Help: How to use Java HTML Sanitizer with clear examples.


gordo...@gmail.com

Apr 28, 2014, 4:52:39 PM
to owasp-java-html-...@googlegroups.com
Hi,

I can't figure out how to use the HTML Sanitizer. I've been sitting here for over an hour and I can't figure it out.
https://code.google.com/p/owasp-java-html-sanitizer/wiki/GettingStarted
http://owasp-java-html-sanitizer.googlecode.com/svn/trunk/distrib/javadoc/org/owasp/html/HtmlPolicyBuilder.html
http://code.google.com/p/owasp-java-html-sanitizer/source/browse/trunk/src/main/org/owasp/html/examples/EbayPolicyExample.java

Can someone document this? 

What I'm looking for is to allow the single quote in a variable, because I need to allow names such as Mary Jane O'Conner.

Thanks,
Gordon

Mike Samuel

Apr 28, 2014, 6:13:35 PM
to owasp-java-html-...@googlegroups.com
Single quotes should work just fine in text nodes and plain text
attributes that you allow.

They'll just be escaped to &#39; which shouldn't affect the displayed HTML.

Jim Manico

Apr 28, 2014, 6:13:50 PM
to owasp-java-html-...@googlegroups.com
What version of Java are you using? Did you use Maven to deploy the Sanitizer jar? This looks like a configuration problem; can you give us more info as to how you deployed the jar?

Aloha,
Jim
--
You received this message because you are subscribed to the Google Groups "OWASP Java HTML Sanitizer Support" group.
To unsubscribe from this group and stop receiving emails from it, send an email to owasp-java-html-saniti...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

gordo...@gmail.com

Apr 28, 2014, 6:36:20 PM
to owasp-java-html-...@googlegroups.com
Java 1.6.0_45
I'm wondering if the HTML Sanitizer is only for Java and not for JSP scriptlets.

In my jsp page I used:
<%@page import="org.owasp.encoder.Encode"%>
<%@page import="org.owasp.html.HtmlPolicyBuilder"%>
<%@page import="org.owasp.html.Sanitizers" %>
...
...
                            out.println("&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;      Yes url encoding: " + Encode.forUriComponent(currentgg)+ "<br>");
                            out.println("Yes Javascript encoding: " + Encode.forJavaScriptBlock(currentgg)+ "<br>");

                            out.println(Sanitizers.FORMATTING.sanitize("<b>Hello, World!</b>"));

See below for what I get when I run my JSP file. I have not created any Policy, nor have I added HTML Sanitizer code to any Java file besides the above JSP.

I have read:
http://code.google.com/p/owasp-java-html-sanitizer/

The result I'm getting is the below.  I just want to get a simple hello world and start to play with it.
Thanks, Gordon.

HTTP Status 500 - Unable to compile class for JSP:


type Exception report

message Unable to compile class for JSP:

description The server encountered an internal error that prevented it from fulfilling this request.

exception

org.apache.jasper.JasperException: Unable to compile class for JSP: 

An error occurred at line: 11 in the generated java file
Only a type can be imported. org.owasp.html.HtmlPolicyBuilder resolves to a package

An error occurred at line: 12 in the generated java file
Only a type can be imported. org.owasp.html.Sanitizers resolves to a package

An error occurred at line: 362 in the jsp file: /login.jsp
Sanitizers.FORMATTING cannot be resolved to a type
359:                             out.println("&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;      Yes url encoding: " + Encode.forUriComponent(currentgg)+ "<br>");
360:                             out.println("Yes Javascript encoding: " + Encode.forJavaScriptBlock(currentgg)+ "<br>");
361: 
362:                             out.println(Sanitizers.FORMATTING.sanitize("<b>Hello, World!</b>"));
363: 
364:                         %>
365: 

Mike Samuel

Apr 28, 2014, 7:00:34 PM
to owasp-java-html-...@googlegroups.com
I'm not an expert at debugging half of a JSP page, but
http://stackoverflow.com/questions/1858463/java-error-only-a-type-can-be-imported-xyz-resolves-to-a-package
suggests you're missing a semicolon

gordo...@gmail.com

Apr 28, 2014, 10:02:53 PM
to owasp-java-html-...@googlegroups.com, mikes...@gmail.com

Hi Mike,

Attached is my complete JSP file of 17 lines. I don't think there needs to be a semicolon at the end of the import, even if it's the last one, because the OWASP Java Encoder didn't need it. In fact, putting a semicolon in would cause an error for the OWASP Java Encoder. In this attachment there's no JSP compilation error when I remove lines 1, 2 and 15, which are associated with the HTML Sanitizer, and the Java Encoder works. However, as soon as I put in the HTML Sanitizer code, my program fails to compile.

<%@page import="org.owasp.html.Sanitizers" %>
<%@page import="org.owasp.html.HtmlPolicyBuilder"%>
<%@page import="org.owasp.encoder.Encode"%>
<html>
<h1> Want to keep the apostrophy between O and C </h1>
<%
String currentgg= "Hello there, let's keep the apostrophy < ' testing > Ms. O'Rielly Testing. \\ abc '~!@#$%^&*()_+-_=[{]};:,./?||\\";
out.println("---------------------OWASP JAVA ENCODER:");
out.println("&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; No encoding: " + currentgg + "<br>");
out.println("&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Yes html encoding: "+ Encode.forHtml(currentgg) + "<br>");
out.println("&nbsp;Yes attribute encoding: " + Encode.forHtmlAttribute(currentgg)+ "<br>");

out.println("&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Yes url encoding: " + Encode.forUriComponent(currentgg)+ "<br>");
out.println("Yes Javascript encoding: " + Encode.forJavaScriptBlock(currentgg)+ "<br>");
out.println("---------------------OWASP HTML SANITIZER:");

out.println(Sanitizers.FORMATTING.sanitize("<b>Hello, World!</b>"));
%>
</html>

Thank you,
Gordon
Attachment: gordon.jsp

gordo...@gmail.com

Apr 28, 2014, 10:14:18 PM
to owasp-java-html-...@googlegroups.com, mikes...@gmail.com
I believe I forgot to copy the jar files over to tomcat manually!  I'll report back tomorrow after I redeploy.

Gordon


gordo...@gmail.com

Apr 28, 2014, 10:16:28 PM
to owasp-java-html-...@googlegroups.com, mikes...@gmail.com
No more errors after I redeployed!  =)  Thanks!  Now I'll go and figure out how to ignore the single quote in the string "John O'Conner."

Gordon


Jim Manico

Apr 28, 2014, 10:18:44 PM
to owasp-java-html-...@googlegroups.com, mikes...@gmail.com
Can you take a second look at the documentation and let us know what you think needs to be fixed? I'm glad you worked this out.

Thanks Gordon,
Jim

gordo...@gmail.com

Apr 29, 2014, 1:17:48 PM
to owasp-java-html-...@googlegroups.com, mikes...@gmail.com
Mike / Jim:

I'll try to answer questions by Mike and Jim in this thread.

Mike:  "If you can pass a string from your scriptlet to an external class and
use the result then you should be able to use the sanitizer from your
scriptlet."

My reply:

Do you want me to create a class to extend your sanitizer class? I don't see this in the documentation. What about the policy class? I can't extend two classes. I looked at http://code.google.com/p/owasp-java-html-sanitizer/source/browse/trunk/src/main/org/owasp/html/examples/EbayPolicyExample.java but I don't know what to do with it in regards to the sanitizer JSP class and my call from my JSP page. It would help if the documentation included a HowTo for JSP, from start to finish, on one example usage for JSP. I did look at http://code.google.com/p/owasp-java-html-sanitizer/source/browse/trunk/src/main/org/owasp/html/examples/EbayPolicyExample.java but I don't know how to use that from my JSP file, and how is that related to the Sanitizer class?

Thanks,
Gordon

Mike Samuel

Apr 30, 2014, 4:58:18 PM
to Gordon Ma, owasp-java-html-...@googlegroups.com
No. I will not email you teh codes because
http://thedailywtf.com/Articles/plz-email-me-teh-codez.aspx but thank
you for clarifying.

I think my last reply gave you enough to go on: write Java code, not
JSP, for the tricky parts. Read the JSP documentation to figure out
how to connect JSP and Java.


2014-04-30 16:09 GMT-04:00 Gordon Ma <gordo...@gmail.com>:
> Mike, I'll be precise: Please give me a jsp sample code where it uses your
> sanitizer library. I have seen zero jsp example as of yet that uses your
> library. Can you do this, email me the jsp, and put that sample jsp on your
> sanitizer site as a Getting Started Example. In the rails app link you've
> sent had zero sanitation code that uses your library. Gordon
>
>
> On Wed, Apr 30, 2014 at 11:03 AM, Mike Samuel <mikes...@gmail.com> wrote:
>>
>> 2014-04-30 12:53 GMT-04:00 Gordon Ma <gordo...@gmail.com>:
>> > I'd like the program to sanitize input variables to protect against xss.
>> > However, I do want a rule not to filter the apostrophe as in John
>> > O'Conner.
>>
>> As mentioned in my first response:
>> """
>> Single quotes should work just fine in text nodes and plain text
>> attributes that you allow.
>>
>> They'll just be escaped to &#39; which shouldn't affect the displayed
>> HTML.
>> """
>>
>> > I can use an encoder on the output, but I feel that I would have an
>> > extra
>> > layer of protection by filtering also the input. The previous issue
>> > about
>> > not even able to get the hello world to work with the sanitizer has been
>> > resolved as I forgot to copy the jar files to the temp lib folders in
>> > tomcat
>> > from my IDE, but the issue that remain is I don't how to call the
>> > methods in
>> > your program from a jsp to do the sanitization from a jsp page.
>>
>> I'm still confused. You asked 9 hours ago about "hello world": "I'm
>> trying to get at least a "hello world" up" but now you're saying that
>> you don't need "hello world" instructions.
>>
>>
>> Here's a generic HowTo for JSP.
>>
>> Don't put complicated business logic in templates. See
>> http://www.sitepoint.com/keeping-your-rails-app-clean/ which is aimed
>> at a Rails audience but the arguments work broadly.
>>
>> With regards to this specific project, instead of trying to import
>> multiple sanitizer classes into your JSP, write one Java class that
>> specifies the policy and exposes a simple sanitize method. From JSP,
>> import and use that class.
>>
>>
>> Also, the more precise you can be (
>> http://www.catb.org/esr/faqs/smart-questions.html#beprecise ) when
>> posing a question, the more likely we are to be able to help.
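As an added example of what Mike describes above (this is not code from the thread or from the OWASP project): one Java class that builds the policy once and exposes a single sanitize method, which a JSP then imports like any other class. The package name com.example, the class name CommentSanitizer and the particular allow list are assumptions chosen for illustration; the HtmlPolicyBuilder, PolicyFactory and Sanitizers calls are the library's real API.

```java
package com.example;

import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;

/**
 * Keeps the HTML sanitizer policy in one place so that JSP pages only have
 * to import this class and call sanitize(). The package and class names are
 * illustrative assumptions, not something the OWASP project ships.
 */
public final class CommentSanitizer {

    // Build the PolicyFactory once. It is immutable and thread-safe, so one
    // static instance can serve every request in the web application.
    private static final PolicyFactory POLICY = new HtmlPolicyBuilder()
            // Simple inline formatting a commenter is allowed to use.
            .allowElements("b", "i", "em", "strong", "p", "br")
            // Links are allowed, but only with http/https targets, and every
            // link gets rel="nofollow" added.
            .allowElements("a")
            .allowAttributes("href").onElements("a")
            .allowUrlProtocols("http", "https")
            .requireRelNofollowOnLinks()
            .toFactory()
            // Prebuilt policies from Sanitizers can be combined with .and();
            // here the standard block elements (div, ul, li, ...) are added.
            .and(Sanitizers.BLOCKS);

    private CommentSanitizer() {
    }

    /**
     * Returns markup that is safe to write into a page body. Elements and
     * attributes outside the allow list (script, onerror=, javascript: URLs,
     * ...) are dropped; characters such as the apostrophe in a text node are
     * emitted as entities (&#39;), so the rendered text is unchanged.
     */
    public static String sanitize(String untrustedHtml) {
        if (untrustedHtml == null) {
            return "";
        }
        return POLICY.sanitize(untrustedHtml);
    }

    // Quick check from the command line, with the sanitizer jar and whatever
    // dependency jars the release's pom lists (older releases pulled in
    // Guava) on the classpath. Inputs below are constructed samples.
    public static void main(String[] args) {
        String[] samples = {
            "John O'Conner",
            "<b>Hello, World!</b>",
            "<a href=\"javascript:alert(1)\">click</a>",
            "<img src=x onerror=alert(1)><i>still here</i>"
        };
        for (String s : samples) {
            System.out.println(s + "  ->  " + sanitize(s));
        }
    }
}
```

Drop the compiled class under WEB-INF/classes (or in a jar under WEB-INF/lib) and put the sanitizer jar plus its dependencies in WEB-INF/lib; the JSP then needs only `<%@page import="com.example.CommentSanitizer"%>` and a call such as `<%= CommentSanitizer.sanitize(request.getParameter("comment")) %>`. The "Only a type can be imported ... resolves to a package" error earlier in the thread is exactly what Jasper reports when the sanitizer classes are not on the web application's classpath, which is the deployment mistake Gordon found. Running main should show the first sample come back as John O&#39;Conner, consistent with Mike's first reply, and the last two samples come back with the javascript: href and the onerror handler removed. Note the division of labour that the thread keeps circling: the sanitizer is for untrusted input that you intend to render as HTML; a plain value such as a person's name is better written out with Encode.forHtml (or forHtmlAttribute, forJavaScriptBlock, forUriComponent, depending on the output context), which preserves the apostrophe by encoding it for that context rather than by parsing the value as markup.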