Anti-XSS java libraries [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers. 开发者_如何学运维

---

We don’t allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.

Closed 5 years ago.

Improve this question

I'm looking for a java library that can provide protection against XSS attacks. I'm writing a server, and would like to validate my user's input doesn't contain malicious javascript.

Which library would you recommend?

---

You should use AntiSamy. (That's what I did)

---

The great post how to prevent XSS attacks in different situations is posted in the following stack: Avoid XSS and allow some html tags with JavaScript

---

I've used the OWASP HTML sanitization project with much success.

https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project

Policies can be defined (or predefined policies can be used) that enable you to control what types of HTML elements are allowed on the String being validated/sanitized. A listener can be used as the HTML is sanitized in order to determine what elements are getting rejected, giving you flexibility around how to communicate this back to the client. Other than an easy implementation, I also like this library because it is produced and maintained by OWASP, a long standing organization whose aim is web security.

---

If you want to accept HTML from the users, then AntiSamy or something like jsoup makes sense. However, if you just want a good set of escapers, you can use a library such as CSL

We have a cheat sheet online that shows how to use it in many HTML contexts (aka HTML constructs):

---

I wrote a blog post on how to sanitize your inputs using OWASP library, may be can be helpful https://leantechblog.wordpress.com/2017/04/08/preventing-xss-sanitize-app-inputs/