somewhere?
import org.owasp.validator.html.*;
Policy policy = Policy.getInstance(POLICY_FILE_LOCATION);
AntiSamy as = new AntiSamy();
CleanResults cr = as.scan(dirtyInput, policy);
MyUserDAO.storeUserProfile(cr.getCleanHTML()); // some custom function
回答1:
The XSS protection mechanism offered by CQ is already based on the AntiSamy Project. You only need to provide your custom antisamy configuration, in case the default configuration doesn't suit your needs.
The default antisamy configuration is present at /libs/cq/xssprotection/config.xml
, which can be overlaid with your custom config within /apps
.
You can make use of the XSS Protection API available in CQ, to protect your website from security attacks. The XSSAPI and the XSSFilter classes provide various methods to validate the given values.
The xssAPI
is available as an implicit object on inclusion of /libs/foundation/global.jsp
, whereas the XSSFilter can be obtained and used as shown below.
XSSFilter xssFilter = sling.getService(XSSFilter.class);
String filteredString = xssFilter.filter(ProtectionContext.HTML_HTML_CONTENT,
dirtyInput, POLICY_FILE_LOCATION);
You can find some predefined policy files and steps to create a new configuration here.
UPDATE:
In case you do not want to use the XSS API, then you need to have the owasp esapi bundle installed in your instance, and then you can use the code mentioned in the question.
来源:https://stackoverflow.com/questions/24800295/how-to-configure-antisamy-in-cq-5-5