Add OWASP Java Encoder #24120
Comments
Need issue details. Link from Will.

This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 30 days.
The OWASP Java Encoder project is a library designed to help developers protect their applications from XSS attacks by providing encoding methods for different contexts, such as HTML, JavaScript, and URL parameters. Integrating this into your Velocity templates can significantly enhance security by sanitizing user inputs and outputs.

Using OWASP Encoder in Velocity Templates

To use the OWASP Encoder in your Velocity templates, follow these steps:

If you're using Maven, include the following dependency in your pom.xml:

```xml
<dependency>
  <groupId>org.owasp.encoder</groupId>
  <artifactId>encoder</artifactId>
  <version>1.2.3</version> <!-- Check for the latest version -->
</dependency>
```

Here's an example of how you might implement this:

```java
import org.owasp.encoder.Encode;

public class OwaspTool {

    public String validateUrl(String input) {
        // No validation is performed here; the whole input is percent-encoded
        // as a URI component (every character outside A-Z a-z 0-9 - _ . ~).
        return Encode.forUriComponent(input);
    }

    public String forHtmlAttribute(String input) {
        // Encode for use inside a quoted HTML attribute value
        return Encode.forHtmlAttribute(input);
    }

    public boolean urlHasXSS(String input) {
        // Simple heuristic for detecting XSS in URLs: matches() must match the
        // entire string, so the pattern is wrapped in ".*"; (?s) lets "." span
        // line breaks so a multi-line value is not missed.
        return input.matches("(?s).*<script>.*");
    }

    public String forHtml(String input) {
        // Encode for use as HTML body content
        return Encode.forHtml(input);
    }
}
```

```
tools.view.servlet.owasp = path.to.your.package.OwaspTool
```

Example1:

```velocity
#set($url = "https://www.google.com/search?q=maven+repository&oq=maven&aqs=chrome.1.<script>alert('test');</script>.2855j0j1&sourceid=chrome&ie=UTF-8")
$owasp.validateUrl($url) ## Encodes the URL components
$owasp.forHtmlAttribute($url) ## Encodes for HTML attributes
$owasp.urlHasXSS($url) ## Checks if the URL contains potential XSS
$owasp.forHtml("<script>window.location='/bad-url?doBadThings=true';</script>") ## Encodes for HTML
```

Example2:

```velocity
#set($url = "https://www.google.com/search?q=maven+repository&oq=maven&aqs=chrome.1.<script>alert('test');</script>.2855j0j1&sourceid=chrome&ie=UTF-8")
## Validate and encode the URL
$owasp.validateUrl($url)
## Encode for HTML attribute
$owasp.forHtmlAttribute($url)
## Check if the URL has XSS
#if($owasp.urlHasXSS($url))
<p>Potential XSS detected in URL!</p>
#else
<p>URL is safe.</p>
#end
## Encode potentially dangerous HTML content
$owasp.forHtml("<script>window.location='/bad-url?doBadThings=true';</script>")
```
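As an added illustration (not part of the issue, the dotCMS plugin, or the OWASP project), the stand-alone Java class below encodes one constructed input for each output context the OWASP Java Encoder distinguishes, so the differences between the `Encode.for*` methods can be compared side by side, and then builds a link the way a template would: the untrusted value is percent-encoded as a query parameter with `Encode.forUriComponent`, and the assembled `href` is attribute-encoded. It also shows the caveat behind the `validateUrl` method above: `forUriComponent` percent-encodes every character outside the unreserved set, `:` and `/` included, so applied to a whole URL it yields a string that is safe to embed but is no longer a usable link; it is meant for a single parameter value. The class name `ContextEncodingDemo`, the method names and the sample value are assumptions made for this example; it needs only `org.owasp.encoder:encoder` (the version named in the issue is 1.2.3) on the classpath.

```java
import org.owasp.encoder.Encode;

import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added example, not code from the issue or the plugin: the same untrusted
 * value encoded for each output context, plus a correctly layered link.
 */
public class ContextEncodingDemo {

    /** Encodes one value for several contexts so the outputs can be compared. */
    public static Map<String, String> encodeForAllContexts(String untrusted) {
        Map<String, String> out = new LinkedHashMap<>();
        // HTML body text: < > & " ' become entities
        out.put("html", Encode.forHtml(untrusted));
        // Quoted HTML attribute value: the value cannot close the surrounding quote
        out.put("htmlAttribute", Encode.forHtmlAttribute(untrusted));
        // JavaScript string literal: quotes, backslashes and tag characters are escaped
        out.put("javaScript", Encode.forJavaScript(untrusted));
        // CSS string literal inside quotes
        out.put("cssString", Encode.forCssString(untrusted));
        // Single URI component (one query parameter value): everything outside
        // A-Z a-z 0-9 - _ . ~ is percent-encoded, including ':' '/' '?' '&'
        out.put("uriComponent", Encode.forUriComponent(untrusted));
        return out;
    }

    /**
     * Builds an anchor from a trusted base URL and an untrusted search term.
     * Encoding is applied per context, innermost first: the term is a URI
     * component inside the href, and the finished href is an attribute value.
     */
    public static String buildSearchLink(String trustedBaseUrl, String untrustedTerm) {
        String href = trustedBaseUrl + "?q=" + Encode.forUriComponent(untrustedTerm);
        return "<a href=\"" + Encode.forHtmlAttribute(href) + "\">"
                + Encode.forHtml(untrustedTerm) + "</a>";
    }

    public static void main(String[] args) {
        // Constructed sample input, modelled on the payload in the issue's Example1
        String sample = "<script>alert('test');</script>";
        encodeForAllContexts(sample)
                .forEach((context, encoded) -> System.out.println(context + ": " + encoded));
        System.out.println(buildSearchLink("https://www.google.com/search", sample));

        // Applying forUriComponent to a whole URL shows why it does not "validate" a URL:
        // the scheme and path separators are percent-encoded along with the payload.
        System.out.println(Encode.forUriComponent("https://example.test/path?q=" + sample));
    }
}
```

Compile and run it with the encoder jar on the classpath (for example `javac -cp encoder-1.2.3.jar ContextEncodingDemo.java` followed by `java -cp encoder-1.2.3.jar:. ContextEncodingDemo`); the printed lines make the context-specific differences visible, and the last line shows that a whole URL passed through `forUriComponent` is no longer a link.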
Would the above be in conjunction with current XSS protection measures?

We would have to use OWASP JE rather than the XSS protection here.

@bryanboza - please review, thanks

@bryanboza - please test, thanks.
We should pull this library and viewtool into the core:
https://github.com/dotcms-plugins/com.dotcms.owasp.encoder

When we pull this and the library in, we need to replace the methods in this class to use the new library:
https://github.com/dotCMS/core/blob/master/dotCMS/src/main/java/com/liferay/util/Xss.java

and also here:
https://github.com/dotCMS/core/blob/master/dotCMS/src/main/java/com/dotcms/rendering/velocity/viewtools/VelocityRequestWrapper.java#L85

We probably are going to want to use the latest (unreleased) version of this lib as it has been updated recently:
https://github.com/OWASP/owasp-java-encoder/commits/main

Maybe we use jitpack.io?