Class XssHtmlFilter

java.lang.Object
ch.tocco.nice2.toolbox.api.XssHtmlFilter

public final class XssHtmlFilter extends Object
Filters HTML text and removes code classified as potentially dangerous. For example, at least the following tags and/or attributes are treated as suspicious:
  • <script/>: embeds executable code
  • <applet>: embeds Java applets
  • <embed/> <object/>: embed external content
  • <xml/>: embeds meta statements
  • <style>: embeds style sheet instructions, which may contain JavaScript
  • <a href|link/>: the anchor tag with an href or link attribute; embeds external URLs (javascript: protocol)
  • <frame|iframe|input type=image|bgsound|img src/>: tags with a src attribute; embed external URLs (javascript: protocol). Also the dynsrc and lowsrc attributes of the img tag
  • onXxx: all event handlers
  • <body|table|tr|td|th background: the background attribute may contain code using the javascript: protocol
  • style=url()|expression(): styles that allow specifying url() or expression(), such as background-image:, behavior:, etc.
  • <meta content=0; url=: meta redirect; may execute code using the javascript: protocol
URLs are replaced by # to leave syntactically correct HTML, while all other suspicious constructs are removed. The exception is anchor tags (see task #17742): their href attribute is kept and a blank target is added.
  • Method Details

    • containsPotentialXssCode

      public static boolean containsPotentialXssCode(String content)
      Performs only a quick check of content for some potential XSS indicators, such as script elements, on-attributes, etc.
    • clean

      public static String clean(String html)
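A small regression harness for the contract described above, added here as an example and not part of the nice2 toolbox itself. It feeds one constructed fragment per documented category through containsPotentialXssCode and clean, and checks the invariants the description states (script elements and event handlers gone, javascript: URLs replaced, the anchor exception honoured); the class name, the sample inputs and the assumption that the "blank target" is rendered as target="_blank" are the example's own.

```java
import ch.tocco.nice2.toolbox.api.XssHtmlFilter;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

// Checks XssHtmlFilter against its documented behaviour (hypothetical harness class).
public final class XssHtmlFilterContractCheck {

    // Constructs that must not survive clean(): script element, on* handlers,
    // javascript: URLs (documented as replaced by '#') and CSS expression().
    private static final Pattern FORBIDDEN = Pattern.compile(
            "<\\s*script|\\son\\w+\\s*=|javascript\\s*:|expression\\s*\\(",
            Pattern.CASE_INSENSITIVE);

    // Categories the description explicitly names for containsPotentialXssCode.
    private static final Set<String> MUST_FLAG = Set.of("script element", "event handler");

    // Constructed test fragments, one per documented category, plus a benign anchor.
    static Map<String, String> samples() {
        Map<String, String> m = new LinkedHashMap<>();
        m.put("script element", "<p>hi</p><script>alert(1)</script>");
        m.put("event handler", "<img src=\"x.png\" onerror=\"alert(1)\">");
        m.put("img src javascript:", "<img src=\"javascript:alert(1)\">");
        m.put("anchor javascript:", "<a href=\"javascript:alert(1)\">x</a>");
        m.put("background attribute", "<td background=\"javascript:alert(1)\">x</td>");
        m.put("style expression()", "<div style=\"width:expression(alert(1))\">x</div>");
        m.put("meta redirect", "<meta http-equiv=\"refresh\" content=\"0; url=javascript:alert(1)\">");
        m.put("plain anchor (kept)", "<a href=\"https://example.org/\">x</a>");
        return m;
    }

    // Returns true when clean() and, where documented, containsPotentialXssCode()
    // behave as described for one sample.
    static boolean check(String label, String input) {
        boolean flagged = XssHtmlFilter.containsPotentialXssCode(input);
        String cleaned = XssHtmlFilter.clean(input);
        boolean ok = !FORBIDDEN.matcher(cleaned).find();
        if (MUST_FLAG.contains(label)) {
            ok &= flagged;
        }
        if (label.endsWith("(kept)")) {
            // Documented exception: href stays, a blank target is added (assumed target="_blank").
            String lower = cleaned.toLowerCase();
            ok &= lower.contains("href=\"https://example.org/\"") && lower.contains("target=\"_blank\"");
        }
        System.out.printf("%-22s %s (flagged=%b)%n  in : %s%n  out: %s%n", label, ok ? "PASS" : "FAIL", flagged, input, cleaned);
        return ok;
    }

    public static void main(String[] args) {
        boolean all = true;
        for (Map.Entry<String, String> e : samples().entrySet()) {
            all &= check(e.getKey(), e.getValue());
        }
        System.out.println(all ? "all contract checks passed" : "CONTRACT VIOLATION");
    }
}
```

Run it against the toolbox on the classpath; a FAIL line shows the exact input and output, which is what you want to see before relying on the filter for a new output context.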