Stripes XSS Interceptor escapes all the parameters that Stripes binds during its Validation & Binding phase using a wrapped request object (a convenient implementation of the HttpServletRequest interface). The code follows the XSS (Cross Site Scripting) security guidance posted at Open Web Application Security Project (OWASP).
NOTE: Parameters gotten manually through request.getParameter() are not sanitized.
This project is an update of the excellent XSS filter from Jeff Ferber and contain the following changes:
- All external dependencies have been removed except for Servlet API and Stripes Framework.
- The class
sun.text.Normalizerhas been replaced with the newerjava.text.Normalizershipped with Java SE 6. Please read Why Developers Should Not Write Programs That Call 'sun' Packages.
Add Stripes XSS Interceptor dependency to your project:
<dependency>
<groupId>com.samaxes.stripes</groupId>
<artifactId>stripesafe</artifactId>
<version>VERSION</version>
</dependency>Add Stripes XSS Interceptor to Stripes filter Extension.Packages configuration in web.xml:
<init-param>
<param-name>Extension.Packages</param-name>
<param-value>com.samaxes.stripes.xss</param-value>
</init-param>This distribution is licensed under the terms of the Apache License, Version 2.0 (see LICENSE.txt).