BoxLang 🚀 A New JVM Dynamic Language Learn More...
Copyright Since 2005 ColdBox Platform by Luis Majano and Ortus Solutions, Corp
www.coldbox.org |
www.ortussolutions.com
OWASP AntiSamy Module that provides XSS cleanup operations to ColdBox applications
Apache License, Version 2.0.
Just drop into your modules
folder or use the box-cli to install
box install cbantisamy
The module registers the following mapping in WireBox: antisamy@cbantisamy
that you can use to clean input a-la-carte intrusions. You can also activate different policies and an auto clean interceptor that will clean incoming variables for you automatically. The main methods to clean input are:
/**
* Clean HTML from XSS scripts using the AntiSamy project. The available policies are basic, antisamy, ebay, myspace, slashdot, custom
*
* @htmlData The html data to clean
* @policyFile The policy file to use. Defaults to the one in the configuration file
*
* @return sanitized html data
*/
string function clean( required htmlData, string policyFile = variables.defaultPolicy )
/**
* Checks whether HTML is safe from XSS scripts using the AntiSamy project. The available policies are basic, antisamy, ebay, myspace, slashdot, custom
*
* @htmlData The html data to clean
* @policyFile The policy file to use. Defaults to the one in the configuration file
*
* @return True if it is safe, false if not
*/
boolean function check( required htmlData, string policyFile = variables.defaultPolicy )
You can also use the two registered helper methods which delegate to the two methods above:
antisamyClean()
antisamyCheck()
Here are the module settings you can place in your ColdBox.cfc
under an antisamy
structure
// Antisamy settings
moduleSettings = {
"cbantisamy" : {
// Activate auto request capture cleanups interceptor
autoClean = true,
// Default Policy to use, available are: antisamy, ebay, myspace, slashdot and tinymce
defaultPolicy = "ebay",
// Custom Policy absolute path, leave empty if not used
customPolicy = ""
}
};
You can read more about AntiSamy here: https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project
Copyright Since 2005 ColdBox Framework by Ortus Solutions, Corp www.ortussolutions.com
Because of His grace, this project exists. If you don't like this, then don't read it, its not for you.
"Therefore being justified by faith, we have peace with God through our Lord Jesus Christ: By whom also we have access by faith into this grace wherein we stand, and rejoice in hope of the glory of God. And not only so, but we glory in tribulations also: knowing that tribulation worketh patience; And patience, experience; and experience, hope: And hope maketh not ashamed; because the love of God is shed abroad in our hearts by the Holy Ghost which is given unto us. ." Romans 5:5
"I am the way, and the truth, and the life; no one comes to the Father, but by me (JESUS)" Jn 14:1-12
All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
getSafeHTML()
and isSafeHTML()
methods when on ACFmoduleSettings
)autoClean
module configuration setting to default to true
. This is opinionated but also makes this module more "plug and play"basic
policy file. This policy file is the same default policy file used by ACFresultsObject
argument in HTMLSanitizer.cfc
method to check and changes it to return a boolean, to allow for consistent return types between ACF and Luceecheck
argument from the clean
method and adds a check
method in AntiSamy.cfc
cbox-antisamy
to cbantisamy
to allow the default CI scripts and request variables to work without major modificationantisamyClean(), antisamyCheck()
Autoclean
property not respecting proper boolean value
$
box install cbantisamy