com.neurosys.cluzo.adapters

Class XSSAntiSamySecurityAdapter

java.lang.Object

com.neurosys.cluzo.adapters.XSSAntiSamySecurityAdapter

All Implemented Interfaces:

SecurityAdapter<String>

public class XSSAntiSamySecurityAdapter
extends Object
implements SecurityAdapter<String>

A SecurityAdapter for preventing & sanitizing AntiSamy DOM-XSS. One can also refer to a ready set of Policy files at classpath:com/neurosys/cluzo/antisamy

Note: This Adapter does not handled Encoded Strings internally.
If there is an encoded String, the decoding must happen before it is passed to the adapter.

You can also pick out other files listed @ OWASP Anti Samy Project

Author:

Arjun Dhar

Field Summary

Fields inherited from interface com.neurosys.cluzo.domain.SecurityAdapter

REGEX_PROP_FILE

Constructor Summary

Constructors

Constructor and Description
XSSAntiSamySecurityAdapter()

Method Summary

Modifier and Type	Method and Description
boolean	equals(Object obj)
org.owasp.validator.html.Policy	getPolicy()
String	getPolicyId()
int	hashCode()
Data	sanitize(Data<String> input) Sanitize content, from malicious to harmless.
void	setPolicy(org.owasp.validator.html.Policy policy)
XSSAntiSamySecurityAdapter	setPolicyFile(File policyFile) Locations can be files, urls or classpaths.
void	setPolicyId(String policyId)
XSSAntiSamySecurityAdapter	setPolicyResourceLocation(String resourceLocation) Locations can be files, urls or classpaths.
XSSAntiSamySecurityAdapter	setPolicyUrl(URL url) Locations can be files, urls or classpaths.
void	validate(Data<String> input) Check if the input is safe or not When used in a chained or a SecurityContext with other SecurityAdapters then the Adapters throwing a OperationNotSupportedException will be ignored.

Methods inherited from class java.lang.Object

clone, finalize, getClass, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

XSSAntiSamySecurityAdapter

public XSSAntiSamySecurityAdapter()

Method Detail

setPolicyFile

public XSSAntiSamySecurityAdapter setPolicyFile(File policyFile)
                                         throws org.owasp.validator.html.PolicyException

Locations can be files, urls or classpaths.
Example(s): Normal file or even using springContext.getResource("classpath:antisamy-tinymce-1.4.4.xml").getFile()

Parameters:

location - as File

Throws:

org.owasp.validator.html.PolicyException

setPolicyUrl

public XSSAntiSamySecurityAdapter setPolicyUrl(URL url)
                                        throws org.owasp.validator.html.PolicyException

Locations can be files, urls or classpaths.
Example(s): Normal file or even using springContext.getResource("classpath:antisamy-tinymce-1.4.4.xml").getFile()

Parameters:

location - as URL

Throws:

org.owasp.validator.html.PolicyException

setPolicyResourceLocation

public XSSAntiSamySecurityAdapter setPolicyResourceLocation(String resourceLocation)
                                                     throws IOException,
                                                            org.owasp.validator.html.PolicyException

Locations can be files, urls or classpaths.
Example(s): Normal file or even using springContext.getResource("classpath:antisamy-tinymce-1.4.4.xml").getFile()

Parameters:

resourceLocation - as Spring Resource location

Throws:

org.owasp.validator.html.PolicyException

IOException

sanitize

public Data sanitize(Data<String> input)
              throws org.owasp.validator.html.ScanException,
                     org.owasp.validator.html.PolicyException,
                     OperationNotSupportedException

Description copied from interface: SecurityAdapter

Sanitize content, from malicious to harmless. An adapter may or may not choose to support a Sanitization method. In the event it does not support it, it should throw a OperationNotSupportedException. When used in a chained or a SecurityContext with other SecurityAdapters then the Adapters throwing a OperationNotSupportedException will be ignored. Any other exception will be thrown if there is an issue in the executionof the sanitization process.

Specified by:

sanitize in interface SecurityAdapter<String>

Returns:

Throws:

org.owasp.validator.html.ScanException

org.owasp.validator.html.PolicyException

OperationNotSupportedException

validate

public void validate(Data<String> input)
              throws SecurityException,
                     OperationNotSupportedException

Description copied from interface: SecurityAdapter

Check if the input is safe or not
When used in a chained or a SecurityContext with other SecurityAdapters then the Adapters throwing a OperationNotSupportedException will be ignored.

Specified by:

validate in interface SecurityAdapter<String>

Parameters:

input - as Data

Throws:

SecurityException - is its is not safe. This is to provide additional details about the failure that te return param cannot.

OperationNotSupportedException

setPolicy

public void setPolicy(org.owasp.validator.html.Policy policy)

getPolicy

public org.owasp.validator.html.Policy getPolicy()

setPolicyId

public void setPolicyId(String policyId)

getPolicyId

public String getPolicyId()

equals

public final boolean equals(Object obj)

Overrides:

equals in class Object

hashCode

public final int hashCode()

Overrides:

hashCode in class Object