Monday, December 3rd, 2007

Filtering JavaScript From HTML Content with AntiSamy

Category: Java, Security

Jason Harwig has posted about AntiSamy, the Java 1.5 compatible library that sanitizes script and other unwanted markup out of user-supplied HTML:

  import org.owasp.validator.html.AntiSamy;
  import org.owasp.validator.html.CleanResults;

  // request is the servlet request; log is the application's logger
  AntiSamy sanitizer = new AntiSamy();
  CleanResults results = sanitizer.scan(request.getParameter("html"));
  String html = results.getCleanHTML();       // the sanitized markup to store or echo back
  if (!results.getErrorMessages().isEmpty()) {
      log.warn("Input contains errors");      // the input violated the policy and was cleaned
  }

I gave a JavaScript security talk last month, and one of the topics was HTML filtering. I gave examples of how MySpace tried to filter executable code, while still allowing HTML tags for formatting. MySpace, of course, failed to foresee every attack vector, and the Samy worm was born.

HTML filtering has never been a recommended approach because it is so hard to get right: with no proven library to lean on, a home-grown filter would almost certainly contain security holes. A library built around a whitelist of allowed markup, rather than a blacklist of known-bad patterns, is what changes that picture.
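As an added illustration of the blacklist-versus-whitelist point above (example code written for this edit; it is not from the original post, from Jason Harwig's post, or from the AntiSamy library): a regex blacklist in the MySpace style beside a small whitelist sanitizer built on Python's html.parser, run over constructed inputs that include the newline-split "java\nscript:" trick the Samy worm used and an entity-encoded scheme. The tag and attribute sets, the `safe_url` rule, the `sanitize` helper and the sample inputs are all assumptions made for illustration; AntiSamy's own policy is XML-driven and far more complete.

```python
import html
import re
from html.parser import HTMLParser

# 1. A regex blacklist in the MySpace style: remove patterns known to be bad.
#    Anything the author did not think of passes through untouched.
BLACKLIST = [
    re.compile(r"<script.*?</script>", re.I | re.S),
    re.compile(r"javascript:", re.I),
    re.compile(r"\son\w+\s*=", re.I),   # onload=, onclick=, onerror=, ...
]

def blacklist_filter(markup: str) -> str:
    for pattern in BLACKLIST:
        markup = pattern.sub("", markup)
    return markup

# 2. A whitelist sanitizer: parse the input and re-serialize only tags,
#    attributes and URL schemes that are explicitly permitted (the approach
#    AntiSamy takes; hard-coded sets here stand in for its policy file).
ALLOWED_TAGS = {"b", "i", "u", "p", "br", "a", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
VOID_TAGS = {"br", "img"}
DROP_CONTENT = {"script", "style"}      # drop the tag and everything inside it
SAFE_SCHEMES = ("http://", "https://", "mailto:")

def safe_url(value: str) -> bool:
    # html.parser has already decoded entities such as &#106; ("j"); the
    # remaining trick is whitespace/control characters inside the scheme
    # ("java\nscript:"), which browsers ignore, so strip them before checking.
    cleaned = re.sub(r"[\x00-\x20]", "", value).lower()
    if ":" not in cleaned:
        return True                      # relative URL, no scheme at all
    return cleaned.startswith(SAFE_SCHEMES)

class WhitelistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.stack = []        # open tags we emitted, to guarantee closure
        self.dropping = None   # name of a DROP_CONTENT tag we are inside
        self.rejected = []     # what was removed, like CleanResults.getErrorMessages()

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.dropping = tag
            self.rejected.append(f"<{tag}> and its content removed")
            return
        if tag not in ALLOWED_TAGS:
            self.rejected.append(f"<{tag}> removed")
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.rejected.append(f"attribute {name} on <{tag}> removed")
            elif name in ("href", "src") and not safe_url(value):
                self.rejected.append(f"unsafe URL in {name} on <{tag}> removed")
            else:
                kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag == self.dropping:
            self.dropping = None
        elif tag in self.stack:
            # close anything still open inside it so the output nests properly
            while self.stack:
                closed = self.stack.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if self.dropping is None:
            self.out.append(html.escape(data, quote=False))

    # Comments, doctypes and processing instructions are dropped: HTMLParser's
    # default handlers for them do nothing and are not overridden here.

    def result(self) -> str:
        self.close()
        while self.stack:                # close tags the input left open
            self.out.append(f"</{self.stack.pop()}>")
        return "".join(self.out)

def sanitize(markup: str):
    """Return (clean_html, rejected_items) for one input document."""
    parser = WhitelistSanitizer()
    parser.feed(markup)
    return parser.result(), parser.rejected

# Constructed sample inputs (not taken from the post or from MySpace).
SAMPLES = {
    "plain formatting": '<b>hi</b> <a href="http://example.com/">link</a>',
    "script tag": "<b>hi</b><script>alert(1)</script>",
    "split scheme (Samy-style)": '<a href="java\nscript:alert(1)">x</a>',
    "entity-encoded scheme": '<a href="&#106;avascript:alert(1)">x</a>',
    "handler glued to value": '<img src="x"onerror="alert(1)">',
    "unclosed tags": "<b>bold<i>both",
}

if __name__ == "__main__":
    for label, markup in SAMPLES.items():
        clean, rejected = sanitize(markup)
        print(f"{label}:\n  blacklist -> {blacklist_filter(markup)!r}"
              f"\n  whitelist -> {clean!r}  rejected={rejected}")
```

Run as a script, the blacklist leaves the split-scheme, entity-encoded and glued-handler inputs untouched, while the whitelist version strips the offending attribute or tag and reports what it removed; the design point is that the whitelist never has to know the attack, only the markup it is willing to keep.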

Posted by Dion Almaer at 5:11 am




This is truly a tough nut to crack. I’ll be looking forward to the PHP implementation.

Comment by Marc — December 3, 2007

Kudos to getting this reliably working, but I have to wonder why? Presumably you would never rely on client-side validation before submitting to a database or some-such mechanism, I would hope…

Comment by bclaydon — December 10, 2007

Ok, ignore me, I completely misinterpreted the post. It’s server-side in Java, excellent. Carry on… :)

Comment by bclaydon — December 10, 2007
