Class XssHtmlFilter

java.lang.Object
ch.tocco.nice2.toolbox.api.XssHtmlFilter

public final class XssHtmlFilter extends Object
Filters HTML text and removes code classified as vulnerable. At least the following tags and/or attributes are treated as suspicious:

<script/>
    embeds executable code
<applet>
    embeds Java applets
<embed/> <object/>
    embed external content
<xml/>
    embeds meta statements
<style>
    embeds style sheet instructions, which may contain JavaScript
<a href|link/>
    the anchor tag with an href or link attribute; embeds external URLs (javascript: protocol)
<frame|iframe|input type=image|bgsound|img src/>
    tags with a src attribute; embed external URLs (javascript: protocol). Also the dynsrc and lowsrc attributes of the img tag
onXxx
    all event handler attributes
<body|table|tr|td|th background
    the background attribute may contain code using the javascript: protocol
style=url()|expression()
    styles that allow specifying url() or expression(), such as background-image:, behavior: etc.
<meta content=0; url=
    meta redirect; may execute code using the javascript: protocol
URLs are replaced by # so that the remaining HTML stays syntactically correct; all other suspicious constructs are removed. Anchor tags are the exception (see task #17742): their href attribute is left in place and a blank target is added.
  • Method Details

    • containsPotentialXssCode

      public static boolean containsPotentialXssCode(String content, XssHtmlFilter.ValidationLevel validationLevel)
    • containsPotentialXssCode

      public static boolean containsPotentialXssCode(String content, XssHtmlFilter.ValidationLevel validationLevel, boolean disableAntiSamy)
      Checks content for potential XSS issues. This method does not guarantee that the content is safe to use, but gives an indication.
    • clean

      public static String clean(String html)
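The following is an added usage example for a caller of this class; it is not code from the nice2 code base or from this documentation. It uses only the methods listed above (the two containsPotentialXssCode overloads and clean). The ValidationLevel constants are defined by the library and are not shown on this page, so the level is passed in by the caller; the sample inputs are constructed from the categories the description lists. Because the documentation states that containsPotentialXssCode only gives an indication and does not guarantee safety, the example re-checks the output of clean and rejects content that the filter still flags, rather than storing it.

```java
// Added example (not part of XssHtmlFilter or the nice2 project).
// Assumes only the API documented on this page:
//   XssHtmlFilter.containsPotentialXssCode(String, XssHtmlFilter.ValidationLevel)
//   XssHtmlFilter.clean(String)
import ch.tocco.nice2.toolbox.api.XssHtmlFilter;

import java.util.ArrayList;
import java.util.List;
import java.util.Objects;

public final class UntrustedHtmlGate {

    /** What happened to one piece of user-supplied HTML. */
    public static final class Outcome {
        public final boolean flaggedBeforeClean; // raw input looked suspicious
        public final boolean flaggedAfterClean;  // cleaned output still looked suspicious
        public final String html;                // text that may be stored; null if rejected

        Outcome(boolean flaggedBeforeClean, boolean flaggedAfterClean, String html) {
            this.flaggedBeforeClean = flaggedBeforeClean;
            this.flaggedAfterClean = flaggedAfterClean;
            this.html = html;
        }

        public boolean rejected() {
            return html == null;
        }
    }

    // Library-defined validation level; the constants are not listed on this page,
    // so the caller supplies one (hypothetical wiring, chosen by the application).
    private final XssHtmlFilter.ValidationLevel level;

    public UntrustedHtmlGate(XssHtmlFilter.ValidationLevel level) {
        this.level = Objects.requireNonNull(level, "level");
    }

    /**
     * Sanitises rich text received from a client. clean() is applied
     * unconditionally, and its result is checked again: the Javadoc says the
     * check only gives an indication, so content that is still flagged after
     * cleaning is rejected instead of being persisted.
     */
    public Outcome accept(String untrustedHtml) {
        if (untrustedHtml == null || untrustedHtml.isEmpty()) {
            return new Outcome(false, false, untrustedHtml);
        }
        boolean before = XssHtmlFilter.containsPotentialXssCode(untrustedHtml, level);
        String cleaned = XssHtmlFilter.clean(untrustedHtml);
        boolean after = XssHtmlFilter.containsPotentialXssCode(cleaned, level);
        if (after) {
            // Defence in depth: the filter's own check still objects, so store nothing.
            return new Outcome(before, true, null);
        }
        return new Outcome(before, false, cleaned);
    }

    /**
     * Runs constructed samples, one per suspicious category named in the class
     * description, and returns a line per sample for inspection or logging.
     */
    public static List<String> demo(XssHtmlFilter.ValidationLevel level) {
        UntrustedHtmlGate gate = new UntrustedHtmlGate(level);
        String[] samples = {
            "<p>Hello <b>world</b></p>",                                  // benign markup
            "<p>Hi<script>doSomething()</script></p>",                    // <script/>
            "<img src=\"logo.png\" onload=\"handler()\">",                // onXxx handler
            "<a href=\"javascript:void(0)\">link</a>",                    // javascript: protocol in href
            "<div style=\"width:expression(1)\">x</div>",                 // style expression()
            "<meta http-equiv=\"refresh\" content=\"0; url=javascript:void(0)\">" // meta redirect
        };
        List<String> report = new ArrayList<>();
        for (String sample : samples) {
            Outcome o = gate.accept(sample);
            report.add(String.format("flaggedBefore=%b flaggedAfter=%b rejected=%b input=%s output=%s",
                    o.flaggedBeforeClean, o.flaggedAfterClean, o.rejected(), sample, o.html));
        }
        return report;
    }
}
```

Call demo with one of the library's ValidationLevel constants and print the returned lines to see, for each category, whether the raw input was flagged, what clean produced, and whether the output passed the second check. The re-check is the point of the pattern: the first boolean is useful for logging and alerting on suspicious submissions, but only the cleaned text that passes the second check should reach storage or a template.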