Prevent XSS injection in user-generated content, JSOUP

I'm writing sort of a "what you see is what you get" editor where a user can post images with style, tables and also charts from the Google API.

To prevent XSS injection I was thinking about using JSOUP together with a markup language I would create specifically for the task. Since I'm a bit new to this XSS thing (I use JSF, which is well equipped against it) I was hoping I could have tips, or
if someone could put me on the right track, as I'm not totally sure using my own markup language is needed and whether JSOUP alone could do what I want. I did test JSOUP a bit but I'm not completely understanding it so far, as vanilla whitelists are not enough
to do what I'm trying to do and I'm a bit afraid of adding tags to the whitelist. So is using my own markup language safer?


The content of what a user could submit could look like this (I took this directly from the dev tools console, so this is an actual output, I just formatted it and removed most of the code; if you notice br tags aren't closing, that's not me, that's Google):
Thanks for the help if any.
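An added example, not code from the original post and not jsoup's own documentation, of the approach the question circles around: a jsoup Safelist extended with only the table and image vocabulary the editor needs, followed by a second pass that rebuilds each style attribute from an allow-list of individual CSS declarations instead of trusting the attribute wholesale. The EditorSanitizer class, the SAFE_DECLARATION grammar, the example.org URLs and the hostile sample input are all constructed for this example; it assumes jsoup 1.14 or later (the Safelist class, called Whitelist in earlier releases).

```java
import org.jsoup.Jsoup;
import org.jsoup.nodes.Document;
import org.jsoup.nodes.Element;
import org.jsoup.safety.Safelist;

import java.util.regex.Pattern;

/**
 * Added example (not from the original post): two-pass sanitising of editor output.
 * Assumes jsoup 1.14+ (Safelist; earlier releases call the same class Whitelist).
 */
public class EditorSanitizer {

    // Allow-list of CSS declarations, each with a deliberately narrow value grammar.
    // Anything else (url(), expression(), behavior, position, ...) is dropped.
    private static final Pattern SAFE_DECLARATION = Pattern.compile(
        "^(color|background-color|text-align|font-weight|font-style|width|height)\\s*:\\s*"
        + "(#[0-9a-fA-F]{3,6}|[a-zA-Z]+|\\d{1,4}(px|%|em)?)$");

    private static Safelist editorSafelist() {
        return Safelist.basicWithImages()          // p, b, i, ul, a (href), img (src) ...
            .addTags("table", "thead", "tbody", "tr", "th", "td", "caption",
                     "h1", "h2", "h3", "span", "div")
            .addAttributes("td", "colspan", "rowspan")
            .addAttributes("th", "colspan", "rowspan")
            .addAttributes(":all", "style")        // admitted here, re-filtered in sanitize()
            .removeProtocols("img", "src", "http") // https only; data:/javascript: never pass
            .addEnforcedAttribute("a", "rel", "nofollow noopener")
            .addEnforcedAttribute("a", "target", "_blank");
    }

    public static String sanitize(String untrustedHtml) {
        // Pass 1: structural safelist. Unknown elements are dropped (script bodies with
        // them), unlisted attributes such as onclick are stripped, and URL attributes
        // must use a listed protocol or they are removed.
        String cleaned = Jsoup.clean(untrustedHtml, editorSafelist());

        // Pass 2: a free-form style attribute is not something a tag safelist can
        // validate, so rebuild each one from the declarations that match the grammar.
        Document doc = Jsoup.parseBodyFragment(cleaned);
        for (Element el : doc.select("[style]")) {
            StringBuilder kept = new StringBuilder();
            for (String decl : el.attr("style").split(";")) {
                String d = decl.trim();
                if (SAFE_DECLARATION.matcher(d).matches()) {
                    kept.append(d).append(';');
                }
            }
            if (kept.length() == 0) {
                el.removeAttr("style");
            } else {
                el.attr("style", kept.toString());
            }
        }
        return doc.body().html();
    }

    public static void main(String[] args) {
        // Constructed hostile submission: every vector here is neutralised by one of the passes.
        String hostile =
              "<table style=\"width:100%;background:url(javascript:alert(1))\">"
            + "<tr><td colspan=\"2\" onclick=\"alert(1)\">cell</td></tr></table>"
            + "<img src=\"javascript:alert(1)\">"
            + "<img src=\"https://example.org/chart.png\" style=\"color:red;behavior:url(evil.htc)\">"
            + "<script>alert(document.cookie)</script>"
            + "<a href=\"http://example.org/\">link</a>";

        // Reject-instead-of-repair variant: isValid() reports whether pass 1 would change anything.
        System.out.println("structurally valid: " + Jsoup.isValid(hostile, editorSafelist()));
        System.out.println(sanitize(hostile));
    }
}
```

Two caveats a practitioner would add. First, `Jsoup.isValid` only covers the safelist pass; an input can be "valid" and still carry a hostile style value, so run both passes before storing. Second, no markup filter can make script-driven content safe: a chart that only renders because a Google script runs in the browser cannot be pasted through as raw markup, so store the chart's parameters and have trusted server-side code emit the embed.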