Difference between revisions of "Projects/OWASP Java HTML Sanitizer Project"

From OWASP
Redirect page
Jump to: navigation, search
(updating prep)
(Redirected page to OWASP Java HTML Sanitizer Project)
 
(2 intermediate revisions by the same user not shown)
Line 1: Line 1:
= Project Info =
+
#REDIRECT [[OWASP_Java_HTML_Sanitizer_Project]]
 
+
{{Template:<includeonly>{{{1}}}</includeonly><noinclude>Project About</noinclude>
+
 
+
| project_name = OWASP Java HTML Sanitizer
+
 
+
| project_home_page = OWASP Java HTML Sanitizer
+
 
+
| project_description =
+
*The OWASP Java HTML Sanitizer Project is a fast and easy to configure HTML Sanitizer written in Java which lets you include HTML authored by third-parties in your web application while protecting against XSS.
+
*This code was written with security best practices in mind, has an extensive test suite, and has undergone adversarial security review [https://code.google.com/p/owasp-java-html-sanitizer/wiki/AttackReviewGroundRules https://code.google.com/p/owasp-java-html-sanitizer/wiki/AttackReviewGroundRules].
+
*The existing dependencies are on guava and JSR 305. The JSR 305 dependency is a compile-only dependency, only needed for annotations. The other jars are only needed by the unittests.
+
*Provides 4X the speed of AntiSamy sanitization in DOM mode and 2X the speed of AntiSamy in SAX mode.
+
*Very easy to use. It allows for simple programmatic POSITIVE policy configuration (see below). No XML config.
+
*Actively maintained by Mike Samuel from Google's AppSec team!
+
*Passing 95+% of AntiSamy's unit tests plus many more.
+
*This is code from the Caja project that was donated by Google. It is rather high performance and low memory utilization.
+
*Java 1.5+
+
 
+
| project_license = [http://www.opensource.org/licenses/bsd-license.php New BSD License]
+
 
+
| leader_name1 = Mike Samuel
+
| leader_email1 = mikesamuel@gmail.com
+
| leader_username1 =
+
 
+
| leader_name2 = Jim Manico
+
| leader_email2 = jim@owasp.org
+
| leader_username2 = jmanico
+
 
+
| contributor_name[1-10] =
+
| contributor_email[1-10] =
+
| contributor_username[1-10] =
+
 
+
| pamphlet_link =
+
 
+
| presentation_link =
+
 
+
| mailing_list_name = https://lists.owasp.org/mailman/listinfo/owasp-java-html-sanitizer
+
 
+
| project_road_map = http://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer/Roadmap
+
 
+
| links_url1 = https://code.google.com/p/owasp-java-html-sanitizer/
+
| links_name1 = https://code.google.com/p/owasp-java-html-sanitizer/
+
| links_url2 = http://code.google.com/p/owasp-java-html-sanitizer/wiki/Maven
+
| links_name2 = http://code.google.com/p/owasp-java-html-sanitizer/wiki/Maven
+
 
+
| release_1 = Release_v135
+
| release_2 = Release_v175
+
| release_3 = Release_v209
+
| release_4 =
+
<!--- The line below is for GPC usage only. Please do not edit it --->
+
| project_about_page = Projects/OWASP Java HTML Sanitizer Project
+
 
+
}}
+
 
+
= Info =
+
 
+
The OWASP HTML Sanitizer is a fast and easy to configure HTML Sanitizer written in Java which lets you include HTML authored by third-parties in your web application while protecting against XSS.
+
 
+
The existing dependencies are on guava and JSR 305. The other jars are only needed by the test suite. The JSR 305 dependency is a compile-only dependency, only needed for annotations.
+
 
+
This code was written with security best practices in mind, has an extensive test suite, and has undergone adversarial security review.
+
 
+
A great place to get started using the OWASP Java HTML Sanitizer is here: [https://code.google.com/p/owasp-java-html-sanitizer/wiki/GettingStarted https://code.google.com/p/owasp-java-html-sanitizer/wiki/GettingStarted].
+
 
+
= Creating a HTML Policy =
+
 
+
You can use prepackaged policies here: [http://owasp-java-html-sanitizer.googlecode.com/svn/trunk/distrib/javadoc/org/owasp/html/Sanitizers.html http://owasp-java-html-sanitizer.googlecode.com/svn/trunk/distrib/javadoc/org/owasp/html/Sanitizers.html].
+
 
+
PolicyFactory policy = Sanitizers.FORMATTING.and(Sanitizers.LINKS);
+
String safeHTML = policy.sanitize(untrustedHTML);
+
 
+
or the tests show how to configure your own policy here: [http://code.google.com/p/owasp-java-html-sanitizer/source/browse/trunk/src/tests/org/owasp/html/HtmlPolicyBuilderTest.java http://code.google.com/p/owasp-java-html-sanitizer/source/browse/trunk/src/tests/org/owasp/html/HtmlPolicyBuilderTest.java]
+
 
+
PolicyFactory policy = new HtmlPolicyBuilder()
+
    .allowElements("a")
+
    .allowUrlProtocols("https")
+
    .allowAttributes("href").onElements("a")
+
    .requireRelNofollowOnLinks()
+
    .build();
+
String safeHTML = policy.sanitize(untrustedHTML);
+
 
+
or you can write custom policies to do things like changing h1s to divs with a certain class:
+
 
+
PolicyFactory policy = new HtmlPolicyBuilder()
+
    .allowElements("p")
+
    .allowElements(
+
        new ElementPolicy() {
+
          public String apply(String elementName, List<String> attrs) {
+
            attrs.add("class");
+
            attrs.add("header-" + elementName);
+
            return "div";
+
          }
+
        }, "h1", "h2", "h3", "h4", "h5", "h6"))
+
    .build();
+
String safeHTML = policy.sanitize(untrustedHTML);
+
 
+
= Questions =
+
 
+
*How was this project tested?
+
**This code was written with security best practices in mind, has an extensive test suite, and has undergone [https://code.google.com/p/owasp-java-html-sanitizer/wiki/AttackReviewGroundRules adversarial security review].
+
*How is this project deployed?
+
**This project is best deployed through Maven [https://code.google.com/p/owasp-java-html-sanitizer/wiki/Maven https://code.google.com/p/owasp-java-html-sanitizer/wiki/Maven]
+
 
+
__NOTOC__ <headertabs /> <br>
+
 
+
[[Category:OWASP Project]]
+

Latest revision as of 10:04, 31 March 2014