No description, website, or topics provided.
HTML Java
Switch branches/tags
Nothing to show
Clone or download
Permalink
Failed to load latest commit information.
conf Add versions to superset files Nov 19, 2015
docs Update 3.1 Using the XssPreventer.md Dec 13, 2015
src Add versions to superset files Nov 19, 2015
.gitignore Update .gitignore Aug 6, 2015
AUTHORS [XSSFILTERSUS-157] 문서 내용 추가 Sep 22, 2014
CHANGELOG.md Update CHANGELOG.md Nov 18, 2014
CONTRIBUTING.md
LICENSE LICENSE: remove Apache License 2.0 full text Sep 26, 2014
MAINTAINERS [XSSFILTERSUS-157] 문서 내용 추가 Sep 22, 2014
README.md Update README.md May 14, 2015
VERSION Update VERSION Dec 29, 2014
checkstyle-suppressions.xml
checkstyle.xml [XSSFILTERSUS-151] findbug, checkstyle 설정 추가 Sep 19, 2014
findbugs-exclude.xml [XSSFILTERSUS-151] findbug, checkstyle 설정 추가 Sep 19, 2014
pom.xml Add Cubertura plugin Mar 12, 2015

README.md

logo

Lucy-XSS : XssFilter, XssPreventer

Lucy-XSS is an open source library of two defense modules to protect Web applications from XSS attacks. It supports the white-list rule based security policy. The current default rule is Naver's standard. You can change the default rule if you want.

XssFilter

  • Java-based library that supports the method of setting the white-list to protect the web application.
  • If you use the filter with the white-list method, it will provide tighter security measures for websites from XSS attacks than the existing filter that uses the black-list method.
  • Support for both DOM and SAX Parser.

Lucy-XSS Filter structure.jpg

XssPreventer

  • Use the apache-common-lang3 library to prevent XSS attack.
  • Simply convert all input string as follows so it can't be recognized as HTML tags on web browser.
< → &lt; 
> → &gt; 
" → &quot; 
' → &#39;

https://commons.apache.org/proper/commons-lang/javadocs/api-3.1/org/apache/commons/lang3/StringEscapeUtils.html#escapeHtml4%28java.lang.String%29

XssFilter VS XssPreventer

  • Simple text parameter other than HTML should be filtered using the XssPreventer.
  • Use Xss Filter if you need to receive HTML tags for input. (eg: mail, visitors' book, message board service)

Release Information

The latest stable release of lucy-xss is 1.6.3. You can pull it from the central Maven repositories.

<dependency>
	<groupId>com.navercorp.lucy</groupId>
	<artifactId>lucy-xss</artifactId>
	<version>1.6.3</version>
</dependency>

Getting started

We also offer an interactive tutorial for learning basic uses of Lucy-XSS. See Docs for instructions on installing Luxy-xss.

To begin using the library, please see the Quick Start Guide.

Usage examples

  • XssPreventer
@Test
public void testXssPreventer() {
	String dirty = "\"><script>alert('xss');</script>";
	String clean = XssPreventer.escape(dirty);
		
	Assert.assertEquals(clean, "&quot;&gt;&lt;script&gt;alert(&#39xss&#39);&lt;/script&gt;");
	Assert.assertEquals(dirty, XssPreventer.unescape(clean));
}
  • XssFilter : DOM
@Test
public void pairQuoteCheckOtherCase() {
	XssFilter filter = XssFilter.getInstance("lucy-xss-superset.xml");
	String dirty = "<img src=\"<img src=1\\ onerror=alert(1234)>\" onerror=\"alert('XSS')\">";
	String expected = "<img src=\"\"><!-- Not Allowed Attribute Filtered ( onerror=alert(1234)) --><img src=1\\>\" onerror=\"alert('XSS')\"&gt;";
	String clean = filter.doFilter(dirty);
	Assert.assertEquals(expected, clean);
		
	dirty = "<img src='<img src=1\\ onerror=alert(1234)>\" onerror=\"alert('XSS')\">";
	expected = "<img src=''><!-- Not Allowed Attribute Filtered ( onerror=alert(1234)) --><img src=1\\>\" onerror=\"alert('XSS')\"&gt;";
	clean = filter.doFilter(dirty);
	Assert.assertEquals(expected, clean);
}
  • XssFilter : SAX
@Test
public void testSuperSetFix() {
	XssSaxFilter filter = XssSaxFilter.getInstance("lucy-xss-superset-sax.xml");
	String clean = "<TABLE class=\"NHN_Layout_Main\" style=\"TABLE-LAYOUT: fixed\" cellSpacing=\"0\" cellPadding=\"0\" width=\"743\">" + "</TABLE>" + "<SPAN style=\"COLOR: #66cc99\"></SPAN>";
	String filtered = filter.doFilter(clean);
	Assert.assertEquals(clean, filtered);
}

For more information, please see ....doc

Contributing to Lucy

Want to hack on Lucy-XSS? Awesome! There are instructions to get you started here. They are probably not perfect, please let us know if anything feels wrong or incomplete. (Please wait. We are preparing for contribution guide.)

Other Lucy Related Projects

Licensing

Lucy is licensed under the Apache License, Version 2.0. See LICENSE for full license text.

Maintainer

leeplay Seongmin Woo Jaehee Ahn