Protect yourself from XSS attacks using AntiSamy

Posted by Dan on Dec 24, 2007 @ 1:02 PM

An extremely common problem web developers face is protecting themselves from XSS exploits. Any web page that takes input from a user and displays it is potentially at risk. The simplest way to protect yourself from this type of exploit is to remove anything that could be interpreted as HTML by the browser, either by escaping the content or by stripping it out altogether.

However, there are many use cases where you may want to allow a user to enter some HTML markup to allow for basic formatting. Browser-based editors such as XStandard, FCKeditor and TinyMCE all give developers easy ways to offer users rich text formatting capabilities, but allowing users to input HTML opens your site up to the possibility of XSS attacks.

Solving the XSS problem is not a trivial task. It's one that companies such as MySpace, eBay and Google have all spent a lot of time and money on, rolling out custom solutions to try to protect their sites from being exploited, and it's not one the average developer has time to completely implement and test.

Fortunately for us, a new Open Web Application Security Project (OWASP) project called AntiSamy has been released to help us all solve this problem easily and efficiently.

AntiSamy is a Java-based open source API which allows you to ensure that all user-supplied HTML and CSS conforms to your application's rules. The name derives from the famous MySpace Samy XSS exploit, which allowed one user to crash MySpace when they created an HTML-based worm designed to automatically add users to their "Friends" list (without the knowledge of those MySpace users).

The AntiSamy API is really easy to use. The first step is to create a Policy file, an XML file that defines your application's rules (which tags, attributes and CSS properties are allowed). The next step is to scan the user's input against the Policy file and keep only the cleaned output it returns.

import org.owasp.validator.html.*;

// Parse the policy once (e.g. at application start-up) and reuse it; parsing is the expensive part.
Policy policy = Policy.getInstance(POLICY_FILE_LOCATION);

AntiSamy as = new AntiSamy();
// scan() throws ScanException and PolicyException, so handle or declare them in the calling method.
CleanResults cr = as.scan(dirtyInput, policy);

// Store only the cleaned markup, never the raw input.
MyUserDAO.storeUserProfile(cr.getCleanHTML()); // some custom function

The AntiSamy website contains a number of sample Policy files which you can use either verbatim or alter for your own needs. They include Policy files that show how to set up rules similar to those Slashdot, eBay and MySpace use on their sites.
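As an added example (not code from the original post or from the AntiSamy project), here is a small wrapper class that loads one of the sample Policy files, scans some constructed input, and also inspects the scan report so you can see what AntiSamy removed. The class name, the policy file path and the sample input are assumptions; the AntiSamy calls themselves (Policy.getInstance, AntiSamy.scan, CleanResults.getCleanHTML/getErrorMessages/getNumberOfErrors/getScanTime) are part of the library's public API.

```java
import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

/** Hypothetical wrapper around AntiSamy for user-supplied profile HTML. */
public class ProfileSanitizer {

    private final Policy policy;
    private final AntiSamy antiSamy = new AntiSamy();

    /** Parse the policy once; the same instance is reused for every scan. */
    public ProfileSanitizer(String policyPath) throws PolicyException {
        this.policy = Policy.getInstance(policyPath);
    }

    /**
     * Returns the scan results. Anything the policy does not allow (script
     * elements, event-handler attributes, disallowed CSS) is removed or
     * rewritten, and the error messages describe each change that was made.
     */
    public CleanResults sanitize(String dirtyInput) throws ScanException, PolicyException {
        CleanResults results = antiSamy.scan(dirtyInput, policy);
        if (results.getNumberOfErrors() > 0) {
            // Log the report for auditing; do not echo it back into a page unescaped.
            System.err.println("AntiSamy changed " + results.getNumberOfErrors() + " item(s):");
            for (Object message : results.getErrorMessages()) {
                System.err.println("  - " + message);
            }
        }
        return results;
    }

    public static void main(String[] args) throws Exception {
        // Assumption: the Slashdot sample policy from the AntiSamy distribution sits in the working directory.
        ProfileSanitizer sanitizer = new ProfileSanitizer("antisamy-slashdot.xml");

        // Constructed input: allowed formatting mixed with markup the policy should strip.
        String dirty = "<b>Hello</b> <script>alert('xss')</script>"
                     + "<a href=\"http://example.com\" onclick=\"alert(1)\">link</a>";

        CleanResults clean = sanitizer.sanitize(dirty);
        System.out.println("Clean HTML: " + clean.getCleanHTML());
        System.out.println("Scan took " + clean.getScanTime() + "s");
    }
}
```

With the Slashdot sample policy the bold and link markup survive while the script element and the onclick attribute are dropped, and the report printed to stderr tells you exactly which rules fired.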

While the AntiSamy project is a new one, it's one I hope gains momentum. It's an API every developer could use in their arsenal.

I will be following up this article shortly with an example of how to use AntiSamy from within ColdFusion. In the meantime, check out the live demo of the AntiSamy API at work.

Categories: HTML/ColdFusion, Java