开发者

Sanitize CSS Using Java

Is there a good library in Java for sanitizing CS开发者_开发技巧S stylesheets? We would like to allow admin users to upload CSS stylesheets to control the look of portion of the site that they administrate. Naturally we do not want to allox XSS attacks such as background:url(javascript:) so we are looking for a good sanitization solution.

The only thing I have found so far that I have liked uses the Google Caja CssTree parser to exclude dangerous tags from CSS. I may end up using something like this, but if someone knows of a library that I do not have to bring down so many dependencies for, and extract, that would be helpful.

Solution: Used AntiSamy library like Vineet Reynolds suggested

        Policy policy = Policy.getInstance("antisamy.xml");
        ResourceBundle messages = ResourceBundle.getBundle("AntiSamy", Locale.getDefault());

        CssScanner scanner = new CssScanner(policy, messages);
        CleanResults results = scanner.scanStyleSheet(stylesheet, Integer.MAX_VALUE);


OWASP AntiSamy can perform CSS stylesheet validation; I haven't tried that feature in particular though. Also, I'm not sure if it fits your bill of being a project with too many dependencies. It relies on Apache Batik internally to perform the parsing of the stylesheet.

If I were security conscious, I wouldn't be bothered with downstream dependencies; I would choose the appropriate tool for the task.


Java's built-in StyleSheet and CSS class has support for parsing stylesheets and allowing you to interact with them (remove certain properties, enforce certain properties, etc.). I'm not sure if they are completely up to date and model every available property, but it's something worth looking into (one less library to ship!)


You might be able to use the CSSParser from the Flying saucer project

You would still have to iterate over all of the rules and decide if they are dangerous or not.


The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are and the best practices in defending against them. It recommends using OWASP's ESAPI Project to build your defenses against XSS. This ESAPI project has created an encoding library which comes in a variety of languages including Java, .NET, PHP, Classic ASP, Cold Fusion, Python, and Haskell. It has tools for encoding untrusted data for the context that you're dealing with:

encodeForHTML
encodeForHTMLAttribute
encodeForJavaScript
encodeForCSS
encodeForURL

It also has a validator which validates for the context the input belongs to:

boolean isValidURL = ESAPI.validator().isValidInput("URLContext", userURL, "URL", 255, false);

Some organisations using ESAPI include American Express, Apache Foundation, Booz Allen Hamilton, Aspect Security, Foundstone(McAfee), The Hartford, Infinite Campus, Lockheed Martin, MITRE, U.S. Navy - SPAWAR, The World Bank, SANS Institute.

I also recommend giving their XSS Prevention Cheat Sheet a read which describes the best practices in building your defenses against XSS (it essentially boils down to that you MUST use the escape syntax for the part of the HTML document you’re putting untrusted data into).

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜