Filter the Cross-site scripting
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy..read more...
XssRequestFilter is a spring based framework to filter the cross-site scripting in your @Controller request (current version support form data) just using a simple @XxsFilter annotation . Also it's easy to customized you own rule for filter xss request.
Use @XxsFilter annotation on your controller methods where you wish to filter Cross-site scripting.
It will remove all xss from request parameter. Also use @ComponentScan("com.xss.filters") in your one of configuration class for active the auto configuration for XssRequestFilter.
example:
@Configuration
@ComponentScan("com.xss.filters")
public class Config {
}
@Controller
public class TestController {
@XxsFilter
@RequestMapping("/")
public ModelAndView save(Model model, BindingResult result, Map map) {
// logic
return new ModelAndView();
}
@XxsFilter
@RequestMapping("/save"
public ModelAndView save(Model model, BindingResult result, Map map) {
// logic
return new ModelAndView();
}
@XxsFilter
@RequestMapping("/update")
public ModelAndView update(Model model, BindingResult result, Map map) {
// logic
return new ModelAndView();
}
The filter will pick up only those request whose have annotated with @XxsFilter annotation.
(<input(.*?)></input>|<input(.*)/>)
<span(.*?)</span>
<div(.*)</div>
<style>(.*?)</style>
<script>(.*?)</script>
javascript:
</script>
<script(.*?)>
src[\r\n]*=[\r\n]*\\\'(.*?)\\\'
eval\((.*?)\)
expression\((.*?)\)
vbscript:
onload(.*?)=
XSS Filter Evasion Cheat Sheet
If above patterns are not enough for you and you want your own custom pattern for filter xss request, then no worry XssRequestFilter also support your custom logic for filter your xss request.
By default this framework you DefaultRansackXssImpl service for filter the xss request, this service implemented RansackXss interface.
So for your custom logic for filter xss request you just need following steps:
String ransackXss(String value); method. (value parameter is ServletRequest parameter where client can inject the xss, you need to perform the filter on this value, you can take a reference of DefaultRansackXssImpl class)done... Now instead of DefaultRansackXssImpl, RansackXss will use your class implementation rules for filter xss
Apache Maven
<dependency>
<groupId>com.github.techguy-bhushan</groupId>
<artifactId>xss.filter</artifactId>
<version>1.0.2</version>
</dependency> compile 'com.github.techguy-bhushan:xss.filter:1.0.2'
This Component will search all the url's which action are annotated with @XxsFilter (collect the list of urls, which will be pick by CustomXssFilter )
This filter will only work for request which action have annotated @XxsFilter (with help of XssFiltersConfiguration)
This class is responsible for filter the XSS in request you can add or remove the XSS handling logic in #stripXSS method in CaptureRequestWrapper, CustomXssFilter use this class for remove xss in request.
This component will register CustomXssFilter if there will any @XxsFilte annotation used in url mapping, if there will no @XxsFilte used in application then CustomXssFilter will disable.
Thank you!