Stripes XSS Interceptor
Stripes XSS Interceptor escapes all the parameters that Stripes binds during its Validation & Binding phase using a wrapped request object (a convenient implementation of the HttpServletRequest
interface). The code follows the XSS (Cross Site Scripting) security guidance posted at Open Web Application Security Project (OWASP).
NOTE: Parameters gotten manually through request.getParameter()
are not sanitized.
This project is an update of the excellent XSS filter from Jeff Ferber and contain the following changes:
- All external dependencies have been removed except for Servlet API and Stripes Framework.
- The class
sun.text.Normalizer
has been replaced with the newerjava.text.Normalizer
shipped with Java SE 6. Please read Why Developers Should Not Write Programs That Call 'sun' Packages.
Configuration
Maven Configuration
Add Stripes XSS Interceptor dependency to your project:
<dependency>
<groupId>com.samaxes.stripes</groupId>
<artifactId>stripesafe</artifactId>
<version>VERSION</version>
</dependency>
Stripes filter configuration
Add Stripes XSS Interceptor to Stripes filter Extension.Packages
configuration in web.xml
:
<init-param>
<param-name>Extension.Packages</param-name>
<param-value>com.samaxes.stripes.xss</param-value>
</init-param>
License
This distribution is licensed under the terms of the Apache License, Version 2.0 (see LICENSE.txt).