[owasp-antisamy] Using Antisamy in URL validation

Mogare Amey Amey.Mogare at atosorigin.com
Wed May 11 02:27:45 EDT 2011

Hi Jason,


Thank you for reply. It was very helpful.


I have following queries à


1.    I want to use Antisamy for avoiding XSS attacks by cleaning the input data coming to server.

Following is URL with XSS attack on my application which I want to clean à


https://<host:port>/mypage?url=/search/search%3Fdomain=sinequa%26profile=DAS%26encoding=utf-8 %26token=%26text=x%26selScope=%26advanced=0%26search-btn-submit=Search%26precision=%26strategy=%26sort=globalrelevance.desc%26after=%26before=%26sourcecsv1=%26doctype=%26docformat=%26questionlanguage=autodetect%26documentlanguages=%26treepath-0=%26phonetics=1%26fuzzysearch=1%27%3balert%281%29//&system=SINEQUA_Search_System


Here you can see that 'fuzzysearch' parameter is containing an alert box.


Can Antisamy be use to avoid such attacks? If yes, how?


2.    My applications are using Java 1.4 (j2sdk1.4.2_16). 

Can Antisamy JAR (antisamy-1.4.4.jar) be used with it?


If no, where can I download suitable JAR?


3.    What are the dependant JARs that 'antisamy-1.4.4.jar' need?

I saw from your reply à https://lists.owasp.org/pipermail/owasp-antisamy/2010-October/000353.html that it needs following JARs?


* Apache Xerces 2.8.1

* Apache Batik-CSS 1.7

* NekoHTML 1.9.12

* Apache Commons HTTP-Client 3.1


>From where do I download these JARs?


Are these versions compatible for Java 1.4? If no, please let me know correct version.


4.    I tried it in my Java class for testing purpose, but it gives following exception: -


java.lang.NoClassDefFoundError: org/apache/batik/css/parser/ParseException

      at org.owasp.validator.html.AntiSamy.scan(AntiSamy.java:107)

      at XssTestMain.main(XssTestMain.java:37)

Exception in thread "main"


This is my XssTestMain.java à

            import org.owasp.validator.html.AntiSamy;

import org.owasp.validator.html.CleanResults;

import org.owasp.validator.html.Policy;

import org.owasp.validator.html.PolicyException;

import org.owasp.validator.html.ScanException;

public class XssTestMain {

public static void main(String[] args) {

      try {

            String POLICY_FILE_LOCATION = "C:/AMEY/SAP NWDS_7.01.3/WorkspaceAmey/XssTest/antisamy-esapi.xml";

            String dirtyInput = "1%27%3balert%281%29";

            System.out.println("dirtyInput : \n"+dirtyInput);

            Policy policy = Policy.getInstance(POLICY_FILE_LOCATION);

            AntiSamy as = new AntiSamy();

            CleanResults cr = as.scan(dirtyInput, policy);

            String cleanInput = cr.getCleanHTML();

            System.out.println("\ncleanInput : \n"+cleanInput);

      } catch (PolicyException e) {

            // TODO Auto-generated catch block


      } catch (ScanException e) {

            // TODO Auto-generated catch block







Thank you.


With warm regards,

Amey Mogare


From: Jason Li [mailto:jason.li at owasp.org] 
Sent: Tuesday, May 10, 2011 11:57 PM
To: Mogare Amey
Cc: owasp-antisamy at lists.owasp.org
Subject: Re: [owasp-antisamy] Using Antisamy in URL validation




AntiSamy policy files are available here:



The AntiSamy Project is meant to validate user generated rich text (HTML) input against a whitelist specification of safe HTML elements in order to prevent cross-site scripting. It does not provide any other type of validation. Depending on your use case, AntiSamy may or may not be appropriate for your requirements.


You will need to identify the parameter you wish to validate and pass that parameter value into the AntiSamy scanner. For example, assuming the parameter containing user generated rich text input was named "inputHtml", AntiSamy can be invoked as follows:

	String dirtyInput = request.getParameter("inputHtml");
	Policy policy = Policy.getInstance(INSERT_YOUR_POLICY_FILE_LOCATION);
	AntiSamy as = new AntiSamy(policy);
	CleanResults cr = as.scan(dirtyInput);
	String cleanInput = cr.getCleanHTML();

Again, note that AntiSamy is not a universal validator - it's specific use case is to validate user generated rich text input.




On Tue, May 10, 2011 at 9:13 AM, Mogare Amey <Amey.Mogare at atosorigin.com> wrote:



I want to use Antisamy API to clean URL parameters.


I read the details on https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project

And downloaded "antisamy-1.4.4.jar" and imported in my java class.


I don't know how to download base policy file mentioned in above URL. Where do get it?


Can you please help me in achieving my requirement? 


Which method I should use to clean URL parameters?


Thank you.


With warm regards,

Amey Mogare

Atos Origin India | SAP NetWeaver/ EP/ Web Dynpro | Nessie NDC : Production Line - SAP | Email : Amey.mogare at atosorigin.com | Office : +91-22-6733-3732 <tel:%2B91-22-6733-3732>  | Mobile : +91-9820-303-464 <tel:%2B91-9820-303-464> 


Owasp-antisamy mailing list
Owasp-antisamy at lists.owasp.org


-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-antisamy/attachments/20110511/3459619c/attachment-0001.html 

More information about the Owasp-antisamy mailing list