Friday, May 24, 2019

webgoat 8.0.0 M25 XSS (mitigated)

It’s your turn!
Try to prevent this kind of XSS by creating a clean string inside of the saveNewComment() function. Use the "antisamy-slashdot.xml" as policy file for this example:


==================== the following doesn't pass the test ========

import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;
// MyCommentDAO is assumed to be in the same package as this controller,
// so it needs no import (a bare "import MyCommentDAO;" does not compile).

public class AntiSamyController {

    public void saveNewComment(int threadID, int userID, String newComment) {
        try {
            AntiSamy antisamy = new AntiSamy();
            // Policy file as located in the WebGoat source tree
            Policy policy = Policy.getInstance("src/main/webapp/WEB-INF/policies/antisamy-slashdot.xml");
            // Run the untrusted comment through the policy; only whitelisted markup survives
            CleanResults cr = antisamy.scan(newComment, policy);
            MyCommentDAO.addComment(threadID, userID, cr.getCleanHTML());
        } catch (ScanException | PolicyException e) {
            // scan() and Policy.getInstance() throw checked exceptions;
            // without handling them the class does not compile
            throw new RuntimeException("AntiSamy sanitisation failed", e);
        }
    }
}
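Added example, not code from the WebGoat lesson or from this post: a standalone sanitizer for the assignment above that loads antisamy-slashdot.xml from the classpath and reports what the policy stripped, so injection attempts show up in logs. The class name CommentSanitizer, the classpath location of the policy file and the sample comment are assumptions.

```java
// Added example; assumes antisamy-slashdot.xml is on the classpath and the
// OWASP AntiSamy library is on the build path. Not the WebGoat lesson's code.
import java.io.InputStream;
import java.util.List;

import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

public class CommentSanitizer {

    private final AntiSamy antiSamy = new AntiSamy();
    private final Policy policy;

    public CommentSanitizer() throws PolicyException {
        // Load the policy from the classpath rather than a hard-coded filesystem
        // path, so the same code works inside a WAR and in a unit test.
        InputStream in = getClass().getClassLoader()
                .getResourceAsStream("antisamy-slashdot.xml");
        if (in == null) {
            throw new IllegalStateException("antisamy-slashdot.xml not found on classpath");
        }
        this.policy = Policy.getInstance(in);
    }

    /** Returns the cleaned HTML and logs anything the policy rejected. */
    public String sanitize(String untrustedHtml) throws ScanException, PolicyException {
        CleanResults cr = antiSamy.scan(untrustedHtml, policy);
        if (cr.getNumberOfErrors() > 0) {
            // Each message names the tag or attribute that was removed: useful for
            // spotting injection attempts in logs without blocking legitimate users.
            List<String> errors = cr.getErrorMessages();
            System.err.println("AntiSamy removed " + errors.size() + " item(s): " + errors);
        }
        return cr.getCleanHTML();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: markup the Slashdot policy allows,
        // followed by a script element it does not.
        String comment = "<b>nice post</b><script>alert('xss')</script>";
        System.out.println(new CommentSanitizer().sanitize(comment));
    }
}
```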
