How to apply HTML Sanitizer to existing project


Raviprasad Narava

Jun 11, 2020, 8:58:00 AM
to OWASP Java HTML Sanitizer Support
Hi, I have added the Maven repository for the HTML Sanitizer. How do I apply the HTML Sanitizer to my existing project? How do I configure it for my project? Please guide me.

Mike Samuel

Jun 11, 2020, 9:04:31 AM
to OWASP Java HTML Sanitizer Support

On Thu, Jun 11, 2020, 8:58 AM Raviprasad Narava <narav...@gmail.com> wrote:
Hi, I have added the Maven repository for the HTML Sanitizer. How do I apply the HTML Sanitizer to my existing project? How do I configure it for my project? Please guide me.


Raviprasad Narava

Jun 12, 2020, 1:30:57 PM
to owasp-java-html-...@googlegroups.com
Hi Mike,

Thanks for your prompt response. I have gone through the above link. Let me give you the outline of my project. We have 2 WAR files. One WAR is for the UI (which was written in AngularJS + HTML + JavaScript). From this WAR we call the second WAR through REST services (Java, the Utterlyidle REST library and other technologies). Both WAR files are deployed on Tomcat 7.0.96. The security team identified stored XSS and reflected XSS issues in our application. I need to resolve these issues. Is there any way to apply the logic without disturbing the existing code (just like filters or plugins or any other way)? Could you please give me some advice?

Thanks,
Ravi



--
Thanks & Regards,
Ravi Prasad Narava

Mike Samuel

Jun 12, 2020, 1:32:58 PM
to OWASP Java HTML Sanitizer Support
The Java HTML sanitizer is not a filter, nor does it plug into Tomcat.

There are commercial filters available, but they have a poor track record against determined attackers.

Jim Manico

Jun 12, 2020, 1:52:20 PM
to owasp-java-html-...@googlegroups.com
Ravi,

Cross-site scripting defense is a very complicated topic. It requires a combination of output encoding, using some kind of encoding library like the OWASP Java Encoder, or templates that automatically encode.

In addition, if you allow users to author HTML through something like a WYSIWYG editor, then you need a tool like the OWASP HTML Sanitizer to sanitize untrusted HTML input.

These tools are not automatic; you need to program them into your applications on a page-by-page basis.

This tool is but one Java library that would be part of a full cross-site scripting defense strategy.

Your homework:



Also, I think our documentation needs to explain better what this library is for. I am happy to take that on, Mike.

Respectfully,
--
Jim Manico
@Manicode

On Jun 12, 2020, at 1:33 PM, Mike Samuel <mikes...@gmail.com> wrote:



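As an added example (not code from the thread or from the OWASP projects' own documentation), the two separate defenses Jim describes, written against the OWASP Java Encoder and OWASP Java HTML Sanitizer APIs as they exist at the time of this thread; the class name, method names and the sample inputs are mine, and the example assumes both artifacts are on the classpath:

```java
import org.owasp.encoder.Encode;
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

// Hypothetical helper class: output encoding for plain-text data, sanitization
// for HTML that users are allowed to author. These are applied per output site
// in the application, not as a global filter.
public class XssOutputDefense {

    // Allowlist policy for rich-text fields: a handful of formatting elements
    // plus links limited to http/https. Anything not listed (script elements,
    // event-handler attributes, javascript: URLs, style) is dropped.
    private static final PolicyFactory RICH_TEXT_POLICY = new HtmlPolicyBuilder()
            .allowElements("p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "a")
            .allowAttributes("href").onElements("a")
            .allowUrlProtocols("http", "https")
            .requireRelNofollowOnLinks()
            .toFactory();

    // Plain-text value (a user name, a search term) rendered in HTML body
    // context: encode it for that context; do not run it through the sanitizer.
    public static String renderPlainText(String untrusted) {
        return Encode.forHtml(untrusted);
    }

    // Plain-text value rendered inside a quoted HTML attribute value.
    public static String renderAttributeValue(String untrusted) {
        return Encode.forHtmlAttribute(untrusted);
    }

    // User-authored HTML (e.g. WYSIWYG editor output): reduce it to the
    // allowlist before storing it or rendering it into a page.
    public static String renderRichText(String untrustedHtml) {
        return RICH_TEXT_POLICY.sanitize(untrustedHtml);
    }

    public static void main(String[] args) {
        // Constructed sample inputs, chosen to exercise each defense.
        String displayName = "<b>Ravi</b> <img src=x onerror=\"alert(1)\">";
        String forumPost = "<p>Hello <b>world</b><script>alert(1)</script>"
                + "<a href=\"https://example.com\">ok</a></p>";

        System.out.println(renderPlainText(displayName));      // markup shown as text
        System.out.println(renderAttributeValue(displayName)); // safe inside title="..."
        System.out.println(renderRichText(forumPost));         // formatting kept, script removed
    }
}
```

Which method to call depends on where the value lands in the page (body text, attribute, JavaScript, URL), which is why the encoder exposes several `Encode.for...` variants and why the work has to be done per page rather than by a single Tomcat filter.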
Raviprasad Narava

Jun 14, 2020, 11:11:29 AM
to owasp-java-html-...@googlegroups.com
Thanks Jim for your support. I will go through the provided links. 

Raviprasad Narava

Jul 2, 2020, 6:01:06 AM
to owasp-java-html-...@googlegroups.com
Hi Jim,

I have successfully implemented the XSS fixes in our application. Now I need to implement CSRF protection in our application. I have applied OWASP CSRFGuard in my application, but somehow it is failing.

In the logs I can see the message "CsrfGuard analyzing request". No errors are displayed, but the CSRF token is not getting generated. Could you please advise?


I have configured the below in my application.

web.xml:

    <!-- Cross Site Request Forgery Implementation OWASP Begin -->
    <listener>
        <listener-class>org.owasp.csrfguard.CsrfGuardServletContextListener</listener-class>
    </listener>
    <listener>
        <listener-class>org.owasp.csrfguard.CsrfGuardHttpSessionListener</listener-class>
    </listener>

    <filter>
        <filter-name>CSRFGuard</filter-name>
        <filter-class>org.owasp.csrfguard.CsrfGuardFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>CSRFGuard</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <servlet>
        <servlet-name>JavaScriptServlet</servlet-name>
        <servlet-class>org.owasp.csrfguard.servlet.JavaScriptServlet</servlet-class>
        <init-param>
            <param-name>inject-into-attributes</param-name>
            <param-value>true</param-value>
        </init-param>
    </servlet>
    <servlet-mapping>
        <servlet-name>JavaScriptServlet</servlet-name>
        <url-pattern>/JavaScriptServlet</url-pattern>
    </servlet-mapping>
    <!-- Cross Site Request Forgery Implementation OWASP End -->


And in the HTML pages I have added the script tag below.

    <script src="/JavaScriptServlet"> </script>


I placed Owasp.CsrfGuard.properties under WEB-INF/classes and csrfguard.js under the webapp/scripts folder.


Let me give you the outline of my project. We have 2 WAR files. One WAR is for the UI (which was written in AngularJS + HTML + JavaScript). From this WAR we call the second WAR through REST services (Java, the Utterlyidle REST library and other technologies). Both WAR files are deployed on Tomcat 7.0.96. I have put the above configuration in the second WAR only. Could you please advise if anything else needs to be done?


Thanks,
Ravi

Jim Manico

Jul 2, 2020, 12:01:52 PM
to owasp-java-html-...@googlegroups.com
That’s a different project, please submit to the CSRF list!

I would advise enabling CSRF protection specific to your framework, however.

- Jim

On Jul 2, 2020, at 12:01 AM, Raviprasad Narava <narav...@gmail.com> wrote:



Raviprasad Narava

Jul 3, 2020, 9:23:59 PM
to Jim Manico, owasp-java-html-...@googlegroups.com
Hi Jim,

I'm able to generate the token for each request now. But the security team still finds that the CSRF issue persists. I mentioned the configuration details in my previous mail and sent the security team's findings as an attachment. Could you please advise?

Thanks,
Ravi

On Fri, 3 Jul 2020, 11:05 am Raviprasad Narava, <narav...@gmail.com> wrote:
Hi Jim,

As per my understanding, I need to generate the token for each action. There is no specific list. Please find the attached file for reference. Could you please advise how to implement this in my application?


Thanks,
Ravi

Jim Manico

Jul 3, 2020, 10:18:12 PM
to Raviprasad Narava, Jim Manico, owasp-java-html-...@googlegroups.com
I would work with your security team to understand exactly what the issue is. It’s hard for me to help without seeing the details myself, and I do not advise you sharing those details in public.

So hopefully you can work closely with your security team to solve the issue.

Regards,
--
Jim Manico
@Manicode

Raviprasad Narava

Jul 4, 2020, 7:06:20 AM
to Jim Manico, Jim Manico, owasp-java-html-...@googlegroups.com
Hi Jim,

I'm checking my application. Hopefully it will be sorted out. Thanks for your support.

Thanks,
Ravi