Difference between revisions of "OWASP Java HTML Sanitizer Project"

From OWASP
Jump to: navigation, search
m
Line 1: Line 1:
==== Project About ====
+
= Main =  
 +
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
 +
 
 +
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
 +
| valign="top"  style="border-right: 1px dotted gray;padding-right:25px;" |
 +
 
 +
== OWASP JSON Sanitizer Project ==
 +
 
 +
Our Mission: Given JSON-like content, convert it to valid JSON! The OWASP JSON Sanitizer Project is a simple to use Java library that can be attached at either end of a data-pipeline to help satisfy Postel's principle: <i>be conservative in what you do, be liberal in what you accept from others</i><br/>
 +
Applied to JSON-like content from others, it will produce well-formed JSON that should satisfy any parser you use.<br/>
 +
Applied to your output before you send, it will coerce minor mistakes in encoding and make it easier to embed your JSON in HTML and XML.
 +
 
 +
== Security ==
 +
 
 +
Since the output of the OWASP JSON Sanitizer Project is always well-formed JSON, passing it to eval will have no side-effects and no free variables, so is neither a code-injection vector, nor a vector for exfiltration of secrets. This library only ensures that the JSON string → Javascript object phase has no side effects and resolves no free variables, and cannot control how other client side code later interprets the resulting Javascript object. So if client-side code takes a part of the parsed data that is controlled by an attacker and passes it back through a powerful interpreter like eval or innerHTML then that client-side code might suffer unintended side-effects.
 +
 
 +
==Licensing==
 +
The OWASP Java Encoder is free to use under the [http://www.apache.org/licenses/LICENSE-2.0 Apache 2 License].
 +
 
 +
| valign="top"  style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |
 +
 
 +
== What is this? ==
 +
 
 +
The OWASP JSON Sanitizer Projects provides:
 +
 
 +
* Java based JSON outbound or inbound sanitization library
 +
 
 +
== Code Repo ==
 +
 
 +
[https://code.google.com/p/json-sanitizer/ OWASP JSON Sanitizer at Google Code]
 +
 
 +
== Email List ==
 +
 
 +
[https://lists.owasp.org/mailman/listinfo/owasp_json_sanitizer Project Email List ]
 +
 
 +
== Project Leader ==
 +
 
 +
Project Leader:<br/>Mike Samuel
 +
<br/><br/>
 +
Contributors: <br/>
 +
Jim Manico<br/>
 +
 
 +
== Related Projects ==
 +
 
 +
* [[XSS (Cross Site Scripting) Prevention Cheat Sheet]]
 +
* [[OWASP Java HTML Sanitizer]]
 +
* [[OWASP Java Encoder]]
 +
 
 +
| valign="top"  style="padding-left:25px;width:200px;" |
 +
 
 +
== Quick Download ==
 +
 
 +
* [https://code.google.com/p/json-sanitizer/downloads/detail?name=json-sanitizer-2012-10-17.jar https://code.google.com/p/json-sanitizer/downloads/detail?name=json-sanitizer-2012-10-17.jar]
 +
 
 +
== News and Events ==
 +
* [Oct 17, 2012] 1.0 Released!
 +
 
 +
 
 +
==Classifications==
 +
 
 +
  {| width="200" cellpadding="2"
 +
  |-
 +
  | align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
 +
  | align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] 
 +
  |-
 +
  | align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
 +
  |-
 +
  | colspan="2" align="center"  | [http://www.apache.org/licenses/LICENSE-2.0 Apache 2 License]
 +
  |-
 +
  | colspan="2" align="center"  | [[File:Project_Type_Files_CODE.jpg|link=]]
 +
  |}
 +
 
 +
|}
 +
 
 +
 
 +
= Info =
 +
 
 +
The OWASP HTML Sanitizer is a fast and easy to configure HTML Sanitizer written in Java which lets you include HTML authored by third-parties in your web application while protecting against XSS.
 +
 
 +
The existing dependencies are on guava and JSR 305. The other jars are only needed by the test suite. The JSR 305 dependency is a compile-only dependency, only needed for annotations.
 +
 
 +
This code was written with security best practices in mind, has an extensive test suite, and has undergone adversarial security review.
 +
 
 +
A great place to get started using the OWASP Java HTML Sanitizer is here: [https://code.google.com/p/owasp-java-html-sanitizer/wiki/GettingStarted https://code.google.com/p/owasp-java-html-sanitizer/wiki/GettingStarted].
 +
 
 +
= Creating a HTML Policy =
 +
 
 +
You can use prepackaged policies here: [http://owasp-java-html-sanitizer.googlecode.com/svn/trunk/distrib/javadoc/org/owasp/html/Sanitizers.html http://owasp-java-html-sanitizer.googlecode.com/svn/trunk/distrib/javadoc/org/owasp/html/Sanitizers.html].
 +
 
 +
PolicyFactory policy = Sanitizers.FORMATTING.and(Sanitizers.LINKS);
 +
String safeHTML = policy.sanitize(untrustedHTML);
 +
 
 +
or the tests show how to configure your own policy here: [http://code.google.com/p/owasp-java-html-sanitizer/source/browse/trunk/src/tests/org/owasp/html/HtmlPolicyBuilderTest.java http://code.google.com/p/owasp-java-html-sanitizer/source/browse/trunk/src/tests/org/owasp/html/HtmlPolicyBuilderTest.java]
 +
 
 +
PolicyFactory policy = new HtmlPolicyBuilder()
 +
    .allowElements("a")
 +
    .allowUrlProtocols("https")
 +
    .allowAttributes("href").onElements("a")
 +
    .requireRelNofollowOnLinks()
 +
    .build();
 +
String safeHTML = policy.sanitize(untrustedHTML);
 +
 
 +
or you can write custom policies to do things like changing h1s to divs with a certain class:
 +
 
 +
PolicyFactory policy = new HtmlPolicyBuilder()
 +
    .allowElements("p")
 +
    .allowElements(
 +
        new ElementPolicy() {
 +
          public String apply(String elementName, List<String> attrs) {
 +
            attrs.add("class");
 +
            attrs.add("header-" + elementName);
 +
            return "div";
 +
          }
 +
        }, "h1", "h2", "h3", "h4", "h5", "h6"))
 +
    .build();
 +
String safeHTML = policy.sanitize(untrustedHTML);
 +
 
 +
= Questions =
 +
 
 +
*How was this project tested?
 +
**This code was written with security best practices in mind, has an extensive test suite, and has undergone [https://code.google.com/p/owasp-java-html-sanitizer/wiki/AttackReviewGroundRules adversarial security review].
 +
*How is this project deployed?
 +
**This project is best deployed through Maven [https://code.google.com/p/owasp-java-html-sanitizer/wiki/Maven https://code.google.com/p/owasp-java-html-sanitizer/wiki/Maven]
 +
 
 +
= About =
 
{{:Projects/OWASP Java HTML Sanitizer Project | Project About}}
 
{{:Projects/OWASP Java HTML Sanitizer Project | Project About}}
  

Revision as of 03:27, 5 February 2014

[edit]

OWASP Project Header.jpg

OWASP JSON Sanitizer Project

Our Mission: Given JSON-like content, convert it to valid JSON! The OWASP JSON Sanitizer Project is a simple to use Java library that can be attached at either end of a data-pipeline to help satisfy Postel's principle: be conservative in what you do, be liberal in what you accept from others
Applied to JSON-like content from others, it will produce well-formed JSON that should satisfy any parser you use.
Applied to your output before you send, it will coerce minor mistakes in encoding and make it easier to embed your JSON in HTML and XML.

Security

Since the output of the OWASP JSON Sanitizer Project is always well-formed JSON, passing it to eval will have no side-effects and no free variables, so is neither a code-injection vector, nor a vector for exfiltration of secrets. This library only ensures that the JSON string → Javascript object phase has no side effects and resolves no free variables, and cannot control how other client side code later interprets the resulting Javascript object. So if client-side code takes a part of the parsed data that is controlled by an attacker and passes it back through a powerful interpreter like eval or innerHTML then that client-side code might suffer unintended side-effects.

Licensing

The OWASP Java Encoder is free to use under the Apache 2 License.

What is this?

The OWASP JSON Sanitizer Projects provides:

  • Java based JSON outbound or inbound sanitization library

Code Repo

OWASP JSON Sanitizer at Google Code

Email List

Project Email List

Project Leader

Project Leader:
Mike Samuel

Contributors:
Jim Manico

Related Projects

Quick Download

News and Events

  • [Oct 17, 2012] 1.0 Released!


Classifications

Owasp-incubator-trans-85.png Owasp-builders-small.png
Owasp-defenders-small.png
Apache 2 License
Project Type Files CODE.jpg


The OWASP HTML Sanitizer is a fast and easy to configure HTML Sanitizer written in Java which lets you include HTML authored by third-parties in your web application while protecting against XSS.

The existing dependencies are on guava and JSR 305. The other jars are only needed by the test suite. The JSR 305 dependency is a compile-only dependency, only needed for annotations.

This code was written with security best practices in mind, has an extensive test suite, and has undergone adversarial security review.

A great place to get started using the OWASP Java HTML Sanitizer is here: https://code.google.com/p/owasp-java-html-sanitizer/wiki/GettingStarted.

You can use prepackaged policies here: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk/distrib/javadoc/org/owasp/html/Sanitizers.html.

PolicyFactory policy = Sanitizers.FORMATTING.and(Sanitizers.LINKS);
String safeHTML = policy.sanitize(untrustedHTML);

or the tests show how to configure your own policy here: http://code.google.com/p/owasp-java-html-sanitizer/source/browse/trunk/src/tests/org/owasp/html/HtmlPolicyBuilderTest.java

PolicyFactory policy = new HtmlPolicyBuilder()
   .allowElements("a")
   .allowUrlProtocols("https")
   .allowAttributes("href").onElements("a")
   .requireRelNofollowOnLinks()
   .build();
String safeHTML = policy.sanitize(untrustedHTML);

or you can write custom policies to do things like changing h1s to divs with a certain class:

PolicyFactory policy = new HtmlPolicyBuilder()
   .allowElements("p")
   .allowElements(
       new ElementPolicy() {
         public String apply(String elementName, List<String> attrs) {
           attrs.add("class");
           attrs.add("header-" + elementName);
           return "div";
         }
       }, "h1", "h2", "h3", "h4", "h5", "h6"))
   .build();
String safeHTML = policy.sanitize(untrustedHTML);

OWASP Project Header.jpg

OWASP HTML Sanitizer Project

The OWASP HTML Sanitizer is a fast and easy to configure HTML Sanitizer written in Java which lets you include HTML authored by third-parties in your web application while protecting against XSS. The existing dependencies are on guava and JSR 305. The other jars are only needed by the test suite. The JSR 305 dependency is a compile-only dependency, only needed for annotations. This code was written with security best practices in mind, has an extensive test suite, and has undergone adversarial security review. A great place to get started using the OWASP Java HTML Sanitizer is here: https://code.google.com/p/owasp-java-html-sanitizer/wiki/GettingStarted.

Benefits

  • Provides 4X the speed of AntiSamy sanitization in DOM mode and 2X the speed of AntiSamy in SAX mode.
  • Very easy to use. It allows for simple programmatic POSITIVE policy configuration (see below). No XML config.
  • Actively maintained by Mike Samuel from Google's AppSec team!
  • Passing 95+% of AntiSamy's unit tests plus many more.
  • This is code from the Caja project that was donated by Google. It is rather high performance and low memory utilization.
  • Java 1.5+

Licensing

The OWASP HTML Sanitizer is free to use under the Apache 2 License.

What is this?

The OWASP HTML Sanitizer Projects provides Java based HTML sanitization of untrusted HTML!

Code Repo

OWASP HTML Sanitizer at Google Code

Email List

Questions? Please sign up for our Project Email List

Project Leaders

Author: Mike Samuel @
PM: Jim Manico @

Related Projects

Quick Download

Release v226 at Google Code

News and Events

  • [3 Mar 2014] v226 Released
  • [5 Feb 2014] New Wiki
  • [4 Sept 2013] v209 Released

Change Log

For recent release notes, please visit the changelog on Google Code.

Classifications

Owasp-incubator-trans-85.png Owasp-builders-small.png
Owasp-defenders-small.png
Apache 2 License
Project Type Files CODE.jpg

You can use prepackaged policies here: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk/distrib/javadoc/org/owasp/html/Sanitizers.html.

PolicyFactory policy = Sanitizers.FORMATTING.and(Sanitizers.LINKS);
String safeHTML = policy.sanitize(untrustedHTML);

or the tests show how to configure your own policy here: http://code.google.com/p/owasp-java-html-sanitizer/source/browse/trunk/src/tests/org/owasp/html/HtmlPolicyBuilderTest.java

PolicyFactory policy = new HtmlPolicyBuilder()
   .allowElements("a")
   .allowUrlProtocols("https")
   .allowAttributes("href").onElements("a")
   .requireRelNofollowOnLinks()
   .build();
String safeHTML = policy.sanitize(untrustedHTML);

or you can write custom policies to do things like changing h1s to divs with a certain class:

PolicyFactory policy = new HtmlPolicyBuilder()
   .allowElements("p")
   .allowElements(
       new ElementPolicy() {
         public String apply(String elementName, List<String> attrs) {
           attrs.add("class");
           attrs.add("header-" + elementName);
           return "div";
         }
       }, "h1", "h2", "h3", "h4", "h5", "h6"))
   .build();
String safeHTML = policy.sanitize(untrustedHTML);