AntiSamy为owasp针对xss提供的处理库,可以配置xml策略来决定过滤的内容,比如标签、属性、css等,自定义策略给开发人员使用成本比较高,AntiSamy也提供了几个内置的策略,其安全级别也不同,过滤的内容也不一样,下边是针对自带的策略的测试。
测试代码:
package com.didichuxing.hive.client;
import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
public class RichTextXssTest {
public static void main(String[] args) {
AntiSamy as = new AntiSamy();
try{
//Policy policy = Policy.getInstance("antisamy-slashdot.xml");
Policy policy = Policy.getInstance("antisamy-ebay.xml");
CleanResults cr = as.scan("<img src=http://www.qq.com/a.jpg />", policy);
System.out.print(cr.getCleanHTML() + "1\r\n");
cr = as.scan("<sCript src=http://www.qq.com/a.js />", policy);
System.out.print(cr.getCleanHTML() + "2\r\n");
cr = as.scan("<img src=http://www.qq.com/a.jpg οnclick=alert(1) />", policy);
System.out.print(cr.getCleanHTML() + "3\r\n");
cr = as.scan("onfinish=javascript:a=alert;a(1)%3E%3C!—", policy);
System.out.print(cr.getCleanHTML() + "4\r\n");
cr = as.scan("<img src=\"javascript:alert('XSS')\">", policy);
System.out.print(cr.getCleanHTML() + "5\r\n");
cr = as.scan("<IMG src=JaVaScRiPt:alert('XSS')>", policy);
System.out.print(cr.getCleanHTML() + "6\r\n");
cr = as.scan("<IMG src=javascript:alert('XSS')>", policy);
System.out.print(cr.getCleanHTML() + "7\r\n");
cr = as.scan("<STYLE TYPE=\"text/javascript\">alert('XSS');</STYLE>", policy);
System.out.print(cr.getCleanHTML() + "8\r\n");
cr = as.scan("<A href=http://www.gohttp://www.google.com/ogle.com/>link</A>", policy);
System.out.print(cr.getCleanHTML() + "9\r\n");
cr = as.scan("<META HTTP-EQUIV=\"refresh\" CONTENT=\"0;url=javascript:alert('XSS');\">", policy);
System.out.print(cr.getCleanHTML() + "10\r\n");
}
catch(Exception ex) {
ex.printStackTrace();
} ;
}
}
一共测试了10个payload,测试结果如下:
antisamy-ebay.xml 策略的测试结果
antisamy-slashdot.xml 策略的测试结果:
antisamy-myspace.xml策略的测试结果:
antisamy-tinymce.xml策略的测试结果:
antisamy-anythinggoes.xml策略的测试结果
默认策略antisamy.xml 策略的测试结果: