I was looking for a library (Java) that would help in filtering XSS
attack vectors possibly coming back from the GWT rich text editors. I
haven't found any specific libraries on XSS, so decided to start my
own. If anyone knows of a de-facto library for XSS filtering (Java),
please let me know.
The project, which I intend to open-source at Google Code, is for now
available from here. (WARNING: alpha code. Use it at your own
risk.)
http://gtoonstra.googlepages.com/xssProtect.tar.gz
Some time ago I validated the correct working of the library using
attack vectors from here, but not a lot of time was spent on it, nor was it
done in depth. Hence you should not depend on this library with
confidence yet.
http://xssdb.dabbledb.com/publish/xssdb/d8266d7f-397e-4162-ad9f-5556494f18e9/xssdbtestview01.rss
The approach in filtering uses a parser/lexer from ANTLR. I took an
HTML parsing example from the v2 website and started using "ignore"
functions to drop attack vectors from the stream. It appears to work
quite well and it's not too bad performance-wise. I might upgrade to
v3 in the future. The grammar currently suffers from ambiguities.
Comments are welcome and if other efforts exist in this area, I'd be
glad to know.
G>
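The filtering approach described in the post (parse the markup, then "ignore" every token the grammar does not explicitly accept) as an added example; this is not code from the xssProtect library or the post. It uses Python's standard-library HTMLParser instead of ANTLR/Java so it runs stand-alone, and the allow-list of tags, attributes and URL schemes is an assumption chosen for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Assumed allow-list for rich-text editor output; anything else is dropped.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "strong", "em", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}          # hence no on*= handlers and no style=
DROP_WITH_CONTENT = {"script", "style"}  # the tag *and* its text are removed
SAFE_SCHEMES = ("http://", "https://", "mailto:")

class AllowListFilter(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # filtered output fragments
        self.open = []       # stack of emitted, still-open tags
        self.skip_depth = 0  # > 0 while inside <script>/<style>
    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
        elif tag in ALLOWED_TAGS and not self.skip_depth:  # else: tag ignored, text kept
            parts = [tag]
            for name, value in attrs:
                value = value or ""
                norm = "".join(value.split()).lower()  # catches "java\tscript:" too
                if name in ALLOWED_ATTRS.get(tag, ()) and (
                        ":" not in norm or norm.startswith(SAFE_SCHEMES)):
                    parts.append(f'{name}="{escape(value)}"')
            self.out.append("<" + " ".join(parts) + ">")
            if tag != "br":
                self.open.append(tag)
    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in self.open:
            while self.open:  # also closes tags left open inside it
                closed = self.open.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break
    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))  # text is re-escaped, never passed raw
    def close(self):  # comments, doctypes and PIs are dropped by the base class
        super().close()
        while self.open:  # close whatever the input left unclosed
            self.out.append(f"</{self.open.pop()}>")

def sanitize(fragment):
    f = AllowListFilter()
    f.feed(fragment)
    f.close()
    return "".join(f.out)
```

Because the parser unescapes entities before the scheme check, encoded variants such as `java&#x09;script:` are caught the same way as the plain form.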