Open damen-dotcms opened 1 year ago
The OWASP Java Encoder project is a library designed to help developers protect their applications from XSS attacks by providing encoding methods for different contexts, such as HTML, JavaScript, and URL parameters. Integrating this into your Velocity templates can significantly enhance security by sanitizing user inputs and outputs.
Using OWASP Encoder in Velocity Templates
To use the OWASP Encoder in your Velocity templates, follow these steps:
If you’re using Maven, include the following dependency in your pom.xml:
```xml
<dependency>
    <groupId>org.owasp.encoder</groupId>
    <artifactId>encoder</artifactId>
    <version>1.2.3</version> <!-- Check for the latest version -->
</dependency>
```
Here’s an example of how you might implement this:
```java
import org.owasp.encoder.Encode;

public class OwaspTool {

    // Percent-encodes the whole string as a single URI component; reserved
    // characters such as ':' '/' '?' '&' and '=' are encoded as well.
    public String validateUrl(String input) {
        // Implement URL validation logic
        return Encode.forUriComponent(input);
    }

    // Encodes for use inside a quoted HTML attribute value.
    public String forHtmlAttribute(String input) {
        return Encode.forHtmlAttribute(input);
    }

    // Simple heuristic for detecting XSS in URLs: matches only a literal,
    // lower-case "<script>" tag. String.matches() must match the whole
    // input, which is why the leading and trailing ".*" are needed.
    public boolean urlHasXSS(String input) {
        return input.matches(".*<script>.*");
    }

    // Encodes for HTML text content (between tags).
    public String forHtml(String input) {
        return Encode.forHtml(input);
    }
}
```
Configure the Velocity ViewTool in your velocity.properties (or equivalent configuration file):
```properties
tools.view.servlet.owasp = path.to.your.package.OwaspTool
```
Use the OWASP Encoder methods in your Velocity templates.
Example 1:
```velocity
#set($url = "https://www.google.com/search?q=maven+repository&oq=maven&aqs=chrome.1.<script>alert('test');</script>.2855j0j1&sourceid=chrome&ie=UTF-8")
$owasp.validateUrl($url) ## Encodes the URL components
$owasp.forHtmlAttribute($url) ## Encodes for HTML attributes
$owasp.urlHasXSS($url) ## Checks if the URL contains potential XSS
$owasp.forHtml("<script>window.location='/bad-url?doBadThings=true';</script>") ## Encodes for HTML
```
Example 2:
```velocity
#set($url = "https://www.google.com/search?q=maven+repository&oq=maven&aqs=chrome.1.<script>alert('test');</script>.2855j0j1&sourceid=chrome&ie=UTF-8")
## Validate and encode the URL
$owasp.validateUrl($url)
## Encode for HTML attribute
$owasp.forHtmlAttribute($url)
## Check if the URL has XSS
#if($owasp.urlHasXSS($url))
<p>Potential XSS detected in URL!</p>
#else
<p>URL is safe.</p>
#end
## Encode potentially dangerous HTML content
$owasp.forHtml("<script>window.location='/bad-url?doBadThings=true';</script>")
```
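The viewtool above exposes three of the library's encoders through one class, but the point of the OWASP Java Encoder is that each output context (text node, quoted attribute, JavaScript string, query-string value, whole URL in an href) needs a different method. The class below is an added example written for this page; it is not code from the issue, from the dotCMS plugin, or from the OWASP project. It calls the real `org.owasp.encoder.Encode` API (`forHtml`, `forHtmlAttribute`, `forJavaScript`, `forUriComponent`, `forUri`); the class name, method names, and the scheme allow-list check are assumptions made for the illustration, and the sample input is the URL from the Velocity examples above.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.regex.Pattern;
import org.owasp.encoder.Encode;

// Added example (not from the issue, the dotCMS plugin, or the OWASP project):
// one method per output context, plus a scheme check and a logging heuristic.
// Class, method and sample names are assumptions made for this illustration.
public class OwaspEncodeDemo {

    // Constructed sample input: the URL used in the issue's Velocity examples.
    static final String SAMPLE_URL =
        "https://www.google.com/search?q=maven+repository&oq=maven&aqs=chrome.1."
        + "<script>alert('test');</script>.2855j0j1&sourceid=chrome&ie=UTF-8";

    // Case-insensitive and tolerant of whitespace/attributes after the tag name.
    // The issue's ".*<script>.*" only matches the bare lower-case tag. Either
    // way this is for logging or alerting; the encoders are the actual control.
    private static final Pattern SCRIPT_TAG =
        Pattern.compile("<\\s*script\\b", Pattern.CASE_INSENSITIVE);

    /** Text node context: <p>$value</p>. */
    public static String forTextNode(String untrusted) {
        return Encode.forHtml(untrusted);
    }

    /** Quoted attribute context: <input value="$value">. Always quote the attribute. */
    public static String forQuotedAttribute(String untrusted) {
        return Encode.forHtmlAttribute(untrusted);
    }

    /** Inside a quoted JavaScript string literal: var q = '$value'; */
    public static String forJsStringLiteral(String untrusted) {
        return Encode.forJavaScript(untrusted);
    }

    /** A single query-string value: ?q=$value. Reserved characters (':' '/' '?'
     *  '&' '=') are encoded too, so applying this to a whole URL, as the issue's
     *  validateUrl does, yields a string that no longer works as a link. */
    public static String forQueryValue(String untrusted) {
        return Encode.forUriComponent(untrusted);
    }

    /** Whole URL placed in href="...": forUri percent-encodes characters that are
     *  illegal in a URL while keeping the URL delimiters, and the result is then
     *  attribute-encoded because it lands inside an HTML attribute. */
    public static String forHref(String untrustedUrl) {
        return Encode.forHtmlAttribute(Encode.forUri(untrustedUrl));
    }

    /** Encoding does not validate the scheme, so a link target should also be
     *  checked against an allow-list. True only for parseable http/https URLs. */
    public static boolean isHttpLink(String untrustedUrl) {
        try {
            String scheme = new URI(Encode.forUri(untrustedUrl)).getScheme();
            return scheme != null
                && (scheme.equalsIgnoreCase("http") || scheme.equalsIgnoreCase("https"));
        } catch (URISyntaxException e) {
            return false;
        }
    }

    /** Detection heuristic for logging; never a substitute for output encoding. */
    public static boolean looksLikeScriptInjection(String untrusted) {
        return SCRIPT_TAG.matcher(untrusted).find();
    }

    public static void main(String[] args) {
        System.out.println("text node   : " + forTextNode(SAMPLE_URL));
        System.out.println("attribute   : " + forQuotedAttribute(SAMPLE_URL));
        System.out.println("js string   : " + forJsStringLiteral(SAMPLE_URL));
        System.out.println("query value : " + forQueryValue("maven repository & more"));
        System.out.println("href        : " + forHref(SAMPLE_URL));
        System.out.println("whole URL as a component: " + forQueryValue(SAMPLE_URL));
        System.out.println("http(s) link: " + isHttpLink(SAMPLE_URL));
        System.out.println("script tag  : " + looksLikeScriptInjection(SAMPLE_URL));
    }
}
```

Running `main` side by side shows why `validateUrl` cannot double as a link encoder: `forQueryValue(SAMPLE_URL)` percent-encodes the `://` and `&` delimiters, whereas `forHref` leaves them intact and only neutralises the characters that would break out of the attribute. Wired into a viewtool, each template would call the method matching the context the value is written into, which is the contract the OWASP Encoder is built around.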
Would the above be in conjunction with current XSS protection measures? https://www.dotcms.com/docs/latest/xss-prevention
@bryanboza - please review, thanks
@bryanboza - please test, thanks.
We should pull this library and viewtool into the core
https://github.com/dotcms-plugins/com.dotcms.owasp.encoder
When we pull this and the library in, we need to replace the methods in this class to use the new library
https://github.com/dotCMS/core/blob/master/dotCMS/src/main/java/com/liferay/util/Xss.java
and also here:
https://github.com/dotCMS/core/blob/master/dotCMS/src/main/java/com/dotcms/rendering/velocity/viewtools/VelocityRequestWrapper.java#L85
We probably are going to want to use the latest (unreleased) version of this lib as it has been updated recently:
https://github.com/OWASP/owasp-java-encoder/commits/main
Maybe we use jitpack.io?