How to sanitize HTML code in Java to prevent XSS attacks?

31
votes

I'm looking for class/util etc. to sanitize HTML code i.e. remove dangerous tags, attributes and values to avoid XSS and similar attacks.

I get html code from rich text editor (e.g. TinyMCE) but it can be send malicious way around, ommiting TinyMCE validation ("Data submitted form off-site").

Is there anything as simple to use as InputFilter in PHP? Perfect solution I can imagine works like that (assume sanitizer is encapsulated in HtmlSanitizer class):

String unsanitized = "...<...>...";           // some potentially 
                                              // dangerous html here on input

HtmlSanitizer sat = new HtmlSanitizer();      // sanitizer util class created

String sanitized = sat.sanitize(unsanitized); // voila - sanitized is safe...

Update - the simpler solution, the better! Small util class with as little external dependencies on other libraries/frameworks as possible - would be best for me.

How about that?

5
javahtmlsanitizationxss
So what you basically want is for clients to be able to submit forms which are then displayed in shape of fx. a guestbook? And you want them to be able to use html but you still want to be able to block malicious users hacking-attempts? Or did I get it all wrong here...? - Latze
@Latze: I want clients (users via their browsers) to submit richtext content (html format via rich text editor - TinyMCE) but to check and remove any potentially dangerous (unsafe) content. I don't know what is fx and guestbook that you mention in this context. - WildWezyr
Ah! I will give it a shot, give me a couple of minutes - Latze

5 Answers

38
votes

You can try OWASP Java HTML Sanitizer. It is very simple to use. 

PolicyFactory policy = new HtmlPolicyBuilder()
    .allowElements("a")
    .allowUrlProtocols("https")
    .allowAttributes("href").onElements("a")
    .requireRelNofollowOnLinks()
    .build();

String safeHTML = policy.sanitize(untrustedHTML);
14
votes

You could use OWASP ESAPI for Java, which is a security library that is built to do such operations.

Not only does it have encoders for HTML, it also has encoders to perform JavaScript, CSS and URL encoding. Sample uses of ESAPI can be found in the XSS prevention cheatsheet published by OWASP.

You could use the OWASP AntiSamy project to define a site policy that states what is allowed in user-submitted content. The site policy can be later used to obtain "clean" HTML that is displayed back. You can find a sample TinyMCE policy file on the AntiSamy downloads page.

9
votes

Thanks to @Saljack's answer. Just to elaborate more to OWASP Java HTML Sanitizer. It worked out really well (quick) for me. I just added the following to the pom.xml in my Maven project:

    <dependency>
        <groupId>com.googlecode.owasp-java-html-sanitizer</groupId>
        <artifactId>owasp-java-html-sanitizer</artifactId>
        <version>20150501.1</version>
    </dependency>

Check here for latest release.

Then I added this function for sanitization:

    private String sanitizeHTML(String untrustedHTML){
        PolicyFactory policy = new HtmlPolicyBuilder()
            .allowAttributes("src").onElements("img")
            .allowAttributes("href").onElements("a")
            .allowStandardUrlProtocols()
            .allowElements(
            "a", "img"
            ).toFactory();

        return policy.sanitize(untrustedHTML); 
    }

More tags can be added by extending the comma delimited parameter in allowElements method.

Just add this line prior passing the bean off to save the data:

    bean.setHtml(sanitizeHTML(bean.getHtml()));

That's it!

For more complex logic, this library is very flexible and it can handle more sophisticated sanitizing implementation.

6
votes

HTML escaping inputs works very well. But in some cases business rules might require you NOT to escape the HTML. Using REGEX is not fit for the task and it is too hard to come up with a good solution using it.

The best solution I found was to use: http://jsoup.org/cookbook/cleaning-html/whitelist-sanitizer

It builds a DOM tree with the provided input and filters any element not previosly allowed by a Whitelist. The API also has other functions for cleaning up html.

And it can also be used with javax.validation @SafeHtml(whitelistType=, additionalTags=)

0
votes

Regarding Antisamy, you may want to check this regarding the dependencies:

http://code.google.com/p/owaspantisamy/issues/detail?id=95&can=1&q=redyetidave