
XSS Sanitizer for Stripes Framework


Stripes XSS Interceptor

Stripes XSS Interceptor escapes every parameter that Stripes binds during its Validation & Binding phase, by handing Stripes a wrapped request object (an implementation of the HttpServletRequest interface that returns escaped parameter values). The escaping follows the XSS (Cross-Site Scripting) prevention guidance published by the Open Web Application Security Project (OWASP).

NOTE: Only parameters bound by Stripes are escaped. Parameters read directly from the request through request.getParameter() are not sanitized.
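As an added illustration, not the project's own source, this is the shape such an interceptor takes in Stripes: an HttpServletRequestWrapper that escapes every parameter accessor, installed by an Interceptor at the BindingAndValidation stage so that Stripes binds the escaped values. The class names, the exact escaping rule (OWASP's HTML entity encoding of & < > " and ') and the Servlet 3.0 generic getParameterMap signature are assumptions.

```java
import java.util.*;
import javax.servlet.http.*;
import net.sourceforge.stripes.action.*;
import net.sourceforge.stripes.controller.*;

/** Hypothetical wrapper: every parameter accessor hands back an HTML-escaped copy. */
class XssRequestWrapper extends HttpServletRequestWrapper {
    XssRequestWrapper(HttpServletRequest request) { super(request); }

    /** Assumed escaping rule: OWASP XSS Prevention rule #1, entity-encoding & < > " and '. */
    static String escape(String s) {
        if (s == null) return null;
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    @Override public String getParameter(String name) { return escape(super.getParameter(name)); }

    @Override public String[] getParameterValues(String name) {
        String[] raw = super.getParameterValues(name);
        if (raw == null) return null;
        String[] clean = new String[raw.length];
        for (int i = 0; i < raw.length; i++) clean[i] = escape(raw[i]);
        return clean;
    }

    /** Stripes binds from the parameter map, so it must be escaped as well. */
    @Override public Map<String, String[]> getParameterMap() {
        Map<String, String[]> clean = new LinkedHashMap<>();
        for (Object name : super.getParameterMap().keySet()) clean.put((String) name, getParameterValues((String) name));
        return Collections.unmodifiableMap(clean);
    }
}

/** Hypothetical interceptor: swaps the wrapper in just before Stripes binds parameters. */
@Intercepts(LifecycleStage.BindingAndValidation)
public class XssInterceptor implements Interceptor {
    @Override public Resolution intercept(ExecutionContext ctx) throws Exception {
        ActionBeanContext abc = ctx.getActionBeanContext();
        abc.setRequest(new XssRequestWrapper(abc.getRequest())); // reads of the raw request still bypass this
        return ctx.proceed();
    }
}
```

Because the interceptor only replaces the request held by the ActionBeanContext, code that keeps a reference to the original HttpServletRequest (a servlet filter ahead of Stripes, for example) still sees the unescaped values, which is the caveat in the note above.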

This project is an update of the excellent XSS filter from Jeff Ferber and contains the following changes:

Configuration

Maven Configuration

Add the Stripes XSS Interceptor dependency to your project:

<dependency>
    <groupId>com.samaxes.stripes</groupId>
    <artifactId>stripesafe</artifactId>
    <version>VERSION</version>
</dependency>

Stripes filter configuration

Add the Stripes XSS Interceptor package to the Stripes filter's Extension.Packages configuration in web.xml:

<init-param>
    <param-name>Extension.Packages</param-name>
    <param-value>com.samaxes.stripes.xss</param-value>
</init-param>

License

This distribution is licensed under the terms of the Apache License, Version 2.0 (see LICENSE.txt).