[Tip of the Week] Using the AntiSamy Plugin to Clean User Input

If your site ever displays text on the page that end users have control over, you should be concerned about XSS attacks. This could come in the form of user comments at the bottom of an article, user-generated content, or user profile information. In many instances, the user should never be entering any HTML and you might simply fully escape that text with HTMLEditFormat() or EncodeForHTML() as you output it.

Other times you may be dealing with a forum or message board that allows some limited markup like bold or underline, but not script or object tags, etc. There is a very nice Java library from OWASP called AntiSamy that does just that. AntiSamy is named after the first wide-scale XSS worm ever developed, called Samy. This worm used malicious JavaScript embedded in MySpace profiles to infect over 1 million accounts in a single day.

What’s cool about AntiSamy is you can create different profiles that control what HTML is valid and what isn’t. This gives you complete control over what text you allow to be stored and output on your site. Instead of escaping forbidden tags and attributes, AntiSamy removes them entirely from the string.

ColdBox has an AntiSamy plugin to let you tap into this powerful library. In its simplest form, it looks like this:

#getPlugin("antisamy").clean("Hello World")#

Despite the JavaScript block in the middle of the string, the output is “Hello World”. As you can see, the bold tag is benign and is left alone.

More info here: http://wiki.coldbox.org/wiki/Plugins:AntiSamy.cfm

P.S. The ColdBox AntiSamy plugin ships with several policies such as ebay (default), myspace, slashdot, and tinymce stored as XML files in /coldbox/system/plugins/AntiSamy-lib/. If you want to roll up your sleeves, you can even supply a policy of your own making.

Thanks!

~Brad

ColdBox Platform Evangelist
Ortus Solutions, Corp

E-mail: brad@coldbox.org
ColdBox Platform: http://www.coldbox.org
Blog: http://www.codersrevolution.com

Great tip Brad.

When I run code based on the example in the documentation, I get an error:

Application Execution Exception

Error Type: Object : [N/A]

Error Messages: The scan method was not found.

F:\Coding\Workspace\Frameworks\coldbox\system\plugins\AntiSamy.cfc, line 90

Is there something that I’m missing here in terms of making sure the Java loads properly?

Tony

Hmm, that code still works for me. Are you on CF or Railo? Can you paste in the full error message including any Java stack traces? Look especially for any "caused by" sections at the bottom of the stack trace that represent a nested Java exception.

Also, try dumping out the “antiSamy” variables on that line of the plugin to see what you get.

Thanks!

~Brad

ColdBox Platform Evangelist
Ortus Solutions, Corp

E-mail: brad@coldbox.org
ColdBox Platform: http://www.coldbox.org
Blog: http://www.codersrevolution.com

In case anyone runs into this problem on older versions of ColdBox (3.6 for me), the solution was to wrap the value being passed into the scan() function with toString().

— Adrian
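For anyone who wants to see what the plugin's clean() call is doing underneath, here is an added example (not code from the thread, the ColdBox plugin, or the AntiSamy project) that drives the OWASP AntiSamy Java library directly: it loads one of the policy XML files, scans a constructed input, and logs what the policy stripped out. It also shows why Adrian's toString() fix works, since AntiSamy's scan() is declared as scan(String, Policy). The policy path, the class name and the sample input are assumptions; the antisamy jar must be on the classpath.

```java
import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

public class AntiSamyDemo {
    // Placeholder path (assumption): point this at one of the policy XML files
    // shipped in /coldbox/system/plugins/AntiSamy-lib/, e.g. the ebay policy.
    private static final String POLICY_PATH = "/path/to/AntiSamy-lib/antisamy-ebay.xml";

    /**
     * Runs the allow-list policy over untrusted markup and returns what survives.
     * Tags and attributes the policy forbids are removed, not escaped.
     */
    public static String clean(Object untrusted, Policy policy)
            throws ScanException, PolicyException {
        // scan() is declared as scan(String, Policy). String.valueOf() plays the
        // same role as the toString() wrapper Adrian describes: it guarantees a real
        // java.lang.String reaches the Java method rather than some other object.
        CleanResults results = new AntiSamy().scan(String.valueOf(untrusted), policy);

        // AntiSamy reports every element/attribute it dropped. Logging these is a
        // cheap way to notice accounts that keep submitting forbidden markup.
        for (String message : results.getErrorMessages()) {
            System.err.println("AntiSamy removed: " + message);
        }
        return results.getCleanHTML();
    }

    public static void main(String[] args) throws Exception {
        Policy policy = Policy.getInstance(POLICY_PATH);

        // Constructed sample: benign bold markup with a script element in the middle.
        // Under the ebay policy the <b> tag is kept and the script element, contents
        // included, is removed from the string entirely.
        String input = "<b>Hello <script>alert('x')</script>World</b>";
        System.out.println(clean(input, policy));
    }
}
```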