What is the easiest way (framework/library/call) to prevent Cross Site Scripting using Google App Engine (GAE)?
I'd like to store then later display user-entered content securely with minimal effort (my goal is a web app not writing a bunch of security-related code).
EDIT: Google App Engine for Java
I'm working with the same issue myself; but I haven't had the chance to get it out into the real world yet; so please just keep in mind that MY ANSWER IS NOT BATTLE TESTED. USE AT YOUR OWN RISK.
First, you need to ask yourself if you're going to be allowing the user to use ANY html markup. So, for example, can the user enter a link? What about make bold text?
If the answer is NO, then it is fairly simple. Here is the idea of how to set the filter up:
http://greatwebguy.com/programming/java/simple-cross-site-scripting-xss-servlet-filter/
But personally, I don't like the filter being used in the first example; I just put it there to show you how to set the filter up.
I would recommend using this filter:
http://xss-html-filter.sourceforge.net/
So basically:
- Set up the example from the first link and get it working.
- Download the example from the second link and put it in your project in such a way that you can access it from your code.
- Rewrite the cleanXSS method to use what you downloaded from the second link. So probably something like:
  private String cleanXSS(String value) { return new HTMLInputFilter().filter(value); }
If you do want to allow HTML (such as an anchor tag/etc) then it looks like the HTMLInputFilter has mechanisms to allow this; but it isn't documented so you'll have to figure it out by looking at the code yourself or provide your own way of filtering.
user-entered content securely with minimal effort (my goal is a web app not writing a bunch of security-related code).
How much security-related code you need to write depends on how much you are at risk (how likely is it someone would want to attack your site, which itself is related to how popular your site is).
For example, if you're writing a public notepad which will have a total of 3 users, you can get away with the bare minimum; if, however, you're writing a "we hate China, Iran and all hackers/crackers" app dealing with $1,000,000 worth of transactions an hour and 3 billion users, you may be a bit more of a target.
Simply put you shouldn't trust any data that comes from outside your app including from the datastore. All this data should be checked that it's what you expect.
I've not validated incoming Java Strings against XSS; however, removing HTML is normally good enough, and Jsoup looks interesting for this (see Remove HTML tags from a String).
Also, to be sure, you should ensure you're outputting what you expect to be outputting and not some JavaScript.
Most templating engines, including Django's (which is bundled with App Engine), provide facilities to escape output to make it safe to print in HTML. In newer versions of Django, this is done automatically unless you tell it not to; in 0.9.6 (still the default in webapp), you pass your output values to |escape in the template.
Escaping on output is universally the best way to do this, because it means you have the original unmodified text; if you modify your escaping or output formatting later, you can still format text entered before that.
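The store-raw, escape-on-output approach described in this answer, as an added example for App Engine for Java that is not from the original post or any of the libraries mentioned; the HtmlEscape helper, the NoteServlet class and the STORED_NOTE sample (standing in for a value loaded from the datastore) are all constructed for illustration:

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Escapes the five characters that can change HTML structure or close a quoted attribute. */
final class HtmlEscape {
    private HtmlEscape() {}

    static String escape(String s) {
        if (s == null) return "";
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }
}

/** Hypothetical servlet: the note is kept unmodified in storage and escaped only when rendered. */
public class NoteServlet extends HttpServlet {
    // Constructed sample standing in for a note read back from the datastore exactly as entered.
    private static final String STORED_NOTE = "Tom & Jerry <script>alert(1)</script> \"quoted\"";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        resp.setContentType("text/html; charset=UTF-8");
        PrintWriter w = resp.getWriter();
        w.println("<!DOCTYPE html><html><body>");
        // Escape at the point of output, inside an element body ...
        w.println("<p>" + HtmlEscape.escape(STORED_NOTE) + "</p>");
        // ... and inside a double-quoted attribute; the same escaper covers both contexts,
        // so the stored text is shown literally and never parsed as markup.
        w.println("<input type=\"text\" value=\"" + HtmlEscape.escape(STORED_NOTE) + "\">");
        w.println("</body></html>");
    }
}
```

Because the original text is stored untouched, switching later to a template engine's own escaping (such as Django's |escape) needs no migration of existing data.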
You can also use a service that will proxy all connections and block any XSS attempts. I know only one service like that, CloudFlare (but it doesn't mean there aren't others like that). Unfortunately the security features come with the Pro plan, which is paid :(