Difference between revisions of "Projects/OWASP Java HTML Sanitizer Project"

From OWASP
Jump to: navigation, search
(updating prep)
(18 intermediate revisions by 2 users not shown)
Line 1: Line 1:
{{Template:Project About
+
= Project Info =
 +
 
 +
{{Template:<includeonly>{{{1}}}</includeonly><noinclude>Project About</noinclude>
  
 
| project_name = OWASP Java HTML Sanitizer
 
| project_name = OWASP Java HTML Sanitizer
Line 6: Line 8:
  
 
| project_description =  
 
| project_description =  
*This is a fast Java-based HTML Sanitizer which provides XSS protection.
+
*The OWASP Java HTML Sanitizer Project is a fast and easy to configure HTML Sanitizer written in Java which lets you include HTML authored by third-parties in your web application while protecting against XSS.
*This is code from the Caja project that was donated by Google. It is rather high performance and low memory utilization.
+
*This code was written with security best practices in mind, has an extensive test suite, and has undergone adversarial security review [https://code.google.com/p/owasp-java-html-sanitizer/wiki/AttackReviewGroundRules https://code.google.com/p/owasp-java-html-sanitizer/wiki/AttackReviewGroundRules].
*The existing dependencies are on guava and JSR 305. The other jars are only needed by the unittests. The JSR 305 dependency is a compile-only dependency, only needed for annotations.  
+
*The existing dependencies are on guava and JSR 305. The JSR 305 dependency is a compile-only dependency, only needed for annotations. The other jars are only needed by the unittests.  
*This code provides 4X the speed of AntiSamy sanitization in DOM mode and 2X the speed of AntiSamy in SAX mode
+
*Provides 4X the speed of AntiSamy sanitization in DOM mode and 2X the speed of AntiSamy in SAX mode.
 
*Very easy to use. It allows for simple programmatic POSITIVE policy configuration (see below). No XML config.
 
*Very easy to use. It allows for simple programmatic POSITIVE policy configuration (see below). No XML config.
*It does not suffer from the various security flaws that the Niko HTML parser brought with it
+
*Actively maintained by Mike Samuel from Google's AppSec team!
*Actively maintained by myself and Mike Samuel from Google's AppSec team
+
*Passing 95+% of AntiSamy's unit tests plus many more.
*Already passing 80% of AntiSamy's unit tests *plus many more*.
+
*This is code from the Caja project that was donated by Google. It is rather high performance and low memory utilization.
* Only 3 dependent jar files
+
*Java 1.5+
*This is a pure Java 6 project and does not support Java 5 or below ( Please note AntiSamy supports 1.4+ ).
+
 
+
  
 
| project_license = [http://www.opensource.org/licenses/bsd-license.php New BSD License]
 
| project_license = [http://www.opensource.org/licenses/bsd-license.php New BSD License]
  
| leader_name1 = Jim Manico
+
| leader_name1 = Mike Samuel
| leader_email1 = jim.manico@owasp.org
+
| leader_email1 = mikesamuel@gmail.com
| leader_username1 = Jmanico
+
| leader_username1 =
 +
 
 +
| leader_name2 = Jim Manico
 +
| leader_email2 = jim@owasp.org
 +
| leader_username2 = jmanico
  
 
| contributor_name[1-10] =  
 
| contributor_name[1-10] =  
Line 38: Line 42:
 
| links_url1 = https://code.google.com/p/owasp-java-html-sanitizer/
 
| links_url1 = https://code.google.com/p/owasp-java-html-sanitizer/
 
| links_name1 = https://code.google.com/p/owasp-java-html-sanitizer/
 
| links_name1 = https://code.google.com/p/owasp-java-html-sanitizer/
 +
| links_url2 = http://code.google.com/p/owasp-java-html-sanitizer/wiki/Maven
 +
| links_name2 = http://code.google.com/p/owasp-java-html-sanitizer/wiki/Maven
  
| links_url2 =
+
| release_1 = Release_v135
| links_name2 =
+
| release_2 = Release_v175
 
+
| release_3 = Release_v209
| release_1 = We are currently at Alpha right now - but will be production ready and soon.
+
| release_2 =  
+
| release_3 =
+
 
| release_4 =
 
| release_4 =
 +
<!--- The line below is for GPC usage only. Please do not edit it --->
 +
| project_about_page = Projects/OWASP Java HTML Sanitizer Project
 +
 
}}
 
}}
 +
 +
= Info =
 +
 +
The OWASP HTML Sanitizer is a fast and easy to configure HTML Sanitizer written in Java which lets you include HTML authored by third-parties in your web application while protecting against XSS.
 +
 +
The existing dependencies are on guava and JSR 305. The other jars are only needed by the test suite. The JSR 305 dependency is a compile-only dependency, only needed for annotations.
 +
 +
This code was written with security best practices in mind, has an extensive test suite, and has undergone adversarial security review.
 +
 +
A great place to get started using the OWASP Java HTML Sanitizer is here: [https://code.google.com/p/owasp-java-html-sanitizer/wiki/GettingStarted https://code.google.com/p/owasp-java-html-sanitizer/wiki/GettingStarted].
 +
 +
= Creating a HTML Policy =
 +
 +
You can use prepackaged policies here: [http://owasp-java-html-sanitizer.googlecode.com/svn/trunk/distrib/javadoc/org/owasp/html/Sanitizers.html http://owasp-java-html-sanitizer.googlecode.com/svn/trunk/distrib/javadoc/org/owasp/html/Sanitizers.html].
 +
 +
PolicyFactory policy = Sanitizers.FORMATTING.and(Sanitizers.LINKS);
 +
String safeHTML = policy.sanitize(untrustedHTML);
 +
 +
or the tests show how to configure your own policy here: [http://code.google.com/p/owasp-java-html-sanitizer/source/browse/trunk/src/tests/org/owasp/html/HtmlPolicyBuilderTest.java http://code.google.com/p/owasp-java-html-sanitizer/source/browse/trunk/src/tests/org/owasp/html/HtmlPolicyBuilderTest.java]
 +
 +
PolicyFactory policy = new HtmlPolicyBuilder()
 +
    .allowElements("a")
 +
    .allowUrlProtocols("https")
 +
    .allowAttributes("href").onElements("a")
 +
    .requireRelNofollowOnLinks()
 +
    .build();
 +
String safeHTML = policy.sanitize(untrustedHTML);
 +
 +
or you can write custom policies to do things like changing h1s to divs with a certain class:
 +
 +
PolicyFactory policy = new HtmlPolicyBuilder()
 +
    .allowElements("p")
 +
    .allowElements(
 +
        new ElementPolicy() {
 +
          public String apply(String elementName, List<String> attrs) {
 +
            attrs.add("class");
 +
            attrs.add("header-" + elementName);
 +
            return "div";
 +
          }
 +
        }, "h1", "h2", "h3", "h4", "h5", "h6"))
 +
    .build();
 +
String safeHTML = policy.sanitize(untrustedHTML);
 +
 +
= Questions =
 +
 +
*How was this project tested?
 +
**This code was written with security best practices in mind, has an extensive test suite, and has undergone [https://code.google.com/p/owasp-java-html-sanitizer/wiki/AttackReviewGroundRules adversarial security review].
 +
*How is this project deployed?
 +
**This project is best deployed through Maven [https://code.google.com/p/owasp-java-html-sanitizer/wiki/Maven https://code.google.com/p/owasp-java-html-sanitizer/wiki/Maven]
 +
 +
__NOTOC__ <headertabs /> <br>
 +
 +
[[Category:OWASP Project]]

Revision as of 20:30, 15 September 2013

[edit]

PROJECT INFO
What does this OWASP project offer you?
RELEASE(S) INFO
What releases are available for this project?
what is this project?
Name: OWASP Java HTML Sanitizer (home page)
Purpose:
  • The OWASP Java HTML Sanitizer Project is a fast and easy to configure HTML Sanitizer written in Java which lets you include HTML authored by third-parties in your web application while protecting against XSS.
  • This code was written with security best practices in mind, has an extensive test suite, and has undergone adversarial security review https://code.google.com/p/owasp-java-html-sanitizer/wiki/AttackReviewGroundRules.
  • The existing dependencies are on guava and JSR 305. The JSR 305 dependency is a compile-only dependency, only needed for annotations. The other jars are only needed by the unittests.
  • Provides 4X the speed of AntiSamy sanitization in DOM mode and 2X the speed of AntiSamy in SAX mode.
  • Very easy to use. It allows for simple programmatic POSITIVE policy configuration (see below). No XML config.
  • Actively maintained by Mike Samuel from Google's AppSec team!
  • Passing 95+% of AntiSamy's unit tests plus many more.
  • This is code from the Caja project that was donated by Google. It is rather high performance and low memory utilization.
  • Java 1.5+
License: New BSD License
who is working on this project?
Project Leader(s):
how can you learn more?
Project Pamphlet: Not Yet Created
Project Presentation:
Mailing list: Mailing List Archives
Project Roadmap: View
Main links:
Key Contacts
  • Contact Mike Samuel @ to contribute to this project
  • Contact Mike Samuel @ to review or sponsor this project
  • Contact the GPC to report a problem or concern about this project or to update information.
current release
For more information goto https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project.
last reviewed release
Not Yet Reviewed


other releases

The OWASP HTML Sanitizer is a fast and easy to configure HTML Sanitizer written in Java which lets you include HTML authored by third-parties in your web application while protecting against XSS.

The existing dependencies are on guava and JSR 305. The other jars are only needed by the test suite. The JSR 305 dependency is a compile-only dependency, only needed for annotations.

This code was written with security best practices in mind, has an extensive test suite, and has undergone adversarial security review.

A great place to get started using the OWASP Java HTML Sanitizer is here: https://code.google.com/p/owasp-java-html-sanitizer/wiki/GettingStarted.

You can use prepackaged policies here: http://owasp-java-html-sanitizer.googlecode.com/svn/trunk/distrib/javadoc/org/owasp/html/Sanitizers.html.

PolicyFactory policy = Sanitizers.FORMATTING.and(Sanitizers.LINKS);
String safeHTML = policy.sanitize(untrustedHTML);

or the tests show how to configure your own policy here: http://code.google.com/p/owasp-java-html-sanitizer/source/browse/trunk/src/tests/org/owasp/html/HtmlPolicyBuilderTest.java

PolicyFactory policy = new HtmlPolicyBuilder()
   .allowElements("a")
   .allowUrlProtocols("https")
   .allowAttributes("href").onElements("a")
   .requireRelNofollowOnLinks()
   .build();
String safeHTML = policy.sanitize(untrustedHTML);

or you can write custom policies to do things like changing h1s to divs with a certain class:

PolicyFactory policy = new HtmlPolicyBuilder()
   .allowElements("p")
   .allowElements(
       new ElementPolicy() {
         public String apply(String elementName, List<String> attrs) {
           attrs.add("class");
           attrs.add("header-" + elementName);
           return "div";
         }
       }, "h1", "h2", "h3", "h4", "h5", "h6"))
   .build();
String safeHTML = policy.sanitize(untrustedHTML);