Martin,
   out of curiosity - why was it necessary to add all of the additional
regexes in addition to using ESAPI? Didn't ESAPI contain the needed APIs
to perform the filtering only with it?

Cheers,

Alex K

On Fri, Aug 17, 2012 at 3:16 AM, kheldar666 <mar...@liber-mundi.org> wrote:

> Hi all,
>
> I post this as I had some headaches finding the proper solution and it
> seems that nobody posted a similar approach here...
>
> First step in AppModule.java:
>
>     // Register the filter implementation as a Tapestry service with a fixed id
>     public static void bind(ServiceBinder binder) {
>         binder.bind(RequestFilter.class, XSSRequestFilterImpl.class)
>               .withId("XSSRequestFilter");
>     }
>
>     /*
>      * XSS Filtering: add the service to the RequestHandler pipeline,
>      * after static files are served and before globals are stored
>      */
>     @Contribute(RequestHandler.class)
>     public static void requestHandler(OrderedConfiguration<RequestFilter> configuration,
>             @InjectService("XSSRequestFilter") RequestFilter xssFilter) {
>         configuration.add("XSSRequestFilter", xssFilter,
>                 "after:StaticFiles", "before:StoreIntoGlobals");
>     }
>
> Second step, you can take a look at the XSSRequestFilterImpl class :
>
>
> http://code.google.com/p/theorcs/source/browse/trunk/core/src/main/java/org/libermundi/theorcs/core/tapestry/services/xss/XSSRequestFilterImpl.java
>
> And then XSSRequestWrapper class :
>
>
> http://code.google.com/p/theorcs/source/browse/trunk/core/src/main/java/org/libermundi/theorcs/core/tapestry/services/xss/XSSRequestWrapper.java
>
> The code of the Wrapper is inspired by this article:
>
> http://ricardozuasti.com/2012/stronger-anti-cross-site-scripting-xss-filter-for-java-web-apps/
>
> But I slightly changed it in order to allow people to use Rich Text that
> includes images.
>
> Hope this will be useful to someone :)
>
> Also if you have any feedback, feel free to share.
>
> Martin
>
> --
> View this message in context:
> http://tapestry.1045711.n5.nabble.com/Sharing-How-to-setup-a-Global-XSS-Filter-in-Tapestry-5-tp5715533.html
> Sent from the Tapestry - User mailing list archive at Nabble.com.

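For readers who want to see what the filter bound in Martin's AppModule snippet can look like when ESAPI does the heavy lifting, here is an added example. It is not Martin's XSSRequestFilterImpl/XSSRequestWrapper from the theorcs project and not Tapestry or ESAPI code; it is a separate illustration. It assumes Tapestry 5's `org.apache.tapestry5.services.DelegatingRequest` base class (which forwards every `Request` method to a delegate) and an ESAPI installation whose ESAPI.properties and AntiSamy policy file are configured, since `getValidSafeHTML` is backed by AntiSamy. The package name is a placeholder.

```java
package org.example.xss; // placeholder package, not the theorcs one

import java.io.IOException;

import org.apache.tapestry5.services.DelegatingRequest;
import org.apache.tapestry5.services.Request;
import org.apache.tapestry5.services.RequestFilter;
import org.apache.tapestry5.services.RequestHandler;
import org.apache.tapestry5.services.Response;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.IntrusionException;
import org.owasp.esapi.errors.ValidationException;

/**
 * A RequestFilter meant to be bound and contributed exactly as in the
 * AppModule snippet from the original post ("after:StaticFiles",
 * "before:StoreIntoGlobals"). Rather than a blacklist of regexes it relies on
 * two ESAPI steps: canonicalization, then an AntiSamy-backed HTML whitelist.
 */
public class XssRequestFilter implements RequestFilter {

    public boolean service(Request request, Response response, RequestHandler handler)
            throws IOException {
        // Everything downstream (pages, components, Tapestry's own form
        // handling) now reads parameters through the sanitizing wrapper.
        return handler.service(new SanitizingRequest(request), response);
    }

    /** Wraps the Tapestry Request and cleans parameter values on the way out. */
    static class SanitizingRequest extends DelegatingRequest {

        // Upper bound on a single parameter; ESAPI rejects longer input.
        private static final int MAX_PARAM_LENGTH = 64 * 1024;

        SanitizingRequest(Request delegate) {
            super(delegate); // assumption: DelegatingRequest(Request) constructor
        }

        @Override
        public String getParameter(String name) {
            return sanitize(name, super.getParameter(name));
        }

        @Override
        public String[] getParameters(String name) {
            String[] raw = super.getParameters(name);
            if (raw == null) {
                return null;
            }
            String[] clean = new String[raw.length];
            for (int i = 0; i < raw.length; i++) {
                clean[i] = sanitize(name, raw[i]);
            }
            return clean;
        }

        /**
         * Canonicalize first, so percent-encoded and entity-encoded forms of
         * the same markup collapse to one representation, then keep only the
         * markup the AntiSamy policy allows. Whether an <img> element survives
         * is decided by that policy file, which is where the "rich text with
         * images" requirement from the original post belongs.
         * The parameter name is passed as the ESAPI validation context so that
         * log entries say which field was rejected.
         */
        static String sanitize(String context, String value) {
            if (value == null || value.isEmpty()) {
                return value;
            }
            try {
                String canonical = ESAPI.encoder().canonicalize(value);
                return ESAPI.validator().getValidSafeHTML(context, canonical,
                        MAX_PARAM_LENGTH, true);
            } catch (IntrusionException e) {
                // Double or mixed encoding detected during canonicalization:
                // treat the value as hostile and drop it.
                return "";
            } catch (ValidationException e) {
                // Input the policy cannot repair: drop it rather than pass it on.
                return "";
            }
        }
    }
}
```

Two practical notes. Because the filter runs for every request, the HTML policy is also applied to parameters that were never meant to carry markup (numeric ids, Tapestry's own event parameters), so a real deployment would usually limit sanitizing to known rich-text fields or make the wrapper skip parameters the policy is not meant for. And a request-side filter like this complements, but does not replace, Tapestry's contextual output encoding; the encoding that happens when a value is rendered into a template remains the primary control.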